Poor security practices [of 3rd parties]

numpty
Community Member
edited February 2019 in Lounge

Thought we could have a thread here where people could have a laugh/facepalm at BS security theatre on websites we come across.

This all came about from speaking with a coworker, after I saw a strange plastic card that had a collection of characters in a grid on her desk.

It turns out this was the 2FA for her personal banking login :|
The card has a 7x7 grid of characters - 49 characters.
After logging in with the usual username/ password, she is asked for a combination of three of these characters.

I spent a few minutes discussing with her about using a password manager, and also suggesting she send feedback to the bank to fix this, as 144-147 possible combinations (feel free to correct me if I'm wrong) for a 2FA is just poor.

Comments

  • gordcook
    Community Member

    @numpty I’m not sure I completely agree with your perspective and I disagree with your math.

    As for the 49 positions, it seems to me that this is to increase the total number of possible cards and reduce the likelihood of duplication. I'm sure it also helps mitigate the risk of a replay attack. However, unless my math is wrong, it does not play a role in calculating the number of permutations.

    I’ll be conservative and assume that the requested characters are taken from a pool of 36 (10 digits and 26 lower case letters). The number of permutations would be 36³ = 46656 (15.5 bits of entropy). If the card includes both uppercase and lowercase letters as well as digits, it becomes 62³ = 238328 permutations (17.9 bits of entropy). In NIST Special Publication 800-63 "Electronic Authentication Guideline", they explicitly state that a 3-character password chosen randomly from "the 94 printable ISO characters on a typical keyboard" has an entropy of 19.8 bits. So the security depends mostly on the richness of the character set in use and has almost nothing to do with the dimensions of the matrix.

    Let’s compare with a six-digit TOTP: a six-digit number has 10⁶ permutations (20 bits of entropy). So this is very close to the 94-character possible variant of the printed card.

    The big advantage of the plastic card is that it is a challenge-response mechanism. Each prompt would request a different sequence of characters. If you guess wrong, the system would prompt for a new sequence. It essentially expires immediately upon use, whereas Time-based OTP is typically valid for a 30-second interval. Presumably, if a client had someone brute forcing their second factor, the system would disable the account and require the client to visit a branch to provide ID and change the password.

    The card also has the real-world advantages of being cheap to produce and easy to replace. Plus, it doesn’t require clock synchronization, doesn’t need a battery, and is impossible to hack into. The real-world disadvantage is that for online registration, the user must wait to receive the card via mail (or courier) before being able to start using 2FA, so it would not be very practical for this purpose.

    IMHO, it is a reasonably good safeguard... with its own set of trade-offs.
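    The scheme gordcook describes above, written out as a small model so the two counts he separates can be checked side by side. This is an added example, not code from the thread, from the bank in question, or from 1Password: the character pool (36 symbols), the 7x7 grid, the three-position challenge and the lockout threshold are constructed assumptions, and nothing is known about the real bank's implementation.

```python
"""Model of a grid-card challenge/response second factor (constructed example)."""
import math
import secrets
from dataclasses import dataclass
from typing import List, Optional, Tuple

Cell = Tuple[int, int]

# Constructed parameters; the real card contents, lockout policy and
# character pool are not known from the thread.
GRID_ROWS, GRID_COLS = 7, 7      # the 7x7 card described in the opening post
CHALLENGE_LEN = 3                # three positions requested per login
MAX_FAILURES = 3                 # assumed lockout threshold
ALPHABET_36 = "0123456789abcdefghijklmnopqrstuvwxyz"   # the conservative 36-symbol pool


def guess_space(alphabet_size: int, challenge_len: int = CHALLENGE_LEN) -> int:
    """Distinct responses to one challenge: |alphabet| ** k, independent of grid size."""
    return alphabet_size ** challenge_len


def entropy_bits(alphabet_size: int, challenge_len: int = CHALLENGE_LEN) -> float:
    """Entropy of one response in bits (36 symbols -> 15.5, 62 symbols -> 17.9)."""
    return challenge_len * math.log2(alphabet_size)


def challenge_count(cells: int, challenge_len: int = CHALLENGE_LEN) -> int:
    """Ordered position sequences the server can ask for. This grows with the grid
    (7x7 -> 110544) but does not change how many answers fit a single challenge."""
    return math.perm(cells, challenge_len)


def make_card(rows: int = GRID_ROWS, cols: int = GRID_COLS,
              alphabet: str = ALPHABET_36) -> List[List[str]]:
    """Fill a card from a CSPRNG so two customers are very unlikely to share one."""
    return [[secrets.choice(alphabet) for _ in range(cols)] for _ in range(rows)]


def answer(card: List[List[str]], challenge: Tuple[Cell, ...]) -> str:
    """What the legitimate card holder reads off the plastic for a given challenge."""
    return "".join(card[r][c] for r, c in challenge)


@dataclass
class GridCardVerifier:
    """Server side: one outstanding single-use challenge, lockout on repeated failure."""
    card: List[List[str]]
    max_failures: int = MAX_FAILURES
    failures: int = 0
    locked: bool = False
    pending: Optional[Tuple[Cell, ...]] = None

    def issue_challenge(self) -> Tuple[Cell, ...]:
        if self.locked:
            raise PermissionError("account locked: re-enrol in branch")
        cells = [(r, c) for r in range(len(self.card)) for c in range(len(self.card[0]))]
        # Distinct positions drawn with a CSPRNG so successive challenges are unpredictable.
        chosen: List[Cell] = []
        while len(chosen) < CHALLENGE_LEN:
            cell = secrets.choice(cells)
            if cell not in chosen:
                chosen.append(cell)
        self.pending = tuple(chosen)   # replaces any earlier unanswered challenge
        return self.pending

    def verify(self, response: str) -> bool:
        """Check a response; the challenge is consumed whether or not it matched."""
        if self.locked or self.pending is None:
            return False
        challenge, self.pending = self.pending, None
        expected = answer(self.card, challenge)
        ok = secrets.compare_digest(expected.encode(), response.encode())
        if ok:
            self.failures = 0
        else:
            self.failures += 1
            if self.failures >= self.max_failures:
                self.locked = True
        return ok


if __name__ == "__main__":
    for n in (36, 62, 94):
        print(f"{n}-symbol pool: {guess_space(n)} responses, {entropy_bits(n):.1f} bits")
    print("possible challenges, 7x7:", challenge_count(49), " 10x10:", challenge_count(100))
    verifier = GridCardVerifier(make_card())
    ch = verifier.issue_challenge()
    print("challenge", ch, "accepted:", verifier.verify(answer(verifier.card, ch)))
    print("same response again accepted:", verifier.verify(answer(verifier.card, ch)))
```

    Running the demo shows the point made above: enlarging the grid from 7x7 to 10x10 multiplies `challenge_count` but leaves `guess_space` untouched, because each challenge still has exactly `|alphabet|**3` possible answers. The verifier also makes the "expires immediately upon use" property explicit: a response is only checked against the one outstanding challenge, a repeat of a correct answer is rejected, and repeated failures lock the account rather than allowing unlimited attempts.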

  • AGAlumB
    1Password Alumni

    It seems to me that the problem with the "card grid" security model (used mainly by EU/UK banks from what I understand) is the problem that is created by a lot of "creative" security measures: that is, it places additional burden on the user for a questionable security benefit, when compared to the alternatives available in the 21st century.

    Still beats SMS "two-factor", which is prevalent in the US and probably many other places. But with TOTP and even U2F within reach of "normal" users, I suspect this has more to do with the institution covering their collective butts rather than actual security, since there are far better options.

    Good point by gordcook:

    > The card also has the real-world advantages of being cheap to produce and easy to replace.

    But yeah, no fun when you have to wait for a new one of these to arrive by post:

    > The real-world disadvantage is that for online registration, the user must wait to receive the card via mail (or courier) before being able to start using 2FA, so it would not be very practical for this purpose.

    Probably this was the best option available decades ago, and no one is really motivated yet to adopt a more secure, less inconvenient solution.

  • gordcook
    Community Member

    Agreed. I’m seeing slow 2FA adoption in Canada. My bank is rolling out SMS 2FA now. Previously, their so-called 2FA was password and stored cookie. If you tried to log in from a new location, you would be required to answer one of your security questions. So in reality, this boils down to something I know and something I know, which is still 1FA. So, SMS 2FA is a big improvement, but we’re still very far from where we want to be. I suppose that the banks’ challenge is how to deal with customers without smart phones.

    In contrast, a coworker who emigrated from The Netherlands had a USB token to establish the second factor. I felt very backward when I saw how advanced the systems were in Europe. Frankly, I think the banks make enough money off of us that they can afford one of these per customer without batting an eye.

  • Unknown
    edited February 2019
    This content has been removed.
  • AGAlumB
    1Password Alumni

    > Agreed. I’m seeing slow 2FA adoption in Canada. My bank is rolling out SMS 2FA now. Previously, their so-called 2FA was password and stored cookie. If you tried to log in from a new location, you would be required to answer one of your security questions. So in reality, this boils down to something I know and something I know, which is still 1FA. So, SMS 2FA is a big improvement, but we’re still very far from where we want to be. I suppose that the banks’ challenge is how to deal with customers without smart phones.

    @gordcook: Huh. I never would have even thought to consider that as two-factor authentication. But maybe some banks do. It's something I think all of mine use. Just never imagined it might be presented that way.

    > In contrast, a coworker who emigrated from The Netherlands had a USB token to establish the second factor. I felt very backward when I saw how advanced the systems were in Europe. Frankly, I think the banks make enough money off of us that they can afford one of these per customer without batting an eye.

    Indeed. I do think a lot of the advancement in these areas in Europe though is driven by the EU. It's really the Wild West in the US when it comes to regulation, comparatively speaking. And the incentives just aren't there for banks to invest in upgrading what is often infrastructure from the 80s that is holding back stuff like this. Fascinating -- and terrifying.

  • AGAlumB
    1Password Alumni

    @jimthing: Thanks for the perspective! Indeed, it's a jungle out there. I can imagine how Mr. Monk feels. :crazy:

  • gordcook
    Community Member
    edited February 2019

    @brenty,

    > Huh. I never would have even thought to consider that as two-factor authentication. But maybe some banks do. It's something I think all of mine use. Just never imagined it might be presented that way.

    In principle, it sounds good. Having the cookie, in theory, means having possession of my laptop/phone/device. The thing that really makes it flawed is the fallback authentication to security questions (a dictionary word password with a hint). To be fair, I'm not sure that position was ever, strictly speaking, official policy; it was a response from a service representative to a question about 2FA on their Q&A forum. It appears that the original post has since been taken down... and replaced with a lot of hype about "Two-Step Authentication" (which is just SMS 2FA, sigh). I suppose it just means that the onus is on the customer to ensure that they have a good, strong, unique password and to protect it well.

  • AGAlumB
    1Password Alumni

    Ah gotcha. Also, cookies can be hijacked or stolen. So it scares me that this might be presented as real security. :dizzy:

    I think it's good for all of us to take an active role in our own security...but at the same time we don't want to place the burden solely on the user. Using something the right way should be safe to do.

  • gordcook
    Community Member

    Yes, cookies are weak authentication. Security questions are weak authentication. SMS Two-Step is fair, by comparison, but still weak. But this is my bank. When they are leaving me with what amounts to 1 factor authentication, they are placing the burden on me to ensure it's a darn good one. And that's not right.

    Mind you, I'm old enough to remember these things called "cheques" where an ink scribble was sufficient "authentication" to withdraw money from my account. :p

    I'm afraid I've committed the cardinal sin of hijacking @numpty's thread. Oops. Sorry.

    > In principal, it sounds good.

    I realized too late that it should have been "In principle", and I have insufficient privileges to go back and edit it.

  • AGAlumB
    1Password Alumni

    > Yes, cookies are weak authentication. Security questions are weak authentication. SMS Two-Step is fair, by comparison, but still weak. But this is my bank. When they are leaving me with what amounts to 1 factor authentication, they are placing the burden on me to ensure it's a darn good one. And that's not right.

    Yeah... :( At least 1Password can help us maintain really strong passwords, which may otherwise be infeasible, though. :)

    > Mind you, I'm old enough to remember these things called "cheques" where an ink scribble was sufficient "authentication" to withdraw money from my account. :p

    Oh no. Me too! :lol:

    > I'm afraid I've committed the cardinal sin of hijacking @numpty's thread. Oops. Sorry.

    Well, I do think we're still on topic, or at least in the ballpark, but I agree we should let numpty be the judge of that. :lol:

    > In principal, it sounds good.

    > I realized too late that it should have been "In principle", and I have insufficient privileges to go back and edit it.

    Fixed. :)

This discussion has been closed.