
MSE News: Coventry BS launches market-leading ISA to rival top easy-access savings accounts


Comments

  • pafpcg
    pafpcg Posts: 937 Forumite
    Tenth Anniversary 500 Posts Name Dropper
    According to a recent letter (1st March) from CoventryBS:

    "Later this year, we're going to be making some changes to the way you log in and use Online Services. They're designed to make your online banking more secure than before."

    The letter requests that we check our phone numbers and email addresses are correct, so I assume that CoventryBS will be introducing some form of two-factor authentication via phone or email.
  • dimple_pie
    dimple_pie Posts: 26 Forumite
    Fourth Anniversary 10 Posts Name Dropper Combo Breaker
    Registering has been a little cumbersome. Applied online on Monday and, to date, I’ve received a total of four “letters” in the post from them but only got as far as obtaining a password. I now apparently have to wait up to four (working?) days to receive further security info, which I’m assuming is the web ID and the grid card (?).
    A little reluctant to send them 20k without being able to view it online. Fortunate I had the foresight not to leave it much later.
  • bubieyehyeh
    bubieyehyeh Posts: 592 Forumite
    Part of the Furniture 500 Posts Name Dropper
    Stompa wrote: »
    Having been a Coventry customer for a very long time, one curiosity I've noticed is that when they ask for three characters from your password, they only ever use the first 5 characters and the last one. Any other characters never get asked for.

    yeah I've noticed the same.
  • londoninvestor
    londoninvestor Posts: 1,351 Forumite
    Sixth Anniversary Combo Breaker
    etienneg wrote: »
    Also, the letter positions are not transmitted with the letters themselves, making piecing the password together even more difficult.

    This frustrates keylogging attacks. As (even more so) do some sites by having you select the letters from a dropdown rather than keying them in.
  • katies_mum
    katies_mum Posts: 2,388 Forumite
    Part of the Furniture 1,000 Posts
    We logged into our Coventry accounts yesterday, clicked new account and had the Easy access ISA opened within a minute. The system said to wait up to 2 hours before it would show in our list of accounts, it was there within 20 mins. The longest part of the transaction was having to wait 16 minutes to speak to a Coventry advisor to make the ISA internal transfer... once through this took just a few minutes and it was in our account listing a few minutes after that.
  • sausage_time
    sausage_time Posts: 1,641 Ambassador
    Tenth Anniversary 1,000 Posts Name Dropper Photogenic
    etienneg wrote: »
    I'm not at all sure why you think this follows (or even probably follows).

    What is pretty clear is that it avoids transmitting the whole password in any one message, ever, even encrypted. So a hacker would need to intercept multiple messages to have even a remote chance of getting the whole password. Also, the letter positions are not transmitted with the letters themselves, making piecing the password together even more difficult.

    A similar system is used over the phone, where the customer service person asks for particular digits (chosen by their computer) and inputs the customer response. The computer verifies the response, and the customer service person never sees the whole password. Again, no reason to assume storage of the password as plain text.
    I don't understand how their back-end system can confirm that the 5th letter of my password is "e" (it's not!) unless they have stored the password as plain text? If their servers are ever hacked that could yield the passwords. Secure systems don't work this way - they store a hashed value for the password which does not yield any detail about the individual characters of the original.
    I’m a Forum Ambassador and I support the Forum Team on the Credit Cards, Savings & investments, and Budgeting & Bank Accounts boards. If you need any help on these boards, do let me know. Please note that Ambassadors are not moderators. Any posts you spot in breach of the Forum Rules should be reported via the report button, or by emailing forumteam@moneysavingexpert.com.
    All views are my own and not the official line of MoneySavingExpert.
  • Stompa
    Stompa Posts: 8,381 Forumite
    Part of the Furniture 1,000 Posts Name Dropper
    sausage_time wrote: »
    I don't understand how their back-end system can confirm that the 5th letter of my password is "e" (it's not!) unless they have stored the password as plain text? If their servers are ever hacked that could yield the passwords. Secure systems don't work this way - they store a hashed value for the password which does not yield any detail about the individual characters of the original.

    As I mentioned previously, they appear to only ever ask for 3 characters from 6, so there are only 120 possible combinations. Perhaps each of those combinations is stored as a hashed value on the server???
    Stompa
  • Reed_Richards
    Reed_Richards Posts: 5,402 Forumite
    Part of the Furniture 1,000 Posts Photogenic Name Dropper
    What about the Leeds BS cash isa at 1.51%?
    There's a 60-day loss-of-interest penalty on withdrawal for the Leeds BS ISA. If you can put up with that then you can get 1.55% from YBS.
    Reed
  • eskbanker
    eskbanker Posts: 38,037 Forumite
    Part of the Furniture 10,000 Posts Name Dropper Photogenic
    sausage_time wrote: »
    I don't understand how their back-end system can confirm that the 5th letter of my password is "e" (it's not!) unless they have stored the password as plain text? If their servers are ever hacked that could yield the passwords. Secure systems don't work this way - they store a hashed value for the password which does not yield any detail about the individual characters of the original.
    The passwords won't be stored in plain text but in encrypted format, but there obviously has to be an algorithm that allows keyed plain text input to be validated against the password in its stored form, because that's the whole point of using passwords!

    So, the authentication process isn't saying 'tell me what the 5th character of the password is' but 'is the 5th character "e", yes or no?'....

    If your theory was correct (that selective character validation implies plain text password storage) then that would suggest that most (if not all) of the industry's leading players have a massive security issue, as this mechanism is used by (off the top of my head) Lloyds group, RBS, Santander, First Direct, CYBG, Tesco, etc....
  • short_butt_sweet
    short_butt_sweet Posts: 333 Forumite
    edited 17 March 2019 at 8:24PM
    eskbanker wrote: »
    The passwords won't be stored in plain text but in encrypted format, but there obviously has to be an algorithm that allows keyed plain text input to be validated against the password in its stored form, because that's the whole point of using passwords!

    So, the authentication process isn't saying 'tell me what the 5th character of the password is' but 'is the 5th character "e", yes or no?'....
    the issue is: if an attacker has stolen an encrypted password, can they (quickly, via an automated process) figure out the password?

    if what is encrypted is 1 character by itself, then they can do this, and very quickly, by trying each possible character in turn. because there are only about 100 characters to try. that's trivially easy.
    Stompa wrote: »
    As I mentioned previously, they appear to only ever ask for 3 characters from 6, so there are only 120 possible combinations. Perhaps each of those combinations is stored as a hashed value on the server???
    that's an interesting point. in fact, there are only 20 combinations (because there are 120 permutations of how you can pick 3 characters from 6, in a specific order; but there are 6 different orders in which you can pick any 3 given characters).

    so if passwords are stored encrypted in groups of 3 letters, can an attacker find the 3 letters from the encrypted password?

    it's a bit harder. assuming 100 possible characters, they need to try 100x100x100 = 1,000,000 combinations to find the 3 characters. but that's still far too easy to give any serious protection, given the processing speeds of modern computers. if your whole password was only 3 characters long, that wouldn't be long enough to make it reasonably secure; and this is essentially the same thing.

    (that only gives the attacker 3 characters of the password. to find all 6 characters of the password, they'd have to do this twice. so we're up to 2,000,000 combinations.)

    so i think storing letters (or groups of 3 letters) of the password encrypted would give very little protection against an attacker who's stolen the password database. that is a weakness of the technique of asking only for certain letters from the password when users are logging in. but the technique does have the advantage (as has been mentioned) that it's harder for a keylogger (or similar snooping programs) to steal the whole password.

    entering the whole password to login is more vulnerable to keyloggers. but has the advantage that it's harder for an attacker who's stolen the password database to work out the password (provided that it's long enough, and not too obvious e.g. "password" or "secret").

    i noticed that HL's new(-ish) login process requires you to enter both one kind of password in full, and selected letters from another kind of password. which will hopefully give some of the advantages of both techniques.
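Stompa's suggestion (a hash stored per 3-of-6 combination) and short_butt_sweet's objection to it, written out as an added example that is not Coventry BS's system or code from anyone in the thread. It assumes the challenge only ever draws from six fixed positions, a 100-character alphabet, and PBKDF2 as the hash; the last function shows why a stolen fragment hash can be inverted in at most 100^3 guesses however strong the full password is.

```python
import hashlib
import hmac
import os
from itertools import combinations
from math import comb

# Assumptions (illustrative, not the building society's implementation): the
# bank only challenges the first six characters, asks for 3 of them, and stores
# one salted hash per 3-position combination instead of the whole password.
CHALLENGE_POSITIONS = range(6)   # 0-based indices that can be asked for
CHARS_PER_CHALLENGE = 3
ALPHABET_SIZE = 100              # the thread's rough count of possible characters
PBKDF2_ROUNDS = 50_000           # assumed work factor

def fragment_hash(salt: bytes, positions: tuple, chars: str) -> bytes:
    # Bind the positions into the hash so the same letters at other
    # positions give a different digest; salt is per user.
    data = ",".join(map(str, positions)).encode() + b":" + chars.encode()
    return hashlib.pbkdf2_hmac("sha256", data, salt, PBKDF2_ROUNDS)

def enrol(password: str) -> dict:
    """Store one salted hash per 3-of-6 position combination (20 hashes)."""
    if len(password) < len(CHALLENGE_POSITIONS):
        raise ValueError("password shorter than the challengeable positions")
    salt = os.urandom(16)
    table = {}
    for pos in combinations(CHALLENGE_POSITIONS, CHARS_PER_CHALLENGE):
        chars = "".join(password[p] for p in pos)
        table[pos] = fragment_hash(salt, pos, chars)
    return {"salt": salt, "fragments": table}

def verify(record: dict, positions: tuple, answer: str) -> bool:
    """Check a challenge; positions may arrive in any order, so normalise."""
    if len(positions) != CHARS_PER_CHALLENGE or len(answer) != CHARS_PER_CHALLENGE:
        return False
    pairs = sorted(zip(positions, answer))
    pos = tuple(p for p, _ in pairs)
    chars = "".join(c for _, c in pairs)
    expected = record["fragments"].get(pos)
    if expected is None:
        return False          # a position that is never challenged
    return hmac.compare_digest(expected, fragment_hash(record["salt"], pos, chars))

def stored_fragment_count() -> int:
    return comb(len(CHALLENGE_POSITIONS), CHARS_PER_CHALLENGE)   # C(6,3) = 20

def guesses_per_fragment() -> int:
    # Worst-case search space to invert ONE stolen fragment hash: 100^3.
    # Independent of the full password's length, which is the weakness.
    return ALPHABET_SIZE ** CHARS_PER_CHALLENGE
```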