
Platform security

13

Comments

  • IvanOpinion
    IvanOpinion Posts: 22,136 Forumite
    Part of the Furniture 10,000 Posts Name Dropper Combo Breaker
    edited 21 July 2020 at 8:26PM
    csgohan4 said:
    you can raise the concern with your platform, but setting up the most random password you can would be pertinent
    Not sure what you mean by 'random' but the 3 most important things for a password are length, length and length.  By all means use random characters (upper, lower, numeric, special) but they make little difference to a cracker - it just scans the full ASCII character set.
    This is not the case at all.  Most password cracking uses "dictionaries" to generate password attempts.  Using random characters then makes cracking massively more difficult.  With modern encryption, hacking passwords using sequential character based tries simply takes too long so the "dictionary" (more than just traditional words) approach is used to massively shortcut this.
    I think there is probably a mixture of the two going on - I suppose it depends on the cracker and how advanced it is.  As I said earlier I was surprised by the NIST guidelines when we investigated them ... we consider them to be the SMEs, so follow their guidance.
    I don't care about your first world problems; I have enough of my own!
  • masonic
    masonic Posts: 27,621 Forumite
    Part of the Furniture 10,000 Posts Photogenic Name Dropper
    The form of attack will tend to be customised to the login database that is stolen. Hopefully no financial company is storing actual passwords, and hopefully they aren't storing unsalted hashes either. Most likely password guesses will be hashed and checked against the whole database. Your objective is not to be the low hanging fruit. You need to be in the lowest density password space possible, which may, counterintuitively, mean not choosing a password that is equal to the maximum length if that limit is not very high.
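The contrast masonic draws, a stolen database of unsalted hashes versus properly salted and iterated ones, as an added example for this thread (not code from any forum member or any platform). The usernames and passwords are made up, and the PBKDF2 work factor is lowered so the demo runs quickly; production deployments use a much higher one:

```python
"""Constructed demo: salted, iterated password hashing versus an unsalted store."""
import hashlib
import hmac
import os
from typing import Dict, List, Tuple

ITERATIONS = 200_000  # demo work factor; raise for production and re-tune as hardware improves

# Constructed sample login database; note that alice and carol chose the same password.
SAMPLE_USERS: Dict[str, str] = {
    "alice": "Summer2020",
    "bob": "h7#Qv!pL2z9$wRk4",
    "carol": "Summer2020",
}


def hash_password(password: str, iterations: int = ITERATIONS) -> dict:
    """Return a record holding a fresh random salt plus the PBKDF2-HMAC-SHA256 digest.
    The cleartext password itself is never stored."""
    salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return {"salt": salt, "iterations": iterations, "digest": digest}


def verify_password(record: dict, candidate: str) -> bool:
    """Recompute the digest with the stored salt and compare in constant time."""
    digest = hashlib.pbkdf2_hmac(
        "sha256", candidate.encode("utf-8"), record["salt"], record["iterations"]
    )
    return hmac.compare_digest(digest, record["digest"])


def build_unsalted_store(users: Dict[str, str]) -> Dict[str, bytes]:
    """The weak scheme: one fast, unsalted SHA-256 per password."""
    return {name: hashlib.sha256(pw.encode("utf-8")).digest() for name, pw in users.items()}


def build_salted_store(users: Dict[str, str]) -> Dict[str, dict]:
    """The recommended scheme: per-user random salt and a slow, iterated hash."""
    return {name: hash_password(pw) for name, pw in users.items()}


def check_guess_unsalted(store: Dict[str, bytes], guess: str) -> Tuple[List[str], int]:
    """Check one guess against an unsalted store.
    Returns the matching usernames and how many hash computations were needed:
    a single hash is compared against every row, so users sharing a password fall together."""
    h = hashlib.sha256(guess.encode("utf-8")).digest()
    matched = [name for name, stored in store.items() if hmac.compare_digest(h, stored)]
    return matched, 1


def check_guess_salted(store: Dict[str, dict], guess: str) -> Tuple[List[str], int]:
    """Check one guess against a salted store.
    Each row has its own salt, so the slow hash must be recomputed for every user."""
    matched: List[str] = []
    computations = 0
    for name, record in store.items():
        computations += 1
        if verify_password(record, guess):
            matched.append(name)
    return matched, computations


if __name__ == "__main__":
    guess = "Summer2020"
    print("unsalted:", check_guess_unsalted(build_unsalted_store(SAMPLE_USERS), guess))
    print("salted:  ", check_guess_salted(build_salted_store(SAMPLE_USERS), guess))
```

With the unsalted store a single SHA-256 of the guess identifies every user who chose that password; with the salted store the same guess costs one full PBKDF2 run per row, which is the "checked against the whole database" cost masonic describes, multiplied by the number of accounts and by the work factor.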
  • terry999
    terry999 Posts: 25 Forumite
    Part of the Furniture 10 Posts Combo Breaker
    A woman’s HMRC account was hacked, they changed her linked bank account, altered her return so she was due a huge refund.
    2FA using SMS isn’t great. Vodafone got fined for moving someone’s number which was used for fraud, albeit they had to try 3 times before they got an obliging operative at Vodafone.

    I don’t think investing platforms would be as irresponsible as, say, BA’s cavalier attitude to payment security.
  • masonic
    masonic Posts: 27,621 Forumite
    Part of the Furniture 10,000 Posts Photogenic Name Dropper
    terry999 said:
    A woman’s HMRC account was hacked, they changed her linked bank account, altered her return so she was due a huge refund.
    2FA using SMS isn’t great.
    I agree, SMS-based 2FA should be consigned to the dustbin; since NIST has been mentioned in this thread, it's worth noting they agree. But HMRC have supported TOTP via authenticator apps for years, which is a much better system. Though they try to promote their own app, you can use it with others such as Google Authenticator.
  • Prism
    Prism Posts: 3,849 Forumite
    Seventh Anniversary 1,000 Posts Name Dropper
    masonic said:
    The form of attack will tend to be customised to the login database that is stolen. Hopefully no financial company is storing actual passwords, and hopefully they aren't storing unsalted hashes either. Most likely password guesses will be hashed and checked against the whole database. Your objective is not to be the low hanging fruit. You need to be in the lowest density password space possible, which may, counterintuitively, mean not choosing a password that is equal to the maximum length if that limit is not very high.
    I think that any of the banks or investment platforms that ask for 3 random characters from the password are likely storing the full password somewhere - hopefully that somewhere being an encrypted hardware security module that can't be hacked remotely. I guess gradually they will all move away from that method. Most of them support MFA anyway and if available it should always be used. The increase in sim swapping means that text based MFA might need to be rethought.
  • masonic
    masonic Posts: 27,621 Forumite
    Part of the Furniture 10,000 Posts Photogenic Name Dropper
    Prism said:
    masonic said:
    The form of attack will tend to be customised to the login database that is stolen. Hopefully no financial company is storing actual passwords, and hopefully they aren't storing unsalted hashes either. Most likely password guesses will be hashed and checked against the whole database. Your objective is not to be the low hanging fruit. You need to be in the lowest density password space possible, which may, counterintuitively, mean not choosing a password that is equal to the maximum length if that limit is not very high.
    I think that any of the banks or investment platforms that ask for 3 random characters from the password are likely storing the full password somewhere - hopefully that somewhere being an encrypted hardware security module that can't be hacked remotely. I guess gradually they will all move away from that method. Most of them support MFA anyway and if available it should always be used. The increase in sim swapping means that text based MFA might need to be rethought.
    I hope there are very few, if any, that *only* ask for 3 random characters from a password, rather than username + password + 3 random digits from another password or code.
  • Prism
    Prism Posts: 3,849 Forumite
    Seventh Anniversary 1,000 Posts Name Dropper
    edited 21 July 2020 at 9:24PM
    masonic said:
    Prism said:
    masonic said:
    The form of attack will tend to be customised to the login database that is stolen. Hopefully no financial company is storing actual passwords, and hopefully they aren't storing unsalted hashes either. Most likely password guesses will be hashed and checked against the whole database. Your objective is not to be the low hanging fruit. You need to be in the lowest density password space possible, which may, counterintuitively, mean not choosing a password that is equal to the maximum length if that limit is not very high.
    I think that any of the banks or investment platforms that ask for 3 random characters from the password are likely storing the full password somewhere - hopefully that somewhere being an encrypted hardware security module that can't be hacked remotely. I guess gradually they will all move away from that method. Most of them support MFA anyway and if available it should always be used. The increase in sim swapping means that text based MFA might need to be rethought.
    I hope there are very few, if any, that *only* ask for 3 random characters from a password, rather than username + password + 3 random digits from another password or code.
    Agreed, however Youinvest for example do in fact ask for username + 3 characters from password (meaning they store the password) + a secret (e.g. first pet). They do also support app and text based MFA but I wouldn't say they encourage it enough. The 3 random characters do help vs phishing which is the bigger threat I suppose.
  • masonic
    masonic Posts: 27,621 Forumite
    Part of the Furniture 10,000 Posts Photogenic Name Dropper
    edited 21 July 2020 at 10:07PM
    Prism said:
    masonic said:
    Prism said:
    masonic said:
    The form of attack will tend to be customised to the login database that is stolen. Hopefully no financial company is storing actual passwords, and hopefully they aren't storing unsalted hashes either. Most likely password guesses will be hashed and checked against the whole database. Your objective is not to be the low hanging fruit. You need to be in the lowest density password space possible, which may, counterintuitively, mean not choosing a password that is equal to the maximum length if that limit is not very high.
    I think that any of the banks or investment platforms that ask for 3 random characters from the password are likely storing the full password somewhere - hopefully that somewhere being an encrypted hardware security module that can't be hacked remotely. I guess gradually they will all move away from that method. Most of them support MFA anyway and if available it should always be used. The increase in sim swapping means that text based MFA might need to be rethought.
    I hope there are very few, if any, that *only* ask for 3 random characters from a password, rather than username + password + 3 random digits from another password or code.
    Agreed, however Youinvest for example do in fact ask for username + 3 characters from password (meaning they store the password) + a secret (e.g. first pet). They do also support app and text based MFA but I wouldn't say they encourage it enough. The 3 random characters do help vs phishing which is the bigger threat I suppose.
    That is a bit concerning. I don't suppose there is much hope of them hashing the secret (which could just be a complex and random password), probably not if they are using it for other channels, such as phone support.
    The 3 random characters are just "security theatre"; it just gives the perception of higher security. It doesn't help much against phishing, which has moved on in sophistication to scraping the actual login pages of the target sites and presenting the user with the same login challenges. It just limits the phishing site to one login session. If they can present a false login failure message the first time, they can use the second login attempt to harvest more random characters. Repeat a few times, asking for a different set of 3 characters each time to fill in the blanks... I'd imagine many users would try 2-3 times without hesitation, especially those who would tend to fall for phishing scams.
  • IvanOpinion
    IvanOpinion Posts: 22,136 Forumite
    Part of the Furniture 10,000 Posts Name Dropper Combo Breaker
    edited 21 July 2020 at 10:55PM
    One of the problems with 'secret' is that I have come across many databases where the responses are stored in plain text.

    As far as phishing goes there was an advert on TV where an operator asked for characters 1,3,5, claimed that didn't go through and then asked for 2,4,6.  Very very simple, no idea if that has ever been done, but demonstrated a very simple attack.

    In relation to SMS, it is no longer considered a secure means of authentication - but still better than nothing.

    On a similar note, have you noticed the latest version of CAPTCHA has no UI?
    I don't care about your first world problems; I have enough of my own!
  • bowlhead99
    bowlhead99 Posts: 12,295 Forumite
    Part of the Furniture 10,000 Posts Name Dropper Post of the Month
    On a similar note, have you noticed the latest version of CAPTCHA has no UI?
    Yes, V3 is invisible for users - no need to prove you're human by typing text or spotting zebra crossings or buses or shopfronts, they just give you a score based on whether your interactions around the web and the things stored in cookies you have make you seem like you're probably a low risk of being a bot. Perhaps it's better as it's low hassle for us users to use; the downside from a privacy standpoint is that it just means we have to let them track us more so they can learn how humans are supposed to behave online.

    Despite this I still come across plenty of sites on the old versions of reCAPTCHA - the old ones are not going away yet - and I had to pass an inordinate amount of photo recognition tests to get through one website earlier today.