[BreachExchange] Third of US banks OK with passwords even social networks reject

Audrey McNeil audrey at riskbasedsecurity.com
Thu Mar 3 19:03:33 EST 2016


http://www.theregister.co.uk/2016/03/03/us_bank_passwords/

Six of 17 major US banks have weaker password enforcement procedures than
most social networking websites, according to a new study by an American
university.

The banks ask users to set up passwords that include letters and special
symbols, but a study by researchers at the University of New Haven shows
that in around a third of cases these passwords may not be case sensitive.
This means any combination of upper and lower case letters might work.
Ignoring case sensitivity reduces the entropy of login credentials, making
them less resistant to cracking as a result.
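To make the entropy point concrete, here is an added example (not code from the article or from the UNH study) that quantifies what a case-insensitive check throws away and shows a self-test an operator can run against an authentication endpoint they own. The `make_verifier` closures are a constructed model of the two behaviours, not any bank's implementation; the password value and character-class sizes are assumptions for illustration.

```python
"""Worked example: what a case-insensitive password check costs in entropy."""
import hashlib
import hmac
import math
import os

# Character classes the article mentions (letters plus special symbols).
# 32 is the count of printable ASCII punctuation characters.
LOWER, UPPER, DIGITS, SYMBOLS = 26, 26, 10, 32


def policy_bits(length: int, case_sensitive: bool) -> float:
    """Maximum entropy in bits of a uniformly random password of `length`
    characters drawn from printable ASCII. Folding case removes the 26
    uppercase letters from the effective alphabet."""
    alphabet = LOWER + DIGITS + SYMBOLS + (UPPER if case_sensitive else 0)
    return length * math.log2(alphabet)


def case_fold_loss_bits(password: str) -> int:
    """For one specific stored password: a verifier that ignores case accepts
    every case variant, i.e. 2**k distinct strings where k is the number of
    ASCII letters, so the search space shrinks by exactly k bits."""
    return sum(1 for c in password if c.isascii() and c.isalpha())


def _hash(secret: str, salt: bytes) -> bytes:
    # PBKDF2 stands in for whatever slow hash the real system uses.
    return hashlib.pbkdf2_hmac("sha256", secret.encode(), salt, 50_000)


def make_verifier(stored_password: str, case_sensitive: bool):
    """Return a verify(candidate) -> bool closure modelling the two policies.
    Constructed illustration only; the case-folded variant lower-cases the
    secret before hashing, which is how such a check typically ends up lax."""
    salt = os.urandom(16)
    normalise = (lambda s: s) if case_sensitive else str.lower
    digest = _hash(normalise(stored_password), salt)

    def verify(candidate: str) -> bool:
        return hmac.compare_digest(_hash(normalise(candidate), salt), digest)

    return verify


def ignores_case(verify, known_password: str) -> bool:
    """Defender's self-check for an endpoint you operate: if a case-swapped
    variant of a known-good password is accepted, the verifier folds case.
    Returns False (inconclusive) when the password contains no letters."""
    swapped = known_password.swapcase()
    if swapped == known_password:
        return False
    return verify(swapped)


if __name__ == "__main__":
    pw = "Tr0ub4dor&3"  # assumed sample password
    print(f"12-char random, case-sensitive: {policy_bits(12, True):.1f} bits")
    print(f"12-char random, case-folded   : {policy_bits(12, False):.1f} bits")
    print(f"{pw!r} loses {case_fold_loss_bits(pw)} bits if case is ignored")
    strict, lax = make_verifier(pw, True), make_verifier(pw, False)
    print("strict verifier folds case:", ignores_case(strict, pw))
    print("lax verifier folds case   :", ignores_case(lax, pw))
```

The per-policy figure (`policy_bits`) is the upper bound for random passwords; `case_fold_loss_bits` is the loss for a particular credential, which is what matters once a password is chosen. A mixed-case 11-character password such as the sample loses 7 bits, a 128-fold reduction in the work an attacker needs.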

"We were very surprised when we learned that banks have fewer requirements
for passwords than social media sites," said Walter Gordillo, '16 of
Norwalk, Connecticut, a cyber systems major who took a lead on the
University of New Haven Cyber Forensic Research and Education Group
(UNHcFREG) project.

Banks with the issues include Wells Fargo (70 million customers), Capital
One (50 million customers), BB&T, Webster First Federal Credit Union, Chase
Bank (50 million customers), and Citibank (200 million customers).

El Reg contacted PR representatives of Wells Fargo, Capital One and Chase
Bank as well as US banking organisations (Financial Services Information
Sharing and Analysis Center (FS-ISAC) and Financial Services Roundtable
(FSR)) for reaction to the study. We're yet to hear back, but will update
this story as and when we hear more.

Frank Breitinger, UNH assistant professor and co-director of UNHcFREG,
oversaw the study, which was carried out by UNH undergraduates in an
introduction to computer security course. "Consumers believe that banks
with several million customers should have strong security mechanisms in
place to protect accounts, starting with password policies," Breitinger
argued.

The research group attempted to contact the banks through their regular
hotlines to inform them about what they had found and to ask for a
statement in reaction to the findings of the research.

"It turned out that it is almost impossible to contact and notify them
about a security issue," Breitinger said.

"Our findings raise an important question: why do social networking
platforms and many others not related to personal and business finances
adopt much stricter password policies?" Breitinger asked.

More details about the research can be found here.

Sweet 2FA

Per Thorsheim, an infosec researcher and founder of the PasswordsCon
conference, said the findings of the research were "interesting, but not
surprising."

"Based on what I know of US banks, I think that European banks are ahead of
the US in this area [password security]," he told El Reg.

"Europe deploys advanced security technology, US does more financial risk
analysis."

It would be wrong to regard social media profiles as throwaway items that
are therefore ill-deserving of rigorous password security policies,
according to Thorsheim.

"Social media sites actually keep a lot more sensitive information about
you than any bank will probably ever do. At the same time, people tend to
consider their money more important than information, pictures & videos of
themselves, family, friends and colleagues."

Password security is only one component of online safety. In particular,
two-factor authentication (2FA) controls are used by many banks to
safeguard against account takeover and fraud, Thorsheim added.

"Examining the password policy by itself is interesting, there's no mention
of two-factor authentication such as software or hardware tokens or
biometrics, fraud detection."

"I am sure that the affected banks have all done their financial and market
risk analysis to justify their security, with perhaps the biggest
consideration being 'if we [make] it harder to log in compared to our
competition, we may lose customers'," Thorsheim concluded.