“in order to more thoroughly investigate"
OK, a split infinitive isn't actually reckoned to be ungramatical. Throwing in an adjective as well is just plain ugly.
OTOH I take it that "exceeding authority" is PR-speak for telling the truth.
Brit retail bank NatWest is backtracking on previous claims that it was aware of a security glitch at the log-in stage that requested customers to enter more digits of their password than existed. A little over a week ago, a potential security issue emerged when this writer was asked to enter the 11th digit of a password to an …
A very long time ago I had an account with Lloyds. being a callow youth I ahd to pay for my car insurance in installments but the company concerned used to require 3 post dated cheques (I said it was a long time ago!)
I can't remember exactly why but I chose to close my account with Llyods, genuinely forgetting that i had written the cheques. The last of the cheques was presented after I had closed the account. For reasons best known to themselves it was cleared and paid. They duely sent me a letter saying I was overdrawn and I should do something about it, I wrote back saying, I don't have an account with you and went on my merry way.
Every two or three months I'd receive a statement indicating i was £55 overdrawn and I'd ignore it. This went on for a while and then suddenly a statement arrived that indicated a positive balance.
I wandered into the branch and asked the cashier if the statement was correct, he said yes so I withdrew it and closed the account (again!)
It was like real life monopoly :D
"We can't be arsed to do our job properly unless you hang out your dirty laundry in public on Twitter" approach to customer service
AFAICS customer service was doing its job - it even escalated the problem, a step which seems to be unknown to many these days. The tech side -trying without success.. It's PR that needs to be hung out to dry.
"The tech side -trying without success."
The "tech side" in this case are probably an outsourced bunch of 1st line response subcontinent morons, not the people who actually wrote the code. Having said that, how hard can it be to find the section of code that generates PIN digit numbers on the login web page? I would suggest not very.
Given that the login is already obfuscated by accepting random characters in place of the full string, I can fully imagine this being a separate locked-down system that just passes an authenticated pass/fail flag back to the 'main' server.
Agree that PR need stringing out for such a blatant attempt for a cover-up.
"I saw the problem myself"
"No you didn't"
It's PR that needs to be hung out to dry
Well - you do have to remember that PR is the slightly-backward ugly cousin of HR (HR exists to protect the company from the employees, PR exists to protect the company from the public).
It's where the people who fail the HR empathy tests[1] go.
[1] Which, in most HR departments I've seen, consists of filtering out anyone that has, or seems to have, any shred of empathy.
Have El reg seen a screen shot they can trust or reasonably expect to be of the problem?
Can El Reg advise the person to carry out a subject access request for their notes...and call recordings...this should include contact with technical...any refusal on security grounds or excessive redacting is usually a give away?
LOL!
I even scanned in the letter from customer services together with their "interesting" admissions.
The most joyous bit was discussing this letter with their Press Office, during which convo one could almost literally hear the gears grinding as official spokesperson attempted to explain how their customer services bod had just gone off piste and made this up wholesale without actually saying they'd done that...
Trying to op[en a new account with them 2 months ago; it didnt matter how many times they reset the password for us, it kept saying we were entering the wrong password.
In the end this, and their total inability to understand that someone born in China might actually be a UK citizen, made us go elsewhere.
Still waiting for that Norman Muntz icon.
> Trying to op[en a new account with them 2 months ago; it didnt matter how many times they reset the password for us, it kept saying we were entering the wrong password.
That is interesting, because for the last few months I have had the exact same problem. I have been banking with Natwest for years, always with the same credentials, when a few months ago, without warning, no matter how many times I would type it in, it would say I was entering the wrong password. After 3 attempts it would lock me out and I would have to re-register for online banking.
So I have to register again, then it would work (because you can click "continue to online banking" straight from the registration confirmed page, so it doesn't prompt you for credentials), until I logout, then when I try to log in again I get exactly the same error.
It came to be that every time I wanted to log in to online banking, I had to re-register. After doing this 4-5 times, I kind of gave up, and just moved my account across to a competitor, along with all my Direct Debits and savings, thereby ridding myself of this problem (not to mention that my faith in their ability to actually keep my account secure is in doubt, if they can't do something as simple as count the number of characters in my password, I dread to think how the rest of their system is coded).
Your title might actually be the answer
- If you have that god awful IBM Trust software installed (Nat West really really pushes to have it installed) there is a setting that converts some l3tt3rs into numb3rs.
Can't remember what it is precisely, but it caused my wife's work business account no end of problems due to it. Took ages to find that out. Of course there's nothing on the Nat West site to check it.
" this writer was asked to enter the 11th digit of a password to an online account that only contained nine characters."
This probably stems from another frequent failure in password specification. They always specify n_charsmin, but very rarely n_charsmax. Isn't it time there was a standard for this stuff?
A standard? There are lots of standards. Just pick one.
No, no, no. *Far* more fun to generate another one. After all, even if it only becomes the standard in your organisation, it'll be your standard and they can never sack you..
Especially if you make it as internally-consistent as Windows.
I really hate this "Enter the 1st, 3rd, 10th characters of your password" BS.
a) As a user, if you know the password, it's much easier to just type the whole password than faff about with identifying the nth characters
b) From a security POV, it means that the server somewhere has access to the plaintext password so it can compare nth characters, instead of hashing the passowrd when it is set, storing the hash and forgetting the password. So it's less secure than using the whole password
"From a security POV, it means that the server somewhere has access to the plaintext password so it can compare nth characters, instead of hashing the passowrd when it is set, storing the hash and forgetting the password. So it's less secure than using the whole password"
While you make a good point about using using a password hash rather than the password, the servers handling authentication are much less likely to have been compromised with malware due to little Johnny browsing soapytitwank.com (or similar delights) than your browser / PC / phone i.e. in real life making users type in their whole password on a personal device is probably less secure.
"the servers handling authentication are much less likely to have been compromised with malware"
OTOH if your device is compromised you lose control over your own passwords and, frankly, the bank isn't going to care about that. If the authentication server is compromised they lose control over everyone's passwords and. of course, the bank ... Yes, you can see why they're choosing such an insecure option.
Seriously, there are two aspects to risk. One is the probability that something will go wrong, the other is the scale of going wrong.
Would it not be possible to hash each character in your password, add a slat to it as well to make it a bit harder to brute force if the DB bacame compromised.
Unfortunately, that's barely better then storing the password in the clear, since there aren't many different characters (OK, including all of Unicode takes it to ~10^6), and you'd be able to find the password character by character - in parallel if you want.
The interface for a system to store passwords, issue challenges for certain characters, and validate the response seems fairly simple, which should make it much easier to develop a secure, isolated system for this purpose.
In other words, in this case, making sure those passwords won't leak seems achievable, with reasonable care.
However, the implementation also seems like it should be fairly simple, which ought to preclude the sort of issue in this story...
Are you seriously suggesting the PR dept. who WILL be in "oh sh*t! damage limitation mode" are significantly more credible that a supervisor who has spoken to technical and and put sh*t in writing?
Was it asking for some pre-encryption hash character? Is there an error in handling certain characters...I can think of one major financial co that allows % but not * in passwords.
I abandoned NatWest in the 1990's when they were still insisting you needed to use IE with ActiveX controls to access online banking as other browsers "weren't secure".
To be honest, working in IT back then, I was hardly the front-runner of new technology in everyday life anyway, but I just moved to a bank that had a vague understanding of what SSL actually did.
PayPal recently allowed me to set a password that was longer than their maximum, then kept refusing my login, presumably because it was truncating my input before comparing hashes, so I had to jump through the hoops to reset it. I figured out the problem by trial and error.
On a related issue, the practice of the UI not telling you the password requirements until after you've typed one that doesn't meet them, is still rife, and still wasting people's time.
Yes, I wondered if that was what happened here and that the 11th character was recorded somewhere. It’s happened to me, allowing more characters entered and seem accepted, on several sites. If you use a password manager you are confident you have entered the right password and so it’s worth finding out what the max number is and truncating your password.
It's worse than that, they'll ask you to select the (eg) 3rd, 5th and 2nd characters of your password. So, not only does your password have to be somewhat memorable (no copy/pasting, dropdowns only), but presumably to do such a thing, they must be storing your password with reversible encryption.
Yes! I've had this happen, twice, but not recently - probably over a year ago.
When I queried Natwest they suggested that I might have mis-keyed the customer number and thereby attempted to log into another customer's account - one with a longer password than mine.
I guess this is possible so since then I've been very careful to get it right. If it happens again I'll know it's their fault.
So just to be clear. The bank ask for the nth digit of your password and compare it to what?
Doesn't this method of security (asking for 3 out of n digits/characters of your password) require that the password is itself stored in plain text or did I miss the bleeding obvious (yes, yes, I guess you could encrypt the password, but do you decrypt it into secure memory? and do you keep the encryption key safe?).
Paris as the dumb-blonde look may yet come back to haunt me :D
The password will be stored in a database, encrypted by a key. The key will be held in an HSM. The 3 characters and their positions will be passed to the HSM (it's a standard function call for HSMs) where the encrypted password will be decrypted, the characters matched and a yes/no answer returned. All of this will happen within the HSM - so the password is never exposed.
> You can believe that all you want but I know for certain that a major non-banking player in the UK held plain text passwords because I manipulated them into telling me what my password was.
The password could be stored using reversible encryption, PCI compliance allows this for card numbers which don't change often if at all.
Of course the "encryption" could just be strrev() or Igpay Atinlay and nothing excuses giving out passwords. Bad major non-banking player!
I once had a standing order set up, transferring money from my Sister's account to my savings account.
I got a letter one day, stating something to the effect of "There is not enough money in your account, to transfer from your sisters account to yours. We have charged you £25"
I went into the bank and asked them to explain. They read it, then re-read it a few times with a confused expression, then said it was clearly a mistake and they'd sort it out.
A few days later, my Sister got a letter: "There is not enough money in your Brother's account, to transfer from your account to your Brother's account. £25 - ker-ching"
Mind you, I still bank with them...
Ha, Nat West.
Back in 1991 (long story short) I wanted to close my account with them. They wanted to photocopy my Forces ID card, and refused to allow me access to my funds unless I did so. I refused to leave the bank, so they threatened to call the police. I was only too glad to oblige, knowing Plod would call the RMP, and when Plod arrived, they duly did.
RMP listened for about thirty seconds before calling in SIB
Cue the bank manager trying to explain why he had over 700 photocopied ID cards as he was led away in handcuffs, charged under the Offical Secrets Act.
Still gives me a little giggle.