One cannot ignore the amount of online banking users in today’s networked economy. We have become accustomed to relying on the banking industry to implement best of breed security practices and standards. Notwithstanding, a recent security study by the University of New Haven Cyber Forensics Research and Education Group (UNHcFREG) revealed that major banks adopt what some may regard as substandard password policies. These policies lead to a number of different passwords allowing access to one’s bank account due to the case-insensitive passwords adopted by some these banks.
Online banking is the most convenient way to handle our finances as it allows us to manage everything without actually leaving our bed; all a customer needs is to enter a username and password – unless two factor authentication is employed – which is highly advised by security experts. Once logged in, customers can transfer funds, make deposits by taking pictures of their checks, and even pay their bills. While online banking offers great convenience it is also an avenue for attacks. Consumers believe that banks with more than a million customers should have strong security mechanisms in place to protect accounts – starting with password policies.
Password policies are guidelines on how to create valid and strong passwords. Most applications require a mixture of uppercase, lowercase, numbers and sometimes, special characters. A password is case-sensitive if the authenticating method differentiates between uppercase and lowercase characters. For instance, “ABC” and “abc” should be treated as different passwords.
The topic of case sensitive passwords was explored by five undergraduate researchers at UNHcFREG – Walter Gordillo, Jeremiah Wright, Kevin Gonzalez, Bekhzod Umarov, and Daniel Tornero – together with their advisors, Dr. Frank Breitinger and Dr. Ibrahim (Abe) Baggili (co-directors of the University of New Haven Cyber Forensics Research and Education Group). They were interested in the following research question: “Do banks actually use the highest standards with respect to their password policies?”. In order to find answers to this question, they conducted a study of password policies of seventeen major banks in the United States.
The investigation revealed that out of these seventeen major banks six (~35%) of them have a significant weakness in their password policy – they ignore case-sensitivity. In total, this security weakness may impact more than 350 million customers nationally more than the population of the United States.
Wells Fargo (70 million customers),
Capital One (50 million customers),
BB&T (undisclosed amount),
Webster First Federal Credit Union (undisclosed amount)*,
Chase Bank (50 million customers), and
Citibank (200 million customers).
In the second step of the research study, we attempted to contact the banks to inform them about this issue and tried to ask for a statement why they decided to pursue a weak password policy. It turned out that it is almost impossible to contact and notify them about a security issue – we couldn’t find any e-mail address or phone number to report this security issues, but some banks offered phishing notification e-mail accounts and phone numbers. This coincided with earlier findings when we tried to contact App-developers about security issues we uncovered in mobile messaging applications.
Therefore, all banks were contacted through their regular hotlines. Our conversations with the representatives showed that most of them are only trained for everyday business activities. For instance:
one organization was adamant that they have a case-sensitive password policy, but our testing showed otherwise
one organization was not even aware of the existence of a security / IT-department
one organization simply said that this is their policy without any further statement or explanation
Although one may argue that there is no such thing as perfect security, institutions that provide financial services to millions of people should always aim for having the highest-level security possible. However, our findings raise important questions: why do social networking platforms and many others not related to personal and business finances adopt much stricter password policies? One can easily argue that a bank account is way more important than a Twitter account. Furthermore, why do these banks go out of their way to make the password policy less secure (implement a function to ignore case-sensitivity)?
Here are some of the more technical details what case insensitive password means: By default, there are 26 letters in English. US layout keyboard produces 52 letters (lowercase + uppercase) + 10 numbers = 62 unique characters (special characters not included). If passwords are case-insensitive, meaning that the computer will not differentiate between uppercase and lowercase characters, we lose 26 (half of 52) characters from the password resulting in 36 possible unique characters. This makes all used passwords more vulnerable to hacking attacks as it is easier to guess the password, e.g., “YourLastName2015”, “YoUrLaStName2015” and “yourlastname2015” would all allow access to your account.
*Please click here for a clarifying press release as to Webster First Financial Credit Union (Update: 03/21/2016).