Channel: Non sum qualis eram.

Security: My Bank is DOIN IT RAWNG! (but not quite as wrong as before)

I have griped privately in the past about my bank (well, credit union, but functionally identical for this purpose) not being all that smart in regards to its security authentication practices for their online banking system. When you have an account with them*, you have the option of signing up for what they refer to as NetBranch, which has quite a few useful features. It also has a few features that could get you screwed royally if someone breaks into your account. Thus, their methods of authentication matter.

Under the old system, your user name was the significant** subset of your account number, which is 8 digits; an easy way to set up automated account creation. While non-optimal in my opinion, this is an acceptable way to do things, as someone should always have their account number handy, either on a check, or deposit slip, or on their debit card. Passwords under the old system were a string of no more than 8 characters, with apparently no other criteria to match against. (I say this because, for a very short time, my mother's password was a rather-unknown-but-in-full-compliance-with-normal-English-language-rules single word with no capitalization. [I fixed that rather quickly when I discovered it.]) Yes, I said no more than 8. That is not a typo. I found this out when using one of my variations-on-a-theme standard passwords which was 9 characters, only to find that the input field on the page itself capped length at 8. I was not so pleased that day.

There is also a second tier password, referred to as a 'security question', which is presented if one does not send a specific cookie at login. The security question can be bypassed after the first presentation with a 'remember this device' option. The questions offered are stock, but the answers themselves are freeform text, which I have not yet run into the limits on.

Recently, they announced that they were changing the system, which, in addition to adding a few meta-account features we will not go into just yet, also mandated a new user name. I became acquainted with the new system yesterday, when, after logging in the old-fashioned way, I was presented with the following*** message:

We are upgrading your NetBranch Online access. With these enhancements, you will use one username and password to access all your [BANK] accounts instead of using your account number to log on to each of your individual accounts.
What does this mean for you? Your account access will be more convenient and even more secure, because you'll be using a unique logon you create to access your information.
What do you need to do? Please update your username and password. Once you select your name from the list below, you will be asked a series of questions to verify your identity. The questions are pulled from your public records, and are not connected to your credit report or other sensitive personal information.
Examples of questions that might be asked include data related to your vehicle or home purchases, addresses or other similar information. This information is public data and [BANK] does not furnish it. It is used solely for the purpose of establishing your identity. Once you have successfully completed the questions, you will have the opportunity to choose a new username, password and security question.

Below that message was a drop-down list which had both account holders' names listed.

This concerns me for multiple reasons:
First of all, there is the fact that you could get to this screen by picking the right ticket out of a hat of 663420431289062500000000**** possibilities, which is not entirely impossible. Pick the correct ticket, and you are presented with a list of account holders. So, there you have an account number and a name to go with it.
Second, once getting this far, you know that further verification is coming from public records. And now you know what to research to get full access to this account.
Third, once you select the name you wish to create a new login for, you are presented with a series of four questions. In my case, two of those questions were address-related, one was education related, and one was transportation related. One of them I was not even sure of, and another was infuriatingly non-accurate*****. After that round, I was presented with another question (I think I got one of the first round wrong) which, aside from being difficult to know the answer to naturally, is also trivially easy to discover without much work.

Once you get past the public information 'identity verification' questions, you are presented with the new login creation form, which has its own joys and horrors.
Usernames must be 8 - 20 characters long, start with an alphabetical character, contain a numeric character, and not contain invalid special characters. While the length is an improvement, why are we working so hard for entropy in the user name? Why are we including a number, but it cannot be the first character? Apparently, [BANK] wants to field more calls along the lines of 'I don't know my username'. Making it hard to say who you even are is just mind-numbingly silly.
Passwords are at least sensible, required to be 8 - 20 characters long, not contain invalid special characters, and meet the 3-of-4 rule. This is passwords-done-reasonably, at least, and where you want the entropy. (Telling you who I am should be easy, proving it is the part you want me to work for.)
And we must recreate our security question. Stock list of 'anybody COULD know this' questions, and a free-form answer field. AHA, so there is a limit on how long the string can be (15 characters? You want the SECURITY question to be LESS difficult than the actual login information?)
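The two policies and the footnote's search-space arithmetic, as an added example (this is not the bank's code, nor anything from the original post): the functions below encode the old 8-character cap, the new username and password rules, and count how many strings each scheme actually permits. Two things are assumptions, not the bank's spec: the whitelist of "valid" special characters (the post never lists the invalid ones), and the reading of "3-of-4" as "at least three of upper, lower, digit, special". The counting function is general (any number of classes, any minimum), which goes beyond the single 3-of-4 case in the text.

```python
"""Model of the old and new NetBranch login policies as described in the post,
plus the search-space arithmetic from the footnote. Added example; the special
character whitelist and the meaning of "3-of-4" are assumptions."""
import itertools
import string

# Assumed reading of the "3-of-4" rule: at least three of these four classes.
# The special-character whitelist is a guess; the post does not list the
# "invalid special characters" the bank rejects.
CLASSES = {
    "upper": string.ascii_uppercase,
    "lower": string.ascii_lowercase,
    "digit": string.digits,
    "special": "!@#$%^&*()-_=+.,?",
}
ALLOWED = set("".join(CLASSES.values()))


def old_password_ok(pw: str) -> bool:
    """Old scheme as the post describes it: at most 8 characters, nothing else."""
    return 1 <= len(pw) <= 8


def new_username_ok(name: str) -> bool:
    """New username rule: 8-20 chars, starts with a letter, contains a digit,
    and nothing outside the (assumed) whitelist."""
    return (8 <= len(name) <= 20
            and name[0].isalpha()
            and any(c.isdigit() for c in name)
            and all(c in ALLOWED for c in name))


def new_password_ok(pw: str) -> bool:
    """New password rule: 8-20 chars, whitelist only, at least 3 of 4 classes."""
    if not (8 <= len(pw) <= 20) or not all(c in ALLOWED for c in pw):
        return False
    present = sum(1 for chars in CLASSES.values() if any(c in chars for c in pw))
    return present >= 3


def count_strings(length: int, class_sizes, min_classes: int) -> int:
    """Number of strings of `length` over disjoint character classes that use at
    least `min_classes` distinct classes, by inclusion-exclusion: for every set
    of classes `chosen`, count strings using exactly those classes, then sum
    over all sets large enough to satisfy the rule."""
    total = 0
    idx = range(len(class_sizes))
    for k in range(min_classes, len(class_sizes) + 1):
        for chosen in itertools.combinations(idx, k):
            exact = 0  # strings drawing from every class in `chosen`, none else
            for j in range(k + 1):
                for sub in itertools.combinations(chosen, j):
                    alphabet = sum(class_sizes[i] for i in sub)
                    exact += (-1) ** (k - j) * alphabet ** length
            total += exact
    return total


def old_space_footnote() -> int:
    """The footnote's figure: 10^8 account numbers times 95^8 printable passwords."""
    return 10 ** 8 * 95 ** 8


def old_space_lowercase_words() -> int:
    """Same search, if the attacker bets on lowercase-only passwords of 1..8
    characters (a plain English word would fall in here). This is the
    footnote's "shrinks considerably" made concrete."""
    return 10 ** 8 * sum(26 ** n for n in range(1, 9))


def new_password_space_min_length() -> int:
    """3-of-4 passwords at the new minimum length of 8 over the whitelist."""
    sizes = [len(v) for v in CLASSES.values()]
    return count_strings(8, sizes, 3)


if __name__ == "__main__":
    # Constructed sample inputs, not real credentials.
    for name in ("bob", "bobsmith", "bobsmith1", "1bobsmith"):
        print(f"username {name!r}: {new_username_ok(name)}")
    for pw in ("wombat", "Wombat12", "wombat12", "Wombat!2"):
        print(f"{pw!r}: old ok={old_password_ok(pw)} new ok={new_password_ok(pw)}")
    print("footnote space       :", old_space_footnote())
    print("lowercase-only guess :", old_space_lowercase_words())
    print("new 8-char 3-of-4    :", new_password_space_min_length())
```

The point the numbers make is the one the post makes in words: the 10^8 × 95^8 figure is the ceiling, and an attacker who assumes the old scheme's real-world habits (short, lowercase, dictionary-ish) is searching a space roughly twelve orders of magnitude smaller. The new 3-of-4 rule does not enlarge the alphabet much; what it does is forbid the lowercase-only corner the cheap guesses live in.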

And you're done. Assuming the username you wanted is unused, and you did not use any invalid characters, you have just successfully and 'securely' created a new account on [BANK]'s system. Which, as a bonus, gives you access to ANY account that the name you chose earlier is entitled access to. (I told you we'd come back to those meta-account features.) Automatically. Without even attempting to link them yourself. So, if I had access to 2, 3, or 30 accounts with them, whoever just got that login has access to those too. Without the layer of 'at least only one account at a time is at risk.' Which, personally, ok, I'd have linked them anyway, because I'm lazy, but it would have been very nice to have been given the option.

I'm really not sure what I want to do about [BANK]'s actions here. Admittedly, they're trying, I guess, but this level of trying does not inspire my confidence.




*We are being nice and not identifying them publicly here.
** Significant in that leading 0s could be dropped.
*** Sanitized to protect the institution in question
**** There are 10^8 account numbers, and 95^8 possible passwords (if one is generous and assumes all ASCII printable characters are valid for the old password scheme). 10^8 = 100000000, 95^8 = 6634204312890625. If one optimizes for known password mechanics, that number shrinks considerably.
*****Do YOU remember the year model of your ride 4 cars ago? Or that if you went to College X, and they changed their name to College Y after you left, you are considered to have gone to College Y?
