October 15, 2007

When good security goes bad

My new job with StubHub came with a host of excellent benefits, including a shiny, new 401K with Charles Schwab. Schwab is generally known as a good, stable company with a strong online presence, so I was shocked by what arrived in the mail today. About a week after signing up for my 401K, I received a letter from Schwab titled “Confirmation of Personal Identification Number Change,” and right below the subject line is the password I had chosen for the website! To make matters worse, the letter came in an envelope from Charles Schwab labeled “Personal and Confidential,” i.e. “STEAL ME.”

This letter got me thinking about all the supposedly strong security mechanisms employed by various online companies that I deal with that just make matters worse. The schwabplan.com PIN # confirmation is just one example. I used one of my common passwords expecting Schwab would treat it with the utmost care. To me, this would mean storing it in an encrypted, non-human readable form. Ideally, the password itself would not be stored at all. Instead, a hash of the password would be stored, and any time I entered my password, the hash of what I entered would be compared to the stored hash. This would protect my password from unscrupulous Schwab insiders, since statistics show that approximately 70% of security breaches occur from the inside.

Instead, not only does Schwab store the password, but they printed it out! Think for a second of all the hands my printed password went through. The printed letter had to be put into an envelope. This may have been handled by a machine, but the machine still has an operator who could intercept the letter. The letter was then handled by a mail clerk at Schwab. From there, it passed through the Schwab postman, a postal clerk at Schwab’s local post office, at least one transport driver (probably more like 5) to get the letter from Ohio to my city, my local postal sorter, and my local postal delivery person. My wife brought the mail in, so that is one more hand.

That makes at least 8, and possibly 15-20 people who had physical possession of my carefully chosen password without my permission. The only thing keeping any of them from stealing my password, and ultimately my money, was a thin envelope. Since I was not expecting this letter to arrive, any one of them could have stolen the password, and I would have never known about it.

So why would Schwab send me my password? Since I had chosen it, in theory I know what it is. If they were worried that I was not the person who changed the password, they could have sent me a letter saying the password had changed on a specific date, and to call them if I was not the person who changed the password. Most likely, the reason they sent out my password was to cut down on their support calls. The letter includes this helpful instruction: “We recommend that you memorize this number and maintain this letter with your personal records.” In other words, we’ve written your password down for you, so you won’t call us. I’m surprised they didn’t print it on a sticker I could affix to my monitor!

So now I’m faced with a dilemma. I can’t change companies, because this is an employer sponsored program. I can’t change my password, because they’ll just mail it to me again! I could choose to not participate, but that would cost me thousands of dollars per year in lost benefits (tax breaks, employer matches, etc). The best I can do is “trust” that the system has not been compromised, or that if it is, Schwab will reimburse me if my account gets “hacked.”

There is a good lesson here for anyone designing password security for a website, or any other computer system. Password security is always a balance between security and usability, but there are some simple steps that make your password system more secure without negatively impacting the user experience:

1) Never, ever store user passwords in clear text. Either encrypt them, or better yet, use a one-way hashing algorithm and store just the hash. This prevents a system admin or DBA from stealing the list of passwords.
2) Never use a social security number as a username or password, and never store it in clear text either. Did I mention that Schwab uses SS# as its username and I cannot change it? This again causes insider issues.
3) Do not log either the username or the password for successful or failed logins. Since Schwab uses my SS# as my username, a log of my username if I mistype my password would invalidate any encrypted storage of that number in their database.
4) Don’t ask for confidential information that will threaten your customers’ identities if stolen as a secondary password. For example, asking for mother’s maiden name, or city of birth, while seemingly innocuous, puts your customers at risk. How? Well, if I can steal their name and mother’s maiden name, I can use that on other poorly designed sites to recover a password.
5) If a user forgets their password, validate some other piece of information before allowing them to reset the password. Preferably, ask them for some transactional data that only they should know, and that changes frequently. For instance, ask them for the last stock they purchased, the last widget they bought, or the last deposit they made. This information changes faster than favorite color, first car, or pet’s name, so its value if stolen is reduced.
6) When a user forgets their password, never send the user the old password via snail mail, e-mail, fax, phone or carrier pigeon. Since you are not storing the password (see #1 above), you won’t have it to send anyway. Right? Instead, give the user a mechanism to change the password. For added security, send the user a confirmation to an alternate address that the password was changed. In other words, if you e-mail them a link for changing the password, send a snail mail confirmation letter. Or call the phone number on record to confirm. It is harder for someone to compromise two communication methods than it is one.
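To make the hashing described above and precepts #1, #3 and #6 concrete, here is an added Python example; it is not code from the original post and has nothing to do with Schwab’s actual system. It stores only a random salt and a PBKDF2-HMAC hash of each password, compares hashes at login, writes an audit log that contains neither the password nor the raw username, and builds a password-change notice that states only that and when the password changed. The account ids, the in-memory “database”, the PBKDF2 work factor and the log-pseudonymization key are all assumptions made for the example.

```python
import hashlib
import hmac
import os
import secrets
from datetime import datetime, timezone

# Constructed in-memory stand-ins for a real user database and audit log.
USERS = {}       # username -> {"salt": bytes, "hash": bytes}; no plaintext ever stored
AUDIT_LOG = []   # one dict per login attempt; never the password, never the raw username

ITERATIONS = 200_000                # assumed PBKDF2 work factor; tune for your hardware
LOG_KEY = secrets.token_bytes(32)   # assumed to live in a secret store in a real deployment


def _hash_password(password: str, salt: bytes) -> bytes:
    """One-way, salted hash. The plaintext never leaves this function."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)


def create_user(username: str, password: str) -> None:
    """Precept #1: keep only salt + hash. The username is an opaque account id, not an SSN (#2)."""
    salt = os.urandom(16)
    USERS[username] = {"salt": salt, "hash": _hash_password(password, salt)}


def _log_attempt(username: str, ok: bool) -> None:
    """Precept #3: record the outcome, but neither the password nor the raw username.

    A keyed, truncated HMAC of the username lets an analyst correlate repeated
    attempts against one account while keeping the identifier out of the log file.
    """
    tag = hmac.new(LOG_KEY, username.encode("utf-8"), "sha256").hexdigest()[:12]
    AUDIT_LOG.append({
        "ts": datetime.now(timezone.utc).isoformat(),
        "account": tag,
        "result": "success" if ok else "failure",
    })


def verify_login(username: str, password: str) -> bool:
    """Hash what was typed and compare it to the stored hash in constant time."""
    record = USERS.get(username)
    if record is None:
        # Hash anyway so an unknown account costs the same time as a wrong password.
        _hash_password(password, os.urandom(16))
        ok = False
    else:
        ok = hmac.compare_digest(_hash_password(password, record["salt"]), record["hash"])
    _log_attempt(username, ok)
    return ok


def change_password(username: str, new_password: str) -> str:
    """Precept #6: replace the stored hash and return the notice for the alternate channel.

    The notice says only that and when the password changed; it carries neither
    the old nor the new password, so there is nothing to steal from the envelope.
    """
    salt = os.urandom(16)
    USERS[username] = {"salt": salt, "hash": _hash_password(new_password, salt)}
    when = datetime.now(timezone.utc).strftime("%Y-%m-%d")
    return (f"Your online access password was changed on {when}. "
            "If you did not make this change, call the number on your statement.")


if __name__ == "__main__":
    # Constructed walkthrough: enroll, log in, mistype, change password, inspect the log.
    create_user("acct-0001", "correct horse")
    print("login ok:", verify_login("acct-0001", "correct horse"))
    print("typo ok:", verify_login("acct-0001", "correct hors"))
    print(change_password("acct-0001", "new passphrase"))
    for entry in AUDIT_LOG:
        print(entry)
```

Note what the stored record and the log look like: a DBA reading `USERS` sees 48 random-looking bytes per account, and an operator reading `AUDIT_LOG` sees a timestamp, a 12-character pseudonym and a result. Either could be mailed in a “Personal and Confidential” envelope without giving away anything worth stealing.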

For the record, Schwabplan.com violated at least 4 of these precepts. I don’t know how they log failed password attempts, so I can’t speak to #3, but I don’t have high expectations. I expect to see a press release in the future that their security has been “compromised,” but they “take security seriously.”

Did I mention I am now a LifeLock affiliate? When financial companies treat our personal information so poorly, services like LifeLock may be the only answer. Check them out!


5 Comments »

  1. Darrell Wright said,

    October 15, 2007 @ 11:00 am

    One thing to remember is the people they are dealing with. These are the same people that already printed out the page with the password and put it in a file so that they can later use it to logon to the site.

    Now if what they wanted was a way to verify the tie between the physical you and the online you, there are definitely better ways. Especially seeing as this does neither. Something like mailing you the password that allows you to be asked more questions. Somewhat the beginning of a CHAP session.

    But, back to my original point. The people they are dealing with most likely requested something like this. Also, the laws around opening others mail are very severe compared to intercepting wire communications.

  2. Matthew’s Weblog » Wishful Security Thinking said,

    October 17, 2007 @ 9:29 am

    […] that his password had been mailed to him in plaintext from his ’shiny, new 401k’ and he wrote about the disconcerting experience of a financial services company being careless with securi…. Having worked in a financial services company, I can only say that the troubles he encountered are […]

  3. Schwabbed said,

    November 7, 2007 @ 4:36 pm

    Yeek! Yes, they really are that “steal me” about this info there, but it doesn’t matter because whenever the markets are getting squirrelly you can’t even log into their site for a day or two, because they’re so busy taking care of important people. Or something.

    No, if you selected the email-only choice you don’t get anything in the US mail.

    When we got moved to Schwab they were pushing the email/web option but it then (maybe still) required the user to agree that if their software says you clicked on “Yes” then you can’t argue that didn’t happen. It seemed pretty dumb.

    I went through this password question with my own employer when all got switched to Schwab a few years ago.

    That was before Schwab even had their cute little PIN option.

    I was just hoping to turn up a blog discussing the actual choices Schwabplan offers.

    Things like:
    Charles Schwab Stable Value Fund

    WRAP ISSUERS*
    1. AIG Financial Products 16.2%
    2. AEGON 16.2%
    3. Bank of America 16.2%
    4. IXIS Financial Products 16.2%
    5. State Street Bank 16.2%
    6. UBS 16.2%

    Is this “State Street Bank” the same entity as the State Street being sued in the news for putting people’s money into wildly risky stuff inappropriately?

    Yes, I’ve asked Schwab’s help email folks that several times. No response.

  4. JR said,

    May 20, 2008 @ 6:38 pm

    I have a Schwab account and just the other day I went to log in. For the last character of my password I hit the wrong key, and it logged me in. So I decided to sign out and sign back in hitting the wrong key again… and in I am logged!?!?!

  5. John Dunkelberg said,

    September 20, 2011 @ 6:29 am

    It’s 2011 now and Charles Schwab still hasn’t fixed this – I just ran into it. Needless to say I won’t be putting any money there beyond my 401k match level.

©2006 William L. Dougherty • Design based on Corporate Pro by Mystical Twilight ·