
Schwab password policies and two factor authentication

257 points | jeremyt | 11 years ago | jeremytunnell.com

123 comments

[+] cddotdotslash|11 years ago|reply
I just called Schwab about this, and hand to whatever deity you believe in, this is what he told me:

Representative: "One of the things we were trying to do with these passwords was make them different from other providers. So we know that they allow multiple character types, and are case-sensitive, so we decided to make them different. That way, you can't use the same password you've used elsewhere and it kind of forces you to come up with a new one."

Me: "...that is... I can't even explain how terrible that is."

Representative: "Well, Schwab does care about your security and as far as the 8-character limitation goes, the reason you can enter any arbitrary text afterwards is so that if someone is looking over your shoulder they can't tell that it only accepts 8."

Points for thinking on his feet?

[+] egsec|11 years ago|reply
"you can enter any arbitrary text afterwards is so that if someone is looking over your shoulder they can't tell that it only accepts 8"

Except it is public knowledge that there is an 8-character limit. Very basic footprinting would make it clear to only pay attention to the first 8 characters.

[+] darken|11 years ago|reply
This justification actually makes some sense to me (Software engineer familiar with crypto.)

If an attacker already has access to the password hashes, then yes, they can brute force any 8 character case-insensitive password easily.

However, a brute force "try to login to their site" attack isn't feasible without hitting a rate limit or alarm: (26+10)^8 = 2.8*10^12 is still a lot of attempts to login to an account.

The weakness to this model is the password. It is easiest to guess your password if it was the same one on your Sony account (i.e. leaked). However, if you're forced to pick a unique password just for Schwab, it's immune from the most common [citation needed] attack on passwords. Also, it makes the Schwab password useless for hacking other databases, making user passwords a less valuable target for hackers.

If the tradeoffs are worth it: I have no idea, but it's not without merits. I personally like using a password manager with 2-factor authentication and generating all new random PWs for my accounts. I generally don't use more than 8-character passwords, since they're isolated from each other anyways. I would be negligibly less secure using this with Schwab's constraints than other sites, as the security lies in isolating passwords. (I use https://lastpass.com/)

[+] arenaninja|11 years ago|reply
I love the arbitrary restrictions that all these sites come up with that ultimately make them less safe. Yesterday I was setting up some stuff for somebody who knows nothing about tech. IIRC it went like this:

* Google: no restrictions, as far as I could tell.

* Apple: password not accepted because it MUST contain at least one uppercase letter.

Of course, simply knowing that one of the characters MUST be an uppercase letter significantly decreases the number of combinations available.

[+] chris_mongohq|11 years ago|reply
Oddly, their password field is limited by size, but their username isn't. I have a 30 digit random character username.
[+] kevinburke|11 years ago|reply
I had pretty much the same experience with Virgin Mobile last year (passwords limited to 6 digits, no brute force protection). I finally told the guy I got escalated to that if they didn't do anything I'd call the NY Times, Consumerist, Gawker, CNET, Ars, etc and tell them about it.

They didn't do anything, so I sent around the article and pretty much every publication I sent it to ran with it. After that they took down the login page for about nine hours and brought it back up with brute force protection.

https://kev.inburke.com/kevin/open-season-on-virgin-mobile-c...

[+] dmix|11 years ago|reply
Hmm, this might motivate me to take my complaining about security beyond twitter.
[+] userbinator|11 years ago|reply
To activate my newly received token, I was instructed to go to the homepage and append the six digit token code onto the end of my password during a login attempt.

This sounds like a symptom of the multilayered bureaucracy that often goes on in banks and similar institutions - a change to the UI to add something as simple as an extra field for the token code, and the changes required to hook it up to the backend, might have been accompanied by so much "enterprisey" management red-tape cruft (specification writing, approval documents, approval meetings, meetings for scheduling meetings - I wish I was joking, etc.) that it made the programmers find creative ways around the system.

At the least, if I were forced to concatenate fields, I'd use a separator that couldn't occur in either one, like a comma or something else that their password policy didn't allow... but then again, I wouldn't be surprised if something else in their system would reject that.

[+] ufmace|11 years ago|reply
I've been coming to an opinion on these issues that may be unpopular with the tech crowd: The big banks have the right idea when it comes to security, and we are misguided at best with our obsession over the minutia of password handling.

Why? All of these big banks and investment houses have holdings in the neighborhood of billions of dollars. Like billions in actual cash. If they are so vulnerable and insecure, why aren't all of the hackers targeting them, with their potential upside of billions of dollars in cash, and instead target little web apps to steal some credit card numbers or user data, worth tens of thousands to maybe a few million on black markets? Think about how much effort we've seen put towards stealing cool Twitter handles and other such trivial things. Does anybody really believe that there aren't many more people working much harder to hack banks, with their billion dollar paydays?

They may not be the greatest on password handling, but the evidence suggests that they have a much more healthy security culture overall than your average internet startup. Apparently, they are worlds better at making their systems secure enough that nobody can steal these user databases in the first place. They most likely also have a pile of fraud detection and validation on account activity, especially anything involving moving significant amounts of money out of the accounts. They are probably in the right on this - what's the point in building a perfect lock for the front door if, once an attacker gets in, they can transfer the whole balance to a Russian bank and nobody will notice? Consider how, with some well-publicized recent hacks, you can apparently do anything at all once you get through that front door at most major tech companies.

I'll happily change my tune if any of these banks get hacked and lose big money. Until then, maybe we should ask these banks how they get it so right overall instead of worrying and hassling them about how long their passwords are and how they're storing them.

[+] superuser2|11 years ago|reply
A substantial volume of low-level fraud occurs every day and is baked into the cost of doing business because that costs less than reengineering fundamentally insecure systems.

A system where you can pull money by knowing a set of "secret" numbers shared with every entity an account holder has ever done business with is just insane to begin with.

We rely on reading transactions after the fact looking for red flags. You can beat the filters sometimes by running millions of credit cards. You can't really expect to move $100 billion from an investment bank to your checking account without anyone noticing and using their central authority to reverse the transaction.

[+] cdolan|11 years ago|reply
Excuse the short answer, with family for the evening. In short I think that the reason you see hackers target web startups and credit cards is because you can get away with it. Example - it's easy to use a credit card, buy something online, and have it shipped to a big office or apartment.

And to steal from a bank account? You'd need another bank account! Bank accounts require you to put up your own personal info, which is a huge barrier for offshore hackers to overcome.

[+] brianpgordon|11 years ago|reply
Did you finish the article? At the end the author claims that their two-factor authentication can be defeated by appending extra characters to your password. In other words, they have no two-factor authentication. This isn't a matter of differing points of view, this is objectively awful.

With computer security, you have to obsess over the minutia because a single vulnerability is all it takes to defeat the system.
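The failure brianpgordon describes is easy to see in code. Below is an added example, not code from the thread, the article, or Schwab: a toy model of the login check as the article describes it (only the first eight characters count, case is ignored, and the six-digit token is appended to the password field) next to the shape a defender wants (full-length, case-sensitive password hashing and a token checked in its own field). The credentials, the token value and the function names are constructed for this illustration.

```python
"""Truncating password check vs. a hardened check (added example).

verify_truncating() models the behaviour discussed in the thread: the server
keeps only the first 8 characters of the password field, lower-cases them,
and expects the one-time token to be typed after the password. Because the
token lands past character 8, it is never examined, so any six digits (or
nothing at all) are accepted. verify_hardened() hashes the whole password
and checks the token separately. All values here are constructed.
"""
import hashlib
import hmac
import os

MAX_LEGACY_LEN = 8          # assumed legacy limit, as reported in the thread
PBKDF2_ROUNDS = 100_000     # assumed work factor for the hardened version


def legacy_normalise(password: str) -> str:
    """Legacy rule modelled from the thread: keep 8 chars, ignore case."""
    return password[:MAX_LEGACY_LEN].lower()


def legacy_store(password: str) -> str:
    """The legacy side stores the normalised password for comparison."""
    return legacy_normalise(password)


def verify_truncating(stored: str, submitted_field: str) -> bool:
    """Vulnerable check: 'submitted_field' is password + token typed into one
    box. Truncation discards everything after the 8th character, including
    the token, so the second factor contributes nothing."""
    return hmac.compare_digest(legacy_normalise(submitted_field), stored)


def hardened_store(password: str) -> tuple[bytes, bytes]:
    """Salted PBKDF2 over the full, case-sensitive password."""
    salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)
    return salt, digest


def verify_hardened(record: tuple[bytes, bytes], submitted_password: str,
                    submitted_token: str, expected_token: str) -> bool:
    """Hardened check: password and token are separate inputs, both compared
    in constant time, and both must match."""
    salt, digest = record
    candidate = hashlib.pbkdf2_hmac("sha256", submitted_password.encode(),
                                    salt, PBKDF2_ROUNDS)
    password_ok = hmac.compare_digest(candidate, digest)
    token_ok = hmac.compare_digest(submitted_token.encode(), expected_token.encode())
    return password_ok and token_ok


def demo() -> dict:
    """Runs both designs against the same constructed credential."""
    token = "123456"                       # constructed one-time code
    legacy = legacy_store("Secret12")
    strong = hardened_store("Secret12")
    return {
        # legacy: correct token, wrong token, and garbage suffix all pass
        "legacy_right_token": verify_truncating(legacy, "Secret12" + token),
        "legacy_wrong_token": verify_truncating(legacy, "SECRET12" + "000000"),
        "legacy_no_token": verify_truncating(legacy, "secret12!!!"),
        # hardened: only the exact password with the right token passes
        "hard_right": verify_hardened(strong, "Secret12", token, token),
        "hard_wrong_token": verify_hardened(strong, "Secret12", "000000", token),
        "hard_wrong_case": verify_hardened(strong, "SECRET12", token, token),
        "hard_extra_chars": verify_hardened(strong, "Secret12xyz", token, token),
    }


if __name__ == "__main__":
    for name, ok in demo().items():
        print(f"{name:20s} {'accepted' if ok else 'rejected'}")
```

The point to take from the legacy half is not that truncation is sloppy but that it silently nullifies a control layered on top of it: a second factor that travels in the same field as a truncated password is checked by nobody. The hardened half fixes both problems at once, and the separate token argument is what makes a regression here visible in a code review.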

[+] paulschreiber|11 years ago|reply
After receiving unsatisfactory responses from my local Schwab rep here in New York and the customer service staff, I complained to Schwab's CISO, Bashar Abouseido <[email protected]>, on September 1.

He never replied.

[+] willis77|11 years ago|reply
Ahh, but he only reads the first eight letters, so all he got from your email was "Greeting"
[+] mariusz331|11 years ago|reply
I've been using Schwab for almost 5 years and hadn't noticed the password limitation until about 2 years ago. My password is pretty lengthy, so when I mistyped the last letter and pressed enter, I expected an error message. Instead, Schwab logged me in. I investigated a bit and ended up contacting Schwab about the "vulnerability". I remember someone quite high up responding saying they were aware of the length limit but that they lock you out after 3 failed password attempts. I didn't validate the claim, but I felt content and moved on.
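Two comments above turn on the same mechanism: darken's point that online guessing against (26+10)^8 combinations is impractical if a rate limit or alarm is in the way, and mariusz331's report that Schwab said it locks an account after 3 failed attempts. The following is an added example, not code from the thread or from any bank, of what such a per-account lockout looks like and how little it leaves an online guesser per day. The thresholds, window and lock duration are assumptions chosen for the illustration; the clock is passed in so the logic is deterministic.

```python
"""Per-account failed-login lockout plus the online-guessing arithmetic
from the thread (added example; thresholds are assumed, not Schwab's).

Note the limit of what this buys: a lockout only constrains the online path.
If password hashes leak, an 8-character case-insensitive password is
exhausted offline regardless, which is darken's own caveat.
"""
from collections import defaultdict, deque


class LoginLockout:
    """Lock an account for lock_seconds once max_failures failures occur
    within window_seconds. 'now' is supplied by the caller (seconds)."""

    def __init__(self, max_failures: int = 3, window_seconds: int = 600,
                 lock_seconds: int = 900):
        self.max_failures = max_failures
        self.window = window_seconds
        self.lock_for = lock_seconds
        self._failures = defaultdict(deque)   # account -> failure timestamps
        self._locked_until = {}               # account -> unlock time

    def is_locked(self, account: str, now: float) -> bool:
        until = self._locked_until.get(account)
        if until is None:
            return False
        if now >= until:                      # lock expired: reset state
            del self._locked_until[account]
            self._failures[account].clear()
            return False
        return True

    def attempt(self, account: str, password_ok: bool, now: float) -> str:
        """Returns 'locked', 'ok' or 'fail'. While locked, even a correct
        password is refused, so a lucky guess is not confirmed to the caller
        until the lock lapses."""
        if self.is_locked(account, now):
            return "locked"
        if password_ok:
            self._failures[account].clear()
            return "ok"
        q = self._failures[account]
        q.append(now)
        while q and now - q[0] > self.window:  # drop failures outside window
            q.popleft()
        if len(q) >= self.max_failures:
            self._locked_until[account] = now + self.lock_for
            return "locked"
        return "fail"


def online_keyspace(alphabet_size: int = 36, length: int = 8) -> int:
    """darken's figure: (26 + 10) ** 8 for a case-insensitive alphanumeric
    8-character password."""
    return alphabet_size ** length


def guesses_per_day_with_lockout(lockout: LoginLockout) -> int:
    """Upper bound on distinct online guesses per account per day: each lock
    period admits at most max_failures attempts before the next lock."""
    return lockout.max_failures * (86_400 // lockout.lock_for)


def years_to_exhaust(keyspace: int, guesses_per_day: int) -> float:
    """Worst case for the guesser: every combination tried once."""
    return keyspace / guesses_per_day / 365


if __name__ == "__main__":
    lk = LoginLockout()
    print([lk.attempt("alice", False, t) for t in (0, 1, 2)])   # fail, fail, locked
    print(lk.attempt("alice", True, 3))                          # locked
    print(lk.attempt("alice", True, 902))                        # ok (lock lapsed)
    per_day = guesses_per_day_with_lockout(lk)
    print(per_day, f"{years_to_exhaust(online_keyspace(), per_day):.1e} years")
```

With the assumed settings an attacker gets at most 288 guesses per account per day, which against 2.8*10^12 combinations is the "not feasible" darken describes; the detection side of the same mechanism is that each lock event is a natural thing to alert on per account and per source.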
[+] Glyptodon|11 years ago|reply
I had a similar experience with Southwest Airlines. They limit their passwords to something absurdly short, and it turned out I'd never noticed - I always typed what I thought was the password, but it was actually ignoring all of it but the first 8 characters even though I typed more in every time. I don't think it's quite as bad as Schwab, but I don't understand why doing passwords so wrong is so widespread.
[+] bjorn2404|11 years ago|reply
It's the same for Wells Fargo. I can type random characters after the password and still login.
[+] greggarious|11 years ago|reply
I pointed this out to them over a year ago: http://norcie.com/2013/09/01/schwab-unsafe/

I went so far as to get in contact with senior staff members at Schwab to alert them to the issue, and got a pretty condescending response.

I mentioned it to a friend at a burrito truck outside the Mozilla office, and soon found out it was a top post on /r/personalfinance.

I got a call from Schwab shortly after that. But the rep I talked to just said they were "working on" allowing more characters in the password.

I must say though, this post does a great job detailing their 2F solution. I never set it up since it seemed like wearing a fishnet condom given the rest of their security, so I never got to see how bad it is.

[+] modeless|11 years ago|reply
I filed a support ticket about the password length. They told me it was due to "government standards" and they would reevaluate after a new standard came out. I didn't inquire further into this obvious BS. They provide a good service otherwise so it's strange that they have this blind spot.
[+] ryan-c|11 years ago|reply
The modern government standard for classified systems is 15 characters minimum.
[+] tuzakey|11 years ago|reply
It may be much worse than you think. Another large brokerage company I know of has similar password requirements. They also have a phone banking system, to use it you have to touch tone in your password. On a whim I tried entering the keypad version of my password on the website and surprise! it worked. Luckily for me there is zero customer liability for fraud on their retirement accounts.
[+] einhverfr|11 years ago|reply
Having worked on some major financial web sites (globally), including password code, I can say a few things that may be relevant.

The thing is, you never get a sense of how bad legacy code can be at restricting options in reforming sanity until you have worked on such sites.

It took me about 5 months to restore sanity to one codebase with a bunch of problems regarding encryption and passwords. Fortunately security was a priority, and not just security checkboxes in PCI requirements but real security. But it wasn't cheap and it wasn't easy, and we ran into a lot of unpleasant surprises along the way.

Looking at this the chance is that you have tons of legacy code, and these fit together in not very nice ways. People are afraid to change things because of PCI requirements, security scan results, etc. And the cost of fixing things may be very high. In these cases, I can imagine a "don't rock the boat" mentality developing and a large part of security-critical code becoming effectively untouchable.

[+] mdaniel|11 years ago|reply
> I've never, ever seen this "append stuff onto your password" approach being used.

Then he doesn't have an eBay or PayPal token, because they both do it. Or rather, it is an option to do it that way, in order to skip over the "submit, enter token, submit" workflow.

https://www.paypal.com/us/webapps/helpcenter/helphub/article...

[+] McGlockenshire|11 years ago|reply
It's worth noting that some of the two-factor systems that integrate with RADIUS also use this same method, where you can't control how the end system prompts users to authenticate.
[+] deet|11 years ago|reply
Not that this is an excuse, but keep in mind that Schwab probably has had the mentality that a compromise of a user's online account, while bad, is not the end of the world.

They have been frustratingly slow in implementing features like linking external bank accounts using trial deposits instead of mailing them a voided check from the external account.

Their slowness to adopt these new features has meant that if you got access to the online account, there wasn't much you could do as a third party that moved money out of the already linked accounts of the victim. You could cause headaches or buy/sell securities but not access the money easily. And if you did link an account or add a biller the victim would get an email.

Things have probably changed recently since I think you can link external accounts now, and there's probably a way to send yourself a check as a bill payment.

Totally not an excuse though.

Note:

I was fooled by the password length as well. Sometimes I would hit what I thought was the wrong last few letters on my phone keyboard yet the password would still work somehow. Turns out you can just type the first eight and be done.

[+] PhantomGremlin|11 years ago|reply
> Schwab probably has had the mentality that a compromise of a user's online account, while bad, is not the end of the world

Hmmm. Where have we heard that before? Yes, Sony!!! There's probably a better link but here is the first one I found: [1]

   Back in 2007, Jason Spaltro, then the executive
   director of information security at Sony Pictures 
   Entertainment, was shockingly cavalier about
   security in an interview with CIO Magazine.
   He said it was a “valid business decision to
   accept the risk” of a security breach, and that
   he wouldn’t invest $10 million to avoid a
   possible $1 million loss.
Has anyone heard recently about how that's working out for them? :)

[1] http://fusion.net/story/31469/sony-pictures-hack-was-a-long-...

[+] polarix|11 years ago|reply
Yeah, this flow is completely nuts. After setting up 2fac, in general, though, the thing to do is probably test that you can't log in without it.
[+] codementum|11 years ago|reply
Like many others, I just filed a support ticket as well. I'd like one of two outcomes: 1. A public response and plan from Schwab, or 2. An alternative bank/brokerage company that a) takes security seriously and b) is easy to move to.
[+] ladelfa|11 years ago|reply
Here's how my rep replied to my email today:

"Schwab takes online security very seriously, and all clients are protected against fraud with our SchwabSafe guarantee. This guarantee is available to review online at www.schwab.com/schwabsafe.

"I reviewed the website you referenced in your email, but this is well outside my area of expertise. To discuss these items, I would suggest you contact our Technology Support Group at the Help Desk. Their number is 800-433-9196."

Uh, no. I'm not going to sit on the phone waiting to tell your Help Desk about why they shouldn't store my password in their DB; that's your fuckin job. I'm much more inclined to spend that hour and a half moving my accounts somewhere secure.

[+] michaelfeathers|11 years ago|reply
Banks aren't technology companies. Someday a technology company will become a bank.
[+] personZ|11 years ago|reply
http://www.businessinsider.com/bank-it-spending-2012-12

The banking system functions largely on the choice, application and integration of technology, and banking is more of a technology business than just about any other. And let's be fair here - Schwab is not a bank, and even among investment firms is an outlier with the noted bad practices.

[+] tootie|11 years ago|reply
We need some sort of internet security reformation. This is even more ridiculous than when the Chase mobile banking app for Android didn't check if SSL certs were authentic before sending credentials.
[+] jdeibele|11 years ago|reply
Thanks for calling attention to this. I've been frustrated by it. One thing that I did was let LastPass generate 32 random characters for the password but used it to change the username. I depend on LastPass to remember that.

It's not much but it was all I could come up with.

My wife wants to use the Schwab app to deposit checks on her phone but I don't trust their security. One lost phone could lead to our retirement funds being transferred to Belize (or wherever).

[+] elahd|11 years ago|reply
I complained to Schwab about their password policies numerous times over the 3 years I was a bank/brokerage customer. A few months ago I finally moved my accounts to TD.

Schwab's standard response was 1) to assure me that they had "intelligent" fraud monitoring systems on their backend and 2) to offer me a hard token, which would have been a pain and may have caused issues with Mint.

[+] flavor8|11 years ago|reply
> A few months ago I finally moved my accounts to TD.

You'll be back to Schwab before you know it. TD are beyond awful. Schwab have pretty much the best customer service going.

[+] cddotdotslash|11 years ago|reply
My response to fraud monitoring: "I have an alarm on my car, but I still lock the doors."
[+] yalogin|11 years ago|reply
I have called and complained many times about their password policies.

They let you choose a random user id, as in, change the user id whenever you want. I bet you the security guys over at Schwab are using that as a reason to not improve password options. I can see the argument being - "The idiotic password limitations are not a big deal because of the random userids".

[+] benguild|11 years ago|reply
Apparently they insure you against someone breaking into your account, but this is clearly the case of a bunch of old boys who don't understand tech being in charge.