Bad Security Spotted in the Wild
Working as a UI developer for four years at an XML Security Company doesn’t make you a security expert. But somehow, it does make you notice bad security when you see it. Today, I bring you four examples of ridiculous security policies that I have recently experienced.
Ridiculous Security Policy #1: Washington Mutual
Some time last year, my WaMu ATM card developed a tear and would no longer read properly. I called the 800 number and ordered a new one. It arrived a few days later and a new PIN number arrived separately for security reasons. No problem there. I didn’t like my new PIN though and I wanted to use my old one. So I went into a WaMu branch to change my PIN.
They were very friendly, but not very secure. I was brought over to the PIN machine and was told to enter my new desired PIN.
Me: Don’t you mean enter my old PIN?
WaMu: No, enter the one you want to use.
Me: But how do you know this is my card?
WaMu: Well… if it wasn’t your card you wouldn’t know that it didn’t have a PIN.
Me: I see.
So I changed my PIN and walked out. The next day, my card stopped working and I got another new one in the mail. I guess after I left, they either realized that they skipped the important identification step, or (more likely) they grew suspicious over all my questions and cancelled my card.
Worth pointing out: a year later, I changed my account type and got another new card. I had to enter my old PIN before changing it.
Ridiculous Security Policy #2: Sprint PCS Web Login
The web access on my cell phone pretty much sucks, but I use it often for the web mail feature. I have a copy of all of my regular mail forwarded to my phone so that I can check my mail while waiting in line to change my WaMu PIN. When I first got the phone, I was puzzled by the fact that it seemed like I was randomly asked for my username and password. Since typing in my username involved about 27 key presses, this was annoying.
I called up Sprint to find out why it sometimes let me in and sometimes required a login. The rep was knowledgeable and explained the web app’s security policy to me:
- If you have not connected to the web since you last restarted or powered on the phone, you are allowed in without your password.
- If you have been online within the last 5 minutes, you are allowed in without your password.
- If you have not been online within the last 24 hours, you are allowed in without your password.
This means that the only time you are prompted for your password is if you were online more than 5 minutes ago but less than 24 hours ago. This is absurd.
Me: Why does it need a password at all?
Sprint: It’s a security feature.
Me: But if someone just waited 24 hours or restarted my phone, they could get in.
Sprint: I know. It’s not a very good security feature.
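To make the gap concrete, here is the Sprint rule as the rep described it, modelled next to a conventional idle-timeout rule in which idle time only ever makes the check stricter. This is an added example, not code from the original post or from Sprint; the Session states and time values are constructed for illustration.

```python
"""The Sprint PCS web-login policy described above, beside a conventional
idle-timeout policy (added example, not from the original post).
Session states and time values are constructed for illustration."""

from dataclasses import dataclass

FIVE_MINUTES = 5 * 60
ONE_DAY = 24 * 60 * 60


@dataclass(frozen=True)
class Session:
    """What the phone's web client knows about the user's last activity."""
    online_since_boot: bool          # any web use since the last power-on/restart?
    seconds_since_last_online: int   # ignored when online_since_boot is False


def sprint_prompts_for_password(s: Session) -> bool:
    """The policy as the rep explained it: a password is asked for only in
    the band between 5 minutes and 24 hours since the last connection."""
    if not s.online_since_boot:
        return False   # rule 1: fresh boot, let in without password
    if s.seconds_since_last_online <= FIVE_MINUTES:
        return False   # rule 2: recently active, let in without password
    if s.seconds_since_last_online >= ONE_DAY:
        return False   # rule 3: idle more than a day, let in without password
    return True        # only 5 min < idle < 24 h actually prompts


def idle_timeout_prompts_for_password(s: Session, timeout: int = FIVE_MINUTES) -> bool:
    """A conventional policy: re-authenticate after a restart and after any
    idle period longer than the timeout. Longer idle never relaxes the check."""
    if not s.online_since_boot:
        return True
    return s.seconds_since_last_online > timeout


def states_without_password(policy, scenarios):
    """Names of the scenarios in which `policy` grants access with no password."""
    return [name for name, s in scenarios.items() if not policy(s)]


# Constructed scenarios, one per branch of the policy.
SCENARIOS = {
    "just rebooted": Session(online_since_boot=False, seconds_since_last_online=0),
    "used 2 min ago": Session(True, 2 * 60),
    "used 3 h ago": Session(True, 3 * 60 * 60),
    "used 2 days ago": Session(True, 2 * ONE_DAY),
}

if __name__ == "__main__":
    for label, policy in [("sprint", sprint_prompts_for_password),
                          ("idle timeout", idle_timeout_prompts_for_password)]:
        print(f"{label}: no password needed when {states_without_password(policy, SCENARIOS)}")
```

Run as-is, the comparison shows that the Sprint rule waives the password in three of the four states (including the two easiest to reach deliberately, a restart and a day of waiting), while the idle-timeout rule waives it only for the user who was active moments ago.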
Ridiculous Security Policy #3: Credit Card Verification Codes
I don’t really have a problem with web sites that request the last three digits from the back of your credit card. I mean technically, the longer the number, the less likely it is for someone to get all the digits. The thing I object to is the rationale that some of these web sites use. I’ve seen this multiple times:
Why do you need the three numbers from the back of my card?
By entering your card’s security code, we know that you are in physical possession of the card.
What??? Do those numbers change while I’m sleeping at night? Are humans incapable of remembering an extra three digits (okay, I am, but I suspect that there’s some credit card thief out there who has that kind of memory capacity).
Ridiculous Security Policy #4: ING Direct’s Increasingly Absurd Login
ING Direct takes security seriously. When I first became a member, they would require you to login using your customer number, your PIN, and a question about yourself that changes each time you log in. Questions would be pretty simple — your area code, the first three digits of your social security number, or your zip code.
ING also put in some HTML magic so that your browser wouldn’t store your customer ID and password — even if you wanted it to. This is not unprecedented — lots of sites disable that browser feature. But most of those you can fix by using a bookmarklet that adjusts the page to turn the feature back on. Such bookmarklets don’t work for ING, presumably because they change the field name or something like that.
I figure, so be it. It’s kind of a pain, but I can deal with it. Last month, though, they rolled out their new super-annoying security feature — the graphical PIN pad. Now when you log into ING Direct, you have to use the mouse and actually click the numbers of your PIN on a graphical keyboard. The numbers correspond to letters, which are entered into the password field. If you don’t want to use the mouse, you can still use the pad to cross-reference your numbers to the appropriate letters and type them in manually. This is in addition to the customer number and random question. And it still won’t remember any of these values.
Take a look at this monstrosity:
I had the pleasure of using the graphical PIN pad for the first and last time as I moved my money into Emigrant Direct. By the way, if you get confused by this page and you have to call them for help, just be careful that they don’t fire you as a customer.