My Brokerage Firm Is A Security Vulnerability
In 2012 I discovered that my bank is a security vulnerability. Today, while calling support, I happened upon the realization that my brokerage firm is too. One of the first things the automated system had me do was type in my account password via the number pad on my phone. It was at this point that I was reminded of why I don’t trust anyone with anything. Allow me to explain the red flags that shot up.
Strength in numbers
For the sake of explanation, let’s assume we’re working with a 10-character password. It is the unfortunate truth that many financial institutions place odd limits on user passwords: it is not uncommon to disallow special characters and to cap the length at 12 characters. So for this explanation we’ll use a 10-character alphanumeric password drawn from a-z, A-Z, and 0-9, a 62-character alphabet. That gives us 62^10, roughly 8.39*10^17, possibilities (slightly fewer in practice, because passwords like aaaaaaaaaa are usually not allowed).
Now, think about what I was asked to do. The brokerage firm asked me to type in my password on my phone’s number pad. There are multiple consequences here. First, my password’s alphabet has been reduced from 62 characters to 10, so there are only 10^10 distinct entries. Dividing, 62^10 / 10^10 is about 8.4*10^7: we have reduced the search space by almost 8 orders of magnitude! Are the red flags flying up yet?
Everything is broken
What followed is equally concerning. After punching in 10 numeric keys on my phone, the system successfully authenticated me! Uhm, what?! Depending on which keys were pressed, up to 9^10 (about 3.5*10^9) distinct passwords collapse onto the same 10-digit entry: keys 7 and 9 each stand for nine characters of our alphabet (the digit itself plus four letters in upper and lower case), keys 2 through 6 and 8 stand for seven, and 0 and 1 stand only for themselves. There are a few possibilities that could explain how the firm matched my digits to my password:
- The brokerage firm hashed all (up to) 9^10 strings that my keypad entry could stand for and compared each hash to my hashed password in their database. Not only is this very unlikely (a proper slow password hash would make billions of hash computations per login call prohibitive), but it also means that the 10 digits alone are enough to get in: a collision space of billions of passwords, built in by design.
- The brokerage firm isn’t hashing my password but is storing it under a reversible encryption scheme such as AES. When I attempt to log in, the firm decrypts my password, translates it to its keypad-digit (T9-style) representation (which is extremely easy to do), and compares. But if an attacker or a rogue employee ever obtains that encryption key, every stored password is recoverable, and I’m screwed.
- The brokerage firm is storing a precomputed keypad-digit representation of my password in its database. It’s extremely easy to do and would require almost no additional work on their part. But a 10-digit string has only 10^10 possible values, so even if that representation is hashed it can be brute-forced in moments; this is only negligibly better than storing my password in plaintext.
- The brokerage firm is storing my password in plaintext. If that’s the case, then all hope is lost.
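To put numbers on the two passages above (the 62^10 versus 10^10 comparison, and the up-to-9^10 passwords that share one keypad entry), here is an added worked example in Python. It is not code from the original post or from any brokerage’s system; it assumes the standard ITU E.161 keypad letter layout (2=ABC, 3=DEF, ..., 7=PQRS, 9=WXYZ; 0 and 1 carry no letters), the sample passwords are constructed, and the function names are my own. The last function enumerates the preimages of a keypad entry and hashes each one, which is the first option in the list; it is shown on a 4-character sample precisely because the candidate count grows as 9 to the power of the length.

```python
"""Added worked example (not from the original post): how much of a
10-character alphanumeric password survives being typed on a phone keypad.
Keypad letter layout is the standard ITU E.161 one; sample passwords
below are constructed for the demo."""
import hashlib
import itertools
import math
import string

KEYPAD_LETTERS = {
    "2": "abc", "3": "def", "4": "ghi", "5": "jkl",
    "6": "mno", "7": "pqrs", "8": "tuv", "9": "wxyz",
}

# Character -> keypad digit for the 62-character alphabet a-z, A-Z, 0-9.
CHAR_TO_KEY = {d: d for d in string.digits}
for _key, _letters in KEYPAD_LETTERS.items():
    for _ch in _letters:
        CHAR_TO_KEY[_ch] = _key
        CHAR_TO_KEY[_ch.upper()] = _key

# Keypad digit -> every alphabet character that collapses onto it
# (e.g. "7" -> 7 p q r s P Q R S, nine characters; "1" -> just "1").
KEY_TO_CHARS = {d: [c for c, k in CHAR_TO_KEY.items() if k == d]
                for d in string.digits}


def to_keypad(password: str) -> str:
    """The digit string a caller actually punches in for `password`."""
    return "".join(CHAR_TO_KEY[c] for c in password)


def preimage_count(digits: str) -> int:
    """Number of distinct alphanumeric passwords that map onto `digits`."""
    return math.prod(len(KEY_TO_CHARS[d]) for d in digits)


def keypad_authenticates(candidate: str, stored_digits: str) -> bool:
    """What an IVR that compares keypad digits is really checking."""
    return to_keypad(candidate) == stored_digits


def orders_of_magnitude_lost(length: int = 10) -> float:
    """log10(62^n / 10^n): how much of the search space the keypad discards."""
    return math.log10(62 ** length) - math.log10(10 ** length)


def enumerate_preimages(digits: str):
    """Yield every alphabet string that the keypad entry `digits` could be."""
    for combo in itertools.product(*(KEY_TO_CHARS[d] for d in digits)):
        yield "".join(combo)


def stored_hash_for(password: str) -> str:
    """Stand-in for the firm's stored password hash (SHA-256 only to keep
    the demo fast; a real system should use a slow password hash)."""
    return hashlib.sha256(password.encode()).hexdigest()


def recover_from_hash(digits: str, stored_hash: str):
    """Option 1 from the post: hash every preimage of the keypad digits and
    compare with the stored hash. Candidate count grows as 9**len(digits)."""
    for candidate in enumerate_preimages(digits):
        if stored_hash_for(candidate) == stored_hash:
            return candidate
    return None


if __name__ == "__main__":
    pw = "Sq7Rp3xW9z"                     # constructed sample password
    digits = to_keypad(pw)
    print(pw, "->", digits)               # 7777739999
    print("passwords sharing those digits:", preimage_count(digits))  # 2711943423
    print("worst case for 10 characters:", 9 ** 10)
    print("orders of magnitude lost: %.2f" % orders_of_magnitude_lost())  # 7.92
    # A completely different password that the keypad cannot distinguish.
    print(keypad_authenticates("prsrs3wxyz", digits))   # True
    # Option 1 on a 4-character sample: 9*7*7*9 = 3969 hashes to try.
    print(recover_from_hash(to_keypad("p3dW"), stored_hash_for("p3dW")))  # p3dW
```

The number that matters is `preimage_count`: once the IVR accepts digits, every one of those billions of strings is as good as the real password over the phone, and the strength of the alphanumeric password itself no longer contributes anything.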
I feel like I’m taking crazy pills
All of these options leave me feeling very insecure about my money. I’m inclined to look into transferring my funds to a different company, but if this AAA firm can’t get it right, will anyone?