Charles Schwab’s Poor Password Policy is Apparently Part of Their “Multi-Layered Defense”

One of the perks of being a graduate student is conference travel. Since research in computer science moves so quickly, we publish in conferences instead of journals, and our universities reimburse us for this travel. Over the years I’ve become adept at doing this travel as cheaply as possible. Charles Schwab offers a free checking account that reimburses you for any ATM fees you incur. That’s right – no ATM fees, ever. This is great news for someone who frequently travels. No more hunting for a no-fee ATM, and no more dealing with foreign currency exchange fees – just withdraw the money you need as you need it!

Schwab Bank also doesn’t charge any monthly fees, provides free checks, and has a higher interest rate than my previous bank, so last year I opened an account with them.

More recently, I had just returned to Indiana from a summer internship in the Bay Area, and was going over my budget for the year. During that process, I decided to change my password. When I typed in my desired new password, I noticed that only 8 dots appeared, even though my input was longer than 8 characters. Interest piqued, I logged out and attempted to log in using only the first 8 characters of my password. I was granted access – the interface apparently ignores anything beyond the 8th character.

This is a major design flaw – an interface should not fail silently. Further, it is a huge security issue. Passwords of eight characters or fewer are extremely vulnerable to offline guessing attacks. There have been a lot of advances in this space in the past ten years. You can rent GPU clusters on Amazon for dirt cheap. Full sets of rainbow tables are available for keyspaces that small, and the hard drive space to store them is quite economical – a 4 terabyte hard drive is about $400 on Newegg, and cloud storage is even cheaper.

If Charles Schwab suffered a security breach which resulted in the loss of their password database, salting the hashes would stop the attackers from using rainbow tables, but a determined attacker using a large GPU cluster could probably crack a significant number of their customers’ passwords.
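To make the failure mode concrete, here is an added example (not code from the original post, and not Schwab’s code) of the silently truncating pattern described above beside a version that hashes the full password and rejects over-long input explicitly. The constants, the PBKDF2 parameters and the 94-symbol alphabet are assumptions for the example.

```python
import hashlib
import hmac
import os
from math import log2

# Constructed policy constants for this example, not Schwab's real settings.
TRUNCATE_AT = 8            # the silent cut-off the post describes
MAX_LENGTH = 128           # explicit, enforced upper bound in the hardened store
PBKDF2_ITERATIONS = 50_000

def _hash(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERATIONS)

class TruncatingStore:
    """Vulnerable: only the first TRUNCATE_AT characters are ever hashed, so any
    input sharing that prefix verifies as the same password."""
    def __init__(self):
        self.users = {}

    def set_password(self, user, password):
        salt = os.urandom(16)
        self.users[user] = (salt, _hash(password[:TRUNCATE_AT], salt))

    def verify(self, user, password):
        salt, digest = self.users[user]
        return hmac.compare_digest(digest, _hash(password[:TRUNCATE_AT], salt))

class FullLengthStore:
    """Hardened: the whole password is hashed and over-long input is rejected
    explicitly rather than trimmed behind the user's back."""
    def __init__(self):
        self.users = {}

    def set_password(self, user, password):
        if len(password) > MAX_LENGTH:
            raise ValueError(f"password exceeds {MAX_LENGTH} characters")
        salt = os.urandom(16)
        self.users[user] = (salt, _hash(password, salt))

    def verify(self, user, password):
        if len(password) > MAX_LENGTH:
            return False
        salt, digest = self.users[user]
        return hmac.compare_digest(digest, _hash(password, salt))

def keyspace_bits(length):
    """Entropy of a uniformly random password of this length over the 94 printable
    ASCII symbols; truncation caps every user at keyspace_bits(TRUNCATE_AT)."""
    return length * log2(94)
```

With the truncating store, a 25-character passphrase is worth about 52 bits of guessing work rather than the roughly 164 bits the user believes they chose.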

So back to the present. I decided this was a serious issue, and I needed to alert Charles Schwab. Schwab didn’t have a specific contact form to report security issues, and this didn’t seem like the kind of thing you report via a customer service form. DuckDuckGo didn’t help me find someone senior in their security department. Luckily, I knew just who to talk to. After a brief email exchange with Chris Soghoian, I got the email for the “Managing Director of Information Security Risk Management” at Schwab.

I sent this man a simple email, explaining the issue. I expected to get a reply thanking me for making a responsible disclosure, assuring me they’d fix the issue, and giving me a timeframe for the change to be rolled out. Instead what I got was a condescending email assuring me that the truncation of passwords was not a security flaw. Here is the email I sent:

Hi (redacted),

My name is Greg Norcie. I’m a Charles Schwab customer, and a PhD student studying security and privacy. My colleague Chris Soghoian gave me your email. I stumbled on a bit of a security flaw on the Charles Schwab site today. I recently changed my password. When logging in, I missed a character, but was allowed in. After some trial and error, I realized that the Charles Schwab website only looks at the first 8 characters of a password. If your password hashes were ever breached, this significantly eases brute force attacks (and is indicative that there’s something really wonky going on behind the scenes in your code.)

– Greg Norcie

Here is the response I got back:

Good morning, Greg,

Thanks for writing. Your feedback is important to us. Our passwords are limited to eight characters. Any characters added beyond those eight are truncated, as you discovered. We use additional technical and operational controls to provide a multi-layered defense. In addition, we offer our clients security tokens (i.e. one-time passwords) free of charge. They provide a six-digit changing PIN that is appended to your password to make it unique upon each login. These one-time-password devices can be requested by calling us any time: 800-435-4000.

Thanks,

(redacted), CISSP
Managing Director | Information Security Risk Management

This email response was buzzword-laden, condescending, and wrong. Multi-layered defense might sound familiar. That’s because it’s a favorite pet phrase of the TSA. And like the TSA, Schwab is a fan of security theater. While it is admirable that Schwab offers free security tokens, Schwab’s proffering of a free two-factor token does nothing to protect against offline guessing attacks. Furthermore, the fact that their interface allows a user to select a longer password, and simply have it truncated, is pure security theater. There is absolutely no reason to restrict passwords in this manner, and offering two-factor tokens does not solve the issue. The fact that their interface allows users to set a password greater than 8 characters, and fails silently (discarding the excess characters) is a very poor design. I emailed the employee who sent the above email pointing out the threat of an offline guessing attack, but got no response.

I have since moved a majority of my funds out of my Charles Schwab account, and I’m currently debating whether to close it, or to simply only keep money in it when traveling. I hope that some public pressure might convince them to adopt a better password policy (and a better security culture).

Update: As of 8/31/15, Schwab now allows longer passwords.
