13 October, 2008

Wells Fargo login not secure enough

Updated 17-Oct-08.
Some good news on the Wells Fargo security front.

  1. Though the ignoring of extra password characters is still true, you have to exceed 14 characters before you see this behavior. A 14 character password is sufficiently long that this should not be a significant issue.
  2. The reason behind the case insensitive username and password is so the same system can support phone interaction as well. Though this lowers the security level, it is compensated for by limiting failed logins to 3 attempts. After the 3rd failure, the user must contact the bank before they can try again.

Security Now, a TWiT Network netcast starring Steve Gibson and Leo Laporte, has reported over several episodes in September that the Wells Fargo online login is not as secure as it should be. The reports came from Security Now listeners.
  • The first report was that the password would still work if it had extra characters at the end of it. It was not determined whether the length was ignored after a specific number of characters or if anything longer than your password length is ignored.
  • The second reported issue is that the password is case insensitive.
  • The third report is that the username is case insensitive.
As of the last episode that I've listened to (September 11th), there have been no reports of correction. I find it really disappointing that a bank, of all websites, would have these types of security vulnerabilities. With poor security practices used by typical users, these vulnerabilities make it much easier to guess usernames and passwords.

If you are a Wells Fargo customer, I would recommend you let them know about the security problem at a minimum, and change banks if you do not see reasonable effort to correct this.
