mrb's blog

Verified by Visa Forces Users to Select Weak Passwords

Keywords: finance security

The (presumably) secure Verified by Visa payment authentication system developed by Visa forces users to select weak passwords:

  • It forces the user to select a password between 6 and 8 characters long (inclusive), and
  • it prevents the use of any special characters (!@#$...); only alphanumeric characters are allowed.

[Update 2011-06-01: apparently Verified by Visa is not responsible for this flaw, but my bank, Wells Fargo, as a user of Verified by Visa, is the culprit for enforcing weak passwords.]

This password space is so small that, if it were used on a Windows machine, it would take less than 2.5 hours to bruteforce with oclHashcat on a 4 x HD 5970 machine. (Windows uses NTLM to hash passwords, which oclHashcat bruteforces at 6.194 billion hashes per second on a single 5970, so exhausting every 6-, 7- and 8-character alphanumeric string takes (62**8 + 62**7 + 62**6) / (4*6194e6) / 3600 = 2.49 hours.)

Visa's password hashes (assuming they hash them, and with something more secure than NTLM!) are not available to attackers, but they have zero reason to enforce such a small password space:

  • Technically this violates section 8.5.10 of the PCI DSS (Payment Card Industry Data Security Standard), which requires a "minimum password length of at least seven characters",
  • the hashes could get stolen, as happened to Hotmail, MySpace, Facebook, Gawker, etc., and could then be bruteforced easily, and
  • it certainly unteaches the strong password selection practices that we, IT Security Professionals, have been painfully trying to explain to users since passwords were invented.

Why does one of the world's first financial services companies get security wrong? The most ironic part is that a few months ago they made the exact opposite mistake: Visa was enforcing password requirements that were overly complex. The right solution is obviously the middle ground: require passwords of at least 7 characters in length to comply with PCI DSS, and allow users to choose very complex passwords if they want to. If I want to type a fully random 128-character password, you should let me do so.
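As an added illustration (this is example code written for this page, not anything from Visa, Wells Fargo or the original post), the following Python puts the two policies side by side and reproduces the keyspace arithmetic above. The issuer policy is the one the post describes (6 to 8 alphanumeric characters); the "recommended" policy is the post's middle ground (at least 7 characters, any printable ASCII, with an assumed generous cap of 128). The NTLM rate is the post's own figure; the 95-symbol alphabet for the recommended policy is printable ASCII and is an assumption of this example.

```python
import string

# Post's figures: oclHashcat NTLM rate on a single HD 5970, and a 4-card machine.
NTLM_RATE_PER_5970 = 6.194e9
CARDS = 4

# Alphabets used by the two policies. 62 symbols for the issuer's rule; 95 printable
# ASCII symbols (0x20..0x7E) for the recommended rule (assumed for this example).
ISSUER_ALPHABET = set(string.ascii_letters + string.digits)
PRINTABLE_ASCII = {chr(c) for c in range(0x20, 0x7F)}


def keyspace(alphabet_size, min_len, max_len):
    """Number of distinct strings of length min_len..max_len over the alphabet."""
    return sum(alphabet_size ** n for n in range(min_len, max_len + 1))


def hours_to_exhaust(space, hashes_per_second):
    """Worst-case time to try every candidate at the given hash rate."""
    return space / hashes_per_second / 3600


def issuer_policy_ok(pw):
    """The policy the post criticises: 6-8 characters, letters and digits only."""
    return 6 <= len(pw) <= 8 and all(c in ISSUER_ALPHABET for c in pw)


def recommended_policy_ok(pw, max_len=128):
    """The post's middle ground: PCI DSS minimum of 7, any printable character,
    and a cap high enough not to get in the way (128 is an assumed value)."""
    return 7 <= len(pw) <= max_len and all(c in PRINTABLE_ASCII for c in pw)


def compare_policies():
    """Keyspace and exhaustive-search time for the issuer policy versus the
    recommended policy restricted to the same 8-character maximum, so the
    effect of the alphabet alone is visible."""
    rate = NTLM_RATE_PER_5970 * CARDS
    issuer_space = keyspace(len(ISSUER_ALPHABET), 6, 8)
    rec_space_8 = keyspace(len(PRINTABLE_ASCII), 7, 8)
    return {
        "issuer_space": issuer_space,
        "issuer_hours": hours_to_exhaust(issuer_space, rate),
        "recommended_space_upto_8": rec_space_8,
        "recommended_hours_upto_8": hours_to_exhaust(rec_space_8, rate),
    }


if __name__ == "__main__":
    for pw in ("abc123", "Tr0ub4dor&3", "correct horse", "a1b2c3d4e5"):
        print(f"{pw!r:18} issuer={issuer_policy_ok(pw)!s:5} recommended={recommended_policy_ok(pw)}")
    for k, v in compare_policies().items():
        print(f"{k}: {v:,.2f}" if isinstance(v, float) else f"{k}: {v:,}")
```

Running it shows that a password like "Tr0ub4dor&3" is rejected by the issuer policy (too long and contains "&") but accepted by the recommended one, and that merely allowing printable symbols at the same 8-character cap grows the search space from roughly 2.2e14 to 6.7e15 strings.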

Comments

Karoly Negyesi wrote: This whole Verified by Visa is a joke, try forgot password, you will be offered to choose a new password based on card data and your birth year and month. That's _so secret_ today, right? 31 May 2011 06:19 UTC

Dror Harari wrote: Based on what Karoly says, the password strength does not really matter because it is so easy to obtain a new one with readily available 'semi private' data.

However, to the point of password weakness, if the only way to check if the password is correct is by trying to make a payment, and if you have a limited number of trials before the password is broken, then the password space size does not really matter.

Just forcing/recommending a long obfuscated password is not necessarily the right thing to do from security perspective.

/d

p.s., and if Visa's computers get hacked, I'd be worried about much more than the password hashes - I'd be worried about the monies...
31 May 2011 07:14 UTC

Florin Montescu wrote: A failed attempt counter in the server with a 30-minute delay before allowing new password attempts will foil your brute force checker. After three failed attempts in quick succession enable the delay.

You are just talking up a storm in a teacup.
31 May 2011 08:30 UTC

Anon wrote: My VbV password is 11 chars long (maybe 8 chars is a recent change?). But agree about the special chars restriction. 31 May 2011 09:35 UTC

Anon wrote: My password (created nearly at the dawn of the system) is 10 chars long, so this would seem to be a regression since they implemented it. 31 May 2011 10:57 UTC

Luke Pryor wrote: Unfortunately this isn't really news as VbV's been a complete joke from the start (as the aforementioned "reset with date of birth" proves). However, I was particularly interested to learn that they are in violation of the PCI DSS.

The Barclays VbV doesn't even hash passwords - it asks me for the (e.g.) 1st, 3rd and 7th letter of my password, implying that the whole thing is sitting in plaintext somewhere (unless it's got some ridiculous algorithm for generating hashes for all particular combos of letters).

Unfortunately for merchants the choice to use VbV comes down to liability - your bank will refuse to be liable for any fraudulent transactions if you do not use VbV and you may be penalised with a higher processing fee.
31 May 2011 11:15 UTC

Lucian Constantin wrote: According to http://usa.visa.com/personal/security/visa_security_program/vbv/verified_by_visa_faq.html#anchor_11, the "password requirements are determined by each Visa card issuer." So I think your problem might be with Wells Fargo rather than VISA itself, although the fact that VISA allows the issuing bank to use 6-character passwords is not very encouraging either.

This VbV password issue with Wells Fargo has been brought up before here: http://mettadore.com/analysis/stupid-security-verified-by-visa/
31 May 2011 13:14 UTC

Cory K wrote: Unfortunately from what I have seen, this is not restricted to VbV. This is something that every bank I've ever dealt with uses, and Government of Canada websites use it as well. I think it is terrible that my email password is 28 characters long, completely random with uppercase, lowercase, numbers and symbols, yet my banking information is protected by a password that at its most complex is 8 characters long, and only contains letters and numbers. 31 May 2011 13:26 UTC

Alvaro wrote: I stand by @Lucian's comment, this is a problem with Wells Fargo's implementation of the protocol, rather than a restriction in the protocol itself. Of course, rather like he said, it is a failure of Visa that they certified Wells Fargo's VbV implementation with such problems...

You might be interested in this paper http://www.cl.cam.ac.uk/~rja14/Papers/fc10vbvsecurecode.pdf which really kicks the 3D secure protocol to the ground (many many criticisms)
31 May 2011 13:40 UTC

mrb wrote: Florin Montescu: the lockout mechanism doesn't work in these situations:

- when attempting the same password against 1000 accounts (like ID thieves do when buying/stealing IDs in quantity)

- in offline bruteforcing attacks on password hashes
31 May 2011 16:51 UTC

Rohan Singh wrote: @Florin: It's not just a "storm in a teacup". The interface might only allow so many attempts per hour, but it's quite possible that the hashed password data could be stolen via other means, much like happened with Gawker recently.

When this happens, if the password hashing is weak then brute forcing the passwords becomes trivial due to the small password space.

Furthermore, even though only six attempts are allowed per hour, using a dictionary attack in a 6-8 character space is definitely doable over a matter of several weeks.
31 May 2011 17:05 UTC

Dave wrote: This isn't specifically a VbyV problem (although VbyV has more than enough suckage in it to make up for any external issues). The way VbyV works is that every financial institution that uses it gets to invent their own exquisitely homebrew snake oil, and then produces enough paperwork for it to overwhelm Visa's auditors (seriously, I've worked with Visa on this, that's more or less how it works). So this would be your bank screwing up, on top of the overall VbyV suckage. 04 Jun 2011 04:54 UTC

Doroham wrote: Two years later these expletive unintelligent expletive mendicants haven't fixed this. I am disgusted and appalled. Such incompetency is unacceptable. I am furious at the thought of an 8 character cap from a company trying to create the sense of security in an online medium. I cannot believe the failed thinking that led to this. As of today I no longer trust my bank. How have they not fixed this? 15 Dec 2013 04:16 UTC