Verified by Visa Forces Users to Select Weak Passwords
The (presumably) secure Verified by Visa payment authentication system developed by Visa forces users to select weak passwords:
- it requires passwords of no more than 8 characters and no fewer than 6 characters, and
- it prevents the use of any special characters (!@#$...); only alphanumeric characters are allowed.

This password space is so small that, if it were used on a Windows machine, it would take less than 2.5 hours to brute-force with oclHashcat on a machine with 4 x HD 5970 GPUs. (Windows uses NTLM to hash passwords, which oclHashcat brute-forces at 6.194 billion hashes per second on a single HD 5970: (62**8 + 62**7 + 62**6) / (4*6194e6) / 3600 = 2.49 hours.)
Visa's password hashes (assuming they hash them, and with something more secure than NTLM!) are not available to attackers, but they have zero reason to enforce such a small password space:
- Technically this violates section 8.5.10 of the PCI DSS (Payment Card Industry Data Security Standard): "minimum password length of at least seven characters";
- the hashes could get stolen, as happened to Hotmail, MySpace, Facebook, Gawker, etc., and could then be brute-forced easily; and
- it certainly undoes the strong password selection habits that we, IT security professionals, have been painfully trying to teach users since passwords were invented.
Why does one of the world's first financial services companies get security wrong? The most ironic part is that a few months ago they made the exact opposite mistake: Visa was enforcing password requirements that were overly complex. The right solution is obviously the middle ground: require passwords of at least 7 characters to comply with PCI DSS, and allow users to choose very complex passwords if they want to. If I want to type a fully random 128-character password, you should let me do so.
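To make the keyspace arithmetic above and the proposed middle-ground policy concrete, here is an added example (not Visa's or any issuer's code) that models both policies, counts the passwords each accepts, and estimates worst-case cracking time at the post's NTLM rate and at an assumed slow-hash rate. The 1e4 hashes/second figure and the 128-character upper bound are assumptions.

```python
from dataclasses import dataclass
import string

# Cracking rate from the post: NTLM with oclHashcat on one HD 5970.
NTLM_HASHES_PER_HD5970 = 6.194e9
# Constructed assumption: a deliberately slow password hash on the same
# hardware, included only to show how much the hash choice matters.
SLOW_HASHES_PER_SECOND = 1e4


@dataclass(frozen=True)
class Policy:
    min_len: int
    max_len: int
    charset: str


# Policy the post describes: 6 to 8 characters, alphanumeric only (62 symbols).
VISA_POLICY = Policy(6, 8, string.ascii_letters + string.digits)
# Policy the post proposes: at least 7 characters (PCI DSS 8.5.10), any printable
# ASCII character (95 symbols, space included); the 128 cap is an assumption.
PROPOSED_POLICY = Policy(7, 128, "".join(chr(c) for c in range(32, 127)))


def rejects(policy: Policy, password: str):
    """Return the reason the policy rejects a password, or None if accepted."""
    if len(password) < policy.min_len:
        return "too short"
    if len(password) > policy.max_len:
        return "too long"
    forbidden = set(password) - set(policy.charset)
    if forbidden:
        return "forbidden characters: " + "".join(sorted(forbidden))
    return None


def keyspace(policy: Policy) -> int:
    """Count every password the policy accepts, summed over all allowed lengths."""
    return sum(len(policy.charset) ** n for n in range(policy.min_len, policy.max_len + 1))


def hours_to_exhaust(space: int, hashes_per_second: float) -> float:
    """Worst-case time to try the whole keyspace at a given cracking rate."""
    return space / hashes_per_second / 3600


if __name__ == "__main__":
    space = keyspace(VISA_POLICY)
    print(f"6-8 alphanumeric keyspace: {space:.3e} passwords")
    print(f"NTLM on 4 x HD 5970: {hours_to_exhaust(space, 4 * NTLM_HASHES_PER_HD5970):.2f} hours")
    print(f"slow hash at 1e4/s:  {hours_to_exhaust(space, SLOW_HASHES_PER_SECOND) / 8760:.0f} years")
    for pw in ("abc123", "p@ss123", "correct horse battery staple"):
        print(f"{pw!r}: issuer={rejects(VISA_POLICY, pw)} proposed={rejects(PROPOSED_POLICY, pw)}")
```

Note that "abc123" passes the issuer policy while failing the PCI minimum, and a 28-character passphrase is rejected only by the issuer policy.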
twelve comments
Based on what Karoly says, the password strength does not really matter because it is so easy to obtain a new one with readily available ‘semi private’ data.
However, to the point of password weakness, if the only way to check if the password is correct is by trying to make a payment, and if you have a limited number of trials before the password is broken, then the password space size does not really matter.
Just forcing/recommending a long obfuscated password is not necessarily the right thing to do from security perspective.
/d
p.s., and if Visa’s computers get hacked, I’d be worried about much more than the password hashes – I’d be worried about the money…
A failed-attempt counter in the server with a 30-minute delay before allowing new password attempts will foil your brute-force checker. After three failed attempts in quick succession, enable the delay.
You are just talking up a storm in a teacup.
My VbV password is 11 chars long (maybe 8 chars is a recent change?). But agree about the special chars restriction.
My password (created nearly at the dawn of the system) is 10 chars long, so this would seem to be a regression since they implemented it.
Unfortunately this isn’t really news, as VbV’s been a complete joke from the start (as the aforementioned “reset with date of birth” proves). However, I was particularly interested to learn that they are in violation of the PCI DSS.
The Barclays VbV doesn’t even hash passwords – it asks me for the (e.g.) 1st, 3rd and 7th letter of my password, implying that the whole thing is sitting in plaintext somewhere (unless it’s got some ridiculous algorithm for generating hashes for all particular combos of letters).
Unfortunately for merchants the choice to use VbV comes down to liability – your bank will refuse to be liable for any fraudulent transactions if you do not use VbV and you may be penalised with a higher processing fee.
According to http://usa.visa.com/personal/security/vi.., the “password requirements are determined by each Visa card issuer.” So I think your problem might be with Wells Fargo rather than VISA itself, although the fact that VISA allows the issuing bank to use 6-character passwords is not very encouraging either.
This VbV password issue with Wells Fargo has been brought up before here: http://mettadore.com/analysis/stupid-sec..
Unfortunately, from what I have seen, this is not restricted to VbV. This is something that every bank I’ve ever dealt with uses, and Government of Canada websites use it as well. I think it is terrible that my email password is 28 characters long, completely random with uppercase, lowercase, numbers and symbols, yet my banking information is protected by a password that at its most complex is 8 characters long, and only contains letters and numbers.
I stand by @Lucian’s comment: this is a problem with Wells Fargo’s implementation of the protocol, rather than a restriction in the protocol itself. Of course, rather like he said, it is a failure of Visa that they certified Wells Fargo’s VbV implementation with such problems…
You might be interested in this paper http://www.cl.cam.ac.uk/~rja14/Papers/fc.. which really kicks the 3D secure protocol to the ground (many many criticisms)
Florin Montescu: the lockout mechanism doesn’t work in these situations:
- when attempting the same password against 1000 accounts (like ID thieves do when buying/stealing IDs in quantity)
- in offline bruteforcing attacks on password hashes
@Florin: It’s not just a “storm in a teacup”. The interface might only allow so many attempts per hour, but it’s quite possible that the hashed password data could be stolen via other means, much like happened with Gawker recently.
When this happens, if the password hashing is weak then brute-forcing the passwords becomes trivial due to the small password space.
Furthermore, even though only six attempts are allowed per hour, using a dictionary attack in a 6-8 character space is definitely doable over a matter of several weeks.
This isn’t specifically a VbyV problem (although VbyV has more than enough suckage in it to make up for any external issues). The way VbyV works is that every financial institution that uses it gets to invent their own exquisitely homebrew snake oil, and then produces enough paperwork for it to overwhelm Visa’s auditors (seriously, I’ve worked with Visa on this, that’s more or less how it works). So this would be your bank screwing up, on top of the overall VbyV suckage.
This whole Verified by Visa is a joke: try “forgot password” and you will be offered to choose a new password based on card data and your birth year and month. That’s so secret today, right?