UNH Research Finds Bank Password Policies Often Weak (Updated)

2016-03-21

WFSB 3 Connecticut

Please see the clarification at the end of this article!

Story was also on WTNH.

WEST HAVEN, CONN. – A study of 17 major banks by the University of New Haven Cyber Forensic Research and Education Group (UNHcFREG) shows that six of them have weak password handling and that their password procedures are weaker than most social websites.

The six banks, 35 percent of the test group, appear to have a significant weakness in their password policy: ignoring case sensitivity, the UNH study showed.

The banks ask users to set up passwords that include letters and special symbols, but the study shows the passwords may not be case sensitive. This means any upper- and lowercase variant of the same password might work, and the passwords may not be reliable.

The problem could affect more than 370 million people who bank via a smartphone, tablet or computer.

“We were very surprised when we learned that banks have fewer requirements for passwords than social media sites,” said Walter Gordillo ’16, of Norwalk, Conn., a cyber systems major who took a lead on the UNHcFREG project.

Banks with the problem include Wells Fargo (70 million customers), Capital One (50 million customers), BB&T (undisclosed number of customers), Webster First Federal Credit Union* (undisclosed number of customers), Chase Bank (50 million customers), and Citibank (200 million customers).

“What happens when a password is not case sensitive is that a machine will accept several different passwords,” said Frank Breitinger, UNH assistant professor and co-director of UNHcFREG. “In other words, the password could be JohnSmith333 or johnsmith333 or any combination of upper and lower case letters spelling out John Smith.”

Breitinger, who oversaw the study done by UNH undergraduates in an introduction to computer security course, said that while online banking is the most convenient way to handle finances, customers expect their login credentials to be secure.

“Once logged in, customers can transfer funds, make deposits by taking pictures of their checks and even pay their bills,” he said. “While this offers great convenience, it also is an avenue for attacks. Consumers believe that banks with several million customers should have strong security mechanisms in place to protect accounts, starting with password policies.”

Also working on the research with Gordillo were Kevin Gonzalez ’16, of West Haven, Conn.; Daniel Tornero ’16, of Danbury, Conn.; Bekhzod Umarov ’17, of West Haven, Conn.; and Jeremiah Wright ’16, of Fishkill, N.Y. They were assisted by Breitinger and Ibrahim (Abe) Baggili, Elder Family Chair in engineering and co-director of UNHcFREG.

The research group attempted to contact the banks through their regular hotlines to inform them about what they had found and ask for a statement in reaction to the findings of the research.

“It turned out that it is almost impossible to contact and notify them about a security issue,” Breitinger said. “Our findings raise an important question: why do social networking platforms and many others not related to personal and business finances adopt much stricter password policies?” Breitinger asked.

For more details about the research, go to http://tinyurl.com/jtjgqhf.

The University of New Haven is a private, top-tier comprehensive institution recognized as a national leader in experiential education. Founded in 1920, the university enrolls approximately 1,800 graduate students and more than 4,600 undergraduates.

*Please click here for a clarifying press release as to Webster First Financial Credit Union (Update: 03/21/2016).

Some venues that picked up this story: