this post was submitted on 05 Apr 2024
12 points (100.0% liked)

Security

647 readers
5 users here now

A community for discussion about cybersecurity, hacking, cybersecurity news, exploits, bounties etc.

Rules :

  1. All instance-wide rules apply.
  2. Keep it totally legal.
  3. Remember the human, be civil.
  4. Be helpful, don't be rude.

Icon base by Delapouite under CC BY 3.0 with modifications to add a gradient

founded 1 year ago
MODERATORS
LinearArray
12
Fidelity and passwords via T9 (sh.itjust.works)
submitted 7 months ago* (last edited 7 months ago) by [email protected] to c/security
1 comments fedilink hide all child comments
 

Anyone here use fidelity (https://www.fidelity.com/)? I had to call to get something done with my account and thought it was weird that they have you (more/less) T9 dial your password into the system, though its not real T9 in that (for example) one press of 2 would mean either a,A,b,B,c,C,2. They say for special characters just give a * sign.

Any thoughts on if that is safe on their part? It seems weird to me since they either need the password in plaintext on their end or I guess the hash of the T9 version of the password which would be less secure anyways because of: all one case and only one type of 'special character'.

And yes: before you ask this was 100% the actual fidelity phone number: +1 800-343-3548

In their defense they did ask for other verification information once I got a person, but still felt really weird.

Any thoughts on the security of this mechanism?

you are viewing a single comment's thread
view the rest of the comments
[–] [email protected] 2 points 7 months ago

I've seen past discussions on this question, but no definitive answers. We can only guess, as I'm sure Fidelity themselves wants to say as little as possible.

I'm going to assume that Fidelity is storing a T9 string of your password as a kind of default "security question" prompt for phone calls. So Fidelity would be storing your password hash, and alongside it, storing your T9 string hash. If that is the case, I don't think it's necessarily a bad practice.

Given that it's handled by the automated system, and not by a live service agent, let's give them the benefit of the doubt and assume that they are hashing your keypad entry and comparing it against a properly salted+hashed T9 string of your password. This is unlikely to expose your credentials during transmission, since this isn't any worse than entering your password in a form field on the web.

But what about if Fidelity gets breached, and attackers get the hashes of not only your password, but also the T9 hash? Then, attackers could start trying to crack everyone's T9 hashes, and using the T9, figure out the length and likely characters of your password. This would make cracking individual passwords faster.

But if Fidelity had a large scale breach tomorrow, and put out a statement that all of their password hashes were leaked, wouldn't they already be fucked? Like, they would force a password reset on every account anyways. It's not like the fact that attackers can crack passwords faster or slower than normal would change how they should respond to a breach where password hashes are stolen. The cat's already out of the bag at that point.

TL;DR: As long as they are storing this T9 string separately from your actual password hash, it's not likely IMO to make or break the security of your account