You must use a secure password


  • Trolleybus Mechanic

According to my calendar, my clock, the timestamp on all my files and my emails, and by confirmation from a random sampling of strangers in the hallway, the year is currently 2013. Ecommerce has been a thing for well over a decade, if not much more. Online payment processors are the very lifeblood of the entire ecommerce system. Protecting and securing such entities, and the data they process, is perhaps [b]the[/b] driving force behind modern security, cryptology, and authentication schemes-- probably right up there with the health care industry, and anti-censorship advocates.

The flagship product of the podunk company I work for takes online payments. Given the magnitude of security that goes into being a payment processor-- and knowing that neither the company nor any of our clients wants that responsibility-- we process everything through hosted pay pages. Basically, ever been to one of those sites that says "Now redirecting you to a secure 3rd party for payment"? That concept.

    We've been happy-ish with Moneris, but one client wants us to implement another provider for them. For the sake of anonymity, let's call this other payment processor Global Payments. They're ostensibly a Fortune 100 company who has been in the payment game since 1967. A big fish who should really know better.

    There were a few niggly details that bothered me during the initial phone call between myself, the client and a sales rep from Global Payments. I chalked it up to prolonged exposure to marketspeak, and figured it would all be ok once I get the technical manual and my sandbox account. Alas.

The email with my sandbox information eventually arrives. Link to the control panel, username, temporary password. Peachy so far. I fire up the old fox of fire, and head over to the site. Username, copy and paste. Password, copy and paste. Login.

    Blank screen.

    I confirm that I've completely disabled Ad Block, No Script, etc. etc., but a login is just met with a blank screen. I have my client on the line, and he can log in just fine. He's rattling off everything he sees-- folders with subfolders for users, payments, account information, etc.

    Wait, folders? Little, low-res, yellow file folders like you'd see in a VB6 application? Like you'd see in a VB6 application written in 1999? Like one that'd be targeted at Internet Explorer users who felt more comfortable with those? That's when I get my first "oh no, it couldn't be" moment. And it could be. Except worse.

    I fire up Internet Explorer, dreading that in 2013, a major player in the Ecommerce field has a site that breaks when viewed without Internet Explorer. And I was right, but so horribly off base. I navigate to the site, enter my username and password, hit logon--

    -- and I'm greeted with a dialog asking me if I want to install the site's ActiveX component.

    In 2013. An actual goddamn ActiveX-based website. I'll give you a moment to go shove a kitten into a mason jar before continuing. Done? Good.

Okay, now that I've run the jar through the dishwasher, I log in and proceed to use the ActiveX {twitch} "website". First thing it has me do is enter a new password to replace the temporary one. It explicitly states that I "[b]must use a secure password[/b]". I can do that. My usual password's pretty strong, and I'll just add a few characters to it.

    Typeity-type, shift, click-- enter my usual long string of numbers, letters and specials. Submit and the password is rejected.

What? Why? I go down the list of password requirements, since it just gives the requirements and not the FAILED requirements. Okay, fine.

Min 8 characters? Check.

Letters? Check.

Uppercase letter? Check.

Number? Check.

No special characters. Check-- wait, wait, wait-- what? [b]NO[/b] special characters? Doesn't that make the password less secure? What possible reason could they have for disallowing "special" characters like %, ' or -? Just because they look like database control characters doesn't mean-- oh no.

The only reason I've ever encountered to reject special characters is because the code freaks out when it can't figure out how to escape or encode them before putting them in the database. But it's 2013. Everybody salts and hashes their passwords. It doesn't matter what is in the actual password, the end result will be a DB "friendly" string.

    I drop the special characters from my now less secure password, and finally get into the system. But I can't stop thinking about those special characters. I mean, they are salting and hashing, right?

Better hide your mason jars so they don't get any more kitten on them, because right next to the "Reset Password" link is an "Email user password" link. Does this email the user a password reset hyperlink? Does it dump a temporary password into the database and email that to the user?

    Nope. It sends an email. With the user's original password. In plaintext. Retrieved from the database. Plaintext.

    Global Payments in 2013, folks.
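The post's point about salting and hashing, and its complaint about the "Email user password" link, both come down to the same design choice, so here is an added example (not code from the original post, and nothing to do with the processor's actual system) that shows the two defender-side pieces together: a password containing exactly the characters the site rejected (`%`, `'`, `-`) still produces a purely ASCII verifier string that needs no escaping before it is stored, and a "forgot password" flow that emails a short-lived one-time token whose hash is stored, so the password itself is never stored or sent anywhere. PBKDF2-SHA256, the iteration count, the 15-minute token lifetime and the `pbkdf2_sha256$iterations$salt$digest` storage format are all choices made for this example, not anything the thread describes.

```python
import hashlib
import hmac
import os
import secrets
import time
from typing import Optional, Tuple

# Parameters chosen for this example only; a real deployment tunes the
# iteration count to its hardware and raises it over time.
PBKDF2_ITERATIONS = 200_000
SALT_BYTES = 16
RESET_TOKEN_TTL_SECONDS = 15 * 60


def hash_password(password: str, salt: Optional[bytes] = None,
                  iterations: int = PBKDF2_ITERATIONS) -> str:
    """Return a self-describing verifier string for `password`.

    Whatever characters the password contains, the stored value is
    'pbkdf2_sha256$<iterations>$<salt hex>$<digest hex>': lowercase letters,
    digits, '$' and '_' only, so it is "DB friendly" without any escaping.
    """
    if salt is None:
        salt = os.urandom(SALT_BYTES)          # fresh random salt per password
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return f"pbkdf2_sha256${iterations}${salt.hex()}${digest.hex()}"


def verify_password(password: str, stored: str) -> bool:
    """Recompute the digest from the stored salt and compare in constant time."""
    algorithm, iterations, salt_hex, digest_hex = stored.split("$")
    if algorithm != "pbkdf2_sha256":
        return False
    recomputed = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                                     bytes.fromhex(salt_hex), int(iterations))
    return hmac.compare_digest(recomputed.hex(), digest_hex)


def is_db_friendly(stored: str) -> bool:
    """True when the verifier uses only a fixed safe alphabet (no quotes, no %)."""
    allowed = set("abcdefghijklmnopqrstuvwxyz0123456789$_")
    return all(ch in allowed for ch in stored)


def issue_reset_token(now: Optional[float] = None) -> Tuple[str, str, float]:
    """Create a one-time reset token for the "forgot password" flow.

    Returns (token to put in the email, sha256 of the token to store, expiry).
    Only the hash is stored, so a leaked database does not yield working reset
    links, and the user's real password is never emailed or even known.
    """
    if now is None:
        now = time.time()
    token = secrets.token_urlsafe(32)
    token_hash = hashlib.sha256(token.encode("ascii")).hexdigest()
    return token, token_hash, now + RESET_TOKEN_TTL_SECONDS


def redeem_reset_token(presented: str, stored_hash: str, expires_at: float,
                       now: Optional[float] = None) -> bool:
    """Accept the token only if it is unexpired and matches the stored hash."""
    if now is None:
        now = time.time()
    if now > expires_at:
        return False
    presented_hash = hashlib.sha256(presented.encode("ascii")).hexdigest()
    return hmac.compare_digest(presented_hash, stored_hash)


if __name__ == "__main__":
    # Constructed sample password using the very characters the site refused.
    pw = "correct-horse%battery'staple-2013"
    stored = hash_password(pw)
    print("stored verifier :", stored)
    print("db friendly     :", is_db_friendly(stored))
    print("correct login   :", verify_password(pw, stored))
    print("wrong password  :", verify_password(pw + "x", stored))

    token, token_hash, expires_at = issue_reset_token()
    print("email this token:", token)
    print("store this hash :", token_hash)
    print("token accepted  :", redeem_reset_token(token, token_hash, expires_at))
```

The verifier string never needs escaping regardless of the password, which is why a "no special characters" rule is a warning sign rather than a security measure; and because only the token's hash is kept, the reset link is the only secret that ever leaves the server, and it expires on its own.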


  • Trolleybus Mechanic

     Since I realize that's a wall of text, summary: Fortune 100 company Global Payments demands a secure password, rejects special characters, then saves it in plaintext in their database. In 2013.

    Oh, and when I cheekily avoided using their name then linked directly to their Wikipedia entry as a joke, I didn't expect to scroll down and discover a whole other level of sad.

    @Wikipedia said:

    Security breach

    The company was hit with a security breach in March 2012 affecting anywhere from 50,000 to 10 million credit card holders.[3]

    Global Payments Inc. announced on Friday, March 30, 2012, that it identified and self-reported unauthorized access into its processing system. The company believes that the affected portion of its processing system is confined to North America and less than 1,500,000 card numbers may have been exported. The investigation to date has revealed that Track 2 card data may have been stolen, but that cardholder names, addresses and social security numbers were not obtained by the criminals. Based on the forensic analysis to date, network monitoring and additional security measures, the company believes that this incident is contained.[4]

    In a letter to possibly affected card holders, Global Payments writes "This data may have included your name, social security number and the business bank account number designated for the deposit of merchant processing proceeds." This statement by the company directly contradicts their attempts at damage control reported in the LA Times. Affected card holders are informed "We have provided additional information at www.2012infosecurityupdate.com"




  • Isn't there a way to report companies for PCI compliance issues like this?



  • Do they even encrypt during transport ? I suggest wireshark or disassembling the ActiveX. (I am amazed by the level of wtf)



  • @swayde said:

    Do they even encrypt during transport ? I suggest wireshark or disassembling the ActiveX. (I am amazed by the level of wtf)

    Even if they do encrypt, that's no guarantee that they use a secure cipher. I must get round to writing up the time I forced a third party payment gateway to accelerate their deployment plans for a version which used a modern cipher by sending them attack code which broke what they were using at the time.



  • @pjt33 said:

    @swayde said:
    Do they even encrypt during transport ? I suggest wireshark or disassembling the ActiveX. (I am amazed by the level of wtf)

    Even if they do encrypt, that's no guarantee that they use a secure cipher. I must get round to writing up the time I forced a third party payment gateway to accelerate their deployment plans for a version which used a modern cipher by sending them attack code which broke what they were using at the time.

    xor_0xff_encryption()



  • I hate stories without an ending.

    So what did you say to the client? "Fuck your payment processor, not only are we NOT adding it, but we recommend YOU stop using it too"? How did they react? I MUST KNOW!



  • Holy shit.

    You could require the user to write their ATM PIN on a piece of paper, put it on a wooden table next to their ATM card, scan it and upload it as a JPG and it would still be more secure than this pile of fail.



  • @flabdablet said:

    Holy shit.

    You could require the user to write their ATM PIN on a piece of paper, put it on a wooden table next to their ATM card, scan it and upload it as a JPG and it would still be more secure than this pile of fail.

    That's two-factor authentication right there.



  • Discourse touched me in a no-no place

    @Zecc said:

That's two-factor authentication right there.

"Too fucked" or would be closer.



  • @Ben L. said:

    xor_0xff_encryption()

    Worse.



  • @pjt33 said:

    @Ben L. said:
    xor_0xff_encryption()

    Worse.

    double_rot13_xor_0xff_twice_encryption()



  • @pjt33 said:

    @Ben L. said:
    xor_0xff_encryption()
    Worse.

    //email_to_joe_for_encryption() // on holiday
    email_to_intern_jake_for_encryption()

  • Considered Harmful

    @Faxmachinen said:

    //email_to_joe_for_encryption() // on holiday
    email_to_intern_jake_for_encryption()

    I was wondering why I haven't been receiving any emails for encryption since my vacation.



  • @Faxmachinen said:

    @pjt33 said:

    @Ben L. said:
    xor_0xff_encryption()

    Worse.


    //email_to_joe_for_encryption() // on holiday
    email_to_intern_jake_for_encryption()

    Pros: cannot be read by computers


    Cons: requires manual "decryption"



  • @Lorne Kates said:

    Better hide your mason jars so you they don't get any more kitten on them, because right next to the "Reset Password" link is a "Email user password" link. Does this email the user a password reset hyperlink? Does it dump a temporary password into the database and email that to the user?

    Nope. It sends an email. With the user's original password. In plaintext. Retrieved from the database. Plaintext.

    Global Payments in 2013, folks.


I don't know what you're so surprised about, password security is absolute shit in a lot of companies these days. Nearly every single company I have applied to (job wise) has had the god-damn audacity to email me back my password. I'm not talking about random temp passwords, no, I mean the actual damn password. I've taken to giving them a weak password and testing them before giving them anything resembling a decent password. It'd be funny if one of the companies that emailed my password wasn't a government IT security place.



  • @pjt33 said:

    @swayde said:
    Do they even encrypt during transport ? I suggest wireshark or disassembling the ActiveX. (I am amazed by the level of wtf)
    Even if they do encrypt, that's no guarantee that they use a secure cipher. I must get round to writing up the time I forced a third party payment gateway to accelerate their deployment plans for a version which used a modern cipher by sending them attack code which broke what they were using at the time.
    You're lucky they were at least competent enough not to yell YOU hacked them.



  • @nic said:

    Nearly every single company I have applied for (job wise) have had the god-damn audacity to email me back my password. I'm not talking about random temp passwords, no I mean that actual damn password.

    Next time set your password to "who/is/stupid/enough/to/store/passwords/unencrypted?"



  • @Cassidy said:

    who/is/stupid/enough/to/store/passwords/unencrypted'

    If it denies that password, you know a little bit more about how much you REALLY want to use the site.

