Bank password policies are often substandard, study finds

A study of 17 major US banks shows that six of them have weak password handling and that their password procedures are weaker than most social websites.

The six banks, 35 percent of the test group, appear to have a significant weakness in their password policy: ignoring case sensitivity, a study by the University of New Haven Cyber Forensic Research and Education Group (UNHcFREG) showed.

The banks ask users to set up passwords that include letters and special symbols, but the study shows the passwords may not be case sensitive. This means any combination of upper and lower case letters might work and the passwords may not be reliable.

“We were very surprised when we learned that banks have fewer requirements for passwords than social media sites,” said Walter Gordillom a cyber systems major who took a lead on the UNHcFREG project.

Banks with the problem include Wells Fargo (70 million customers), Capital One (50 million customers), BB&T (undisclosed number of customers), Webster First Federal Credit Union (undisclosed number of customers), Chase Bank (50 million customers), and Citibank (200 million customers).

“What happens when a password is not case sensitive is that a machine will accept several different passwords,” said Frank Breitinger, UNH assistant professor and co-director of UNHcFREG. “In other words, the password could be JohnSmith333 or johnsmith333 or any combination of upper and lower cases letters spelling out John Smith.”

Breitinger, who oversaw the study done by UNH undergraduates in an introduction to computer security course said while online banking is the most convenient way to handle finances, customers expect their login credentials to be secure.

“Once logged in, customers can transfer funds, make deposits by taking pictures of their checks and even pay their bills,” he said. “While this offers great convenience, it also is an avenue for attacks. Consumers believe that banks with several million customers should have strong security mechanisms in place to protect accounts, starting with password policies.”

The research group, which consisted of four other undergraduate researchers and two advisors, attempted to contact the banks through their regular hotlines to inform them about what they had found and ask for a statement in reaction to the findings of the research.

“It turned out that it is almost impossible to contact and notify them about a security issue,” Breitinger said. Of those they did manage to contact, one organization claimed to have a case-sensitive password policy even though they do not, and one was not even aware of the existence of a security / IT department.

“Although one may argue that there is no such thing as perfect security, institutions that provide financial services to millions of people should always aim for having the highest-level security possible,” the group noted in a post detailing their findings.

“However, our findings raise important questions: why do social networking platforms and many others not related to personal and business finances adopt much stricter password policies? One can easily argue that a bank account is way more important than a Twitter account. Furthermore, why do these banks go out of their way to make the password policy less secure (implement a function to ignore case-sensitivity)?” they concluded.