Fidelity and online passwords.

mrx
Posts: 28
Joined: Mon Aug 28, 2017 12:07 am

Fidelity and online passwords.

Post by mrx » Sun Mar 11, 2018 5:39 pm

Hi there,
I have recently started using the Fidelity phone service to do some stuff. I have always been using the website and I almost never had to call. I was very surprised by how they let me *log in* through the phone. They basically ask you to enter your username and password through the phone key pad.

I know a little bit about software and security, and hence this specific way of verifying me makes me really concerned about how they manage my password. The key idea is that you use the key pad to enter your password. For example:
  • To insert (a or b or c or A or B or C or 2) you just press 2.
  • To insert (d or e or f or D or E or F or 3) you just press 3.
  • and so on...
So if your password is something like (Password123), you enter (72779673123).

Now there are only two ways for them to verify the password is correct:
  • Option A: They take the number you entered and they try to match all possible passwords against your account. So in my example above they would try to verify your password against (Password123), (password123), (Pbssword1234), etc. This is probably not feasible because it will take them a huge number of trials before they find the right password.
  • Option B: They store your password in plain text somewhere in their database. So when you enter the numbers they quickly match the numbers you entered against your password.
I am almost certain that they do option 2. Which is really insane. I do not know a decent website that still saves passwords in plain text, let alone a big financial institution that manages millions and millions of dollars for their customers. Now any database administrator with the proper permissions can just get to see all the clients' passwords. Isn't this crazy? Am I missing something here?

I have already complained about this, but I am a young investor and I am not sure how much my feedback would matter. I am hoping to raise awareness here and maybe get support from some of their premium customers so they get this fixed ASAP.

Please let me know if you think I am missing something; otherwise, I would really appreciate it if you start complaining to them about that as well.

JamesSFO
Posts: 3052
Joined: Thu Apr 26, 2012 10:16 pm

Re: Fidelity and online passwords.

Post by JamesSFO » Sun Mar 11, 2018 5:48 pm

How about Option C? (E.g. Fido converts your entered passcode into the numeric string, salt and hash that and compare your phone entered code accordingly.)

May not make you feel better but I don't think your assumptions about the options are exhaustive.

Further the vast majority of passwords are likely low entropy/randomness already and so this vector may not expand the risk profile while affording a lot of ease of access to customers.

Lastly if you find it unacceptable pick someone else.

oldcomputerguy
Posts: 2918
Joined: Sun Nov 22, 2015 6:50 am
Location: In the middle of five acres of woods

Re: Fidelity and online passwords.

Post by oldcomputerguy » Sun Mar 11, 2018 6:03 pm

Typically, when a password is entered on a web site, the password is “hashed” (i.e. encrypted) and the hashed password is stored. Then when the person logs on later, the entered password is hashed, and the two hashed versions are compared. The plain-text version in that scenario is not stored.

What indication do you have that Fidelity is not using a similar procedure for passwords entered on the phone?
It’s taken me a lot of years, but I’ve come around to this: If you’re dumb, surround yourself with smart people. And if you’re smart, surround yourself with smart people who disagree with you.

MrPotatoHead
Posts: 406
Joined: Sat Oct 14, 2017 10:41 pm

Re: Fidelity and online passwords.

Post by MrPotatoHead » Sun Mar 11, 2018 6:05 pm

Why don't you ask them? Fido makes some of the largest proprietary software investments in the industry and never shies away from hiring subject matter experts, unlike some others in the mutual fund industry who use unmodified open source software that makes them vulnerable to any hacker who cares to apply himself. Some respected companies actually modify Oracle's JVM in such a way that makes it less prone to day-to-day security vulnerabilities. Fidelity has always been a stalwart of responsible IT deployments. As I said, unlike some other big shops I can think of that are more concerned about low cost than a secure environment that provides efficient service.

mrx
Posts: 28
Joined: Mon Aug 28, 2017 12:07 am

Re: Fidelity and online passwords.

Post by mrx » Sun Mar 11, 2018 6:57 pm

JamesSFO wrote:
Sun Mar 11, 2018 5:48 pm
How about Option C? (E.g. Fido converts your entered passcode into the numeric string, salt and hash that and compare your phone entered code accordingly.)

May not make you feel better but I don't think your assumptions about the options are exhaustive.

Further the vast majority of passwords are likely low entropy/randomness already and so this vector may not expand the risk profile while affording a lot of ease of access to customers.

Lastly if you find it unacceptable pick someone else.
Thank you for the idea. What you are saying is that Password123 and password123 and pbssword123 would all work. This still sucks (although I agree it sucks less) because the search space for the password becomes much smaller, and I am the one who thought I was using a password manager to generate a complex, unpredictable password. Now my password is just a trial between 00000000 and 99999999.

I would pick someone else, but do you think I can convince my employer to move my 401k to Vanguard?

mrx
Posts: 28
Joined: Mon Aug 28, 2017 12:07 am

Re: Fidelity and online passwords.

Post by mrx » Sun Mar 11, 2018 7:00 pm

oldcomputerguy wrote:
Sun Mar 11, 2018 6:03 pm
Typically, when a password is entered on a web site, the password is “hashed” (i.e. encrypted) and the hashed password is stored. Then when the person logs on later, the entered password is hashed, and the two hashed versions are compared. The plain-text version in that scenario is not stored.

What indication do you have that Fidelity is not using a similar procedure for passwords entered on the phone?
Because, as I said above, while on the phone I just enter numbers (3456216348). They cannot just hash these numbers and compare them against the hashed and stored password, because it will not match.

JamesSFO
Posts: 3052
Joined: Thu Apr 26, 2012 10:16 pm

Re: Fidelity and online passwords.

Post by JamesSFO » Sun Mar 11, 2018 7:03 pm

mrx wrote:
Sun Mar 11, 2018 6:57 pm
JamesSFO wrote:
Sun Mar 11, 2018 5:48 pm
How about Option C? (E.g. Fido converts your entered passcode into the numeric string, salt and hash that and compare your phone entered code accordingly.)

May not make you feel better but I don't think your assumptions about the options are exhaustive.

Further the vast majority of passwords are likely low entropy/randomness already and so this vector may not expand the risk profile while affording a lot of ease of access to customers.

Lastly if you find it unacceptable pick someone else.
Thank you for the idea. What you are saying is that Password123 and password123 and pbssword123 would all work. This still sucks (although I agree it sucks less) because the search space for the password becomes much smaller, and I am the one who thought I was using a password manager to generate a complex, unpredictable password. Now my password is just a trial between 00000000 and 99999999.
I'm saying that it might store for PHONE purposes only the password in that format. So your examples would all work because the password is the digits only.

For the web the password is still unique.

Given what they allow over the phone this is still likely better than typical identification options.
mrx wrote:
Sun Mar 11, 2018 6:57 pm
I would pick someone else, but do you think I can convince my employer to move my 401k to Vanguard?
Ok you didn't identify 401K so very unlikely to get a change.

This may be one of those either accept the situation or "let it go" things where tilting at this windmill until Fidelity changes its phone procedures across the board is going to be challenging. Though perhaps they might turn off phone access for you (and you alone) but that likely has other bad repercussions down the road.

Alchemist
Posts: 251
Joined: Sat Aug 30, 2014 6:35 am
Location: Florida

Re: Fidelity and online passwords.

Post by Alchemist » Sun Mar 11, 2018 7:11 pm

You can also just set up Voice Print verification for phone access. It removes the need to type in a password via the phone.

pondering
Posts: 957
Joined: Fri Jan 30, 2015 11:04 pm
Location: 412-977-3526, originally 718-273-2422

Re: Fidelity and online passwords.

Post by pondering » Sun Mar 11, 2018 7:27 pm

For personal accounts it is far more important that you check your statements than worry about your passwords.

A recent phishing attack I saw had an over 10% success rate in being followed to the first step.

Should you worry about these things? Yes. Would it be the only thing I worry about? No.
--Robert Sterbal | 412-977-3526 call/text

JamesSFO
Posts: 3052
Joined: Thu Apr 26, 2012 10:16 pm

Re: Fidelity and online passwords.

Post by JamesSFO » Sun Mar 11, 2018 7:38 pm

Alchemist wrote:
Sun Mar 11, 2018 7:11 pm
You can also just set up Voice Print verification for phone access. It removes the need to type in a password via the phone.
Neat, did not know Fidelity offered this (like Vanguard does).

Info: https://www.fidelity.com/security/fidel ... e/overview

JoeRetire
Posts: 871
Joined: Tue Jan 16, 2018 2:44 pm

Re: Fidelity and online passwords.

Post by JoeRetire » Sun Mar 11, 2018 7:38 pm

mrx wrote:
Sun Mar 11, 2018 5:39 pm
Now there are only two ways for them to verify the password is correct:
  • Option A: They take the number you entered and they try to match all possible passwords against your account. So in my example above they would try to verify your password against (Password123), (password123), (Pbssword1234), etc. This is probably not feasible because it will take them a huge number of trials before they find the right password.
  • Option B: They store your password in plain text somewhere in their database. So when you enter the numbers they quickly match the numbers you entered against your password.
I am almost certain that they do option 2.
You suggest Option A and Option B, but feel certain they "do option 2". Uhm, okay.

You are simply incorrect that there are "only two ways".

It's not hard to store your password in encrypted fashion twice: once for when it needs to be compared from a website-entered password field and once for when it needs to be compared from a telephone-entered password prompt. Then the system encrypts the password on the way in and compares against the corresponding encrypted password.

There is no need for multiple attempts to match possible passwords, nor is there ever a need to store plain-text passwords.

Fidelity most certainly does not store passwords in plain text (at least not on any of the Fidelity systems I've worked with).

I worked for a financial services company in their R&D section. Fidelity was one of our largest customers and I worked with them many times. They take security very seriously.
Am I missing something here?
Clearly you are.

Sorry, but you are drawing conclusions without any facts and seem to be confusing yourself in the process. To be blunt, when it comes to security, you seem to be out of your element.

MrPotatoHead
Posts: 406
Joined: Sat Oct 14, 2017 10:41 pm

Re: Fidelity and online passwords.

Post by MrPotatoHead » Sun Mar 11, 2018 7:51 pm

mrx wrote:
Sun Mar 11, 2018 6:57 pm
I would pick someone else, but do you think I can convince my employer to move my 401k to Vanguard?
Oh yeah, that will make you far more secure over Fidelity- LOL. I guess you can just assume the reason Vanguard has a 3rd rate website and interface is because they invest all their IT dollars in security instead of user facing. Certainly that is the answer.

Dottie57
Posts: 3396
Joined: Thu May 19, 2016 5:43 pm

Re: Fidelity and online passwords.

Post by Dottie57 » Sun Mar 11, 2018 8:03 pm

mrx wrote:
Sun Mar 11, 2018 5:39 pm
Hi there,
I have recently started using the Fidelity phone service to do some stuff. I have always been using the website and I almost never had to call. I was very surprised by how they let me *log in* through the phone. They basically ask you to enter your username and password through the phone key pad.

I know a little bit about software and security, and hence this specific way of verifying me makes me really concerned about how they manage my password. The key idea is that you use the key pad to enter your password. For example:
  • To insert (a or b or c or A or B or C or 2) you just press 2.
  • To insert (d or e or f or D or E or F or 3) you just press 3.
  • and so on...
So if your password is something like (Password123), you enter (72779673123).

Now there are only two ways for them to verify the password is correct:
  • Option A: They take the number you entered and they try to match all possible passwords against your account. So in my example above they would try to verify your password against (Password123), (password123), (Pbssword1234), etc. This is probably not feasible because it will take them a huge number of trials before they find the right password.
  • Option B: They store your password in plain text somewhere in their database. So when you enter the numbers they quickly match the numbers you entered against your password.
I am almost certain that they do option 2. Which is really insane. I do not know a decent website that still saves passwords in plain text, let alone a big financial institution that manages millions and millions of dollars for their customers. Now any database administrator with the proper permissions can just get to see all the clients' passwords. Isn't this crazy? Am I missing something here?

I have already complained about this, but I am a young investor and I am not sure how much my feedback would matter. I am hoping to raise awareness here and maybe get support from some of their premium customers so they get this fixed ASAP.

Please let me know if you think I am missing something; otherwise, I would really appreciate it if you start complaining to them about that as well.
I have never worked on a system where the password was stored in plain text. Passwords have been stored in encrypted format in ldap or file. When someone enters a password on a screen, software encrypts it and compares to encrypted password stored in ldap or file.

I would suspect the phone tap code (numeric value) is also encrypted and stored, and the same process is used as above.

jhfenton
Posts: 2945
Joined: Sat Feb 07, 2015 11:17 am
Location: Ohio

Re: Fidelity and online passwords.

Post by jhfenton » Sun Mar 11, 2018 8:04 pm

I have a Fidelity 401(k) too, and I've never tried the phone system. What functions are available through the telephone system? Are there any sensitive functions available?

I don't like that Fidelity limits passwords to 20 characters and excludes most symbols, but a 20-character limit is an improvement for them compared to a few years ago. It was 12 characters not too long ago.

Given the slow interface of an IVR phone system, I would think that brute-forcing a 20-digit passcode would be near impossible, even with the search space limited to 0-9 for each digit. I would also never want to try it as a customer. :oops: I'd have to convert my password ahead of time and write it down.

mrx
Posts: 28
Joined: Mon Aug 28, 2017 12:07 am

Re: Fidelity and online passwords.

Post by mrx » Mon Mar 12, 2018 12:46 pm

jhfenton wrote:
Sun Mar 11, 2018 8:04 pm
I have a Fidelity 401(k) too, and I've never tried the phone system. What functions are available through the telephone system? Are there any sensitive functions available?

I don't like that Fidelity limits passwords to 20 characters and excludes most symbols, but a 20-character limit is an improvement for them compared to a few years ago. It was 12 characters not too long ago.

Given the slow interface of an IVR phone system, I would think that brute-forcing a 20-digit passcode would be near impossible, even with the search space limited to 0-9 for each digit. I would also never want to try it as a customer. :oops: I'd have to convert my password ahead of time and write it down.
You can mega backdoor Roth conversion only through the phone system.

Raladic
Posts: 196
Joined: Fri Jan 03, 2014 4:56 pm

Re: Fidelity and online passwords.

Post by Raladic » Mon Mar 12, 2018 1:04 pm

mrx wrote:
Sun Mar 11, 2018 6:57 pm
I would pick someone else, but do you think I can convince my employer to move my 401k to Vanguard?
I wouldn't move to Vanguard for more security, as an example, Vanguard only offers text-based 2 Factor Authentication (which security experts including the National Institute of Standards and Technology have long said to not be safe - https://pages.nist.gov/800-63-3/sp800-63b.html) instead of real app generated hashes.

Just as others have mentioned, your conclusions are shortsighted and most likely wrong.

mrx
Posts: 28
Joined: Mon Aug 28, 2017 12:07 am

Re: Fidelity and online passwords.

Post by mrx » Mon Mar 12, 2018 1:08 pm

JoeRetire wrote:
Sun Mar 11, 2018 7:38 pm
mrx wrote:
Sun Mar 11, 2018 5:39 pm
Now there are only two ways for them to verify the password is correct:
  • Option A: They take the number you entered and they try to match all possible passwords against your account. So in my example above they would try to verify your password against (Password123), (password123), (Pbssword1234), etc. This is probably not feasible because it will take them a huge number of trials before they find the right password.
  • Option B: They store your password in plain text somewhere in their database. So when you enter the numbers they quickly match the numbers you entered against your password.
I am almost certain that they do option 2.
You suggest Option A and Option B, but feel certain they "do option 2". Uhm, okay.

You are simply incorrect that there are "only two ways".

It's not hard to store your password in encrypted fashion twice: once for when it needs to be compared from a website-entered password field and once for when it needs to be compared from a telephone-entered password prompt. Then the system encrypts the password on the way in and compares against the corresponding encrypted password.

There is no need for multiple attempts to match possible passwords, nor is there ever a need to store plain-text passwords.

Fidelity most certainly does not store passwords in plain text (at least not on any of the Fidelity systems I've worked with).

I worked for a financial services company in their R&D section. Fidelity was one of our largest customers and I worked with them many times. They take security very seriously.
Am I missing something here?
Clearly you are.

Sorry, but you are drawing conclusions without any facts and seem to be confusing yourself in the process. To be blunt, when it comes to security, you seem to be out of your element.
Thank you for the elaborate response, and I am sorry if I offended you in any way. I am clearly not a security expert, and that's why I was looking for more answers on this forum.

However, if you do not mind, tell me more about option 3? I assume it's the same as Option C that JamesSFO mentioned in the first reply. I, being the non-security expert I am, would still imagine that option 3 is still not even close to being secure and that it exposes all clients to great risk.

To make it a simpler conversation, here is my understanding of how option 3 would work:
  • During sign up on Fidelity for the first time. I get to enter a password.
  • The web client sends two values to the server.
    • hash(password)
    • hash(convertToNumbers(password))
  • The server stores the two hashes, uses the first one for online authentication, and uses the second one for phone authentication.
Now, basic (and limited) security information that I have:
  • What happens if hash(password) is leaked? Probably nothing: the hash is almost impossible to reverse to its original format, and if the attacker would like to hash(EveryPossiblePasswordInTheWorld) to try to guess my password, it would take them (26 (a-z) + 26 (A-Z) + 10 (0-9))^12 = 3.2262668e+21 trials to find my password (assuming a 12-character-long password, which used to be the maximum).
  • What happens if hash(convertToNumbers(password)) is leaked? Well, the attacker needs to try hash(0) to hash(10^12) and compare the results against the hashes only to find out the sequence of numbers which is convertToNumbers(password). 10^12 doesn't seem big enough to be impossible. Once they have this number, it will be a much easier problem to try to guess your password (ask auto correct or swipe keyboards).
Now I am curious: where does my logic fall apart? I tried to think carefully through this to see if there is something I am missing; maybe you can help me out with it?
Last edited by mrx on Mon Mar 12, 2018 1:21 pm, edited 1 time in total.
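An added illustration of the keypad mapping from the first post and of the "option 3" two-hash scheme and search-space comparison in the reply above; this is example code written for this discussion, not code from the thread, and nothing is known about Fidelity's actual implementation. The use of PBKDF2-HMAC-SHA256 with a separate random salt per channel is an assumption made here to show how a phone-channel hash can be stored without keeping any plaintext.

```python
import hashlib
import hmac
import math
import os

# Standard phone keypad letter groups as described in the thread: letters on a
# key collapse to that key's digit regardless of case; digits map to themselves.
KEYPAD = {"2": "abc", "3": "def", "4": "ghi", "5": "jkl",
          "6": "mno", "7": "pqrs", "8": "tuv", "9": "wxyz"}
LETTER_TO_DIGIT = {c: d for d, letters in KEYPAD.items() for c in letters}


def convert_to_numbers(password: str) -> str:
    """Return the digit string a caller would key in for this password."""
    digits = []
    for ch in password:
        if ch.isdigit():
            digits.append(ch)
        elif ch.lower() in LETTER_TO_DIGIT:
            digits.append(LETTER_TO_DIGIT[ch.lower()])
        else:
            # Symbols have no key; the thread notes most are excluded anyway.
            raise ValueError(f"no keypad digit for {ch!r}")
    return "".join(digits)


def keyspace_bits(length: int, alphabet_size: int) -> float:
    """Bits of work to try every string of `length` symbols from an alphabet
    of `alphabet_size`; compare 62-symbol vs 10-digit alphabets."""
    return length * math.log2(alphabet_size)


def _hash(secret: str, salt: bytes, iterations: int) -> bytes:
    # PBKDF2-HMAC-SHA256 is an assumption of this example, standing in for
    # whatever slow, salted password hash a real system would use.
    return hashlib.pbkdf2_hmac("sha256", secret.encode(), salt, iterations)


def enroll(password: str, iterations: int = 100_000) -> dict:
    """Option 3 / Option C: store one salted hash of the web password and a
    second, independently salted hash of its keypad-digit form. The plaintext
    password is never written anywhere."""
    web_salt, phone_salt = os.urandom(16), os.urandom(16)
    return {
        "iterations": iterations,
        "web": (web_salt, _hash(password, web_salt, iterations)),
        "phone": (phone_salt,
                  _hash(convert_to_numbers(password), phone_salt, iterations)),
    }


def verify_web(record: dict, password: str) -> bool:
    """Web channel: hash the submitted password and compare in constant time."""
    salt, stored = record["web"]
    return hmac.compare_digest(stored, _hash(password, salt, record["iterations"]))


def verify_phone(record: dict, keyed_digits: str) -> bool:
    """Phone channel: the caller's keyed digits are hashed and compared directly,
    so every password that collapses to the same digits is accepted here."""
    salt, stored = record["phone"]
    return hmac.compare_digest(stored, _hash(keyed_digits, salt, record["iterations"]))


if __name__ == "__main__":
    record = enroll("Password123")  # constructed sample password from the thread
    print(convert_to_numbers("Password123"))                        # 72779673123
    print(verify_web(record, "password123"))                        # False
    print(verify_phone(record, convert_to_numbers("pbssword123")))  # True
    print(round(keyspace_bits(12, 62)), round(keyspace_bits(12, 10)))  # 71 40
```

The last line quantifies the reply's point: a 12-character mixed-case alphanumeric password is about 71 bits of search space, while its keypad-digit form is about 40 bits, and the phone-channel hash must be protected accordingly.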

JBTX
Posts: 3195
Joined: Wed Jul 26, 2017 12:46 pm

Re: Fidelity and online passwords.

Post by JBTX » Mon Mar 12, 2018 1:12 pm

I had a pretty long and complicated password. I really wasn't going to try to enter it on a phone keypad. I rarely had a need to call into Fido. I would usually go through a couple of prompts and just get a rep and let them verify me that way.

Now that they have voice authentication you should be able to bypass all that.

mrx
Posts: 28
Joined: Mon Aug 28, 2017 12:07 am

Re: Fidelity and online passwords.

Post by mrx » Mon Mar 12, 2018 1:20 pm

JBTX wrote:
Mon Mar 12, 2018 1:12 pm
I had a pretty long and complicated password. I really wasn't going to try to enter it on a phone keypad. I rarely had a need to call into Fido. I would usually go through a couple of prompts and just get a rep and let them verify me that way.

Now that they have voice authentication you should be able to bypass all that.
Bypassing the problem doesn't mean it doesn't exist. Your password (or a less secure encryption form of it) is stored on their systems waiting for the next leak to happen. Whether you avoid using it or not does not make it any safer.

wanderer
Posts: 85
Joined: Sat Aug 16, 2014 4:09 pm
Location: Houston, Texas, USA

Re: Fidelity and online passwords.

Post by wanderer » Mon Mar 12, 2018 1:30 pm

I have been happy with the voice print process.

JBTX
Posts: 3195
Joined: Wed Jul 26, 2017 12:46 pm

Re: Fidelity and online passwords.

Post by JBTX » Mon Mar 12, 2018 1:42 pm

mrx wrote:
Mon Mar 12, 2018 1:20 pm
JBTX wrote:
Mon Mar 12, 2018 1:12 pm
I had a pretty long and complicated password. I really wasn't going to try to enter it on a phone keypad. I rarely had a need to call into Fido. I would usually go through a couple of prompts and just get a rep and let them verify me that way.

Now that they have voice authentication you should be able to bypass all that.
Bypassing the problem doesn't mean it doesn't exist. Your password (or a less secure encryption form of it) is stored on their systems waiting for the next leak to happen. Whether you avoid using it or not does not make it any safer.
Not saying it does. I have often wondered the same thing you have. You can come up with the best of password but ultimately it seems like it would be no better than a multi digit numeric password on a phone keypad.

I would say that in spite of this, their bigger weakness could be the social engineering side. One time I called in and their voice recognition system didn't work, and another time my voice print didn't match, probably because I was on speaker phone. Then you go through a couple of security questions, most of which are probably out there in the dark web stratosphere. They claim to ask questions specific to your situation, but a couple of times they asked "who is one of the beneficiaries on one of your accounts", which is very easily guessed in most situations if you have a retirement account.

JoeRetire
Posts: 871
Joined: Tue Jan 16, 2018 2:44 pm

Re: Fidelity and online passwords.

Post by JoeRetire » Mon Mar 12, 2018 1:53 pm

mrx wrote:
Mon Mar 12, 2018 1:08 pm
Thank you for the elaborate response, and I am sorry if I offended you in anyways.
The only part I actually found offensive is an attempt to recruit others into some sort of anti-Fidelity crusade based on a faulty understanding of security and a completely incorrect assumption regarding what Fidelity "must be doing" with the storage of their passwords. Basically this part:

"I am almost certain that they do option 2. Which is really insane. I do not know a decent website who still saves passwords in plain texts, let alone a big financial institution that manages millions and millions of dollars for their customers. Now any database administrator with the proper permissions can just get to see all the clients password. Isn't this crazy? Am I missing something here?

I have already complaint about this, but I am a young investor and I am not sure how much my feedback would matter. I am hoping to raise the awareness here and maybe get support from some of their premium customers so they get this fixed ASAP.

Please let me know you think I am missing something, otherwise, I would really appreciate if you start complaining to them about that as well."
The web client sends two values to the server.
- hash(password)
- hash(convertToNumbers(password))
It's extremely unlikely that the web client would do the hashing, nor would it send two values to the server. Almost certainly any hashing and creation of a second password is done server-side (assuming it's done this way at all - we don't know that).
What happens if hash(convertToNumbers(password)) is leaked? Well, the attacker needs to try hash(0) to hash(10^12) and compare the results against the hashes only to find out the sequence of numbers which is convertToNumbers(password). 10^12 doesn't seem big enough to be impossible. Once they have this number, it will be a much easier problem to try to guess your password (ask auto correct or swipe keyboards).

Now I am curious: where does my logic fall apart? I tried to think carefully through this to see if there is something I am missing; maybe you can help me out with it?
Without the Salt value(s) and the hash function(s) used to generate the hashed passwords, the leaked hash(convertToNumbers) value isn't helpful.

Again, I don't know specifically how their phone system handles password security. Nor do you.
You can assume it's less secure if you like and complain to them about getting it "fixed", or you could move to a brokerage that seems more secure to you.

But you should check your assumptions here.

JamesSFO
Posts: 3052
Joined: Thu Apr 26, 2012 10:16 pm

Re: Fidelity and online passwords.

Post by JamesSFO » Mon Mar 12, 2018 2:45 pm

mrx wrote:
Mon Mar 12, 2018 1:08 pm

To make it a simpler conversation, here is my understanding to how option 3 would work:
  • During sign up on Fidelity for the first time. I get to enter a password.
  • The web client sends two values to the server.
    • hash(password)
    • hash(convertToNumbers(password))
  • The server stores the two hashes, uses the first one for online authentication, and uses the second one for phone authentication.
It is unlikely that the passwords are salted and stored in the browser. But it is theoretically possible. A more typical architecture would send the full password to the server for checking against various rules/requirements and then salting/hashing/storing would occur.

I think inevitably the phone password channel is likely less secure. However, the next question to ask is: less secure than what? E.g. typical knowledge-based schemes that are trivial for anyone with a piece of your mail and social to "hack"? Or, phrased differently, what would you propose they do for voice-based authentication?

For me, from this perspective, Fidelity's existing approach is more robust than most financial institutions that solely use the account # and something like home address/orally-shared secret phrase like mother's maiden name or first pet. And sure, some people will make their mother's maiden name a "fake" name which is actually a password, e.g. "MyMotherHasNoMaidenNameDarnIt", but those are going to be few and far between. Further, password complexity is only one aspect of security, and aside from voice verification (offered), I am not sure what you would like them to implement that would be more robust/preferable?

JBTX
Posts: 3195
Joined: Wed Jul 26, 2017 12:46 pm

Re: Fidelity and online passwords.

Post by JBTX » Mon Mar 12, 2018 3:21 pm

JamesSFO wrote:
Mon Mar 12, 2018 2:45 pm
mrx wrote:
Mon Mar 12, 2018 1:08 pm

To make it a simpler conversation, here is my understanding to how option 3 would work:
  • During sign up on Fidelity for the first time. I get to enter a password.
  • The web client sends two values to the server.
    • hash(password)
    • hash(convertToNumbers(password))
  • The server stores the two hashes, uses the first one for online authentication, and uses the second one for phone authentication.
It is unlikely that the passwords are salted and stored in the browser. But it is theoretically possible. A more typical architecture would send the full password to the server for checking against various rules/requirements and then salting/hashing/storing would occur.

I think inevitably the phone password channel is likely less secure. However, the next question to ask is: less secure than what? E.g. typical knowledge-based schemes that are trivial for anyone with a piece of your mail and social to "hack"? Or, phrased differently, what would you propose they do for voice-based authentication?

For me, from this perspective, Fidelity's existing approach is more robust than most financial institutions that solely use the account # and something like home address/orally-shared secret phrase like mother's maiden name or first pet. And sure, some people will make their mother's maiden name a "fake" name which is actually a password, e.g. "MyMotherHasNoMaidenNameDarnIt", but those are going to be few and far between. Further, password complexity is only one aspect of security, and aside from voice verification (offered), I am not sure what you would like them to implement that would be more robust/preferable?
I'm not a techie or security expert, but is there a mechanism that could theoretically "hack" a password by random or guessing over a phone line? Seems like after a few failed attempts it would bail out. I don't know if the phone line channel would work any differently.

The issue for Fidelity or any other company is that they have to balance security features with the fact that a great deal of their customers are in retirement and many of them are probably not too tech savvy, and making it too complex may make it less customer friendly for those who value that over security.

I wonder if they could require the same norton security app code key on the phone as they do online? But I'm sure that would be way too confusing for some. It would have to be an optional feature.

mrx
Posts: 28
Joined: Mon Aug 28, 2017 12:07 am

Re: Fidelity and online passwords.

Post by mrx » Mon Mar 12, 2018 3:24 pm

JamesSFO wrote:
Mon Mar 12, 2018 2:45 pm
mrx wrote:
Mon Mar 12, 2018 1:08 pm

To make it a simpler conversation, here is my understanding to how option 3 would work:
  • During sign up on Fidelity for the first time. I get to enter a password.
  • The web client sends two values to the server.
    • hash(password)
    • hash(convertToNumbers(password))
  • The server stores the two hashes, uses the first one for online authentication, and uses the second one for phone authentication.
It is unlikely that the passwords are salted and stored in the browser. But it is theoretically possible. A more typical architecture would send the full password to the server for checking against various rules/requirements and then salting/hashing/storing would occur.

I think inevitably the phone password channel is likely less secure. However, the next question to ask is: less secure than what? E.g. typical knowledge-based schemes that are trivial for anyone with a piece of your mail and social to "hack"? Or phrased differently, what would you propose they do for voice-based authentication?

For me, from this perspective, Fidelity's existing approach is more robust than most financial institutions that solely use the account # and something like home address/orally-shared secret phrase like mother's maiden name or first pet. And sure some people will make their mother's maiden name a "fake" name which is actually a password, e.g. "MyMotherHasNoMaidenNameDarnIt", but those are going to be few and far between. Further, password complexity is only one aspect of security and aside from voice verification (offered), I am not sure what you would like them to implement that would be more robust/preferable?
Interesting insight! I now agree that all phone systems are less secure. Maybe I am just used to it. What I am not used to and what freaked me out is the possibility of my password being leaked. It seems like I value my password more than my money :D.

Epsilon Delta
Posts: 7422
Joined: Thu Apr 28, 2011 7:00 pm

Re: Fidelity and online passwords.

Post by Epsilon Delta » Mon Mar 12, 2018 3:45 pm

JoeRetire wrote:
Mon Mar 12, 2018 1:53 pm
The web client sends two values to the server.
- hash(password)
- hash(convertToNumbers(password))
Without the Salt value(s) and the hash function(s) used to generate the hashed passwords, the leaked hash(convertToNumbers) value isn't helpful.
This is true but completely irrelevant. The reason hashes and salts are used is because it is assumed that the hash method, the hashed passwords and the salts will be leaked. If there was no danger of leaking it would be safe to store the passwords as plain text.

Assume that the web server stores, hashed and salted, both hash(password) and hash(convertToNumber(password)) and leaks both of them. If password is say 12 characters long then they can find convertToNumber(password) in 10^12 hashes and then find password with 7^12 = 10^10 hashes. This is likely to be a feasible attack. Of course Fidelity may take steps to store the two hashes separately so they can't both be leaked at once, but this has other problems and would only be implemented if they have better than average programmers and security experts.

I should also point out that you can't completely rule out that Fidelity just stores hash(password) and tries all 7^12 possible passwords when you use the phone. Probably in some intelligent order based on word recognition. In most cases it would only require a few hundred hashes, and depending on the hash and hardware the worst case might only be a couple of seconds.

JoeRetire
Posts: 871
Joined: Tue Jan 16, 2018 2:44 pm

Re: Fidelity and online passwords.

Post by JoeRetire » Mon Mar 12, 2018 4:10 pm

Epsilon Delta wrote:
Mon Mar 12, 2018 3:45 pm
...if they have better than average programmers and security experts.
IMHO, they do (at least the ones I've dealt with). Much, much better than average.
They were a pain in the @ss to deal with, but they knew their stuff.

JamesSFO
Posts: 3052
Joined: Thu Apr 26, 2012 10:16 pm

Re: Fidelity and online passwords.

Post by JamesSFO » Mon Mar 12, 2018 4:26 pm

JBTX wrote:
Mon Mar 12, 2018 3:21 pm
I'm not a techie or security expert, but is there a mechanism that could theoretically "hack" a password by random or guessing over a phone line? Seems like after a few failed attempts it would bail out. I don't know if the phone line channel would work any differently.

The issue for Fidelity or any other company is they have to balance security features, with the fact that a great deal of their customers are in retirement and many of them probably not too tech savvy - and making it too complex may make it less customer friendly for those that value that over security.

I wonder if they could require the same Norton security app code key on the phone as they do online? But I'm sure that would be way too confusing for some. It would have to be an optional feature.
There are mechanisms and presumably Fidelity has a number of rate-limiting and other countermeasures in place to prevent random attacks. E.g. bailout after 2-3 attempts. Lock account after a certain number of calls, etc.

Balancing security and usability is key. For example, they could require the Norton key generator, but what about customers who have no mobile OR who lose their mobile phone? Etc. The recovery mechanism for a lost password and/or key often becomes the weakest link.
mrx wrote:
Mon Mar 12, 2018 3:24 pm
JamesSFO wrote:
Mon Mar 12, 2018 2:45 pm
...
I think inevitably the phone password channel is likely less secure. However, the next question to ask is: less secure than what? E.g. typical knowledge-based schemes that are trivial for anyone with a piece of your mail and social to "hack"? Or phrased differently, what would you propose they do for voice-based authentication?

For me, from this perspective, Fidelity's existing approach is more robust than most financial institutions that solely use the account # and something like home address/orally-shared secret phrase like mother's maiden name or first pet. And sure some people will make their mother's maiden name a "fake" name which is actually a password, e.g. "MyMotherHasNoMaidenNameDarnIt", but those are going to be few and far between. Further, password complexity is only one aspect of security and aside from voice verification (offered), I am not sure what you would like them to implement that would be more robust/preferable?
Interesting insight! I now agree that all phone systems are less secure. Maybe I am just used to it. What I am not used to and what freaked me out is the possibility of my password being leaked. It seems like I value my password more than my money :D.
Focus on the money. They are going to have a variety of secondary protocols in place to reduce hacking efforts and it is not going to be perfect. Best thing you can do is check your account balance and statements periodically. Additionally, a longer/more complex password is still helpful on the phone because it is harder to guess and has more entropy (e.g. using all 20 digits vs. 8, etc.)

JamesSFO
Posts: 3052
Joined: Thu Apr 26, 2012 10:16 pm

Re: Fidelity and online passwords.

Post by JamesSFO » Mon Mar 12, 2018 4:35 pm

Epsilon Delta wrote:
Mon Mar 12, 2018 3:45 pm
I should also point out that you can't completely rule out that Fidelity just stores hash(password) and tries all 7^12 possible passwords when you use the phone. Probably in some intelligent order based on word recognition. In most cases it would only require a few hundred hashes, and depending on the hash and hardware the worst case might only be a couple of seconds.
While possible it seems unlikely that those can be tested intelligently and quickly enough for near instant sign on if you've used their system. Though with faster computers thanks to Moore's law it would become more and more tractable each passing year. [100 quintillion possible passwords using 10 digits with 20 allowed characters, 10^20 btw. And each expands to ~4 (3 letters + the number itself), so that's a huge array of possible spaces to check; I'm not sure where you got 7^12.]

ryman554
Posts: 997
Joined: Sun Jan 12, 2014 9:44 pm

Re: Fidelity and online passwords.

Post by ryman554 » Mon Mar 12, 2018 4:55 pm

mrx wrote:
Mon Mar 12, 2018 12:46 pm
You can mega backdoor Roth conversion only through the phone system.
Untrue.

Back when I had a 401(k) which allowed this option, everything was done online. I did have a fido IRA, so perhaps that makes a difference.

Step 1: Make sure you have your $$ in your "workplace" account and not BrokerageLink. Takes a couple of days if your automatic investments are in place.
Step 2: Take a distribution from your account online, and send it to a fido account. Goes in one business day and generates the proper 1099s at year end for both accounts.

I was also able to do this successfully for a rollover of a different 401(k) to IRAs after leaving a job, again, all online with no phone agent involved.

Note: I didn't try to separate growth from basis into Roth and tIRA. You shouldn't have a lot of this, anyhow. And I did everything internal to Fidelity, but no phone call or paper forms were required. If you are sending it to Vanguard or something, you may need a live agent, either on phone, or my preference, in their office.

Epsilon Delta
Posts: 7422
Joined: Thu Apr 28, 2011 7:00 pm

Re: Fidelity and online passwords.

Post by Epsilon Delta » Mon Mar 12, 2018 5:06 pm

JamesSFO wrote:
Mon Mar 12, 2018 4:35 pm
Epsilon Delta wrote:
Mon Mar 12, 2018 3:45 pm
I should also point out that you can't completely rule out that Fidelity just stores hash(password) and tries all 7^12 possible passwords when you use the phone. Probably in some intelligent order based on word recognition. In most cases it would only require a few hundred hashes, and depending on the hash and hardware the worst case might only be a couple of seconds.
While possible it seems unlikely that those can be tested intelligently and quickly enough for near instant sign on if you've used their system. Though with faster computers thanks to Moore's law it would become more and more tractable each passing year. [100 quintillion possible passwords using 10 digits with 20 allowed characters, 10^20 btw. And each expands to ~4 (3 letters + the number itself), so that's a huge array of possible spaces to check; I'm not sure where you got 7^12.]
I'm assuming case sensitive passwords and 12 character length which were given somewhere up thread. Most digits have seven possible mappings, e.g. 2, a, A, b, B, c, C. The server has the phone password (digits) since the user has just typed them in, so all that needs to be tested is all the letters that could correspond to the known digits.

20 character case insensitive passwords would mean 4^20 possibilities, which is similar in magnitude to 7^12 so also more or less tractable.
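The candidate-space arithmetic from the posts above (the hash(convertToNumbers(password)) design, the 7^12 and 4^20 estimates, and the two-stage leak scenario), worked through as an added example that is not part of this thread. It assumes the standard ITU E.161 keypad layout (2 = abc through 9 = wxyz, with 0 and 1 carrying no letters), which the thread does not confirm for Fidelity's IVR, and treats any character without a key as unsupported.

```python
import math
from typing import Tuple

# Assumption: the IVR uses the standard ITU E.161 keypad lettering.
KEYPAD = {
    "2": "abc", "3": "def", "4": "ghi", "5": "jkl",
    "6": "mno", "7": "pqrs", "8": "tuv", "9": "wxyz",
}

# Reverse map: every character a caller might type -> the key that produces it.
CHAR_TO_KEY = {d: d for d in "0123456789"}
for _key, _letters in KEYPAD.items():
    for _ch in _letters:
        CHAR_TO_KEY[_ch] = _key
        CHAR_TO_KEY[_ch.upper()] = _key


def convert_to_numbers(password: str) -> str:
    """Digit string the caller keys in for `password` (the thread's convertToNumbers)."""
    return "".join(CHAR_TO_KEY[c] for c in password)  # KeyError for unsupported chars


def preimages_per_key(key: str, case_sensitive: bool = True) -> int:
    """Characters that collapse onto one key: the digit itself plus its letters."""
    letters = KEYPAD.get(key, "")
    return 1 + len(letters) * (2 if case_sensitive else 1)


def candidate_space(digits: str, case_sensitive: bool = True) -> int:
    """Passwords that produce this digit string, i.e. what remains to be
    searched once the digit string itself is known."""
    return math.prod(preimages_per_key(d, case_sensitive) for d in digits)


def two_stage_work(password: str, case_sensitive: bool = True) -> Tuple[int, int]:
    """Work factors of the leak scenario above: recover the n-digit string
    (at most 10**n guesses), then the letters behind it."""
    digits = convert_to_numbers(password)
    return 10 ** len(digits), candidate_space(digits, case_sensitive)


def residual_bits(password: str, case_sensitive: bool = True) -> float:
    """Entropy that survives once the digit string is known."""
    return math.log2(candidate_space(convert_to_numbers(password), case_sensitive))


if __name__ == "__main__":
    pw = "Password123"  # the example password from the opening post
    stage1, stage2 = two_stage_work(pw)
    print(pw, "->", convert_to_numbers(pw))
    print(f"digit recovery: {stage1:.0e} guesses; letters: {stage2:,} candidates")
    print(f"residual entropy: {residual_bits(pw):.1f} of {len(pw) * math.log2(62):.1f} bits")
```

Note that digits 1 and 0 in a password contribute nothing to the residual space, and 7 and 9 contribute nine possibilities rather than seven, so the exact count for a given password can sit on either side of the 7^12 rule of thumb.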

tuningfork
Posts: 316
Joined: Wed Oct 30, 2013 8:30 pm

Re: Fidelity and online passwords.

Post by tuningfork » Mon Mar 12, 2018 9:05 pm

JBTX wrote:
Mon Mar 12, 2018 3:21 pm
I'm not a techie or security expert, but is there a mechanism that could theoretically "hack" a password by random or guessing over a phone line? Seems like after a few failed attempts it would bail out. I don't know if the phone line channel would work any differently.
It would be relatively trivial to write a program that uses an analog modem to send touch-tone digits into an IVR to try to hack it. Very time consuming to make enough guesses to break in, but the programming would be simple.

I'm certain Fidelity locks your account after a small number of failed attempts to log in via the phone. About 20 years ago I needed to access my Fidelity account via phone (before they had web access, or at least before I had set it up). Whatever my PIN/password was at the time, I entered it wrong 3 times. I didn't know how to backspace or cancel on the phone. After the third wrong attempt my account was locked until I could call during business hours to unlock it. Had I known I only had 3 tries I would have been more careful.

I doubt they have made this aspect of their system less secure in the intervening years.
