I have recently started using the Fidelity phone service to do some stuff. I have always been using the website and I almost never had to call. I was very surprised by how they let me *log in* through the phone. They basically ask you to enter your username and password through the phone key pad.
I know a little bit about software and security, and hence this specific way of verifying me makes me really concerned about how they manage my password. The key idea is that you use the key pad to enter your password. For example:
- To insert (a or b or c or A or B or C or 2) you just press 2.
- To insert (d or e or f or D or E or F or 3) you just press 3.
- and so on.
Now there are only two ways for them to verify that the password is correct:
- Option A: They take the number you entered and they try to match all possible passwords against your account. So in my example above they would try to verify your password against (Password123), (password123), (Pbssword1234), etc. This is probably not feasible because it would take them a huge number of trials before they find the right password.
- Option B: They store your password in plain text somewhere in their database, so when you enter the numbers they quickly match the numbers you entered against your password.
I have already complained about this, but I am a young investor and I am not sure how much my feedback would matter. I am hoping to raise awareness here and maybe get support from some of their premium customers so they get this fixed ASAP.
Please let me know if you think I am missing something; otherwise, I would really appreciate it if you start complaining to them about that as well.
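As an added illustration (not part of the original post), the Python below maps a password to the keypad digits the phone system actually receives and sizes the candidate set that Option A would have to try, then runs Option A's enumeration against a hash. The keypad letter groups are the standard telephone ones; restricting passwords to letters and digits (the post's own examples) and using a plain SHA-256 as the stored hash are assumptions.

```python
import hashlib
import itertools
from math import prod

# Standard telephone keypad letter groups; each digit also maps to itself.
KEYPAD = {
    "2": "abc", "3": "def", "4": "ghi", "5": "jkl",
    "6": "mno", "7": "pqrs", "8": "tuv", "9": "wxyz",
}
# Assumption: passwords contain only letters and digits, as in the post's
# examples; punctuation has no obvious keypad digit and is not handled.
CHAR_TO_DIGIT = {d: d for d in "0123456789"}
for _digit, _letters in KEYPAD.items():
    for _ch in _letters:
        CHAR_TO_DIGIT[_ch] = _digit
        CHAR_TO_DIGIT[_ch.upper()] = _digit


def keypad_digits(password: str) -> str:
    """The password as the phone system receives it: collapsed to keypad digits."""
    return "".join(CHAR_TO_DIGIT[c] for c in password)


def candidates_for_digit(d: str) -> str:
    """Every character a caller might have meant when pressing digit d."""
    letters = KEYPAD.get(d, "")
    return d + letters + letters.upper()


def candidate_count(digits: str) -> int:
    """Number of distinct passwords that collapse to this digit string
    (the search space Option A must cover)."""
    return prod(len(candidates_for_digit(d)) for d in digits)


def sha256_hex(s: str) -> str:
    """Stand-in for the stored hash. A real password store would use a slow,
    salted hash (bcrypt, scrypt, Argon2), which makes Option A even costlier."""
    return hashlib.sha256(s.encode()).hexdigest()


def verify_option_a(digits: str, stored_hash: str, limit: int = 1_000_000):
    """Option A: enumerate every password matching the digits and compare hashes.
    Returns (matched, trials); gives up after `limit` trials."""
    trials = 0
    for combo in itertools.product(*(candidates_for_digit(d) for d in digits)):
        trials += 1
        if trials > limit:
            return False, trials - 1
        if sha256_hex("".join(combo)) == stored_hash:
            return True, trials
    return False, trials
```

For the post's own example, `candidate_count(keypad_digits("Password123"))` is 992,436,543, so a login that takes a second for a plaintext comparison would need close to a billion hash trials under Option A.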