Tag: branch banking and trust

BB&T Bank Passwords

Posted by – October 20, 2008

I just happened to change my password recently on my online banking. I found out that Branch Banking and Trust (BB&T) limits the maximum password length to 12 characters, that passwords cannot contain any special characters such as an exclamation point, and that passwords are not case sensitive. Screenshots of the online banking interface are below.

New password screen for BBT

Error page for BBT Online Banking

Putting such restrictive limits on passwords seems to be very common. Multiple listeners of Security Now! have written in saying that their bank also has poor password policies, mostly due to legacy requirements or compatibility with disparate systems.

Security Now! 162

Leo: Good luck. Jon Kuhn in Ann Arbor, Michigan has discovered that Wells Fargo is in bad company. Oh, boy. After hearing about Wells Fargo on the Security Now! podcast, I decided to try out all of my GRC Perfect Password-derived passwords, all of them alphanumeric with upper and lower case. I found that Chase, Citibank, Vanguard, and my credit union all have non-case-sensitive passwords. Just thought you might find that interesting.

Steve: So Wells Fargo is sharing the doghouse with these other people. But given that they’ve got lockout provisions, and I imagine that our listeners may now be curious to poke at their – deliberately log in incorrectly and see what it takes, verify in fact that anyone trying to guess their passwords will be shut down very quickly and then have to go through the extra reauthenticating hoop-jumping in order to get their account reactivated. Which, again, it certainly does mitigate the problem of passwords being non-case sensitive.
Leo: There’s got to be a reason they’re doing this. Is it possible that some older computers or older…
Steve: Matter of fact, if you keep reading, we will come to the reason.
Leo: Ah. I like it. I like it. Steve is always way ahead of me. Brent McLaren in Ajax, which is near Toronto in Ontario, Canada, brings up a very good point. It’s a point about case-insensitive banking passwords.
Steve: Speak of the devil.
Leo: He says: Hi, Steve. Been listening to Security Now! since Episode 1. I really enjoy the show. Me, too. Even though I work in IT and spend my days working with security and networking technology, I’ve found your insight and ability to explain complex topics very valuable. So I just wanted to pipe in on the topic of case insensitivity for Wells Fargo’s online banking log-in. I know that for my bank the password used for online banking is shared with telephone banking. As a result the password has to be limited to alphanumeric passwords with no case sensitivity. It’s also limited to six characters. I believe this is one of those tradeoffs between security and usability that is necessary. Having separate passwords for the different channels would be beyond confusing to people. That’s a very good point.
Steve: Isn’t that a good point? I liked that because you could imagine trying to explain to somebody that you’ve got, you know, what a circumflex is or…
Leo: I don’t think there’s a circumflex on my phone. Yeah, you’re right.
Steve: Or the pound sign. What? Well, it’s that number sign, the thing, you know, I mean, so if passwords were really complex, it could be difficult for them to be used, the same password to be used, essentially repurposed through different venues with the same institution. And so it’s like, okay, that makes some sense. You could imagine that trying to explain your password over the phone to somebody could be a problem, much more so than you typing in some strange concoction with shift keys and so forth on your keyboard.
Leo: And I actually remember that I got started in online banking with Bank of America in 1984 or something with phone banking. And so I think that probably it’s the same system it’s been all along. In fact, and this is what made me ask the question earlier, I remember it was almost a TTY the first time I started doing online banking. A black screen would come up with white letters on it, all uppercase. The menu structure would be, you know, type “1” for this item, type “2.” I mean, it was very primitive. And I bet you it’s the same back end.

Steve: It may very well be that they just stuck a web server on the front of it.

On a positive note, BB&T is slowly improving its security: my original password had only six characters and now the minimum is eight. In the future there is the possibility of two-factor authentication, because they recently launched BB&T Mobile and BB&T Alerts, both of which can interact with your phone via text messaging.

BB&T Bank tracking its users

Posted by – March 27, 2008

Check out the homepage of Branch Banking and Trust: it’s got invisible tracking voodoo from Doubleclick/Google.

BBT Bank homepage

This is the unadorned BB&T website. No visible external advertising or mention of Doubleclick at all.

Doubleclick uncovered

The first thing you’ll notice is the two warnings displayed by NoScript in the upper-left corner. Remember, this was supposed to be blank white space. Doubleclick doesn’t appear on other pages and it sure as hell doesn’t appear in the online banking. Just being on the homepage is bad enough because of the enormous database Doubleclick has on nearly all Internet users. Through their advertising network Doubleclick can track me from website to website. Then of course they can also identify me when I go to log in to my bank. BB&T now has detailed information about its customers provided by Doubleclick.
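NoScript surfaced the Doubleclick load only because it blocks scripts; the same check can be done offline on saved HTML. The script below is an added example (not from the original post or from BB&T) that lists every script, frame, image or stylesheet a page pulls from a host other than the page’s own; the bank URL `https://bank.example/`, the HTML and the Doubleclick paths are constructed for the demo.

```python
"""Audit saved HTML for resources loaded from third-party hosts."""
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Tag/attribute pairs that make the browser contact a host when the page renders.
LOADING_ATTRS = {"script": "src", "iframe": "src", "img": "src",
                 "embed": "src", "link": "href"}


class ResourceCollector(HTMLParser):
    """Collect (tag, url) for every resource-loading tag in the document."""

    def __init__(self):
        super().__init__()
        self.urls = []

    def handle_starttag(self, tag, attrs):
        wanted = LOADING_ATTRS.get(tag)
        if wanted is None:
            return
        for name, value in attrs:
            if name == wanted and value:
                self.urls.append((tag, value))


def registrable(host):
    # Assumption: two-label suffix (no co.uk-style public suffixes in the sample).
    return ".".join(host.lower().split(".")[-2:])


def third_party_resources(html, page_url):
    """Return [(tag, host)] for resources whose host differs from the page's site."""
    first_party = registrable(urlsplit(page_url).hostname)
    collector = ResourceCollector()
    collector.feed(html)
    found = []
    for tag, url in collector.urls:
        host = urlsplit(url).hostname
        if host is None:          # relative URL: served by the bank itself
            continue
        if registrable(host) != first_party:
            found.append((tag, host))
    return found


# Constructed sample: a first-party page with an invisible ad-network script and pixel.
SAMPLE_HTML = """<html><head><title>Bank</title>
<link rel="stylesheet" href="/css/site.css"><script src="/js/menu.js"></script>
</head><body><img src="/images/logo.gif">
<script src="http://ad.doubleclick.net/constructed-path.js"></script>
<img src="http://ad.doubleclick.net/constructed-pixel" width="1" height="1">
</body></html>"""

if __name__ == "__main__":
    for tag, host in third_party_resources(SAMPLE_HTML, "https://bank.example/"):
        print(f"third-party {tag:<6} -> {host}")
```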

From the BB&T Privacy Notice

BB&T also gives itself permission to share the information it has about me with other companies that do marketing for the bank, i.e. Doubleclick.

In addition, we may disclose the information we collect about you described above to companies that perform marketing services on our behalf and to financial institutions for the purpose of jointly offering financial products and services to you, such as mortgage life insurance.