The Daily WTF: Curious Perversions in Information Technology

You must use a secure password

Last post 03-27-2013 2:35 PM by Ben L.. 18 replies.
  • 03-25-2013 4:12 PM

    You must use a secure password

    According to my calendar, my clock, the timestamp on all my files and my emails, and by confirmation from a random sampling of strangers in the hallway, the year is currently 2013. Ecommerce has been a thing for well over a decade, if not much more. Online payment processors are the very lifeblood of the entire ecommerce system. Protecting and securing such entities, and the data they process, is perhaps the driving force behind modern security, cryptology, and authentication schemes-- probably right up there with the health care industry, and anti-censorship advocates.

    The flagship product of the podunk company I work for takes online payments. Given the magnitude of security that goes into being a payment processor-- and knowing that neither the company nor any of our clients wants that responsibility-- we process everything through hosted pay pages. Basically, ever been to one of those sites that says "Now redirecting you to a secure 3rd party for payment"? That concept.

    We've been happy-ish with Moneris, but one client wants us to implement another provider for them. For the sake of anonymity, let's call this other payment processor Global Payments. They're ostensibly a Fortune 100 company who has been in the payment game since 1967. A big fish who should really know better.

    There were a few niggly details that bothered me during the initial phone call between myself, the client and a sales rep from Global Payments. I chalked it up to prolonged exposure to marketspeak, and figured it would all be ok once I got the technical manual and my sandbox account. Alas.

    The email with my sandbox information eventually arrives. Link to the control panel, username, temporary password. Peachy so far. I fire up the old fox of fire, and head over to the site. Username, copy and paste. Password, copy and paste. Login.

    Blank screen.

    I confirm that I've completely disabled Ad Block, No Script, etc. etc., but a login is just met with a blank screen. I have my client on the line, and he can log in just fine. He's rattling off everything he sees-- folders with subfolders for users, payments, account information, etc.

    Wait, folders? Little, low-res, yellow file folders like you'd see in a VB6 application? Like you'd see in a VB6 application written in 1999? Like one that'd be targeted at Internet Explorer users who felt more comfortable with those? That's when I get my first "oh no, it couldn't be" moment. And it could be. Except worse.

    I fire up Internet Explorer, dreading that in 2013, a major player in the Ecommerce field has a site that breaks when viewed without Internet Explorer. And I was right, but so horribly off base. I navigate to the site, enter my username and password, hit logon--

    -- and I'm greeted with a dialog asking me if I want to install the site's ActiveX component.

    In 2013. An actual goddamn ActiveX-based website. I'll give you a moment to go shove a kitten into a mason jar before continuing. Done? Good.

    Okay, now that I've run the jar through the dishwasher, I log in and proceed to use the ActiveX {twitch} "website". First thing it has me do is enter a new password to replace the temporary one. It explicitly states that I "must use a secure password". I can do that. My usual password's pretty strong, and I'll just add a few characters to it.

    Typeity-type, shift, click-- enter my usual long string of numbers, letters and specials. Submit and the password is rejected.

    What? Why? I go down the list of password requirements, since it just gives the requirements and not the FAILED requirements. Okay, fine.

    Min 8 characters? Check.

    Letters? Check.

    Uppercase letter? Check.

    Number? Check.

    No special characters. Check-- wait, wait, wait-- what? NO special characters? Doesn't that make the password less secure? What possible reason could they have for disallowing "special" characters like %, ' or -? Just because they look like database control characters doesn't mean-- oh no.

    The only reason I've ever encountered to reject special characters is because the code freaks out when it can't figure out how to escape or encode them before putting them in the database. But it's 2013. Everybody salts and hashes their passwords. It doesn't matter what is in the actual password, the end result will be a DB "friendly" string.

    I drop the special characters from my now less secure password, and finally get into the system. But I can't stop thinking about those special characters. I mean, they are salting and hashing, right?

    Better hide your mason jars so they don't get any more kitten on them, because right next to the "Reset Password" link is a "Email user password" link. Does this email the user a password reset hyperlink? Does it dump a temporary password into the database and email that to the user?

    Nope. It sends an email. With the user's original password. In plaintext. Retrieved from the database. Plaintext.

    Global Payments in 2013, folks.



    HardwareGeek:

    <blink> and you're dead!



    "Where is grumpy cat?"
    - Mozilla's MOST ADVANCED USER!
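    The post's argument is that a salted, hashed password store makes the characters in the password irrelevant to the database, and that an "Email user password" button cannot exist on top of one. Below is an added example that demonstrates both points in code; it is not code from the post or from any payment provider it mentions. The record format (`pbkdf2_sha256$<iterations>$<salt>$<hash>`), the in-memory `users` table and the test passwords are all constructed for the illustration; the only real APIs used are Python's standard `hashlib`, `hmac`, `os` and `sqlite3`.

```python
"""Salted password hashing: a password policy never needs to ban special
characters, and a store built this way cannot e-mail the original password
back because it does not have it.

Added example (not from the forum post or any vendor). The record format and
the users table are assumptions made for the illustration."""
import hashlib
import hmac
import os
import sqlite3
from typing import Optional

ITERATIONS = 600_000   # PBKDF2-HMAC-SHA256 work factor; raise as hardware gets faster
SALT_BYTES = 16


def hash_password(password: str, salt: Optional[bytes] = None,
                  iterations: int = ITERATIONS) -> str:
    """Return a self-describing record: algorithm, iterations, hex salt, hex digest.
    The output is pure ASCII whatever the password contains (%, ', -, quotes,
    Unicode), so it is 'DB friendly' by construction."""
    if salt is None:
        salt = os.urandom(SALT_BYTES)  # unique per user: equal passwords get different records
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return f"pbkdf2_sha256${iterations}${salt.hex()}${digest.hex()}"


def verify_password(password: str, record: str) -> bool:
    """Recompute the digest under the stored salt and compare in constant time."""
    algo, iterations, salt_hex, digest_hex = record.split("$")
    if algo != "pbkdf2_sha256":
        return False
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                                    bytes.fromhex(salt_hex), int(iterations))
    return hmac.compare_digest(candidate, bytes.fromhex(digest_hex))


def build_user_store() -> sqlite3.Connection:
    """In-memory users table, constructed for the example."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT PRIMARY KEY, "
                 "password_record TEXT NOT NULL)")
    return conn


def register(conn: sqlite3.Connection, username: str, password: str) -> None:
    # Parameterised statement: the password text never reaches SQL at all
    # (only its hash does), and even the username is bound rather than spliced in.
    conn.execute("INSERT INTO users VALUES (?, ?)", (username, hash_password(password)))
    conn.commit()


def login(conn: sqlite3.Connection, username: str, password: str) -> bool:
    row = conn.execute("SELECT password_record FROM users WHERE username = ?",
                       (username,)).fetchone()
    # Hash something even for unknown users so response time does not reveal
    # which usernames exist.
    record = row[0] if row else hash_password("dummy")
    return verify_password(password, record) and row is not None


def email_user_password(conn: sqlite3.Connection, username: str) -> str:
    """All an 'Email user password' feature could send from this store: the
    stored record, which contains a salt and a digest, not the password."""
    row = conn.execute("SELECT password_record FROM users WHERE username = ?",
                       (username,)).fetchone()
    return row[0] if row else ""


if __name__ == "__main__":
    conn = build_user_store()
    # Constructed password full of the characters the vendor rejects.
    awkward = "Corr3ct-Horse%Battery'Staple; DROP TABLE users;--"
    register(conn, "lorne", awkward)
    assert login(conn, "lorne", awkward)
    assert not login(conn, "lorne", awkward.replace("%", ""))
    print("stored record:", email_user_password(conn, "lorne"))
```

    Two things to notice when running it: the stored record is hex and `$` only, regardless of input, so an "escaping" problem cannot arise; and `email_user_password` has nothing to send but that record. If a site can mail you your own password, it is either storing it as typed or storing it under a reversible transform, which for this purpose is the same thing.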
  • 03-25-2013 4:14 PM In reply to

    Re: You must use a secure password

     Since I realize that's a wall of text, summary: Fortune 100 company Global Payments demands a secure password, rejects special characters, then saves it in plaintext in their database. In 2013.

    Oh, and when I cheekily avoided using their name then linked directly to their Wikipedia entry as a joke, I didn't expect to scroll down and discover a whole other level of sad.

    Wikipedia:

    Security breach

    The company was hit with a security breach in March 2012 affecting anywhere from 50,000 to 10 million credit card holders.[3]

    Global Payments Inc. announced on Friday, March 30, 2012, that it identified and self-reported unauthorized access into its processing system. The company believes that the affected portion of its processing system is confined to North America and less than 1,500,000 card numbers may have been exported. The investigation to date has revealed that Track 2 card data may have been stolen, but that cardholder names, addresses and social security numbers were not obtained by the criminals. Based on the forensic analysis to date, network monitoring and additional security measures, the company believes that this incident is contained.[4]

    In a letter to possibly affected card holders, Global Payments writes "This data may have included your name, social security number and the business bank account number designated for the deposit of merchant processing proceeds." This statement by the company directly contradicts their attempts at damage control reported in the LA Times. Affected card holders are informed "We have provided additional information at www.2012infosecurityupdate.com"

  • 03-25-2013 4:38 PM In reply to

    Re: You must use a secure password

    Isn't there a way to report companies for PCI compliance issues like this?
  • 03-25-2013 4:43 PM In reply to

    Re: You must use a secure password

    Do they even encrypt during transport? I suggest wireshark or disassembling the ActiveX. (I am amazed by the level of wtf)
  • 03-25-2013 7:25 PM In reply to

    Re: You must use a secure password

    swayde:
    Do they even encrypt during transport ? I suggest wireshark or disassembling the ActiveX. (I am amazed by the level of wtf)
    Even if they do encrypt, that's no guarantee that they use a secure cipher. I must get round to writing up the time I forced a third party payment gateway to accelerate their deployment plans for a version which used a modern cipher by sending them attack code which broke what they were using at the time.
    You'll probably find that the forum experience is improved by going to the "Site Options" tab of "Edit Profile" and turning off "Display User Signatures".
  • 03-25-2013 7:36 PM In reply to

    • Ben L.
    • Top 10 Contributor
    • Joined on 12-22-2010
    • Inventor of the 186-hour work week
    • Posts 3,608

    Re: You must use a secure password

    pjt33:
    swayde:
    Do they even encrypt during transport ? I suggest wireshark or disassembling the ActiveX. (I am amazed by the level of wtf)
    Even if they do encrypt, that's no guarantee that they use a secure cipher. I must get round to writing up the time I forced a third party payment gateway to accelerate their deployment plans for a version which used a modern cipher by sending them attack code which broke what they were using at the time.
    xor_0xff_encryption()
  • Morbs is the smartest!
  • 03-25-2013 8:32 PM In reply to

    Re: You must use a secure password

    I hate stories without an ending.

    So what did you say to the client? "Fuck your payment processor, not only are we NOT adding it, but we recommend YOU stop using it too"? How did they react? I MUST KNOW!

      <-  I couldn't make my shit work, so here's a Godzilla head.
  • 03-25-2013 9:54 PM In reply to

    Re: You must use a secure password

    Holy shit.

    You could require the user to write their ATM PIN on a piece of paper, put it on a wooden table next to their ATM card, scan it and upload it as a JPG and it would still be more secure than this pile of fail.

  • 03-26-2013 6:17 AM In reply to

    • Zecc
    • Top 25 Contributor
    • Joined on 06-12-2007
    • and hasn't left since.
    • Posts 2,068

    Re: You must use a secure password

    flabdablet:

    Holy shit.

    You could require the user to write their ATM PIN on a piece of paper, put it on a wooden table next to their ATM card, scan it and upload it as a JPG and it would still be more secure than this pile of fail.

    That's two-factor authentication right there.


    If mixed metaphors were illegal, I'd be having an indigestion.
    typeof NaN == 'number'
    var ò_ó, ಠ⁔ಠ, ᄒᆺᄒ, ᅙᅳᅙ, ᖛᨓᖜ, ꖴᅩꖴ, ఠᨋఠ; // Naming your variables is serious business
  • 03-26-2013 6:56 AM In reply to

    • dkf
    • Top 50 Contributor
    • Joined on 04-24-2008
    • Manchester, UK
    • Posts 1,138

    Re: You must use a secure password

    Zecc:
    That's two-factor authentication right there.
    "Too fucked"or would be closer.
  • 03-26-2013 10:56 AM In reply to

    Re: You must use a secure password

    Ben L.:
    xor_0xff_encryption()
    Worse.
  • 03-26-2013 11:05 AM In reply to

    • Ben L.

    Re: You must use a secure password

    pjt33:
    Ben L.:
    xor_0xff_encryption()
    Worse.
    double_rot13_xor_0xff_twice_encryption()
  • 03-26-2013 11:21 AM In reply to

    Re: You must use a secure password

    pjt33:
    Ben L.:
    xor_0xff_encryption()
    Worse.

    //email_to_joe_for_encryption() // on holiday
    email_to_intern_jake_for_encryption()
    
    Begging the question since 2007.
  • 03-26-2013 12:01 PM In reply to

    Re: You must use a secure password

    Faxmachinen:
    //email_to_joe_for_encryption() // on holiday
    email_to_intern_jake_for_encryption()

    I was wondering why I haven't been receiving any emails for encryption since my vacation.

    Signatures are stupid.
  • 03-26-2013 5:37 PM In reply to

    • Ben L.

    Re: You must use a secure password

    Faxmachinen:

    pjt33:
    Ben L.:
    xor_0xff_encryption()
    Worse.

    //email_to_joe_for_encryption() // on holiday
    email_to_intern_jake_for_encryption()
    
    Pros: cannot be read by computers

    Cons: requires manual "decryption"

  • 03-26-2013 11:53 PM In reply to

    • nic
    • Not Ranked
    • Joined on 11-04-2010
    • Posts 3

    Re: You must use a secure password

    Lorne Kates:

    Better hide your mason jars so you they don't get any more kitten on them, because right next to the "Reset Password" link is a "Email user password" link. Does this email the user a password reset hyperlink? Does it dump a temporary password into the database and email that to the user?

    Nope. It sends an email. With the user's original password. In plaintext. Retrieved from the database. Plaintext.

    Global Payments in 2013, folks.


    I don't know what you're so surprised about, password security is absolute shit in a lot of companies these days. Nearly every single company I have applied to (job wise) has had the god-damn audacity to email me back my password. I'm not talking about random temp passwords, no, I mean the actual damn password. I've taken to giving them a weak password and testing them before giving them anything resembling a decent password. It'd be funny if one of the companies that emailed my password wasn't a government IT security place.

  • 03-27-2013 6:03 AM In reply to

    Re: You must use a secure password


    pjt33:
    swayde:
    Do they even encrypt during transport ? I suggest wireshark or disassembling the ActiveX. (I am amazed by the level of wtf)
    Even if they do encrypt, that's no guarantee that they use a secure cipher. I must get round to writing up the time I forced a third party payment gateway to accelerate their deployment plans for a version which used a modern cipher by sending them attack code which broke what they were using at the time.
    You're lucky they were at least competent enough not to yell YOU hacked them.

  • 03-27-2013 2:32 PM In reply to

    Re: You must use a secure password

    nic:
    Nearly every single company I have applied for (job wise) have had the god-damn audacity to email me back my password. I'm not talking about random temp passwords, no I mean that actual damn password.

    Next time set your password to "who/is/stupid/enough/to/store/passwords/unencrypted?"

  • 03-27-2013 2:35 PM In reply to

    • Ben L.

    Re: You must use a secure password

    Cassidy:
    who/is/stupid/enough/to/store/passwords/unencrypted'
    If it denies that password, you know a little bit more about how much you REALLY want to use the site.
Powered by Community Server (Non-Commercial Edition), by Telligent Systems