Very odd circumstance with a US bank (Edit: Fidelity) and I’m unsure how I feel about it, but I wanted to share if any interest here.
I called into my bank and they now ask for your online banking username or social via the phone keypad. Letters in your login name are substituted with the corresponding number on the keypad, or you can enter your SSN instead.
I didn’t see a reason to enter my online ID, so I entered my SSN. Fairly normal, but what happened next surprised me. The automated system then asked for my online banking password, again substituting numbers for the corresponding letters. So for example a “b” or a “C” is entered simply as “2”.
This was odd, but how could they possibly be authenticating me this way? In any case, after some brief consideration I diligently opened my PW manager and began entering the corresponding numbers for my randomly generated alpha-numeric as I was instructed by the automated system.
After a brief hold I was connected to an agent who made the changes to my account as I requested. It was a fairly simple interaction and she stated I had already confirmed my identity during the process.
How could the simple numbers I entered on the keypad be sufficient to authenticate my password? I doubt they are storing my PW in plain-text, but am I right to feel odd about how my PW is being stored in this circumstance?
Couple items that might come up:
- I verified the phone number
- I verified the source of the phone number through multiple sources
- The interaction was fairly normal and un-noteworthy compared to any other banking related phone call.
I doubt they aren’t, given the situation
It’s a well known bank, Fidelity. So a fairly reputable national chain. I am thoroughly confused by the event.
So I called back and went through the process again by entering my online ID.
- I entered the numeric version of my user ID
- When prompted for the numeric version of my password I did so as before, but entered bad values for about 4 or so characters. The system did not authenticate me.
- When prompted again I entered my password with a single incorrect “number”. Again, the number was just a numerical representation of the actual character.
The system sent me to a human rep who then needed to verify me by sending an SMS code to the number on file. This did not happen when I entered the “correct” “password” before.
Interestingly, I discovered all of this in the process of setting up their TOTP codes and enabling their “lockdown” mode. Which has given me a pretty bad security impression. (Converting Fidelity's Symantec VIP token to TOTP to use with Authy | Random Thoughts From a Random Guy)
Anyway - I don’t know how to feel at the moment. Just sharing in case anyone here is interested. The automated phone system made sure to tell me they are now on r/fidelityinvestments if anyone cares enough to share the story there.
Edit: Last update for a while. I changed my password on the online portal and a plain text numerical representation was presented to me. So at best they are storing a plain-text numerical form of the “encrypted”? <20 character passphrase.
I’m used to companies screwing up basic security, but upon further reflection it’s probably too hasty to assume this is the case, and I agree they likely don’t store your password in plain-text actually.
They could very trivially take your password when you set it and hash it for storage, and also convert your password to phone keys, hash that version, and store that hash separately as well.
Doing this does still drastically reduce the uniqueness of the password hash though, so… I wouldn’t reuse this password on other sites lol
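To make the scheme described in that reply concrete (hashing the real password and its keypad-digit form as two separate secrets, and seeing how much the digit form collapses the keyspace), here is an added example. It is not code from the thread or from any bank; the keypad mapping, the choice of PBKDF2-SHA256, and the decision to drop symbols that have no keypad key are all my own assumptions.

```python
import hashlib
import hmac
import math
import os

# Standard ITU E.161 letter groups on a phone keypad (assumed mapping; 0 and 1 carry no letters).
KEYPAD = {
    "2": "abc", "3": "def", "4": "ghi", "5": "jkl",
    "6": "mno", "7": "pqrs", "8": "tuv", "9": "wxyz",
}
LETTER_TO_DIGIT = {ch: d for d, letters in KEYPAD.items() for ch in letters}

PBKDF2_ROUNDS = 200_000  # assumed work factor; tune for the deployment


def to_phone_digits(password: str) -> str:
    """Convert a password to the digit string a caller would type on a keypad.

    Letters map case-insensitively to their key; digits pass through;
    symbols are dropped (assumption: they have no keypad key)."""
    out = []
    for ch in password:
        low = ch.lower()
        if low in LETTER_TO_DIGIT:
            out.append(LETTER_TO_DIGIT[low])
        elif ch.isdigit():
            out.append(ch)
    return "".join(out)


def _hash(secret: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", secret.encode(), salt, PBKDF2_ROUNDS)


def enroll(password: str) -> dict:
    """Store two independent salted hashes: the web password and its keypad form.

    Neither the password nor the digit string is kept in plain text."""
    web_salt, phone_salt = os.urandom(16), os.urandom(16)
    return {
        "web_salt": web_salt,
        "web_hash": _hash(password, web_salt),
        "phone_salt": phone_salt,
        "phone_hash": _hash(to_phone_digits(password), phone_salt),
    }


def check_web(record: dict, attempt: str) -> bool:
    """Verify a web login attempt against the full-password hash."""
    return hmac.compare_digest(_hash(attempt, record["web_salt"]), record["web_hash"])


def check_phone(record: dict, digits: str) -> bool:
    """Verify an IVR keypad entry against the digit-form hash."""
    return hmac.compare_digest(_hash(digits, record["phone_salt"]), record["phone_hash"])


def collision_class_size(digits: str) -> int:
    """How many case-sensitive alphanumeric passwords map to this digit string.

    Each key 2-9 could have been any of its letters in either case or the
    digit itself; keys 0 and 1 can only have been that digit."""
    size = 1
    for d in digits:
        letters = KEYPAD.get(d, "")
        size *= 2 * len(letters) + 1
    return size


def lost_bits(password: str) -> float:
    """Bits of guessing strength given up by accepting the keypad form."""
    return math.log2(collision_class_size(to_phone_digits(password)))


if __name__ == "__main__":
    pw = "Hello123"  # constructed sample password
    rec = enroll(pw)
    print(to_phone_digits(pw))                      # 43556123
    print(check_phone(rec, to_phone_digits(pw)))    # True
    # A different password with the same keypad digits also passes the phone check:
    print(check_phone(rec, to_phone_digits("Gdjjn123")))  # True
    print(check_web(rec, "Gdjjn123"))               # False
    print(collision_class_size("43556123"), round(lost_bits(pw), 1))
```

The two hashes are independent, so a leak of the phone hash does not directly expose the web password, but the phone secret is drawn from a far smaller space: every letter collapses to one of eight keys, case is lost, and `collision_class_size` shows how many distinct passwords share one digit string. That is the concrete reason the phone channel deserves a second factor (such as the SMS step the OP saw after a failed entry) rather than being treated as equivalent to the full password.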
I believe you are correct. It looks like they are assigning a “phone password” during password creation. Perhaps not plain text, but after changing my password they printed on screen my “phone password” which is just the numerical form of their >20 character password string. I took a screenshot and redacted information, but was uncomfortable posting in this thread publicly.