Tuesday, 5 January 2016

Bank of Montreal has horrible password policies and does not store them securely

One of the aspects of a bank is that it generally touts some pretty decent physical security controls. They maintain a safe in every branch to ensure valuables cannot be taken without authorization and they generally require some level of identification in order to make a transaction. However, it doesn't appear to be the case when it comes to some banks' online services.

I was made aware that Bank of Montreal (BMO) has a very inadequate password policy for its online banking service: you may only use the letters A-Z and the numbers 0-9, to a maximum of six characters, with no special characters such as ampersands or spaces.

This seems really problematic considering that most people with decent knowledge of security would recommend a minimum of 8 characters to start, ignoring the whole special-characters problem here.

A Real Problem

On the surface, BMO's problem seems almost benign: it's a really weak password scheme. However, it gets worse when you start to examine it closely.

One may think that with these restrictions there would be 62^6 possible combinations based on that keyspace, or roughly 56 billion possible passwords, assuming they allow upper-case and lower-case letters and the digits 0 through 9.

However, we get no indication of that, and in fact we're told that the password is used to access online, mobile, and telephone banking. Here's a picture to illustrate where this becomes a huge gaping problem:

When you sign into your telephone banking, you're prompted for the very same password and are told to enter the password based on the letters on your dialpad. What does this mean? Well here's a list of passwords:

All of these passwords are the same when you use your telephone banking--assuming you have the password dialed in as "788743". When you set your password in BMO's online portal, it's not storing the password but the digits it will look for when you press them on your phone. So if you were to set your password to "stupid", it would become "788743".

This all means that in addition to that password, you could also input "788743" or any entry in the list above and you'd be able to authenticate just fine. As a result, instead of 56 billion possible passwords it really just boils down to a million. BMO claims that it has over seven million customers, so there aren't a lot of passwords to go around here.

I had two BMO customers test this out and they were able to log in with passwords that did not match what they had intended. If you want to try this out for yourself, make a mental note of your password, look at your telephone keypad, and then just jumble the letters around based on which digit your existing password matches.
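To make the collapse described above concrete, here is a small added model (my own example code, not anything from the post or from BMO) of what happens when a 6-character alphanumeric password is reduced to the digits on a standard telephone keypad. It assumes the usual ITU E.161 letter layout (2=ABC through 9=WXYZ, with no letters on 0 and 1), a 62-character alphabet of upper-case letters, lower-case letters and digits, and the six-character maximum the post quotes. It maps a password to its keypad digits, counts how many distinct alphanumeric passwords collapse onto the same digit string, and compares the nominal 62^6 keyspace with the effective 10^6 one:

```python
# Added example, not the post's or BMO's code: model the telephone-keypad
# collapse of a 6-character [A-Za-z0-9] password into a 6-digit string.
import itertools
import string

# Assumed standard ITU E.161 keypad layout; keys 0 and 1 carry no letters.
KEYPAD = {
    "2": "ABC", "3": "DEF", "4": "GHI", "5": "JKL",
    "6": "MNO", "7": "PQRS", "8": "TUV", "9": "WXYZ",
}

# Reverse map: every allowed character -> the key it lands on.
CHAR_TO_KEY = {d: d for d in string.digits}
for key, letters in KEYPAD.items():
    for ch in letters:
        CHAR_TO_KEY[ch] = key
        CHAR_TO_KEY[ch.lower()] = key

ALPHABET = string.ascii_letters + string.digits  # the 62 characters BMO allows
MAX_LEN = 6                                      # the post's stated maximum


def to_keypad_digits(password: str) -> str:
    """Return the digit string the phone system sees for this password."""
    if not 1 <= len(password) <= MAX_LEN or any(c not in CHAR_TO_KEY for c in password):
        raise ValueError("password must be 1-6 characters from [A-Za-z0-9]")
    return "".join(CHAR_TO_KEY[c] for c in password)


def equivalents(digits: str) -> int:
    """How many distinct alphanumeric passwords the phone accepts as this
    digit string: per position, the digit itself plus each letter in both cases."""
    count = 1
    for d in digits:
        count *= 1 + 2 * len(KEYPAD.get(d, ""))
    return count


def nominal_keyspace(length: int = MAX_LEN) -> int:
    """Keyspace a user would assume from the stated character rules."""
    return len(ALPHABET) ** length


def effective_keyspace(length: int = MAX_LEN) -> int:
    """Keyspace once any password mapping to the same digits is accepted."""
    return 10 ** length


def keyspace_is_partitioned(length: int) -> bool:
    """Sanity check: the digit-string classes exactly partition the nominal
    keyspace, i.e. every alphanumeric password lands in exactly one class."""
    total = sum(
        equivalents("".join(t))
        for t in itertools.product(string.digits, repeat=length)
    )
    return total == nominal_keyspace(length)


if __name__ == "__main__":
    for pw in ("stupid", "STUPID", "sTuPiD", "rvuqgf", "788743"):
        print(f"{pw:>8} -> {to_keypad_digits(pw)}")
    print("nominal keyspace  :", nominal_keyspace())
    print("effective keyspace:", effective_keyspace())
    print("passwords accepted as 788743:", equivalents("788743"))
    print("classes partition keyspace (length 4):", keyspace_is_partitioned(4))
```

The partition check is the useful invariant here: each position contributes 2 + 6*7 + 2*9 = 62 characters across the ten keys, so the million digit strings cover the full 62^6 keyspace with no overlap, which is exactly why the effective keyspace is the number of digit strings and nothing more. The sizes of the classes are also uneven: a password of only 0s and 1s has no letter equivalents at all, while "788743" is shared with 194,480 other alphanumeric passwords.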

This is stupid, and unfortunately not unique to BMO either, as I have heard anecdotes that other banks in the United States have similar systems in place.

Do any of the big banks do password security right?

TD does. Here's how it looks when you attempt to set a password:

That implies to me that, on the surface at least, they store the password in a sane manner, because I can put anything I want into the field as long as it meets their requirements. Since I am setting this password via a password manager and it's accepting it, everything appears to be in good order.

What does BMO have to say about it?

BMO declined to reply on Twitter about the matter and instead opted to request I provide some contact details so they could go off-the-record to explain why they have such a lousy password policy.

If you're looking for a major bank in Canada that likely has better online banking security, go for TD or someone else that has taken the time to upgrade their banking services to work in the 21st Century.