Security through stupidity, Banca Transilvania style

by Ciprian Dorin Craciun (⁠ciprian.craciun@gmail.com⁠) on 

About how the largest Romanian bank tries to give its clients a "warm-fuzzy-feeling" of security that is actually worth zero in real security terms.


So, Banca Transilvania, one of the largest Romanian banks (actually number one I think), just introduced a "security feature" in which they password-protect the monthly account statements that you receive by email from them.

In one of their help pages, in Romanian, they state (the translation is mine, the stupid emoticon is theirs):

In short, we want to be sure that all your information contained in the account statement is confidential and can't be accessed by unauthorized persons.

Thus, we'll secure with a password all the account statements that we'll send over email, a password which should be known only by the rightful recipient of the email. Meaning you. :)

So far so good, you say; they are trying to add another layer of protection. Which would be true, unless it is actually for nothing because...

First of all, because the password is derived from static personal information which can't be changed by the user, one piece of which is actually known by all your Facebook friends, and the rest is known by anyone you've done business with; and worse, in the case of firms, it's actually based on public information, known to anyone through a simple Google search, or to anyone you've done business with...

The only "secret" in both cases is the actual "algorithm" to derive said password, which basically says something like "paste these and those characters together"... (It is true that I've not found this algorithm published anywhere on the internet; however, it is the same for all bank customers, and thus I would personally treat it as "public knowledge".)

Secondly, this is useless because the password is quite short (up to 10 characters), and, depending on the account holder (personal or firm), those characters are actually digits or just constants, which reduces its strength.

Without divulging the "secret algorithm" (but believe me it's stupid) the following is the password strength in bits:

Thus, just to prove a point, I've made a simple experiment on my 10-year-old laptop, with a dumb Python script (around 20 lines) that just tries all combinations for such a "secure password", and it took around 20 minutes to find a match (in fact it didn't stop after it found it, it just iterated through all combinations until the end, thus the time is the worst-case scenario). And mind you, this is without any optimization, just a dumb Python script; I bet if I were to write this in Rust or C I would obtain a 100-fold performance increase; combine that with parallelization and you get at most a minute on a decent desktop computer...
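To make the strength argument concrete, here is an added example (not the author's script, and not the bank's algorithm) that measures how many bits a password built from constants, digits and personal data really has. The template, the year range and the field kinds are constructed assumptions for illustration only.

```python
import math
from datetime import date

# Field kinds of a hypothetical password template (assumptions, not the bank's scheme):
#   ("const", text)             fixed text, identical for every customer
#   ("digits", n)               n independent decimal digits
#   ("date", first_yr, last_yr) a valid calendar date written out as digits
def field_keyspace(field):
    kind = field[0]
    if kind == "const":
        return 1                      # a constant adds length, not strength
    if kind == "digits":
        return 10 ** field[1]
    if kind == "date":
        first, last = field[1], field[2]
        # only real calendar days count, far fewer than 10**6 digit strings
        return (date(last, 12, 31) - date(first, 1, 1)).days + 1
    raise ValueError(f"unknown field kind: {kind!r}")

def keyspace(template, known=()):
    """Candidates an exhaustive search must cover.
    `known` holds indexes of fields that are not secret (public or shared data)."""
    total = 1
    for i, field in enumerate(template):
        if i not in known:
            total *= field_keyspace(field)
    return total

def strength_bits(template, known=()):
    return math.log2(keyspace(template, known))

def worst_case_seconds(template, guesses_per_second, known=()):
    # guesses_per_second is an assumption supplied by the caller
    return keyspace(template, known) / guesses_per_second

# Constructed 10-character template: 1 constant + 6-digit date + 3 digits.
TEMPLATE = [("const", "X"), ("date", 1940, 2009), ("digits", 3)]

if __name__ == "__main__":
    print(f"looks like   : {strength_bits([('digits', 10)]):.1f} bits (10 free digits)")
    print(f"actually     : {strength_bits(TEMPLATE):.1f} bits")
    print(f"date is known: {strength_bits(TEMPLATE, known={1}):.1f} bits")
```

For comparison, 10 characters drawn at random from the 94 printable ASCII symbols would be about 65.5 bits.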

So getting back to the initial problem:

Or, in the words of Bruce Schneier:

Good work Banca Transilvania! With such security experts in your employment I can sleep well at night knowing that my money and my business are well secured...


BTW, Banca Transilvania, do any of your employees actually use email? From, say, a small provider like Gmail? Because if so, they would have known that any email that contains a password-protected attachment (including PDF) raises warnings like the following:

Encrypted attachment warning

Be careful with this attachment. This message contains 1 encrypted attachment that can't be scanned for malicious content. Avoid downloading it unless you know the sender and are confident that this email is legitimate.

But hey, you just want to improve security by training your users to ignore warnings from their email provider about the "fishiness" of the email they've just received...


P.S.: I know how to fix the password insecurity: just add some special characters at the end of the password, say !@#$%^&*()[]{}; that'll do it; now the password is 100 bazillion bits secure!