So, Banca Transilvania, one of the largest Romanian banks (actually number one I think) just introduced a "security feature", in which they password protect your monthly account statements that you receive by email from them.
In one of their help pages, [in romanian], they state (the translation is mine, the stupid emoticon is theirs):
In short, we want to be sure that all your information contained in the account statement is confidential and can't be accessed by unauthorized persons.
Thus, we'll secure with a password all the account statements that we'll send over email, a password which should be known only by the rightful recipient of the email. Meaning you. :)
So far so good you say, they are trying to add another layer of protection. Which would be true, unless it is actually for nothing because...
First of all because the password is derived from static personal information which can't be changed by the user, one of which is actually known by all your Facebook friends, and the rest is known by anyone you've done business with; and worst, in case of firms, it's actually based on public information, known to anyone through a simple Google search, or to anyone you've done business with...
The only "secret" in both cases is the actual "algorithm" to derive said password which basically says something like "paste these and those characters together"... (It is true that I've not found publicly on the internet which is this algorithm, however it is the same for all bank customers, and thus I would personally treat it as "public knowledge".)
Secondly, this is useless because the password is quite small (up to 10 characters), which depending on the account holder (personal or firm) are actually digits or just constants that reduce their strength.
Without divulging the "secret algorithm" (but believe me it's stupid) the following is the password strength in bits:
- in case of personal accounts: it's between 23 and 24 bits, that is around 12 million unique combinations; although 3 bits are based on publicly known information, and the rest on pseudo-personal information;
- in case of firm accounts: it's between 26 and 27 bits, that is around 100 million unique combinations; although 10 bits are based on publicly known information, and the rest are known to anyone you've done business with;
Thus, just to prove a point, I've made a simple experiment on my 10 years old laptop, with a dumb Python script (around 20 lines) that just tries all combinations for such a "secure password", and it took around 20 minutes to find a match (in fact it didn't stop after it found it, it just iterated through all combinations until the end, thus the time is the worst case scenario). And mind you, this is without any optimization, just a dumb Python script; I bet if I were to write this in Rust or C I would obtain a 100 fold performance increase; combine that with parallelization and you get at most a minute on a decent desktop computer...
So getting back to the initial problem:
- lately there have been lots of data breaches, leaks, phishing attacks, etc., that have left the "e-industry consumer" worried;
- thus Banca Transilvania wants to give its users the feeling of security and professionalism in these tried times;
- therefore it tries to identify, with minimal costs, how it can achieve an improvement in its security image; (I repeat security image, not to be confused with actual security, as only few can asses real security, but many think they understand catch-phrases like "password", "encryption", etc...)
- and thus they land "password secured account statements", with the security properties stated above;
Or, in the words of Bruce Schneier:
- "something must be done" -- i.e. we need to improve our perceived security;
- "this is something" -- i.e. it costs us nothing to password protect some PDF's in some emails, although the password we use is weak because it is based on pseudo-public information;
- "therefore we must do it" -- i.e. password protected account statements over email;
Good work Banca Transilvania! With such security experts in your employment I can sleep well at night knowing that my money and my business are well secured...
BTW, Banca Transilvania, does any of your employees actually use email? From say a small provider like GMail? Because if so, they would had known that any email that contains a password protected attachment (including PDF) raises warnings like the following:
Encrypted attachment warning
Be careful with this attachment. This message contains 1 encrypted attachment that can't be scanned for malicious content. Avoid downloading it unless you know the sender and are confident that this email is legitimate.
But hey, you just want to improve security by training your users to ignore warnings from their email provider about the "fishiness" of the email they've just received...
P.S.: I know how to fix the password insecurity: just add some special characters at the end of the password, say !@#$%^&*()[]{}; that'll do it; now the password is 100 bazillion bits secure!