<?xml version="1.0" encoding="UTF-8"?> <rss
version="2.0"
xmlns:content="http://purl.org/rss/1.0/modules/content/"
xmlns:wfw="http://wellformedweb.org/CommentAPI/"
xmlns:dc="http://purl.org/dc/elements/1.1/"
xmlns:atom="http://www.w3.org/2005/Atom"
xmlns:sy="http://purl.org/rss/1.0/modules/syndication/"
xmlns:slash="http://purl.org/rss/1.0/modules/slash/"
> <channel><title>gHacks Technology News &#124; Latest Tech News, Software And Tutorials &#187; online security</title> <atom:link href="http://www.ghacks.net/tag/online-security/feed/" rel="self" type="application/rss+xml" /><link>http://www.ghacks.net</link> <description>A technology news blog covering software, mobile phones, gadgets, security, the Internet and other relevant areas.</description> <lastBuildDate>Sat, 11 Feb 2012 08:24:54 +0000</lastBuildDate> <language>en</language> <sy:updatePeriod>hourly</sy:updatePeriod> <sy:updateFrequency>1</sy:updateFrequency> <generator>http://wordpress.org/?v=3.3.1</generator> <atom:link rel="hub" href="http://pubsubhubbub.appspot.com"/><atom:link rel="hub" href="http://superfeedr.com/hubbub"/> <item><title>Every Facebook User Has Multiple Passwords</title><link>http://www.ghacks.net/2011/09/13/every-facebook-user-has-multiple-passwords/</link> <comments>http://www.ghacks.net/2011/09/13/every-facebook-user-has-multiple-passwords/#comments</comments> <pubDate>Tue, 13 Sep 2011 21:39:47 +0000</pubDate> <dc:creator>Martin Brinkmann</dc:creator> <category><![CDATA[Facebook]]></category> <category><![CDATA[facebook]]></category> <category><![CDATA[facebook login]]></category> <category><![CDATA[facebook password]]></category> <category><![CDATA[online security]]></category> <category><![CDATA[password]]></category> <guid
isPermaLink="false">http://www.ghacks.net/?p=50461</guid> <description><![CDATA[Facebook users log in to the social networking site with their username and password. Normally you would expect that the password is unique, and that no one else could access the account by entering a different password in the login prompt on the website. If you have thought that then you have been wrong, and [...]]]></description> <content:encoded><![CDATA[<p>Facebook users log in to the social networking site with their username and password. Normally you would expect that the password is unique, and that no one else could access the account by entering a different password in the login prompt on the website.</p><p>If you have thought that then you have been wrong, and that for some time now. <a
href="http://www.zdnet.com/blog/facebook/facebook-passwords-are-not-case-sensitive-update/3612?tag=nl.e589">Emil Protalinski</a> over at ZDNet found out by accident that Facebook appears to accept different password combinations during login. He noticed the issue after finding out that he was able to log into Facebook with Caps Lock on while entering the password.</p><p>One would expect that the login attempt would be turned down, but that is apparently not the case.</p><p>Facebook later confirmed that they accept three different forms of a user password:</p><ul><li>The original password, obviously.</li><li>The original password with the first letter capitalized. This apparently only works for mobile devices.</li><li>The original password with the letter case reversed.</li></ul><p>If your password is ghacksIsGreat, Facebook would also accept GHACKSiSgREAT and GhacksIsGreat when connecting from a mobile device.</p><p>The reasoning behind that is to avoid too many caps lock conflicts for users logging in to the site. Numbers, on the other hand, are not affected by caps lock, which is why only letters are accepted with case changes. Facebook assumes that the caps lock key has been active if the password is sent over with reversed case.</p><p>The question is this: Is the acceptance of password variations on Facebook a security issue? While brute force attacks could in theory benefit from the additional password forms that are accepted on Facebook, their impact seems to be negligible, especially if secure passwords are selected by the site&#8217;s users.</p><p>It is still a security issue, and some users might prefer warnings that the caps lock key is active to the way Facebook is handling the issue right now.</p><p>Facebook is not the only company that was criticized for their password security. Amazon was recently in the news as well: <a
href="http://www.ghacks.net/2011/01/31/amazon-login-may-accept-password-variants/">Amazon Login May Accept Password Variants</a></p><p>What&#8217;s your take on this?</p> ]]></content:encoded> <wfw:commentRss>http://www.ghacks.net/2011/09/13/every-facebook-user-has-multiple-passwords/feed/</wfw:commentRss> <slash:comments>9</slash:comments> </item> <item><title>Scan Your Twitter Account For Safe And Suspicious Users</title><link>http://www.ghacks.net/2011/09/01/scan-your-twitter-account-for-safe-and-suspicious-users/</link> <comments>http://www.ghacks.net/2011/09/01/scan-your-twitter-account-for-safe-and-suspicious-users/#comments</comments> <pubDate>Thu, 01 Sep 2011 18:36:46 +0000</pubDate> <dc:creator>Martin Brinkmann</dc:creator> <category><![CDATA[Online Services]]></category> <category><![CDATA[Security]]></category> <category><![CDATA[bitdefender]]></category> <category><![CDATA[bitdefender safego]]></category> <category><![CDATA[online security]]></category> <category><![CDATA[twitter]]></category> <category><![CDATA[twitter friends]]></category> <category><![CDATA[twitter security]]></category> <guid
isPermaLink="false">http://www.ghacks.net/?p=49988</guid> <description><![CDATA[Are you a Twitter user who is following all users that are following you? Or do you limit your friends list on Twitter to real life friends, business contacts and family? The first group of users is taking more risks than the second, but none are really 100% safe from malicious tweets and traps. A [...]]]></description> <content:encoded><![CDATA[<p>Are you a Twitter user who is following all users that are following you? Or do you limit your friends list on Twitter to real life friends, business contacts and family? The first group of users is taking more risks than the second, but none are really 100% safe from malicious tweets and traps. A friend could for instance re-tweet a message that is either a scam, spam or linking directly to a malicious website or download.</p><p>Bitdefender&#8217;s new tool Safego is a handy online tool for Twitter users who want to find out if they are following potentially dangerous users on Twitter.</p><p>You first need to authorize Bitdefender Safego via Twitter&#8217;s own authorization service, which means that you do not need to hand out your username and password to them.</p><p>Once you have done that you can sit back and relax a bit while Safego begins to scan all of your Twitter friends and their tweets. This can take quite a while depending on the number of friends on the social networking site. The online service uses Bitdefender&#8217;s anti-malware and anti-phishing engines to scan all URLs posted by friends on Twitter.</p><p><img
src="http://www.ghacks.net/wp-content/uploads/2011/09/bitdefender-safego.png" alt="bitdefender safego" title="bitdefender safego" width="600" height="490" class="alignnone size-full wp-image-49989" /></p><p>All friends are sorted into the Safe and Suspicious groups on the Safego website. Please note that the online service does not do anything about &#8220;unsafe&#8221; or suspicious users on Twitter. It is still up to you to either unfollow them, warn them or do nothing about it.</p><p>Each friend listing links directly to that friend&#8217;s Twitter stream from where you can unfollow that user easily.</p><p>Bitdefender Safego will furthermore notify you via Twitter automatically when suspicious messages are posted by a friend. Options that are disabled by default are to scan your private messages, to send you weekly reports and to automatically warn your friends if suspicious behavior was detected.</p><p>Last but not least it is possible to scan the public messages of any Twitter user, which can be a helpful thing to do before following that person.</p><p>Users who want to scan their Twitter account for safe and suspicious friends to add a little bit of extra security to it can do <a
href="http://safego.bitdefender.com/twitter">so right at the</a> Bitdefender Safego website. (<a
href="http://www.troublefixers.com/security-scanner-for-twitter-find-out-twitter-ids-safe-to-follow-with-bitdefender-safego-for-twitter/?utm_source=feedburner&#038;utm_medium=feed&#038;utm_campaign=Feed%3A+troublefixers+%28TroubleFixers+-+Computer+Troubleshooting+Tips%2C+Tools+%26+Guides%29">via</a>)</p> ]]></content:encoded> <wfw:commentRss>http://www.ghacks.net/2011/09/01/scan-your-twitter-account-for-safe-and-suspicious-users/feed/</wfw:commentRss> <slash:comments>2</slash:comments> </item> <item><title>Banks Not Required to Utilize &#8220;The Best&#8221; Security?</title><link>http://www.ghacks.net/2011/06/09/banks-not-required-to-utilize-the-best-security/</link> <comments>http://www.ghacks.net/2011/06/09/banks-not-required-to-utilize-the-best-security/#comments</comments> <pubDate>Thu, 09 Jun 2011 16:21:18 +0000</pubDate> <dc:creator>Melanie Gross</dc:creator> <category><![CDATA[Security]]></category> <category><![CDATA[The Web]]></category> <category><![CDATA[bank]]></category> <category><![CDATA[citibank]]></category> <category><![CDATA[lulzsec]]></category> <category><![CDATA[online security]]></category> <guid
isPermaLink="false">http://www.ghacks.net/?p=46266</guid> <description><![CDATA[In May of 2009 a Sanford, Maine based company, Patco Construction Co, filed suit against Ocean Bank, a division of Bridgeport, Conn. Based People’s United Bank. Patco used online banking to make weekly payroll payments and claimed that cyber thieves had used a Trojan (ZeuS) to steal Patco’s online credential and then heisted $588,000 over [...]]]></description> <content:encoded><![CDATA[<p>In May of 2009 a Sanford, Maine based company, <a
href="http://www.patco.com/">Patco Construction Co</a>, filed suit against <a
href="http://www.oceanbank.com/">Ocean Bank</a>, a division of Bridgeport, Conn.-based People’s United Bank.  Patco used online banking to make weekly payroll payments and claimed that cyber thieves had used a Trojan (ZeuS) to steal Patco’s online credentials and then heisted $588,000 over the course of seven days.  The bank managed to recover about $243,000 of the pilfered funds but held the small business responsible for the remainder.  Patco’s suit was intended to find the bank responsible for the remaining $345k. The closely-watched battle in court is nearing an end, it seems.</p><p>On May 27th, a magistrate made a recommendation that, if adopted by a U.S district court in Maine, will make challenging the effectiveness of security measures employed by banks much more difficult for other small businesses and other victims.  The recommendation, made after considering the legal issues and propounded analysis of what constitutes &#8220;commercially reasonable security&#8221;, was to deny Patco’s motion for summary judgment and grant the bank’s motion.  David Navetta, a founding partner of the Information Law Group, explained:<br
/> &#8220;Many security law commentators, myself included, have long held that reasonable security does not mean bullet-proof security and that companies need not be at the cutting edge of security to avoid liability&#8221;.<br
/> Patco’s argument is, in part, that Ocean Bank failed to keep the terms of its contract when it allowed customers to log in to accounts using little more than a user name and password.</p><p>The bank was relying on service provider Jack Henry to process bank-to-bank transfers.  The authentication process it employed required customers to log in with a company ID, userID and password.  Customers also had to provide answers to three &#8220;challenge questions&#8221; if the system scored a transaction as &#8220;high risk&#8221;.  The Jack Henry product utilized a scoring system developed by RSA’s Cyota, and it rates the riskiness of transactions using various factors, such as the location of a user’s internet address, how a customer navigates the site and when and how often a user logs in, among others.  The risk score is calculated on a scale between zero and 1000, and scores over 750 are considered &#8220;high risk&#8221;.  Until 2008, Ocean Bank had set the dollar amount threshold for automatically requiring the answer to a challenge question at $100,000.  However, in July of that same year, the bank lowered the threshold to $1 due to ACH fraud at the bank that targeted low-dollar amount transactions.  After the change, customers were required to answer a challenge question whenever they used the bank’s system.</p><p>Sari Green, Patco’s security expert, of Sage Data Security, told the court that by setting challenge questions to be asked on every transaction, Ocean Bank greatly increased the risk that a fraudster using a banking Trojan would be able to compromise the answers to the challenge questions.  Patco further argued that having the questions posed for every person on every transaction didn’t actually provide any additional security.</p><p>As Navetta said, the magistrate considered the question of whether the bank’s security was sufficient.  
Security guidelines were established in 2005 by banking regulators at the FFIEC, and they require the use of &#8220;multi-factor authentication&#8221; by incorporating at least two of three checks: something the user knows (such as a password), something the user has (such as the passcode generated by a one-time token) and something the user is, such as a biometric identifier.  The bank argued that the password-based scheme it used was multi-factor as described in the FFIEC guidance.  According to Navetta, &#8220;To some degree the court acknowledged that the bank’s security could have been better.  Even so, it was technically multi-factor as described in the FFIEC guidance in the court’s opinion, and ‘the best’ was not necessary.&#8221;  In fact, the ruling by the magistrate seems to suggest that the fault was actually with Patco for not securing its account credentials well enough.</p><p>Avivah Litan, fraud and bank security analyst at Gartner, called this suggestion “an outrage”.</p><p>&#8220;In my opinion, this is frankly an egregious injustice against small U.S. businesses,&#8221; Litan said. &#8220;It is also a complete failure of the bank regulatory system in the United States, which should come as no surprise, given the history of the regulators in the 21st century.&#8221;</p><p>One has to question the ethicality of a statement that suggests that &#8220;the best&#8221; security isn’t necessary for banks to employ.  If the magistrate’s ruling is accepted by the court and Ocean Bank’s motion is granted, it will set a precedent for liability challenges in the future, potentially leaving businesses without recourse when suffering a loss such as Patco’s.  It remains to be seen what the judge’s decision will be, though the court is not expected to overturn the ruling.</p><p>The implications of this ruling, should it be formally recognized by the court (and it most likely will be) are far reaching and should give any consumer pause.  
What’s really being decided here is bigger than Patco vs the bank. What is at stake here is future liability rulings: Who’s responsible for this type of heist, end users or banks?  If the banks aren’t going to be expected to have the &#8220;best&#8221; security available, protecting their own networks from malicious intrusion, what recourse will small businesses have in the event of a similar heist?</p><p>This news is especially interesting given today’s revelation that <a
href="http://www.ghacks.net/2011/06/09/massive-data-theft-in-citibank-hack/">Citibank</a> was hacked and the information of 200,000 users was compromised, and additionally because of LulzSec’s recent antics showcasing the incredible security flaws of some of the biggest companies in the world.<br
/> There’s no doubt that security is a huge issue since we do so much online, and in fact are even rewarded for doing banking, shopping, etc. online and penalized when wanting to speak with a human being, or go the old-fashioned route of paying in person or with cash or checks. So the question is, since institutions are pushing for us to make their lives easier by doing everything online, should they be held to a higher standard of security?</p> ]]></content:encoded> <wfw:commentRss>http://www.ghacks.net/2011/06/09/banks-not-required-to-utilize-the-best-security/feed/</wfw:commentRss> <slash:comments>6</slash:comments> </item> <item><title>Why Websites Never Need Your Password</title><link>http://www.ghacks.net/2011/05/05/why-websites-never-need-your-password/</link> <comments>http://www.ghacks.net/2011/05/05/why-websites-never-need-your-password/#comments</comments> <pubDate>Thu, 05 May 2011 07:27:04 +0000</pubDate> <dc:creator>Ryan D. Lang</dc:creator> <category><![CDATA[Security]]></category> <category><![CDATA[Tutorials Basic]]></category> <category><![CDATA[online security]]></category> <category><![CDATA[password]]></category> <category><![CDATA[password recovery]]></category> <category><![CDATA[passwords]]></category> <category><![CDATA[phishing]]></category> <guid
isPermaLink="false">http://www.ghacks.net/?p=44716</guid> <description><![CDATA[It is common knowledge that a website, such as PayPal or eBay, will never ask for your password. They do not need it, but rarely do we hear about why that is the case. There are actually a few possibilities. Please note, if you ever get an e-mail requesting your username and password, it is [...]]]></description> <content:encoded><![CDATA[<p>It is common knowledge that a website, such as PayPal or eBay, will never ask for your password.  They do not need it, but rarely do we hear about why that is the case.  There are actually a few possibilities.</p><p>Please note, if you ever get an e-mail requesting your username and password, it is <a
href="http://www.ghacks.net/2006/01/25/phishing-explained">phishing</a> for it.  See our <a
href="http://www.ghacks.net/2009/10/07/phishing-protection-tips/">phishing protection tips</a> for some tips on how to protect yourself.  There is also a <a
href="http://loginhelper.com/email/phishing-flow-chart/">phishing flowchart</a> to help you identify phishing.  In addition to this, Gmail <a
href="http://gmailblog.blogspot.com/2009/07/new-in-labs-super-trustworthy-anti.html">has a lab</a> that will verify PayPal and eBay e-mails.</p><h3>Websites Already Have it</h3><p>While one would hope passwords are encrypted and kept out of harm&#8217;s reach, that is not always the case.  In many systems security is an afterthought.  Sometimes security policies and programs are not seen as necessary until after a breach.  Important customer information is not always protected the way that it should be.</p><p>In a system like this your password may not be encrypted. It may be stored in plain text (sometimes called &#8220;clear text&#8221;).  There may not be proper access controls in place either.</p><p>With the usernames and passwords so easily accessed, no one from the company needs to ask you for them.  The company, or a number of employees within it, has access to them.  This is a part of why it is important to use different passwords on different sites.</p><h3>Top Level Staff May Have Access</h3><p>A system with good security will encrypt your passwords.  Even if someone who was not supposed to have access to the file containing passwords gained it, it would look like gibberish.  There are ways to get around this under certain circumstances, but overall the encryption keeps people from being able to read customer information.</p><p>That said, there will be people higher up who have access to the key which can decipher passwords.  If a legitimate need for the information arose, such as a court order, then a ranking company official would be involved, not you.</p><p>While not directly relating to passwords, Dropbox works in a similar fashion. All data that Dropbox stores is encrypted, protected from staff and general misuse.  The higher-ups are able to access the data, but only under special circumstances.  They <a
href="http://blog.dropbox.com/?p=735">can give</a> access to authorities, but it must be by court order.  It is an example of how an encrypted system is still controlled by someone in the company.</p><h3>Your Password May Not Be Stored Verbatim</h3><p>Some sites and systems may use a clever trick to log you in.  You would think, when you login, a server compares the username and password that you send with a username and password on record.  That is not always the case.</p><p>Some systems will use your password and a random number, put them into a formula, and get a crazy looking code of letters, numbers, and symbols.  This code is virtually perfectly unique to your password.  The site stores this code and the random number.</p><p>virtually perfectly unique<br
/> http://blogs.msdn.com/b/tomarcher/archive/2006/05/10/are-hash-codes-unique.aspx</p><p><a
href="http://www.infocellar.com/networks/Security/hash.htm">Unlike encryption</a>, where the password can be retrieved if a key is used, the created code cannot be unlocked to reveal your password.  It is a one-way process designed to make your password unreadable.  It is difficult to figure out the password based on the code.  The point to a system like this is that they do not want to know your password.</p><p>When you login again, you send your username and password. <a
href="http://www.product-reviews.net/2011/05/02/playstation-network-status-of-passwords-encryption-vs-hashing/">The system</a> takes the password you send, puts it and the random number back in the formula, and forms the crazy code again.  It then compares that code to the code on file.  If they match, you are allowed in; if they do not match, you get an error.  Voila, login without a stored password.</p><p>The crazy code has a special name: a hash value.  Sony disclosed their use of hash values after the PlayStation Network was brought down by hackers.</p><h3>The System May Force Resets</h3><p>Some systems will give limited tools to IT personnel (by policy, access, or design).  In these cases, the only tool they may have available is a password reset.  This is done to remedy the frequent problem of lost passwords.  Passwords can be safely encrypted or hashed, yet access can be easily restored.</p><p>Facebook <a
href="https://www.facebook.com/recover.php">uses</a> this system.  You have to tell the website something about yourself first, but it will reset your password after you have.  This automates the process so you do not have to wait for tech support.</p><p><img
src="http://www.ghacks.net/wp-content/uploads/2011/05/facebook-identify-account.png" alt="facebook identify account" title="facebook identify account" width="567" height="501" class="alignnone size-full wp-image-44717" /></p><h3>Many Functions Do Not Require Your Password</h3><p>In most systems, the employee logs in, is verified by the system, and has the appropriate access for the role they play in the company.  The software they use may be able to modify your contact information, account balances, length of service, view your history with the company, etc.  Heck, sometimes they can outright delete you.  Think about how a bank teller can deduct money from your account when you ask for cash.  By far, their username and password trumps your username and password.  There is nothing legitimate that a bank could need your password for.</p><h3>In Summary</h3><p>As it has been stated by every reputable company, there is never a reason to give someone your password.  The company will never ask for your username or password.  These occurrences prey on ignorance.  If you know someone who you think might fall for a ploy like this, educate them.  
They should be less likely to give the information out if they know why it is never needed.</p> ]]></content:encoded> <wfw:commentRss>http://www.ghacks.net/2011/05/05/why-websites-never-need-your-password/feed/</wfw:commentRss> <slash:comments>0</slash:comments> </item> <item><title>Please Rob Me Demonstrates The Dangers Of Location Based Services</title><link>http://www.ghacks.net/2010/02/17/please-rob-me-demonstrates-the-dangers-of-location-based-services/</link> <comments>http://www.ghacks.net/2010/02/17/please-rob-me-demonstrates-the-dangers-of-location-based-services/#comments</comments> <pubDate>Wed, 17 Feb 2010 18:08:30 +0000</pubDate> <dc:creator>Martin Brinkmann</dc:creator> <category><![CDATA[Security]]></category> <category><![CDATA[location based services]]></category> <category><![CDATA[online security]]></category> <category><![CDATA[please rob me]]></category> <category><![CDATA[twitter]]></category> <guid
isPermaLink="false">http://www.ghacks.net/?p=23154</guid> <description><![CDATA[Location based services can be helpful to the user, no question about that. They are most often implemented and used in mobile devices, which are able to return the location of the owner to the network, where this information can be used in several ways, from locating the nearest post office, restaurant or ATM to [...]]]></description> <content:encoded><![CDATA[<p>Location based services can be helpful to the user, no question about that. They are most often implemented and used in mobile devices, which are able to return the location of the owner to the network, where this information can be used in several ways, from locating the nearest post office, restaurant or ATM to locating a friend or object.</p><p>But these location based services can also pose a threat, especially if they are linked with social networking sites and public status information.</p><p><span
id="more-23154"></span>Please Rob Me demonstrates the dangers of location based services by allowing searches for Twitter usernames or locations on their website.</p><p>Returned are Twitter messages of users who post that they are not at home, hence the name of the website Please Rob Me as this would be an ideal opportunity for someone to scout an object and rob the user who posted the status update.</p><p><img
src="http://www.ghacks.net/wp-content/uploads/2010/02/please_rob_me-499x363.jpg" alt="" title="please rob me" width="499" height="363" class="alignnone size-medium wp-image-23155" /></p><p>The website conveniently links to the Google Maps location of the person who posted the status update (which usually is the user&#8217;s home address).</p><blockquote><p>The danger is publicly telling people where you are. This is because it leaves one place you&#8217;re definitely not&#8230; home. So here we are; on one end we&#8217;re leaving lights on when we&#8217;re going on a holiday, and on the other we&#8217;re telling everybody on the internet we&#8217;re not home. It gets even worse if you have &#8220;friends&#8221; who want to colonize your house. That means they have to enter your address, to tell everyone where they are. Your address.. on the internet.. Now you know what to do when people reach for their phone as soon as they enter your home. That&#8217;s right, slap them across the face.</p></blockquote><p>The goal of the project is of course not to provide criminals with an opportunity to rob houses but to raise awareness that location based services if linked to public notifications can be dangerous to the individual. (via <a
href="http://stadt-bremerhaven.de/location-based-xy-ungeloest?utm_source=feedburner&amp;utm_medium=feed&amp;utm_campaign=Feed:+stadt-bremerhaven/dqXM+Caschys+Blog">Caschy</a>)</p> ]]></content:encoded> <wfw:commentRss>http://www.ghacks.net/2010/02/17/please-rob-me-demonstrates-the-dangers-of-location-based-services/feed/</wfw:commentRss> <slash:comments>4</slash:comments> </item> <item><title>RockYou Hacked. Some 30 million passwords in the wild [Security]</title><link>http://www.ghacks.net/2010/01/21/rockyou-hacked-some-30-million-passwords-in-the-wild-security/</link> <comments>http://www.ghacks.net/2010/01/21/rockyou-hacked-some-30-million-passwords-in-the-wild-security/#comments</comments> <pubDate>Thu, 21 Jan 2010 17:38:43 +0000</pubDate> <dc:creator>Martin Brinkmann</dc:creator> <category><![CDATA[Security]]></category> <category><![CDATA[internet security]]></category> <category><![CDATA[online security]]></category> <category><![CDATA[password]]></category> <category><![CDATA[rockyou]]></category> <guid
isPermaLink="false">http://www.ghacks.net/?p=22489</guid> <description><![CDATA[RockYou, a service that offers applications like slideshows, games, layouts and more for social networking sites like Facebook, MySpace or Orkut that the networks&#8217; users seem to love so much, was recently hacked and the service&#8217;s entire database of 30+ million data sets exposed. This alone would have been problematic but the situation grew [...]]]></description> <content:encoded><![CDATA[<p>RockYou, a service that offers applications like slideshows, games, layouts and more for social networking sites like Facebook, MySpace or Orkut that the networks&#8217; users seem to love so much, was recently hacked and the service&#8217;s entire database of 30+ million data sets exposed. This alone would have been problematic but the situation grew worse when it became clear that the passwords were stored in plain text in the databases.</p><p>This means that more than 30 million complete sets of emails, usernames and passwords were exposed to third parties. At least one hacker managed to get hold of all the data, of which the passwords and a small data sample were posted on the Internet.</p><p><span
id="more-22489"></span>RockYou users who have an account at the service should immediately change the passwords for all their services that use the same password and email address to avoid having those accounts hacked.</p><p>RockYou did not only store login information for its own service but also for third party websites like Facebook or MySpace to make it as easy as possible for users to use the data in their social networking accounts. This means that MySpace, Bebo or Facebook login information has also been stored on the RockYou servers if the user had entered it on the RockYou website (see <a
href="http://techcrunch.com/2009/12/14/rockyou-hack-security-myspace-facebook-passwords/">Techcrunch</a> for additional information)</p><p>Security company Imperva got hold of the 30+ million passwords that have been selected by RockYou users to secure their accounts. Their findings are alarming:</p><ul><li>About 30% of users chose passwords whose length is equal or below six characters.</li><li>Moreover, almost 60% of users chose their passwords from a limited set of alpha-numeric characters.</li><li>Nearly 50% of users used names, slang words, dictionary words or trivial passwords (consecutive<br
/> digits, adjacent keyboard keys, and so on). The most common password among Rockyou.com<br
/> account owners is “123456”.</li></ul><p><img
src="http://www.ghacks.net/wp-content/uploads/2010/01/password_popularity-500x214.jpg" alt="" title="password popularity" width="500" height="214" class="alignnone size-medium wp-image-22491" /></p><p>The password popularity chart is therefore dominated by easy-to-guess passwords such as 123456, Password, rockyou or abc123. The full report of the findings can be downloaded from the <a
href="http://www.imperva.com/docs/WP_Consumer_Password_Worst_Practices.pdf">Imperva</a> server as a pdf document.</p><blockquote><p>If a hacker would have used the list of the top 5000 passwords as a dictionary for brute force attack on Rockyou.com users, it would take only one attempt (per account) to guess 0.9% of the users passwords or a rate of one success per 111 attempts. Assuming an attacker with a DSL connection of 55KBPS upload rate and that each attempt is 0.5KB in size, it means that the attacker can have 110 attempts per second. At this rate, a hacker will gain access to one new account every second or just less than 17 minutes to compromise 1000 accounts. And the problem is exponential. After the first wave of attacks, it would only take 116 attempts per account to compromise 5% of the accounts, 683 attempts to compromise 10% of accounts and about 5000 attempts to compromise 20% of accounts.</p></blockquote><p><strong>Recommendations for users</strong></p><ul><li>Choose a strong password for sites where you care about the privacy of the information you store. Bruce Schneier’s advice is useful: “take a sentence and turn it into a password. Something like “This little piggy went to market” might become &#8220;tlpWENT2m&#8221;. That nine-character password won&#8217;t be in anyone&#8217;s dictionary.”</li><li>Use a different password for all sites – even for the ones where privacy isn’t an issue. To help remember the passwords, again, following Bruce Schneier’s advice is recommended: “If you can&#8217;t remember your passwords, write them down and put<br
/> the paper in your wallet. But just write the sentence – or better yet – a hint that will help you remember your sentence.”</li><li>Never trust a 3rd party with your important passwords (webmail, banking, medical etc.)</li></ul><p>The easiest way to ensure all this is to use a password manager that can generate strong passwords and save them for the user. We recommend <a
href="http://www.ghacks.net/tag/last-pass/">Last Pass</a> which is available for several popular web browsers.</p> ]]></content:encoded> <wfw:commentRss>http://www.ghacks.net/2010/01/21/rockyou-hacked-some-30-million-passwords-in-the-wild-security/feed/</wfw:commentRss> <slash:comments>9</slash:comments> </item> <item><title>Password Recovery Questions Make Online Accounts Vulnerable</title><link>http://www.ghacks.net/2009/07/01/password-recovery-questions-make-online-accounts-vulnerable/</link> <comments>http://www.ghacks.net/2009/07/01/password-recovery-questions-make-online-accounts-vulnerable/#comments</comments> <pubDate>Wed, 01 Jul 2009 20:19:54 +0000</pubDate> <dc:creator>Martin Brinkmann</dc:creator> <category><![CDATA[Security]]></category> <category><![CDATA[The Web]]></category> <category><![CDATA[accounts]]></category> <category><![CDATA[Email]]></category> <category><![CDATA[online security]]></category> <category><![CDATA[password recovery]]></category> <category><![CDATA[password recovery questions]]></category> <category><![CDATA[passwords]]></category> <category><![CDATA[secret questions]]></category> <guid
isPermaLink="false">http://www.ghacks.net/?p=14058</guid> <description><![CDATA[Password recovery questions are great to recover a forgotten password in a matter of seconds. All that needs to be done is to answer the password recovery question to receive a new password in the email inbox. This does however make email hacking a profitable business as email accounts are usually connected to online stores [...]]]></description> <content:encoded><![CDATA[<p>Password recovery questions are great for recovering a forgotten password in a matter of seconds. All that needs to be done is to answer the password recovery question to receive a new password in the email inbox. This does, however, make email hacking a profitable business, as email accounts are usually connected to online stores and other web services. Attackers with access to a compromised email account only need to answer the secret question to retrieve the password of the web account. This method is still more secure than sending out the password without confirmation on the user&#8217;s request.</p><p>A recent <a
href="http://www.newscientist.com/article/dn17347-secret-questions-leave-accounts-vulnerable.html">study</a> shows, on the other hand, that password recovery questions are usually answered honestly. Questions about the birth town, mother&#8217;s maiden name or first pet&#8217;s name can sometimes be guessed easily. The study asked acquaintances of 32 webmail users to guess the answer to the secret question. Roughly 20% of these answers were guessed correctly.</p><p><span
id="more-14058"></span>Password recovery questions should therefore not be answered honestly. Experienced users fill them out with password-like characters, which makes the answers more or less impossible to guess. These answers can then be stored in password managers as notes.</p><p>How do you handle password recovery questions?</p> ]]></content:encoded> <wfw:commentRss>http://www.ghacks.net/2009/07/01/password-recovery-questions-make-online-accounts-vulnerable/feed/</wfw:commentRss> <slash:comments>10</slash:comments> </item> </channel> </rss>
