Security can be tricky

by Stubborn Mule on 27 October 2013 · 9 comments

Qantas has recently launched Qantas cash, a pre-paid Mastercard which you can charge up with cash in multiple currencies. The contemporary equivalent of traveller’s cheques, cards like this can be as convenient as a credit card with the added advantage of reducing the uncertainty associated with exchange rate volatility. If you have a rough idea of how much you will need in euro, you can charge up the card with euro at today’s exchange rate without having to worry about the Australian dollar dropping in value while you are half way through your trip.

As a Qantas frequent flyer account holder, I received a Qantas cash card in the mail and it seemed worth investigating. However after activating the card, my interest in the card itself was quickly displaced by disappointment in the insecure design of the Qantas cash website.

Computer security is not easy. It should be left to the experts. I am no expert myself, but I have listened to enough of the Security Now podcast to recognise poor security when I see it.

The first sign of trouble came with setting my password. The password had to be 6 to 8 characters long. A maximum of only 8 characters? The longer the password length, the more secure it is and 8 characters is far too short for a secure password.

Somewhat disconcerted, I pressed on, creating a password made up of 8 random characters. Random passwords are far more secure than real words (or even transparently modified “w0rd5”). They are also impossible to remember, but there are plenty of secure password storage tools (such as LastPass) that make that unnecessary.

Having set everything up, I was then prompted to log in. Unexpectedly, instead of being prompted to enter my password, I was asked to enter the “3rd, 4th and 5th character of the password”. Alarm bells started ringing. Quite apart from the irritation that this caused as it prevented LastPass from automatically filling in the password, it confirmed my initial fears that the website’s security model was flawed.

What I had realised was that Qantas servers must be storing passwords. For anyone unfamiliar with password security, this may seem blindingly obvious. If the servers don’t store the password, how can the website confirm you have entered the correct password when you log in?

In fact, there is a far more secure approach, which makes use of so-called “one-way functions”. A one-way function takes a string of characters (a password, for example) as input and produces a different string of characters as its output. The key feature of a one-way function is that it is extremely difficult to reverse the process: given the output, working out what the input must have been is computationally highly intensive. Applying a one-way function is also known as (cryptographic) “hashing”.

Armed with a good one-way function, instead of storing passwords, a web server can store a hash of the password*. Then, whenever a user enters a password, the website applies the one-way function and compares the result to its database. The password itself can be discarded immediately. The web server’s user database should only ever contain hashes of user passwords and never the “plain text” original version of the password.

While this approach to password storage is well-established practice in the security community, many corporate websites are not designed by security experts. Back in 2011, hackers were able to get hold of more than a million passwords from Sony which had been stored in plain text.

Unfortunately, it would appear that Qantas cash is not following best practice in its website security. If the site was only storing hashed passwords, it would be impossible for the site to verify whether users were correctly entering the 3rd, 4th and 5th character of the password. Taking a password hash and trying to determine individual characters of the original password is just as difficult as reverse engineering the whole password.**

I then called Qantas cash to seek clarification. I was assured that all passwords were “encrypted” using the same security techniques that any other commercial website, such as Amazon, would use. Furthermore, the requirement to enter individual characters of the password was an additional security measure to prevent users from copying and pasting passwords.

This did not reassure me. Even if the passwords are encrypted, the Qantas cash server itself clearly has the capability of decrypting the passwords, which makes it just as vulnerable as Sony. I am also sure that Amazon does not use this approach. And preventing copying and pasting is a furphy. By preventing users from using secure password stores, this approach simply encourages the use of weaker passwords.

The Qantas cash developers may think they have come up with some excellent security features. But these developers are clearly not experts in security and, as a result, have produced a far less secure site. The call centre promised that the technical team would email me more details of the site’s security. My hopes are not high.

Needless to say, I will not be using the Qantas cash card. This is an e-commerce site, not a movie chat forum. When money is involved, security should be paramount.

Keep your eyes open for news about a Qantas cash website hack.

* Strictly speaking, a “salted hash” should be stored to add an additional layer of security and protect against the use of rainbow tables.

** In principle, Qantas could store hashes of three character combinations (56 hashes would have to be stored or 336 if order is significant). In practice I doubt this is being done.
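As an added illustration (not code from the post or from Qantas), the snippet below shows the salted-hash storage described above beside the footnote’s alternative: one hash per three-character position subset, which for an 8-character password comes to the 56 entries mentioned. The password, salt and position tuples are constructed sample values; PBKDF2-HMAC-SHA256 is the assumed one-way function.

```python
import hashlib
import hmac
import os
from itertools import combinations
from typing import Optional

ITERATIONS = 100_000  # work factor: slows guessing against a leaked hash database


def hash_password(password: str, salt: Optional[bytes] = None,
                  iterations: int = ITERATIONS) -> tuple:
    """Salted, iterated one-way function (PBKDF2-HMAC-SHA256).

    Only (salt, digest) is kept; the plain-text password is discarded.
    """
    if salt is None:
        salt = os.urandom(16)  # per-user random salt defeats precomputed rainbow tables
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return salt, digest


def verify_password(candidate: str, salt: bytes, digest: bytes,
                    iterations: int = ITERATIONS) -> bool:
    """Re-apply the one-way function to the candidate and compare in constant time."""
    _, candidate_digest = hash_password(candidate, salt, iterations)
    return hmac.compare_digest(candidate_digest, digest)


def store_partial_hashes(password: str, picked: int = 3,
                         iterations: int = ITERATIONS) -> dict:
    """Footnote ** scheme: one salted hash per ascending position subset.

    For 8 characters and 3 prompted positions that is C(8,3) = 56 entries.
    Each entry covers only `picked` characters, so each is far weaker than a
    hash of the whole password.
    """
    store = {}
    for positions in combinations(range(len(password)), picked):
        fragment = "".join(password[i] for i in positions)
        store[positions] = hash_password(fragment, iterations=iterations)
    return store


def verify_partial(store: dict, positions: tuple, chars: str,
                   iterations: int = ITERATIONS) -> bool:
    """Check prompted characters (0-based positions; (2, 3, 4) = 3rd, 4th, 5th)."""
    pairs = sorted(zip(positions, chars))  # normalise to ascending position order
    key = tuple(p for p, _ in pairs)
    if key not in store:
        return False
    salt, digest = store[key]
    return verify_password("".join(c for _, c in pairs), salt, digest, iterations)
```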


1 Simon October 28, 2013 at 8:22 am

At least Qantas didn’t send you back your password over the internet.
http://plaintextoffenders.com/
Or did they do that as well?

2 Stubborn Mule October 28, 2013 at 8:48 am

@Simon fortunately they haven’t gone that far (yet!).

3 Scott Murray October 28, 2013 at 1:26 pm

Your assumption is not correct that Qantas cannot be using one-way functions.

They could have calculated all possible three letter subsets of your password and saved all those in a one way function and then discarded your password. For an 8 letter password there are only 56 such 3 letter combinations.

The reason why the 3 letter combos are used by some sites is because it protects against key stroke loggers.

I also use LastPass but I don’t trust LastPass with my most important passwords (e.g. bank, share trading accounts).

Tools like LastPass are not a panacea.

Long passwords randomized are not a panacea as people then can’t remember them and have to write them down or save them in tools like LastPass.

Making people change their passwords regularly is not a panacea as it also makes it more likely people will then have to write them down as they can never remember them.

My least worst solution is LastPass for sites that can at worst lead to someone buying something on my credit card (e.g. amazon), with the 2 factor option (using Google Authenticator). Credit card providers have pretty strict rules for dispute handling and so as long as you dispute it early you are not out of pocket.

And for real money stuff (e.g. bank accounts) I use an encrypted file stored on my PC that contains password clues, but not outright passwords.

4 Stubborn Mule October 28, 2013 at 3:21 pm

@Scott you are correct. It is logically possible that the servers are storing hashes for all the character combinations (I am not sure yet whether you can be prompted for, say “4th, 2nd and 6th character” which would increase the requirement to 336!). I do, however, think that it is unlikely in practice. When I spoke to Qantas, they said they “encrypted the password” not the character combinations. I have not yet received further details from their technical team, but I will post the results if it turns out the character combinations are being hashed.

5 Stubborn Mule October 28, 2013 at 3:26 pm

@Scott I have also added a footnote to cover your observation.

6 Scott Murray October 28, 2013 at 3:56 pm

Ta. I would be surprised if Qantas will give you the details of their security model (but good on you for trying to find out).

As a developer who’s worked in similar companies I can see your request being forwarded to some manager to approve the release of the details and never being signed off.

BTW I know several UK banks and credit card companies that operate the ‘enter 2 or 3 characters of your password’ model.

7 Stubborn Mule October 28, 2013 at 7:20 pm

@Scott your surprise is well-founded! I received an email from Qantas but there was no detail at all. I’ve asked some follow up questions and will post an update in the next day or so.

8 Stubborn Mule November 9, 2013 at 8:56 pm

@Scott: I tried to find out whether Qantas was hashing individual letter combinations. Their response:

Thank you for your email. Your previous question has been queried with our technical team. They have advised that we cannot discuss in any depth the security protocols and practices of our products.

I am more convinced than ever that their security is dodgy!
