this post was submitted on 05 Apr 2024
12 points (100.0% liked)

Security

646 readers
5 users here now

A community for discussion about cybersecurity, hacking, cybersecurity news, exploits, bounties etc.

Rules :

  1. All instance-wide rules apply.
  2. Keep it totally legal.
  3. Remember the human, be civil.
  4. Be helpful, don't be rude.

Icon base by Delapouite under CC BY 3.0 with modifications to add a gradient

founded 1 year ago
MODERATORS
[email protected]
12
Fidelity and passwords via T9 (self.security)
submitted 7 months ago* (last edited 7 months ago) by csm10495 to c/[email protected]
3 comments fedilink hide all child comments
 

Anyone here use fidelity (https://www.fidelity.com/)? I had to call to get something done with my account and thought it was weird that they have you (more/less) T9 dial your password into the system, though its not real T9 in that (for example) one press of 2 would mean either a,A,b,B,c,C,2. They say for special characters just give a * sign.

Any thoughts on if that is safe on their part? It seems weird to me since they either need the password in plaintext on their end or I guess the hash of the T9 version of the password which would be less secure anyways because of: all one case and only one type of 'special character'.

And yes: before you ask this was 100% the actual fidelity phone number: +1 800-343-3548

In their defense they did ask for other verification information once I got a person, but still felt really weird.

Any thoughts on the security of this mechanism?

you are viewing a single comment's thread
view the rest of the comments
[โ€“] [email protected] 1 points 7 months ago (1 children)

It certainly reduces the search space for a brute-force attack, but presumably they have some kind of mitigation like locking access after a few attempts.

Personally, I use long and complex passwords, so I would have just mashed buttons until it gave me a person. Or used the chat support on their site, if available.

[โ€“] csm10495 1 points 7 months ago

I greatly prefer chat as well. In this case they told me the part of the site I needed was down and that I should call instead.