
There is a popular money transfer service built by Square, cash.me, that uses a peculiar login system:

  1. Enter your email address or phone number on the website.
  2. Receive a six-digit numeric temporary PIN via email or phone number
  3. Enter the PIN on the website
  4. If the PIN is correct, the user is logged in

After this, the user can view transaction history. If the user knows the CVV code for the saved debit card, they can even send money to another user (limited to a few hundred dollars).

While they have pretty aggressive rate limiting, this appears to be vulnerable to a distributed attack. While they claim that they will cover unauthorized charges, it seems like users' account information is not very secure. For a modern product released in 2011, does this make any sense, compared to a more traditional password-based approach?

user128907
  • Are there unlimited tries for the pin, i.e. unlimited both in number of tries and in time? – Steffen Ullrich Oct 27 '16 at 18:09
  • No. It is rate limited to five tries or so. – user128907 Oct 27 '16 at 18:15
  • Not enough info - I can't find anything about retries or key life. And without those, we can't do the math. Number of possible keys is obvious - 10^6. If it lasts 2 minutes and limits you to ten tries in that two minutes, well, that's pretty safe. If it lasts a week and you can run through a significant portion of the keyspace in that time, it isn't. – crovers Oct 27 '16 at 18:16
  • @user128907 If it is 5 tries, then the chance of any particular code being found is 0.0005% - which is pretty small. Assuming they can't harvest these transfers in bulk and try them, Square is probably right to consider this a reasonable risk. – crovers Oct 27 '16 at 18:20
  • Possible duplicate of [Is a 6 digit numerical password secure enough for online banking?](http://security.stackexchange.com/questions/124682/is-a-6-digit-numerical-password-secure-enough-for-online-banking) – Anders Oct 27 '16 at 21:27
  • @Anders Not a duplicate of [Is a 6 digit numerical password secure enough for online banking?](https://security.stackexchange.com/q/141133/2138) because that question is about a fixed six-digit password whereas this implies that the password is different for each time one logs in. – user Oct 28 '16 at 14:36
  • @MichaelKjörling Good point. I agree. My bad. – Anders Oct 28 '16 at 19:40

4 Answers

4

Depends on the attack vector

Some examples:

Hackers steal 45 million passwords. The six-digit PIN mechanism is immune to this sort of attack, because the PINs are generated on the fly and presumably have a short lifespan. There is nothing to steal.

How I'd hack your weak password. The six-digit PIN mechanism is immune to this sort of attack, because the user does not choose them, and they cannot be inferred from demographic information.

Brute force cracking. The six-digit PIN mechanism is not immune to this sort of attack, but the hacker only has a 1 in 1,000,000 chance of getting it right. Depending on the lockout mechanism that it uses, the hacker may have 3-5 chances, which still offers very poor odds.

On the other hand, you are in a less comfortable position if

  1. A hacker steals your email password
  2. A hacker steals your mobile phone
  3. A hacker is able to intercept your email because it was not sent securely
  4. A hacker is able to intercept your SMS, somehow....

There may be other, hidden security mechanisms

Payment processors tend to have additional security mechanisms that you can't even see. For example, your payment may end up going through a risk engine and will get blocked or sent to escalated auditing if it appears fraudulent (i.e. if someone is sending a lot of small transactions to one place, or if the IP address is in Syria, for example).

Who is at risk?

It may ease your mind to know that the security mechanisms in payment processors' sites are not so much there to protect you as they are to protect them. They are the ones who have to come up with the money if any of your funds are stolen. Your personal liability is limited to $50.

John Wu
3

The problem with SMS as an authentication factor is that there are a number of methods to subvert it. Firstly, there are a number of design flaws in the SS7 network that allow the spoofing and redirecting of SMS messages. Secondly, if your phone is compromised (e.g. malware apps), then your received messages can be leaked.

This paper (http://www.mulliner.org/collin/academic/publications/mulliner_dimva2013.pdf) published in 2013 goes into far more detail about the security problems with SMS.

Mind you, Square maintains a PCI-DSS level 1 certification that has various requirements for securing PII and CC data. That doesn't mitigate the vulnerabilities inherent in SMS, though.

Shackledtodesk
1

There are 1 million possibilities to form the right 6 digit pin considering they use the numbers from 0 to 9. So an attacker has a 0.000005% chance to guess the pin.

If login is made via mail or phone and the site doesn't ask for a password, then consider it as half of a two-factor authentication. So the attacker should crack the e-mail account or steal the phone.

Let's say that an account on this page is as secure as your e-mail account is or as your phone (physically) is.

Vini7
  • Is it worth considering that you could try guessing different accounts, using multiple IP addresses? After a couple hundred thousand attempts, you would gain access to an account. I guess I'm wondering if this scheme would be considered a best practice, when certain threats could easily be remedied by using regular non-temporary passwords. – user128907 Oct 27 '16 at 20:09
  • Let's say you guessed my email address, you still need my email password to receive the 6 digit pin. – Vini7 Oct 27 '16 at 20:17
  • @Vini7 I don't need to guess *your* email address or your email password - if I happen to guess a million valid email addresses, request a pin for all of them from spoofed IP addresses, and every time claim that the PIN was 986123 without knowing the real PIN, then I'd have (on average) obtained one valid account. However, it's reasonably secure if doing that is not sufficient for any monetary gain and additional things are required for any further actions (e.g. knowing the card CVV). – Peteris Oct 27 '16 at 20:35
1

If the six digit number had just been an ordinary password it would have been horrible - you could easily brute force those hashes. But now it is a one time token. So basically what you have is what is usually the second factor as the only factor. Is that enough?

You have a million different possible numbers. As long as you can protect from brute forcing, the chance of someone guessing a number is very small. But how good can your brute force protection be?

You could easily block brute force attempts on one account and from one IP. But an attacker using a range of IPs (e.g. from a botnet) attacking accounts at random would be able to get in somewhere. If you make three guesses per IP from 1000 IPs every day for a year, you would have a million guesses. More advanced heuristics could probably catch some attacks of that kind, but I would not bet my money on being able to prevent all attacks of that kind.

So is it safe enough? I would say it depends on what you are trying to protect. Hacking a random person's social media profile is not fun enough for someone to go through all this trouble - there you want to hack a specific account. Hacking a random bank account, on the other hand, might be worth the effort...

Anders
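As an added example (not code from the question, from Square, or from any of the answers above), the following Python puts numbers on the distributed attack raised in Peteris's comment and in the last answer, and shows the kind of server-side attempt cap those posts assume. The `OtpService` name, the five-attempt and five-minute defaults, and the `victimN@example.invalid` account names are assumptions for illustration; the simulation is constructed and does not model any real rate limiter.

```python
"""Added example: what a blind, distributed attack on a six-digit one-time PIN
buys an attacker, and what a per-PIN attempt cap does (and does not) stop.
All names and parameters are illustrative assumptions, not Square's design."""
import hmac
import random
import secrets
import time

KEYSPACE = 10**6  # six decimal digits, 000000..999999


def p_guess_one_account(tries: int, keyspace: int = KEYSPACE) -> float:
    """Probability that `tries` distinct guesses hit one account's current PIN."""
    return min(tries, keyspace) / keyspace


def p_at_least_one(accounts: int, tries_per_account: int, keyspace: int = KEYSPACE) -> float:
    """Probability that an attacker spending `tries_per_account` guesses on each of
    `accounts` independent accounts gets into at least one of them."""
    p = p_guess_one_account(tries_per_account, keyspace)
    return 1.0 - (1.0 - p) ** accounts


def expected_hits(accounts: int, tries_per_account: int, keyspace: int = KEYSPACE) -> float:
    """Expected number of compromised accounts for the same attack."""
    return accounts * p_guess_one_account(tries_per_account, keyspace)


class OtpService:
    """Server side of the login flow: issue a random PIN, accept it at most once,
    and refuse further guesses once the attempt budget or lifetime is spent."""

    def __init__(self, max_attempts=5, ttl_seconds=300.0, keyspace=KEYSPACE,
                 clock=time.monotonic, randbelow=secrets.randbelow):
        self.max_attempts = max_attempts
        self.ttl = ttl_seconds
        self.keyspace = keyspace
        self.width = len(str(keyspace - 1))  # zero-pad so 000042 is a valid PIN
        self.clock = clock
        self.randbelow = randbelow           # CSPRNG by default; injectable for tests
        self._issued = {}                    # account -> [pin, expires_at, attempts_left]

    def issue(self, account: str) -> str:
        pin = f"{self.randbelow(self.keyspace):0{self.width}d}"
        self._issued[account] = [pin, self.clock() + self.ttl, self.max_attempts]
        return pin  # delivered to the user out of band, never to whoever calls verify()

    def verify(self, account: str, guess: str) -> bool:
        rec = self._issued.get(account)
        if rec is None:
            return False
        pin, expires_at, attempts_left = rec
        if self.clock() > expires_at or attempts_left <= 0:
            del self._issued[account]
            return False
        rec[2] = attempts_left - 1
        ok = hmac.compare_digest(pin.encode(), guess.encode())  # constant-time compare
        if ok or rec[2] == 0:
            del self._issued[account]  # single use; a burned PIN cannot be retried
        return ok


def simulate_distributed_attack(accounts: int, tries_per_account: int,
                                keyspace: int = KEYSPACE, seed: int = 0) -> int:
    """Constructed simulation of the attack from the comments: the attacker requests
    a PIN for many distinct accounts and blindly submits `tries_per_account` guesses
    per account. The per-account cap is never exceeded, so per-account lockout does
    not fire; only the aggregate volume of requests is left to limit the attacker.
    Returns the number of accounts compromised."""
    rng = random.Random(seed)  # deterministic stand-in for the CSPRNG, for repeatability
    svc = OtpService(max_attempts=tries_per_account, keyspace=keyspace,
                     randbelow=rng.randrange)
    hits = 0
    for i in range(accounts):
        account = f"victim{i}@example.invalid"   # constructed account names
        svc.issue(account)                        # the real PIN goes to the victim
        for _ in range(tries_per_account):
            if svc.verify(account, f"{rng.randrange(keyspace):0{svc.width}d}"):
                hits += 1
                break
    return hits


if __name__ == "__main__":
    # Peteris's scenario: one guess against each of a million accounts.
    print(f"expected hits: {expected_hits(10**6, 1):.2f}, "
          f"P(at least one): {p_at_least_one(10**6, 1):.3f}")
    # Anders's scenario: 3 guesses per IP from 1000 IPs, every day for a year.
    print(f"expected hits: {expected_hits(1000 * 365, 3):.2f}")
    # Shrunken keyspace so the simulation shows the effect in a second or two.
    print(f"simulated hits (2-digit PIN, 10k accounts): "
          f"{simulate_distributed_attack(10_000, 1, keyspace=100)}")
```

The point the arithmetic makes is the one in the thread: a per-account attempt cap bounds the attacker to `tries_per_account / keyspace` per account, but says nothing about how many accounts they may try, so the expected yield grows linearly with the number of PIN requests the service accepts. Anything that caps aggregate PIN issuance (per source network, per time window, or globally) is what actually bounds `accounts` in the formula; the per-account lockout alone does not.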