It’s not without worry that I log into my online account with the Bank of Montreal. My password is a mere six characters long, no symbols or special characters allowed. It’s not exactly the sort of password I’ve been conditioned to think is secure.
By the standards of most online services it’s certainly not: Google and Twitter tell me that I should use a mix of numbers, symbols and uppercase and lowercase letters, at least 8-10 characters long. I can even set up two-step verification, which requires that I log in with my usual password, and then use a second one-time password that’s sent to my phone.
Tangerine, much like BMO, also has a six-character limit – numbers only, no letters and no special symbols allowed. So how is it that such short, limited passwords square with today’s oft-repeated advice that lengthier passwords are inherently more secure?
If you care about security, the answer is disappointing. Online banking, it turns out, is a delicate balancing act between security and usability – for better and for worse. Canadian banks are reluctant to make things too complex at the expense of ease of use. And it’s a conscious decision, too.
“The banks are doing a very sophisticated tradeoff about how much security they want to pay for to keep the losses down to a level they can manage. And that balance survives until some clever criminal comes along and they take a really big hit and things change,” says David Skillicorn, a professor at Queen’s University’s School of Computing.
“The reason the banks are happy ultimately is they’re willing to take the hit when people get stuck with losses.”
Tangerine and BMO, like all Canadian banks, employ intrusion and fraud detection systems, whereby an account is locked down if a password is entered incorrectly too many times. And there are secondary layers of verification questions to test users too – say, when logging in from an unrecognized computer or from a new location.
“You can sometimes get away with requiring an easier password if you have these sort of reaction systems in place,” says Deepa Kundur, a professor at the University of Toronto’s Department of Electrical and Computer Engineering.
But security questions – which, in many cases, must be selected from a pre-determined list – aren’t as much of a deterrent as people might think. And what if an attacker is able to compromise a bank’s password database, even if it is encrypted? Brute-force techniques – by which an attacker systematically tries all possible passwords or keys until the correct one is found – take much less time the shorter a password is, especially if no symbols or case-sensitive letters are used.
Nevertheless, Canadian banks claim that their systems are secure.
“We strongly believe that a 20 to 40 character upper case, lower case, special character password wouldn’t add that much of a higher level of security than what is there today,” said Tangerine’s chief information officer Charaka Kithulegoda in an interview.
“If you look at [length] in isolation, I absolutely agree,” he later added. “But you can’t look at it in isolation. You have to look at all the other components involved in it.”
The practices of Canada’s other major banks vary, confusingly so:
- Toronto-Dominion Bank allows case sensitive 8-32 character passwords with special characters.
- Royal Bank of Canada also allows 8-32 character passwords with special characters, but isn’t case sensitive.
- Canadian Imperial Bank of Commerce and President’s Choice Financial, however, both allow case sensitive 6-12 character alphanumeric passwords, but no special characters.
- Bank of Nova Scotia’s passwords are 8-16 characters in length, aren’t case sensitive, and can’t include special characters.
According to a statement from Scotiabank: “This is based on the fact that security benefits are not materially higher after 16 characters, while the likelihood of users forgetting increases as password length increases.”
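To put numbers on the brute-force point and on the policies listed above, here is an added Python example; it is not part of the original article or any bank's code. It assumes passwords chosen uniformly at random at each policy's minimum length, a 32-character symbol set, a lockout after five wrong attempts and an offline rate of one billion guesses per second, none of which are figures from the banks.

```python
import math

DIGITS, LOWER, UPPER = 10, 26, 26
SYMBOLS = 32  # assumption: the ASCII punctuation set; banks do not publish theirs

# name: (min length, max length, alphabet size), taken from the list above.
# Policies that are not case sensitive count letters once.
POLICIES = {
    "Tangerine": (6, 6, DIGITS),
    "CIBC / PC Financial": (6, 12, DIGITS + LOWER + UPPER),
    "Scotiabank": (8, 16, DIGITS + LOWER),
    "RBC": (8, 32, DIGITS + LOWER + SYMBOLS),
    "TD": (8, 32, DIGITS + LOWER + UPPER + SYMBOLS),
}

LOCKOUT_ATTEMPTS = 5  # assumed; the article only says "too many times"
OFFLINE_RATE = 1e9    # assumed guesses per second against a stolen database


def keyspace(min_len, max_len, alphabet):
    """Number of distinct passwords a policy permits."""
    return sum(alphabet ** n for n in range(min_len, max_len + 1))


def floor_keyspace(name):
    """Keyspace at the minimum length, where many users will sit."""
    min_len, _, alphabet = POLICIES[name]
    return keyspace(min_len, min_len, alphabet)


def online_success(space, attempts=LOCKOUT_ATTEMPTS):
    """Chance of guessing a uniformly random password before lockout."""
    return min(1.0, attempts / space)


def offline_seconds(space, rate=OFFLINE_RATE):
    """Worst-case time to exhaust the space once lockout no longer applies."""
    return space / rate


def report():
    """Rows of (name, bits, online success, offline seconds), weakest first."""
    rows = []
    for name in POLICIES:
        s = floor_keyspace(name)
        rows.append((name, math.log2(s), online_success(s), offline_seconds(s)))
    return sorted(rows, key=lambda r: r[1])


if __name__ == "__main__":
    for name, bits, p_online, secs in report():
        print(f"{name:20s} {bits:5.1f} bits  online {p_online:.1e}  offline {secs:.3g} s")
```

Under these assumptions the lockout keeps online guessing at long odds even for a six-digit password, while the same password offers almost no resistance once an attacker can guess offline, which is the case where length and alphabet matter.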
And what about two-step or two-factor verification? I can enable this feature on my Twitter, Facebook and Google accounts, so why not my bank? A statement from TD only says security standards and protection layers “may vary based on a number of risk factors,” while RBC “does not use two-factor authentication for several reasons, including a positive client experience.”
Two-step verification is not currently offered to personal or consumer customers by any Canadian bank.
“One of the design rules for passwords is it should be very difficult to guess. But one of the contradictory rules for creating a security system is it should not hinder usability,” Mr. Kundur says.
“Whether they should implement a particular security control, as they call it, really depends on whether the cost of that mechanism is below the cost of addressing the increase in intrusions because of the lack of that mechanism. Unless there’s also legislation that tells them they have to have a minimum level of security.”
And in Canada, there is no such security legislation.
PIPEDA – Canada’s Personal Information Protection and Electronic Documents Act – only says that “personal information shall be protected by security safeguards appropriate to the sensitivity of the information,” which includes, for example, “the use of passwords and encryption.”
The Office of the Superintendent of Financial Institutions issued its “Cyber Security Self-Assessment Guidance,” a template for financial institutions to evaluate their current level of preparedness, in late October last year. However, the document does not call for specific standards or requirements, but offers more general guidelines – for example, that a financial institution “has sufficient number of skilled staff for the management of cyber security” – and it says “OSFI does not currently plan to establish specific guidance for the control and management of cyber risk.”
And while a Financial Consumer Protection Framework is currently being developed by the Department of Finance, John Lawford, executive director and general counsel of the Public Interest Advocacy Centre (PIAC) in Ottawa, says there are currently no specific security guidelines contained within.
“Each bank would decide how best to protect their customers when they are banking online or through any other method,” said Kate Payne, who is a spokesperson for the Canadian Bankers Association, which isn’t a regulator, and doesn’t set out guidelines for banks to follow.
In the event of unauthorized activity or a breach, each of Canada’s major banks has an online banking guarantee, wherein a customer will be fully reimbursed for financial losses – and the unlikeliness of that guarantee being invoked is key. After all, intrusions due to password length and login security aren’t banks’ biggest concerns, not when malware, phishing and password re-use are so commonplace.
Longer or more complex passwords certainly won’t thwart those types of attacks – but two-step verification will. That might make banking too complex for some, but that doesn’t mean the option for those who want it can’t be there. Because as it stands, I have more faith in the protection of my pithy tweets than that of my RRSPs.