
Schwab password policies and two factor authentication - jeremyt
http://www.jeremytunnell.com/posts/swab-password-policies-and-two-factor-authentication-a-comedy-of-errors
======
cddotdotslash
I just called Schwab about this, and hand to whatever deity you believe in,
this is what he told me:

Representative: "One of the things we were trying to do with these passwords
was make them different from other providers. So we know that they allow
multiple character types, and are case-sensitive, so we decided to make them
different. That way, you can't use the same password you've used elsewhere and
it kind of forces you to come up with a new one."

Me: "...that is... I can't even explain how terrible that is."

Representative: "Well, Schwab does care about your security and as far as the
8-character limitation goes, the reason you can enter any arbitrary text
afterwards is so that if someone is looking over your shoulder they can't tell
that it only accepts 8."

Points for thinking on his feet?

~~~
darken
This justification actually makes some sense to me (Software engineer familiar
with crypto.)

If an attacker already has access to the password hashes, then yes, they can
brute force any 8 character case-insensitive password easily.

However, a brute force "try to login to their site" attack isn't feasible
without hitting a rate limit or alarm: (26+10)^8 = 2.8*10^12 is still a lot of
attempts to login to an account.

The weakness to this model is the password. It is easiest to guess your
password if it was the same one on your Sony account (i.e. leaked). However,
if you're forced to pick a unique password just for Schwab, it's immune from
the most common [citation needed] attack on passwords. Also, it makes the
Schwab password useless for hacking other databases, making user passwords a
less valuable target for hackers.

If the tradeoffs are worth it: I have no idea, but it's not without merits. I
personally like using a password manager with 2-factor authentication and
generating all new random PWs for my accounts. I generally don't use more than
8-character passwords, since they're isolated from each other anyways. I would
be negligibly less secure using this with Schwab's constraints than other
sites, as the security lies in isolating passwords. (I use
[https://lastpass.com/](https://lastpass.com/))

~~~
bdhe
_However, if you're forced to pick a unique password just for Schwab, it's
immune from the most common [citation needed] attack on passwords. Also, it
makes the Schwab password useless for hacking other databases, making user
passwords a less valuable target for hackers._

I'll give you points for honesty on the [citation needed], but your entire
argument hinges on this point and there's no a priori reason to follow your
assumption.

Moreover, your idea of each website having a unique set of constraints to
force unique passwords scales horribly from a user perspective.

10/10 for a devil's advocate answer.

------
kevinburke
I had pretty much the same experience with Virgin Mobile last year (passwords
limited to 6 digits, no brute force protection). I finally told the guy I got
escalated to that if they didn't do anything I'd call the NY Times,
Consumerist, Gawker, CNET, Ars, etc and tell them about it.

They didn't do anything, so I sent around the article and pretty much every
publication I sent it to ran with it. After that they took down the login page
for about nine hours and brought it back up with brute force protection.

[https://kev.inburke.com/kevin/open-season-on-virgin-mobile-c...](https://kev.inburke.com/kevin/open-season-on-virgin-mobile-customer-data/)

~~~
dmix
Hmm, this might motivate me to take my complaining about security beyond
twitter.

------
userbinator
_To activate my newly received token, I was instructed to go to the homepage
and append the six digit token code onto the end of my password during a login
attempt._

This sounds like a symptom of the multilayered bureaucracy that often goes on
in banks and similar institutions - a change to the UI to add something as
simple as an extra field for the token code, and the changes required to hook
it up to the backend, might have been accompanied by so much "enterprisey"
management red-tape cruft (specification writing, approval documents, approval
meetings, meetings for scheduling meetings - I wish I was joking, etc.) that
it made the programmers find creative ways around the system.

At the least, if I were forced to concatenate fields, I'd use a separator that
couldn't occur in either one, like a comma or something else that their
password policy didn't allow... but then again, I wouldn't be surprised if
something else in their system would reject that.

------
ufmace
I've been coming to an opinion on these issues that may be unpopular with the
tech crowd: The big banks have the right idea when it comes to security, and
we are misguided at best with our obsession over the minutia of password
handling.

Why? All of these big banks and investment houses have holdings in the
neighborhood of billions of dollars. Like billions in actual cash. If they are
so vulnerable and insecure, why aren't all of the hackers targeting them, with
their potential upside of billions of dollars in cash, and instead target
little web apps to steal some credit card numbers or user data, worth tens of
thousands to maybe a few million on black markets? Think about how much effort
we've seen put towards stealing cool Twitter handles and other such trivial
things. Does anybody really believe that there aren't many more people working
much harder to hack banks, with their billion dollar paydays?

They may not be the greatest on password handling, but the evidence suggests
that they have a much more healthy security culture overall than your average
internet startup. Apparently, they are worlds better at making their systems
secure enough that nobody can steal these user databases in the first place.
They most likely also have a pile of fraud detection and validation on account
activity, especially anything involving moving significant amounts of money
out of the accounts. They are probably in the right on this - what's the point
in building a perfect lock for the front door if, once an attacker gets in,
they can transfer the whole balance to a Russian bank and nobody will notice?
Consider how, with some well-publicized recent hacks, you can apparently do
anything at all once you get through that front door at most major tech
companies.

I'll happily change my tune if any of these banks get hacked and lose big
money. Until then, maybe we should ask these banks how they get it so right
overall instead of worrying and hassling them about how long their passwords
are and how they're storing them.

~~~
brianpgordon
Did you finish the article? At the end the author claims that their two-factor
authentication can be defeated by appending extra characters to your password.
In other words, they have no two-factor authentication. This isn't a matter of
differing points of view, this is objectively awful.

With computer security, you _have_ to obsess over the minutia because a single
vulnerability is all it takes to defeat the system.

~~~
ufmace
I did, and that is a pretty epic screwup. But in the end, it seems that the
cost of them screwing that up, aside from maybe a few techies cancelling their
accounts, is zero.

I'd say that more than obsessing over the minutia, you have to obsess over the
entirety of the system as used in practice, of which the authentication system
is only a small part. I don't know finance that well so I'm kinda spitballing
here, but stuff like exactly how the system that approves transactions
actually communicates with the systems authorized to actually move money, what
types of transactions are allowed and to where, what kind of checking is done
against various transaction types, how to correlate to the user's activity
history. If a user normally connects from Atlanta and uses an online billpay
system to send checks to a handful of companies, be very suspicious and
probably flag and review the transaction if somebody suddenly logs in from a
different address and requests a wire transaction to a foreign bank, etc.

The evidence (lack of constant ripoffs) suggests that they are quite good
indeed at obsessing over the minutia of the rest of the system. This allows
them to get away with authentication practices that are, depending on your
point of view, somewhere between actively awful and bending over well past
backwards to make things simpler and less error-prone for unsophisticated
users. Got any idea how many users with 7-figure or more account balances
still want to login on their flip-phones, bank online with IE6 on WinXP, use
their account even after they epically screw up their password or their TFA
key, etc? Neither do I, but I bet it's a lot higher than any of us would like.

------
paulschreiber
After receiving unsatisfactory responses from my local Schwab rep here in New
York and the customer service staff, I complained to Schwab's CISO, Bashar
Abouseido <bashar.abouseido@schwab.com>, on September 1.

He never replied.

~~~
willis77
Ahh, but he only reads the first eight letters, so all he got from your email
was "Greeting"

~~~
Khao
it was either GREETING or greeting since it's case-insensitive

------
mariusz331
I've been using Schwab for almost 5 years and haven't noticed the password
limitation until about 2 years ago. My password is pretty lengthy, so when I
mistyped the last letter and pressed enter, I expected an error message.
Instead, Schwab logged me in. I investigated a bit and ended up contacting
Schwab about the "vulnerability". I remember someone quite high up responding
saying they were aware of the length limit but that they lock you out after 3
failed password attempts. I didn't validate the claim, but I felt content and
moved on.

~~~
Glyptodon
I had a similar experience with Southwest Airlines. They limit their passwords
to something absurdly short, and it turned out I'd never noticed - I always
typed what I thought was the password, but it was actually ignoring all of it
but the first 8 characters even though I typed more in every time. I don't
think it's quite as bad as Schwab, but I don't understand why doing passwords
so wrong is so widespread.

------
greggarious
I pointed this out to them over a year ago:
[http://norcie.com/2013/09/01/schwab-unsafe/](http://norcie.com/2013/09/01/schwab-unsafe/)

I went so far as to get in contact with senior staff members at Schwab to
alert them to the issue, and got a pretty condescending response.

I mentioned it to a friend at a burrito truck outside the Mozilla office, and
soon found out it was a top post on /r/personalfinance.

I got a call from Schwab shortly after that. But the rep I talked to just said
they were "working on" allowing more characters in the password.

I must say though, this post does a great job detailing their 2F solution. I
never set it up since it seemed like wearing a fishnet condom given the rest
of their security, so I never got to see how bad it is.

------
modeless
I filed a support ticket about the password length. They told me it was due to
"government standards" and they would reevaluate after a new standard came
out. I didn't inquire further into this obvious BS. They provide a good
service otherwise so it's strange that they have this blind spot.

~~~
ryan-c
The modern government standard for classified systems is 15 characters
minimum.

~~~
jcrawfordor
My guess would be that by "government standards" they were referring to
PCI-DSS (actually an industry group standard), which in the current version
requires passwords of at least 7 characters and with at least letters and
numbers (PCI-DSS v3.0 8.2.3).

...However, the standard explicitly permits any other password requirement of
the same or greater entropy.

...However, these requirements do not apply to consumer accounts at all (!).
As far as I can tell, PCI-DSS actually has no requirements whatsoever for
safeguarding of consumer user accounts. The more you know, the more you worry.

------
tuzakey
It may be much worse than you think. Another large brokerage company I know of
has similar password requirements. They also have a phone banking system, to
use it you have to touch tone in your password. On a whim I tried entering the
keypad version of my password on the website and surprise! it worked. Luckily
for me there is zero customer liability for fraud on their retirement
accounts.

------
einhverfr
Having worked on some major financial web sites (globally), including password
code, I can say a few things that may be relevant.

The thing is, you never get a sense of how bad legacy code can be at
restricting options in reforming sanity until you have worked on such sites.

It took me about 5 months to restore sanity to one codebase with a bunch of
problems regarding encryption and passwords. Fortunately security was a
priority, and not just security checkboxes in PCI requirements but real
security. But it wasn't cheap and it wasn't easy, and we ran into a lot of
unpleasant surprises along the way.

Looking at this, the chance is that you have tons of legacy code, and these fit
together in not very nice ways. People are afraid to change things because of
PCI requirements, security scan results, etc. And the cost of fixing things may
be very high. In these cases, I can imagine a "don't rock the boat" mentality
developing and a large part of security-critical code becoming effectively
untouchable.

------
mdaniel
> I've never, ever seen this "append stuff onto your password" approach being
> used.

Then he doesn't have an eBay or PayPal token, because they both do it. Or
rather, it is _an option_ to do it that way, in order to skip over the
"submit, enter token, submit" workflow.

[https://www.paypal.com/us/webapps/helpcenter/helphub/article...](https://www.paypal.com/us/webapps/helpcenter/helphub/article/?solutionId=FAQ2357#helpcenter_article_content)

~~~
McGlockenshire
It's worth noting that some of the two-factor systems that integrate with
RADIUS also use this same method, where you can't control how the end system
prompts users to authenticate.

------
deet
Not that this is an excuse, but keep in mind that Schwab probably has had the
mentality that a compromise of a user's online account, while bad, is not the
end of the world.

They have been frustratingly slow in implementing features like linking
external bank accounts using trial deposits instead of mailing them a voided
check from the external account.

Their slowness to adopt these new features has meant that if you got access to
the online account, there wasn't much you could do as a third party that moved
money out of the already linked accounts of the victim. You could cause
headaches or buy/sell securities but not access the money easily. And if you
did link an account or add a biller the victim would get an email.

Things have probably changed recently since I think you can link external
accounts now, and there's probably a way to send yourself a check as a bill
payment.

Totally not an excuse though.

Note:

I was fooled by the password length as well. Sometimes I would hit what I
_thought_ was the wrong last few letters on my phone keyboard yet the password
would still work somehow. Turns out you can just type the first eight and be
done.

~~~
PhantomGremlin
> Schwab probably has had the mentality that a compromise of a user's online
> account, while bad, is not the end of the world

Hmmm. Where have we heard that before? Yes, Sony!!! There's probably a better
link but here is the first one I found:[1]

    Back in 2007, Jason Spaltro, then the executive
    director of information security at Sony Pictures
    Entertainment, was shockingly cavalier about
    security in an interview with CIO Magazine.
    He said it was a “valid business decision to
    accept the risk” of a security breach, and that
    he wouldn’t invest $10 million to avoid a
    possible $1 million loss.

Has anyone heard recently about how that's working out for them? :)

[1] [http://fusion.net/story/31469/sony-pictures-hack-was-a-long-...](http://fusion.net/story/31469/sony-pictures-hack-was-a-long-time-coming-say-former-employees/)

------
elsewhen
Schwab offers security protection with all accounts:

[http://www.schwab.com/public/schwab/nn/legal_compliance/schw...](http://www.schwab.com/public/schwab/nn/legal_compliance/schwabsafe/security_guarantee.html)

When payouts on this security guarantee begin to become a meaningful burden, I
am sure Schwab will improve their security practices.

------
polarix
Yeah, this flow is completely nuts. After setting up 2fac, in general, though,
the thing to do is probably test that you can't log in without it.

------
codementum
Like many others, I just filed a support ticket as well. I'd like one of two
outcomes: 1. A public response and plan from Schwab, or 2. An alternative
bank/brokerage company that a) takes security seriously and b) is easy to move
to.

~~~
ladelfa
Here's how my rep replied to my email today:

"Schwab takes online security very seriously, and all clients are protected
against fraud with our SchwabSafe guarantee. This guarantee is available to
review online at www.schwab.com/schwabsafe.

"I reviewed the website you referenced in your email, but this is well outside
my area of expertise. To discuss these items, I would suggest you contact our
Technology Support Group at the Help Desk. Their number is 800-433-9196."

Uh, no. I'm not going to sit on the phone waiting to tell your Help Desk about
why they shouldn't store my password in their DB; that's your fuckin job. I'm
much more inclined to spend that hour and a half moving my accounts somewhere
secure.

------
michaelfeathers
Banks aren't technology companies. Someday a technology company will become a
bank.

~~~
personZ
[http://www.businessinsider.com/bank-it-spending-2012-12](http://www.businessinsider.com/bank-it-spending-2012-12)

The banking system functions largely on the choice, application and
integration of technology, and banking is more of a technology business than
just about any other. And let's be fair here - Schwab is not a bank, and even
among investment firms is an outlier with the noted bad practices.

~~~
michaelfeathers
> banking is more of a technology business than just about any other.

They don't behave like Google or Facebook. Their DNA is not technical.

~~~
personZ
Yet they behave like Microsoft, or IBM, or HP. And those are unquestionably
technology businesses.

------
tootie
We need some sort of internet security reformation. This is even more
ridiculous than when the Chase mobile banking app for Android didn't check if
SSL certs were authentic before sending credentials.

------
jdeibele
Thanks for calling attention to this. I've been frustrated by it. One thing
that I did was let LastPass generate 32 random characters for the password but
used it to change the username. I depend on LastPass to remember that.

It's not much but it was all I could come up with.

My wife wants to use the Schwab app to deposit checks on her phone but I don't
trust their security. One lost phone could lead to our retirement funds being
transferred to Belize (or wherever).

------
elahd
I complained to Schwab about their password policies numerous times over the 3
years I was a bank/brokerage customer. A few months ago I finally moved my
accounts to TD.

Schwab's standard response was 1) to assure me that they had "intelligent"
fraud monitoring systems on their backend and 2) to offer me a hard token,
which would have been a pain and may have caused issues with Mint.

~~~
flavor8
> A few months ago I finally moved my accounts to TD.

You'll be back to Schwab before you know it. TD are beyond awful. Schwab have
pretty much the best customer service going.

------
yalogin
I have called and complained many times about their password policies.

They let you choose a random user id, as in, change the user id whenever you
want. I bet you the security guys over at Schwab are using that as a reason to
not improve password options. I can see the argument being - "The idiotic
password limitations are not a big deal because of the random userids".

~~~
benguild
Apparently they insure you against someone breaking into your account, but
this is clearly the case of a bunch of old boys who don't understand tech
being in charge.

------
timeal
This story needs to be upvoted 1000 times. Why are financial institutions so
_bad_ at password policies?

~~~
feld
Probably mainframes that they can't get rid of, or systems emulating / used to
working with them.

~~~
colinbartlett
I presume they "can't" because it's too expensive?

How expensive is too expensive for some of the richest companies in the world?

~~~
nkantar
When it costs more than the perceived value of benefits.

"Acceptable risk" is the usual term, I believe.

------
superuser2
Online banking is largely a read-only proposition. It's mostly for reading
account activity. Some of the more forward-looking banks will even let you
initiate ACH transfers, but generally sending money to a new recipient
triggers a 2FA prompt (debit card number prompt, phone call, text) and several
secondary notifications, with several days to say "that wasn't me" before the
money is gone.

I wouldn't voluntarily post my bank account credentials on the internet, but
at the end of the day, the security of an online banking account just doesn't
matter very much.

The security of the transaction mechanisms do, sure, but that's got little to
do with online banking passwords.

------
timdierks
I'm guessing that if they had a major breach because of this kind of idiocy,
they'd find a way to fix it after the fact.

Which sort of implies to me that they should find a way to fix it before they
have a big breach.

If nothing else, the fact that they've been warned repeatedly and done nothing
could be pretty compelling if there was ever litigation over losses.

For example, I could imagine someone successfully disavowing a trade at Schwab
because they don't enforce the password authentication they claim to, and thus
can't convincingly claim that the trader was in fact the account owner.

------
spac
I did report this a while ago to Schwab both over the phone and on Twitter and
I have been equally ignored. Thanks for writing a blog post about it.

Edit: forgot to mention that the passwords are case insensitive!!!!!!

~~~
cdolan
You are factually incorrect that the passwords are case insensitive.

~~~
AjithAntony
Verified, mine is case-insensitive. If phone-keypad-password-entry is a
requirement, then that makes sense.

~~~
cdolan
I'm confused, are you verifying that the passwords _are_ or _are not_ case
sensitive? Mine is certainly case sensitive (watch me get hacked now, 8
characters, one is capital!)

~~~
gknoy
"Case sensitive" means that it matters whether you keep characters matching
the same case. So, let's imagine a hypothetical service:

    # This should work for any such service:
    Service.set_password('MyPassword')
    Service.verify('MyPassword')

Logging in with the mixed-case password (which should, of course, work) does
not tell us anything about whether it's case sensitive. However, if alternate-
case versions of your password work, your service has case insensitive
passwords:

    # These fail if a case-sensitive service
    Service.verify('mypassword')
    Service.verify('MYPASSWORD')

If we can give it either too many or too few characters, then they are likely
truncating your password before storing/testing it:

    # They drop characters if these work:
    Service.verify('My')
    Service.verify('MyVoice')

Edit: And, in case they are trying to be nice and allow you to log in with
your phone, they might do something lame like store your password as the
numbers-you-would-type, rather than the actual characters, in which case this
might work:

    # I hope not: 'mypassword' phone pad digits
    Service.verify(6972779673)
    # Even worse, if they might store only the first digits:
    Service.verify(6972)

Apologies if I've made any typos, but I hope that clarifies how one might
verify that passwords are treated as case sensitive or not.
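
The checks above as a runnable harness, added here as an example (not gknoy's code and not any institution's real implementation): a constructed model of the truncating, case-insensitive, keypad-accepting verifier the thread reports, beside a full-length salted verifier that takes the one-time code as a separate input, and a probe that reports which weaknesses it observes on a test account whose password you control. The service classes, the password `MyPassword`, the keypad mapping and the iteration count are all assumptions for illustration; the last function shows why appending a token to a truncated password proves nothing, the failure brianpgordon and jeremyt describe.

```python
import hashlib
import hmac
import os

# Phone-keypad letter groups, used to model the "touch-tone password" behaviour one
# commenter reports. Digits and other characters pass through unchanged.
KEYPAD = {c: d for d, letters in {"2": "abc", "3": "def", "4": "ghi", "5": "jkl",
          "6": "mno", "7": "pqrs", "8": "tuv", "9": "wxyz"}.items() for c in letters}


def to_keypad(text):
    """Reduce a string to the digits a caller would press on a phone keypad."""
    return "".join(KEYPAD.get(ch, ch) for ch in text.lower())


class LegacyService:
    """Constructed model of the verifier the thread describes: only the first 8
    characters count, matching is case-insensitive, and the keypad-digit form of
    the password is accepted. Not any institution's real code."""

    def __init__(self):
        self._stored = None

    def set_password(self, password):
        # Normalises away case, anything past 8 characters, and letter identity.
        self._stored = to_keypad(str(password)[:8])

    def verify(self, candidate):
        return to_keypad(str(candidate)[:8]) == self._stored


class HardenedService:
    """Full-length, case-sensitive verifier: salted PBKDF2-HMAC-SHA256 with a
    constant-time compare, and a one-time code checked as a separate input rather
    than glued onto the end of the password. Iteration count is an assumed value."""

    ITERATIONS = 200_000

    def __init__(self):
        self._salt = os.urandom(16)
        self._hash = None

    def _derive(self, password):
        return hashlib.pbkdf2_hmac("sha256", str(password).encode("utf-8"),
                                   self._salt, self.ITERATIONS)

    def set_password(self, password):
        self._hash = self._derive(password)

    def verify(self, candidate):
        return hmac.compare_digest(self._derive(candidate), self._hash)

    def login(self, candidate, otp, expected_otp):
        # Both factors are checked independently, so a correct password with a wrong
        # or missing code fails and the user learns at once whether the token is live.
        return self.verify(candidate) and hmac.compare_digest(str(otp), str(expected_otp))


def probe(service, password="MyPassword"):
    """Run the checks from the comment above against a service whose password we
    set ourselves. Returns the set of weaknesses observed; empty for a sound verifier."""
    service.set_password(password)
    findings = set()
    if not service.verify(password):
        findings.add("rejects-correct-password")
    if service.verify(password.lower()) or service.verify(password.upper()):
        findings.add("case-insensitive")
    # Appending junk to the real password must never succeed; if it does, the
    # verifier is truncating, and anything appended (such as a 2FA code) is ignored.
    if service.verify(password + "zzz") or (len(password) > 8 and service.verify(password[:8])):
        findings.add("truncates-to-8")
    if service.verify(to_keypad(password)):
        findings.add("accepts-keypad-digits")
    return findings


def appended_token_is_checked(service, password="MyPassword"):
    """True only if the 'password + token' form rejects a wrong token. A truncating
    verifier never sees the token, which is how 2FA can appear active when it is not."""
    service.set_password(password)
    return not service.verify(password + "000000")
```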

------
overgard
Some of their competitors are just as bad. I remember I started to sign up for
a TD Ameritrade account a few years ago, but when the password "requirements"
came up (which were very similar), it was clear that they were probably
storing passwords as plaintext, so I stopped.

Then I got phone calls from them asking why I hadn't finished, so I had to
explain to a person that clearly wasn't technical (not his fault, of course),
that his company had no idea what they were doing security wise.

Maybe they finally fixed it though. I can only hope.

------
11thEarlOfMar
Offers little consolation...

Schwab has "...a system which locks you out if you guess the
[username,password] combination incorrectly more than twice.."

Schwab can improve your security via Verisign and verbal passwords, but you
have to ask for it: "... Schwab has several additional (optional) verification
methods."

[http://www.marottaonmoney.com/schwab-verisign-security-measu...](http://www.marottaonmoney.com/schwab-verisign-security-measures/)

------
markcerqueira
Quite shameful. Fortunately, I only use Schwab because of their awesome
checking account that covers ATM fees. Definitely won't put more of my assets
in there until they get their act together.

I may be wrong, but I think user IDs can be longer than 8 characters too which
makes this all even worse.

LinkedIn did something similar with having to append your auth token to the
end of your password, but they actually checked the token AFAIK.

~~~
mariusz331
Are there benefits to appending the token to the end of the password over adding
a field for it in the form?

~~~
thesimon
Convenience for the user (no need to move to a different field) and UI
advantages (no need for a third field which might make the form look
complicated and confuse users who don't have 2FA activated).

Not saying that this is a good idea, but there are some benefits for appending
the token.

~~~
jeremyt
I might buy it if two factor activation wasn't a one time operation.

As it stands, there's no need to confuse existing users. You just need a
separate pathway to activate the token.

THEN you just ask for the token as a step two in the login process. That's
actually how Schwab handles things right now.

~~~
markcerqueira
For some shitty services, like PayPal that don't give you a long-lived auth
token, it is an every-time process. :|

As expected, Schwab isn't the only perpetrator of bad two-factor auth. I think
PayPal still DOES NOT support two-factor auth on their mobile clients.

Shameless plug of my blog posts about Paypal's terrible two factor auth:

[http://mark.gg/2014/10/22/paypal-and-delusions-of-grandeur/](http://mark.gg/2014/10/22/paypal-and-delusions-of-grandeur/)

[http://mark.gg/2014/06/04/kicking-the-tires-with-paypal/](http://mark.gg/2014/06/04/kicking-the-tires-with-paypal/)

------
spacefight
"Like probably millions of people I have a Schwab brokerage account, and that
account holds a good portion of my savings for retirement."

OpSec 101: replace that sentence with "Like probably millions of people I have
a Schwab brokerage account, and that account holds just a few bucks of play
money to try out trading strategies."

------
jkupferman
Fidelity had a similarly terrible password policy (6-12 characters, only
letters and numbers). I complained to their tech six months ago and got a
stock "we're looking into it" answer. In the past month they've actually fixed
the issue and now require 6 characters (upper case, lower case, number and
symbol).

------
paulschreiber
Schwab does let you enter your token code on a separate screen. If you enter
your username and password (without appended token code), you'll get this
screen:
[https://www.flickr.com/photos/paul/16079572151/](https://www.flickr.com/photos/paul/16079572151/)

~~~
jeremyt
You're correct, but that doesn't fix the first activation, which is what I
wrote the post about. The real problem is that I thought I had two factor
activated for months when I didn't.

~~~
paulschreiber
True. I was so confused when I got my token — it didn't come with
instructions, and there was no activation link on the site.

I ended up calling support to figure out how to set things up.

------
bhartzer
Thanks for posting, I've passed this on to my contact at Schwab to see if it
can get fixed properly ;)

~~~
nhstanley
This has been a problem for years that they refuse to fix. The legacy password
thing (Strike one) is bullshit, they could just force everyone to update their
passwords when they implement a properly designed system.

I would be even more disheartened if customer complaints and an article in Ars
can't get this fixed, but someone "passing it on to a contact" could. It's
disgusting that this is how they've handled it. I minimize how much money I
keep with them and will be closing the account when I get back to the States.

~~~
bhartzer
I understand your frustration, but let's see how 'passing it on to a contact'
will (or will not) work in this case.

------
jrochkind1
Recently, on a Schwab competitor's site, I couldn't recall my password -- which
was required to have upper, lower, and punctuation.

Not being able to recall my password, I was able to reset it by supplying only
my mother's maiden name and my date of birth.

Um.

------
brini
I've also bemoaned Schwab's password policy. I reacted by changing my login ID
to something nonsensical which would be difficult to guess or to associate
with anyone's identity, let alone mine.

------
Flott
8-digit password...

It sounds like DES encryption stored directly in the database. (This is pure
speculation of course) This alone is a huge red flag. Adding the fact that the
2 factor auth. is broken is not good news.

~~~
psykovsky
How about the case insensitivity on the passwords? How does that fit with DES
encryption, or any kind of encryption at all?

~~~
MichaelGG
User friendliness. FB did something similar where they'd store several
versions of your password. That way they could tell if you had caps lock on or
other problems.

~~~
psykovsky
You really used facebook as a best practices example? Where is the source code
of facebook's function that deals with case insensitive passwords? How can you
be sure such source code is actually being used in production? It's as good as
plaintext without any of those assurances...

------
acconrad
I, too, complained months ago about the poor password protection. I
immediately had them send me a 2-factor FOB. While it isn't a great solution,
it's one I would ask for asap.

~~~
DrJosiah
Did you read the article?

~~~
cdolan
While I see your implied point, DrJosiah, the above commenter did not say that
the authenticator was without issue. Moreover, the blog post did not attempt
to prove that the 2 factor auth did not work IF configured properly, but that
the UI was incredibly misleading when activating the token.

~~~
DrJosiah
Go read the article (or the first 2 paragraphs even), then come back and read
the comment.

The point of the article was that Schwab's login security is so broken, even
when you do all of the right things yourself, Schwab's implementation of
passwords and 2-factor auth may make you think that everything worked when it
didn't.

It is my opinion that someone who had read the article, had a Schwab account,
and who had enabled 2-factor auth for that account would have responded to or
added to the experiences expressed by Jeremy Tunnell. But there are no words
in acconrad's post that lead me to believe that they read the article before
posting, as it basically amounts to, "When I contacted them about crappy
password security, I ended up with a 2-factor fob. You should get one too."
... which is great advice for any system offering 2-factor auth, but it
basically ignores the whole purpose of the article, which was to point out how
utterly broken the _entire_ process is.

Could I be wrong and acconrad actually read the article first? Sure. But I
asked a question which embodied my opinion on the matter, based on what I read
up until that point. And so far, I've not seen any evidence to the contrary to
change my belief that acconrad commented without reading the article (your
reply doesn't contain information/evidence that is applicable to the question
that I asked, as I have at no point offered an opinion that you are responding
to).

But I've spent entirely too long replying, and won't be following up further.
Good day.

------
et2o
I recently filled out a support ticket concerning password policies too, after
opening an account. I received a rather absurd reply and decided not to
transfer any of my money to them.

------
themckman
It's really a shame they're so bad at all of this. I've had nothing but a
fantastic experience when dealing with them for my Investing and Checking
accounts.

------
gesman
Enterprise support:

Q: "Your secure banking portal has critical vulnerability!"

A: "Did you try to reboot your computer?"

------
based2
tx ldap active directory [http://www.richardhyland.com/diary/2009/05/06/8-bit-characte...](http://www.richardhyland.com/diary/2009/05/06/8-bit-characters-in-active-directory/)

------
caycep
How do the other big consumer trading services compare? i.e. Vanguard,
Fidelity, etc?

~~~
ntucker
I used to have my retirement accounts at Fidelity. One day I needed some
assistance with something I was seeing on their web UI, so I called them up.
The support person said (not an exact quote, but the gist), "in order to see
what you're seeing, I'm going to need to log in as you. I need your permission
in order to do that. Security precautions prevent me from being able to see
your password, so I will need to change your password to a temporary password
of '123456fidelity' to proceed. Is this ok?"

I was kind of speechless, but I said, no, that's ok, I've decided I don't need
help anymore, and shortly thereafter I closed all of my accounts. I've moved
to a smaller firm where I've specifically asked for my accounts to be
inaccessible from the internet in any way, and I have a financial advisor
assigned. If I need something done, I can call him or his assistant. I can't
make big financial moves at the click of a button, which suits me just fine.

~~~
kelnos
Certainly less important than a financial institution, but I had the exact
same experience calling Virgin America's support a few months ago when their
then-new website would consistently error out every time I tried to book a
flight.

------
lukastsai
a more readable version:
[https://getscroll.com/r/ba19m](https://getscroll.com/r/ba19m)