NETELLER does not encrypt passwords


kurosh
08-31-2005, 01:23 PM
This bothers me quite a bit. I was putting in the wrong password a few times and they closed my account. I called to get them to reopen it and the security guy told me that the password I was putting in was close to the right one, but I was just adding 3 extra letters to the end. So that means they can see your password and what you're trying to enter as your password.

Does this bother anyone else?

samr
08-31-2005, 01:27 PM
Yes, this does bother me.

Would you mind calling them and asking them about their policy?

stone_7
08-31-2005, 01:55 PM
This is pretty common for banks. I work with many different banks in my job and many of them have support personnel for their webpages that can see this info.

08-31-2005, 03:17 PM
I think you may not understand how Web encryption works.

When you enter the password, your browser uses encryption to send the password to Neteller (you can tell by looking at the URL of the login page - if it starts with https, it's encrypted).

After your password reaches the Neteller servers, it is decrypted. That's why the Neteller personnel can see it.

Even if Neteller were to take an extra security step and store your password on its servers in encrypted form, staff whose job it is to work with passwords would be able to decrypt and view passwords at will.

HTH.

stinkypete
08-31-2005, 03:31 PM
[ QUOTE ]

Even if Neteller were to take an extra security step and store your password on its servers in encrypted form, staff whose job it is to work with passwords would be able to decrypt and view passwords at will.


[/ QUOTE ]

This is incorrect.

Xcalibur
08-31-2005, 03:37 PM
[ QUOTE ]
I think you may not understand how Web encryption works.

When you enter the password, your browser uses encryption to send the password to Neteller (you can tell by looking at the URL of the login page - if it starts with https, it's encrypted).

After your password reaches the Neteller servers, it is decrypted. That's why the Neteller personnel can see it.

Even if Neteller were to take an extra security step and store your password on its servers in encrypted form, staff whose job it is to work with passwords would be able to decrypt and view passwords at will.

HTH.

[/ QUOTE ]

I'm pretty sure he is not questioning web encryption. Some services (AOL, for example) do not let their customer care representatives see sensitive customer information like credit cards on the accounts or passwords, since it opens them up to much abuse.

It is only a matter of policy on the companies to ensure customer security. I know I am definitely disturbed that Neteller would let its customer care representative know what your password is. I sure hope they at least have detailed background checks on their employees.

herk
08-31-2005, 03:41 PM
Passwords are almost always stored in an encrypted form using a one way hash. User enters their password, a one way algorithm is applied resulting in a new value (which is the one that should be stored), and there is NO way to take the encrypted form and restore it to its original. On login the same algorithm is applied to whatever the user entered and that encrypted value is compared to the stored encrypted value.

If neteller stored their passwords properly there would be no way for employees to browse customer passwords at will.

AliasMrJones
08-31-2005, 03:56 PM
[ QUOTE ]
Even if Neteller were to take an extra security step and store your password on its servers in encrypted form, staff whose job it is to work with passwords would be able to decrypt and view passwords at will.

[/ QUOTE ]

This is 100% wrong. In most applications, passwords are stored encrypted and no one, not even the person who wrote the application, can see the password as stored in the system. It uses one-way encryption. Basically, you can encrypt a password and see if it matches the stored encrypted password, but there is no way to unencrypt an encrypted password. (I hope that makes sense.)

Here's an example. Say your password is "love". When encrypted, "love" turns into "$ds2sdf". You store "$ds2sdf" in the database as the encrypted password. Now when someone types in "love" as the password, it is encrypted to "$ds2sdf" and compared to what is in the database. It matches so it authenticates you. However, other combinations of characters can also encrypt to "$ds2sdf" so there is no way to decrypt "$ds2sdf" to love. (There is a way to get a user's password in this case. It is called brute force cracking. Basically you try every possible combination of characters, encrypt each one and compare to the encrypted password. It would take a very long time, assuming you have a decent password.)

This one-way encryption protects users' accounts from abuse by even employees. Windows works like this, unix works like this. A homegrown web application may or may not work like this. (You might wonder, then, how do you help someone who forgot their password? You have to set a new password for them since there is no way to retrieve their current password. If you call your network admin at work and tell him/her you forgot your password, they will tell you the same thing -- they can set a new password for you, but there is no way to get your current password. It is because of this one-way encryption.)

Neteller may or may not do this, but any truly secure system will employ this type of password encryption.
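
A worked version of what herk and AliasMrJones describe above, added here as an example and not code posted by anyone in the thread: the server stores a random salt plus a one-way digest (PBKDF2-HMAC-SHA256 here, a deliberately slow hash; the principle is the same as the MD5-style examples in the thread), login re-derives the digest from the attempt and compares it, and "forgot password" is implemented as a single-use reset token rather than retrieval, because nothing in storage can be turned back into the password. The `UserStore` class, the usernames, the iteration count and the in-memory tables are assumptions made for the example.

```python
import hashlib
import hmac
import os
import secrets

# Work factor for PBKDF2-HMAC-SHA256 (an assumption for this example; tune to
# the hardware). Every guess in an offline cracking run has to pay this cost.
PBKDF2_ITERATIONS = 100_000
SALT_BYTES = 16


def hash_password(password: str) -> dict:
    """Build the record that gets stored: a fresh random salt and a one-way
    digest. The password itself is never part of the record."""
    salt = os.urandom(SALT_BYTES)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ITERATIONS)
    return {"salt": salt.hex(), "digest": digest.hex(), "iterations": PBKDF2_ITERATIONS}


def verify_password(record: dict, attempt: str) -> bool:
    """Re-run the same one-way function on the attempt and compare digests.
    Nothing here turns record['digest'] back into a password; the answer is
    only ever equal or not equal, never 'three letters off'."""
    salt = bytes.fromhex(record["salt"])
    digest = hashlib.pbkdf2_hmac("sha256", attempt.encode("utf-8"), salt, record["iterations"])
    return hmac.compare_digest(digest, bytes.fromhex(record["digest"]))


class UserStore:
    """In-memory stand-in for the users table (constructed for the example)."""

    def __init__(self) -> None:
        self.users = {}         # username -> password record
        self.reset_tokens = {}  # sha256(token) hex -> username, single use

    def register(self, username: str, password: str) -> None:
        self.users[username] = hash_password(password)

    def login(self, username: str, attempt: str) -> bool:
        record = self.users.get(username)
        if record is None:
            # Burn the same time as a real check so unknown usernames are not
            # distinguishable from wrong passwords by response time.
            hash_password(attempt)
            return False
        return verify_password(record, attempt)

    def begin_reset(self, username: str):
        """The 'forgot password' path: since nobody can read the old password,
        mint a random token, store only its hash, and send the token (not a
        password) to the user's address. Returns None for unknown users."""
        if username not in self.users:
            return None
        token = secrets.token_urlsafe(32)
        self.reset_tokens[hashlib.sha256(token.encode()).hexdigest()] = username
        return token

    def complete_reset(self, token: str, new_password: str) -> bool:
        """Consume the token (it cannot be used twice) and store a new record."""
        username = self.reset_tokens.pop(hashlib.sha256(token.encode()).hexdigest(), None)
        if username is None:
            return False
        self.users[username] = hash_password(new_password)
        return True


if __name__ == "__main__":
    store = UserStore()
    store.register("alice", "love")  # the example password used in the thread
    print("stored record:", store.users["alice"])
    print("login 'love':   ", store.login("alice", "love"))
    print("login 'loveabc':", store.login("alice", "loveabc"))  # three extra letters, as in the OP
    token = store.begin_reset("alice")
    print("reset ok:", store.complete_reset(token, "new-pass-phrase"))
    print("old password still works:", store.login("alice", "love"))
```

Two things follow from the code rather than from policy: a support rep looking at `store.users["alice"]` sees only hex salt and digest, so the conversation in the first post could not happen against this store; and the reset path produces a token, not the password, so a "we'll email you your password" feature cannot be built on top of it. A production version would also give the reset token an expiry time and rate-limit `login`.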

08-31-2005, 04:01 PM
[ QUOTE ]
This is 100% wrong. In most applications

[/ QUOTE ]
Within your first seven words you contradicted yourself.

But you're right in the basic premise: often passwords can also be checked by staff via a checksum (correct or not correct or semi-correct).

If that were the case, I'd reasonably expect that a developer could write a system helpful enough to tell whether an attempt is one or two letters off.

But whether this is true on the desktop or not, most large institutions don't seem to use undecryptable vital information (either that or my newspapers are broken).

Sponger15SB
08-31-2005, 04:09 PM
[ QUOTE ]
I was putting in the wrong password a few times and they closed my account.

[/ QUOTE ]

Wait, so you don't just have it entered automatically for you by firefox so you just have to hit the sign in button?

Tapin
08-31-2005, 04:09 PM
[ QUOTE ]
I'd reasonably expect that a developer could write a system helpful enough to tell whether an attempt is one or two letters off.

[/ QUOTE ]
I'm sorry, but you know nothing of which you speak.

Good hashing functions change approximately half of the output bits for every bit change in the input. This is Hashing 101. Determining whether a given string was "one or two letters off" requires either a so-weak-as-to-be-pointless hashing algorithm, or a colossal amount of iterative effort that won't be accomplished in real time during a support phone call.

This is all meta-discussion, however, since it's quite apparent that NT's backend password storage is insecure and their developers are unfamiliar with standard operating procedure.

(I'm baffled that they not only can see user's passwords, they can even see user's failed attempts at passwords. Yiiikes.)

08-31-2005, 04:14 PM
[ QUOTE ]
I'm sorry, but you know nothing of which you speak.

[/ QUOTE ]
Alright, alright, I bow to the one with practical experience in corporate backend security.

PrincipalSkinner
08-31-2005, 04:23 PM
I would hope (and assume) that the "security guy" whom you dealt with is vetted a bit more thoroughly than the run-of-the-mill customer service rep. Having spoken at length with a couple of these neteller "security guys", however, I can assure you that neteller security does not inspire confidence in any regard.

Tapin
08-31-2005, 04:24 PM
[ QUOTE ]
Alright, alright, I bow to the one with practical experience in corporate backend security.

[/ QUOTE ]
Funny, but this stuff is indeed part of my job.

One which I'm neglecting by posting on 2+2 in the middle of the day, I might add. Whoops.

B Dids
08-31-2005, 04:47 PM
Or moreover that when the user is getting it wrong, they're giving hints on how to get it right. I'm pretty sure that's not policy right there.

MrMoo
08-31-2005, 04:52 PM
There is no "semi-correct". It's either correct or incorrect.

Code:
    [/Users/me]$ echo blahblah | md5
    7ec306b6fa01510ffc4e0d0fac97c23e
    [/Users/me]$ echo blahbla | md5
    1c0cb377e98d89d226530fe42a22c9d4

Can you tell if those are close?

I'm not trying to be a jerk here but you're way off base. I think you're personally doing a disservice to people here by making claims which are completely incorrect.

As to the issue at hand, this is a HUGE deal. I still can't believe they're doing this. I'm shocked. Any database developer with even an ounce of intelligence knows this is a gigantic security hole.

Think about it like this. Most likely ANY of their support staff has access to all the passwords for any user. The DB administrators certainly have access to this info. ANYONE who cracks into this site will have access to this info. Given the inept decision to do this in the first place, I can't imagine the security for their site is anything more than pathetic. Now think of how much money is available. That's a pretty big incentive for someone to get access to this info.
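
Tapin's point that a good hash flips about half of its output bits for any change to the input, and MrMoo's md5 demonstration just above, can be checked directly. The code below is an added example, not something posted in the thread; the input strings are constructed, and a trailing newline is appended before hashing because that is what the `echo text | md5` pipeline actually feeds the hash. The last function goes a bit beyond the single pair in the post: it averages over every one-letter edit of the input.

```python
import hashlib
import string


def digest_hex(data: str, algo: str = "md5") -> str:
    """Hex digest of data plus a trailing newline, matching `echo data | md5`."""
    return hashlib.new(algo, (data + "\n").encode("utf-8")).hexdigest()


def hex_hamming_distance(hex_a: str, hex_b: str) -> int:
    """Number of bit positions in which two equal-length hex digests differ."""
    if len(hex_a) != len(hex_b):
        raise ValueError("digests must be the same length")
    return bin(int(hex_a, 16) ^ int(hex_b, 16)).count("1")


def compare_close_inputs(a: str, b: str, algo: str = "md5"):
    """Return (differing bits, total bits, fraction) for hash(a) versus hash(b)."""
    ha, hb = digest_hex(a, algo), digest_hex(b, algo)
    total_bits = len(ha) * 4
    differing = hex_hamming_distance(ha, hb)
    return differing, total_bits, differing / total_bits


def average_flip_fraction(base: str, algo: str = "sha256") -> float:
    """Hash `base` against every single-letter substitution of it and average the
    fraction of output bits that change. A sound hash gives roughly 0.5 no matter
    how similar the two inputs are, so the digest carries no 'closeness' signal
    that a support tool could report back to a caller."""
    fractions = []
    for i, original in enumerate(base):
        for replacement in string.ascii_lowercase:
            if replacement == original:
                continue
            variant = base[:i] + replacement + base[i + 1:]
            fractions.append(compare_close_inputs(base, variant, algo)[2])
    return sum(fractions) / len(fractions)


if __name__ == "__main__":
    # Constructed inputs: the pair from the post above, one letter apart.
    for s in ("blahblah", "blahbla"):
        print(f"{s:10s} md5 = {digest_hex(s)}")
    d, n, f = compare_close_inputs("blahblah", "blahbla")
    print(f"{d} of {n} bits differ ({f:.0%})")
    print(f"average over one-letter edits (sha256): {average_flip_fraction('blahblah'):.3f}")
```

The fraction for any single pair lands somewhere near one half, and the average over a couple of hundred one-letter variants sits very close to 0.5. The only way a system can tell a caller "you were three letters off" is to compare plaintext against plaintext, which means both the stored password and the failed attempts were available in the clear.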

HigherAce
08-31-2005, 05:03 PM
[ QUOTE ]
Here's an example. Say your password is "love". When encrypted, "love" turns into "$ds2sdf". You store "$ds2sdf" in the database as the encrypted password. Now when someone types in "love" as the password, it is encrypted to "$ds2sdf" and compared to what is in the database. It matches so it authenticates you. However, other combinations of characters can also encrypt to "$ds2sdf" so there is no way to decrypt "$ds2sdf" to love. (There is a way to get a user's password in this case. It is called brute force cracking. Basically you try every possible combination of characters, encrypt each one and compare to the encrypted password. It would take a very long time, assuming you have a decent password.)

[/ QUOTE ]

Wow never knew how internet encryption worked. So if my pw was love, but sand gave the same encrypted value...either would work as my pw?

Tapin
08-31-2005, 05:14 PM
[ QUOTE ]
Wow never knew how internet encryption worked. So if my pw was love, but sand gave the same encrypted value...either would work as my pw?

[/ QUOTE ]
To be clear, that's not how "internet encryption" works, it's the standard procedure for hashing and password checks.

Yes, a "hash collision" could result in two different strings resulting in the same hash; it's a known issue, and the reason why people who are interested in super-secure systems don't typically use MD5 for their hashing algorithm any more (see here (http://www.cryptography.com/cnews/hash.html)).

The probability of finding two single-word English phrases that hash the same in MD5 or SHA1 (the two most common algos) is astronomical even by gamblers' standards.

PLOlover
08-31-2005, 05:54 PM
[ QUOTE ]
This bothers me quite a bit. I was putting in the wrong password a few times and they closed my account. I called to get them to reopen it and the security guy told me that the password I was putting in was close to the right one, but I was just adding 3 extra letters to the end.

[/ QUOTE ]

Really weird this exact same thing happened to me too. Seriously. The password limit length there is 20 characters I was told. They said they didn't know why the system let me input 23 in the first place.

Yeah, not confidence inspiring.

pankwindu
08-31-2005, 06:01 PM
Wow. This is rather horrifying to be honest. As others have elaborated, it is Security 101 that passwords should never be stored in retrievable form. Only one-way hashes should be stored, period. CS reps/hackers/con men should never be able to get the password from storage. If the user forgets it, CS reps should have to reset to a new one, not be able to look up the old one.

Sure, your average web forum or whatever can get away with storing passwords, but it is simply inexcusable for a site that deals with money. And if their security department doesn't understand this incredibly basic security concept, who knows what else might be lacking.

theblitz
08-31-2005, 06:10 PM
[ QUOTE ]
Wait, so you don't just have it entered automatically for you by firefox so you just have to hit the sign in button?

[/ QUOTE ]
That is a BIG no!!!!!

Nigel
08-31-2005, 06:16 PM
[ QUOTE ]
This bothers me quite a bit. I was putting in the wrong password a few times and they closed my account. I called to get them to reopen it and the security guy told me that the password I was putting in was close to the right one, but I was just adding 3 extra letters to the end. So that means they can see your password and what you're trying to enter as your password.

Does this bother anyone else?

[/ QUOTE ]

They've always said to me they don't have this info available to them or the secure ID even. When I've accidentally started to give out the secure ID on the phone with them, they've stopped me mid sentence.

Not doubting what you are relating, just saying it's contrary to what I had believed their protocol was/is. Scary stuff.

Nigel

AngusThermopyle
08-31-2005, 06:16 PM
He asked you for your password?

Security Guidelines
In order to protect your NETELLER account, please keep the following guidelines in mind:

1. Never share your NETELLER Password or Secure ID with anyone. You will never be asked to disclose your password or Secure ID by a NETELLER representative or anyone affiliated with NETELLER.

AliasMrJones
08-31-2005, 06:18 PM
[ QUOTE ]
[ QUOTE ]
Here's an example. Say your password is "love". When encrypted, "love" turns into "$ds2sdf". You store "$ds2sdf" in the database as the encrypted password. Now when someone types in "love" as the password, it is encrypted to "$ds2sdf" and compared to what is in the database. It matches so it authenticates you. However, other combinations of characters can also encrypt to "$ds2sdf" so there is no way to decrypt "$ds2sdf" to love. (There is a way to get a user's password in this case. It is called brute force cracking. Basically you try every possible combination of characters, encrypt each one and compare to the encrypted password. It would take a very long time, assuming you have a decent password.)

[/ QUOTE ]

Wow never knew how internet encryption worked. So if my pw was love, but sand gave the same encrypted value...either would work as my pw?

[/ QUOTE ]

In theory, maybe, but there are so many combinations of characters (including caps, lower, numbers, symbols) that in practice this just isn't going to happen. The important thing is that it is one-way and there is no way to get to the exact original password even if you know the encrypted form and the encryption method.

theblitz
08-31-2005, 06:20 PM
I just e-mailed them and asked - let's see what answer I get.

I'll post it as soon as I do.

I sent them a link to this thread so they will know what I am talking about.

Sponger15SB
08-31-2005, 06:21 PM
[ QUOTE ]
[ QUOTE ]
Wait, so you don't just have it entered automatically for you by firefox so you just have to hit the sign in button?

[/ QUOTE ]
That is a BIG no!!!!!

[/ QUOTE ]

Why?

Also, I'm not worried about people stealing my $0.00

AngusThermopyle
08-31-2005, 06:31 PM
[ QUOTE ]
I just e-mailed them and asked - let's see what answer I get.

I'll post it as soon as I do.

I sent them a link to this thread so they will know what I am talking about.

[/ QUOTE ]

That makes 2 e-mails with links sent.

AliasMrJones
08-31-2005, 06:32 PM
[ QUOTE ]
[ QUOTE ]
This is 100% wrong. In most applications

[/ QUOTE ]
Within your first seven words you contradicted yourself.

[/ QUOTE ]

No I didn't. The original quote was:

[ QUOTE ]
Even if Neteller were to take an extra security step and store your password on its servers in encrypted form, staff whose job it is to work with passwords would be able to decrypt and view passwords at will.

[/ QUOTE ]

This IS 100% wrong. If Neteller encrypted the passwords there would be no way to decrypt and view the passwords at will. Apparently Neteller doesn't encrypt their passwords. Ask any Windows, Unix or Linux network admin how to decrypt passwords in any of those systems. Even the system admin. YOU CAN'T.

I started by saying the quote above is 100% wrong. (Which it is.) And then, separately, described how most secure systems implement encrypted passwords. The 100% in the first part is correct (referring to the quote), and the "most" in the second part is correct as well (referring to applications/systems). Where is the contradiction?

08-31-2005, 07:12 PM
[ QUOTE ]
[ QUOTE ]
[ QUOTE ]
This is 100% wrong. In most applications

[/ QUOTE ]
Within your first seven words you contradicted yourself.

[/ QUOTE ]

No I didn't.



[/ QUOTE ]

If you feel that strongly about being 100% right, you're 100% right.

theblitz
08-31-2005, 07:23 PM
Dunno.
Since I have all my sites' passwords entered automatically there is, I suppose, no real difference.

MrBrightside
08-31-2005, 08:09 PM
this is really, really, bad. I'm a developer, and as is said by others in this thread, it's just BAD. Just gives me another reason to hate Neteller, aside from their crappy interface. I think firepay is 10x easier to use.

MrMoo
08-31-2005, 09:16 PM
Here's the latest. I sent an email to Neteller and their response is below. I don't know who to believe. I respect Kurosh as a poster. On the other hand, I can't imagine any financial company would be this retarded. Ugg.

[ QUOTE ]

Dear Mr. xxxxx,

Customer service representatives do not have access to passwords. If you are
entering the wrong password, we can see that. However, we can not see what
the right password is. Additionally, we can see the answer to your security
question which is not/should not be the same as your password.

Please review the following section of our Terms of Use, which you agreed to
when you signed up your Neteller account:

III. Responsibilities of NETeller plc
12. NETeller is responsible for keeping your records and personal
information secure and confidential. NETeller protects your information from
error, loss, and unauthorized access. Our employees who have access to your
information are made aware of this and each employee must sign an agreement
stating that maintaining confidentiality is a condition of employment with
NETeller.

If you have any questions, please contact our Customer Service Department at
1-888-258-5859 and we will be more than happy to assist you. Please choose
option #0 then select option #1 from the phone menu to be connected directly
to an agent.

The following Countries can dial Toll Free +800-7767-6343:.
Austria, Singapore, China, Hong Kong, Portugal, Japan, Australia, Taiwan,
Israel, UK, France. Germany N, Netherlands, Spain, Denmark, Italy, Norway,
Sweden, Finland, Greece, Poland, Macao, Ireland and Belgium.
Other International locations please contact us at +403-233-9466.

Alternatively you may contact us by email (support@neteller.com) or Live
Help (www.neteller.com).

Thank you,


[/ QUOTE ]

AliasMrJones
08-31-2005, 11:28 PM
[ QUOTE ]
[ QUOTE ]
[ QUOTE ]
[ QUOTE ]
This is 100% wrong. In most applications

[/ QUOTE ]
Within your first seven words you contradicted yourself.

[/ QUOTE ]

No I didn't.



[/ QUOTE ]

If you feel that strongly about being 100% right, you're 100% right.

[/ QUOTE ]

I didn't say I'm 100% right. I said his statement is 100% wrong. Geez, can anyone actually quote me correctly? Maybe I need to use smaller words.

PLOlover
08-31-2005, 11:42 PM
You can verify quite easily that neteller can send your password to your email address any time you request it. It's right on the logon webpage.

They can also send your acct# and secid# to your email address any time you request it.

kurosh
09-01-2005, 12:17 AM
Ok, let me clarify. I am not positive that they do not encrypt passwords. It was the logical conclusion from what happened. This is what happened exactly.

I gave the wrong password a few times, which was my real password + 3 extra letters. I.e., if my actual password was vaginaf, I was typing in vaginaface. My account was locked. I called the security department. They asked me some questions to confirm my identity, then they unlocked the account and the conversation went as follows.
"Do you know what your password is now? It's very close to what you were typing in, only 3 letters at the end are different."
"Yes, I do. Thanks."

I took this to mean that they could see my password and what my failed attempts were.

kurosh
09-01-2005, 12:28 AM
[ QUOTE ]
Here's the latest. I sent an email to Neteller and their response is below. I don't know who to believe. I respect Kurosh as a poster. On the other hand, I can't imagine any financial company would be this retarded. Ugg.

[ QUOTE ]

Dear Mr. xxxxx,

Customer service representatives do not have access to passwords. If you are
entering the wrong password, we can see that. However, we can not see what
the right password is. Additionally, we can see the answer to your security
question which is not/should not be the same as your password.

Please review the following section of our Terms of Use, which you agreed to
when you signed up your Neteller account:

III. Responsibilities of NETeller plc
12. NETeller is responsible for keeping your records and personal
information secure and confidential. NETeller protects your information from
error, loss, and unauthorized access. Our employees who have access to your
information are made aware of this and each employee must sign an agreement
stating that maintaining confidentiality is a condition of employment with
NETeller.

If you have any questions, please contact our Customer Service Department at
1-888-258-5859 and we will be more than happy to assist you. Please choose
option #0 then select option #1 from the phone menu to be connected directly
to an agent.

The following Countries can dial Toll Free +800-7767-6343:.
Austria, Singapore, China, Hong Kong, Portugal, Japan, Australia, Taiwan,
Israel, UK, France. Germany N, Netherlands, Spain, Denmark, Italy, Norway,
Sweden, Finland, Greece, Poland, Macao, Ireland and Belgium.
Other International locations please contact us at +403-233-9466.

Alternatively you may contact us by email (support@neteller.com) or Live
Help (www.neteller.com).

Thank you,


[/ QUOTE ]

[/ QUOTE ]
They mentioned nothing about the security department.

Non_Comformist
09-01-2005, 12:30 AM
[ QUOTE ]
Ok, let me clarify. I am not positive that they do not encrypt passwords. It was the logical conclusion from what happened. This is what happened exactly.

I gave the wrong password a few times, which was my real password + 3 extra letters. I.e., if my actual password was vaginaf, I was typing in vaginaface. My account was locked. I called the security department. They asked me some questions to confirm my identity, then they unlocked the account and the conversation went as follows.
"Do you know what your password is now? It's very close to what you were typing in, only 3 letters at the end are different."
"Yes, I do. Thanks."

I took this to mean that they could see my password and what my failed attempts were.

[/ QUOTE ]


WTF! my password is vaginaface

Pete H
09-01-2005, 02:28 AM
[ QUOTE ]
[ QUOTE ]
[ QUOTE ]
This is 100% wrong. In most applications

[/ QUOTE ]
Within your first seven words you contradicted yourself. /images/graemlins/wink.gif

[/ QUOTE ]

No I didn't. The original quote was:

[ QUOTE ]
Even if Neteller were to take an extra security step and store your password on its servers in encrypted form, staff whose job it is to work with passwords would be able to decrypt and view passwords at will.

[/ QUOTE ]

This IS 100% wrong. If Neteller encrypted the passwords there would be no way to decrypt and view the passwords at will. Apparently Neteller doesn't encrypt their passwords. Ask any Windows, Unix or Linux network admin how to decrypt passwords in any of those systems. Even the system admin. YOU CAN'T.

[/ QUOTE ]

You can't actually decrypt passwords, but if you have access to the password file, you can crack every single password on it.

What all cracking tools do, is they encrypt strings (words from dictionary, words close to it like player1, and finally strings with brute force) and compare the hashes.

Only issue is time.

Most passwords will crack in no time as they are too short and easy words.

AliasMrJones
09-01-2005, 11:24 AM
[ QUOTE ]
You can verify quite easily that neteller can send your password to your email address any time you request it. It's right on the logon webpage.

They can also send your acct# and secid# to your email address any time you request it.

[/ QUOTE ]

True enough. If they can email your password to you, then it is not stored encrypted on their system. Incredibly stupid. For a web forum who cares, but for a financial system...

MarkD
09-01-2005, 01:58 PM
[ QUOTE ]
[ QUOTE ]
You can verify quite easily that neteller can send your password to your email address any time you request it. It's right on the logon webpage.

They can also send your acct# and secid# to your email address any time you request it.

[/ QUOTE ]

True enough. If they can email your password to you, then it is not stored encrypted on their system. Incredibly stupid. For a web forum who cares, but for a financial system...

[/ QUOTE ]

As a test I just clicked the link and got them to email me my password. Sure enough, they sent it to me. That scares the crap out of me now that I think about it.

Tapin
09-01-2005, 02:11 PM
[ QUOTE ]
As a test I just clicked the link and got them to email me my password.

[/ QUOTE ]
Your password was sent cleartext through email?

Change your password.

MarkD
09-01-2005, 02:15 PM
[ QUOTE ]
[ QUOTE ]
As a test I just clicked the link and got them to email me my password.

[/ QUOTE ]
Your password was sent cleartext through email?

Change your password.

[/ QUOTE ]

Done.

theblitz
09-01-2005, 04:12 PM
I just spoke on the phone to someone there.
His answer was that yes, some people CAN see the password.

I told him it was a serious problem and he asked me to e-mail a link to this thread to the security department.
Let's see what happens.

NoSoup4U
09-01-2005, 05:10 PM
[ QUOTE ]
You can't actually decrypt passwords, but if you have access to the password file, you can crack every single password on it.

What all cracking tools do, is they encrypt strings (words from dictionary, words close to it like player1, and finally strings with brute force) and compare the hashes.

Only issue is time.

Most passwords will crack in no time as they are too short and easy words.

[/ QUOTE ]

Although weak passwords are easily cracked, you would find it very difficult to crack a 14 digit password with mixed case, digits and symbols. As in not in your lifetime difficult.
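
The cracking procedure Pete H outlines above (dictionary words, cheap mangled variants like player1, then brute force, with each guess hashed and compared rather than anything being decrypted), together with the keyspace arithmetic behind NoSoup4U's reply about a 14-character mixed password, in runnable form. This is an added example and not code from the thread: the "leaked" table, the wordlist, the suffix rules, the hypothetical users and the assumed rate of 1e10 guesses per second are all constructed for the illustration. The leaked table uses unsalted, fast MD5, which is the worst case for the defender; a salt and a slow key-derivation function change the economics, not the method.

```python
import hashlib
import itertools
import math
import string


def md5_hex(s: str) -> str:
    return hashlib.md5(s.encode("utf-8")).hexdigest()


# Constructed stand-in for a leaked password file (unsalted MD5). The plaintexts
# appear here only so the reader can see what the cracker is expected to recover.
LEAKED = {
    "alice": md5_hex("password"),
    "bob":   md5_hex("Player1"),
    "carol": md5_hex("poker123"),
    "dave":  md5_hex("q7z"),
    "erin":  md5_hex("Tr0ub4dor&3-xK9!Lm"),  # long and mixed: out of reach here
}

WORDLIST = ["password", "player", "poker", "love", "neteller"]  # constructed
SUFFIXES = ["", "1", "123", "!"]                                # cheap mangling


def mangle(word: str):
    """Variants that cracking tools try before falling back to brute force."""
    for base in (word, word.capitalize(), word.upper()):
        for suffix in SUFFIXES:
            yield base + suffix


def brute_force_candidates(alphabet: str, max_len: int):
    for n in range(1, max_len + 1):
        for chars in itertools.product(alphabet, repeat=n):
            yield "".join(chars)


def crack(leaked: dict, wordlist, alphabet=string.ascii_lowercase + string.digits,
          max_brute_len: int = 3) -> dict:
    """Dictionary + mangling first, then brute force over short strings. Each guess
    is hashed and looked up; users who share a password fall together."""
    targets = {}
    for user, digest in leaked.items():
        targets.setdefault(digest, []).append(user)
    found = {}
    candidates = itertools.chain(
        (variant for word in wordlist for variant in mangle(word)),
        brute_force_candidates(alphabet, max_brute_len),
    )
    for guess in candidates:
        if not targets:
            break
        for user in targets.pop(md5_hex(guess), []):
            found[user] = guess
    return found


def keyspace_bits(length: int, alphabet_size: int) -> float:
    """Entropy of a uniformly random password of the given shape."""
    return length * math.log2(alphabet_size)


def brute_force_years(length: int, alphabet_size: int, guesses_per_second: float = 1e10) -> float:
    """Worst-case time to exhaust a keyspace at an assumed guess rate."""
    seconds = alphabet_size ** length / guesses_per_second
    return seconds / (365.25 * 24 * 3600)


if __name__ == "__main__":
    recovered = crack(LEAKED, WORDLIST)
    for user, plaintext in sorted(recovered.items()):
        print(f"{user:6s} -> {plaintext}")
    print("not cracked:", sorted(set(LEAKED) - set(recovered)))
    for length, size in ((6, 26), (8, 36), (14, 95)):
        print(f"{length} chars from {size}: {keyspace_bits(length, size):.0f} bits, "
              f"{brute_force_years(length, size):.3g} years at 1e10 guesses/s")
```

Four of the five constructed accounts fall to the dictionary rules or to a three-character brute force in well under a second; the fifth is neither in the wordlist nor short enough to enumerate. At the assumed rate, 14 characters drawn from the 95 printable ASCII characters is roughly 92 bits and takes on the order of ten billion years to exhaust, which is the "not in your lifetime" claim made numerically. The same arithmetic is what a salt plus a slow hash buys the defender: the per-guess cost goes up and precomputed tables stop applying.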

PLOlover
09-02-2005, 12:08 AM
[ QUOTE ]
Your password was sent cleartext through email?

Change your password.

[/ QUOTE ]

Pacific emails you a password of their choice and they will not allow you to change it. That's what I was told when I called them and asked to change my password, anyway.