undefined | Better HN

0 pointsharshreality7y ago0 comments

Yes, heavily regulated banks and medical providers have wonderful security. You can see that they do whenever they require punctuation (but not spaces or $) in the password, and demand an 8 character password (but reject anything over 16 or 24 characters). /sarcasm

I especially like financial companies that have you login by using symantec VIP[1] which you append to your password. There's no way anyone thought that was a good idea. They did it that way because they had a worthless legacy authentication stack they couldn't rewrite, didn't understand 2FA well enough to implement it themselves, went with Symantec because "nobody ever got fired for contracting $importantfunction to $bigcompany", and the only way they could shoehorn any 2FA auth into their login flow was to concatenate it with the password.

[1] If you haven't had the pleasure of using it, it's a proprietary 2FA app that has a single seed per app install, shared between the app and symantec's database. It generates 6 digit codes that make it look similar to standard TOTP, but it's not TOTP. If you need to use it for multiple websites, you give them all the same seed hash (displayed by the app) which they use to synchronize your auth credentials with your account at symantec. IOW, it doesn't scale securely. There's also no way to have a backup 2FA device with this system; at least the two companies I've used it for haven't let me set up my account with two VIP apps on two different devices. Since normally you'll only have a single 2FA device using this Symantec VIP service, that means you have to go through a manual, insecure identity verification process to get back into your account if your one Symantec VIP device gets lost or broken.

0 comments

apesti7y ago

Symantec's system does suck but there's actually a way to use it with Google Authenticator:

https://www.cyrozap.com/2014/09/29/reversing-the-symantec-vi...

harshrealityOP7y ago

Interesting. So it's just a bunch of obfuscation and 3rd party api crap around a core of TOTP shared secrets between the app and symantec? Why don't they implement it that way, and make it transparent, so that their app can add multiple VIP credentials, rather than obfuscating everything, locking it down to a single shared credential for all sites?

closeparen7y ago

Heavily regulated companies have a lot of Microsoft Word paperwork to fill out and months long approval cycles to wait through to get any work done, but even nastier, more bug- and vulnerability-riddled legacy codebases than the rest. Security is inextricable from software quality. Not exactly something EHR systems are known for.

maxxxxx7y ago

And fixing things is very difficult because you have to go through endless approval cycles with the approvers mostly not being security experts.

j / k navigate · click thread line to collapse