Thursday, March 11, 2021

Microstory 1579: Any Password Will Do

Prompt
I enter my bank password wrong, but the app still lets me sign in. I log out and try again, this time using a password that is not anywhere close to the right one. It lets me sign in this time too.

Botner
The trick: I don’t use the exact password. Instead I pick a random six-letter combination. It’s not easy to do, but there’s a little-known secret that lets me log in without making a mistake. All I have to do is get my phone to emit a strong “pattern” beep and lock pattern. If I follow this series of steps, I can log in to my bank account from my phone no matter what the password is. I started wondering how this works after I noticed this article from The Atlantic detailing how to trick Google into giving you the wrong password when you’re on an Android device. The author said that when he logged in, his bank account info and the password didn’t match. He was able to get into his account despite the fact that his password was wrong. It’s possible that this is an isolated incident. But some security experts are skeptical. “The notion that it’s really easy for hackers to break into my account if I type in this correct password...is dubious,” says Randy Abrams, security specialist.

Conclusion
I’m no programmer, but I have a decent idea what happened here. There’s a line of code somewhere in my bank’s software. It’s there to help people log in to their accounts. When someone inputs their password, this line is supposed to ask whether it’s correct. If not, it will return false. But if the code itself just says true, then the password is always right, no matter what. As long as they put something in the box, it will let them in. This is a problem. This could allow anyone to access anyone else’s account, assuming I’m right, and it’s a global issue, rather than some kind of caching bug that’s only happening to my device. I open my laptop, and put in my mom’s username, since we use the same bank. I randomly strike a bunch of keys, and try to get into her account. It works. It is global, it has to be. But still, I’ll try one more thing. I call my mom, and ask her to try to log in to my uncle’s account. She helped him set it up, so she has his information too. She puts in the wrong password, just like I did, but it doesn’t work. Whew! I guess they solved the problem already. Hopefully I was the first and only person to notice the glitch, and no one had the chance to exploit it. I realize my session’s been terminated because the app has been logged in too long, and I never did get to check my balance, so I have to log in yet again. Feeling shaky because of what might have been, I mess up my password once more, like an idiot. But it works. I know I messed it up, my hand slipped. What the hell is going on here? I have to get help, so I call customer service, and tell them what I know. “Yes, sir,” the representative says. “You have access to all accounts, as you should.” “What?” This is even weirder than that time I drove down the highway going the wrong direction, and the cop just smiled and greeted me like it was normal. Something is happening to me, and even though it all seems good, it can’t be that easy.
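The narrator’s guess, a password check whose comparison has been replaced by a constant true, is a real and well-known class of bug. The snippet below is an added illustration, not code from the story or from any bank: the user records, usernames, and sample passwords are constructed for the example, and the function names are hypothetical. It places the broken check the narrator imagines next to a correct one that re-derives a salted hash and compares it in constant time.

```python
import hashlib
import hmac
import os


def _derive(password, salt, iterations=200_000):
    """PBKDF2-SHA256 over the password; the only thing the store keeps."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)


def make_record(password):
    """Build a (salt, hash) record for a freshly chosen password."""
    salt = os.urandom(16)
    return salt, _derive(password, salt)


# Constructed user store for the example (username -> (salt, hash)).
# The passwords are made up for this illustration.
USERS = {
    "narrator": make_record("correct horse"),
    "mom": make_record("battery staple"),
}


def check_password_broken(username, supplied):
    """The bug the story describes: the comparison has been replaced by a constant.

    Any non-empty input for any existing user is accepted.  The username lookup
    still happens, so the function looks like it is doing its job.
    """
    if username not in USERS or not supplied:
        return False
    return True  # BUG: should compare `supplied` against the stored hash


def check_password_fixed(username, supplied):
    """Correct check: re-derive with the stored salt, compare in constant time."""
    record = USERS.get(username)
    if record is None:
        # Burn a derivation anyway so a missing user is not obvious from timing.
        _derive(supplied or "", b"\x00" * 16)
        return False
    salt, stored = record
    return hmac.compare_digest(_derive(supplied, salt), stored)


if __name__ == "__main__":
    # Mirrors the story: a random string gets the narrator (and mom) in through
    # the broken check, and is rejected by the fixed one.
    for user in ("narrator", "mom"):
        print(user, "broken:", check_password_broken(user, "asdfgh"),
              "fixed:", check_password_fixed(user, "asdfgh"))
```

The point of the pair is that the broken version is indistinguishable from the correct one from the outside until someone types a wrong password, which is exactly how the narrator finds it; a unit test that asserts a wrong password is rejected would have caught it before release.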
