Prompt
I enter my bank password wrong, but the app still lets me sign in. I log out
and try again, this time using a password that is not anywhere close to the
right one. It lets me sign in this time too.
Botner
The trick: I don’t use the exact password. Instead I pick a random
six-letter combination. It’s not easy to do, but there’s a little-known
secret that lets me log in without making a mistake. All I have to do is get
my phone to emit a strong “pattern” beep and lock pattern. If I follow this
series of steps, I can log in to my bank account from my phone no matter
what the password is. I started wondering how this works after I noticed
this article from The Atlantic detailing how to trick Google into giving you
the wrong password when you’re on an Android device. The author said that
when he logged in, his bank account info and the password didn’t match. He
was able to get into his account despite the fact that his password was
wrong. It’s possible that this is an isolated incident. But some security
experts are skeptical. “The notion that it’s really easy for hackers to
break into my account if I type in this correct password...is dubious,” says
Randy Abrams, security specialist.
Conclusion
I’m no programmer, but I have a decent idea what happened here. There’s a
line of code somewhere in my bank’s software. It’s there to help people
login to their accounts. When someone inputs their password, this line is
supposed to ask whether it’s correct. If not, it will return false. But if
the code itself just says true, then the password is always right, no
matter what. As long as they put something in the box, it will let them in.
This is a problem. This could allow anyone to access anyone else’s account,
assuming I’m right, and it’s a global issue, rather than some kind of
caching bug that’s only happening to my device. I open my laptop, and put in
my mom’s username, since we use the same bank. I randomly strike a bunch of
keys, and try to get into her account. It works. It is global, it has to be.
But still, I’ll try one more thing. I call my mom, and ask her to try to
login to my uncle’s account. She helped him set it up, so she has his
information too. She puts in the wrong password, just like I did, but it
doesn’t work. Whew! I guess they solved the problem already. Hopefully
I was the first and only person to notice the glitch, and no one had the
chance to exploit it. I realize my session’s been terminated because the app
has been logged in too long, and I never did get to check my balance, so I
have to login yet again. Feeling shaky because of what might have been, I
mess up my password once more, like an idiot. But it works. I know I messed
it up, my hand slipped. What the hell is going on here? I have to get help,
so I call customer service, and tell them what I know. “Yes, sir,”
the representative says. “You have access to all accounts, as you should.” What?” This is even weirder than that time I drove down the highway going
the wrong direction, and the cop just smiled and greeted me like it was
normal. Something is happening to me, and even though it all seems good, it
can’t be that easy.
