The following was written by Equity Trust Company Chief Information Security Officer Jason Nester.
Since modifying our password policies to encourage the usage of “passphrases” and adding MultiFactor Authentication to our logon process, we have received a lot of great feedback and questions from our customers. Four specific questions have popped up more than others, and I wanted to take a moment to address them.
Why are your password policies different from everyone else's?
This is the question we receive most often, and it is also the most important aspect of our new policies. Being different from other online services was exactly our goal.
Prior to our policy change, nearly every successful unauthorized logon to a myEQUITY.com account could be traced back to a compromise of a different website that the customer utilized. Due to customers reusing the same password across multiple websites, a single breach elsewhere allowed the attacker to access other website accounts, including myEQUITY.
We specifically designed our new policy to differ from other websites' policies so that customers cannot simply reuse a common password, thereby providing better security for their myEQUITY accounts. So far, this policy change has proven to be very effective.
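As an added illustration (not Equity Trust's own code or their actual policy parameters), the following Python shows how a passphrase policy of this kind can be enforced at enrollment: a minimum length and word count rather than complexity rules, plus a check that the candidate does not already appear in a known credential breach, since a reused password that has leaked elsewhere is exactly the case the post describes. The minimum length, word count, and the breached-hash set are all constructed assumptions for the example; the hash-prefix lookup mirrors the k-anonymity pattern used by public compromised-credential services, so the full password never has to leave the client.

```python
import hashlib
import re

# Constructed policy parameters for illustration; the page does not state
# Equity Trust's actual minimum length or word count.
MIN_LENGTH = 16
MIN_WORDS = 3

# Constructed "known breached" set: SHA-1 hashes of passwords that appear in
# public credential dumps. A real deployment would query a compromised-
# credential feed; these three entries are made up for the example.
BREACHED_SHA1 = {
    hashlib.sha1(p.encode("utf-8")).hexdigest().upper()
    for p in ("Password123!", "Summer2019", "letmein")
}


def sha1_hex(s: str) -> str:
    return hashlib.sha1(s.encode("utf-8")).hexdigest().upper()


def is_breached(candidate: str) -> bool:
    """k-anonymity style lookup: only the 5-character hash prefix would be
    sent to a lookup service; the remaining suffix is compared locally
    against the bucket of hashes sharing that prefix."""
    h = sha1_hex(candidate)
    prefix, suffix = h[:5], h[5:]
    bucket = [x[5:] for x in BREACHED_SHA1 if x.startswith(prefix)]
    return suffix in bucket


def check_passphrase(candidate: str) -> list[str]:
    """Return a list of policy problems; an empty list means the passphrase
    is acceptable under the constructed policy above."""
    problems = []
    if len(candidate) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    words = re.findall(r"[A-Za-z0-9]+", candidate)
    if len(words) < MIN_WORDS:
        problems.append(f"fewer than {MIN_WORDS} words")
    if is_breached(candidate):
        problems.append("appears in a known credential breach")
    return problems


if __name__ == "__main__":
    for pw in ("Password123!", "correct horse battery staple"):
        print(repr(pw), "->", check_passphrase(pw) or "OK")
```

A typical complexity rule would accept "Password123!" (upper, lower, digit, symbol) even though it is short, a single word, and present in breach data; the passphrase rule rejects it on all three counts while accepting a long multi-word phrase that has not leaked.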
Video: myEQUITY Security Enhancements
Doesn’t MultiFactor Authentication remove the risk of unauthorized logons?
MultiFactor certainly helps reduce this risk, which is why we have deployed it. However, our records show that an overwhelming majority of our customers chose the least secure option, SMS/Voice, when enrolling in our MultiFactor program rather than following our recommendation to use a MultiFactor application installed on their smartphone.
SMS is the weakest form of multifactor authentication and has several attack vectors. The most prevalent method of attacking SMS authentication is by tricking, or even bribing, employees at mobile phone stores to transfer control of a cellular number to a device under the control of the attacker. Your cellphone carrier likely employs tens of thousands of people who have the ability to transfer your phone number to another device. Each of these employees is a potential attack target for someone trying to gain access to your account.
Password reuse is also an issue here, as it is reasonable to expect that customers who regularly reuse passwords do so on their cellular provider’s website as well. This provides an avenue for an attacker to make changes to a customer’s cell phone plan without their knowledge.
Recently, security reporter Brian Krebs wrote an excellent article detailing a far simpler and faster way for attackers to gain access to SMS text messages, which I would encourage everyone to read.
In short, while we believe that adding MultiFactor Authentication to our logon process has greatly improved the security of our customers, we do not believe it to be a foolproof solution, and additional precautions must be taken to keep our customers’ accounts safe from attack.