If I didn’t know better, I would have thought that the Verified by Visa service offered by arcot.com was a man-in-the-middle attack that was poorly designed to look like a trusted service from Visa (my credit card) and USAA (my bank).
Why your instinct should be to not trust arcot.com
Here’s a few reasons why my instinct was to distrust both Verified by Visa and arcot.com:
- https://secure2.arcot.com/ was not united.com, where I began my purchase
- https://secure2.arcot.com/ was not visa.com, my credit card
- https://secure2.arcot.com/ was not usaa.com, my bank
- https://secure2.arcot.com/ was asking for personal information (name, credit card secuirty code, expiration date, and birth date) that I had already provided united.com
- https://secure2.arcot.com/ has an unprofessional text-only website that reads “This is Secure2.arcot.com. This is the Arcot OBO verified by visa service. Please visit visa website for more details.” Notice it has no outgoing links, so no referrals traffic would be noticed by visa.com
- https://www.arcot.com/ doesn’t exist and displays an SSL Connection Error (error 107)
- http://www.arcot.com/ automatically redirects you to http://www.ca.com/us/multifactor-authentication.aspx, which is yet another party
- USAA’s website has no mention of arcot.com
- Visa’s website has a few mentions of arcot.com buried in PDF documents
- United’s website has no mention of arcot.com
Why Verifed by Visa and arcot.com looked like a man-in-the-middle attack
A MITM attack requires that the attacker place himself between two parties that are trying to communicate (me and united.com) and impersonate at least one of the parties (look like Visa or USAA). The arcot.com site required me to enter my name, the three-digit security code on the back of my Visa, the expiration date of my card, and my birth date — all of which was information that I already provided to united.com.
arcot.com has a very weak password policy
I knew arcot.com was legit even though it’s behavior is quite suspect. I believe a newegg.com purchase first exposed me to this process. But this time, arcot.com required me to create a password for their service.
Their password requirement reads: “To create your password enter 6 to 10 characters, without spaces.” But each time I entered a password, it would get rejected by this message: “Your password does not conform to the Password Policy. Please try again.” The is no link to a Password Policy and the link to Help does not contain information about their password policy.
Here are the five passwords I attempted:
- hup52!eChu
- XeW=A#rA5&
- #re_aqeS7s
- 4racrE$rec
- beNu&Em9fu
Each of which is between 6 to 10 characters and would take a desktop PC about 58 years to crack). What ended up working was a much weaker alpha-numeric 10-character password that would take a desktop PC about 6 years to crack. That was the best level of security Verified for Visa and arcot.com afforded me.
Password limits imply poor security
Restricting users to a small selection of characters and a length of 6 to 10 characters gives the impression that arcot.com is storing user-entered passwords in an insecure form (like plain text).
The best practice for collecting and storing user submitted passwords is to:
- Permit any character (entropy)
- Permit an unlimited number of characters (length)
- Add salt (unique random data added to each user’s password)
- Hash the user password with appended salt (algorithm to change variable length data to a fixed length)
- Re-hash several times (fixed is fine, but random per user would be better)
- Store the final hash in an encrypted database, the unique-per-user salt in a separate encrypted database, and the random-number-of-hashes-per-user in a third encrypted database — each database on separate systems with separate credentials
Because arcot.com limits me to 10 alpha-numeric characters, I’m given the uneasy impression that they do not hash my password. If they did hash my password they would not care if I put in 20 characters or 2,000 characters, the hash would produce the same 256-character result (regarding length).
Shame on United, Visa, and USAA
Shame on the three of you for working with a third-party service that looks like a man-in-the-middle attack. I applaud you for wanting to improve your security and reduce online fraud, but this implementation is terrible and leads me to question your priority for security.
If you want to increase a security layer, do so from your own sites (which we trust) and not from a website we’ve never heard of. Use of subdomains would be fine. Additionally, permit users to enter very long and very complex passwords. Tools like LastPass automate this process.
Visa and banks in particular need to be vigilant in teaching their customers how to be secure and then practice what they preach. USAA has published several articles about online security and should be ashamed for having any connection to arcot.com’s Verified By Visa implementation.