Banking Authentication, Solar, Patch Tuesday, DEF CON
Kyle Fox here, back for the week of May 11–17, and yet again it seems to be a week light on news, at least the news we'd report here. My main highlight this week is about Banking Authentication issues, and I also touch on a few other stories of note and as always, there's the roundup at the end.
Banking Authentication Continues to Be Bad
As Jamal Habash wrote last week, the state of bank authentication systems still leaves much to be desired. The biggest issue continues to be the lack of TOTP or FIDO2 support; banks are still largely relying on SMS, which, as we know, can be intercepted via SIM swaps or more advanced SS7 attacks. Another issue I have seen is highly restrictive password policies, which I have long felt limit the entropy of a password rather than increase it. Instead of setting rules like "no words" or "must have special characters", passwords should be measured by their entropy. There is also the ever-escalating arms race over password length, alongside arbitrary caps on maximum length: one institution I bank with now requires 20 characters, while another I know of still limits passwords to 16 characters.
So, how do we fix this? Jamal suggests a number of technologies to fix a lot of these issues:
- Passkeys
- TOTP Support
- Hardware Security Keys
- Secure Recovery Paths
- Password Manager Compatibility
The last one highlights an annoying issue I see with banks: They often do not let you paste a password in, or pasting a password in triggers extra checks that make it harder to log in or end up locking you out. Hopefully with more and more industry guidance behind these new methods, things will change for the better, but banks are going to have to be dragged kicking and screaming into that new way.
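To illustrate the point above that a policy should measure entropy rather than enforce composition rules, here is a small Python comparison of a rule-based policy with a 16-character cap against a zxcvbn-style estimator. This is example code written for this page, not the author's; the inline wordlist, the 7776-word dictionary size, the leet substitution table and the 40-bit threshold are assumptions chosen for the demonstration.

```python
import math
import re
import string

# Constructed wordlist, used only as the recogniser for this demonstration; a real
# estimator would load a full dictionary. Each recognised word is charged
# log2(DICT_SIZE) bits, with DICT_SIZE assumed to be the size of a Diceware list.
WORDLIST = ("password", "correct", "horse", "battery", "staple", "banking", "login")
DICT_SIZE = 7776
WORD_RE = re.compile("|".join(sorted(WORDLIST, key=len, reverse=True)))
LEET = str.maketrans("@0341$", "aoeais")  # undo common substitutions before matching

def composition_policy(pw: str, max_len: int = 16) -> list[str]:
    """Rule-based policy of the kind the post criticises. Returns the reasons a
    password is rejected; an empty list means it passes."""
    reasons = []
    if len(pw) > max_len:
        reasons.append(f"longer than {max_len} characters")
    if not re.search(r"[A-Z]", pw):
        reasons.append("no uppercase letter")
    if not re.search(r"[0-9]", pw):
        reasons.append("no digit")
    if not any(c in string.punctuation for c in pw):
        reasons.append("no special character")
    if WORD_RE.search(pw.lower()):
        reasons.append("contains a dictionary word")
    return reasons

def estimate_entropy_bits(pw: str) -> float:
    """Rough guess-resistance estimate: dictionary words (after undoing leet
    substitutions) cost log2(DICT_SIZE) bits each; every leftover character costs
    log2(pool) bits, pool being the combined size of the classes it draws on."""
    normalised = pw.translate(LEET).lower()
    used = [False] * len(pw)
    n_words = 0
    for m in WORD_RE.finditer(normalised):
        n_words += 1
        used[m.start():m.end()] = [True] * (m.end() - m.start())
    rest = [c for c, taken in zip(pw, used) if not taken]
    pool = 0
    pool += 26 if any(c.islower() for c in rest) else 0
    pool += 26 if any(c.isupper() for c in rest) else 0
    pool += 10 if any(c.isdigit() for c in rest) else 0
    pool += len(string.punctuation) if any(c in string.punctuation for c in rest) else 0
    bits = n_words * math.log2(DICT_SIZE) + len(rest) * math.log2(max(pool, 1))
    return round(bits, 1)

def entropy_policy(pw: str, min_bits: float = 40.0) -> bool:
    """Accept on estimated entropy alone: no composition rules, no length cap."""
    return estimate_entropy_bits(pw) >= min_bits
```

With these inputs the rule-based policy accepts `P@ssw0rd!` (about 18 bits) and rejects `correcthorsebatterystaple` (about 52 bits) on five counts, while the entropy policy does the opposite.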
Researchers Claim Solar Inverters Contain Rogue Implants
Reminiscent of the great Deye bricking last year, researchers are alleging that they have found remote access devices in commercial solar equipment designed for utility scale solar setups. The reports I have seen have been quite light on details about the actual findings, instead mostly containing a lot of background information. Needless to say, I am skeptical for now, until the research is published and we get to see what is actually going on, as opposed to a sensational story like the Supermicro/Bloomberg incident.
Big Patch Tuesday
This week, Microsoft fixed a large number of issues in its monthly "Patch Tuesday" including 5 vulnerabilities currently being actively exploited in the wild. The regular patch cadence and somewhat enforced patch installation has continued to make things hard for malware writers as they have to create their own update systems to keep up.
DEF CON Continues To Get More Expensive
As hacker summer camp approaches, we note that DEF CON has climbed in price to $520 at the door. This is certainly not tracking with the previous promise that it would only go up $10 each year. Since I work with a few non-DEF CON-related events and also DEFCON Furs in Las Vegas, I have seen large changes in how contracts are being negotiated for events in the area. Before the pandemic, gaming turnover minimums were only ever hinted at and never actually discussed, and now they are a guiding metric in contract negotiations. It also does not help that Las Vegas has seen a steep decline in tourism lately with uncertainty about international travel to the US. This year will be interesting because of the problems with importing electronic hacking tools and making electronic DEF CON badges.
Roundup:
- This week's YouTube recommendation is Techmoan, a British presenter who reviews sometimes-old electronics, including the most bizarre surround sound system you have ever seen.
- Once again, a method is being devised to find where cellular devices are, this time using VoLTE.
- Breachforums found liable for $700k over Nonstop Health breach.
- Shop class pays off with careers in the skilled trades.
- Here’s a look into Japan's contactless smartcards.
- Researchers have found two more flaws in branch prediction in Intel CPUs.