Anyone here use Fidelity (https://www.fidelity.com/)? I had to call to get something done with my account and thought it was weird that they have you (more/less) T9 dial your password into the system, though it's not real T9 in that (for example) one press of 2 would mean either a, A, b, B, c, C, or 2. They say for special characters just give a * sign.
Any thoughts on if that is safe on their part? It seems weird to me since they either need the password in plaintext on their end or I guess the hash of the T9 version of the password which would be less secure anyways because of: all one case and only one type of ‘special character’.
And yes: before you ask, this was 100% the actual Fidelity phone number: +1 800-343-3548
In their defense, they did ask for other verification information once I got a person, but it still felt really weird.
Any thoughts on the security of this mechanism?
It certainly reduces the search space for a brute-force attack, but presumably they have some kind of mitigation like locking access after a few attempts.
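To put numbers on that reduction, here is an added example (not code from this thread and not Fidelity's implementation): it builds the keypad mapping as described in the post, shows that distinct passwords collapse to the same keyed sequence, compares the brute-force search space of the full password with that of its keypad form, and sketches what a server would have to store to check keyed digits without keeping the plaintext (the hash algorithm and iteration count are assumptions).

```python
import hashlib
import hmac
import math
import os
import string

# Keypad mapping as described in the thread (constructed here, not Fidelity's
# actual implementation): letters fold to the key that carries them, digits
# map to themselves, and any other character is keyed as '*'.
_KEYS = {"2": "abc", "3": "def", "4": "ghi", "5": "jkl",
         "6": "mno", "7": "pqrs", "8": "tuv", "9": "wxyz"}
_LETTER_TO_KEY = {c: k for k, letters in _KEYS.items() for c in letters}

PRINTABLE_SYMBOLS = len(string.ascii_letters + string.digits + string.punctuation)  # 94
KEYPAD_SYMBOLS = 11  # digits 0-9 plus '*'

def keypad_form(password: str) -> str:
    """Return the digit/star sequence a caller would key in for `password`."""
    out = []
    for ch in password:
        if ch.lower() in _LETTER_TO_KEY:
            out.append(_LETTER_TO_KEY[ch.lower()])
        elif ch.isdigit():
            out.append(ch)
        else:
            out.append("*")
    return "".join(out)

def search_space_bits(password: str) -> tuple:
    """Bits of brute-force search space: (full password, keypad form)."""
    n = len(password)
    return n * math.log2(PRINTABLE_SYMBOLS), n * math.log2(KEYPAD_SYMBOLS)

def make_keypad_verifier(password: str, salt: bytes = b"") -> tuple:
    """What a server must store to check keypad entry WITHOUT the plaintext:
    a salted, slow hash of the keypad form. It is a weaker secret than the
    real password, so it needs its own attempt-limiting policy (assumed
    PBKDF2-SHA256 parameters; not what any real system is known to use)."""
    salt = salt or os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", keypad_form(password).encode(), salt, 200_000)
    return salt, digest

def verify_keypad_entry(keyed: str, salt: bytes, digest: bytes) -> bool:
    """Check the digits a caller keyed against the stored keypad verifier."""
    candidate = hashlib.pbkdf2_hmac("sha256", keyed.encode(), salt, 200_000)
    return hmac.compare_digest(candidate, digest)
```

For a 13-character password the keypad form leaves roughly 45 bits of search space instead of about 85, which is why the lockout policy on the phone channel matters more than the password's original strength.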
Personally, I use long and complex passwords, so I would have just mashed buttons until it gave me a person. Or used the chat support on their site, if available.
I greatly prefer chat as well. In this case they told me the part of the site I needed was down and that I should call instead.