OBC Release Notes 1.33.0
Release Date: Wednesday, June 17, 2015
Release Number: 1.33.0
PCI Modifications and Enhancements
Password Length Requirements
Reference D-16212 and D-16220:
In this release, we strengthened the user password requirements for the Online Business Center. Previously, user passwords could be as short as seven characters and were not required to contain a number. To help prevent potential brute force attacks, we have modified the following password conditions:
- Passwords must be at least eight characters and must include at least one number.
- Passwords cannot be identical to the user name or email address.
Previously, user passwords could be all numbers. Now, the User Profile and Forgot Password features will reject numeric passwords.
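The rules above, collected into one validator as an added example (this is illustrative code written for these notes, not the Online Business Center's own implementation). It returns every violated rule rather than stopping at the first so the User Profile or Forgot Password form can show the user the full list. The case-insensitive comparison against the user name and email address is an assumption, as is the sample data.

```python
import re

MIN_LENGTH = 8  # minimum length stated in the release notes


def check_password(password: str, username: str, email: str) -> list:
    """Return the list of policy violations for a proposed password.

    An empty list means the password satisfies every rule in the notes:
    minimum length, at least one digit, not made up only of digits, and
    not identical to the user name or email address.
    """
    problems = []
    if len(password) < MIN_LENGTH:
        problems.append("must be at least %d characters" % MIN_LENGTH)
    if not re.search(r"\d", password):
        problems.append("must include at least one number")
    if password.isdigit():
        problems.append("cannot consist only of numbers")
    # Assumption: user names and email addresses are matched case-insensitively,
    # so a password differing only in letter case is still treated as identical.
    if password.casefold() in (username.casefold(), email.casefold()):
        problems.append("cannot be identical to the user name or email address")
    return problems


def is_acceptable(password: str, username: str, email: str) -> bool:
    """Convenience wrapper: True when no rule is violated."""
    return not check_password(password, username, email)


if __name__ == "__main__":
    # Constructed sample inputs, not data from the Online Business Center.
    for candidate in ("abc1234", "abcdefgh", "12345678", "alice@example.com", "Summer2015"):
        print(candidate, check_password(candidate, "alice", "alice@example.com") or "OK")
```

Note that the all-numeric check is separate from the "at least one number" check: "12345678" passes the second rule and fails only the first, which is exactly the case the User Profile and Forgot Password features now reject.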
Password Recovery Questions
Previously, when users forgot their passwords, they had to answer specific questions to recover or reset their passwords. To avoid potential brute force attacks, we have replaced the original recovery questions with strong, industry-approved security questions.
Agreement Entry Security
Previously, the Agreement Checklist page was vulnerable to multiple agreement submissions. In this release, we integrated anti-automation measures so that users can only submit one agreement at a time. If users attempt to submit more than one agreement within a specific timeframe, they will see an "Access Denied" error, and the submission will not be entered.
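An added example of the submission gate described above (illustrative code written for these notes, not the product's own). The notes do not state the timeframe, so the 60-second window is an assumption; the clock is injectable so the behaviour can be exercised without waiting, and denied attempts are kept in a small audit buffer so repeated denials for one user can be monitored.

```python
import time
from collections import deque

WINDOW_SECONDS = 60.0  # assumed value; the notes say only "a specific timeframe"


class ManualClock:
    """Test clock: returns whatever time it has been set to."""

    def __init__(self, start=0.0):
        self.now = start

    def __call__(self):
        return self.now


class AgreementThrottle:
    """Per-user anti-automation gate for agreement submissions.

    A user may enter one agreement per window; a second attempt inside the
    window is answered with "Access Denied" and is not entered.
    """

    def __init__(self, window_seconds=WINDOW_SECONDS, clock=time.monotonic):
        self.window = window_seconds
        self.clock = clock
        self._last_accepted = {}          # user_id -> time of last accepted submission
        self.entered = []                 # agreements that were actually recorded
        self.audit = deque(maxlen=1000)   # denied attempts, kept for monitoring

    def submit(self, user_id, agreement):
        now = self.clock()
        last = self._last_accepted.get(user_id)
        if last is not None and now - last < self.window:
            # Inside the window: record the denial and do not enter the agreement.
            self.audit.append((user_id, now, "denied"))
            return "Access Denied"
        self._last_accepted[user_id] = now
        self.entered.append((user_id, agreement))
        return "Accepted"

    def denied_count(self, user_id):
        """How many submissions by this user were refused (constructed metric)."""
        return sum(1 for uid, _, status in self.audit if uid == user_id and status == "denied")


if __name__ == "__main__":
    clock = ManualClock()
    gate = AgreementThrottle(clock=clock)
    print(gate.submit("user-1", "agreement A"))   # Accepted
    clock.now = 10.0
    print(gate.submit("user-1", "agreement B"))   # Access Denied
    clock.now = 61.0
    print(gate.submit("user-1", "agreement C"))   # Accepted
```

The state here is in memory; a deployment with several application servers would keep the last-accepted timestamps in shared storage so the window is enforced across all of them.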
To protect against potential information vulnerabilities, we have enhanced cookie credentials by removing the user name and by using a secure random key generator.
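An added example of the cookie change just described (illustrative code for these notes, not the product's implementation): the cookie carries only a random token from a cryptographically secure generator, and the user name is resolved on the server from that token. The cookie name and the Secure/HttpOnly/SameSite attributes are assumptions; the notes mention only the random key and the removal of the user name.

```python
import secrets

TOKEN_BYTES = 32  # 256 bits of randomness per session token


class SessionStore:
    """Server-side session table keyed by an unguessable random token.

    The cookie reveals nothing about who is logged in, and a token cannot be
    constructed from knowledge of a user name.
    """

    def __init__(self):
        self._sessions = {}  # token -> username

    def create(self, username: str) -> str:
        """Start a session and return the token to place in the cookie."""
        token = secrets.token_urlsafe(TOKEN_BYTES)
        self._sessions[token] = username
        return token

    def resolve(self, token: str):
        """Return the user name bound to a token, or None if it is unknown."""
        return self._sessions.get(token)

    def revoke(self, token: str) -> None:
        """Invalidate a token, e.g. on logout."""
        self._sessions.pop(token, None)


def session_cookie_header(token: str) -> str:
    """Set-Cookie value for the session token.

    Cookie name and attributes are assumptions made for this example.
    """
    return f"session={token}; Path=/; Secure; HttpOnly; SameSite=Strict"


if __name__ == "__main__":
    store = SessionStore()
    token = store.create("alice")
    print(session_cookie_header(token))
    print(store.resolve(token))       # alice
    store.revoke(token)
    print(store.resolve(token))       # None
```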
Cross Site Scripting Security
To protect against potential Cross Site Scripting attacks, we have integrated sanitization components and techniques on all web pages of the Online Business Center.
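An added example of the output-encoding side of that work (illustrative code for these notes, not the product's components). Each user-supplied value is encoded for the context it lands in: HTML element text and attribute values get HTML escaping, and a value placed in a URL query parameter gets percent-encoding. The profile fragment and sample inputs are constructed.

```python
import html
from urllib.parse import quote


def escape_html(value: str) -> str:
    """Escape text for an HTML element body or a quoted attribute value."""
    return html.escape(value, quote=True)


def escape_url_param(value: str) -> str:
    """Percent-encode a value placed inside a URL query parameter."""
    return quote(value, safe="")


def render_profile(display_name: str, homepage: str) -> str:
    """Render a small profile fragment (constructed for this example) with
    every user-supplied value encoded for the context it lands in."""
    return (
        "<h1>Welcome, {}</h1>\n"
        '<a title="{}" href="/go?to={}">Homepage</a>'
    ).format(escape_html(display_name), escape_html(display_name), escape_url_param(homepage))


if __name__ == "__main__":
    # Constructed inputs containing markup and URL metacharacters.
    print(render_profile('<b>Alice</b> "the" <Admin>', "http://example.com/?a=1&b=<x>"))
```

The point of the separate functions is that one escaper does not fit every context: HTML escaping alone would leave `&` and `<` in a query parameter, and percent-encoding alone would not protect element text.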
Brute Force Security
Previously, when users used the "Forgot Password" feature, they were asked for a username. If an invalid username was entered, an error page displayed. If a valid username was entered, the process continued to the next step in the recovery attempt.
To protect against potential brute force attacks, we have updated the password recovery functionality to treat valid and invalid usernames the same. The error page, therefore, will not show if an invalid username is entered. The new functionality will not reveal whether or not a username is valid.
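An added example of the uniform behaviour described above (illustrative code for these notes, not the product's implementation). The response text is identical whether or not the username exists, the recovery token is generated on both paths so the amount of work does not depend on the answer, and requests are counted per username so a run of requests for unknown names can be surfaced to monitoring. The response wording, the user list and the counter are constructed.

```python
import secrets
from collections import Counter

GENERIC_RESPONSE = (
    "If that username is registered, password recovery instructions "
    "have been sent to the email address on file."
)


class PasswordRecovery:
    """Forgot-password step that answers valid and invalid usernames identically."""

    def __init__(self, known_users):
        self._users = set(known_users)
        self.outbox = []           # (username, token) pairs that would be emailed
        self.attempts = Counter()  # username -> number of recovery requests

    def start(self, username: str) -> str:
        """Begin recovery; the caller receives the same text in every case."""
        self.attempts[username] += 1
        # Generate the token on both paths so the work done does not depend on
        # whether the username exists.
        token = secrets.token_urlsafe(32)
        if username in self._users:
            self.outbox.append((username, token))
        return GENERIC_RESPONSE

    def unknown_name_requests(self) -> int:
        """Requests for usernames that do not exist; a spike is a useful
        indicator of guessing activity for monitoring (constructed metric)."""
        return sum(n for name, n in self.attempts.items() if name not in self._users)


if __name__ == "__main__":
    recovery = PasswordRecovery(["alice"])          # constructed user list
    print(recovery.start("alice"))
    print(recovery.start("nosuchuser"))             # same text as above
    print(len(recovery.outbox), "message(s) queued")  # 1
```

Because the page no longer distinguishes the two cases, the only place the difference is visible is the server-side outbox and the attempt counter, which is where it belongs.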