oik
Member of DD Central
Posts: 254
Likes: 349
Post by oik on Mar 11, 2016 11:10:43 GMT
How comfortable are others with Ratesetter's apparently very basic account login security compared with that used by banks and building societies? The Ratesetter login requires just your usual email address and a single password in a single text field - ideal for keyloggers. I also notice that should you leave the page and forget to log out, you (or anyone with access to your PC or tablet) can go back into the account without re-entering the password just by using the back button.
If you forget your password, a new one will be sent with just the answer to your "secret question". The question isn't one set by the account holder but chosen from a very short list, such as what was the make and model of your first car. It's probably surprisingly easy in many cases to guess the first car of someone if you know their age.
This all seems very insecure compared with even the simplest multi-field systems used by the banks I use, less secure than many web forums and the like. Yet many people may have pretty hefty sums in their Ratesetter account, well worth a bit of effort by fraudsters.
Of course gaining access to an account doesn't in itself allow money to be withdrawn to another bank account, but I don't know how much more cautious Ratesetter are with a request to change a nominated account. Nor do I know whether their back-office security is as lax as, or better than, that for account access. I hope it is but would welcome some reassurance.
Post by yorkshireman on Mar 11, 2016 11:48:04 GMT
How comfortable are others with Ratesetter's apparently very basic account login security compared with that used by banks and building societies? The Ratesetter login requires just your usual email address and a single password in a single text field - ideal for keyloggers. I also notice that should you leave the page and forget to log out, you (or anyone with access to your PC or tablet) can go back into the account without re-entering the password just by using the back button. If you forget your password, a new one will be sent with just the answer to your "secret question". The question isn't one set by the account holder but chosen from a very short list, such as what was the make and model of your first car. It's probably surprisingly easy in many cases to guess the first car of someone if you know their age. This all seems very insecure compared with even the simplest multi-field systems used by the banks I use, less secure than many web forums and the like. Yet many people may have pretty hefty sums in their Ratesetter account, well worth a bit of effort by fraudsters. Of course gaining access to an account doesn't in itself allow money to be withdrawn to another bank account, but I don't know how much more cautious Ratesetter are with a request to change a nominated account. Nor do I know whether their back-office security is as lax as, or better than, that for account access. I hope it is but would welcome some reassurance.

If my daughter's experience is typical then changing a nominated account and address takes an eternity. They managed to change the bank account reasonably quickly even though the address on that account was different to that held by RS (and they make a big deal about checking that addresses tally). Some 4 months later the address had still not been changed on the RS account and the whole procedure had to be started again. The moral of that has got to be that there are questions to be asked about back office procedures and competence.
toffeeboy
Member of DD Central
Posts: 506
Likes: 362
Post by toffeeboy on Mar 11, 2016 11:51:02 GMT
I haven't done it but I believe that you can add extra security to your account via the contact details tab if you so wish.
Post by newlender on Mar 11, 2016 17:03:42 GMT
I was asked to set my own security question and answer - no drop-down menu appeared. This isn't used for logon though, so I'm a bit mystified! I use the mobile PIN option with other sites and it works well, but I haven't set it up with RS yet as it can be a pain if the phone is off or the battery flat etc. Zopa have an extra question when you log on, but the answers could be discovered by a determined hacker and I believe they're the same questions for all users. I suppose the answer is to have a really strong password (mine's pa$$word, for example) and to log off after every session. I don't think that an option to stay logged on for 180 minutes or more when there's no activity is at all responsible, and RS should get rid of it. Key logging is a bit old hat now and anyway the good virus checkers will zap them immediately.
adrianc
Member of DD Central
Posts: 9,012
Likes: 4,824
Post by adrianc on Mar 11, 2016 18:04:43 GMT
I was asked to set my own security question and answer - no drop-down menu appeared. This isn't used for logon though, so I'm a bit mystified! It's used for "I forgot my password".
Post by GSV3MIaC on Mar 11, 2016 18:31:44 GMT
I suppose the answer is to have a really strong password (mine's pa$$word, for example ) You're supposed to set it to 'incorrect', so the computer can remind you ("Your password is incorrect"). 8>.
Post by westonkevRS on Mar 11, 2016 18:40:00 GMT
I haven't done it but I believe that you can add extra security to your account via the contact details tab if you so wish. If you want you can add mobile 2-d authentication, i.e. every time you log in you must also add a mobile number code we text you. Unique every time, so a fraudster would need to know your email and password and have hold of your physical mobile phone. This isn't mandatory, as RateSetter doesn't think it's required. We have a number of sophisticated back office continuous monitoring and ad-hoc checks in the background. Sometimes this can mean things take time if you want to change an important piece of customer data, which shouldn't be seen as a Customer Services fail but as an indicator of how seriously security is taken. But lenders aren't to know this, so the mobile 2-d functionality is there if it makes them feel safer. I personally don't use the 2-d functionality. Kevin.
adrianc
Member of DD Central
Posts: 9,012
Likes: 4,824
Post by adrianc on Mar 11, 2016 18:57:43 GMT
If you want you can add mobile 2-d authentication, i.e. every time you log in you must also add a mobile number code we text you. Unique every time, so a fraudster would need to know your email and password and have hold of your physical mobile phone. Not terribly helpful if you don't actually have a mobile signal at home, like me. Also a bit flawed for those who may be logging in from their smartphone.
Post by rarrar on Mar 11, 2016 19:10:21 GMT
Agree that 2-d verification can be a pain if the mobile signal in the house is unreliable. Even HMRC are now almost insisting on it before allowing you access to your tax return!
registerme
Member of DD Central
Posts: 6,212
Likes: 6,020
Post by registerme on Mar 11, 2016 19:13:39 GMT
I don't know why everybody doesn't just use Google Authenticator. No need even for a signal.
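Why an authenticator app needs no signal: the phone and the server share a secret once (normally scanned from a QR code at enrolment) and from then on each side computes the code on its own from that secret and the current 30-second time step, so nothing is texted or fetched. The following is an added example written for this thread, not code from RateSetter or from Google Authenticator; it implements HOTP (RFC 4226) and TOTP (RFC 6238) with HMAC-SHA1 the way those apps do, plus the server-side verifier that tolerates a little clock drift and refuses to accept the same time step twice. The secret used in the demonstration is the public RFC test secret, and the class and function names are my own.

```python
"""HOTP / TOTP as used by Google Authenticator-style apps (added example)."""
import base64
import hashlib
import hmac
import struct
import time
from typing import Optional


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """HMAC-based one-time password (RFC 4226) with dynamic truncation."""
    msg = struct.pack(">Q", counter)                    # 8-byte big-endian counter
    mac = hmac.new(secret, msg, hashlib.sha1).digest()  # 20-byte HMAC-SHA1
    offset = mac[-1] & 0x0F                             # low nibble picks 4 bytes
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def totp(secret: bytes, at_time: float, step: int = 30, digits: int = 6) -> str:
    """Time-based OTP (RFC 6238): HOTP over the current time-step counter.

    This is all the phone does; it needs a clock, not a network."""
    return hotp(secret, int(at_time // step), digits)


class TotpVerifier:
    """Server side: accept a code within +/- `window` steps of now, compare in
    constant time, and never accept a time step at or before the last one
    accepted, so a code phished or shoulder-surfed seconds ago cannot be replayed."""

    def __init__(self, secret: bytes, step: int = 30, digits: int = 6, window: int = 1):
        self.secret, self.step, self.digits, self.window = secret, step, digits, window
        self.last_accepted_counter = -1

    def verify(self, code: str, at_time: Optional[float] = None) -> bool:
        if not (code.isascii() and code.isdigit() and len(code) == self.digits):
            return False
        now = time.time() if at_time is None else at_time
        current = int(now // self.step)
        for counter in range(current - self.window, current + self.window + 1):
            if counter <= self.last_accepted_counter:
                continue  # already used (or older than one already used): reject
            expected = hotp(self.secret, counter, self.digits)
            if hmac.compare_digest(expected, code):
                self.last_accepted_counter = counter
                return True
        return False


def secret_from_base32(enrolment_key: str) -> bytes:
    """Authenticator apps show/import the shared secret as base32, often in
    spaced lowercase groups and without '=' padding; normalise before decoding."""
    key = enrolment_key.strip().replace(" ", "").upper()
    key += "=" * (-len(key) % 8)
    return base64.b32decode(key)


if __name__ == "__main__":
    # RFC 4226 / RFC 6238 published test secret, used here as constructed sample input
    secret = b"12345678901234567890"
    print(totp(secret, 59, digits=8))   # RFC 6238 test vector: 94287082
    v = TotpVerifier(secret)
    code = totp(secret, 59)
    print(v.verify(code, at_time=89))   # True: one step late, inside the window
    print(v.verify(code, at_time=89))   # False: same step replayed
```

The window of one step on each side is what makes the scheme usable when the phone's clock is a few seconds off; widening it much further hands an attacker more valid codes per guess, so keep it small and pair it with the failed-attempt throttling you would apply to the password itself.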
oik
Member of DD Central
Posts: 254
Likes: 349
Post by oik on Mar 11, 2016 19:49:41 GMT
Using an email address to login that's likely to be known by countless people is plain potty and not a level of security that would impress even on a simple bulletin board. Which is why banks have more secure systems. Email addresses are likely to be given out to countless people, including to bulletin boards like this one, which could be hosted anywhere and there's no way of knowing who might have access to the server and database.
Lax security can lead to mischief at the very least. In another thread people are reporting being inexplicably locked out at the login - including me. I can't be completely certain I entered my password correctly the first time, but was surprised to be locked out immediately without a second chance. Do Ratesetter really lock out after a single incorrect entry? Because if they don't, that may suggest failed attempts had already been made by someone else. It could have been done completely accidentally by someone with a similar addy or possibly for a more malign reason.
While it's clear the login security at Ratesetter falls well below normal standards, there's no way of knowing if security systems in areas we can't see are equally poor. Ratesetter needs to look at the way banks, stockbrokers, and others who handle clients' money do these things.
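The lockout question raised above is a design trade-off that is worth seeing in code: if an account locks after one failure, anyone who knows your e-mail address can lock you out at will, and if it never locks, a password can be guessed online; the usual middle ground is a per-account count of recent failures with a threshold, a decay window and a temporary lockout, behind a login response that reads the same for a wrong password and an unknown address. The class below is an added illustration of that policy written for this thread, not RateSetter's implementation, whose actual thresholds are unknown. The sample user list, the salt and the `clock` hook are constructed so the example runs offline and deterministically.

```python
"""Per-account failed-login throttling with lockout (added example)."""
import hashlib
import hmac
import time
from collections import defaultdict
from typing import Callable, Dict, List

# Constructed sample credential store: passwords kept only as PBKDF2 hashes.
# A fixed salt is used here for reproducibility; real stores use a per-user salt.
_SALT = b"constructed-salt-for-the-example"


def _kdf(password: str) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), _SALT, 100_000)


USERS: Dict[str, bytes] = {"alice@example.com": _kdf("correct horse battery staple")}


def check_password(account: str, password: str) -> bool:
    """Constant-time check that does the same KDF work for unknown accounts,
    so response timing does not reveal which e-mail addresses are registered."""
    stored = USERS.get(account)
    candidate = _kdf(password)
    if stored is None:
        return False
    return hmac.compare_digest(stored, candidate)


class LoginThrottle:
    def __init__(self, max_failures: int = 5, window_seconds: int = 900,
                 lockout_seconds: int = 900, clock: Callable[[], float] = time.time):
        self.max_failures = max_failures
        self.window_seconds = window_seconds
        self.lockout_seconds = lockout_seconds
        self.clock = clock
        self._failures: Dict[str, List[float]] = defaultdict(list)
        self._locked_until: Dict[str, float] = {}

    @staticmethod
    def _key(account: str) -> str:
        return account.strip().lower()   # e-mail addresses are case-insensitive

    def is_locked(self, account: str) -> bool:
        key = self._key(account)
        until = self._locked_until.get(key, 0.0)
        if until > self.clock():
            return True
        self._locked_until.pop(key, None)   # lockout expired: forget it
        return False

    def record_failure(self, account: str) -> int:
        """Record one failure; return how many fall inside the decay window."""
        key, now = self._key(account), self.clock()
        recent = [t for t in self._failures[key] if now - t < self.window_seconds]
        recent.append(now)
        self._failures[key] = recent
        if len(recent) >= self.max_failures:
            self._locked_until[key] = now + self.lockout_seconds
        return len(recent)

    def record_success(self, account: str) -> None:
        key = self._key(account)
        self._failures.pop(key, None)
        self._locked_until.pop(key, None)

    def attempt(self, account: str, password: str,
                check: Callable[[str, str], bool] = check_password) -> str:
        """Returns 'locked', 'denied' or 'ok'. 'denied' is deliberately the same
        for a wrong password and an unknown account."""
        if self.is_locked(account):
            return "locked"          # do not even evaluate the password
        if check(self._key(account), password):
            self.record_success(account)
            return "ok"
        self.record_failure(account)
        return "denied"


if __name__ == "__main__":
    t = LoginThrottle(max_failures=3, window_seconds=60, lockout_seconds=120)
    for pw in ("wrong", "also wrong", "still wrong", "correct horse battery staple"):
        print(t.attempt("Alice@example.com", pw))   # denied, denied, denied, locked
```

With these settings the third wrong password locks the address for two minutes, after which the count has also decayed; a single mistyped password on its own never locks anyone out, which is the behaviour a user would expect and the behaviour the post above is asking about.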
Post by newlender on Mar 11, 2016 21:16:06 GMT
The sending of codes to mobile phones to re-set passwords has been compromised recently at NatWest. It's called SIM swap fraud and is quite sophisticated - see Mr Google for more details or the NatWest forum. I totally agree about not having email addresses as usernames but many companies do it so that customers remember their login name easily. A strong password is still the best defence against hackers.
Post by eascogo on Mar 11, 2016 23:29:32 GMT
The sending of codes to mobile phones to re-set passwords has been compromised recently at NatWest. It's called SIM swap fraud and is quite sophisticated - see Mr Google for more details or the NatWest forum. I totally agree about not having email addresses as usernames but many companies do it so that customers remember their login name easily. A strong password is still the best defence against hackers. Other P2P sites such as FS, MT, and SS do not offer a third ID layer either, though FS and MT request username rather than email addresses. Marginally safer IMO. However I would much prefer a third layer to be provided. Routine questions such as school or mother's maiden name offer the option of a second password because the answers can be anything you like.
Post by westonkevRS on Mar 12, 2016 6:56:48 GMT
In comparison, which doesn't make it right, all of the P2P platforms use the basic email or user ID and password combination. Some have memorable word, and I think only RateSetter offers the additional mobile verification tool. You can argue about whether user name or email is more secure, but the basic security access is the same.
Interestingly, this is also how most equity dealing platforms operate. I use Barclays, Share Centre, Halifax, and Selftrade/Equiniti. All use basic username and password entry; none use mobile authentication or tokens.
Only banks use tokens as a required additional layer, and rightly so, because the current account is central and money can be moved around. This isn't true for P2P platforms and equity dealing sites. What's important is what damage a fraudster could do if he did manage to log in, other than knowing the customer's portfolio. What happens behind the scenes, largely in Customer Services and self-change abilities, is what's important. RateSetter has robust processes and monitoring, and the sometimes unavoidable impact on service, for which I make limited apology.
Now I'm no cyber security expert, that's not my job. Although you'd be amazed how many lenders seem to consider themselves amateur experts. But RateSetter has the same security as all of these comparables, so I don't think it fair to pull us out and almost spread gossip or rumour; this should be a question in the general P2P thread. So unless there are any actual security expert black hats out there that would like to visit the office, I'll leave it there.
Kevin.
adrianc
Member of DD Central
Posts: 9,012
Likes: 4,824
Post by adrianc on Mar 12, 2016 8:00:42 GMT
In comparison, which doesn't make it right, all of the P2P platforms use the basic email or user ID and password combination. FC also have one-from-three memorable question/answer pairs every time you log in. (The "right" answer doesn't have to be accurate, of course, just memorable...) But, yes, all the platforms are in a similar position.