Post by westonkevRS on Mar 12, 2016 10:17:40 GMT
In comparison, which doesn't make it right, all of the P2P platforms use the basic email or user ID and password combination. FC also have one-from-three memorable question/answer pairs every time you log in. (The "right" answer doesn't have to be accurate, of course, just memorable...) But, yes, all the platforms are in a similar position. This two-stage question step, I (in my layman expert position) think, does add some security because the log-in device typically doesn't automatically remember two passwords per domain. The auto-fill can only remember one password per site, so FC is always a little more fiddly to log in to but perhaps safer from third-party log-in. But as I said, more important is what happens once you're in and how easy it is to change details or remove money. This isn't something any platform or equity dealing site will be transparent on. So any comment here is ignorant of the facts and actual security comparison. Kevin.
Post by GSV3MIaC on Mar 12, 2016 14:32:06 GMT
The FC two part login is flawed, because the web page actually decides which question/answer pair to send (so you can always get in if you can guess just one answer).
Hint: never give correct answers .. Too easy to discover. "Place of birth?" Pick a cute answer like 'troutstream' or 'mars'. 8>.
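An added illustration, not code from the forum or from any platform discussed here, of the defender-side fix for the flaw described above: the server, not the page, chooses which memorable question is asked, keeps that choice fixed for the user until it is answered correctly, rejects answers submitted against any other question, and locks after a few failures. Answers are stored as salted PBKDF2 hashes and compared in constant time. The class, user names, question set and the failure limit are constructed for the example.

```python
"""
Added example (not from the forum thread or any platform it discusses):
a "one of three memorable questions" login step where the server picks the
question and keeps it fixed until answered, so reloading the page or opening a
new session cannot be used to cycle through questions until an easy one appears.
Names, data and limits are constructed for illustration.
"""
import hashlib
import hmac
import secrets

ITERATIONS = 100_000  # assumed PBKDF2 work factor for the example


def hash_answer(answer: str, salt: bytes) -> bytes:
    """Normalise (trim, lower-case) then hash; answers are never stored in plaintext."""
    return hashlib.pbkdf2_hmac("sha256", answer.strip().lower().encode(), salt, ITERATIONS)


class MemorableQuestionGate:
    """Server-side state for the memorable-question step, keyed by user id."""

    def __init__(self, max_failures: int = 3):
        self.max_failures = max_failures
        # user_id -> {"qa": [(question, salt, hash)], "current": idx,
        #             "failures": n, "locked": bool}
        self._users = {}

    def enrol(self, user_id: str, qa_pairs):
        qa = []
        for question, answer in qa_pairs:
            salt = secrets.token_bytes(16)
            qa.append((question, salt, hash_answer(answer, salt)))
        self._users[user_id] = {
            "qa": qa,
            "current": secrets.randbelow(len(qa)),  # server chooses, not the client
            "failures": 0,
            "locked": False,
        }

    def challenge(self, user_id: str) -> str:
        """Return the question the server has chosen; the same one until it is answered."""
        u = self._users[user_id]
        return u["qa"][u["current"]][0]

    def verify(self, user_id: str, question: str, answer: str) -> bool:
        u = self._users[user_id]
        if u["locked"]:
            return False
        expected_q, salt, expected_hash = u["qa"][u["current"]]
        # An answer to any other question is rejected: the client does not get to pick.
        if question != expected_q:
            return False
        if hmac.compare_digest(hash_answer(answer, salt), expected_hash):
            u["failures"] = 0
            # Rotate to a different question only after a correct answer.
            others = [i for i in range(len(u["qa"])) if i != u["current"]]
            u["current"] = secrets.choice(others)
            return True
        u["failures"] += 1
        if u["failures"] >= self.max_failures:
            u["locked"] = True  # recovery would be out of band; not modelled here
        return False

    def is_locked(self, user_id: str) -> bool:
        return self._users[user_id]["locked"]


if __name__ == "__main__":
    gate = MemorableQuestionGate()
    gate.enrol("alice", [("Place of birth?", "troutstream"), ("First pet?", "mars"),
                         ("Favourite colour?", "plaid")])
    q = gate.challenge("alice")
    print("asked:", q, "-> accepted:", gate.verify("alice", q, "troutstream"))
```

The point of keeping `current` fixed across sessions is that a guesser with one known answer cannot refresh until that question comes up; the question only changes after a correct answer, and repeated failures lock the step rather than re-rolling it.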
ribs
Probably not James Marshall
Posts: 148
Likes: 151
Post by ribs on Mar 12, 2016 14:51:43 GMT
It's fine. No, really, it's fine. They use up-to-date encryption standards, and presumably their internal systems are well run. Presumably... But how would we know? For all I know, Ratesetter has been siphoning off my money to pay off some dodgy gambling debts. If anything, that's probably a greater risk than their website security. If you care that much about security, you could do a lot worse than using something like Lastpass. I literally have no idea what my ratesetter password is. Lastpass knows it; it's long, complicated, impossible to remember, but it's encrypted by my one complex password I have memorized (so if I forget that, I'm somewhat screwed). Want to kick it up a notch? Maybe boot from a Live USB memory stick on your computer when you want to use Ratesetter. Build a custom made PC using only open hardware you can verify. Keep that PC in a locked cabinet/room, and encrypt the snot out of the aforementioned USB stick. Oh, and make sure you've got some really good security on your firewall and upstream Internet connection; only allow connections to and from ratesetter and nowhere else. Don't forget to delete those security certificates from China whilst you're at it! Don't lose any sleep now.
adrianc
Member of DD Central
Posts: 9,012
Likes: 4,824
Post by adrianc on Mar 12, 2016 15:00:01 GMT
Quoting ribs: "If you care that much about security, you could do a lot worse than using something like Lastpass. I literally have no idea what my ratesetter password is. Lastpass knows it; it's long, complicated, impossible to remember, but it's encrypted by my one complex password I have memorized (so if I forget that, I'm somewhat screwed)."

Does that prevent somebody from getting into your email and requesting a password reset?
ribs
Probably not James Marshall
Posts: 148
Likes: 151
Post by ribs on Mar 12, 2016 15:08:53 GMT
Quoting ribs: "If you care that much about security, you could do a lot worse than using something like Lastpass. I literally have no idea what my ratesetter password is. Lastpass knows it; it's long, complicated, impossible to remember, but it's encrypted by my one complex password I have memorized (so if I forget that, I'm somewhat screwed)."

Quoting adrianc: "Does that prevent somebody from getting into your email and requesting a password reset?"

Requesting a reset from Ratesetter? No. But I also don't know my email password. Good luck trying to guess or brute-force something like this: 0iZOZ9la3AwVbkDDOUJ4 (I just asked Lastpass to generate a new password for me to get that). I also use two factor on my email, which helps a fair bit. So even with my email and password, you'd have a hard time getting in. You can't 'reset' your Lastpass password, as your password is the decryption key; even though Lastpass 'stores' your passwords for you, it's a mess of encrypted information that even they can't read. If you lose/forget it, it's gone, alongside your passwords. If you happen to have a machine logged into Lastpass (which you shouldn't do), it's possible to recover it from that machine, as it's resident in memory, but that's it. Lastpass logs me out every time I close my browser, so I would be wasting a lot of time clicking "forgot your password?" links all over the place if that happened to me. Having a fresh password for everything is important. Sure, your password may well be 0iZOZ9la3AwVbkDDOUJ4, and you use it everywhere. Great! What happened to you when Adobe.com got hacked and your password exposed? Oh yeah, that's the same password for eBay, your email, Paypal, etc etc. Whoops. Lastpass allows me to have a genuinely unique password everywhere, and I never have to care. Really clever technology. Lastpass isn't the only game in town, but it's the one I use.
warn
Member of DD Central
Curmudgeon
Posts: 605
Likes: 632
Post by warn on Mar 14, 2016 7:19:01 GMT
Quoting ribs: "Sure, your password may well be 0iZOZ9la3AwVbkDDOUJ4,"

Hey!! That's my Mother's Maiden Name. How the heck did you get that???
Post by newlender on Mar 14, 2016 7:55:04 GMT
No, it's my place of birth actually.
Post by bluechip on Mar 14, 2016 17:01:17 GMT
I like the fact I can log on in micro-seconds, the extra password thing that some sites use is just to appease those people that worry about the surface too much imo. As Kev has said it's what happens behind the scenes that is important.
If it was easy to steal from accounts it would have been done long before now. I'd argue that this whole topic is more problematic than the system itself as it could attract the wrong type of attention and create an unnecessary worry. Don't get me wrong I have often thought "wow that was quick to get into my account considering I have X amount in there", but it isn't really in my account, it's in thousands of borrowers and it is not going to be easy to transfer out to an alternative bank account - so it's worrying for worrying's sake. (I hope).
Post by nutfield on Mar 14, 2016 17:31:21 GMT
I was impressed to note that when I withdrew some cash from my Zopa account they e-mailed me to confirm the action before actually parting with the cash. This seems like a worthwhile (and cheap!) safeguard. Do RS do this?
Post by Deleted on Mar 15, 2016 5:51:49 GMT
The option to be sent an email on every account login attempt, successful or failed, would be a nice (and simple) addition
pikestaff
Member of DD Central
Posts: 2,136
Likes: 1,484
Post by pikestaff on Mar 15, 2016 7:54:24 GMT
I'd hate it, so it would have to be an option.
A security checkup the first time cash is withdrawn to the designated account is sufficient for me. It's a while since I opened a new account on RS but I'm pretty sure this is being done already.
shimself
Member of DD Central
Posts: 2,561
Likes: 1,170
Post by shimself on Mar 15, 2016 8:18:12 GMT
adrianc
Member of DD Central
Posts: 9,012
Likes: 4,824
Post by adrianc on Mar 16, 2016 8:14:45 GMT
Coming soon:
Prof of cybersecurity at Cambridge gets account cleaned out by telephone banking scam
Prof of cybersecurity at Cambridge gets account cleaned out by cheque fraud
Since when did Oxbridge academics ever display familiarity with the real world and basic common sense?
shimself
Member of DD Central
Posts: 2,561
Likes: 1,170
Post by shimself on Mar 16, 2016 10:14:53 GMT
Quoting adrianc: "Coming soon: Prof of cybersecurity at Cambridge gets account cleaned out by telephone banking scam. Prof of cybersecurity at Cambridge gets account cleaned out by cheque fraud. Since when did Oxbridge academics ever display familiarity with the real world and basic common sense?"

This is the virtual world and computerists. Earlier this week the head of the national bank of Bangladesh lost his job because they got hacked for £100M. This stuff happens.
adrianc
Member of DD Central
Posts: 9,012
Likes: 4,824
Post by adrianc on Mar 16, 2016 10:20:29 GMT
Even simpler than that, though. This is somebody who spends all day thinking about internet security, and who only has the loosest of relationships with the real world. No real surprise that he internally magnifies the risks and gets a bit panicky.
Of course there are risks to online fintech, at all levels, but sticking your head in the sand doesn't make them go away, and doing that doesn't change other risks.