shimself
Member of DD Central
Posts: 2,561
Likes: 1,170
Post by shimself on Jun 9, 2016 12:16:02 GMT
In the prolonged endeavour to get myself unsubscribed from collateral I had cause to use the lost password facility.
To my horror I was sent my old password in a plain text email.
I told them of this security danger in a private message here. Their reply made no mention of it; apparently they don't care.
locutus
Member of DD Central
Posts: 1,059
Likes: 1,622
Post by locutus on Jun 10, 2016 14:36:01 GMT
> In the prolonged endeavour to get myself unsubscribed from collateral I had cause to use the lost password facility. To my horror I was sent my old password in a plain text email. I told them of this security danger in a private message here. Their reply made no mention of it; apparently they don't care.

Basics like this are unacceptable in 2016. Really undermines credibility when people can't get the easy stuff right.
Post by earthbound on Jun 10, 2016 21:55:22 GMT
> In the prolonged endeavour to get myself unsubscribed from collateral I had cause to use the lost password facility. To my horror I was sent my old password in a plain text email. I told them of this security danger in a private message here. Their reply made no mention of it; apparently they don't care. Basics like this are unacceptable in 2016. Really undermines credibility when people can't get the easy stuff right.

Fully agree... just been talking about them favorably elsewhere as well... come on collateral, can we see a post here asap to say it's sorted?
Post by collateral on Jun 11, 2016 8:39:34 GMT
earthbound This will be resolved this weekend. It would have been earlier; the delay is because our IT security specialist has been on holiday and returns tomorrow. Thank you
Post by vanthel on Jun 11, 2016 16:42:41 GMT
> earthbound This will be resolved this weekend. It would have been earlier; the delay is because our IT security specialist has been on holiday and returns tomorrow. Thank you

I'm a lurker on these forums but I had to make an account to post. As a software developer in the privacy and security space, this is a massive red flag. I am afraid for me this brings into question the quality of your hiring practices, and means I can no longer trust the platform. Any 'IT security specialist' would have ensured the protection of this data from the start or the moment they were brought on board, not when it is flagged by a user. FCA rules are very clear on 'technical measures' to protect this data, so I highly doubt there will be a chance of Collateral getting into the IFISA space any time in the near future. It is a shame because I just joined, and really liked what I saw so far. I will be immediately withdrawing.
oldgrumpy
Member of DD Central
Posts: 5,087
Likes: 3,233
Post by oldgrumpy on Jun 11, 2016 16:54:16 GMT
> earthbound This will be resolved this weekend. It would have been earlier; the delay is because our IT security specialist has been on holiday and returns tomorrow. Thank you

Was this an unfortunate basic error, or is he bought in and unqualified/not up to the job? Presumably the platform is not large enough yet to employ its own full time top tier IT person, like Chris or von Shuang? I see just two names as "the team" so far. I'd love to fund more than just a handful of small pawn deals, but ..... On another point, emblazoned across the home page is "We now accept card payments." No you don't! When I try it still says "coming soon".
Post by vanthel on Jun 11, 2016 17:37:33 GMT
> I'm afraid that I was put off this platform a month ago by this post, for which I am eternally grateful: p2pindependentforum.com/post/114485/thread There's been no explicit acknowledgement of this issue by the platform and I decided that I would only consider them if I wished to reduce my exposure on MT and SS, and only then if someone in here would be able to confirm that it had been fixed. Until then, I regard the platform as too immature or too naive to trust with my hard-earned cash. This current thread doesn't help at all.

As a programmer, I admit it probably matters more to me than some. Thank you for pointing out that post, paul123. I have seen a fair few fledgling FinTech companies go up in smoke due to the likes of security, rounding errors, off-by-one errors... There are hints of the latter occurring as well in other posts on this subforum. I'm not suggesting that Collateral's founders are in this stereotype, but often they are founded by financial entrepreneurs that made a lot of money as graduates, realise how much more money they are making their firm and decide to go their own way. They then go cheap and fail to get the correct technical teams around them, assuming it can't be that hard. When you go into a firm surrounded by well sealed financial terminals and expensive software I can see where the complacency comes from.
arbster
Member of DD Central
Posts: 810
Likes: 426
Post by arbster on Jun 12, 2016 5:45:38 GMT
> I'm afraid that I was put off this platform a month ago by this post, for which I am eternally grateful: p2pindependentforum.com/post/114485/thread There's been no explicit acknowledgement of this issue by the platform.

As you point out, paul123, it's notable that the only post not responded to by the platform was that very constructive post by iano. Personally, I have also yet to dip my toe into the water here. It seems to me that setting up a website and listing loans based on fairly generic pawn-type collateral could be relatively easy to do, and a site with one testimonial and blog posts stretching back 3 months just feels a little bit young for me. Forgive me, fellow forum members, but I'll wait for you to report a few loan repayments and maybe experience a default or two before I make a deposit...
Post by earthbound on Jun 20, 2016 22:23:13 GMT
Oooo I'm glad you IT techies are lurking. I'm in at collateral, only to the tune of half a 'k', but I was about to invest up to 2k. I have no idea what the IT issues are, or what they mean; I can barely send an e-mail.... A little expansion on the issues would help the non-techies like me understand exactly what the issues entail. TIA.
shimself
Member of DD Central
Posts: 2,561
Likes: 1,170
Post by shimself on Jun 20, 2016 22:58:39 GMT
> Oooo I'm glad you IT techies are lurking. I'm in at collateral, only to the tune of half a 'k', but I was about to invest up to 2k. I have no idea what the IT issues are, or what they mean; I can barely send an e-mail.... A little expansion on the issues would help the non-techies like me understand exactly what the issues entail. TIA.

The security is done badly, making it easier for hackers.
Post by earthbound on Jun 20, 2016 23:03:07 GMT
> Oooo I'm glad you IT techies are lurking. I'm in at collateral, only to the tune of half a 'k', but I was about to invest up to 2k. I have no idea what the IT issues are, or what they mean; I can barely send an e-mail.... A little expansion on the issues would help the non-techies like me understand exactly what the issues entail. TIA.

> The security is done badly, making it easier for hackers.

So... are we talking someone could get into the site and get usernames and passwords?
shimself
Member of DD Central
Posts: 2,561
Likes: 1,170
Post by shimself on Jun 21, 2016 6:41:28 GMT
And it also shows recklessness on the part of the company so it doesn't bode well for those procedures we can't see from the outside.
locutus
Member of DD Central
Posts: 1,059
Likes: 1,622
Post by locutus on Jun 21, 2016 7:33:17 GMT
> Currently, it seems the only remaining issue is that they send your password to you by email if you've forgotten it. This is bad in two ways.
> 1. Emails are not encrypted, so anyone who intercepts the email (and emails tend to travel through multiple computers on their way to you) has your password.
> 2. It means that emails are being stored by collateral un-encrypted, or that they are encrypted but using a "two-way" method where they can be encrypted and un-encrypted as needed. This means that when/if a hacker does get into their site, that hacker should be able to get all the passwords of all the users. Normally, passwords would be stored using a one-way method, so they encrypt your password and store it the first time. Then on subsequent visits, the password you enter is encrypted in the same way and a check is made to see if the stored encrypted password matches the entered encrypted password.

I think you mean storing of passwords unhashed is insecure. Hashed means the original can't be recovered and it is not bi-directional. Encryption is bi-directional. Apart from that, I agree.
Post by bracknellboy on Jun 21, 2016 7:38:38 GMT
> ... 2. It means that emails are being stored by collateral un-encrypted, or that they are encrypted but using a "two-way" method where they can be encrypted and un-encrypted as needed. This means that when/if a hacker does get into their site, that hacker should be able to get all the passwords of all the users. Normally, passwords would be stored using a one-way method, so they encrypt your password and store it the first time. Then on subsequent visits, the password you enter is encrypted in the same way and a check is made to see if the stored encrypted password matches the entered encrypted password.

paul123, thank you for that explanation. If nothing else it satisfies my intellectual curiosity.
Post by Collateral Rep on Jun 21, 2016 9:34:42 GMT
Hi,
Unfortunately we can't go into too much detail on a public forum, but I can assure all our investors we do not store passwords. All passwords are 256-bit hashed and the random code to reset passwords is also hashed.
Many thanks,
Gordon
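For readers who asked what "hashed, not stored" means in practice: the explanation quoted by locutus (one-way storage, re-hash on login and compare) and the platform's statement that both passwords and the random reset code are hashed describe the scheme below. This is an added illustration written for this thread, not Collateral's code, and it makes its own assumptions: PBKDF2-HMAC-SHA256 with a per-user salt and a 600,000-iteration work factor for passwords, a SHA-256 hash of a random URL-safe token for reset links, and a 15-minute expiry. The point it shows is that the database record contains nothing from which the password can be recovered, so the only thing a "forgot password" e-mail can ever carry is a single-use reset link, and a leaked table of token hashes is useless to whoever leaked it.

```python
import hashlib
import hmac
import os
import secrets
import time
from typing import Dict, Optional, Tuple

# Illustrative parameters (assumptions for this example, not values from the platform).
HASH_NAME = "sha256"          # 256-bit digest, matching the "256-bit hashed" description
PBKDF2_ITERATIONS = 600_000   # work factor: slows offline guessing if the table ever leaks
TOKEN_TTL_SECONDS = 15 * 60   # reset links stop working after 15 minutes


def hash_password(password: str) -> str:
    """One-way storage: random per-user salt + PBKDF2-HMAC.

    The returned record is what goes in the database. The password itself is
    never persisted, so it cannot be mailed back to the user later.
    """
    salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac(HASH_NAME, password.encode("utf-8"), salt, PBKDF2_ITERATIONS)
    return f"pbkdf2_{HASH_NAME}${PBKDF2_ITERATIONS}${salt.hex()}${digest.hex()}"


def verify_password(password: str, record: str) -> bool:
    """Login check: re-derive with the stored salt/iterations, compare in constant time."""
    try:
        scheme, iterations, salt_hex, digest_hex = record.split("$")
        if not scheme.startswith("pbkdf2_"):
            return False
        hash_name = scheme[len("pbkdf2_"):]
        candidate = hashlib.pbkdf2_hmac(
            hash_name, password.encode("utf-8"), bytes.fromhex(salt_hex), int(iterations)
        )
        return hmac.compare_digest(candidate, bytes.fromhex(digest_hex))
    except (ValueError, TypeError):
        # Malformed record (or unknown hash name): treat as a failed login, never as success.
        return False


class ResetTokenStore:
    """Server-side bookkeeping for 'forgot password' links.

    Only a hash of each token is kept, so a database leak does not hand out
    working reset links; the plaintext token exists only in the e-mail.
    """

    def __init__(self) -> None:
        self._pending: Dict[str, Tuple[str, float]] = {}  # user -> (token_hash_hex, expires_at)

    @staticmethod
    def _digest(token: str) -> str:
        return hashlib.sha256(token.encode("ascii")).hexdigest()

    def issue(self, user: str, now: Optional[float] = None) -> str:
        """Create a random token; return the plaintext to embed in the e-mail link."""
        now = time.time() if now is None else now
        token = secrets.token_urlsafe(32)          # 256 bits of randomness, URL-safe
        self._pending[user] = (self._digest(token), now + TOKEN_TTL_SECONDS)
        return token

    def redeem(self, user: str, presented: str, now: Optional[float] = None) -> bool:
        """Single-use check: valid only if unexpired and the hash matches; consumed on success."""
        now = time.time() if now is None else now
        entry = self._pending.get(user)
        if entry is None:
            return False
        token_hash, expires_at = entry
        if now > expires_at:
            del self._pending[user]                # expired: discard it
            return False
        if not hmac.compare_digest(self._digest(presented), token_hash):
            return False                           # wrong token: leave entry, let TTL handle it
        del self._pending[user]                    # consumed: the same link cannot be replayed
        return True


if __name__ == "__main__":
    # Constructed walk-through of the reset flow.
    users = {"alice": hash_password("correct horse battery staple")}
    print("stored record:", users["alice"])        # no password text anywhere in it
    store = ResetTokenStore()
    link_token = store.issue("alice")              # this is what the e-mail would carry
    if store.redeem("alice", link_token):
        users["alice"] = hash_password("new passphrase chosen by alice")
    print("login with new passphrase:", verify_password("new passphrase chosen by alice", users["alice"]))
    print("replaying the same link:", store.redeem("alice", link_token))
```

Two details matter beyond the hashing itself: comparisons use `hmac.compare_digest` so that timing does not leak how many bytes matched, and a token is deleted once redeemed, so a reset link that was read in transit (the interception concern raised above) cannot be reused after the legitimate user has acted on it.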