|
Post by isecguy on Jan 8, 2018 18:26:43 GMT
This really should set alarm bells ringing for any potential investor/borrower who uses the welendus.com website and provides their personal/financial information through it! In my experience, in most cases when those behind an initial idea/product are also entirely responsible for building/maintaining the website/platform behind it, there are probably going to be some pretty big security flaws present! "Co-founders", etc. - who may well have basic website-building skills - won't necessarily also have adequate security knowledge and skills to make their websites actually "secure". For example, the supposedly "secure" welendus.com site supports the insecure SSL 3 protocol, weak Diffie-Hellman (DH) ciphers, and insecure RC4 ciphers - which makes the website vulnerable to both POODLE and Logjam attacks. Well, you really know how to bring the mood down, don't you?
Do you take bookings for parties?
LOL... my apologies - the intent was certainly not to "ruin the party", but rather: 1) to remind investors that they should be very careful about entering personal and especially financial information on "young" websites created with limited security knowledge/experience/personnel behind them. Whilst "15% returns backed by a PF" certainly sounds attractive, don't let that cloud your judgement into parting with your personal/financial details without first doing a little DD into their website/security/data handling too! 2) to give welendus.com a friendly kick up the backside! As with all the various P2P platforms I've looked into the security of previously, I want them all to do well and succeed, and welendus.com is no different! I have no evidence to suggest that welendus.com has been "hacked" - but there are security vulnerabilities, which I hope that nsiam and his "co-founder" can now work to address, to make it a safe and truly "secure" site for both borrowers and lenders alike. Anyway, back to the party...
|
|
alison
Member of DD Central
Sanctuary!!
Posts: 356
Likes: 99
|
Post by alison on Jan 8, 2018 19:42:01 GMT
Happy to risk a toe in the water on this one so have created and activated an account as per the website. Problem now is that trying to log in gives a Login failed message each time. Requested and received a link to reset the password, which worked fine, but login attempts still break down with Login failed messages. Have emailed them but the automatic reply says they will aim to respond within 5 working days!! Not great for a login problem. But at least I received my token by email an hour and a half later!! Shame I can't log in to use it!! Maybe next Monday? Could be worth calling 0800 368 9553 if you don't get a reply by tomorrow Thanks. Got an email from Nadeem shortly after, asking me to check cookies are enabled and offering for them to call me if this doesn't fix it. Cookies were enabled - Chrome and Firefox - so will probably need to go down the call route.
|
|
stub8535
Member of DD Central
personal opinions only. Not qualified to advise on investment products.
Posts: 1,442
Likes: 945
|
Post by stub8535 on Jan 8, 2018 20:48:11 GMT
Thanks for your very valued and consistent comments about platform security, isecguy. I do hope the owners take on board what you are saying and react accordingly before going fully live.
|
|
Greenwood2
Member of DD Central
Posts: 4,252
Likes: 2,695
|
Post by Greenwood2 on Jan 8, 2018 20:56:13 GMT
I had a similar problem with login. I think the site didn't like my password, although I didn't get a message to say what was wrong with it; after a few tries (on change password) I tried a simpler password and login worked.
|
|
|
Post by nsiam on Jan 8, 2018 21:45:08 GMT
Between myself and my co-founder, yes. We do all the website updates ourselves. We are a very small team doing all the work in house and extremely busy ... Hi isecguy, thank you for raising your concern, which is very much welcomed. We do take all comments on board and will act on them during our beta stage. With regards to our security background as a team, we do have very good in-house skills and experience. In fact, some of our team members were leading the security teams at some large global financial organisations. I do actually see having in-house technical knowledge as one of our strengths compared to other companies that outsource most of the work. Since you seem to come from a security background, we can get slightly technical, but I will try to be simple as well for others to follow. First of all, as you know, no business or individual can be 100% secure when it comes to cyber security and protect against all threats. With that being said, there are different levels of threats, ranging from low to medium to high risk. With that in mind, we are aware of the SSL 3 protocol weak points but we consider these as low risk.
We did our security testing last year using the Acunetix and Nessus web scanners and also performed some custom web security testing, and no high-level or medium-level vulnerabilities were found. Of course the rank of vulnerabilities may have increased since, but still this is not a high-priority threat. Here is more detail: www.acunetix.com/blog/articles/tls-ssl-cipher-hardening/ As far as we know, most recent browser versions have SSL 3 disabled by default, so our users should still be safe. It is actually a very interesting topic and we would be very interested to hear what other vulnerabilities you can find so we can make Welendus stronger and safer. Happy to discuss further. It's maybe worth having a separate topic for platform security vulnerabilities if it doesn't exist yet?
|
|
|
Post by isecguy on Jan 8, 2018 22:32:18 GMT
I appreciate the fast response, nsiam! ...it's encouraging to learn that you're willing to engage on matters of security (when many platforms aren't!) With regards to the specific link you refer to in your post (www.acunetix.com/blog/articles/tls-ssl-cipher-hardening/) it should be noted that this article is now over 3 years old. As such, the information contained within isn't current (security "best practice" way back in 2014 doesn't necessarily reflect security "best practice" in 2018!). However, that said, the article you refer to does categorically state: "unless there is still the specific need to support the legacy Internet Explorer 6 browser, SSL 3.0 should be disabled" ...or are welendus still supporting IE6? ...if so, the comment that "our users should be safe still" (because they're using modern web browsers) doesn't really hold up if you're still supporting IE6. Disabling SSL 3 support on a server takes a matter of minutes to do. Perceived as "low risk", perhaps, but why wouldn't you want to switch off SSL 3 support and completely mitigate the risk of a POODLE attack!?
For further information and guidance on disabling SSL 3 and why you really should, please see:
blog.qualys.com/ssllabs/2014/10/15/ssl-3-is-dead-killed-by-the-poodle-attack
scotthelme.co.uk/sslv3-goes-to-the-dogs-poodle-kills-off-protocol/
For further information on weak Diffie-Hellman (DH) key exchange, please see:
weakdh.org
For further information on the insecure RC4 cipher, please see:
blog.qualys.com/ssllabs/2013/03/19/rc4-in-tls-is-broken-now-what
www.beyondsecurity.com/scan_pentest_network_vulnerabilities_ssl_rc4_cipher_suites_supported
In summary, whilst these 3 specific issues I've highlighted may be considered by welendus as "low risk", they are still risks nonetheless - but all of which can be 100% mitigated server-side with VERY minimal effort, and with no noticeable impact to end users (apart from any IE6 ones!). It would be complacent to ignore such risks (especially for a website dealing with personal & financial information), when these particular vulnerabilities can be so easily mitigated by welendus. Finally, it's encouraging that welendus have "performed some custom web security testing" and that "no high-level or medium level vulnerabilities have been found" - however, if no high or medium level vulnerabilities are found as a result of security testing/scans, the focus should then be on addressing the lower-level risks - and not just simply ignoring and dismissing them! I appreciate that welendus is in its infancy, and I want to see the platform grow and flourish, but I hope the platform will demonstrate their commitment to security as being a top priority, and not fall into a complacent or dismissive attitude to security vulnerabilities. It's maybe worth having a separate topic for platform security vulnerabilities if it doesn't exist yet? Not a bad idea, nsiam! (of course, there's always this topic)
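The three server-side issues in the post above (SSL 3.0 still enabled, RC4 suites offered, weak DH groups) can each be confirmed with one hand-built ClientHello, because a server that accepts the handshake says so in its ServerHello and, for DHE suites, hands over the modulus in ServerKeyExchange. The Python probe below is an added example written for this page; it is not code from the thread, from Welendus, or from any scanner named in it. It assumes the IANA cipher-suite IDs listed in it, sends no SNI extension (so a name-based virtual host may answer with its default configuration), and uses the 2048-bit threshold that weakdh.org recommends; the two SAMPLE_* replies are constructed bytes, not captures from any real server, so the parser can be exercised offline.

```python
"""Raw TLS probe for the three legacy settings discussed above: SSL 3.0 (POODLE), RC4 suites and
short/export Diffie-Hellman groups (Logjam). Python's ssl module cannot offer SSLv3 or RC4 on a
modern OpenSSL build, so the ClientHello is built by hand and the reply parsed from raw records."""
import socket
import struct

SSL3, TLS12 = (3, 0), (3, 3)
# Cipher-suite IDs from the IANA TLS registry (assumed correct; a representative subset only).
RC4_SUITES = {0x0004: "TLS_RSA_WITH_RC4_128_MD5", 0x0005: "TLS_RSA_WITH_RC4_128_SHA",
              0xC011: "TLS_ECDHE_RSA_WITH_RC4_128_SHA"}
DHE_SUITES = {0x0016: "TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA", 0x0033: "TLS_DHE_RSA_WITH_AES_128_CBC_SHA",
              0x0039: "TLS_DHE_RSA_WITH_AES_256_CBC_SHA"}
EXPORT_DHE_SUITES = {0x0014: "TLS_DHE_RSA_EXPORT_WITH_DES40_CBC_SHA"}

def tls_record(ctype, version, body):
    """One TLS/SSL record: content type, protocol version, 2-byte length, body."""
    return bytes([ctype]) + bytes(version) + struct.pack("!H", len(body)) + body

def handshake_msg(htype, body):
    """One handshake message: type, 3-byte length, body."""
    return bytes([htype]) + len(body).to_bytes(3, "big") + body

# Constructed sample replies (not captured from any real server) so the parser can be run offline.
SAMPLE_SSL3_RC4 = tls_record(0x16, SSL3, handshake_msg(0x02,              # ServerHello: SSL 3.0,
    bytes(SSL3) + b"\x22" * 32 + b"\x00" + b"\x00\x05" + b"\x00"))         # suite 0x0005, null compression
P512 = ((1 << 511) | 1).to_bytes(64, "big")                                 # placeholder 512-bit modulus
SAMPLE_WEAK_DH = (tls_record(0x16, TLS12, handshake_msg(0x02,             # ServerHello: TLS 1.2, DHE suite
    bytes(TLS12) + b"\x22" * 32 + b"\x00" + b"\x00\x33" + b"\x00"))
    + tls_record(0x16, TLS12, handshake_msg(0x0C,                          # ServerKeyExchange: p, g, Ys
    b"\x00\x40" + P512 + b"\x00\x01\x02" + b"\x00\x40" + b"\x01" * 64)))  # (signature omitted)

def build_client_hello(version, suites):
    """ClientHello offering exactly `suites`, with no extensions (SSL 3.0 has none; no SNI is sent)."""
    body = (bytes(version) + b"\x11" * 32             # client_version + fixed 32-byte random
            + b"\x00"                                  # empty session_id
            + struct.pack("!H", 2 * len(suites)) + b"".join(struct.pack("!H", s) for s in suites)
            + b"\x01\x00")                             # one compression method: null
    return tls_record(0x16, version, handshake_msg(0x01, body))

def iter_records(data):
    off = 0
    while off + 5 <= len(data):
        ctype, major, minor, length = struct.unpack("!BBBH", data[off:off + 5])
        if off + 5 + length > len(data):
            break                                      # truncated record: read more before parsing
        yield ctype, (major, minor), data[off + 5:off + 5 + length]
        off += 5 + length

def iter_handshakes(payload):
    off = 0
    while off + 4 <= len(payload):
        length = int.from_bytes(payload[off + 1:off + 4], "big")
        yield payload[off], payload[off + 4:off + 4 + length]
        off += 4 + length

def parse_server_response(data):
    """Extract version, chosen suite, DH modulus size and any alert from the server's raw reply."""
    r = {"alert": None, "version": None, "cipher_suite": None, "dh_prime_bits": None}
    handshake = b""
    for ctype, _ver, body in iter_records(data):
        if ctype == 0x15 and len(body) >= 2:           # alert record: (level, description)
            r["alert"] = (body[0], body[1])
        elif ctype == 0x16:
            handshake += body                          # handshake messages may span records
    for htype, body in iter_handshakes(handshake):
        if htype == 0x02:                              # ServerHello
            r["version"] = (body[0], body[1])
            off = 35 + body[34]                        # skip the 32-byte random and the session_id
            r["cipher_suite"] = struct.unpack("!H", body[off:off + 2])[0]
        elif htype == 0x0C and (r["cipher_suite"] in DHE_SUITES or r["cipher_suite"] in EXPORT_DHE_SUITES):
            p_len = struct.unpack("!H", body[:2])[0]   # DHE ServerKeyExchange starts with dh_p
            r["dh_prime_bits"] = int.from_bytes(body[2:2 + p_len], "big").bit_length()
    return r

def assess(r):
    """Map a parsed reply onto the three issues; an empty list means nothing was negotiated."""
    findings = []
    if r["cipher_suite"] is None:
        return findings                                # server refused (alert, or no ServerHello)
    if r["version"] == SSL3:
        findings.append(("SSLv3", "server accepts SSL 3.0 (POODLE exposure with CBC suites)"))
    if r["cipher_suite"] in RC4_SUITES:
        findings.append(("RC4", "server chose " + RC4_SUITES[r["cipher_suite"]]))
    bits = r["dh_prime_bits"]
    if bits is not None and bits < 2048:
        kind = "export-grade" if bits <= 512 else "weak"
        findings.append(("WEAK_DH", "%s %d-bit DH group (Logjam class)" % (kind, bits)))
    return findings

def probe(host, port, version, suites, timeout=3.0):
    """Network path: one ClientHello, then read until the server pauses (timeout) or closes."""
    data = b""
    with socket.create_connection((host, port), timeout=timeout) as sock:
        sock.sendall(build_client_hello(version, suites))
        try:
            while True:
                chunk = sock.recv(16384)
                if not chunk:
                    break
                data += chunk
        except socket.timeout:
            pass                                       # server is waiting for our next flight
    return parse_server_response(data)
```

`assess(probe("example.invalid", 443, SSL3, list(RC4_SUITES) + list(DHE_SUITES)))` (hostname hypothetical, and only against a host you are authorised to test) returns an empty list when the server refuses SSL 3.0 outright, which is the state the post above asks for; repeating with `TLS12` isolates the RC4 and DH findings. A 512-bit modulus is what a Logjam downgrade lands on, and weakdh.org treats 1024-bit groups as weak too, hence the 2048-bit cut-off in `assess`.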
|
|
|
Post by nsiam on Jan 9, 2018 5:33:03 GMT
Hi isecguy, good to hear we are more or less on the same page.
Disabling SSL 3 is quite quick and easy as you mentioned and we will look into disabling it but it may mean more users may find difficulty using Welendus if they are using old browsers. Thanks for the link to the security discussion forum. We will go through it in more details.
|
|
marka
Member of DD Central
Posts: 224
Likes: 175
|
Post by marka on Jan 9, 2018 11:57:32 GMT
The success of this obviously depends on there being a steady stream of borrowers, so as the site launched for borrowers yesterday I thought I'd see if it popped up in a google search when posing as a potential borrower. What I found was that there are many many payday loan (and similar) companies out there, but welendus didn't come up in any search (at least not on the first couple of pages, or on a couple of comparison sites). Can you share with us what marketing is currently being undertaken please nsiam. Thanks
|
|
|
Post by skint4achange on Jan 9, 2018 16:24:26 GMT
I received the email stating that the Beta version is now online for borrowers and investors alike but my payment is still showing as unconfirmed and is still sitting on my pending payments from my bank account.
I assume that there have been no loans made yet or that they will not call my payment in until there are loans flowing in?
Or, am I sitting here waiting for something that has already happened but there is just a problem with my account??
|
|
|
Post by df on Jan 9, 2018 16:39:32 GMT
In my understanding, it takes 7 working days for your payment to arrive. When your funds arrive it will be marked as confirmed and put in the queue to be lent.
|
|
|
Post by skint4achange on Jan 9, 2018 16:48:21 GMT
Thanks you guys. I will wait and see what happens in a few days time.
Can't believe in this day and age it takes 7 days for a debit card payment to happen!
|
|
|
Post by df on Jan 9, 2018 16:52:42 GMT
Hi skint4achange, it took 7 working days to bring my card payment funds on-board W. During this time it remained showing as 'pending' on both the platform and the bank; could fly around the world quicker with a tortoise. Oh, when it finally arrives you'll need to preset auto-allocation. All the best, J. Edit: crossed with df. That's the longest card payment I've ever experienced. I think Nadeem has mentioned in one of the posts that they anticipate reducing it to 3 days in future.
|
|
|
Post by df on Jan 9, 2018 17:05:18 GMT
Good point. I've tried the same this morning, typed "pay day loans", went through 5 pages of results and Welendus wasn't there. I don't think many people searching for loans will go any further than 5 pages.
|
|
|
Post by skint4achange on Jan 9, 2018 17:09:38 GMT
Now they need to put their hands in their pockets to pay and become a sponsored result on Google!!
|
|
alison
Member of DD Central
Sanctuary!!
Posts: 356
Likes: 99
|
Post by alison on Jan 9, 2018 17:33:12 GMT
Bullseye!! Got a bit fed up waiting for another email response to my problem so requested another password reset. This time I took heed of your comment and dropped the ? special character from the new password. Bonzer - it sailed straight in!! Notified Welendus of my resolution and got a quick email back from Nadeem advising they will add more info to the website regarding accepted password characters. Now just got to wait the week for my debit payment to clear - crazy timescale in this day and age.
|
|