Zopa security is worryingly confused.

Interestingly the FAQ page has changed slightly since I wrote that, perhaps someone read my email, it now has a MyZopa link and Now the Signin Link is a SignOut Link!.

The MyZopa link took me back to Dashboard.
The Signout Link did actually sign me out this time.

Is it me are they are updating things in the wrong order or are they responding to my eMail about this who knows but it's less of an issue now as it seems to make the FAQ pages a part of the main system.

I wonder if Zopa spotted my comments here as well as I notice the is at least one Zopa person who was on here yesterday PM. They are not here at the moment though

Edit~: Oops I'm now in the dashboard and selected the Help| LoansFaqs and lo the same thing occurs again. 

Edit2: Oops the whole faqs system is going to need an update to make this really correct as the user who wades through a number of faq may not realise they are infact still logged in as its not clear after the front pages. This really is flying by the seat of a developers Rse rather than logical well thought out design.

I wonder what the regulators would think of this.

Yes that is the one I reported to them sometime ago they said they had fixed it and it did work again for a day or so but I reported back to them that its not working again and they said they would review it again haven;t heard anything back yet.

My opinion on this one is they do not really understand what is going wrong and probably don't have the skill required to fix it at the moment. The real issue I feel is that the whole system is probably so badly mangled that is may need a full branch and roots, drain up review of what the real issues are. They seem to be under the impression that they can just apply fix after fix without really understanding the true nature of the problem.

My main worry is what untold mishaps are happening under the hood this is just what is easy to get a handle on from an external perspective as we are experiencing it.

The other thing with security aspects such as these you think they might give it a top priority, considering the recent TSB issues and the breaches that are happening in other systems wide and far. My experience so far is that the front end hasn't got much of a clue and speaks to the backend experts who tell them their understanding or waffle and they then pass on to me not realising that the waffle I am given will not cut much ice when it makes little sense or relevance to what I am reporting.

There is now a message on the front that they are making planned upgrades but ...
If they were planned why did the servers go down some 20 minutes or more before they put that message up.

I've become rather concerned that I managed to log into their system and got the bad gateway 502 message and thought I wasn't logged in but I was still logged in as when the server came back up i didn;t then have to login. That is a really worrying aspect of the lack of security and worse it means planned procedures are not being managed very well. 

It's still down (12:21) at the moment according to the now more helpful message above. 

I'm getting that as well at the moment, the whole thing is a bit of a debacle, i've been speaking to them and have given them 2 hours to come up with a good reason for basically compromising mine and everyone who may have tried to login for the 15 minutes they were down before they started to react. The message I got before was the planned one.

The thing is I'm not sure they have a water tight secure approach to upgrades. They have a 15 minute time on inactivity on the browser but anone not realising they are logged in will not be aware that a simple reload on the screen will bring up the whole access again if it comes back up in the inactivity period.

They say it's planned so why not block the access correctly - i think that's why they are pulling all access points that can get through hence the reason clicking the login button on that screen is going no where. I argued that they should be warning customers and finding a better approach back in June and they seemed to be taking it on board but I guess not.   

I rang them about an hour ago and gave them until 14:00 today to either find some answers to why they are compromising my investments with a distinct disregard to security or I would have to speac to the regulator about these issues. Not sure what they will come back with all relevant managers seemed to be out of the office somewhere or just plain unavailable.

I think that Zopa is using tracking and timer cookies of some kind that sometimes get very confused when going outside of Zopa links I think that is fails when using back and forward buttons and also using copied links etc.

I too have been thrown out by the login sequence but I wonder if their tracking timers are getting confused as well by themselves. The other day I got caught in a loop and could neither logout or login but be presented as if I had alrady logged in but Zopa admitted to me that they had had a mini meltdown with some backend servers and not "Planned Updates" as their messages eventually suggested at the time (The 4 hour+ outage last week on the 24th hit me).

In a discussion with Zopa recently they said they had dropped the auto logout time from 15 Mins last week to 4 Mins and my Reloader extension in chrome did seem to fail until I moved it down to 4 mins.(I'm doing manual lending at the moment and trying to keep £10 lending so need to be updating lend as and when it goes below 1999 Max. This means I keep the queue loaded up)

This does mean that the logouts don't work as Zopa expects.

I have also also had times when not using my Page Reloader that the logout sequence is not correct and they are investigating some of this - to be honest they say its been fixed and it fails again and then its fixed and then it fails I'm not completely sure they know what is wrong there. I do try to send them an email of the date and time it goes wrong and they are using these to find the issues in their logs I guess.

Latest weird security issue is that the lower level loggout option is no longer moving back to the dashboard but resulting in this screen
so I thought i'm logged out now but I wasn't as clicking the "Sign into Zopa" actually took me straight back into the Dashboard so I thought ok it's probably going to send me back out after I click on either the "Invest" or the "ISA" button but no it just took me straight back in to full access.

All a bit odd but it ok as I have been reliably informed by someone on the "P2P Top 50 list" that the security will not allow anyone to change my bank account and then take my money so that's ok|!. Thing is though they also told me the 15 min auto signoff was reduced to 4 mins (My tests on that suggest that its still more like 15 mins but who knows who is right and quite frankly at the moment Zopa online has a complete mind of its own from day to day)