Post by batchoy on Dec 11, 2013 20:54:24 GMT
The Investment BOT thread on the FC board has got me thinking as to how secure P2P platform logins actually are, as they typically all do it in the same way: email address, password and security question. Individually this is not too great an issue, but they all seem to use similar security questions that could be answered with a little judicious searching on social media. But potentially the concerning part is that they require the email address, password and security question answer to be typed in full, which makes them ripe for attack with a key logger. Of the six platforms I use, not one of them would rate particularly well in the tests that the Consumers' Association used in their online banking security tests, which is worrying given the amount of money that is being invested through them. With the sector growing quite substantially it cannot be far off the horizon for those wishing to get at our funds, so given this and with regulation soon to be on the cards and hopefully with some onus on platforms to provide security for online accounts, things will be improving.
Post by mead187 on Dec 11, 2013 21:36:16 GMT
This has crossed my mind also. To make matters worse some of the answers to questions are the same on multiple platforms so hackers could log into multiple platforms using data obtained from one site.
MRC quoted something from the FC T&C shown below. With that in mind it is a worrying prospect, and with the growth of P2P/P2B lending it's only a matter of time before someone makes a fraudulent attempt at nabbing some cash. I would definitely like to see more/improved security - perhaps even a phone call if someone tries to cash out all your money. There's always a compromise between security and accessibility but atm P2P platforms look like easy pickings.
Funding Circle lender T&C "2.2 Your username, password and the answers to security questions are how we identify you, and so you must keep them secure at all times. You are responsible for all information and activity on the platform by anyone using your username and password. If you authorise an employee, sub-contractor or agent to use your Funding Circle lender account you will be responsible for their activity on the platform."
Post by batchoy on Dec 11, 2013 22:15:11 GMT
> This has crossed my mind also. To make matters worse some of the answers to questions are the same on multiple platforms so hackers could log into multiple platforms using data obtained from one site.

The problem is that not only are the questions (and thus potentially the answers) common, a lot of them are akin to biometric data that once compromised cannot be changed: things like mother's maiden name, your first school etc., all of which are potentially publicly available anyway, particularly with the advent of social media. To combat this, although it is a potential security risk, I keep a coded book with the lies that I tell when recording the answers to security questions, which means that if one site is compromised not every site is compromised and my personal data is not compromised. Of all the banking sites that I use, the one that I feel most comfortable with as regards security has to be ING Direct, though even then there is at least one improvement that I would instigate.
Post by JamesFrance on Dec 12, 2013 10:34:34 GMT
To ensure you cannot have a keylogger inflicted on you, you need a decent internet security program which will sandbox anything not whitelisted, such as the free one from Comodo. A good password manager like LastPass will also keep passwords encrypted and input them without typing anything.
I also like the system used by Omaraha which shows when and from where you last accessed your account.
Post by chris on Dec 12, 2013 11:07:39 GMT
It is something that's been on our minds as well as we're aware that whilst the current login schemes are okay they're not great and there's room for improvement. As you've said the security questions are mostly worthless and we're already reviewing those. But we're also looking at external two factor authentication systems such as Authy. I'd be interested to know what you guys think. There's actually a rather perverse balance to be struck between security and making it too difficult for humans to log in. Get the balance wrong and people end up writing down passwords and using other insecure methods of reminding them how to log in, or they never register to use the service in the first place as there's too big a barrier to entry.
Post by batchoy on Dec 12, 2013 11:12:28 GMT
The problem is that technology does not always work as it runs behind the criminals. I was recently involved in sorting out an incident where a trojan was inadvertently opened and started, and the criminals would have got away with several hundred thousand pounds had it not been for the fact that the final authorisation for the money transfer required a one time pin to be generated.
The immediate source of the trojan was an infected machine on company A's network; it was sent from there to the accounts department in company B as an attachment purporting to be a remittance advice, and as the email was both expected and from a supposedly known source it was opened with near disastrous effect. However, to get from company A to company B's mail servers it went through a well known commercial mail screening service, then through company B's UTM device that is linked to one of the key players in internet security, and once on company B's network was not picked up by their endpoint security, which is updated on a 15 minute cycle from a third key player in the internet security business.
The bank involved has multilayer security for login involving a userid required in full and which bears no direct relation to the user, i.e. not their email address, a pin from which only random numbers are requested and a password again from which only random characters are requested, but in the end it was the fact that a one time pin is required in order to authorize transactions and change user pins and passwords that prevented the theft occurring. Compared with this the typical P2P and P2B site is a piece of cake to gain access to.
Post by chris on Dec 12, 2013 11:22:09 GMT
Authy provides that kind of one time pin, and there are other similar systems available.
Another thing I'm going to make sure is implemented sooner rather than later is specifying a designated bank account for withdrawals.
At the moment all withdrawals need manual approval by the Assetz staff plus they are then verified by Grant Thornton before being approved. But designating a bank account that requires manual approval to change would help strengthen that procedure.
Post by batchoy on Dec 12, 2013 11:36:58 GMT
> It is something that's been on our minds as well as we're aware that whilst the current login schemes are okay they're not great and there's room for improvement. As you've said the security questions are mostly worthless and we're already reviewing those. But we're also looking at external two factor authentication systems such as Authy. I'd be interested to know what you guys think. There's actually a rather perverse balance to be struck between security and making it too difficult for humans to log in. Get the balance wrong and people end up writing down passwords and using other insecure methods of reminding them how to log in, or they never register to use the service in the first place as there's too big a barrier to entry.

chris, the problem is that I am already writing information down, albeit in an encoded form, because the security questions being asked are too common, and the true answers are potentially available on the internet should one search using my email address; thus I am giving false and different answers to each site and I have to keep track of them. As I mentioned above, my favourite system is that employed by ING Direct, which requires you to enter a customer number and your surname on the first page and then to key in a six digit security number and a favourite date on the second page; however these numbers are entered by clicking on a randomised numeric keypad on the screen, not using the keyboard. If I was building a system myself I would drop the surname on the first page as it is an immediate link to an individual just like an email address, and on the second page only ask for random digits from the two numbers, not the full six digits in each case. However it's not just the logon that is the issue, it's how the site behaves once you are in.
I know from experience that AC times out and you have to login again but other sites don't; there is also the issue of being able to change key information including passwords and security phrases without the need to re-enter password or security phrases as a confirmation etc.
Post by batchoy on Dec 12, 2013 11:46:13 GMT
> Another thing I'm going to make sure is implemented sooner rather than later is specifying a designated bank account for withdrawals.

I am in two minds about this one: on the one hand it means that should people gain access to one's account they can't direct funds elsewhere, but on the other, unless the details are obscured in some form when displayed on the screen, it means that people have immediate access to your bank details. I like the idea of Authy, but it means involving a third party, and there is the issue of having my mobile available, with a signal and importantly with a charged battery. I have already been caught out with the latter and electronic tickets.
Post by JamesFrance on Dec 12, 2013 12:45:30 GMT
I also use ING direct and have to use a mobile for a one time pin code whenever setting up a new payment. isePankur do that for withdrawals and only allow them to the originating account.
Post by chris on Dec 12, 2013 15:48:13 GMT
> > Another thing I'm going to make sure is implemented sooner rather than later is specifying a designated bank account for withdrawals.
>
> I am in two minds about this one: on the one hand it means that should people gain access to one's account they can't direct funds elsewhere, but on the other, unless the details are obscured in some form when displayed on the screen, it means that people have immediate access to your bank details. I like the idea of Authy, but it means involving a third party, and there is the issue of having my mobile available, with a signal and importantly with a charged battery. I have already been caught out with the latter and electronic tickets.

I believe Authy uses a desktop app as well, giving you more than one route. I think the app also supports a time based RSA style key, so a signal wouldn't be needed, but I need to investigate it further. In some ways I like that it's a third party as long as they are a trusted company, as it would mean two separate systems would need to be compromised in order to gain access to your account via the web interface, and they cannot access your account as they wouldn't have the information that ties their authentication details with your login. I'm also in two minds as to whether such a system should be mandatory or opt in. The problem we face is placing barriers to entry for new registrations. If we insisted on the most stringent of login criteria that are possible but our registration conversion rate drops to 10% of what it is today, then are we serving the market well if our new lender registrations dry up and they all go and register with other sites instead? Taken to the extreme it could even ultimately drive us out of business if no one registers with us and they go elsewhere.
So we do have to strike a balance, and given the low barriers other sites are putting in place I do need to be careful about being too onerous on new registrations even if we then offer options for further securing individual accounts. I don't think there is a reason why we couldn't offer more than one solution and let lenders choose what is best for them.
Post by chris on Dec 12, 2013 15:49:41 GMT
> I also use ING direct and have to use a mobile for a one time pin code whenever setting up a new payment. isePankur do that for withdrawals and only allow them to the originating account.

I do like the idea of using a separate authentication scheme for authorising withdrawals as well.

batchoy - forgot to say that if you nominate a bank account for withdrawals then we could show a redacted version on the site, such as only the last four digits of the account number, much as sites do when they show stored credit card details.
Post by batchoy on Dec 12, 2013 16:22:56 GMT
> I'm also in two minds as to whether such a system should be mandatory or opt in. The problem we face is placing barriers to entry for new registrations. If we insisted on the most stringent of login criteria that are possible but our registration conversion rate drops to 10% of what it is today, then are we serving the market well if our new lender registrations dry up and they all go and register with other sites instead? Taken to the extreme it could even ultimately drive us out of business if no one registers with us and they go elsewhere. So we do have to strike a balance, and given the low barriers other sites are putting in place I do need to be careful about being too onerous on new registrations even if we then offer options for further securing individual accounts. I don't think there is a reason why we couldn't offer more than one solution and let lenders choose what is best for them.

Lowest common denominator security is not the way to go; rather, good security should be a marketing differentiator, particularly given the sums of money that are involved. If the Consumers' Association (or even easteregg) were to do a security review of P2P sites along the lines of their 2011 Online Banking Security Review, which IMHO would rate P2P sites well below the poorest of the banks back in 2011, I wonder how many people would actually walk away, let alone join.
Post by oldgrumpy on Dec 12, 2013 16:31:42 GMT
It only needs one P2P to go BANG! in this way to spook everybody in all platforms. I think being ahead of the game as far as possible matters in security.
Post by chris on Dec 12, 2013 16:48:42 GMT
At the same time it's already an expensive marketing proposition to attract new lenders on to a platform (to the best of my knowledge FC have never turned a profit despite millions of investment and vast amounts spent on marketing, for example). Around half of all people drop out of the registration process just because we ask them to identify themselves - something we're required to do by law. Another large percentage of people go through the registration process, ID check, but then never lend. Some even deposit money but never lend it out, which I find bizarre. For every user that understands that better security is offered, there'll be another that doesn't care, and many more that don't understand and find all this talk about security a worry putting them off using the service.
Also imagine the customer service nightmare when existing users suddenly can't use the site as they've made a mistake in setting up their new security settings.
Finally you are going to have a hard time getting people to agree on which systems and security setup is best. Personally I'm not that bothered about key loggers for example - if someone has administrator access to your computer there are many other mechanisms via which you can be compromised than key logging, and if someone has physical access to the room you're in then there are even ways of logging which keys you are pressing based on the EM radiation from your wired keyboard or using acoustic analysis. I'm sure some experts would agree with me whilst other experts who know far more than me will say that it's a threat worth protecting against.
So I do agree with much of your sentiment but I also have to make sure that whatever we do will be well received by our users, will not put people off using our service, and will actually make a material difference to the security of our users' funds rather than give a false sense of security or have an overall adverse effect. Merely offering additional security as an option would put us ahead of the competition for those that care, and we can always review and either make it required or at least more prominent further down the line.
I like the idea of using a separate device and service to gain access to your account using a time based cryptographic key, much like Barclays bank uses. Combined with a username and password I feel that would be adequate protection for most users and much better than the existing schemes used by all other peer to peer sites. But I'd need a lot of persuading to make that mandatory from day one without first seeing what the takeup was like and gathering feedback from users.
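
The time-based one-time code and the designated withdrawal account discussed in this thread can be combined as follows; this is an added example, not code from any platform mentioned here or from Authy. It uses the standard RFC 6238 algorithm, and the `Lender` class, its method names and the demo values are assumptions made for illustration.

```python
import hashlib, hmac, struct

STEP = 30  # seconds per code (RFC 6238 default)

def totp(secret: bytes, now: float, digits: int = 6) -> str:
    """RFC 6238: HMAC-SHA1 over the time-step counter, dynamically truncated.
    Both sides compute it from the shared secret and a clock, so no signal is needed."""
    counter = int(now) // STEP
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % 10 ** digits).zfill(digits)

class Lender:  # hypothetical account record, not any platform's real model
    def __init__(self, secret: bytes, designated_account: str):
        self.secret = secret
        self.designated_account = designated_account
        self.last_counter = -1  # highest time step already accepted

    def check_code(self, code: str, now: float, drift: int = 1) -> bool:
        """Accept a code from the current step +/- drift, never the same step twice."""
        current = int(now) // STEP
        for counter in range(current - drift, current + drift + 1):
            if counter <= self.last_counter:
                continue  # a logged code cannot be replayed
            expected = totp(self.secret, counter * STEP)
            if hmac.compare_digest(expected.encode(), code.encode()):
                self.last_counter = counter
                return True
        return False

    def masked_account(self) -> str:
        return "*" * (len(self.designated_account) - 4) + self.designated_account[-4:]

    def withdraw(self, destination: str, code: str, now: float) -> str:
        if destination != self.designated_account:
            return "refused: not the designated account"
        if not self.check_code(code, now):
            return "refused: bad or reused one-time code"
        return "queued for manual approval to " + self.masked_account()

    def change_designated_account(self, new_account: str, code: str, now: float) -> bool:
        # Changing the payout account needs a fresh code, not just the password.
        if not self.check_code(code, now):
            return False
        self.designated_account = new_account
        return True

if __name__ == "__main__":  # constructed demo values (RFC 4226 test secret)
    print(Lender(b"12345678901234567890", "12345678").withdraw("12345678", "287082", 59))
```

A keylogged password plus one captured code is not enough here: the code is bound to its 30-second step and is rejected once used.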