stevio
Member of DD Central
Posts: 2,065
Likes: 894
Post by stevio on Jan 3, 2017 19:47:09 GMT
It's a serious hacking concern with fundingsecure. A username/password combination is meant to give multiple permutations to make it very difficult for a hacker to access your account. If you openly publish 50% of someone's security details, it naturally makes it 50% easier for a hacker (i.e. the hacker already has half of your security details, given away freely by @fundingsecure), along with an idea of the amounts you invest and the likely amounts they might be able to access. Combine that with the simple fact that the majority of people use the same username/password combination for multiple systems: should a hacker gain access to your password from another, less secure site (e.g. a forum, for instance), they can then Google your username and clear out any accounts where the combination is used. PayPal has been an easy target this way; it sends the username (email address) in any transaction. It's hardly a difficult thing to anonymize a username in bids. But fundingsecure doesn't care about lenders' security, as it was brought to their attention some time ago and they couldn't be bothered to change it.
james
Posts: 2,205
Likes: 955
Post by james on Jan 3, 2017 22:53:40 GMT
> It's a serious hacking concern with fundingsecure. A username/password combination is meant to give multiple permutations to make it very difficult for a hacker to access your account.
Yes, it is a serious security concern, as Tesco recently demonstrated in the first major UK bank financial loss to a single organised attack, which was caused by them leaking account IDs. Tesco issued consecutive debit card numbers, so an attacker who knew one could get both the next number and its expiration date easily. So both were usually right when "guessing". Normal properly secure practice is to issue randomised numbers so you cannot accurately "guess" an unknown card number and expiration date, which means that a high wrong-details rate makes it far easier to identify that an attack is happening and automatically block it. Funding"Secure" has the same sort of issue: every account ID guess can be right via account ID harvesting. The Tesco issue was made worse by a card brand that didn't rate limit multiple attempts to use the card at different sites, so you could try the same card number and expiration with other info at 1000 different sites and not be blocked, letting you continue to guess at what you haven't already been told. The other major issuer does block that with a rate limit.
Neil_P2PBlog
P2P Blogger
Use @p2pblog to tag me :-)
Posts: 355
Likes: 209
Post by Neil_P2PBlog on Jan 3, 2017 23:07:44 GMT
> It's a serious hacking concern with fundingsecure. A username/password combination is meant to give multiple permutations to make it very difficult for a hacker to access your account.
> Yes, it is a serious security concern, as Santander recently demonstrated in the first major UK bank financial loss to a single organised attack, which was caused by them leaking account IDs. Santander issued consecutive debit card numbers, so an attacker who knew one could get both the next number and its expiration date easily. So both were usually right when "guessing". Normal properly secure practice is to issue randomised numbers so you cannot accurately "guess" an unknown card number and expiration date, which means that a high wrong-details rate makes it far easier to identify that an attack is happening and automatically block it. Funding"Secure" has the same sort of issue: every account ID guess can be right via account ID harvesting. The Santander issue was made worse by a card brand that didn't rate limit multiple attempts to use the card at different sites, so you could try the same card number and expiration with other info at 1000 different sites and not be blocked, letting you continue to guess at what you haven't already been told. The other major issuer does block that with a rate limit.
Earlier today I accidentally googled my email address (rather than the email provider) and the first result was a website listing all the hacks it had been in, with the opportunity to view the data for $4 worth of bitcoin. Scary stuff.
Post by eascogo on Jan 3, 2017 23:47:04 GMT
If the latest comments by stevio, samford71, and james with regard to security are justified then why has the alarm not been sounded earlier and fundingsecure taken steps to close a security loophole?
james
Posts: 2,205
Likes: 955
Post by james on Jan 4, 2017 3:07:38 GMT
The alarm was apparently raised and they chose not to address it, up to them to say why.
Star use or use of identifiers that aren't also valid for login would be two ways to address it while preserving the part of the functionality that doesn't involve telling people by "name" what someone else is doing.
Mitigations can include checks of passwords against dictionaries of common passwords to make password-guessing attacks harder, but that won't work in the case stevio described. That risk can be partly addressed by comparing IDs and the hashes of the passwords with the hashes of passwords from recent attacks. Hashes for this because I assume that they aren't foolish enough to store actual passwords anywhere on their systems, and their systems are new enough to have implemented this basic security measure. Locations of login attempts and client browser properties can also be used as a risk-of-compromise indicator, perhaps combined with a delay in allowing use of a new account for withdrawing and the assumption that the email address may also have been compromised.
Non-financial places have a role to play in financial site security as well, by never storing actual passwords on their systems. If not stored, they can't be taken and tried at financial sites. We can help with this by using different email addresses and other login details so that compromised details won't work. I use different email addresses for roughly every firm and person I provide email addresses to outside work. Places like Gmail let you add a modifier to your base email address to create new ones every time.
If a base Gmail address is abc@gmail.com, all of these forms are also automatically valid to get mail to that address: a.bc, a....bc, abc+somewebsite, a.b.c+someotherwebsite. So you can just add something after the + that is different for each place. The base email address is always known, but the after-+ variation used for different places isn't, and that will be sufficient to block email address reuse in logins. Humans or clever tools may be able to guess the suffix, so a bit of care is needed by high-value target individuals, but most attacks will just use the unmodified compromised email address from one place in the attempts at others.
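An added example (not code from the thread or from any platform mentioned in it) of the login-time checks described in this post: a common-password dictionary, a comparison of the submitted password's hash against a dump of hashes from recent attacks, and Gmail dot/plus canonicalisation so that a breached base address is matched to an account registered under a `+site` variant. The breach dump, common-password list and the use of SHA-1 as the dump's hash function are all constructed assumptions for illustration.

```python
import hashlib

# Constructed sample data for this example; not real breach data.
COMMON_PASSWORDS = {"password", "123456", "qwerty", "letmein"}


def sha1_hex(password: str) -> str:
    """Hash a password the way the (assumed) breach dump does, for comparison."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest()


# Constructed "recent attack" dump: base mailbox -> set of leaked password hashes.
BREACH_HASHES = {
    "abc@gmail.com": {sha1_hex("summer2016"), sha1_hex("hunter2")},
    "bob@example.org": {sha1_hex("correct horse")},
}


def canonical_email(addr: str) -> str:
    """Map Gmail variants (a.b.c+site@gmail.com, A....BC@googlemail.com) to the
    base mailbox abc@gmail.com. Other domains are only lower-cased, since their
    rules for dots and plus-suffixes differ."""
    local, _, domain = addr.strip().lower().rpartition("@")
    if domain in ("gmail.com", "googlemail.com"):
        local = local.split("+", 1)[0].replace(".", "")
        domain = "gmail.com"
    return f"{local}@{domain}"


def assess_login(email: str, password: str) -> str:
    """Classify a login attempt as 'reject', 'reset', 'watch' or 'ok'.

    reject: password is in the common-password dictionary.
    reset:  this mailbox appeared in a breach with this exact password, so the
            credential is known to attackers and must be changed.
    watch:  the mailbox appeared in a breach but with other passwords; allow the
            login but treat the email as possibly compromised (e.g. delay
            withdrawals, require step-up verification).
    ok:     no signal from these checks.
    """
    if password.lower() in COMMON_PASSWORDS:
        return "reject"
    leaked = BREACH_HASHES.get(canonical_email(email))
    if leaked is None:
        return "ok"
    return "reset" if sha1_hex(password) in leaked else "watch"
```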
james
Posts: 2,205
Likes: 955
Post by james on Jan 4, 2017 3:37:27 GMT
> Earlier today I accidentally googled my email address (rather than the email provider) and the first result was a website listing all the hacks it had been in, with the opportunity to view the data for $4 worth of bitcoin. Scary stuff.
Yes, someone who knows the email address used at a site they want to get into can use that sort of approach to find all of the compromised passwords used with the address, then try those first so they have more chance of getting in without being affected by a rate limit or block for too many wrong tries. After those, a dictionary of common passwords can be tried. I don't yet know of a jurisdiction where it is a crime to store actual passwords for login checking, but the economic and other harm caused by such insecure practices is non-trivial, so that is the way things can go for new systems, with a transition time for others, along with strict liability for all consequential financial losses that result if the information is stolen and reused.
stevio
Member of DD Central
Posts: 2,065
Likes: 894
Post by stevio on Jan 6, 2017 18:39:11 GMT
Looks like fundingsecure took notice: anonymised usernames are now shown! Also, they list the LTV on the Available Investments page and allow sorting by LTV (not sure if this is new?).