Post by isecguy on Mar 13, 2017 17:43:35 GMT
Hi all! There have been a number of threads here in recent weeks about a variety of security concerns people have with various P2P sites (i.e. 1, 2, 3, etc) which I've been following with interest. As an independent security researcher, I thought it was perhaps about time to conduct an in-depth review into the current state of security within the growing UK P2P lending industry, and the results were... well, pretty depressing... but at the same time I'm sure will be of interest to folks here!

Some of the key findings* were:
- 82% ignore security-related correspondence
- 64% reveal account disclosure via their websites
- 49% allow passwords <8 characters long
- 23% allow single character passwords
- 18% were potentially vulnerable to "CloudBleed"
- 8% share common SSL certificates with "adult" websites
- 8% offer (optional) Two-Factor Authentication (2FA)
- 5% still vulnerable to "POODLE" attacks
You can read the full article here: The State of Security in the UK P2P Lending Industry
* based on analysis of the 39 UK P2P sites which had their own boards within the forums here at time of analysis in February 2017.
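The POODLE finding above is the one item on the list a reader can verify independently, so here is an added example (my own code, not the article's or the OP's; the article does not say how its POODLE check was done). POODLE needs two things at once: the server must still accept an SSLv3 handshake, and it must negotiate a CBC-mode cipher. The probe below builds a raw SSLv3 ClientHello offering only CBC suites and classifies the first record that comes back. It works at the socket level because SSLv3 support in Python's ssl module depends on how the underlying OpenSSL was built, and most current builds have it compiled out. The ServerHello used for the offline check is constructed, not captured from any site, and `probe()` should only be pointed at hosts you are authorised to test.

```python
import os
import socket
import struct
from typing import Optional

SSL3_VERSION = 0x0300

# SSLv3-era CBC suites only. POODLE needs SSLv3 *and* a CBC-mode cipher, so RC4
# suites are deliberately left out: any suite the server picks from this list is CBC.
CBC_SUITES = {
    0x000A: "TLS_RSA_WITH_3DES_EDE_CBC_SHA",
    0x002F: "TLS_RSA_WITH_AES_128_CBC_SHA",
    0x0035: "TLS_RSA_WITH_AES_256_CBC_SHA",
    0x0033: "TLS_DHE_RSA_WITH_AES_128_CBC_SHA",
    0x0039: "TLS_DHE_RSA_WITH_AES_256_CBC_SHA",
}


def build_sslv3_client_hello(client_random: Optional[bytes] = None) -> bytes:
    """Record layer + ClientHello handshake message, version 3.0, no extensions (SSLv3 has none)."""
    rnd = client_random if client_random is not None else os.urandom(32)
    suites = b"".join(struct.pack(">H", s) for s in CBC_SUITES)
    body = (
        struct.pack(">H", SSL3_VERSION)              # client_version
        + rnd                                         # 32-byte random
        + b"\x00"                                     # session_id: empty
        + struct.pack(">H", len(suites)) + suites     # cipher_suites
        + b"\x01\x00"                                 # compression_methods: null only
    )
    handshake = b"\x01" + len(body).to_bytes(3, "big") + body   # HandshakeType client_hello
    return b"\x16" + struct.pack(">H", SSL3_VERSION) + struct.pack(">H", len(handshake)) + handshake


def classify_response(data: bytes) -> str:
    """Classify the first record a server returns to the SSLv3 ClientHello.

    'sslv3_cbc_accepted'  ServerHello, version 3.0, one of our CBC suites: POODLE-exposed
    'sslv3_other_suite'   ServerHello, version 3.0, but a suite we never offered (misbehaving server)
    'refused'             alert record (protocol_version, handshake_failure, ...): SSLv3 is off
    'closed'              no bytes at all: connection dropped, also consistent with SSLv3 off
    'unexpected'          anything else (not an SSL/TLS service, truncated or garbled record)
    """
    if not data:
        return "closed"
    if len(data) < 5:
        return "unexpected"
    content_type = data[0]
    rec_len = struct.unpack(">H", data[3:5])[0]
    payload = data[5:5 + rec_len]
    if content_type == 0x15:                                              # alert
        return "refused"
    if content_type != 0x16 or len(payload) < 4 or payload[0] != 0x02:   # handshake / server_hello
        return "unexpected"
    hs_len = int.from_bytes(payload[1:4], "big")
    hello = payload[4:4 + hs_len]
    if len(hello) < 35:                              # version(2) + random(32) + session_id_len(1)
        return "unexpected"
    server_version = struct.unpack(">H", hello[0:2])[0]
    pos = 35 + hello[34]                             # skip session_id
    if len(hello) < pos + 2:
        return "unexpected"
    suite = struct.unpack(">H", hello[pos:pos + 2])[0]
    if server_version != SSL3_VERSION:               # a compliant server alerts instead of answering with another version
        return "unexpected"
    return "sslv3_cbc_accepted" if suite in CBC_SUITES else "sslv3_other_suite"


def probe(host: str, port: int = 443, timeout: float = 5.0) -> str:
    """Live check against a host you are authorised to test. One TCP read is enough to
    see the ServerHello (or the alert) even when more handshake messages follow it."""
    with socket.create_connection((host, port), timeout=timeout) as sock:
        sock.sendall(build_sslv3_client_hello())
        try:
            data = sock.recv(4096)
        except socket.timeout:
            return "unexpected"
        except ConnectionResetError:
            data = b""
    return classify_response(data)


def constructed_server_hello(version: int, suite: int) -> bytes:
    """Constructed sample response (not captured from any real site) for offline checks of the parser."""
    body = struct.pack(">H", version) + bytes(32) + b"\x00" + struct.pack(">H", suite) + b"\x00"
    hs = b"\x02" + len(body).to_bytes(3, "big") + body
    return b"\x16" + struct.pack(">H", version) + struct.pack(">H", len(hs)) + hs
```

Usage is `probe("example.com")`; a result of `sslv3_cbc_accepted` is the POODLE case, `refused` or `closed` means SSLv3 is disabled. Because SSLv3 has no extensions there is no SNI in this ClientHello, which does not matter for version negotiation but does mean the certificate you would see on a shared-IP host (Cloudflare and similar) is the default one, not necessarily the site's.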
ozboy
Member of DD Central
Mine's a Large One! (Snigger, snigger .......)
Posts: 3,168
Likes: 4,859
Post by ozboy on Mar 13, 2017 17:50:45 GMT
> Hi all! There have been a number of threads here in recent weeks about a variety of security concerns people have with various P2P sites (i.e. 1, 2, 3, etc) which I've been following with interest. As an independent security researcher, I thought it was perhaps about time to conduct an in-depth review into the current state of security within the growing UK P2P lending industry, and the results were... well, pretty depressing... but at the same time I'm sure will be of interest to folks here!
>
> Some of the key findings* were:
> - 82% ignore security-related correspondence
> - 64% reveal account disclosure via their websites
> - 49% allow passwords <8 characters long
> - 23% allow single character passwords
> - 18% were potentially vulnerable to "CloudBleed"
> - 8% share common SSL certificates with "adult" websites
> - 8% offer (optional) Two-Factor Authentication (2FA)
> - 5% still vulnerable to "POODLE" attacks
>
> You can read the full article here: The State of Security in the UK P2P Lending Industry
>
> * based on analysis of the 39 UK P2P sites which had their own boards within the forums here at time of analysis in February 2017.

Thanks isecguy, very interesting & helpful. "Security" btw means many things in P2P so best you confirm you mean "IT/Computer/PC/Software/Systems Security".
adrianc
Member of DD Central
Posts: 10,027
Likes: 5,152
Post by adrianc on Mar 13, 2017 18:30:47 GMT
It's a very thorough analysis, and shame on the platforms who couldn't be bothered to respond properly - even if only to say "Sorry, but we're not telling you."... There's no reason not to say, since security-through-obscurity is not secure.
One thing doesn't appear to have been considered, though, in the 2-factor authentication section. Parallels are drawn with online banking. Yes, sure. But... Banks provide authentication devices FOC to customers, often to work with their bank cards. Obviously, that's not feasible for P2P platforms. So the 2FA that is there is via mobile phone - an SMS is sent. Great, everybody has a mobile, right? No. Not everybody! No, this is NOT by choice. I have zero mobile signal on ANY network at home... Making 2FA mandatory, via SMS, would make a platform a total and utter non-starter for me.
(BTW - "sudo-impressive"? ITYM "pseudo-impressive"... Yer geek's showing!)
Post by isecguy on Mar 13, 2017 18:40:28 GMT
> Thanks isecguy, very interesting & helpful. "Security" btw means many things in P2P so best you confirm you mean "IT/Computer/PC/Software/Systems Security".

Thanks ozboy, I've modified the topic title to avoid any potential confusion.
Post by isecguy on Mar 13, 2017 18:50:43 GMT
> I have zero mobile signal on ANY network at home... Making 2FA mandatory, via SMS, would make a platform a total and utter non-starter for me.

It's a very valid point! ...and given the choice, I'd rather see the non-2FA and 2SV sites move over to optional 2FA, than for the current 3 sites offering it as an option to start "enforcing" it.

> (BTW - "sudo-impressive"? ITYM "pseudo-impressive"... Yer geek's showing!)

Ha! Good spot! ...I've corrected to "pseudo" for the non-geeks out there!
adrianc
Member of DD Central
Posts: 10,027
Likes: 5,152
Post by adrianc on Mar 13, 2017 19:00:17 GMT
Should add that I was very impressed with Google Authentificationifierisation at this year's tax-return o'clock, so wouldn't necessarily rule that out. But there's probably (hefty?) cost implications for the platform.
Post by isecguy on Mar 13, 2017 19:59:41 GMT
> Looking at the blog entry, I know that the OP has spent a considerable amount of effort and time compiling this information and a simple 'like' doesn't cover my appreciation in the slightest. I'm so pleased this is being pulled kicking and screaming into the open. And like the blog says, it doesn't take much to fix 95% of this. There's no excuse. I owe you a pint.

Thanks paul123 - I really appreciate your comments! The last thing we all want is for there to be a serious breach in a P2P site, which could in turn undermine the industry and make it all come crashing down - so my hope is that in publishing this it will serve as a much needed "wake up" call to the industry to improve!
beh
Member of DD Central
Posts: 175
Likes: 77
Post by beh on Mar 13, 2017 20:04:40 GMT
Wow, that's very thorough, a great effort.
Only thing I would question would be the bit about running old or EOL server software, are you perhaps ignoring backporting?
Quite surprised at the sites using shared certificates on cloudflare, it seems embarrassingly cheap not to upgrade to the necessary paid plan.
Hoping some of these platforms get back to you with some updates after seeing your blog.
bigfoot12
Member of DD Central
Posts: 1,817
Likes: 816
Post by bigfoot12 on Mar 13, 2017 20:40:12 GMT
> I have zero mobile signal on ANY network at home... Making 2FA mandatory, via SMS, would make a platform a total and utter non-starter for me.

TuGo on the O2 network worked very well for me when my office at work was in the basement and there was no network signal (it uses wifi). Text worked much better than calls. I am now on Three and (before I moved upstairs) Three inTouch was okay. I use it at home.

Edit: Both are official apps of their respective networks.
nick
Member of DD Central
Posts: 1,056
Likes: 825
Post by nick on Mar 13, 2017 20:46:28 GMT
> It's a very thorough analysis, and shame on the platforms who couldn't be bothered to respond properly - even if only to say "Sorry, but we're not telling you."... There's no reason not to say, since security-through-obscurity is not secure.
>
> One thing doesn't appear to have been considered, though, in the 2-factor authentication section. Parallels are drawn with online banking. Yes, sure. But... Banks provide authentication devices FOC to customers, often to work with their bank cards. Obviously, that's not feasible for P2P platforms. So the 2FA that is there is via mobile phone - an SMS is sent. Great, everybody has a mobile, right? No. Not everybody! No, this is NOT by choice. I have zero mobile signal on ANY network at home... Making 2FA mandatory, via SMS, would make a platform a total and utter non-starter for me.
>
> (BTW - "sudo-impressive"? ITYM "pseudo-impressive"... Yer geek's showing!)

Even if you don't have a mobile, you can use a free SMS message board service where the SMS gets displayed on a public website. There are a lot of sites that offer this service, eg www.receivesmsonline.net/ . Although the code is displayed on a public website along with the sender's number, it is useless to third parties unless your hacker knows you have directed your SMS to that particular site (and they have the rest of your log-in details). I tend to use this when I travel abroad as I find SMS sometimes unreliable when on non-native networks.
daveb4
Member of DD Central
Posts: 220
Likes: 116
Post by daveb4 on Mar 13, 2017 20:47:40 GMT
Thanks a lot for this.
This is my major concern re risk in P2P.
Hopefully the P2P companies will take note and implement some of your concerns. I especially look forward to updates which I am sure will come in thick and fast!
Personally I would be happy to reduce interest rates/pay a little towards sorting this out.
With confidence in security I would be happy to increase limits in specific companies and start reducing in the offenders.
adrianc
Member of DD Central
Posts: 10,027
Likes: 5,152
Post by adrianc on Mar 13, 2017 20:59:15 GMT
> > I have zero mobile signal on ANY network at home... Making 2FA mandatory, via SMS, would make a platform a total and utter non-starter for me.
>
> TuGo on the O2 network worked very well for me when my office at work was in the basement and there was no network signal (it uses wifi). Text worked much better than calls. I am now on Three and (before I moved upstairs) Three inTouch was okay. I use it at home. Edit: Both are official apps of their respective networks.

Interesting, ta. But looking at Voda's web page (they're the only network with anything like usable coverage round these parts), you need a pay-monthly contract and one of a very short list of relatively new, high-spec phones... www.vodafone.co.uk/explore/network/network-improvements/wi-fi-calling/

They have the microcells, too, and we're lucky enough we've got adequate broadband since fibre finally made an appearance - but many around here don't. www.vodafone.co.uk/shop/accessories/sure-signal/
Post by isecguy on Mar 13, 2017 21:01:00 GMT
> Thanks a lot for this. Hopefully the P2P companies will take note and implement some of your concerns. I especially look forward to updates which I am sure will come in thick and fast! With confidence in security I would be happy to increase limits in specific companies and start reducing in the offenders.

You've hit the nail on the head! That's essentially what it boils down to - confidence in a platform's attitude and approach to security, and a lot of that is down to communication as much as it is the various security issues themselves. This exercise has been a real eye opener to me - and my perception of the attitude and approach to security of each platform has somewhat shifted from what it was before I embarked on this research, to what it is now. There were platforms that I had expected would be quite open, responsive and willing to engage on security issues which in the end weren't, and others that I wasn't expecting much from, but I was pleasantly surprised by their subsequent engagement! I certainly do hope the platforms take note, and address their various issues, and I very much look forward to some more platform responses too (given most ignored my private attempts to contact them directly!) to help instil more confidence in their platforms!
registerme
Member of DD Central
Posts: 6,624
Likes: 6,437
Post by registerme on Mar 13, 2017 21:31:58 GMT
That's an impressive piece of work. It will be interesting to see how the platforms (and regulators, and p2pfa?) respond.
bigfoot12
Member of DD Central
Posts: 1,817
Likes: 816
Post by bigfoot12 on Mar 13, 2017 21:33:52 GMT
> > TuGo on the O2 network worked very well for me when my office at work was in the basement and there was no network signal (it uses wifi). Text worked much better than calls. I am now on Three and (before I moved upstairs) Three inTouch was okay. I use it at home. Edit: Both are official apps of their respective networks.
>
> Interesting, ta. But looking at Voda's web page (they're the only network with anything like usable coverage round these parts), you need a pay-monthly contract and one of a very short list of relatively new, high-spec phones... www.vodafone.co.uk/explore/network/network-improvements/wi-fi-calling/

I haven't used Vodafone, and I did have an O2 contract, but TU Go could be used in a web browser. In fact I preferred sending text messages from my PC. No need for a new phone; I have a Nexus 4. Phone calls could be hit and miss, however; sometimes I sounded like I was using a flanger and echo machine.