Post by Collateral Rep on Mar 14, 2017 11:20:33 GMT
Hi isecguy, I just want to make a couple of observations and comments re your detailed article. Firstly just to clarify, Peter was a little reluctant initially to engage with yourself because you hadn't put a signature or introduction to yourself on your email, it was just questions with no idea of who was asking those questions. You explained you wanted to be anonymous, but to be fair it was a little unusual. As far as we are aware the contact form has always worked, there is an email address for investors when logged in and there is a telephone number on the footer of all the front end pages. So to get in touch with Collateral is quite straightforward. On another note we were already going through security checks etc., and as of the article's date, the 13th of March 2017, you are not correct on five of your key factors. The two we haven't done yet are the Forward and Cookie points but are on with these. I hope you don't mind me making these points and as the article is dated, we would appreciate the information on Collateral being updated to reflect where we were and are at the time of publishing. Many thanks, Gordon
Post by isecguy on Mar 14, 2017 11:35:30 GMT
Hi isecguy, I just want to make a couple of observations and comments re your detailed article. Firstly just to clarify, Peter was a little reluctant initially to engage with yourself because you hadn't put a signature or introduction to yourself on your email, it was just questions with no idea of who was asking those questions. You explained you wanted to be anonymous, but to be fair it was a little unusual. As far as we are aware the contact form has always worked, there is an email address for investors when logged in and there is a telephone number on the footer of all the front end pages. So to get in touch with Collateral is quite straightforward. On another note we were already going through security checks etc., and as of the article's date, the 13th of March 2017, you are not correct on five of your key factors. The two we haven't done yet are the Forward and Cookie points but are on with these. I hope you don't mind me making these points and as the article is dated, we would appreciate the information on Collateral being updated to reflect where we were and are at the time of publishing. Many thanks, Gordon
Hey Gordon! Many thanks for your response, and for the previous communication I've had with Peter. I'm happy to clarify that the information in my article was correct at time of analysis (February 2017), and have added this as a footnote to the original article. I'm also pleased to hear you've already addressed the majority of issues I'd previously raised with Peter, and are working on the remainder! I will be posting a follow-up article in the next few days, collating various platform responses received since publication of my article, and I'm more than happy to include your update in this! Thanks again for engaging and for taking security seriously!
Post by am on Mar 14, 2017 14:07:31 GMT
While I don't really want to suggest more work, it would be interesting to compare standards/thoroughness/robustness of p2p platforms as a whole with day-to-day banking sites (Barclays, Lloyds, etc), insurance/building society/shares ISA providers (Legal & General, Nationwide, HL, etc), utilities (British Gas, etc), or even HMRC. I wonder if the report is being a little unfair singling out P2P, or is the feeling that the other sectors mentioned have far less to do - perhaps because there have already been (public) breaches in security there that have focused minds on security sooner? 2 factor authorisation isn't universal among banks, building societies, brokers, etc. They do tend to be more consistent about requiring two stage verification (which as the OP points out usually doesn't do much), and often require you to enter specific characters from a password, rather than the whole password, which I am willing to believe reduces the risks of man-in-the-middle attacks.
Post by isecguy on Mar 14, 2017 18:51:36 GMT
Just to keep you all updated, today I've had some quite good and encouraging responses from a number of the platforms in relation to the questions in my original correspondence to them, and to the research article itself (namely from ArchOver, Collateral, LandBay and PropLend - many thanks guys!)
I'm collating and will publish these responses in the next day or so, and so I'd like to take this opportunity to again invite responses from those platforms/platform reps who have so far remained silent...
Post by isecguy on Mar 15, 2017 14:19:58 GMT
More progress today; three more platforms have responded via social media asking if I can resend a copy of my original correspondence to them - which I'm happy to oblige! I've also had responses this afternoon from RateSetter's Head of Information Security, and from Invest & Fund, and I'm anticipating additional responses from both Growth Street and Money & Co shortly too... The following platforms, who have so far remained silent, are also most welcome to respond...
Post by andrewholgate on Mar 15, 2017 14:34:44 GMT
The tone is slightly passive aggressive and displays a lack of knowledge on us as you've tagged two credit people. I will say that silence comes from not even being aware you had asked me a question. Unless I get tagged, quoted or DM'd, I won't see 95% of what is posted on here. I've flagged with chris who is better placed to respond.
Post by ilmoro on Mar 15, 2017 14:36:02 GMT
isecguy, the contact for Lending Works is Matthew, just to complete the list. Might be better to tag chris for Assetz as he's the CTO, also at Funding LendingWell.
Post by chris on Mar 15, 2017 14:43:58 GMT
isecguy, the contact for Lending Works is Matthew, just to complete the list. Might be better to tag chris for Assetz as he's the CTO, also at Funding Well
LendingWell, and not any more. I was only ever advisory and stepped back from that earlier this year as their plans changed and they needed different and more full time support. In terms of the AC response, the original questions made their way to me this morning and I've sent our response to our compliance officer and head of marketing for clearance. Any public response will then be down to them, taking into account wider considerations than just the technical insights I can provide.
Post by isecguy on Mar 15, 2017 15:06:28 GMT
The tone is slightly passive aggressive...
Apologies Andrew if you felt my tone was "passive aggressive" - that certainly wasn't the intention! I have previously reached out to AC via both email and Social Media, with no response, so I'm just trying to give your platform every opportunity to respond should you wish, hence the reason for tagging you and David (the two most recently active AC representatives on these forums) in the above post. No "aggression" is intended!
Post by stevefindlay on Mar 15, 2017 18:36:48 GMT
We don't reply to questions regarding the specifics of our security set up.
Also, it may be worth noting that the review covers the front end of these websites, which may be structured differently to the back end.
It would be interesting to compare the results of this analysis to the same analysis repeated on more traditional financial services websites - e.g. banks and share dealing services.
Good luck with this initiative.
Post by isecguy on Mar 27, 2017 15:06:22 GMT
Post by sl125 on Mar 27, 2017 18:25:16 GMT
isecguy
I have to say that the idea of an information security analysis being conducted through an anonymous blog and tweets fills me with alarm. And reading the responses from the various platform spokespeople (all of whom transparently declare their credentials) it appears they are equally concerned at receiving anonymous correspondence asking for detailed information about their approaches to security.
Put the ball on the other foot: if you were the CISO for an organisation, how would you respond to such an email from an anonymous source, particularly when there are so many such emails arriving in your inbox - some of which are genuine, most of which are deliberate attempts at phishing / fishing for information.
On your blog you state (by way of justifying treating their lack of engagement with you as a negative) "if a company is implementing their security correctly and taking it seriously, they should have no issues answering the kind of questions I asked. Inability to answer such basic questions demonstrates paranoia and a lack of understanding of basic security fundamentals". Not to beat about the bush on this, but a good demonstration of basic security fundamentals would usually entail engaging in such discussions only with people who have gained your trust in such matters in the first place. It is hardly surprising that most platforms did not respond to you. I would be more worried about those platforms that immediately told you where the sweeties were hidden.
"Come come, Mr Total Stranger, I trust you so much I'm going to show you where I keep my keys"...
Post by isecguy on Mar 27, 2017 19:44:59 GMT
Hey sl125 - thanks for your comments! If you'll allow me, I'd like to pick up on a couple of them..
Put the ball on the other foot: if you were the CISO for an organisation, how would you respond to such an email from an anonymous source, particularly when there are so many such emails arriving in your inbox - some of which are genuine, most of which are deliberate attempts at phishing / fishing for information.
I actually do handle security for a global software vendor and I would have no issue responding to an email containing the same content as the ones I sent in my research, regardless of who the sender was. I think it's fair to say that most security professionals can tell the difference between legitimate security questions (and understand their own security measures well enough to know that responding to such questions does not pose an increased threat, or provide someone with an "attack vector"), and "phishing" emails designed to entice and deceive people into clicking a malicious link, or part with their login details/passwords, etc. No links (clickable or otherwise) were present in my emails to the 39 platforms, nor were any requests made for access to any individual's password/credentials/account details, etc.
It is hardly surprising that most platforms did not respond to you. I would be more worried about those platforms that immediately told you where the sweeties were hidden.
If the platforms are doing their security right, I'm not quite sure what "sweeties" you perceive would have been revealed through answering the specific questions I asked? Also, please do have a look at how businesses like Dropbox openly disclose how they store passwords - that information has been put in the public domain by Dropbox themselves - how is that in any way revealing "sweeties"?
I'd also refer back to "Security Through Obscurity". Finally, at the end of the day it's not really about who I am - and that shouldn't be the focus - what really matters is that there's now (hopefully) a greater awareness and subsequent strengthening of IT security within the UK P2P industry, which we as investors can only benefit from!
Post by Neil_P2PBlog on Mar 27, 2017 20:45:00 GMT
A couple of them make a (IMHO) reasonable excuse that they thought it was someone/ an agency trying to engage them in order to sell them something.
Post by sl125 on Mar 28, 2017 20:38:24 GMT
Hi Infosecguy
Whilst I commend you for the intent of your analysis, I still cannot agree with your view that an organisation's CISO has any responsibility to respond to an unsolicited email from an anonymous blogger asking them about their security policies. Newp2p hits the nail on the head when he draws a distinction between the use of "security through obscurity" at a technical level (which I agree is counterproductive) versus obscuring what security policies an organisation has put in place (which is very much encouraged).
Indeed, your own analysis points out the reasons for obscuring certain things (e.g. account disclosure via password reset... absolutely good advice you give there to ensure the message conveyed to the user does not give away the inclusion or omission of that user account in the set of valid users). And that is my point - no information security officer in their right mind would disclose what techniques they use to a person they have no knowledge of, and so cannot trust.
So yes, it is about who you are, since trust is the key to personnel security.
Where I would agree re: the obscurity debate is the implementation of security technologies. Take encryption: we know that public-private key encryption is robust because of the wealth of peer-reviewed scientific evidence that is freely available concerning the mathematical relationship between the keys (and the research into finding a proof for the Riemann Hypothesis).
As was pointed out by some of the respondents, your analysis was simply conducted against their "front door" and so it would be simplistic to infer anything about the wider security policies of those organisations. Often, it's the business processes behind the scenes that are the weakest link.
Finally, you might want to look at NCSC's latest guidance on password policies (https://www.ncsc.gov.uk/guidance/password-guidance-simplifying-your-approach), and why they consider complex password policies are a bad idea.
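The password-reset point raised above (the message shown to the user must not reveal whether an address belongs to an account), as an added example that is not part of this thread or of any platform's code; it assumes a hypothetical in-memory user store and a stubbed mailer, and shows the leaky handler beside the enumeration-safe one:

```python
import secrets

# Constructed sample user store (hypothetical data): email -> user id.
USERS = {"alice@example.com": 1, "bob@example.com": 2}

# Stand-in for the outgoing mail queue: reset tokens "sent" per address.
SENT_TOKENS: dict = {}

GENERIC_MSG = ("If that email address is registered with us, a password "
               "reset link has been sent to it.")


def reset_leaky(email: str):
    """The pattern the thread warns about: status code and wording differ
    for registered and unregistered addresses, so the endpoint doubles as
    an account-existence oracle."""
    email = email.strip().lower()
    if email not in USERS:
        return 404, "No account exists for that email address."
    SENT_TOKENS[email] = secrets.token_urlsafe(32)
    return 200, "A reset link has been sent to your email address."


def reset_safe(email: str):
    """Enumeration-safe variant: identical status and text on both paths.
    The address is normalised and the token generated before the lookup,
    so the work done (and hence the response time) is similar either way;
    the token is only queued for delivery when the account exists."""
    email = email.strip().lower()
    token = secrets.token_urlsafe(32)
    if email in USERS:
        SENT_TOKENS[email] = token         # stub for "send reset mail"
    return 200, GENERIC_MSG


def responses_identical(handler, known: str, unknown: str) -> bool:
    """Black-box check a reviewer can run: does the handler answer a
    registered and an unregistered address with the same status and
    message? True means the response carries no enumeration signal."""
    return handler(known) == handler(unknown)
```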