On Oct 14, I received a disturbing E-mail from one of the Crowdlending platforms that I currently have investments with. This was the exact message:
Kuetzal website was attacked this Sunday, it was successfully reflected by Kuetzal, but for security reasons, some passwords may be deleted. If you can’t sign in to your account, please use “reset password”, or contact Kuetzal support team.
I obviously immediately attempted to log on to my account, but couldn’t. – So I had to use the “Reset Password” feature. I then received a new, randomly generated password, in clear text via E-mail. Forgive me if I’m being too technical here, but this is a huge no-go! It was not a temporary one-time password that I was forced to change after using it, so that only made it worse.
When someone sends you a password in clear text to your E-mail, you should be worried about your (or your data’s) safety! (You should receive a unique link to reset it via a web-form!)
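To show what the correct approach looks like, here is an added example (my own illustration, not Kuetzal’s or any platform’s code) of a reset flow that mails a single-use, expiring link instead of a password: only a hash of the token is stored, the token is deleted the moment it is used, and it dies on its own after 15 minutes (an assumed lifetime; the domain is a placeholder).

```python
import hashlib
import secrets
import time

RESET_TTL_SECONDS = 15 * 60  # assumed policy: a reset link lives 15 minutes

# Constructed in-memory table standing in for the platform's database.
# Key: SHA-256 of the token. Value: (user e-mail, expiry timestamp).
_reset_tokens = {}


def _hash_token(token: str) -> str:
    return hashlib.sha256(token.encode()).hexdigest()


def issue_reset_link(email: str, now=None) -> str:
    """Create a single-use reset link for `email`.

    The user receives a link, never a password. Only the token's hash is
    persisted, so a leaked database does not hand out usable reset links.
    """
    now = time.time() if now is None else now
    token = secrets.token_urlsafe(32)  # 256 bits from a CSPRNG
    _reset_tokens[_hash_token(token)] = (email, now + RESET_TTL_SECONDS)
    return f"https://example.invalid/reset?token={token}"  # placeholder host


def consume_reset_token(token: str, now=None):
    """Return the e-mail the token was issued for, or None if the token is
    unknown, expired or already used.

    The entry is removed before any check, which is what makes the link
    one-time: a second visit, or a replay after expiry, finds nothing.
    """
    now = time.time() if now is None else now
    entry = _reset_tokens.pop(_hash_token(token), None)
    if entry is None:
        return None
    email, expires_at = entry
    if now > expires_at:
        return None
    return email
```

Once `consume_reset_token` returns an e-mail address, the web form lets that user choose a new password; nothing secret ever travels through E-mail.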
This experience prompted me to run a few common security-related “tests” (no systems were harmed during this test 😉 ) on all the platforms that I’m currently using (14), to uncover whether this poor security hygiene was a widespread issue.
What I uncovered was fairly shocking!
Now that I have your attention, I should start by telling you the good news; Only Kuetzal FAILED this part of the test. ALL of the other platforms use the correct approach to the “Reset/Forgot password” function. – However, I decided to dig a little deeper.
According to the great wisdom of the Internet, 52% of users re-use their password for different services (but you don’t, right?!). I’m a pretty trusting guy, but trusting other people with my money is not easy for me – so when I do, I expect them to guard it with their life – or 2-factor authentication at the very least 😉
What is 2-factor authentication you might ask? – You know that annoying thing when you purchase something (or log on to your online bank), and you get a text-message with a verification code (or use NemID) – that’s 2-factor authentication.
Anything that has anything to do with money, should always offer 2-factor authentication, because this prevents 99% of the misuse cases via stolen user credentials. The bad guys MIGHT have your username and password, but it’s highly unlikely that they also have your cellphone (or your thumb-print for that matter). This is the beauty of 2-factor authentication. While it’s a bit annoying (I agree) it’s designed to keep the bad guys out. And it’s very effective at that!
So, the fact that only 5/14 of my used crowdlending platforms offer 2FA (6, if you count Crowdestor, who is allegedly working on it. EDIT: Crowdestor has now added 2FA) bothers me a great deal. Add to that the fact that only 2/14(!) require you to use a complex password (you know: minimum 8 characters long, at least one lowercase and one uppercase letter, and at least one special character) and my blood pressure started climbing faster than Alberto Contador (who currently holds the world record for the fastest climb to the top of Alpe d’Huez – in case that reference rode by you – get it?! 😛 ).
4/14 of the platforms have no minimum length requirement for the passwords! (I tested down to 4 characters). I did not want to attempt an actual brute-force of the password (attempting to do an automated logon using a long list of “common” passwords), as that would be intrusive (and I’m no computer hacker, just like Mr. T ain’t!) but I bet few would actively prevent me from logging on after xx-amount of failed attempts (thus being vulnerable to brute-force attacks, meaning someone guessing your password!). Only 3/14 of the platforms use captcha (Captcha is a verification process that requires users to enter a pre-determined code or select certain images during a logon session. It’s designed to filter out the robots!).
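Since both the “complex password” rule and the “stop me after xx failed attempts” defence are cheap to build, here is an added example (my own illustration, not any platform’s code) of the two checks side by side: the password policy exactly as quoted above, and a per-account throttle that refuses further attempts after 5 failures within 15 minutes (threshold and window are my assumed values). The throttle is consulted BEFORE the password is verified, so a list of common passwords gets nowhere.

```python
import re
import time
from collections import defaultdict

MIN_LENGTH = 8             # the "complex password" rule from the post
MAX_FAILED = 5             # assumed lockout threshold
LOCKOUT_SECONDS = 15 * 60  # assumed lockout window


def password_meets_policy(password: str) -> bool:
    """Minimum 8 chars, one lowercase, one uppercase, one special character."""
    return (
        len(password) >= MIN_LENGTH
        and re.search(r"[a-z]", password) is not None
        and re.search(r"[A-Z]", password) is not None
        and re.search(r"[^A-Za-z0-9]", password) is not None
    )


class LoginThrottle:
    """Tracks failed logins per account; locks after MAX_FAILED recent failures."""

    def __init__(self):
        self._failures = defaultdict(list)  # account -> timestamps of failures

    def _recent(self, account, now):
        cutoff = now - LOCKOUT_SECONDS  # forget failures older than the window
        self._failures[account] = [t for t in self._failures[account] if t > cutoff]
        return self._failures[account]

    def is_locked(self, account, now) -> bool:
        return len(self._recent(account, now)) >= MAX_FAILED

    def record_failure(self, account, now):
        self._recent(account, now).append(now)

    def record_success(self, account):
        self._failures.pop(account, None)  # clean slate after a real login


def attempt_login(throttle, account, supplied, verify, now=None):
    """Return 'locked', 'ok' or 'denied'. `verify(account, password)` is the
    platform's own credential check (assumed callable, passed in here)."""
    now = time.time() if now is None else now
    if throttle.is_locked(account, now):  # checked first: guessing stops here
        return "locked"
    if verify(account, supplied):
        throttle.record_success(account)
        return "ok"
    throttle.record_failure(account, now)
    return "denied"
```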
In short, I threw it all in an Excel sheet (yes, I’m weird like that!) – and here are the results (of the great Crowdlending Platform Insecurity check):
The checklist includes:
- Does the platform offer 2-Factor Authentication?
- Does the platform require a complex password? (no using “123456” or “password”)
- Does the platform have a Password Strength Indicator (PSI) when creating your password?
- Does the platform utilize Captcha during the login process? (Can prevent brute-force/password guessing)
- Does the platform Encrypt Passwords? (never send it out in plain text)
- Can you withdraw funds to pre-approved accounts only? (most of them auto-update/add to the pre-approved list when you deposit funds from a new account)
- Is there a default withdrawal notification sent to your E-mail, when you withdraw funds from the platform?
- Do you get a Login notification from the platform, if a logon from a “suspicious”/unknown/new device is registered? (notice how only 1 platform offers this!)
- Are your ID documents VISIBLE (downloadable) in your account on the platform?
The more red you see in one row, the poorer the security hygiene of the platform. NOTE: Kuetzal added the Captchas AFTER the reported incident on Oct 14, so before that they only passed 2/9 checks. What exactly did happen during this reported “incident”? I can take a wild guess, but it would be pure speculation, so I will refrain from that today 😉 (but really, fix your shit, Kuetzal! That homemade captcha isn’t fooling anybody!).
Picture this scenario: You are one of the 52% of the users on the Internet, who are stupid enough to re-use their password for multiple services across hundreds of different sites/services (they add up, trust me). 1 of these sites/services gets hacked (because they have shit-poor security hygiene – and because it happens daily out there). The bad guys now have your login to – oh, let’s say Envestio or Kuetzal (because you use the same password!). Because Envestio and Kuetzal do not have 2FA enabled, they can now log on to your account, and transfer your “Free to use” cash to ANY account they please! Luckily, the platforms are nice enough to notify you of this transfer (phew, right!?). You (almost) dodged the bullet there, huh (the money is still gone though)!?
But wait! The bad guys now log on to your account at Viventor or Grupeer and download your ID documents – and open up an account at <insert bad place here> using YOUR ID!
Congrats, you’ve now been “pwned” (geek-talk for: you’re fucked).
All because you re-use your password, and because those stupid crowdlending providers don’t offer 2-factor authentication. SHAME ON THEM (and you)!
I don’t understand, why you would even have your investors ID documents downloadable on the platform?! What’s the use-case for this anyway!? HIDE THEM, DAMNIT! Guard them with your life, please!
My main concern about this is actually not even this whole password-issue (I use strong randomly generated passwords, unique for each platform – safely stored in a password manager, so I sleep well at night). My main concern is that if the platforms don’t even bother offering 2-factor authentication AND/OR requiring complex passwords as a bare minimum (this is very simple and cheap to implement!), then what else are they slacking on!? They have my money in a “digital wallet” that I can only ASSUME is not very safe!? (They give me no reason to believe otherwise).
It should come as no surprise that Mintos is the clear leader of the pack (together with FastInvest).
To Bulkestate, (Crowdestor), Envestio, Grupeer, Kuetzal, ReInvest24, TFGCrowd, Viventor, Wisefund: give us 2-Factor Authentication, now please! – Learn from Mintos 😉
And especially to Grupeer and Viventor; at least hide our ID documents, please!