Neteller...



  • Hello...

    I wanted to rant a little bit about Neteller. I have created an account there since I needed a way to transfer some money in the US from Germany, and since I also hate PayPal, that was an option that the other party accepted.

    I don't know if I am expecting too much, but when I logged into Neteller, I managed to forget my password (I manage to do this quite often, since they are somewhat cryptic). So I thought I'd request a new one. Said and done. A few seconds later I went and checked my e-mail. But instead of a new password, they sent me my OLD password.

    I don't know if I am too picky, but it already annoys me when a cheap FORUM is storing my password in a retrievable format. A company that handles my MONEY should take more care with sensitive information. I wrote them an e-mail and wanted to know why they have stored my password in a retrievable format, but I haven't got any feedback from them at all. (If I get some feedback I will post it here.)

    So I think I am done with the service.



  • No pictures make kitty mad!



  • @rdrunner said:

    wanted to know why they have stored my password in a retrievable format

     

    Did you want them to NOT be able to retrieve it? How did you think authentication would work?



  • @MasterPlanSoftware said:

    Did you want them to NOT be able to retrieve it? How did you think authentication would work?


    There must be some kind of a prize for this kind of ignorance.



  • @MasterPlanSoftware said:

    Did you want them to NOT be able to retrieve it? How did you think authentication would work?

     

    Hashed, for example, like every sane, secure system does. How does the authentication work? Google: hash function, MD5, etc.



  • Yes...

    I consider storing passwords in a retrievable format bad. Why should they be stored that way? I always cringe when I see something like that.

    For authentication you only need to know if the passwords match. If they are stored in a retrievable format, then I must also trust anyone who can access the DB, even if they leave the company.



  •  Pay no attention to the trolls. I'd have dumped them too (the service, not the trolls).



  • @MasterPlanSoftware said:

    @rdrunner said:

    wanted to know why they have stored my password in a retrievable format

     

    Did you want them to NOT be able to retrieve it? How did you think authentication would work?

     

    Try hash.  Good stuff.

    Hash with salt, even better. 



  •  I guess sarcasm is a lost art nowadays....



  • @MasterPlanSoftware said:

     I guess sarcasm is a lost art nowadays....

    Yes.  You've definitely lost it. 



  • @djork said:

    Yes.  You've definitely lost it. 
     

    Thanks Captain Obvious.



  • @lanzz said:

    @MasterPlanSoftware said:

    Did you want them to NOT be able to retrieve it? How did you think authentication would work?

    There must be some kind of a prize for this kind of ignorance.

     

    HAHAHA!  

    Queue up beljerk to add some stupid post and defend his hero. 



  • @rdrunner said:

    Hello...

    I wanted to rant a little bit about Neteller. I have created an account there since I needed a way to transfer some money in the US from Germany, and since I also hate PayPal, that was an option that the other party accepted.

    I don't know if I am expecting too much, but when I logged into Neteller, I managed to forget my password (I manage to do this quite often, since they are somewhat cryptic). So I thought I'd request a new one. Said and done. A few seconds later I went and checked my e-mail. But instead of a new password, they sent me my OLD password.

    I don't know if I am too picky, but it already annoys me when a cheap FORUM is storing my password in a retrievable format. A company that handles my MONEY should take more care with sensitive information. I wrote them an e-mail and wanted to know why they have stored my password in a retrievable format, but I haven't got any feedback from them at all. (If I get some feedback I will post it here.)

    So I think I am done with the service.

     

    Worse still... they sent your password in an e-mail!

    Even if they needed to generate a new one, sending it by e-mail is very, very bad - they should send you a link that you then follow that allows you to reset it. Or something even more secure (to stop a man-in-the-middle beating you to it). 



  • @MasterPlanSoftware said:

     I guess sarcasm is a lost art nowadays....

     

     

    Whenever you get owned you always say that you were being sarcastic.  You just spout off like you know shit when your knowledge just IS shit. 



  • @GettinSadda said:

    @rdrunner said:

    Hello...

    I wanted to rant a little bit about Neteller. I have created an account there since I needed a way to transfer some money in the US from Germany, and since I also hate PayPal, that was an option that the other party accepted.

    I don't know if I am expecting too much, but when I logged into Neteller, I managed to forget my password (I manage to do this quite often, since they are somewhat cryptic). So I thought I'd request a new one. Said and done. A few seconds later I went and checked my e-mail. But instead of a new password, they sent me my OLD password.

    I don't know if I am too picky, but it already annoys me when a cheap FORUM is storing my password in a retrievable format. A company that handles my MONEY should take more care with sensitive information. I wrote them an e-mail and wanted to know why they have stored my password in a retrievable format, but I haven't got any feedback from them at all. (If I get some feedback I will post it here.)

    So I think I am done with the service.

     

    Worse still... they sent your password in an e-mail!

    Even if they needed to generate a new one, sending it by e-mail is very, very bad - they should send you a link that you then follow that allows you to reset it. Or something even more secure (to stop a man-in-the-middle beating you to it). 

     

     

    Kinda funny that he says he hates paypal, but his main complaint about this company is something that paypal does (send user to a link to reset the password). Teehee 



  • Well...

     I hate paypal for other reasons ;)

     

    If you receive money from them, it's not as instant as it looks... They are quite liberal in reversing the charges on your account if they feel like it...

     



  • @rdrunner said:

    Well...

     I hate paypal for other reasons ;)

     

    If you receive money from them, it's not as instant as it looks... They are quite liberal in reversing the charges on your account if they feel like it...

     

     

     

    They will reverse it if the payer files a dispute and can prove that they are entitled to a refund. I've never been in that situation, but it's the same as a regular credit card dispute, no?



  • @Lysis said:

    They will reverse it if the payer files a dispute and can prove that they are entitled to a refund. I've never been in that situation, but it's the same as a regular credit card dispute, no?

     

    Actually no, they will reverse it if the payer files a dispute; no entitlement or proof needed.  It is then up to the receiver to prove that he really does deserve to be paid.  In the end, the payer ends up with an item for free in most instances. 

    With a credit card it works kinda the same way.  You buy something, then dispute without proof and they reverse the charge, the company then disputes the reversal and they reverse it, if you dispute a second time it now requires proof from both parties.



  • @rdrunner said:

    I consider storing passwords in a retrievable format bad. Why should they be stored that way? I always cringe when I see something like that.

    Actually, I worked on a system that stored passwords in plain text.  I don't work for the company anymore.  Would it be bad form to post a link and see how quick you can hack it?



  • @GettinSadda said:

    Even if they needed to generate a new one, sending it by e-mail is very, very bad - they should send you a link that you then follow that allows you to reset it. Or something even more secure (to stop a man-in-the-middle beating you to it).
     

    Yeah, like, they should provide a link, but when you get to that page, you have to enter some word in order to pass through and change your password. 



  • @MasterPlanSoftware said:

    Did you want them to NOT be able to retrieve it? How did you think authentication would work?

    Nominated for the Mug

     

    Sorry, friend, but Lysis is right on that one. If nothing else, tell me how you "nominate people for the Mug" sarcastically. Not knowing something is acceptable (even though this case is pretty common sense), attacking people and then not admitting it makes an ass out of you.

    As for the topic, it's unfortunate, yes, but if the rest of their system is properly secured, so that the password file cannot be accessed from outside, I'd find it still acceptable. Then again, if they don't get this bit right, chances probably aren't very good about the rest.

    I guess the only thing you can do in this case is to always hold only the minimum amount of money in the system.



  • @PSWorx said:

    Sorry, friend, but Lysis is right on that one. If nothing else, tell me how you "nominate people for the Mug" sarcastically. Not knowing something is acceptable (even though this case is pretty common sense), attacking people and then not admitting it makes an ass out of you.
     

    Sorry, but if you took it seriously, you have deeper issues.



  • @Lysis said:

    Kinda funny that he says he hates paypal, but his main complaint about this company is something that paypal does (send user to a link to reset the password). Teehee 

     

    I think it's clear from the post that this company has turned out to be even worse than PayPal.

    I don't like PayPal either, I posted a sidebar WTF about them a while back. 



  • @SpoonMeiser said:

    @Lysis said:

    Kinda funny that he says he hates paypal, but his main complaint about this company is something that paypal does (send user to a link to reset the password). Teehee 

     

    I think it's clear from the post that this company has turned out to be even worse than PayPal.

    I don't like PayPal either, I posted a sidebar WTF about them a while back. 

     

     

    I <3 Paypal.

    Don't proxy off of a Chinese server though and accidentally forget to turn it off before accessing your PayPal account.  They flag your account as compromised and you have to send in a shit ton of proof that you're not teh red dots! :(



  • @bstorer said:

    @GettinSadda said:

    Even if they needed to generate a new one, sending it by e-mail is very, very bad - they should send you a link that you then follow that allows you to reset it. Or something even more secure (to stop a man-in-the-middle beating you to it).
     

    Yeah, like, they should provide a link, but when you get to that page, you have to enter some word in order to pass through and change your password. 

    There are better ways to do it.

    One possibility would be that the https page that you use to request a reset then sends you to another https page that asks for a code. This code is sent to your e-mail address and has to be entered on that https page (in the same session as you requested the reset). 



  • That won't really help -- if someone can intercept your email, it's trivial for them to request a password reset themselves, wait for the email to be sent, and then enter the code. Any system that relies on an email is vulnerable to this kind of attack, but at least anything that doesn't send the password in plaintext (and uses a one-time link) prevents someone from accessing your account when they read your email sometime later after you've made the request yourself. Systems that rely on a "secret question" or some such are more secure, but are basically just a second password (and usually a not very good one, since many of the questions are vulnerable to dictionary attacks or are things that could potentially be found out about you), which means you can forget the answer to them, too (especially if they're implemented with restrictions on what the answers can be, as many WTFs have demonstrated). Biometrics are probably the best way to go in the long term, but it'll be a long time before the technology to do that is sufficiently deployed, even though it exists today. (And even biometrics have problems -- what happens when you severely burn your hands, and now you can't access your bank account to boot?)



  •  Community Server did it again ...




  • @tirerim said:

    Systems that rely on a "secret question" or some such are more secure, but are basically just a second password (and usually a not very good one, since many of the questions are vulnerable to dictionary attacks or are things that could potentially be found out about you), which means you can forget the answer to them, too (especially if they're implemented with restrictions on what the answers can be, as many WTFs have demonstrated)
     

     

    Yeah, my troll buddies and I got into someone's Hotmail account that way.  The secret question is shown if you ask for it, and this little yenta's question was "what is my favorite movie?"  So, being the good trolls that we are, we went to the forums and made some retarded thread about our favorite movie and asked the forum what their favorite movie is.  Hook, line and sinkerrrrrrrrr.



  • @belgariontheking said:

     Community Server did it again ...


     

    kkthx.  Keep up the good  work and make sure to point out every person who has a 0 post count cuz we care!



  • @belgariontheking said:

     Community Server did it again ...


    There's a reason for that. Like other forum software (including popular expensive PHP based ones like IPB) Community Server tries to do you a favour, and save on unnecessary database writes. To do this, it doesn't immediately update the "post count" for users- it queues it up to do later in a bulk load. Less DB intensive that way. Not a WTF, and certainly not worth pointing out.



  • Hey Masterplan,

     Just for grins and giggles, can you explain how to properly implement good password security? 

    Lack of a response indicates that there was no sarcasm in this thread :)

      To the OP:

     Let's hope that Neteller was at least using encryption on their database column, and not using plain text. However, I disagree with using encryption because that is essentially security by obscurity.

     There are ways to be very open about your security model and still be very hard to break.



  • @tirerim said:

    Systems that rely on a "secret question" or some such are more secure, but are basically just a second password (and usually a not very good one, since many of the questions are vulnerable to dictionary attacks or are things that could potentially be found out about you)

    And they cause other problems, especially for web comics authors: [url=http://www.pvponline.com/2008/03/04/pvp-presents-real-email-transcripts/]Exhibit A[/url], [url=http://www.penny-arcade.com/comic/2006/07/12]Exhibit B[/url].



  •  5 bites and counting.... see the Master Troll at work ;-)



  • @Jonathan Holland said:

    password security
     

    I think y'all mean pbuttword security. 



  • @tirerim said:

    That won't really help -- if someone can intercept your email, it's trivial for them to request a password reset themselves, wait for the email to be sent, and then enter the code.

    Not if the code is linked to that specific session that is kept open and won't work for other sessions.


  • 

    @lanzz said:

    @tirerim said:

    That won't really help -- if someone can intercept your email, it's trivial for them to request a password reset themselves, wait for the email to be sent, and then enter the code.

    Not if the code is linked to that specific session that is kept open and won't work for other sessions.

      Did you read what you quoted? The 'someone' instigates the reset, and intercepts the email.

    They already have the specific session you mention. 



  • Hotmail

    @Lysis said:

    Yeah my troll buddies and I got into someone's hotmail account that way.  The secret question is shown if you ask for it, and this little yenta's question was "what is my favorite movie?"

     

    Hotmail used to be worse than that. I forgot my own password, and never set a secret question. Since there was no secret question, I could just choose a new password. There was no authentication whatsoever. In this case I didn't mind, because otherwise I would probably never be able to use the account. I did check whether some of my friends had set a secret question though ;-).

     



  •  @Lysis said:

    kkthx.  Keep up the good  work and make sure to point out every person who has a 0 post count cuz we care!
    That's a screencap from this thread. A screencap from tirerim's post in this thread. He made. A. Post. His post count is still zero. Have I made things simple enough for you?

    Why this happens has been answered. It's still a WTF though.



  • @m0ffx said:

     @Lysis said:

    kkthx.  Keep up the good  work and make sure to point out every person who has a 0 post count cuz we care!
    That's a screencap from this thread. A screencap from tirerim's post in this thread. He made. A. Post. His post count is still zero. Have I made things simple enough for you?

    Why this happens has been answered. It's still a WTF though.

    Yeah, I was simply pointing out that it happened again.  I didn't expect anyone to respond, just chuckle and move on to the next post. 



  • @MasterPlanSoftware said:

    Sorry, but if you took it seriously, you have deeper issues.

    You pretend to be stupid, and someone thus assumes that you really are stupid. How's that an issue?



  • @fbjon said:

    @MasterPlanSoftware said:
    Sorry, but if you took it seriously, you have deeper issues.

    You pretend to be stupid, and someone thus assumes that you really are stupid. How's that an issue?

    Obviously, it's not. He's just hoping that by obfuscating the issue -- that he was trivially wrong about password security -- he can make it go away. This is a common belief among children, narcissists, and other pathological liars.



  • We've hired a web development company to provide a jobs board for our website. I went through testing, tried the "forgot password" link, and sure enough, got my original password in plain text in an email. I raised an issue asking for some half-decent security, and it got immediately closed as "This feature is not a part of the <product name> system." Keep up the good work guys. :-/



  • @viraptor said:

    Hashed for example - like every sane, secure system does. How the authentication works? google: hash function, md5, etc.

    I sincerely hope that my bank is not storing passwords with an MD5 hash, salt or no salt.  High-security environments should be using bcrypt, or, if the designers are masochists, SRP.

    Common hashes are alright for your average forum/blog/portal software, where the effort required to brute-force even the most naïve MD5/SHA1 scheme is generally much greater than the potential payoff.  In that case, a salt can also help prevent your standard dictionary/rainbow-table attacks.  However, when an attacker potentially stands to profit millions or even billions of dollars, rest assured that they'll come prepared with a roomful of FPGAs and will probably have your whole database cracked within a night.  The only way to prevent this is to use an encryption algorithm that's difficult to implement and slow to run, which MD5 is neither of.
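    As an added example (not code from the thread, and not Neteller's own), this Python sketch puts the two pieces of advice above together: a salted, deliberately slow password verifier instead of anything retrievable (the standard library's PBKDF2 stands in for the bcrypt recommended here), plus a reset flow that e-mails a one-time code whose hash is stored with an expiry and bound to the requesting session, as suggested earlier. As the reply to that suggestion points out, the session binding does not stop someone who both reads the mailbox and starts the reset themselves; it stops the code from being replayed later or used from any other session. All names, sessions and passwords are constructed sample data.

```python
import hashlib
import hmac
import os
import secrets

# PBKDF2 stands in for bcrypt (stdlib only); iterations are the "slow to run" knob.
PBKDF2_ITERATIONS = 200_000
RESET_TTL_SECONDS = 900

def _derive(password, salt):
    """Salted, deliberately slow one-way hash; the password is not recoverable from it."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERATIONS)

class Account:
    """The record holds a verifier, not the password, so a 'forgot password'
    handler has nothing it could mail back."""
    def __init__(self, email, password):
        self.email = email
        self.salt = os.urandom(16)
        self.verifier = _derive(password, self.salt)
        self.reset = None  # pending reset: (sha256(code), session_id, expires_at)

def check_password(account, candidate):
    # Authentication only needs "do they match?", answered in constant time.
    return hmac.compare_digest(account.verifier, _derive(candidate, account.salt))

def begin_reset(account, session_id, now):
    """Step 1: mint a one-time code to e-mail as a link. Only its hash is stored,
    bound to the requesting session and an expiry time."""
    code = secrets.token_urlsafe(32)
    digest = hashlib.sha256(code.encode()).digest()
    account.reset = (digest, session_id, now + RESET_TTL_SECONDS)
    return code

def finish_reset(account, session_id, code, new_password, now):
    """Step 2: the code works once, before expiry, and only from the same session.
    Any attempt, right or wrong, burns it."""
    if account.reset is None:
        return False
    code_hash, bound_session, expires_at = account.reset
    account.reset = None
    ok = (now <= expires_at
          and hmac.compare_digest(bound_session, session_id)
          and hmac.compare_digest(code_hash, hashlib.sha256(code.encode()).digest()))
    if ok:  # re-salt and re-derive; the old verifier is gone
        account.salt = os.urandom(16)
        account.verifier = _derive(new_password, account.salt)
    return ok

def demo(now=1_000):
    """Walks the flow on constructed sample data and reports each outcome."""
    acct = Account("user@example.test", "correct horse")
    r = {"login_ok": check_password(acct, "correct horse"),
         "login_bad": check_password(acct, "wrong")}
    code = begin_reset(acct, "session-A", now)
    r["other_session"] = finish_reset(acct, "session-B", code, "x", now + 1)
    code = begin_reset(acct, "session-A", now)
    r["expired"] = finish_reset(acct, "session-A", code, "x", now + 1_000)
    code = begin_reset(acct, "session-A", now)
    r["reset_ok"] = finish_reset(acct, "session-A", code, "new pw", now + 60)
    r["replay"] = finish_reset(acct, "session-A", code, "again", now + 60)
    r["new_login"] = check_password(acct, "new pw")
    return r
```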



  • Dear NETELLER Client,

    For security reasons please send all future correspondence from the
    registered E-mail address on your NETELLER account.  Please note that
    NETELLER encrypts all personal information, once you initiate the
    retrieval steps correctly it is decrypted and sent to you so you are
    able to read your requested information. You are only able to change
    your personal information within your NETELLER account.  For more
    information please refer to NETELLER's Privacy Policy. (
    https://www.neteller.com/legalpolicies/index.jsf
    <https://www.neteller.com/legalpolicies/index.jsf> )

    Kind Regards,



  • @rdrunner said:

    Dear NETELLER Client,

    For security reasons please send all future correspondence from the
    registered E-mail address on your NETELLER account.  Please note that
    NETELLER encrypts all personal information, once you initiate the
    retrieval steps correctly it is decrypted and sent to you so you are
    able to read your requested information. You are only able to change
    your personal information within your NETELLER account.  For more
    information please refer to NETELLER's Privacy Policy. (
    https://www.neteller.com/legalpolicies/index.jsf
    <https://www.neteller.com/legalpolicies/index.jsf> )

    Kind Regards,

    You have nothing to worry about because, clearly, they can word it in a way that it sounds secure to someone who doesn't understand security! 

