Wish-it-was password security



  • I've recently decided to become a financial adult and actually invest in a few things instead of leaving all my savings lounging about lazily in scruffy low-interest accounts. And that means I've started dealing with share registries.

    Oh. My. Fn. God. And I thought banks were bad. Who is responsible for this crap?

    [screenshot]

    To get past that login page, the only secret I need to know is a Holder Identification Number or HIN. That's a number issued to me by my broker. It seems to function as a combined username and password. It's the same for all the stocks I've bought via that broker, even those registered with registries other than the one I'm dealing with here. If it leaks, I have no way of changing it.

    And that "security code"? Nothing to do with website security. All that is, is the stock exchange codename for one of the stocks I own. That control is a dropdown list of all the stocks registered with this registry. Any one I own will work.

    [screenshot]

    Bam. Logged in.

    Now I want to update bank account details and my tax file number, so my dividends will get paid to me without ridiculous amounts of withholding tax deducted. So I click Update Details, and get this:

    [screenshot]

    Not too much :wtf: there. Click TFN/ABN Update:

    [screenshot]

    They want a PIN. I don't have a PIN. Let's get one. Click "Issue a PIN":

    [screenshot]

    Oh for :wtf:'s sake.

    [screenshot]

    :wtf:s in this dialog:

    1. It exists.
    2. It has "security questions".
    3. There are < 10 questions in each dropdown and I can't write my own.
    4. They appear to be about to send me a password via email.
    5. The email field has a validator that won't accept a name+tag@provider.tld address.

    [screenshot]

    After "shortly" has been more than two days, I log in again with my sooper seekrit HIN and send off a complaint via the contact form:

    First Name*
    Myname
    
    Surname*
    MySurname
    
    Email*
    identifier@provider.tld
    
    Telephone
    
    Comments*
    I have been trying to get a PIN issued so I can update my tax file number,
    but nothing comes through to my inbox.
    
    Method of Contact*
    Email
    

    And they send an email that reads

    Dear Myname,
    
    Please provide the full name and address on the holding or the HIN/SRN,
    for me to locate and advise.
    
    Thanks & Kind Regards
    Helpdesk Person
    
    (snip massive disclaimer footer)
    

    I was logged on when I used that contact form, but it apparently doesn't pass along the details that stare me in the face on every other page of the site. OK, whatever. Fukkit. Let's send everything sufficient to impersonate me on their stupid site over unsecured email to somebody I've never met.

    Name: Myname Middlename Surname
    Address: My address
    HIN: My sooper seekrit HIN
    Holdings are CODE and CODE
    

    And back comes the astonishingly helpful reply:

    Dear Myname,
    
    Please note that we do not have any email address recorded for your
    holdings under that HIN. Kindly login again and click on issue a PIN
    and follow the prompts.
    
    To update your TFN only, you can email the number to our office and
    we can update it for you.
    
    Kind Regards
    
    Helpdesk Person
    

    TFN (tax file number) is a government-issued quasi-secret as well; sending that off in an email is a breach too far. Let's stick with the idiotic "Issue a PIN" dance...

    That's exactly what I'd already done, twice, before contacting you via
    the form. Why should it work any differently this time?
    
    Also, how is logging onto your web site, which requires only information
    I've already sent you from this email address, any more secure than you
    just issuing the PIN from your end?
    
    I'll do it again all the same.
    
    Done (see attached screenshots). As expected, still no PIN in my inbox.
    
    No PIN in my Spam folder either.
    

    And back it comes:

    Hi Myname,
    
    I am not sure too.
    
    However, will ask the IT team here to reset your PIN settings.
    
    Kindly login tomorrow to issue a new PIN.
    
    Kind Regards
    
    Helpdesk Person
    

    Now, I'm pretty sure I know what's going to be the problem here. It's going to be the answers to my security questions. I used the same pattern for those I always use - a base of five groups of five lowercase letters randomly generated by KeePass, followed by the last word of the question to make the answers unique.

    Given how utterly shit-grade the entire design of this farcical excuse for a website obviously is, I'd bet money that the answers to the security questions have a length limit that the frontend doesn't validate, and that the backend silently truncates them and then silently fails when both questions have identical answers.

    Let's see how long it takes these clowns to sort this out. I'm not holding my breath.



  • What a horrible site. The "Logout" button is in the wrong spot, not aligned, and not following the color scheme. Are you sure you want to invest with a firm that can't even keep up appearances? Your reservations seem trifling in comparison.



  • So... you're still trusting them with your money?



  • My first reaction when reading this was literally ":wtf:, how are they still in business?"

    I am so glad the banks in my country are actually more or less decent.
    When I started buying shares, I just met with my contact person at my local bank branch, signed all the paperwork and now I've got a depot that's cleanly integrated with my online banking, including nifty things like true 2FA.



  • @anonymous234 said in Wish-it-was password security:

    So... you're still trusting them with your money?

    this

    I'd have run screaming from them after the login screen stuff.



  • @all_users At the very least I'd write them an email "notifying" them of the issues, and see if they have any good excuses for them. Formal complaints may seem pointless but often they're the only way to convince the company owners that they're doing things wrong.

    I find it pretty crazy that companies managing money don't have any basic security standards they have to adhere to.



  • @anonymous234 said in Wish-it-was password security:

    I find it pretty crazy that companies managing money don't have any basic security standards they have to adhere to.

    There are. Banks are required in quite a few places to have 2FA. On the other hand, regulatory capture, so nobody enforces them with fines.



  • @anonymous234 I have to agree, why would you give money to these people?

    I thought Merrill Lynch's website was bad.



  • @anonymous234 said in Wish-it-was password security:

    So... you're still trusting them with your money?

    If I want to hold shares in the two companies who have chosen this pack of nongs as their registrar, I pretty much have to.

    @anonymous234 said in Wish-it-was password security:

    At the very least I'd write them an email "notifying" them of the issues

    Fuck that. I'm not interested in helping clowns wearing clown shoes as big as the clown shoes these clowns are wearing to pass as non-clowns.

    What I certainly will be doing, as a new shareholder in companies CODE and CODE, is writing to their boards and expressing, in the strongest possible terms I can devise while still sounding vaguely businesslike, my dismay at their choice of registrar and the reasons for that dismay.


  • Discourse touched me in a no-no place

    @flabdablet

    Are those busted-ass button labels your fault somehow, or theirs?



  • @flabdablet said in Wish-it-was password security:

    If I want to hold shares in the two companies who have chosen this pack of nongs as their registrar, I pretty much have to.

    ???

    I guess I'm not sure what kind of investing you're doing. Don't you have investment banks there, like our Merrill Lynch or American Century or Fidelity or what-not?

    Here in the US, you sign up for a Merrill Lynch account and you have access to every symbol in every US stock exchange (and most international ones), you have access to hundreds of mutual funds for free (and thousands more for a small fee), they sell/arrange CDs, etc.


  • Winner of the 2016 Presidential Election Banned

    @flabdablet said in Wish-it-was password security:

    If I want to hold shares in the two companies who have chosen this pack of nongs as their registrar, I pretty much have to.

    Then... don't invest in those two companies? If this is how they manage their shares, how badly are they managing their businesses? :headdesk:


  • Garbage Person

    @flabdablet said in Wish-it-was password security:

    If I want to hold shares in the two companies who have chosen this pack of nongs as their registrar, I pretty much have to.

    This. The issuer chooses the registrar, so incompetence thrives.

    Computershite once transferred some of my shares with a completely made up cost basis and acquisition date. It was going to cost me thousands in extra taxes and took me months and many hours on hold to get straightened out. I'm very thankful my broker spent so much time helping me deal with those clowns.

    A friend of mine's issue of several years was resolved when they moved a desk and found his share certificate behind it.



  • @blakeyrat Here in Australia, the usual procedure is to sign up with a stock broker of your choice, who will then place trades for you for a brokerage fee. Brokers also offer for-fee advice about what to buy and sell.

    I trade with CommSec, the brokerage arm of one of the Big Four Australian banks; they charge me $30 per trade for online trades under $10,000 or a small percentage for trades over that. If I had elected to open a Commonwealth Bank Trading Account as well, that $30 would drop to $20. The Big Four are as full of WTF as you'd expect from any large bank and I have no desire to argue with them about my money, so I use an account at my own bank instead and just pay the extra $10/trade.

    Having bought shares in an ASX-listed company through CommSec, I become a CHESS Sponsored Holder. The company I've bought into then sends me a nice Welcome To Our Company snail mail containing a form that invites me to become an Issuer Sponsored Holder. I have yet to learn of any advantage to being an Issuer Sponsored Holder as opposed to a CHESS Sponsored Holder, so I haven't done that. At the end of every month in which I've traded shares, I get a stack of CHESS paperwork in the mail listing those trades and the resulting holdings balances.

    However, just being a CHESS Sponsored shareholder is not necessarily enough to get me my dividend payments. Some of the companies I hold will mail paper cheques; others will only do direct deposits to a bank account. I can't be arsed depositing cheques, so I want to lodge direct deposit and Tax File Number details with all the companies I hold.

    Most Australian companies outsource the maintenance of those details to one of several Share Registries instead of doing it in-house. Two of mine have chosen to use the completely verkakte Share Registry I'm complaining about.

    Not that any of the others are much better. But this is the only one I've used so far that actually does implement wish-it-was password security.



  • @flabdablet Australia sounds like a dystopia.



  • @blakeyrat Meh. I'd rather live somewhere that sounds like a dystopia than somewhere that actually is one.

    contrary to popular belief, no Australian Prime Minister has ever been eaten by a salt-water crocodile



  • @FrostCat said in Wish-it-was password security:

    Are those busted-ass button labels your fault somehow, or theirs?

    Depends whether you consider using Firefox to be a "fault". They're a bit less busted in Chrome. I'm sure they look just fine in IE6.


  • Discourse touched me in a no-no place

    @blakeyrat said in Wish-it-was password security:

    Australia sounds like a dystopia.

    Haven't you seen The Road Warrior?


  • Discourse touched me in a no-no place

    @flabdablet said in Wish-it-was password security:

    Depends whether you consider using Firefox to be a "fault".

    Yes. But I was actually thinking of "caused by a Stylish rule" or something.


  • area_can

    @ScienceCat said in Wish-it-was password security:

    I am so glad the banks in my country are actually more or less decent.


  • Discourse touched me in a no-no place

    @flabdablet said in Wish-it-was password security:

    contrary to popular belief, no Australian Prime Minister has ever been eaten by a salt-water crocodile

    :doing_it_wrong:


  • Garbage Person

    @blakeyrat Oh. You invest with them? See: WTFCorp Thread.



  • Today's exciting episode:

    So today I logged in and tried again. The steps I used were exactly the
    same as those I documented for you in the screenshots I sent last time.
    Again, the site told me to expect a PIN to be sent "shortly". Still no
    sign of any PIN arriving in my inbox or my spam folder. How many days is
    "shortly"?
    

    And the reply:

    Myname,
    
    At our end I cannot see any email address recorded at all. 
    
    To avoid any further delays, can I ask you to complete the attached form
    and return to our office for processing via email, mail or fax. Also advise
    on the form that you want your details updated for [CODE] & [CODE] holdings.
    
    Kind Regards
    
    Helpdesk Person
    

    All this newfangled online nonsense is just a passing fad. If pen and paper were good enough for my great-grandfather, they're good enough for you.



  • @flabdablet said in Wish-it-was password security:

    Given how utterly shit-grade the entire design of this farcical excuse for a website obviously is, I'd bet money that the answers to the security questions have a length limit that the frontend doesn't validate, and that the backend silently truncates them and then silently fails when both questions have identical answers.

    Nailed it (though to be fair, it might not have been the length; it might have been the spaces). After telling their Issue a PIN form that my pet's name is am0iq4zhhgrb9ka5 and my mother's maiden surname is ic73msl743xjb7fd, it actually issued a PIN.

    Dear Investor(s)
    
    We welcome you as a registered member of Our Shitgrade Registry Investor Online Service.
    
    Your New Security PIN is 829057
    
    Please do not write your PIN anywhere but store it in a secure place.
    Please contact our office on +61 9 9999 9999 should you have any queries.
    
    
    Kind Regards
    

    So there you go. It's perfectly OK for them to send my wish-it-was-a password over unsecured email, but it's not OK for me to write it down. And yet I'm supposed to "store it in a secure place". Perhaps I am supposed to read it out loud into one of those modern wax cylinder recording doodads, then drive my horse and buggy down to the bank to put that in my safety deposit box?

    Secure place, my arse.

    (now there's an idea)

    Edit: turns out that every form that can alter any of my details has an input box for my PIN. Do you even sessions, bro?

    Time to close this support ticket.

    After a bit more messing about with your online Issue A Pin form, I
    finally got it to issue one.
    
    Turns out that "agipc fhhsb bgwax mijfb suylw pet" and "agipc fhhsb
    bgwax mijfb suylw surname" are unacceptable names for my pet and my
    mother's maiden surname. "1k39inv7sz1017uk" and "2trghi3g0i0067cw", on
    the other hand, work just fine.
    
    Please pass on the following feedback to your IT team:
    
    Words cannot begin to express my dismay at your website's astonishingly
    poor security design. Who built it, the CEO's nephew? Whoever it was,
    they weren't worth what you paid them.
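
The truncate-then-collide failure hypothesised earlier in the thread and confirmed here, as an added example that is neither the registry's code nor the poster's: a model of the inferred flawed path beside a hardened one that validates at the boundary, refuses with a reason, and stores only salted hashes. The 25-character column limit and all function names are assumptions; only the quoted answers come from the thread.

```python
"""Constructed model of the PIN-issue failure discussed in the thread.
The 25-character column limit, the function names and the behaviour of the
registry's real backend are assumptions; only the quoted answers are real."""
import hashlib
import hmac
import secrets
from typing import Dict, Optional

ASSUMED_COLUMN_LIMIT = 25   # hypothetical varchar(25); the real limit is unknown
PBKDF2_ROUNDS = 100_000

# Answers quoted in the thread: the pattern that never produced a PIN, and
# the pair that finally did.
COLLIDING_ANSWERS = {
    "pet": "agipc fhhsb bgwax mijfb suylw pet",
    "maiden surname": "agipc fhhsb bgwax mijfb suylw surname",
}
WORKING_ANSWERS = {
    "pet": "1k39inv7sz1017uk",
    "maiden surname": "2trghi3g0i0067cw",
}


class PinIssueError(ValueError):
    """Raised by the hardened path so the caller learns why, instead of waiting."""


def flawed_store_answers(answers: Dict[str, str]) -> Optional[Dict[str, str]]:
    """Models the behaviour the thread infers: the frontend imposes no limit,
    the backend truncates to the column width, then gives up without any
    message when the two stored answers turn out identical."""
    stored = {q: a[:ASSUMED_COLUMN_LIMIT] for q, a in answers.items()}
    if len(set(stored.values())) != len(stored):
        return None     # silent failure: the promised PIN email is never sent
    return stored


def _normalise(answer: str) -> str:
    """Case-fold and collapse whitespace so the user's later retyping matches."""
    return " ".join(answer.casefold().split())


def hardened_store_answers(answers: Dict[str, str],
                           limit: int = ASSUMED_COLUMN_LIMIT) -> Dict[str, str]:
    """Validate at the boundary with explicit errors; store only salted hashes,
    so a database leak does not expose the plaintext answers."""
    seen: Dict[str, str] = {}
    stored: Dict[str, str] = {}
    for question, raw in answers.items():
        norm = _normalise(raw)
        if not norm:
            raise PinIssueError(f"answer to {question!r} is empty")
        if len(norm) > limit:
            raise PinIssueError(
                f"answer to {question!r} exceeds {limit} characters and would be truncated")
        if norm in seen:
            raise PinIssueError(
                f"answers to {seen[norm]!r} and {question!r} are identical")
        seen[norm] = question
        salt = secrets.token_bytes(16)
        digest = hashlib.pbkdf2_hmac("sha256", norm.encode(), salt, PBKDF2_ROUNDS)
        stored[question] = f"{salt.hex()}:{digest.hex()}"
    return stored


def verify_answer(stored_value: str, candidate: str) -> bool:
    """Constant-time check of a typed answer against its stored salted hash."""
    salt_hex, digest_hex = stored_value.split(":", 1)
    digest = hashlib.pbkdf2_hmac("sha256", _normalise(candidate).encode(),
                                 bytes.fromhex(salt_hex), PBKDF2_ROUNDS)
    return hmac.compare_digest(digest.hex(), digest_hex)


def pin_request_outcome(answers: Dict[str, str]) -> str:
    """What the user would see from the hardened path instead of silence."""
    try:
        hardened_store_answers(answers)
    except PinIssueError as exc:
        return f"rejected: {exc}"
    return "accepted: PIN sent"
```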
    

  • Notification Spam Recipient

    I'm dealing with 3 different share registries, and all of them require "security" questions. One of them lets me specify the question instead of picking one from a list, so it's not completely bad.

    I just hope it's not some kind of ASIC requirement that says "You must have security questions".



  • @bb36e said in Wish-it-was password security:

    @ScienceCat said in Wish-it-was password security:

    I am so glad the banks in my country are actually more or less decent.

    Welcome to Germany. We might have other problems, but at least our Banking IT (sort of) knows what they're doing.



  • @cark said in Wish-it-was password security:

    I'm dealing with 3 different share registries

    Then your country's system is probably :doing_it_wrong: . I have shares in several (>5) companies, but never had to deal with a single share registry myself. I assume my bank/broker handles that for me, since the "you got x€ dividend for your Y-shares"-letters also come from them.



  • @flabdablet said in Wish-it-was password security:

    Time to close this support ticket.

    After a bit more messing about with your online Issue A Pin form, I
    finally got it to issue one.
    
    Turns out that "agipc fhhsb bgwax mijfb suylw pet" and "agipc fhhsb
    bgwax mijfb suylw surname" are unacceptable names for my pet and my
    mother's maiden surname. "1k39inv7sz1017uk" and "2trghi3g0i0067cw", on
    the other hand, work just fine.
    
    Please pass on the following feedback to your IT team:
    
    Words cannot begin to express my dismay at your website's astonishingly
    poor security design. Who built it, the CEO's nephew? Whoever it was,
    they weren't worth what you paid them.
    

    If you really wrote that, you're my hero!



  • @ScienceCat I did write that, and I sent it as well. No response so far.



  • @ScienceCat said in Wish-it-was password security:

    I assume my bank/broker handles that for me, since the "you got x€ dividend for your Y-shares"-letters also come from them.

    As an investment n00b I had assumed that the same sane arrangement would apply here, which is why I just filed all the snail-mail paperwork that came from the companies I was investing in rather than actually comprehending and responding to any of it. Only after the first dividend cheque turned up in the mail, along with a letter from the company's own share registry, did I twig that something else really did need doing.



  • @cark said in Wish-it-was password security:

    I'm dealing with 3 different share registries,

    I really don't understand why you don't have investment banks. This is such an enormous pain in the ass.



  • @ScienceCat said in Wish-it-was password security:

    I am so glad the banks in my country are actually more or less decent.

    This isn't a bank. Not that Australian banks are any better, mind you. NAB has a 16-character password limit, for instance...


  • ♿ (Parody)

    @blakeyrat said in Wish-it-was password security:

    @flabdablet Australia sounds like a dystopia.

    @another_sam What kind of third world hellhole do you live in?


  • ♿ (Parody)

    @FrostCat said in Wish-it-was password security:

    Yes. But I was actually thinking of "caused by a Stylish rule" or something.

    Maybe he has their primary letter CDN adblocked.



  • @boomzilla Adblock Plus reports no blockable items on any of the affected pages and NoScript isn't blocking any scripts.

    It looks better if I tell NoSquint to apply 90% text zoom, and there's an awful lot of "font-size:95%" in the CSS, so I'm thinking it's been thoroughly WOMM-tested on a browser I don't use with a font I don't have installed.


  • Discourse touched me in a no-no place

    @flabdablet said in Wish-it-was password security:

    a font I don't have installed.

    Probably. I was going to say "I thought all the cool kids were using downloadable fonts these days" but then I remembered--banking/finance site.


  • Notification Spam Recipient

    @ScienceCat said in Wish-it-was password security:

    @cark said in Wish-it-was password security:

    I'm dealing with 3 different share registries

    Then your country's system is probably :doing_it_wrong: . I have shares in several (>5) companies, but never had to deal with a single share registry myself. I assume my bank/broker handles that for me, since the "you got x€ dividend for your Y-shares"-letters also come from them.

    Our share registries provide company-specific services like voting in AGMs online instead of having to attend one physically. My broker only charges for transactions and not account or holding fees, and they don't do anything apart from buying/selling stocks. This way, brokerage stays cheap while companies can choose to pay dividends in foot massages if they wish; the share registries are contracted to handle this stuff.



  • @cark said in Wish-it-was password security:

    Our share registries provide company specific services like vote in AGMs online instead of having to attend one physically.

    Merrill Lynch does that on behalf of the companies you hold shares in.



  • @blakeyrat Under your system, what would happen if you were to buy shares in some selection of companies through ML, and subsequently top up your holdings in those same companies by buying them through other investment banks? Would you end up with (number of banks) * (number of companies) records of holdings, or would you be able to sell all your holdings in any given company via any one of your investment banks, or what?



  • @flabdablet said in Wish-it-was password security:

    Would you end up with (number of banks) * (number of companies) records of holdings,

    Probably that.

    Presumably there's some way of transferring holdings between banks/institutions without incurring a tax penalty (i.e. not requiring you to sell and re-buy them); the US has that pretty much solved for retirement accounts, for example.


  • Garbage Person

    @ScienceCat said in Wish-it-was password security:

    I have shares in several (>5) companies, but never had to deal with a single share registry myself. I assume my bank/broker handles that for me, since the "you got x€ dividend for your Y-shares"-letters also come from them.

    When you buy shares directly from the issuer the shares can be delivered in book-entry form. At that point, you have to deal with the registry.



  • @anonymous234 said in Wish-it-was password security:

    I find it pretty crazy that companies managing money don't have any basic security standards they have to adhere to

    Inversion of Security priority protocol.

    If it's meaningless trivial information, you'll need 2FA.
    If it gives you access to your money, you'll be lucky if they don't store your password in plain text.

    I have better security for my WoW account than my bank.



  • @Deadfast said in Wish-it-was password security:

    16-character password limit

    That's acceptable if you're doing CP437 interpreted as UCS-4



  • @xaade I'm really happy with the online security arrangements my bank uses. They do everything right.

    For their web-based banking facility, I have a completely ordinary username and a password. The login page is password-manager friendly. No 2FA is required to log on. If I request a funds transfer to any account other than one of mine, and the destination account is not listed as a favorite, then 2FA is required during the final confirmation step. I can configure my account to make 2FA work via one-time codes sent over SMS, or via a TOTP dongle (I use the dongle).

    They have apps for iOS and Android, both of which use the same underlying authentication as the web facility but hide it behind an app-authenticated 4-digit PIN.

    If I want to use their phone-based voice-menu banking, there's a separate PIN for that. I can get a new phone PIN issued either by talking to bank staff on the phone or via my web-based banking facility.

    To authenticate myself when talking to bank staff over the phone, there's a phone security password that's separate from all the others. Mine's the maximum length allowed (16 characters) and held in KeePass. If that fails, there's a reasonably in-depth phone interview process I need to go to in order to demonstrate that I am who I claim to be. None of that involves transferring any of the other security secrets.

    Last but not least, there's a secure messaging facility built into the web banking stuff, so I can mail them stuff I'm not happy to see sent via standard email.

    Last year they "upgraded" their web site to make it all modern-like and phone-friendly, so it doesn't work as well as it used to because it's now got colored rectangle tiny font hipster whitespace disease. Even so, it still works better than any site I've seen offered by any other financial institution.

    Anybody charged with making any decision about the best way to implement an online financial portal for customers would be well advised to open an account with Bank Australia and see what they do.

