Wish-it-was password security



  • I've recently decided to become a financial adult and actually invest in a few things instead of leaving all my savings lounging about lazily in scruffy low-interest accounts. And that means I've started dealing with share registries.

    Oh. My. Fn. God. And I thought banks were bad. Who is responsible for this crap?

(screenshot: login page)

    To get past that login page, the only secret I need to know is a Holder Identification Number or HIN. That's a number issued to me by my broker. It seems to function as a combined username and password. It's the same for all the stocks I've bought via that broker, even those registered with registries other than the one I'm dealing with here. If it leaks, I have no way of changing it.

    And that "security code"? Nothing to do with website security. All that is, is the stock exchange codename for one of the stocks I own. That control is a dropdown list of all the stocks registered with this registry. Any one I own will work.

(screenshot: logged-in page)

    Bam. Logged in.

    Now I want to update bank account details and my tax file number, so my dividends will get paid to me without ridiculous amounts of withholding tax deducted. So I click Update Details, and get this:
(screenshot: Update Details page)

    Not too much undefined there. Click TFN/ABN Update:

(screenshot: TFN/ABN Update page)

    They want a PIN. I don't have a PIN. Let's get one. Click "Issue a PIN":

(screenshot: Issue a PIN page)

    Oh for undefined's sake.

(screenshot: Issue a PIN dialog)

    undefineds in this dialog:

    1. It exists.
    2. It has "security questions".
    3. There are < 10 questions in each dropdown and I can't write my own.
    4. They appear to be about to send me a password via email.
    5. The email field has a validator that won't accept a name+tag@provider.tld address.

(screenshot: PIN confirmation message)

    After "shortly" has been more than two days, I log in again with my sooper seekrit HIN and send off a complaint via the contact form:

    First Name*
    Myname
    
    Surname*
    MySurname
    
    Email*
    identifier@provider.tld
    
    Telephone
    
    Comments*
    I have been trying to get a PIN issued so I can update my tax file number,
    but nothing comes through to my inbox.
    
    Method of Contact*
    Email
    

    And they send an email that reads

    Dear Myname,
    
    Please provide the full name and address on the holding or the HIN/SRN,
    for me to locate and advise.
    
    Thanks & Kind Regards
    Helpdesk Person
    
    (snip massive disclaimer footer)
    

    I was logged on when I used that contact form, but it apparently doesn't pass along the details that stare me in the face on every other page of the site. OK, whatever. Fukkit. Let's send everything sufficient to impersonate me on their stupid site over unsecured email to somebody I've never met.

    Name: Myname Middlename Surname
    Address: My address
    HIN: My sooper seekrit HIN
    Holdings are CODE and CODE
    

    And back comes the astonishingly helpful reply:

    Dear Myname,
    
    Please note that we do not have any email address recorded for your
    holdings under that HIN. Kindly login again and click on issue a PIN
    and follow the prompts.
    
    To update your TFN only, you can email the number to our office and
    we can update it for you.
    
    Kind Regards
    
    Helpdesk Person
    

    TFN (tax file number) is a government-issued quasi-secret as well; sending that off in an email is a breach too far. Let's stick with the idiotic "Issue a PIN" dance...

    That's exactly what I'd already done, twice, before contacting you via
    the form. Why should it work any differently this time?
    
    Also, how is logging onto your web site, which requires only information
    I've already sent you from this email address, any more secure than you
    just issuing the PIN from your end?
    
    I'll do it again all the same.
    
    Done (see attached screenshots). As expected, still no PIN in my inbox.
    
    No PIN in my Spam folder either.
    

    And back it comes:

    Hi Myname,
    
    I am not sure too.
    
    However, will ask the IT team here to reset your PIN settings.
    
    Kindly login tomorrow to issue a new PIN.
    
    Kind Regards
    
    Helpdesk Person
    

    Now, I'm pretty sure I know what's going to be the problem here. It's going to be the answers to my security questions. I used the same pattern for those I always use - a base of five groups of five lowercase letters randomly generated by KeePass, followed by the last word of the question to make the answers unique.

    Given how utterly shit-grade the entire design of this farcical excuse for a website obviously is, I'd bet money that the answers to the security questions have a length limit that the frontend doesn't validate, and that the backend silently truncates them and then silently fails when both questions have identical answers.

    Let's see how long it takes these clowns to sort this out. I'm not holding my breath.
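To illustrate the failure mode the post suspects (silent truncation of security answers followed by a silent duplicate-answer failure) next to the explicit validation a registry should do, here is an added example that is not part of the original post. The column width, the email pattern and the sample answers are all constructed for illustration; nothing is known about the real site's limits.

```python
import re

# Constructed limit standing in for the suspected backend column width.
MAX_ANSWER_LEN = 20

# Pragmatic address pattern whose local part accepts '+' tags
# (name+tag@provider.tld); it is not a full RFC 5322 parser.
EMAIL_RE = re.compile(r"^[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}$")


def email_ok(addr: str) -> bool:
    """Accept plus-tagged addresses that the post says the form rejects."""
    return EMAIL_RE.fullmatch(addr) is not None


def silently_truncating_store(answers):
    """Models the suspected backend: cut each answer to the column width,
    then give up (return None) when the stored answers collide.
    The user sees no error; the PIN email simply never arrives."""
    stored = [a[:MAX_ANSWER_LEN] for a in answers]
    if len(set(stored)) != len(stored):
        return None
    return stored


def validate_answers(answers):
    """Hardened alternative: refuse over-length or duplicate answers with
    an explicit message instead of truncating and failing quietly."""
    errors = []
    for i, a in enumerate(answers, 1):
        if len(a) > MAX_ANSWER_LEN:
            errors.append(f"answer {i} exceeds {MAX_ANSWER_LEN} characters")
    if len(set(answers)) != len(answers):
        errors.append("security answers must differ from each other")
    return errors


# Constructed answers following the pattern described in the post:
# five groups of five lowercase letters, then the question's last word.
BASE = "abcde fghij klmno pqrst uvwxy"
ANSWERS = [BASE + " pet", BASE + " school"]

if __name__ == "__main__":
    print("truncating store:", silently_truncating_store(ANSWERS))
    print("explicit validation:", validate_answers(ANSWERS))
    print("plus-tag address accepted:", email_ok("name+tag@provider.tld"))
```

Because both answers share the same 20-character prefix, the truncating store collides and returns nothing, while the explicit validator tells the user exactly which limit was hit.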



  • What a horrible site. The "Logout" button is in the wrong spot, not aligned, and not following the color scheme. Are you sure you want to invest with a firm that can't even keep up appearances? Your reservations seem trifling in comparison.



  • So... you're still trusting them with your money?



  • My first reaction when reading this was literally "undefined, how are they still in business?"

    I am so glad the banks in my country are actually more or less decent.
    When I started buying shares, I just met with my contact person at my local bank branch, signed all the paperwork and now I've got a depot that's cleanly integrated with my online banking, including nifty things like true 2FA.



  • @anonymous234 said in Wish-it-was password security:

    So... you're still trusting them with your money?

    this

    I'd have run screaming from them after the login screen stuff



  • @all_users At the very least I'd write them an email "notifying" them of the issues, and see if they have any good excuses for them. Formal complaints may seem pointless but often they're the only way to convince the company owners that they're doing things wrong.

    I find it pretty crazy that companies managing money don't have any basic security standards they have to adhere to.



  • @anonymous234 said in Wish-it-was password security:

    I find it pretty crazy that companies managing money don't have any basic security standards they have to adhere to.

    There are. Banks are required in quite a few places to have 2FA. On the other hand, regulatory capture, so nobody enforces them with fines.



  • @anonymous234 I have to agree, why would you give money to these people?

    I thought Merrill Lynch's website was bad.



  • @anonymous234 said in Wish-it-was password security:

    So... you're still trusting them with your money?

    If I want to hold shares in the two companies who have chosen this pack of nongs as their registrar, I pretty much have to.

    @anonymous234 said in Wish-it-was password security:

    At the very least I'd write them an email "notifying" them of the issues

    Fuck that. I'm not interested in helping clowns wearing clown shoes as big as the clown shoes these clowns are wearing to pass as non-clowns.

    What I certainly will be doing, as a new shareholder in companies CODE and CODE, is writing to their boards and expressing, in the strongest possible terms I can devise while still sounding vaguely businesslike, my dismay at their choice of registrar and the reasons for that dismay.


  • Discourse touched me in a no-no place

    @flabdablet

    Are those busted-ass button labels your fault somehow, or theirs?



  • @flabdablet said in Wish-it-was password security:

    If I want to hold shares in the two companies who have chosen this pack of nongs as their registrar, I pretty much have to.

    ???

    I guess I'm not sure what kind of investing you're doing. Don't you have investment banks there, like our Merrill Lynch or American Century or Fidelity or what-not?

    Here in the US, you sign up for a Merrill Lynch account and you have access to every symbol in every US stock exchange (and most international ones), you have access to hundreds of mutual funds for free (and thousands more for a small fee), they sell/arrange CDs, etc.


  • Winner of the 2016 Presidential Election Banned

    @flabdablet said in Wish-it-was password security:

    If I want to hold shares in the two companies who have chosen this pack of nongs as their registrar, I pretty much have to.

    Then... don't invest in those two companies? If this is how they manage their shares, how badly are they managing their businesses? undefined


  • :belt_onion:

    @flabdablet said in Wish-it-was password security:

    If I want to hold shares in the two companies who have chosen this pack of nongs as their registrar, I pretty much have to.

    This. The issuer chooses the registrar, so incompetence thrives.

    Computershite once transferred some of my shares with a completely made up cost basis and acquisition date. It was going to cost me thousands in extra taxes and took me months and many hours on hold to get straightened out. I'm very thankful my broker spent so much time helping me deal with those clowns.

    A friend of mine's issue of several years was resolved when they moved a desk and found his share certificate behind it.



  • @blakeyrat Here in Australia, the usual procedure is to sign up with a stock broker of your choice, who will then place trades for you for a brokerage fee. Brokers also offer for-fee advice about what to buy and sell.

    I trade with CommSec, the brokerage arm of one of the Big Four Australian banks; they charge me $30 per trade for online trades under $10,000 or a small percentage for trades over that. If I had elected to open a Commonwealth Bank Trading Account as well, that $30 would drop to $20. The Big Four are as full of WTF as you'd expect from any large bank and I have no desire to argue with them about my money, so I use an account at my own bank instead and just pay the extra $10/trade.

    Having bought shares in an ASX-listed company through CommSec, I become a CHESS Sponsored Holder. The company I've bought into then sends me a nice Welcome To Our Company snail mail containing a form that invites me to become an Issuer Sponsored Holder. I have yet to learn of any advantage to being an Issuer Sponsored Holder as opposed to a CHESS Sponsored Holder, so I haven't done that. At the end of every month in which I've traded shares, I get a stack of CHESS paperwork in the mail listing those trades and the resulting holdings balances.

    However, just being a CHESS Sponsored shareholder is not necessarily enough to get me my dividend payments. Some of the companies I hold will mail paper cheques; others will only do direct deposits to a bank account. I can't be arsed depositing cheques, so I want to lodge direct deposit and Tax File Number details with all the companies I hold.

    Most Australian companies outsource the maintenance of those details to one of several Share Registries instead of doing it in-house. Two of mine have chosen to use the completely verkakte Share Registry I'm complaining about.

    Not that any of the others are much better. But this is the only one I've used so far that actually does implement wish-it-was password security.



  • @flabdablet Australia sounds like a dystopia.



  • @blakeyrat Meh. I'd rather live somewhere that sounds like a dystopia than somewhere that actually is one.

    contrary to popular belief, no Australian Prime Minister has ever been eaten by a salt-water crocodile



  • @FrostCat said in Wish-it-was password security:

    Are those busted-ass button labels your fault somehow, or theirs?

    Depends whether you consider using Firefox to be a "fault". They're a bit less busted in Chrome. I'm sure they look just fine in IE6.


  • Discourse touched me in a no-no place

    @blakeyrat said in Wish-it-was password security:

    Australia sounds like a dystopia.

    Haven't you seen The Road Warrior?


  • Discourse touched me in a no-no place

    @flabdablet said in Wish-it-was password security:

    Depends whether you consider using Firefox to be a "fault".

    Yes. But I was actually thinking of "caused by a Stylish rule" or something.


  • area_can

    @ScienceCat said in Wish-it-was password security:

    I am so glad the banks in my country are actually more or less decent.

