My Brokerage Firm Is A Security Vulnerability

In 2012 I discovered that my bank is a security vulnerability. Today, while calling support, I happened upon the realization that my brokerage firm is too. One of the first things the automated system had me do was type in my account password via the number pad on my phone. It was at this point that I was reminded of why I don’t trust anyone with anything. Allow me to explain the red flags that shot up.

Strength in numbers

For the sake of explanation, let’s assume we’re working with a 10-character password. It is the unfortunate truth that many financial institutions place very weird limits on user passwords. For example, it is not uncommon to disallow special characters, and to limit the password to 12 characters. So for this explanation, we’ll use a 10-character alphanumeric password drawn from a-z, A-Z, and 0-9. This gives us 62^10, roughly 8.39*10^17 possibilities (it’s actually lower than that because certain passwords like aaaaaaaaaa are not allowed).

Now, think about what I was asked to do. The brokerage firm asked me to type in my password on my phone’s number pad. There are multiple consequences here. First, my password complexity has been reduced from a 62-character alphabet to a 10-character alphabet. This means that there are only 10^10 possibilities. We have reduced the complexity by almost 8 orders of magnitude! Are the red flags flying up yet?

Everything is broken

What followed is equally concerning. After punching in 10 numeric keys on my phone, the system successfully authenticated me! Uhm, what?! Depending on which keys were pressed, there are up to 9^10 possible passwords (some keys, like 7, have nine possible characters that they represent in this alphabet). There are a few possibilities that could explain this:

  • The brokerage firm hashed all 9^10 possible strings and compared every hash to my hashed password in their database. Not only is this very unlikely, but it creates a collision attack by design.
  • The brokerage firm isn’t hashing my password, but is storing it with a two-way encryption scheme like AES. When I attempt to log in, the firm decrypts my password, translates it to its T-9 representation (which is extremely easy to do), and compares. But if an attacker (or rogue employee) ever obtains that encryption key, I’m screwed.
  • The brokerage firm is storing a pre-computed T-9 representation of my password in their database. It’s extremely easy to do, and would require no additional work on their part. This is only negligibly better than storing my password in plaintext.
  • The brokerage firm is storing my password in plaintext. If that’s the case, then all hope is lost.
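To put numbers on the keyspace reduction and the collision class a keypad-only check accepts, here is an added example (not code from the original post). It assumes the standard phone keypad letter layout (2=abc through 9=wxyz, with 0 and 1 carrying no letters) and the post’s 62-character alphanumeric policy; the sample password is constructed. It also enumerates the candidate set the first explanation above would require the verifier to hash, which is the same set an attacker who learns the digit sequence would have to search.

```python
import math
from itertools import product

# Letters printed on a standard phone keypad; keys 0 and 1 carry no letters.
# Constructed for this example.
KEYPAD_LETTERS = {
    "2": "abc", "3": "def", "4": "ghi", "5": "jkl",
    "6": "mno", "7": "pqrs", "8": "tuv", "9": "wxyz",
}
ALPHABET_SIZE = 62  # a-z, A-Z, 0-9, as in the post's assumed password policy


def chars_on_key(digit):
    """Every password character a single keypad digit can stand for:
    the digit itself plus its letters in both cases (key 7 -> 9 characters)."""
    letters = KEYPAD_LETTERS.get(digit, "")
    return digit + letters + letters.upper()


# Reverse lookup: password character -> keypad digit
_CHAR_TO_DIGIT = {c: d for d in "0123456789" for c in chars_on_key(d)}


def to_keypad(password):
    """Digit sequence a caller would type for this password on a phone keypad.
    Raises KeyError for characters a number pad cannot express (e.g. '!')."""
    return "".join(_CHAR_TO_DIGIT[c] for c in password)


def full_keyspace(length):
    """Size of the alphanumeric keyspace the password policy nominally offers."""
    return ALPHABET_SIZE ** length


def keypad_keyspace(length):
    """Size of the keyspace once only the typed digits are checked."""
    return 10 ** length


def orders_of_magnitude_lost(length):
    """How many powers of ten the keypad reduction throws away."""
    return math.log10(full_keyspace(length) / keypad_keyspace(length))


def colliding_passwords(digits):
    """Number of distinct alphanumeric passwords that type as this digit
    sequence, i.e. the size of the collision class the keypad check accepts."""
    return math.prod(len(chars_on_key(d)) for d in digits)


def candidates(digits):
    """Enumerate every alphanumeric password behind a digit sequence. This is
    exactly the set a verifier would have to hash and compare if it only
    stored a real password hash (the first explanation in the post)."""
    for combo in product(*(chars_on_key(d) for d in digits)):
        yield "".join(combo)


if __name__ == "__main__":
    pw = "Passw0rd"  # constructed sample password
    digits = to_keypad(pw)
    print(f"{pw!r} types as {digits}")
    print(f"10-char keyspace: {full_keyspace(10):.3e} vs keypad {keypad_keyspace(10):.3e}")
    print(f"orders of magnitude lost: {orders_of_magnitude_lost(10):.2f}")
    print(f"passwords sharing the digits {digits}: {colliding_passwords(digits)}")
    print(f"worst case for 10 digits (all 7s or 9s): {colliding_passwords('7' * 10)}")
```

The collision count is the product of the per-key character counts, so it ranges from 1 (a password made only of digits 0 and 1) up to 9^10 for ten 7s or 9s; a properly salted hash of the full password cannot be checked against any of these without enumerating the whole class.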

I feel like I’m taking crazy pills

All of these options leave me feeling very insecure about my money. I’m inclined to look into transferring my funds to a different company, but if this AAA firm can’t get it right, will anyone?

My Falling Out With Facebook: My Friends Are Boring

Over the past few years, I’ve noticed somewhat of a transformation of how I use and perceive social media. This should be no surprise–trends change and the social media scene is in constant flux. But something happened last night that made me really stop and think about my evolved opinions of Facebook, Twitter, and the like.

It’s a show about nothing

Late last night, my girlfriend was flipping through the Facebook app on her iPhone when she suddenly exclaimed, “I hate social media!” Now, this post isn’t about her, and I won’t presume to think that I can speak for her, but what followed was a short rant about how she thinks the majority of posts on Facebook are stupid. In not so many words, she told me how she’s tired of seeing people post about, well, nothing.

My first reaction was to challenge her. I love social media, and wanted to charge in its defense! After all, social media has revolutionized how we share information. What could be better? But after taking some time to think about it, I decided that I have my own qualms.

Go home, you’re drunk

I’m going to get straight to the point: Facebook has completely lost its appeal. Not Facebook the platform or Facebook the company, but Facebook the ecosystem. And it might not be Facebook’s fault–it might be mine. When I was in college, Facebook was great. I loved seeing the shenanigans that my peers got into over the weekend. It was a joy logging on throughout the day and receiving a constant stream of photos, party invitations, drunken stories, new relationships, expired relationships, and congruent complaints about class and assignments. But now that I’m out of school, none of that applies anymore. Almost all of my peers are living very different lives, and the social bubbles that we spent 4+ years building don’t make sense anymore. I’ve been out of college for about a year and a half, and I find that I have almost nothing to say to any of my Facebook friends. Before was college, and we were all in it together. Now is life, and we’re all in it on our own.

Gratifying cacophony

Enter Twitter. I’ll admit it: a few years ago I thought Twitter was stupid. I saw it as a platform that limited you to only posting status updates. Why would I want a dumbed-down Facebook? It wasn’t until a couple of years ago that I finally started to get it. Where Facebook fails, Twitter soars. No longer am I limited by the mundane ennui that is my Facebook feed. On Twitter I can reach a range from superstars to plebeians in the various fields and topics that interest me. I like to discuss current events, politics, and software development (among other things). I can do this with a massive audience on Twitter. Very few of my friends tend to participate when I take those conversations to Facebook.


What’s more is that Twitter is very much a firehose. It doesn’t try to shape my experience, it just dumps everything on me. And I love it. Facebook thinks it knows which posts will interest me, but Facebook is usually wrong.

It’s me; it’s you

My Facebook friends are my real-life friends. But let’s be honest: my real-life friends are boring. Photos of your dog, inside jokes, cryptic song lyrics, “I fucking love science”, and hashtagged wedding engagements are a fine way to pass the time, but honestly, I’m not getting anything out of it anymore.

WebViews Are Not To Be Trusted

WebViews scare the shit out of me. And they should scare the shit out of you–or, less sensationally, you should regard them with genuine skepticism. In the wake of the world finally devoting critical thought to a 60-year-old intelligence agency, it’s good to see people realizing that the internet is, in fact, not anonymous. But, big brother isn’t the only person you should be worrying about. Don’t forget about little brother and sister too. I’m talking about the app developers.

All I know is my gut says ‘maybe’

How many times have you installed a new app on your phone and been prompted to log in with either Facebook or Twitter? Did you do it? How do you know? It’s pretty easy to verify, as the services will list apps that are linked to your account. But you can only perform that check after the fact. Or perhaps you’ve always been wary of letting Facebook or Twitter have too much access to your life, and you opt out of logging in with those methods. After all, why does Facebook need to know what you’re reading in The New York Times? But how about other services? There are lots of apps that integrate with Instagram. Maybe you don’t have to log in to Instagram to use the app, but if you’d like to share app content via Instagram, a login is inevitable. We’ve all seen screens like this:

[image: Instagram login screen rendered inside an app’s WebView]

It’s a simple WebView that authenticates with Instagram so that you can post your favorite fake-vintage photo of your dinner. But how do you know that’s where your credentials are going? There is no address bar. No confirmation from the OS. No HTTPS indicator. Nothing. You just trust that the developer is sending your credentials to Instagram, and not harvesting them somewhere in the Ukraine. Seems a bit phishy, no?

Nom nom nom

And what about cookies? Sure, most larger services have guards against it, but cookie stealing is still a reasonable attack against a user. Let’s say you’re using my developer news-aggregating app CoderNews and you click on a link that takes you to a GitHub login.

[image: GitHub login screen rendered inside the CoderNews WebView]

Again, are you sure you’re actually at a GitHub login, or did I send you somewhere else? And second, how do you know that I’m not piping your session cookies elsewhere? Apple will happily let me read and edit cookies that you pulled down through my app. I’ve heard the argument “but aren’t we allowing the same risk when we use Chrome or Firefox?” Yes, absolutely. But ask yourself, do you trust them? Why? Do you trust me? Why not? Whether you think it’s a good distinction or not, there is a difference.

Only the insecure strive for security

What’s the best solution to these problems? Maybe iOS and Android should force their WebViews to display the URL that is being rendered. Maybe they should have a tighter cookie policy. Maybe Jony Ive values beauty over security, and there will never be a solution. But if USB Condoms can make the front page of Hacker News, can we at least have some outrage over a much more likely security issue?
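Until the platforms show the URL themselves, an app can at least refuse to let its login WebView navigate anywhere but the provider it claims to talk to, and can surface the real origin to the user. The following is an added example, not code from the post, written in Python for readability rather than as an iOS or Android navigation delegate; the allowlist and the sample URLs (including the look-alike hosts) are constructed. It enforces the checks that the missing address bar would otherwise let a user make: HTTPS only, no userinfo in the URL, default port, and an exact host match.

```python
from urllib.parse import urlsplit

# Hosts an embedded login WebView may navigate to. A constructed allowlist for
# this example; a real app would list only the identity provider it actually uses.
ALLOWED_LOGIN_HOSTS = frozenset({"www.instagram.com", "instagram.com", "github.com"})


def allow_navigation(url, allowed_hosts=ALLOWED_LOGIN_HOSTS):
    """Decide whether a WebView should be allowed to load `url`.

    Mirrors the check a navigation callback would perform before the page
    renders: HTTPS only, no userinfo tricks, default port, and the host must
    match the allowlist exactly (no suffix or substring matching)."""
    parts = urlsplit(url)
    if parts.scheme != "https":
        return False                      # plain http or custom schemes
    if parts.username is not None or parts.password is not None:
        return False                      # https://github.com@evil.example/
    host = parts.hostname                 # already lower-cased by urlsplit
    if not host:
        return False
    try:
        port = parts.port                 # raises ValueError on a non-numeric port
    except ValueError:
        return False
    if port not in (None, 443):
        return False
    return host in allowed_hosts          # rejects github.com.evil.example


def displayed_origin(url):
    """The origin an app should show the user in place of the missing address bar."""
    parts = urlsplit(url)
    return f"{parts.scheme}://{parts.hostname}"


def triage(urls):
    """Run the policy over a batch of URLs; returns {url: allowed}."""
    return {u: allow_navigation(u) for u in urls}


if __name__ == "__main__":
    # Constructed sample navigations: one legitimate login page and several
    # look-alikes an embedded browser would render without any visible warning.
    SAMPLE = [
        "https://github.com/login",
        "http://github.com/login",
        "https://github.com.evil.example/login",
        "https://github.com@evil.example/login",
        "https://github.com:8443/login",
    ]
    for url, ok in triage(SAMPLE).items():
        print(f"{'ALLOW' if ok else 'BLOCK'}  {displayed_origin(url):40s} {url}")
```

The exact-match rule matters more than it looks: a suffix check such as `host.endswith("github.com")` would wave through `github.com.evil.example`, and `displayed_origin` on the userinfo variant correctly reports `evil.example`, which is the host the browser would actually connect to.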

Is This Real Life?

Today is May 1, 2013. Last May, big things were happening in my life. I graduated from college. I moved to Cincinnati. I was gearing up to start my career as a software developer. I can’t believe that was a year ago.

In that time, a lot of great things have happened. I hit the ground running with my job. I was part of a mobile dev team, from which I learned A LOT. I’ve worked on multiple side projects that have garnered modest publicity. I was on the front page of some of the world’s most read online publications (that literally caught the eye of more than 2.5 million people). I’ve got some amazing people in my life now that I didn’t even know one year ago and I can’t imagine living without. I could go on and on.

It’s been a good year. No, it’s been a great year. But I’d be lying if I said I was content. There are many reasons for that, but I won’t bore you with them. Rather I’ll leave you with this: Where do you see yourself in five years? Why are you waiting five years to get there?

Apple’s Payment Problem

This past Sunday I purchased a really cool iOS app called CodeBucket. It’s a handy app that lets me completely manage my Git repositories that live on Bitbucket. I use it primarily for issue tracking on the go. But this post is not about that.

I’m cheap

I admit it, I’m not one to often purchase apps. It’s not that the price is too high, it’s just that I don’t find myself to be very productive on my iPhone. It’s usually not worth the money when I can often complete a task more quickly on my laptop–and for free. Despite all this, CodeBucket had good reviews so I decided to buy it for the negligible price of $1.99. Or so I was told.

Buffering…

It wasn’t until two days later, Tuesday, that I received an email receipt from Apple for my purchase. Here’s a snippet from that receipt:

[image: screenshot of the emailed CodeBucket receipt]

First of all, why the hell did it take two entire days for me to receive an emailed receipt? The purchase happened on Sunday, the receipt is dated Monday, and I get the email on Tuesday? Perhaps the internet tubes were filled in Cupertino this weekend. But, whatever, I can live with it. It’s not like I was eagerly awaiting my receipt so that I could keep my books in tip-top shape.

What’s up with that?

The second issue here is a bit more bothersome. As I mentioned, I thought I was purchasing an app for $1.99. Apparently a 6.5% sales tax was applied to this purchase, bringing the grand total to $2.12. Now, my issue here isn’t with the fact that I had to pay tax; that doesn’t bother me. The problem is that I was never told that I would be paying tax on the transaction. The price read $1.99 so I assumed I would pay $1.99. There was no final confirmation to make sure I agreed to a grand total–it just went ahead and applied the tax and charged me.

I consulted the iTunes Store Terms and Conditions, and sure enough it’s in there:

Your total price will include the price of the product plus any applicable sales tax; such sales tax is based on the bill-to address and the sales tax rate in effect at the time you download the product. We will charge tax only in states where digital goods are taxable.

Apparently Ohio enforces tax on the sale of digital goods. I was unaware of that. I did a quick ctrl+f on the Wikipedia page, and Ohio didn’t come up. I guess Apple knows more than me about taxes. Regardless, it’s a common courtesy to let a customer know just how much they’re paying for something before they actually pay. Oh, and an emailed receipt really shouldn’t take two days to deliver. But I guess when FT 500 says you’re the most valuable company in the world, you can do what you want.