153

I have a student loan account with a company, not the biggest company but big enough that they should have their act together. Today I couldn't remember my password to log into my account dashboard. I clicked "forgot password" and they prompted me with 5 questions: first name, last name, last 4 digits of SSN, birthday, and zip code. All information that is easily acquirable if you try hard enough, not to mention all information that is included in their periodic emails about payments. Upon typing in the information, the site responds saying I have been authenticated and gives me my password in plaintext.

So now not only is it incredibly easy to retrieve lost password details, they don't even send it to your email; they just display it on screen. On top of that, they store the password in plaintext in the database. This is an account that has details of my multi-thousand dollar loan as well as my bank details for auto-payments. Fortunately the one detail not given is my username, which is my full SSN, so that is the last thread of security; however, if they store passwords unhashed I'm sure my SSN is not either, making this even worse.

So my question is, given that this is a loan that I can't just up and leave, are there any precautions or steps that I can take to make this potentially more secure? Would it be worth emailing them and badgering them to upgrade their security, or should I just pay as quickly as possible and get out? If I do warn them, what types of threat should I say they are vulnerable to, in the hope of scaring them into a patch?

DasBeasto
  • 94
    [Public shaming](http://plaintextoffenders.com/) might be a way to go. Ironically, served over http only ;) – Tobi Nary Mar 16 '16 at 13:49
  • 6
    Tell your company you're getting the loan from to get their act together. If the ship goes down and your information gets leaked, feel free to call the police for the stolen information and hire a lawyer for the method by which it was stolen. (The site was insecure, so ultimately, it's the company's fault.) – xorist Mar 16 '16 at 13:49
  • 20
    Use a unique password for this site. Also, I am not sure if they are using HTTPS but considering the other security loopholes they have, I won't be surprised if SSL is missing as well. In that case make sure to always access the site from a relatively trusted network where no sniffers are installed. Granted that people who own the network or tap into the ISPs routers can still get all the info in plaintext over HTTP but this is the best you can do right now. – void_in Mar 16 '16 at 13:57
  • 2
    They could be storing the password encrypted instead of in plaintext; which is marginally less bad. It avoids a trivial plaintext leak from just a DB dump or SQL injection. It's still not good practice because if the server's compromised the attacker will probably be able to extract the decryption key with a bit of extra work. – Dan Is Fiddling By Firelight Mar 16 '16 at 15:16
  • Comments are not for extended discussion; this conversation has been [moved to chat](http://chat.stackexchange.com/rooms/37189/discussion-on-question-by-dasbeasto-what-to-do-if-stuck-with-website-that-has-po). – Rory Alsop Mar 18 '16 at 18:26
  • 1
    For anyone wondering, nearly a year later and no responses to any of my emails, in-website complaints, or complaints to the FTC. And the same issue is still present on the website. – DasBeasto Jan 10 '17 at 14:12
  • Re update: They finally migrated to a completely new site. Although the new site is awful and broken it does not have the same issue. – DasBeasto Jan 04 '18 at 19:40
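To make concrete what the question and the comments above are describing, here is an added illustration that is not part of the original question or any answer: two tiny user stores side by side. `PlaintextStore` models the site as described (the stored value is the password, so a DB dump, an injection, or the "forgot password" page all hand it back). `HashedStore` does what a lender's portal should do instead: it keeps only a salted PBKDF2 hash, verifies in constant time, and, because the password is unrecoverable by design, answers "forgot password" with a short-lived single-use reset token rather than the secret. The PBKDF2 iteration count, the 15-minute token lifetime, and the class and function names are assumptions for this example, not anything taken from the site in question.

```python
import hashlib
import hmac
import secrets
import time
from typing import Optional

# Assumptions for this constructed example: iteration count and token lifetime
# are illustrative; raise the iteration count for real hardware.
PBKDF2_ITERATIONS = 100_000
RESET_TOKEN_TTL_SECONDS = 15 * 60


def hash_password(password: str, salt: Optional[bytes] = None) -> str:
    """Return a self-describing record: pbkdf2_sha256$<iters>$<salt hex>$<hash hex>."""
    if salt is None:
        salt = secrets.token_bytes(16)  # fresh random salt per user
    digest = hashlib.pbkdf2_hmac(
        "sha256", password.encode("utf-8"), salt, PBKDF2_ITERATIONS
    )
    return f"pbkdf2_sha256${PBKDF2_ITERATIONS}${salt.hex()}${digest.hex()}"


def verify_password(password: str, record: str) -> bool:
    """Recompute the hash with the stored salt/iterations and compare in constant time."""
    algo, iters, salt_hex, hash_hex = record.split("$")
    if algo != "pbkdf2_sha256":
        raise ValueError("unsupported password record")
    digest = hashlib.pbkdf2_hmac(
        "sha256", password.encode("utf-8"), bytes.fromhex(salt_hex), int(iters)
    )
    return hmac.compare_digest(digest, bytes.fromhex(hash_hex))


class PlaintextStore:
    """What the question describes: the stored value IS the password."""

    def __init__(self) -> None:
        self.rows = {}  # user -> password

    def register(self, user: str, password: str) -> None:
        self.rows[user] = password

    def login(self, user: str, password: str) -> bool:
        return self.rows.get(user) == password

    def forgot_password(self, user: str) -> str:
        return self.rows[user]  # the secret is recoverable; that is the defect


class HashedStore:
    """Only a salted hash is stored; the password cannot be displayed or mailed."""

    def __init__(self) -> None:
        self.rows = {}          # user -> hash record
        self.reset_tokens = {}  # user -> (token, expiry timestamp)

    def register(self, user: str, password: str) -> None:
        self.rows[user] = hash_password(password)

    def login(self, user: str, password: str) -> bool:
        record = self.rows.get(user)
        if record is None:
            hash_password(password)  # spend the same time for unknown users
            return False
        return verify_password(password, record)

    def forgot_password(self, user: str) -> Optional[str]:
        """Issue a short-lived random token to be delivered out of band (e.g. by
        email). Returns None for unknown users and never anything password-derived."""
        if user not in self.rows:
            return None
        token = secrets.token_urlsafe(32)
        self.reset_tokens[user] = (token, time.time() + RESET_TOKEN_TTL_SECONDS)
        return token

    def reset_password(self, user: str, token: str, new_password: str) -> bool:
        """Consume the token (single use, time-limited) and store a new hash."""
        issued = self.reset_tokens.get(user)
        if issued is None:
            return False
        expected, expiry = issued
        if time.time() > expiry:
            del self.reset_tokens[user]
            return False
        if not hmac.compare_digest(expected.encode("utf-8"), token.encode("utf-8")):
            return False
        del self.reset_tokens[user]
        self.rows[user] = hash_password(new_password)
        return True
```

The point of the contrast is in `forgot_password`: with the hashed store there is simply nothing on the server that could be shown on screen, which is why a site that displays your password after a few knowledge questions has necessarily stored it in a recoverable form (plaintext or, as one comment notes, reversibly encrypted with a key the same server holds).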

5 Answers

120

Financial institutions in the United States are obliged by the Gramm-Leach-Bliley Act to ensure the security and confidentiality of personal information. What you describe is a flagrant violation of the FTC's Safeguards Rule.

I would immediately file a complaint with the FTC.

Emmet
  • 15
    +1 Very interesting find, I'd think they count as a financial institution and if so would certainly be in violation. Thanks for the lead. – DasBeasto Mar 16 '16 at 21:13
  • 4
    They would almost certainly count; as the linked FTC document says, “financial institutions” is broadly construed for the purposes of the GLB Act. – Emmet Mar 16 '16 at 21:19
  • Ah yes it appears so, under their provided definition they certainly count barring some sort of bureaucratic loophole. I'll wait for their response to my messages so I can have both sides of the story but I can't foresee a path that doesn't involve filing one of those complaints. – DasBeasto Mar 16 '16 at 21:25
  • The document doesn't really specify anything about hashed passwords. It seems to indirectly imply that they should be for employee passwords ("Tough-to-crack passwords require the use of...") but other than that it just says the company has to implement a written security plan; it doesn't mention that it has to be a good one. Is there any kind of external oversight for something like this? It seems pretty vague other than the section about employees. – Sam Mar 18 '16 at 16:44
93

If you are concerned about the privacy of your password and thus your account (which should be the case), you should try to educate their customer service. The developer FAQ from the public shaming project for this kind of recklessness lists a few good points and is worth a read.

Also, you should point out that you feel insecure and lose trust in the company and will make them liable for any problems that stem from this no-go.

You should also document that behaviour and try to get a written quote on their point of view if they do not see a reason to fix this. Thus, if any problems arise, it will make the whole thing easier for you from a legal point of view.

Besides that, by submitting the site to plaintext offenders, you will provide a third-party point of view, which might help your case.

Also, I assume you use a secure unique password for that site and hopefully have always done so.

If not, treat this as a regular leak, changing all your passwords (and on that occasion, make sure to use unique passwords for each service).

Matt
Tobi Nary
  • Comments are not for extended discussion; this conversation has been [moved to chat](http://chat.stackexchange.com/rooms/38003/discussion-on-answer-by-smokedispenser-what-to-do-if-stuck-with-website-that-has). – Rory Alsop Apr 06 '16 at 07:45
7

You could report this to the administrators of the site, but in the likely event that the e-mail is picked up by customer services it's unlikely to be understood.

Hopefully it'll be elevated to a development team who will hopefully understand it.

However you may wish to urge caution as if it's grossly misunderstood you don't want to be accused of hacking.

Alternatively, in the UK for example, the "Data Protection Act" is legislation to protect against such mishandling. The "Information Commissioner's Office" handles complaints. In particular, there is a statement on the gov.uk site to contact the ICO:

> Make a complaint
>
> If you think your data has been misused or that the organisation holding it hasn’t kept it secure, you should contact them and tell them.
>
> If you’re unhappy with their response or if you need any advice you should contact the Information Commissioner’s Office (ICO).

https://www.gov.uk/data-protection/make-a-complaint

The ICO is a useful resource: https://ico.org.uk/

The UK is particularly good, and I suspect other countries have similar legislation in place; however, certainly some other countries aren't as forthcoming.

Alex KeySmith
    I am glad that you mentioned the possibility that this might be misconstrued as hacking. A classmate of mine in college did some simple traceroutes on the school's network and noticed a bottleneck which was severely degrading performance. He took the information to the network admins and was accused of hacking, and just barely avoided being expelled (they took away network in his room for his remaining years, fired him from his job working in the computer labs, etc). It is not unusual for people ignorant of technical matters to view anyone outside their employ with technical info as a threat. – otakucode Mar 19 '16 at 04:00
3

Can you update any of that personal info and give them fake, slightly altered but still valid values? Like, give them a very nearby zip code (preferably 9-digit) that the mailman could still figure out to deliver your mail. Or "you spelled my last name wrong, it's DasBeesto not DasBeasto".

Can you change your username to something highly random?

Make sure you use a long, unique password for that site, one that has absolutely no relationship with the passwords you use on other sites (not rAnD0m-sitex, for example).

Neil McGuigan
  • 7
    I'm not sure where they got the zip information from it may have been given when applying for the loan but I'll see if it is changeable. Unfortunately the username is my SSN so I can't change that to something random. Also since this is a federal loan, i.e. a line of credit, changing these to fake values may be considered fraud, but I am unsure. – DasBeasto Mar 16 '16 at 18:47
  • Also, what would be the benefit of providing false personal information? That info can most likely be obtained through other means, in contrast to the actual debt data, which is the greater concern here, probably. – Tobi Nary Mar 16 '16 at 23:18
  • 2
    @SmokeDispenser: in order to "recover" DasBeasto's account password, an attacker would need to provide the same misspelling. – Ángel Mar 16 '16 at 23:24
  • 1
    You're completely right. I'm tired, obviously. Good night;) – Tobi Nary Mar 16 '16 at 23:27
  • @SmokeDispenser threat: a user wants to log in to my account. Finds my real DOB, zip code etc. on LinkedIn and other places. Resets my password. Views my account. If the zip is fake they can't do that. – Neil McGuigan Mar 16 '16 at 23:28
  • 2
    I would not change your personal information to something fake. These are people you owe money to. Even if their security is irresponsible garbage, you don't want to risk giving them a case against you if you get on their bad side. – jpmc26 Mar 17 '16 at 03:39
  • @jpmc it's a trade-off: weigh the risk of someone easily breaking into your loan account and wreaking havoc against the risk of a loan company suing you for having a slightly wrong zip code. – Neil McGuigan Mar 17 '16 at 04:16
2

Instead of providing your bank details to the loan administrator, provide the loan account details to your bank billpay service.

This is actually a good idea in general -- placing less compromising information under the care of a more valuable account avoids the problem of "privilege escalation".

Also, if you aren't confident that the loan administrator actually scrubbed bank details that you previously provided them, tell your bank about the situation. They'll issue you new account numbers and revoke the ones known to the insecure site, and possibly also put pressure on the loan administrator to clean up their act.

Ben Voigt