0

I am a web developer, but I have only a rudimentary grasp of security, e.g., be careful to sanitize inputs, store as little user data as possible, encrypt passwords, keep up with security issues of libraries and packages, etc.

Today, I was approached by a client who does financial planning about replacing a spreadsheet he gives clients with a web-based form. The spreadsheet asks users to input certain financial data - e.g., current value of various investment accounts, business interests, etc. These numbers are put into a formula and a value is generated which is supposed to help the user decide whether the consulting could be useful to them.

The phone call was very short, and my questions focused on more mundane matters about user experience, desired UI elements, etc. No commitments have been made, and I'm analyzing the project to see if it's something I can do. I began to think about potential security issues, and I realized I really don't know where to start. So far it seems that client wants the form to be accessed via a magic link, and that the user would not enter any personally-identifying information. I do not know yet whether my potential client wants to store the value generated, a simple dollar amount which is the 'benefit' the user could get by using the service. The impression I got is that my potential client simply wants to use this value as a motivator for clients to inquire further about his services.

In this scenario, what security-related matters should I consider?

schroeder
  • 123,438
  • 55
  • 284
  • 319
user
  • 103
  • 3
  • 3
    I would consider the fact that 2 weeks after you finish this, the client will say "you know, I want a sign up page here for them to put in their personal details, and then also store their financial data so I can get them started". The client will then insist that this is an immediate priority and will be unwilling to pay for you to properly secure the data. You will then have to decide whether or not to oblige – Conor Mancone Jul 11 '20 at 01:34
  • Where is the data being stored and processed? On your server or client-side? – schroeder Jul 11 '20 at 07:44
  • 1
    "the user would not enter any personally-identifying information" -- the email to get the magic link is PII. – schroeder Jul 11 '20 at 07:45
  • @schroeder So far, it doesn't appear that the data would be stored anywhere - apparently, the value is simply for the user's purposes, i.e., to help them determine whether to pursue the client's services further. +1 for your pointing out that the email to get magic link is PII. Thank you. – user Jul 11 '20 at 09:04
  • @schroeder client-side – user Jul 11 '20 at 12:07

3 Answers3

2

It's the details that are confidential, but the outcome as the amount of dollars alone doesn't tell much to anyone. Before rushing to details like UX and UI one should define the desired use cases and functionality first. I see two possibilities, and both are good from your perspective:

  1. The tool is intented for personal use of the user alone, and the profit your client gets is bound to the impression it leaves to the user i.e. the user desides to use the services based on the results. In this case the user experience of the form is highlighted, as it's purely for advertisement. However, it also makes it possible to do everything client-side and the application doesn't need to save any of the information on the server. Regarding PII this is the easiest solution.

  2. If the application saves any possible PII, it's your client's responsibility to deside what information is collected and how it's stored and used. Depending on the jurisdiction there might be special requirements for that, e.g. EU GDPR, national privacy acts or even PCI DSS. You should have them to define their needs, and while you can give some advice, after you have finished with the project it's their data on their responsibility.

Esa Jokinen
  • 16,100
  • 5
  • 50
  • 55
1

You are asking yourself the right question. Security should not be an afterthought but integrated early in the design phase.

A magic link (à la Google Drive ?) may be convenient but inevitably they will be shared (or leaked), even inadvertently by forwarding E-mails for instance. Then there is no accountability: if you want to to know who made a change the only information you have is the IP address. Anybody you knows the URL can see information that they are not entitled to see.

So I think I would build a list of users and assign them usernames and passwords if possible. The inconvenience is not that great and there is more control over who can connect. The link could also be made short-lived/single-use only to minimize long-term exposure.

I am also assuming that we are not talking about prospective (new) clients, but clients with whom there is an existing relationship and that you already know them.

It all depends on the value of the data, how confidential it is and can you afford to have a stranger messing with it. The way I understand it, in terms of functionality it's almost like requesting an insurance quote or a house appraisal. But there is still PII involved and financial data is somewhat sensitive/private by definition. On the other hand, companies have to publish accounts, so it's possible that some of the information they will submit to you is in fact already public.

Before you reinvent the wheel: unless the client has specific requirements there may be solutions already available on the market. Then your job will be more integration than development. If your client uses an ERP or CRM it's possible that a plugin exists, or that you can build one (= better integration).

At this point the issue is not even security. It is more a question of data integrity and confidentiality (and accountability). As mentioned in comments, an IP address is PII and can reveal the end user outright (some companies have their own IP address blocks).

Things I would clarify with the client:

  • what kind of data will you exactly store and process
  • for how long
  • what is the long-term aim
  • is it possible that the project evolves and grows over time (think about function creep...)
  • applicable regulations to observe (eg GDPR)
Kate
  • 6,967
  • 20
  • 23
  • 2
    The scenario in the OP suggests that these are prospective clients: "wants to use this value as a motivator for clients to inquire further about his services" and "help the user decide whether the consulting could be useful to them". And the data appears to be processed client-side. – schroeder Jul 11 '20 at 20:16
0

The main issue you have here is even though there may not be any personally identifiable information being entered into the form, there is a lot of personally identifiable information being transmitted simply by the user connecting to the website.

IP address, which leads to geo-location, and could trackback to a person's phone if that connection data was in the hands of a person that had a high level of skill with hacking IP addresses back to the individual.

In that scenario then the bad actor would have certain financial details coupled with their identity which could leave that person exposed.

I do not think a project like that should be deployed without an experienced web security professional auditing the project to ensure that the level of data being exposed could not create a vulnerability for the end web user. May even be more of a financial security analysis that is needed, as web security and financial security are not the same areas of expertise.

I'm not saying a full-blown PCI audit is warranted, but at least enough review to ensure that the process is not creating a vulnerability.

schroeder
  • 123,438
  • 55
  • 284
  • 319
Sean Larabee
  • 309
  • 1
  • 3
  • A magic link is being used. The info can be connected directly to the email account. The data on the server-side, what's exposed, and the security of that link-to-session data is the key here. What level of hacking would be possible to connect an IP to an individual? How does IP geolocation enable someone to connect the IP to a certain device and then person? I'm not sure that you are proposing a viable threat scenario. And PCI-DSS only applies to payment card info, not financial info. – schroeder Jul 11 '20 at 07:38
  • Some companies have their own IP address ranges. In that case the IP address can identify the company but not the person. That can be considered a data leak, the severity of which depends on the nature of data being submitted. – Kate Jul 11 '20 at 14:22
  • Not sure why Schroeder is focusing on my answers with such single minded obsession, and editing my posts, but it's foolish. First; A magic link has nothing to do with it. A webpage accessed by "potential" clients may be accessed from anywhere, using a number of mediums, and a magic link doesn't change networking fundamentals at all. Bottom line is any developer building a form that collects financial data should MAKE SURE it's secure by whatever means necessary, Nothing to argue about, was simply the best advice that can be given in regards to fin data of any kind. – Sean Larabee Jul 11 '20 at 17:09
  • 1
    My comments were not personal. Yours were. That's not appropriate. Please take a look at our [Code of Conduct](https://meta.stackexchange.com/conduct) – schroeder Jul 11 '20 at 19:40