Internet and e-mail policy and practice
including Notes on Internet E-mail
24 Jan 2019

What's wrong with this security model?

I'm moving some of my financial accounts to Lively, a fintech startup. We've had the usual chit-chat about details of where the money is coming from on the messaging system on their web site. It works fine: when there's something new, they send me a note saying to log in and check my messages. Except that today they sent me a message through a third party "secure" messaging service. To protect the guilty, we'll call it Hubri.

I got a message from Lively which they sent through Hubri. It had a big block of stuff that sort of looks like PGP:

--- START PROTECTED MESSAGE TDF 0 ---
PD94bWwgdmVyc2lvbj0iMS4wIiBlbmNvZGluZz0iVVRGLTgiIHN0YW5kYWxvbmU9InllcyI/Pgo8dGRmOlRydXN0ZWREYXRhT2JqZWN0IHhtbG5zOnRkZj0idXJuOnZpcnRydTp0
 ...
TnJUMFRSZEZ3PTwvdGRmOkJhc2U2NEJpbmFyeVBheWxvYWQ+CjwvdGRmOlRydXN0ZWREYXRhT2JqZWN0Pg==
--- END PROTECTED MESSAGE ---

It had a link to the Hubri web site, which told me that it was loading their special decoder, then asked whether my address was the one it had sent the message to (uh, yes), and it said OK, we'll send you a secret code.

The code arrived at the same address as the original message, and when I cut and pasted it into their web page, it showed me the message. What exactly is their security model? Anyone who could intercept the original message could intercept the followup with the code, so how is this different from sending plain text?
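To make the channel argument concrete, here is an added example (not from the post, and not a description of how Hubri is actually built): a small threat-model check that asks, for each delivery design and each attacker, whether the "protected" flow keeps anything secret that plain text would not have. The flow names, channel names and attacker profiles are constructed assumptions for illustration.

```python
"""Added illustration: does an unlock code delivered over channel X add
anything over plain text against an attacker who reads channel Y?
All flows, channels and attackers below are constructed for the example."""
from dataclasses import dataclass
from typing import Dict, FrozenSet, Iterable, List, Tuple


@dataclass(frozen=True)
class Flow:
    """A delivery design: which channel carries the wrapped body and which
    channel carries the secret needed to open it."""
    name: str
    body_channel: str
    unlock_channel: str


@dataclass(frozen=True)
class Attacker:
    """An adversary described only by the channels it can read."""
    name: str
    reads: FrozenSet[str]


def attacker_recovers_message(flow: Flow, attacker: Attacker) -> bool:
    """The attacker needs both pieces: the wrapped body and the unlock secret.
    If both travel over channels it can read, the wrapping is decorative."""
    return (flow.body_channel in attacker.reads
            and flow.unlock_channel in attacker.reads)


def adds_protection_over_plaintext(flow: Flow, attacker: Attacker) -> bool:
    """Plain text falls to anyone who reads the body channel. The flow only
    earns its name if plain text would have been exposed to this attacker
    but the protected flow is not."""
    plaintext_exposed = flow.body_channel in attacker.reads
    return plaintext_exposed and not attacker_recovers_message(flow, attacker)


def evaluate(flows: Iterable[Flow],
             attackers: Iterable[Attacker]) -> Dict[Tuple[str, str], bool]:
    """Matrix of (flow, attacker) -> whether the flow beats plain text."""
    return {(f.name, a.name): adds_protection_over_plaintext(f, a)
            for f in flows for a in attackers}


def weakest_flows(flows: Iterable[Flow],
                  attackers: Iterable[Attacker]) -> List[str]:
    """Flows that add nothing against *every* attacker in the model, i.e.
    designs whose second step is delivered over the same channel as the
    first."""
    flows = list(flows)
    attackers = list(attackers)
    return [f.name for f in flows
            if not any(adds_protection_over_plaintext(f, a) for a in attackers)]


# Constructed designs. The first one is the flow described in the post:
# the message and the code to open it both arrive in the same inbox.
FLOWS = [
    Flow("same-inbox code", body_channel="email", unlock_channel="email"),
    Flow("code by SMS", body_channel="email", unlock_channel="sms"),
    Flow("pre-shared password", body_channel="email", unlock_channel="in-person"),
]

# Constructed attackers: one who can read the mailbox, and one who can
# read the mailbox and the phone.
ATTACKERS = [
    Attacker("mailbox snoop", frozenset({"email"})),
    Attacker("mailbox + phone", frozenset({"email", "sms"})),
]

if __name__ == "__main__":
    for (flow, attacker), helps in evaluate(FLOWS, ATTACKERS).items():
        verdict = "beats plain text" if helps else "no better than plain text"
        print(f"{flow:20s} vs {attacker:16s}: {verdict}")
    print("flows that never help:", weakest_flows(FLOWS, ATTACKERS))
```

The model is deliberately small: it ignores what the wrapping format looks like and only tracks who can see which channel, because that is the whole question the post is asking. Any flow whose unlock secret rides on the same channel as the body shows up in `weakest_flows`, regardless of how much it resembles PGP on the wire.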

The Hubri page offered me the opportunity to send Lively an equally secure response, which I did. It said to look at the messages on their web site to see my answer. You'd expect the message they sent via Hubri also to be in their internal messaging, but no such luck.


posted at: 15:28 :: 0 comments


© 2005-2018 John R. Levine.