Monday, December 17, 2007

Prosper Replies On Prospers.org Scrubbing

I did get an reply from inside Prosper regarding the prospers.org scrubbing. One of Prosper's big concerns with the .org relates to security. Until I read this, I did not truly appreciate how fanatical they were about personal and security. In retrospect, I should not have been surprised based on my dealings with other financial institutions, but I had not considered this level of detail before. This portion of the e-mail chain is reproduced verbatim with permission:

Prospers.org is a critical security risk to all members.

Prospers.org actively encourages users to map their Prosper screen name to their email. This in itself is a serious security breach.

Prospers.org then requires a password. Given human nature, it is likely that some unsuspecting users would use the same password on Prospers.org as they do on Prosper. This in effect gives whoever runs Prospers.org a growing database of logins in which they could access Prosper members' bank account information, transfer money, place bids, etc.

As if this weren't serious enough, Prospers.org's login is not encrypted. This means every time anyone (including those with admin access) login to Prospers.org their username and password is passed over the internet in clear text allowing any hacker with a packet sniffer to acquire this information.

Based on this, it is highly advised that every member who has ever registered with Prospers.org change their password immediately.

If you think they're too paranoid, please tell me that you're not running IT for my bank.

Update: In addition to posting a lengthy rebuttal to prospers.org's danger to security, Ferrix, the prospers.org maintainer, has confirmed the security state of their forums

In addition to my other comments rebutting PMI's analysis of .org site security, is this nugget (thanks Mark12547)

Our forum software's login form hashes the password on the client browser before sending it to the server. This means that there is no sniffing vulnerability, even without SSL login.

By the way, as of yesterday night we have SSL protection for the login data anyway, too.

2 comments:

Anonymous said...

My personal opinion on this is that Prosper got caught with it's pants down (a lot of outbound transfers?) due to threatening a ban on users of prospers.org and now is in CYA mode. These appear to be excuses for the most part.

If Prosper really thought there were security problems, they could have contacted ferrix, the owner of prospers.org and warned him. As it is, they used a sledge-hammer to try to swat a fly and now have broken the china.

Anonymous said...

exactly, zcommodore. Or, Prosper could have embraced prospers.org and added advice to its users that "if you participate in any of the wonderful community-founded support sites, make sure your password there is different from your Prosper login."

It's really uber-protectionist to make a site invisible over speculation about what passwords people choose. That reasoning doesn't fly.