a word on our secure login
Now that we’ve rolled out our upgraded secure login process generally, there’s been some grumbling that I want to address. Your insightful comments have added to a pretty active and rigorous discussion regarding our security system here at TK, and I wanted to share the results of that discussion with all of you here. We chose to lead the field in security, which can be unpopular because your methods appear so much more fussy than the competition's. Why require extra steps, right, when few others do? At the same time, the last thing we want is to leave our clients vulnerable to attacks that other brokerages might not be protecting against – and we believe that’s a real possibility if you stay with the pack with your security solution versus pushing ahead of it. While TradeKing’s systems have never been breached by the type of security assault experienced at some other online brokerages, we want to keep it that way – and protecting you requires that we work together in implementing what we hope is the best security in our industry.
To some degree the fight against Internet hackers is an arms race, so we're committed to staying ahead of that curve versus behind it. I hope you'll agree, as most of our clients do, that a little hassle is worth that extra protection.
At the same time, we hear those of you who’ve spoken up about the new system’s inconveniences. Let’s walk through some of the beefs (beeves?) a few of you have surfaced recently and explain why we built the system as we did.
I use a vault program or password-storage system to login for me automatically, and I can’t do that anymore with the new login.
A few of you have registered this complaint, and I agree, it’s a little more inconvenient than before. We’ll do our best to factor this into our thinking for future iterations of the secure login, but for now we’re asking you to accept a little inconvenience for the sake of greatly enhanced security. After all, aren’t your brokerage assets worth a little extra trouble?
Will you ever let us opt-out of the new secure login process?
Part of me would love to say “yes” here, because it does seem a reasonable request. After much discussion internally, though, we’ve decided that the answer is “no”. Allowing even part of our clients to opt-out is the security equivalent of building a massive rock barricade with a moat complete with dragons and sharpshooters – and then opening up a back-door with a nice foot bridge to make it easy for attackers to enter that way. We’ve got to collaborate together on this if it’s going to work to protect all of us, so unfortunately, no loopholes.
The onscreen keyboard slows me down. I’m worried about others seeing me enter my password when I’m at work or at a public computer.
It’s true that over-the-shoulder snoopers can be a problem at public computers or at work, if you work at an open cubicle. Even if your password -- entered traditionally with your real keyboard -- appears as asterisks onscreen, a would-be hacker can watch your typing fingers or, more commonly still, install a keylogging program onto a PC to grab every keystroke you enter and get your password that way. Bottom line: definitely look over your shoulder before you start typing. That’ll at least cut your risks of low-tech snooping.
However, this is not the method that has typically been deployed to the financial detriment of online brokerage accounts. By far the most prevalent method of attack has been an organized effort involving automated keylogging programs, which our security system is designed to thwart head-on. Remember, too, that even if an over-the-shoulder snooper DID see your password as you key it in, unless they use that password to log-in to a computer that YOU have tagged as safe, they will encounter your unique security questions at log-in. That is one piece of this “multi-factor” security solution. If you are using a computer in a place where you fear someone will look over your shoulder and see your password, and then have access to the same computer later, simply DO NOT tag that computer as one you designate with us as safe and trusted and secure – because it isn’t.
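To make the "tag this computer as safe" decision concrete, here is an added sketch (not TradeKing's code, and not a description of their implementation) of how a server can recognise a tagged machine without trusting anything a browser could simply claim. The token format, 30-day lifetime, in-memory store and user names are all constructed for the example; the limit of three tagged machines is the one mentioned in the discussion.

```python
"""Trusted-device recognition for a two-step login (added illustration).

Flow modelled on the post: password first; if the browser presents a valid
"safe computer" tag, the security-question step is skipped, otherwise it is
required. The tag is a random device id plus an HMAC over
(user, device id, expiry) under a server-side key, so it cannot be forged or
reused for another account, and it is issued only when the user explicitly
asks to tag the machine. Everything below is constructed for the example.
"""
import base64
import hashlib
import hmac
import secrets
import time

SERVER_KEY = secrets.token_bytes(32)   # constructed; a managed secret in practice
TAG_LIFETIME = 30 * 24 * 3600          # 30 days (assumed policy)
MAX_TAGGED_DEVICES = 3                 # the three "safe" machines from the post

# server-side record of which device ids each user has tagged (constructed store)
tagged_devices: dict = {}


def _mac(user, device_id, expires):
    """HMAC binding the tag to this user, this device id and this expiry."""
    msg = f"{user}|{device_id}|{expires}".encode()
    return hmac.new(SERVER_KEY, msg, hashlib.sha256).hexdigest()


def issue_tag(user, now=None):
    """Called only when the user chooses to tag the current machine as safe."""
    now = int(now if now is not None else time.time())
    devices = tagged_devices.setdefault(user, set())
    if len(devices) >= MAX_TAGGED_DEVICES:
        raise ValueError("device limit reached; untag one first")
    device_id = secrets.token_urlsafe(16)   # random, not derived from IP or hardware
    devices.add(device_id)
    expires = now + TAG_LIFETIME
    return f"{user}|{device_id}|{expires}|{_mac(user, device_id, expires)}"


def tag_is_valid(user, tag, now=None):
    """True only if the tag is intact, belongs to this user, unexpired and still tagged."""
    now = int(now if now is not None else time.time())
    try:
        tag_user, device_id, expires, mac = tag.split("|")
        expires = int(expires)
    except (AttributeError, ValueError):
        return False
    if tag_user != user or expires <= now:
        return False
    # constant-time compare so a forged MAC cannot be guessed byte by byte
    if not hmac.compare_digest(mac, _mac(tag_user, device_id, expires)):
        return False
    # server-side revocation wins over anything the browser still holds
    return device_id in tagged_devices.get(user, set())


def untag_all(user):
    """Revoke every tag, e.g. after a shared machine was tagged by mistake."""
    tagged_devices.pop(user, None)


def login_step_two(user, password_ok, tag=None, now=None):
    """Decide what follows the password step.

    Returns 'denied', 'challenge' (security questions required) or 'granted'.
    """
    if not password_ok:
        return "denied"
    if tag is not None and tag_is_valid(user, tag, now):
        return "granted"
    return "challenge"
```

Because the device id is random and the MAC covers the user name, a tag copied from one browser to another account, altered, expired or revoked server-side always falls back to the security-question step.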
Is there any danger in showing my address or phone number as part of the security questions?
No. Even if a hacker or thief were to guess or already know your correct phone number or address on your TK brokerage account, as presented in the security questions, he or she would still need to enter your password correctly in the second step. That’s why this security method is referred to as “multi-factor authentication” – you’ve got to hack through more than one factor to get access to an account.
The onscreen keyboard protects us from malicious keylogging programs, but what about screenshot loggers? Do such malicious programs exist?
These programs do exist but are not nearly as prevalent as keylogging programs. Again, hacking and security are a competitive arms race, with each side racing to beat the other with a "state-of-the-art" solution. As soon as it becomes common practice for businesses to protect themselves generally against keylogging programs with login systems such as ours, the hackers will doubtless fight back with a new innovation to thwart that system. (And just like other crooks choosing between an unguarded house and one with a security system, our hope is to deflect potential threats by simply raising the security standard enough to make crime here at TK that much more difficult.)
To address the limited threat as it exists now, we'll soon be rolling out a Flash 9.0 version of the onscreen keyboard, which protects against this modest (so far) threat a bit better than the current JavaScript version.
In short, our multi-factor system and the onscreen keyboard are keeping our security a step ahead of the race – which is very good news for the security of your assets.
How are you accommodating visually impaired clients with this system?
A downside of this new system is that it doesn’t work as seamlessly with programs that “read” computer screens for the visually impaired. I’m visually impaired myself, so naturally I’m thinking about this issue all the time. If you are visually impaired, give our customer service a call – we’d like to factor in your needs in future versions and see what we can do to help you in the meantime.
I really appreciate hearing from you about the new system. While the vast majority of our clients have no problem with the new system, when we heard complaints from a few of you, we realized we may not have explained our thinking thoroughly enough. We know we’re asking you to inconvenience yourself slightly, but we think it’s for a much greater good in the long run. If we collaborate together, we can run those hackers out of town with the very best brokerage security in the business!
Be Good,
Don
Comments
UPod posted April 15, 2008 (04:27AM)
WallStreetKing posted April 15, 2008 (04:32AM)
RetireOnTime posted April 15, 2008 (07:20AM)
This is a dead horse that I seem to keep beating, but there are legitimate concerns being brought up about the limitations of this security system. I was always a proponent of the "opt-out" procedure that I see we will never be allowed.
How are we going to address logging in from mobile phones (something that is becoming much more commonplace), how can we log into tradeking from a machine that does not have flash 9 or can't run it? How are you dealing with portfolio and money management software?
The security of the system will always be weakest at the users. It doesn't matter if you've got the latest, greatest tech, people are going to keep passwords in purses and wallets, they're going to use the weakest passwords they can and they are going to avoid regularly changing them. These are problems that can't be addressed by adding a second factor (a constant, easily identifiable factor) or on-screen keyboard.
Since the 80's people have been losing money to "hackers" stealing their info over their shoulders, this is just as tried and true, just as viable as key logging. Screen snooping and recording is a very viable and real threat, despite the fact that no one has tied it to financial sector security compromises. It might be related to the fact that no financial institutions are putting the password on-screen in plain sight.
Snooping is the reason we mask passwords on-screen, it's the age-old way of getting people's info. Even in your onscreen keyboard the password is hidden, this should be a big red flag - we don't trust people to know who is watching their screens.
I like the idea of second factor authentication for non-trusted terminals, I also like the idea of regular password changes and complexity requirements. I support flagging unusual account activity and I am all for having TK call and verify said activity, just like my credit card company would. I agree that we all need to take measures to make things more secure, but I will continue to disagree with these methods.
I know I come off as adversarial, largely because I am quite opposed to this system. Not only do I think there are flaws with the new system and agree with many of the grumblings of the TK community, I also feel like trivializing customer convenience is miscalculated at best. People may start considering other platforms that are more convenient for them.
I think TK is the best platform out there and opened an account here thinking about many years to come, not just today or tomorrow. I wouldn't leave (or threaten to leave) over this, but I will register my strong objection.
UPod posted April 15, 2008 (07:41AM)
One thing I just thought of is that if you're going to do an ACH transfer or authorize a trade, you still have to enter your password manually, so the key logging threat isn't entirely eliminated.
I haven't followed this topic in the forums so I'm not aware if this has already been asked/mentioned/addressed.
Seed Man posted April 15, 2008 (11:13AM)
The castle analogy, used in Don's blog post, with a bridge past dragons and sharpshooters does not apply, here. Just because one account can be breached, regardless of method, does not mean that there is an increased likelihood that the same person can breach an unrelated account. I am sure TK has taken precautions against that possibility, right?
No one argues the value of increased personal security, we just don't like clumsy implementation -- especially when TK implements other aspects of the site so well. I guess that makes us become even more critical on this issue. Why not give customers the option of disabling the Flash keyboard and using a PIN number instead? Let us choose our own religion. You can control the default.
Personal note on RetireOnTime's post.... well written, well argued.
UPod posted April 15, 2008 (11:45AM)
Steve Gibson is one of this country's best experts on computer security. I did a search on his site regarding his thoughts on keyboard logging:
http://www.grc.com/sn/SN-116.txt
LEO: Go away. Bye bye. Matthew Paulson in Madison, San Diego - I'm sorry, Madison, South Dakota - wonders about the security of onscreen keyboards. We've talked about this before. I know that keyloggers are a major way for malicious individuals to steal account information from users. I was wondering, if a bank's website were to implement an onscreen keyboard, where the user clicks on the keys to enter their password, would that be more secure? I know that keyloggers can also measure mouse-click positions. So if the key layouts were randomized at each time, would this be a secure means of authentication that's immune to keyloggers? I think we - he's doing this actually as an undergraduate research project. I think we talked about this recently, didn't we?
STEVE: Yeah, we did because it was - in fact, it was in last week or two weeks ago's episode. Someone was asking about the notion of a keyboard jumping around the screen. And the sense was that, well, the reason I included this question was that I want to always reinforce this notion that security is not absolute. It's a relative thing. You can design systems which are absolutely secure as you can make them within the constraints. So, for example, having a keyboard that randomizes its key positions is going to be better than not randomizing its key positions, which is going to be better than not having an onscreen keyboard and using a physical keyboard, which is really not very good because it's really prone to keystroke logging.
So absolutely, the more you can do to confuse things and to slow down the bad guys, the better. You're going to have a lower chance of being compromised. But again, if your model is perfect information, that is, anybody logging in can see what you can see, then even an onscreen keyboard could be mapped and tracked. Which is why, for example, in last week's episode I talked about this Perfect Paper Password system where its key is, so to speak, it never reuses the same login twice. Which means the act of logging in obsoletes that login so that even somebody with perfect knowledge can't use that knowledge. So, I mean, that's substantially stronger than anything that uses a repetitive login and some sort of a puzzle. You might even consider that, like, moving the keys around the keyboard is sort of a puzzle. Lord knows it's going to confuse your users. Wait a minute, where did the "E" go? I saw it over here just a second ago.
LEO: It's going to drive them crazy. That's my only complaint is it's going to make them nuts.
STEVE: Right.
locogmac posted April 15, 2008 (04:58PM)
Just a few comments on the TradeKing security questions...
1. Does anyone else feel that asking the First or Last name is a bad question to ask? Especially if your account login ID includes one or the other, or both?
2. TradeKing uses randomized names/numbers for the non-correct choices, right? Sometimes the answers I see feel like they are answers inputted by other users. I don't think that's a good way to come up with other "wrong" answers.
3. One time one of the security questions asked a question, and out of the 5 answers available, 3 were blank, and the other two were both the exact same correct answer. I picked one of the correct answers out of the two and got in. What went wrong there? Has anyone else had that happen to them? I don't have that screenshot with me right now, but I could post it if it would help.
4. I'm glad that you guys decided to add that "clear" button, as well as the "symbols" button, on the on-screen keyboard. It was a hassle to do multiple backspaces and/or if we had symbols to hit shift every time.
bigdog posted April 16, 2008 (10:52AM)
RetireOnTime, I wanted to thank you specifically for your well-reasoned response - respectfully disagreeing as you do isn't adversarial in my book. Mobile login is indeed possible with the iPhone and iTouch and others of the new touchscreen phones coming out to chase Apple. We're aware that this login doesn't allow portfolio management software to store your password automatically, a minor pain-in-the-neck that most clients don't have a problem with. As for your point on Flash 9, we heard from clients like you in our pre-launch phase that Flash 9 might not work for all users, so that's been factored into the overall rollout plan. For those clients whose computers can handle it, we'll be implementing a Flash 9 version of the keyboard soon to address some slow loading we're seeing with some clients, plus provide better protection against "click mapping", or malicious software that tracks where you click on a screen. If for any reason your computer can't handle Flash 9, you'll get the current JavaScript keyboard.
I also want to be clear about why we're not offering an opt-out: we don't think a lesser standard of security, however convenient, is safe for ANY user. Banks were required to implement two-factor authentication last year and opting-out isn't a possibility due to a Federal Reserve mandate. It's not a question of the bad guys infiltrating our systems using the opt-out; it's about protecting all our clients with a level of security which we aim to make the best in the business. We think you deserve nothing less.
I think we have some misunderstandings still about over-the-shoulder snoopers; that threat is considerably minimized with the new secure login. Our FAQ addresses this exact concern here - https://www.tradeking.com/faqs/security#Iamafraidthatsomeonewillpeekovermyshoulderandstealmypassword -- but I'll summarize the answer again. If a snooper sees you enter your username and password, that person will be thwarted by a second hurdle, the security questions, when they attempt to login as you. The only way that stranger could beat the system is by logging in on a computer you've already tagged as one of your three "safe" machines - a pretty unlikely scenario, and one only you can guard against. "Multi-factor" security means these additional hurdles will cut the threat of snoopers considerably over traditional login methods.
I really liked Steve Gibson's point that security solutions live on a continuum, in which the two poles are perfect security (usually in the form of total randomization) and perfect user convenience. To get a little more perfection, you trade off convenience, and vice versa. It's best to design a solution in the midpoint of that continuum, somewhere with strong security that most, if not all, of your clients can deal with, convenience-wise. We've tried our best to strike that balance, and we'll continue to negotiate that balance in future deployments. All this discussion can only be constructive towards that end, which is great.
Don't want to forget Logomac's questions, too: we do use randomized responses to the security questions, not answers from other users - but we're glad you noticed that they all look like viable answers to a stranger. That's the point of that part of the design! If the security question asked you what your first car was, for example, and the choices were "Mustang", "orange", "banana", "sunshine", or "the White Album", well, that would be a pretty easy guess - the wrong answers are purposely designed to appear potentially correct to anyone but you. As for that technical hiccup you mentioned, if it ever happens again, definitely take that screenshot and email it to us at service@tradeking.com with as much detail about your machine as you can tell us. We'd really appreciate it if you do. And glad you found the "clear" and "symbols" keys helpful - like I said, this is all dynamic and hopefully improving with each iteration.
Thanks again, everyone, for your input - we really do appreciate the time and thought you put into this.
Be Good,
Don
RetireOnTime posted April 16, 2008 (06:00PM)
Don - Thanks for the reply. I am glad that the issues are being addressed as well as you guys can within your security model.
I would like to state for clarity, that I am all for the second factor, even though I believe that minor research can overcome it in most cases. I am opposed only to the on-screen keyboard as a requirement. I think that most folks access their accounts from work and thus, there are a lot of people worried about who can see their screens. The market is open only during the hours that I'm at work, so if I want to get in on any real-time trading, it would have to be at my workstation. This might bring up the question - is the onscreen keyboard actually more secure in every environment? More importantly, is it more secure in the most common environment?
I'd be interested to know how many users are accessing their accounts from the office, I can only speak for myself and the people I know personally, so I don't have a good data set to compare. My gut feeling, however, is that a large majority of us do.
Perhaps some sort of vendor API could be a future consideration to allow for third-party logins. I wouldn't be opposed to being able to use biometrics to log in to my account.
RetireOnTime posted April 16, 2008 (06:24PM)
locogmac posted April 17, 2008 (06:22PM)
Don, thanks for your responses, although you skipped or forgot to comment on my first question about the first and last names being used as security questions.
As far as the "technical hiccup," I believe it's happened only once on a work computer that runs Windows XP Professional. I really don't know what went wrong there as my other computers use Win XP Professional as well. Anyways, it hasn't happened again yet, so hopefully it was just a one time deal. I do have a screenshot of it, but I don't believe it would help. I noticed I had marked the answers in the screenshot already so I won't be posting it up here. :)
Anyways, I think it's really cool to get feedback and a "customer service"-like response from the "Big Dog" at TradeKing. Keep up with the good work!
jest posted April 18, 2008 (02:46AM)
I'm getting used to the system, so i'm more comfortable with it now. I also agree with most of what you've said, but the portfolio management software issue needs to be addressed; but I can live with the rest of changes and understand why they were made.
That being said, I still think that TK is by far the best broker I've used, and seeing a post like this from the CEO goes to show how hard the company works to do what's best. I feel confident that you guys will work this out eventually.
TheDuckWW posted April 18, 2008 (02:22PM)
heltzer posted April 21, 2008 (08:11AM)
While it takes a little longer to log in, I am supportive of these security changes. To keep with the analogy, you cannot build a castle wall infinitely high, so each one of these solutions is going to have weaknesses. The hope is that together, they are strong enough to deter attacks by making it easier to attack a different website, just like a moat, thick stone walls, portcullis and a bunch of archers in your castle make it more interesting for pirates to attack the wooden palisade in the next county.
I applaud Tradeking for taking this step. I am not surprised that there are some in the community that find it unpopular, and sometimes I find it a little irritating. I have confidence the Tradeking team will take all of the critiques seriously (they seem to respond quickly on these blogs) and make appropriate modifications in the future. I also recognize, like I think most in the community will, that these measures are ultimately for our collective benefit.
Plus, it was fun answering some of the security questions.
Question Everything posted April 21, 2008 (08:52AM)
While I like the extra security your website provides, there is a problem with your pre-defined security questions. Your purpose in having these additional security answers is to help authenticate a customer. I do understand how this could increase your security but the existing way you have structured the security questions is flawed. It could easily result in people not being able to remember the answers to their questions. What do you do when someone can't remember their answers but they are actually the account holder?
So what's the problem? You have arbitrarily created a limited series of questions under the false assumption that everyone would be able to answer 3 of those questions. For both my wife and I, that is not the case. There is a bias built into the questions based on who created those questions. The question creators thought these would be ones everyone could answer. They were wrong.
For example, my wife never went to college, didn't have any pets, can't remember who she went to the prom with, etc. The only question she can answer from your list that she could remember if asked would be her favorite band. So for both my wife and I, we had to fake the answers on 2 of the 3 questions and write them down somewhere so we can refer to them when asked. If we were on the phone and away from our computers, it is unlikely we would remember the answers to these questions.
You have created a flawed security device because you are forcing people to answer questions they may not know or be able to remember the answers to. Just because the creators of these questions could easily find three questions they could remember the answers to doesn't mean that other people could do the same. This is the false assumption of your current approach.
Here is my recommendation. The best way to handle this is to allow each user to create their own security questions. Then they will be creating questions they know they can remember the answer to. This is a fairly easy thing to do programming wise. There is no requirement that everyone has to answer the same security questions. The requirement is that they can remember the answers. This actually increases security beyond your present level because the questions would be unique to each user, not just the answers.
On a related note, your tag system is also flawed because it relies on cookies. Your system knows the IP address of the computer we are using and that resides in your system not ours. So why not just match the computer IP on record to the one that is being used and if they match then there is no need for the security questions. Why is this a problem for us and many computer users? To properly run a computer without it bogging down, you need to continually clean out your temporary internet files. When that gets too long, all kinds of bad things happen. But because we are following proper computer management methods, your system doesn't find a cookie and forces us to answer the fake security questions again. Your security system should not be relying on cookies.
Hope this helps,
Don
RetireOnTime posted April 22, 2008 (06:23AM)
I've also had issues with security questions at many sites, although I think the ones here are much easier to work with than others (like my bank). Some folks don't keep one band as their "favorite" nor do they have such a strong preference in food, or whatever else. I like that TK has many questions that aren't dependent on how you feel at the time you setup your account.
bigdog posted April 22, 2008 (09:10AM)
Sorry I missed part of your comment, locogmac. Let me quote directly from the TradeKing Online Security section of our website (accessible from the home page or via this link), found under Online Security>What you can do>Protect your User name and password:
https://www.tradeking.com/PrivateView/main/Other/onlineSecurity.tmpl
“Always use a password that is difficult for others to guess. Do not use obvious data, such as your name, initials, Social Security number, phone number, license plates, address, birthdays, names of friends, families, or pets, the word "password", company names, words in the dictionary, sequences of numbers, or keyboard characters. Use special characters and a mix of letters and numbers. A good way to create a secure password that is easy to remember but hard to guess is to use the first letter of a memorable phrase and insert or substitute some special characters.
Change your password frequently.
Do not use the same user ID/password combination for your TradeKing account that you use for other online accounts.
TradeKing offers two levels of security by letting clients set up two passwords: one to access account information, one to enter orders and execute other sensitive transactions. By setting up two different passwords, and not entering your "Trading Password" when you log in, you greatly reduce the risk of unauthorized access to your account. Keep your account information secure and confidential. Never share your UserName or Password.
Never share your username and password with anyone. Avoid writing that information down or storing it anywhere but in your head. If you distribute your password to third-parties, you assume responsibility for their actions.”
There are many other helpful tips in that section of our site, too, so I invite you all to pay a visit there if you haven’t already.
Great late-breaking comments on the security questions, too, Question Everything (aka Don - nice name!).
The idea of typing your own security questions was considered, but in reality makes the process no more secure, in that if you type your own question a key-logger can grab that question and know it once you type it that first time, as well as the typed answer to it. It’s an important part of the multi-factor security system that you select that first question from a drop-down by clicking, not typing.
My personal approach to this issue of “question relevance” is to simply think more creatively about the questions presented to click and choose from, and the answers one can provide. For instance, one may choose to define the word “Coach” more broadly, permitting oneself a non-sports context for this term, and therefore an unpredictable answer which maybe only you could possibly know. Similarly, maybe your favorite “show” to watch when you were a kid was “the sunset”, or “traffic”, or “the waves of the ocean”.
Enough said there, I think.
Anyhow, just wanted to thank you again for the great, frank feedback and useful back-and-forth. It's definitely invaluable to us!
Be Good,
Don
PaxTex posted April 23, 2008 (11:47AM)
apalmer posted January 24, 2009 (07:20PM)
apalmer posted January 24, 2009 (07:34PM)
bigdog posted January 27, 2009 (12:05PM)
Thanks for the vote of confidence, apalmer! It was more than a little shocking to me, too, when I learned how easily keylogging software can infiltrate your computer, so I’m also glad we’re fending thieves off in this way.
I’ll pass your ideas for thwarting the over-the-shoulder snoopers to our development team, too, although this may be a case when simple extra care prevails over higher-tech. Still, we’re constantly refining this system, so any and all ideas are welcome. Thanks for sharing!
Pug Tsurani posted May 20, 2011 (09:01AM)
In my opinion, KeePass' two-channel auto-type obfuscation is more secure than using an on screen mouse-only keyboard. If TradeKing wants to provide their technologically savvy customers with better security, disable pasting, timeout the password entry after 1 second (or less) and require a 40+ character password with upper and lower case letters, numbers, and special characters.
When TradeKing finally fixes this security flaw and forces me to use their pain-in-the-ass on screen keyboard, I'll move my account somewhere else. I don't trust a company that talks security without knowing what it means.
bluexnine posted June 09, 2011 (03:07AM)