Testing is Rocket Science Not Brain Surgery

Almost all of the World's Greatest Accomplishments Were The Result of Great Planning!


A Savvy Security Tester Might Find This, Unfortunately the Test Team At A Major Brokerage Didn’t by Howard Clark

December 19th, 2007 · No Comments · Uncategorized

So I wake up early, because my body is in between two time zones right now, to do a little morning trading before the market opens. To my chagrin, my account is locked out at my broker. Could I have been compromised using the hotel’s less than secure Internet? I also left my wireless adaptor on all night by mistake, so now I’m a little worried. I try to log in a few more times but, no luck! I scramble looking for the “Contact Us” page at my broker’s website, jump in the car and place a call.

After providing answers to some pretty good security questions, the customer service rep resets my password; all systems go! Once I arrive in the office I try to log in: game over, just that quick! WTF is going on here? Because, just as the casino would have it, the market is moving against my positions and time is precious. So I hit redial hard enough to permanently leave the button depressed. Fuming, I walk through the security questions again, and as the conversation unfolds I hear, “Hmmpf, never seen this before!” What would “this” be, I ask. “Your account just locked itself out again!”

Now this is where you can start formulating ideas. The initial attempt is locked; the user then has the password reset by security; shortly after, the account is locked again. As quickly as the account can be unlocked and the password reset, the account is locked again. Given the speed of what was going on, and doing what I do, I knew it was software at play. Apparently someone was running a password dictionary against my account, but then again SSL prevents that. Had I inadvertently gone to a bogus site and entered my login information? Then the thief would have my credentials and I wouldn’t be locked out.

Aaaargh, customer support is talking to tech support, and I’m on hold for minute number nine. Then an epiphany, which unfortunately meant I was the one to blame. A thick client application I use to trade uses my credentials, and since it pulls information in real time it constantly pings my broker. In addition, it has that infamous “Save my login info” checkbox, a feature that should be done away with on every secure site in the world: don’t save my username, and definitely do not save my username and password info! Consumers have to learn how to remember passwords, period! I like the cool key fobs RSA (now part of EMC) produces, which generate a key; this in conjunction with some security questions should do the trick. It adds a little time to the login, but so be it. In any case, it turns out that a comedy of errors of sorts caused my problem.

I had attempted to change my password before leaving home; it didn’t work. Not particularly bothered by that, I logged into my thick client software and handled business. Since I’ve got 3 desktops, 3 laptops, and 3 servers doing various things all the time, I tend to leave my PCs on. While I try to be green and use suspend mode, something woke my PC up and that application fired up in my absence. But in the interim I had changed my password, so the credentials saved in the thick client software no longer matched. This resulted in a real-time application pinging my broker with bad login credentials multiple times per minute. While this might be handled by the website and result in locking the account out, this exception isn’t conveyed to the thick client software. So in effect I was waging a DoS attack against my brokerage, against myself.

The lesson here, aside from being more careful about what you leave running unattended, is how testing concurrency, functionality, and security blend together. So be mindful of cross-disciplinary opportunities in your testing. The tech support folks I spoke with had never encountered this scenario. Maybe the security tests (login retry rules, encryption, SSL, etc.) passed, along with some functional test cases (what happens after 3 failed attempts, does changing the password to a new password work as expected), and possibly the performance angle (what happens when concurrent attempts to change the password are launched) was performed. But a combination of all the above with a mix of applications (not a stretch, as this thick client software is provided by the same broker) would have mitigated this.
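As an added example (my own code, not the author's and not the broker's real system), here is a small Python model of the failure mode described above: a site that locks an account after a fixed number of bad logins, a support reset, and a thick client that keeps replaying a saved, stale password. The lockout threshold of 3, the function names and the response strings are assumptions; the model also shows the client-side fix (stop using a saved credential once it is rejected) and a triage check that separates this self-inflicted loop from a real dictionary attack.

```python
import hashlib
from dataclasses import dataclass, field

LOCK_AFTER = 3  # assumed lockout threshold; the broker's real rule is not stated

def digest(password):  # the model stores hashes, never plaintext passwords
    return hashlib.sha256(password.encode()).hexdigest()

@dataclass
class Account:
    pw_hash: str
    locked: bool = False
    failed_digests: list = field(default_factory=list)  # wrong guesses since last success

def login(acct, password):
    """Server-side rule from the post: lock after N failures; 'ok', 'bad_password' or 'locked'."""
    if acct.locked:
        return "locked"
    if digest(password) == acct.pw_hash:
        acct.failed_digests.clear()
        return "ok"
    acct.failed_digests.append(digest(password))
    if len(acct.failed_digests) >= LOCK_AFTER:
        acct.locked = True
        return "locked"
    return "bad_password"

def support_reset(acct, new_password):  # the rep's reset: new hash, unlocked, counter cleared
    acct.pw_hash, acct.locked, acct.failed_digests = digest(new_password), False, []

def naive_client(acct, saved_password, ticks):  # ignores responses, keeps pinging (the post's bug)
    return [login(acct, saved_password) for _ in range(ticks)]

def fixed_client(acct, saved_password, ticks):
    """Stops using the saved credential the moment it is rejected."""
    results = []
    while len(results) < ticks and (not results or results[-1] == "ok"):
        results.append(login(acct, saved_password))
    return results

def looks_like_stale_credential(acct):
    """Triage hint: a dictionary attack tries many passwords; a stale saved one repeats."""
    return len(acct.failed_digests) >= LOCK_AFTER and len(set(acct.failed_digests)) == 1

def scenario(client):
    acct = Account(pw_hash=digest("new-pass"))  # password changed before the trip
    first = client(acct, "old-pass", 5)          # stale credential fires in the user's absence
    support_reset(acct, "reset-pass")
    second = client(acct, "old-pass", 5)         # the same client is still running
    return first, second, acct
```

Running `scenario(naive_client)` re-locks the account right after the reset, exactly as in the post, while `scenario(fixed_client)` fails once and stops; the repeated identical wrong hash is what a support or SOC analyst could use to tell this loop apart from a guessing attack.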
