Paul Moore

Security consultant, researcher & CISO at Icebook.
CashPlus: "It is secure" - Ooooh no it isn't.


As part of a wider research project, I joined CashPlus in June (18th to be precise), which is purportedly...

better than a business bank account
So I paid the £29.99 annual membership fee and waited for the card to arrive.

Less than a week later, the card arrived and I headed over to MyCashPlus.co.uk to register & activate the card.  For those of you that don't follow me... I use AgileBits' 1Password to generate and manage my passwords.  If you're still trying to think up and remember passwords, I strongly suggest you invest in 1Password.

Anyway... by default, it creates a random 50 character long password, packed full of numbers, upper & lower case letters and special characters.  For example, here's one it's just generated...

)F/+3=2)9}338H]}#?=8P4{j,23K<48d9A78P.7<7;o8.7,7*b

To my amazement, CashPlus wouldn't accept this password - and promptly gave this error.


Not a good start!

If CashPlus stored passwords safely, there's absolutely no reason to artificially restrict what characters can be used, or the quantity.  Which means they're either encrypting them (which isn't secure, as it can be decrypted) or worse, storing them in plain text.

I questioned CashPlus via Twitter...


As you can see, there was no response to my first tweet on 22nd June... so I asked again on 5th July.  Here's the response...


So they're supposedly "secure" but not willing to prove it.  Remember Kerckhoffs' principle?

A cryptosystem should be secure even if everything about the system, except the key, is public knowledge.
So there's no reason why they can't discuss how it's stored... unless of course, it isn't secure at all.
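To make that concrete, here is an added example (my own illustration, not CashPlus's or 1Password's code) of password storage that imposes no character or length restriction and that satisfies Kerckhoffs' principle: the algorithm, iteration count and salt sit in the open beside the digest, and the only secret is the password itself.  It uses Python's standard-library PBKDF2; the iteration count and the `algorithm$iterations$salt$digest` record format are my assumptions.

```python
"""Password storage with no character or length limits (added example, not CashPlus code).

A salted, iterated hash via hashlib.pbkdf2_hmac.  Everything about the scheme
is stored next to the digest; publishing it costs nothing, because recovering
the password still requires guessing it.  That is Kerckhoffs' principle applied
to password storage.
"""
import hashlib
import hmac
import os
from typing import Optional

ALGORITHM = "pbkdf2_sha256"
ITERATIONS = 600_000  # assumption: tune to your hardware; it slows the attacker by the same factor


def hash_password(password: str, salt: Optional[bytes] = None, iterations: int = ITERATIONS) -> str:
    """Return a self-describing record: algorithm$iterations$salt$digest (salt and digest in hex)."""
    if salt is None:
        salt = os.urandom(16)
    # UTF-8 encoding accepts any character a user can type, and PBKDF2 takes
    # input of arbitrary length, so neither a character nor a length cap is needed.
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return f"{ALGORITHM}${iterations}${salt.hex()}${digest.hex()}"


def verify_password(password: str, record: str) -> bool:
    """Recompute the digest from the public parameters stored in the record."""
    try:
        algorithm, iterations, salt_hex, digest_hex = record.split("$")
        salt = bytes.fromhex(salt_hex)
        expected = bytes.fromhex(digest_hex)
        rounds = int(iterations)
    except ValueError:
        return False  # malformed record
    if algorithm != ALGORITHM:
        return False
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, rounds)
    # Constant-time comparison so timing does not leak how many bytes matched.
    return hmac.compare_digest(candidate, expected)


# The 50-character 1Password-generated password quoted in the post.
SAMPLE_PASSWORD = ")F/+3=2)9}338H]}#?=8P4{j,23K<48d9A78P.7<7;o8.7,7*b"

if __name__ == "__main__":
    record = hash_password(SAMPLE_PASSWORD)
    print(record)  # algorithm, iterations and salt are visible; the password is not recoverable from it
    print(verify_password(SAMPLE_PASSWORD, record))
    print(verify_password(SAMPLE_PASSWORD[:-1] + "c", record))
```

Note that a fresh salt per record means two users with the same password get different digests, and that the record carries its own parameters, so the iteration count can be raised later and old records re-hashed on next login without any change to the storage format.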

By this point, I'm quite concerned.  Let's run a Qualys SSL test...


Support for 40-bit encryption, IIS 6 and not even PCI compliant. Damn!

This can't be right, surely?  Let's have a read of their privacy & security policies...


CashPlus need to sack their "security experts"!  40/56-bit encryption is not secure; it's not even close.

I hope the cookies are safe!


Remarkably tick-free, isn't it.  This just gets worse...

By this time, I've no confidence in CashPlus' ability to keep my data safe, so I try to remove my details from the profile.


... but all the fields are disabled, so you can't alter them or submit the form!

Your account was opened on 18/06/2013.  Accounts that have been opened for less than 30 days must contact the call centre to make any changes to the contact data.
So what happens if we remove "disabled" from the element using Chrome debugger?


There we go! :)
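The lesson for anyone building this sort of form is that a `disabled` attribute is a hint to the browser, not a control: the rule has to be enforced on the server from data the server holds.  The following is an added example (my own, not CashPlus code) of what that enforcement looks like; the field names, account record and dates are constructed to mirror the post.

```python
"""Server-side enforcement of the 30-day contact-data rule (added example, not CashPlus code).

The server decides from its own record of the account opening date, so it does
not matter whether the client removed 'disabled' from the form.  Fields the user
may not change are dropped from the request rather than trusted.
"""
from datetime import date, timedelta

LOCK_PERIOD = timedelta(days=30)
EDITABLE_FIELDS = {"address", "phone", "email"}  # assumption: the fields that count as contact data


class ProfileUpdateError(Exception):
    """Raised when a change is refused; the handler turns this into an error response."""


def apply_profile_update(account: dict, submitted: dict, today: date) -> dict:
    """Return a copy of `account` with the permitted changes applied, enforcing the 30-day rule.

    `account["opened"]` is the date the server recorded when the account was
    created; nothing in the request can influence it.
    """
    # Keep only recognised editable fields.  A tampered form that adds
    # 'opened' or 'balance' to the POST body is silently ignored.
    changes = {k: v for k, v in submitted.items() if k in EDITABLE_FIELDS}
    if not changes:
        return dict(account)
    age = today - account["opened"]
    if age < LOCK_PERIOD:
        raise ProfileUpdateError(
            f"account opened {account['opened'].isoformat()} is {age.days} days old; "
            f"changes in the first {LOCK_PERIOD.days} days must go through the call centre"
        )
    updated = dict(account)
    updated.update(changes)
    return updated


def handle_profile_request(account: dict, form: dict, today: date) -> dict:
    """What an HTTP handler would return: the updated account, or a 403-style refusal."""
    try:
        return {"status": 200, "account": apply_profile_update(account, form, today)}
    except ProfileUpdateError as exc:
        return {"status": 403, "error": str(exc)}


# Constructed record mirroring the post: opened 18/06/2013, edit attempted 09/07/2013.
ACCOUNT = {"opened": date(2013, 6, 18), "email": "old@example.invalid", "balance": 29.99}
TAMPERED_FORM = {"email": "new@example.invalid", "balance": 0}

if __name__ == "__main__":
    print(handle_profile_request(ACCOUNT, TAMPERED_FORM, date(2013, 7, 9)))   # 21 days old: refused
    print(handle_profile_request(ACCOUNT, TAMPERED_FORM, date(2013, 7, 18)))  # 30 days old: email changes, balance does not
```

The same shape applies to any rule a site expresses by greying out a control: the browser state is a convenience for the user, and the server has to re-derive the decision from its own data on every request.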

I called CashPlus to cancel my account on July 9th 2013 - to be told it would be closed immediately and the £29.99 refunded by the end of the day - followed up with a tweet explaining why.


The refund didn't happen.  I called again to be told...

it actually takes 30 days once head office get round to opening the ticket.  We process thousands of cancellations each month.
I can see why.  The refund finally hit the account on the 15th July 2013, but my account and details are still accessible online!  I'll give them until the 9th of August and if it still isn't removed, I'll take it further.

This isn't a replacement for a business bank account - it's an absolute joke.  If you've any sense whatsoever, you'll avoid CashPlus like the plague.

As David said, if you're concerned at the way your details are handled, vote with your wallet and go elsewhere.

That's all folks.  Remember to tweet, +1 or Like if you found this useful.
