JoanW
Kiva Supporter
Portland, Oregon
Posts: 309
One loan at a time...
« on: October 11, 2009, 09:25:45 AM »
Something came up in another thread, but instead of sidetracking that discussion I wanted to pull it out to its own topic. This statement....

Quote: BTW - just recently, someone posted 100,000 stolen hotmail passwords online. The most common one was 123456. Anyone can write a script to try to login to your Kiva account using simple passwords. They can then wait for the 15th, make a withdrawal request of all the money in your account.

Prompted this one -

Quote: Yes, I can confirm this. I have several Kiva accounts for which only one Paypal address is used, and I have withdrawn money from my family's account before, which is registered with a different email address than my Paypal account. I have never had Kiva ask me to confirm that the accounts are connected.

I think this should be of IMMEDIATE concern to anyone with a Kiva account. I have yet to withdraw money myself and was amazed that this is how the system works. I would call on Kiva to make a change so it will ONLY send money to the Paypal address already listed in the records. Hacking one account is pretty easy these days...if they can hack Hotmail, they can hack Kiva. To be able to send the money to any Paypal account with no verification is just not acceptable in today's world.

My specific solutions?
1) Make withdrawals only to the previously connected Paypal account
2) Send a verification email to the address of record.
2a) Force a verification when changing email addresses, to prevent someone from hacking the account, changing the email, then withdrawing money.

I don't have a lot of money in my Kiva account...but I still don't like it being put unnecessarily at risk.
"Do not wait for leaders; do it alone, person to person." ~ Mother Teresa
tomviolence
Kiva Supporter
Movin' to Florida
Posts: 336
A mile and a half on a bus takes a long time
« Reply #1 on: October 11, 2009, 09:46:45 AM »
People should probably first make sure their Kiva password (as well as other passwords) is not a simple dictionary word, and has a character or number in it. For instance, instead of using your dog's name by itself, add a date - like spot0407 or 04spot07, etc. Easy to remember, but more difficult to hack.
"Famines will be famines, banquets will be banquets Some spend winter in a palace, some spend it in blankets Dont wag your fingers at them and turn to walk away Dont shoot someone tomorrow that you can shoot today Time to end the praying Listen what they're saying"
The Housemartins - "Get up off your knees" - from "London 0 Hull 4"
JoanW
Kiva Supporter
Portland, Oregon
Posts: 309
One loan at a time...
« Reply #2 on: October 11, 2009, 09:59:40 AM »
I agree - there are any number of simple ways to make a password harder to guess. Two totally unrelated words stuck together (ex: spotchant), substituting numbers for certain letters (ex: le22ers), or using just the initials from a favorite phrase (ex: ujtifap)...there are lots of ways to be safer.
However, I assume that if I am doing my part, Kiva (or any other website regarding my money/identity) should be doing their part as well.
"Do not wait for leaders; do it alone, person to person." ~ Mother Teresa
Alaska Pack
« Reply #3 on: October 11, 2009, 11:04:21 AM »
Here is a program on NPR that talks about how to make your password safer. They mention the common password 123456. http://www.npr.org/templates/player/mediaPlayer.html?action=1&t=1&islist=false&id=113619478&m=113623911
The other program on my play list talks about sites where, for as little as $100, a company will hack the password of a computer account. It makes one feel vulnerable. My mother-in-law recently had the password to her Yahoo account stolen. Everyone on her e-mail list then received e-mails saying she was stuck in Nigeria and to send money. We then added 5 more figures to the password to our account. Any other tips out there? Ian!?!
Bernice
tomviolence
Kiva Supporter
Movin' to Florida
Posts: 336
A mile and a half on a bus takes a long time
« Reply #4 on: October 11, 2009, 11:31:13 AM »
There are two basic methods for getting a person's password: one is brute-force guessing, and the other is social engineering.
Your ATM card uses 4 digits, so there are 10,000 possible combinations (0000 through 9999). Given enough time and a bank that does not limit password attempts, anyone can break it, especially if you use simple sequences (1234).
The other method, social engineering, is easier. You ask someone for their password, and they give it to you. You send an email (pretending to be from a bank, PayPal, the IRS, etc.) confirming a change, with a link to log on to a site to re-verify details. Or you ask people to download a program (Free speed up your computer !! - or You need Anti-virus, click here !!) and get their permission to make changes to their computer, which can then capture key strokes, email back account information, etc.
There is a trade-off between convenience and security, though inconvenient things are not necessarily secure, and convenient things are not necessarily insecure.
To log in and read the NY Times online should not require two people with separate keys in different parts of the country turning them and entering a 126-character-long password simultaneously. But your bank might want a password that is 6 characters long, includes a special character or number, and a third piece of info as well. Each level helps prevent brute-force attacks. Limiting tries, logging IPs, and other things help create safe access.
Social engineering will continue and increase as the simple methods fall away.
Websites can do things to improve their security: have a password checker to recommend increasing the strength of your password; require something like an address or other piece of information, not in your profile but in your registration, to check against when withdrawing money; email alerts to the primary email address to notify you of a change; etc.
"Famines will be famines, banquets will be banquets Some spend winter in a palace, some spend it in blankets Dont wag your fingers at them and turn to walk away Dont shoot someone tomorrow that you can shoot today Time to end the praying Listen what they're saying"
The Housemartins - "Get up off your knees" - from "London 0 Hull 4"
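The attempt limiting, IP logging and password checker described in the reply above, as an added Python example that is not code from Kiva or from anyone in this thread. The thresholds, the account name, the sample password list and the hashing shortcut are assumptions made for the illustration:

```python
"""Added illustration, not Kiva's or any site's code: a login guard with
attempt limiting and per-IP logging, plus a password-strength check.
All thresholds, names and sample data here are assumptions."""
from __future__ import annotations

import hashlib
import hmac
import re
import secrets
from collections import defaultdict
from dataclasses import dataclass, field

MAX_ATTEMPTS = 5            # assumed: consecutive failures before an account is locked
LOCKOUT_SECONDS = 15 * 60   # assumed: length of the lock

# Constructed sample of very common passwords; the thread mentions "123456".
COMMON_PASSWORDS = {"123456", "password", "12345678", "qwerty", "abc123", "letmein"}


def password_strength_warnings(pw: str) -> list[str]:
    """Return the reasons a password is weak; an empty list means it passes these checks."""
    warnings = []
    if len(pw) < 8:
        warnings.append("shorter than 8 characters")
    if pw.lower() in COMMON_PASSWORDS:
        warnings.append("appears in a list of very common passwords")
    if pw.isalpha():
        warnings.append("letters only; add a digit or symbol")
    if re.fullmatch(r"\d+", pw):
        warnings.append("digits only")
    return warnings


def _hash(salt: str, pw: str) -> str:
    # For the example only: a real site would use a slow password hash (bcrypt, scrypt or Argon2).
    return hashlib.sha256((salt + pw).encode()).hexdigest()


@dataclass
class LoginGuard:
    credentials: dict[str, tuple[str, str]] = field(default_factory=dict)  # user -> (salt, hash)
    failures: dict[str, int] = field(default_factory=lambda: defaultdict(int))
    ip_failures: dict[str, int] = field(default_factory=lambda: defaultdict(int))
    locked_until: dict[str, float] = field(default_factory=dict)
    log: list[str] = field(default_factory=list)

    def register(self, user: str, pw: str) -> None:
        salt = secrets.token_hex(8)
        self.credentials[user] = (salt, _hash(salt, pw))

    def _verify(self, user: str, pw: str) -> bool:
        salt, digest = self.credentials.get(user, ("", ""))
        # Constant-time compare; an unknown user simply fails the compare.
        return hmac.compare_digest(_hash(salt, pw), digest)

    def _log(self, now: float, user: str, ip: str, result: str) -> None:
        self.log.append(f"t={now:.0f} user={user} ip={ip} result={result}")

    def attempt(self, user: str, pw: str, ip: str, now: float) -> str:
        """Return 'ok', 'bad_password' or 'locked'. Every attempt is logged with its source IP."""
        if self.locked_until.get(user, 0.0) > now:
            self._log(now, user, ip, "locked")
            return "locked"
        if self._verify(user, pw):
            self.failures[user] = 0
            self._log(now, user, ip, "ok")
            return "ok"
        self.failures[user] += 1
        self.ip_failures[ip] += 1
        if self.failures[user] >= MAX_ATTEMPTS:
            # Lock the account; even the correct password is refused until the lock expires.
            self.locked_until[user] = now + LOCKOUT_SECONDS
            self.failures[user] = 0
            self._log(now, user, ip, "bad_password lockout")
        else:
            self._log(now, user, ip, "bad_password")
        return "bad_password"


def make_demo_guard() -> LoginGuard:
    """Constructed sample: one account using the 'dog's name plus date' pattern from the reply."""
    guard = LoginGuard()
    guard.register("joan", "spot0407")
    return guard
```

The `ip_failures` counter is what the "logging IPs" suggestion buys a site: one address failing against many accounts stands out even when no single account reaches its lockout threshold.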
waywardcats
Kiva Supporter
SF Bay Area
Posts: 1950
Xania, Crete
« Reply #5 on: October 11, 2009, 12:17:25 PM »
Quote from: JoanW
2) Send verification email to the address of record.

Hi Joan, I don't know about your other listed items, but I can confirm that Kiva does send a withdrawal email to the email of record on the Kiva account and NOT to the Paypal email. I just tested this to confirm that my memory was correct. This email went to the address on record at Kiva, and not to the Paypal email address.

Quote:
Dear ....,
This email confirms your withdrawal request of $5.00. You can expect the funds to be deposited into your paypal account within 1-3 weeks.
We hope your experience lending money to poor entrepreneurs has been a positive one. If you have any questions, you can find our Frequently Asked questions and our contact info at the Kiva Help Center: http://www.kiva.org/about/help?_te=wr
Best Wishes,
Kiva Staff
To view your Kiva loan portfolio go to: https://www.kiva.org/app.php?page=account

Of course, it does not require any action from the receiver, and so if the email is lightly monitored it might take a while for someone to realize that their account has been hacked and to notify Kiva of a malicious withdrawal.
-Kerry-
Edited to clean up grammar and for clarity
« Last Edit: October 11, 2009, 12:38:59 PM by waywardcats »
"Our daughters can contribute just as much to society as our sons, and our common prosperity will be advanced by allowing all humanity - men and women - to reach their full potential. I do not believe that women must make the same choices as men in order to be equal, and I respect those women who choose to live their lives in traditional roles. But it should be their choice. That is why the United States will partner with any Muslim-majority country to support expanded literacy for girls, and to help young women pursue employment through micro-financing that helps people live their dreams." - President Barack Obama, June 4, 2009
RichardF
« Reply #6 on: October 11, 2009, 12:24:57 PM »
Dear Kiva, Have you seen my horse lately? 
JoanW
Kiva Supporter
Portland, Oregon
Posts: 309
One loan at a time...
« Reply #7 on: October 11, 2009, 01:30:06 PM »
Quote from: waywardcats
I don't know about your other listed items, but I can confirm that Kiva does send a withdrawal email to the email of record on the Kiva account and NOT to the Paypal email. I just tested this to confirm that my memory was correct. This email went to the address on record at Kiva, and not to the Paypal email address.
Of course, it does not require any action from the receiver and so if the email is lightly monitored it might take a while for someone to realize that their account has been hacked and to notify Kiva of a malicious withdrawal.

Kerry, thanks for sharing your experience. It is good to hear from those who have direct experience....that is how all of us learn. The email you shared with us is sent after the fact, though. What I meant was a letter that is sent between when you ask for money and when they send the transaction to Paypal - where you have to respond to the email (generally 1-click) to say "yes, I really did want to do this".

I think there are two issues -
- Lenders - knowing how to have secure passwords & keep them secure
- Kiva - having procedures that make it easier to steal my money if someone does hack.
Both are important and it takes both of them to have a safe place for my money.
"Do not wait for leaders; do it alone, person to person." ~ Mother Teresa
Patricia SF
« Reply #8 on: October 11, 2009, 02:27:47 PM »
Good day all,
A long, long time ago while I was searching for information regarding PayPal, I stumbled into this information. It's from the "Withdrawing Kiva credit back to PayPal" thread dated August 2007. http://www.kivafriends.org/index.php/topic,914.10.html:

Quote:
Something else I found interesting was the page that asked for the PayPal e-mail address. Does any PayPal e-mail address really mean any e-mail address? So if I wanted to withdraw and send it to someone else, would entering their e-mail address instead of mine send my converted Kiva credit to their PayPal account? Or does Kiva compare the e-mail address on the account to the one the withdraw request is going to as part of this 1-3 week process? I'll probably find that out soon since I've got a different Kiva login e-mail address than the PayPal address I entered on the form.

Thanks to Henry for offering to do this little test and grab the screen shots. Below are the screen shots he took, in order.
1. Henry has $25 credit in his Kiva account.
2. Henry clicks the Withdrawal link and gets a page where he can enter an e-mail address (twice). Note the wording on there: "deposited into a PayPal account of your choice".
3. Henry enters my e-mail address instead of his.
4. Donate to Kiva. It costs money to process the transaction?
5. Are you sure? The confirmation here is nice, with a visual check of the e-mail address where the withdrawal is going.
6. Thanks. You'll get your money in 1-3 weeks.
7. Henry has no more Kiva Credit because he just sent it to me (rubs hands).
8. Henry gets the confirmation e-mail from Kiva saying that he can expect the funds deposited into his account within 1-3 weeks. But wait, he didn't send it to his PayPal account....
At my e-mail address, which Henry entered instead of his, I get... nothing. Except probably an e-mail in 3-21 days saying I have money from Kiva and that my Kiva account withdrawal has been processed. This is assuming they don't have some sort of PayPal name/verification on their end that might raise a red flag. This post detailing what we did will probably raise one.
The main security problem I see here is that if someone has access to your Kiva account or can guess your e-mail/password (a common problem), they can, in theory, withdraw your money to themselves without you really knowing, if there is no check and balance there. Also, the confirmation e-mail says your funds will be deposited into YOUR PayPal account. An inexperienced user with a compromised account who gets a message like that might think it's their loan payback, since there is no mention in that e-mail of what PayPal account/address it went to.
So a confirmation message sent to the account holder asking a second time if they authorized the withdrawal to so-and-so, especially (perhaps only) if the e-mail address the withdrawal is being sent to doesn't match the one used for their Kiva login, would go a long way for security and peace of mind.
With large withdrawals, I'd hope someone at Kiva just calls you up and verifies your info and request that way. I can't imagine sending hundreds, maybe thousands of dollars to a PayPal account without making absolutely sure, especially if the address entered on the withdrawal form doesn't match that person's Kiva login address.
Anyway, I hope this isn't seen as being hard on Kiva. I'm just a security freak, I suppose. Working in computers, I've seen too many bad things happen to good and unsuspecting people with their information and finances online. I'd hate to see any Kiva lender find out that their account has been compromised and/or money stolen/messed with. A great organization like Kiva also doesn't need that kind of negative publicity.
Check out Postcrossing to send a postcard and receive a postcard back from a random person somewhere in the world! www.postcrossing.com
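The safeguards proposed in the opening post (pay out only to the PayPal address on record, confirm by e-mail before sending anything, freeze withdrawals after an e-mail change) together with the after-the-fact receipt problem described in the quoted 2007 post above, as an added Python model that is not Kiva's code. It takes the opening post's stricter rule (destination must equal the address on record) rather than the 2007 post's "confirm on mismatch" variant; the account names, balances, time limits and the in-memory outbox standing in for a mail server are all constructed assumptions:

```python
"""Added illustration, not Kiva's code: a withdrawal flow with the safeguards
proposed in this thread. Every name, field and time limit here is assumed."""
from __future__ import annotations

import secrets
from dataclasses import dataclass, field

CONFIRM_TTL = 24 * 60 * 60             # assumed: a confirmation token is valid for one day
EMAIL_CHANGE_HOLD = 3 * 24 * 60 * 60   # assumed: no withdrawals for 3 days after the login e-mail changes


@dataclass
class Account:
    login_email: str            # e-mail of record on the lending account
    paypal_email: str           # PayPal address the account was originally funded from
    balance: float
    email_changed_at: float | None = None


@dataclass
class PendingWithdrawal:
    user: str
    amount: float
    destination: str
    requested_at: float


@dataclass
class WithdrawalService:
    accounts: dict[str, Account]
    pending: dict[str, PendingWithdrawal] = field(default_factory=dict)
    outbox: list[tuple[str, str]] = field(default_factory=list)   # (recipient, body); stands in for the mailer
    ledger: list[tuple[str, float, str]] = field(default_factory=list)

    def request(self, user: str, amount: float, destination: str, now: float) -> str:
        """Validate a withdrawal request and park it until the account holder confirms."""
        acct = self.accounts[user]
        if amount <= 0 or amount > acct.balance:
            return "rejected:insufficient_funds"
        # Item 1 from the opening post: pay out only to the PayPal address already on record.
        if destination.lower() != acct.paypal_email.lower():
            return "rejected:destination_not_on_record"
        # Item 2a: a recent change of the e-mail of record freezes withdrawals for a while.
        if acct.email_changed_at is not None and now - acct.email_changed_at < EMAIL_CHANGE_HOLD:
            return "rejected:email_recently_changed"
        # Item 2: nothing is paid until the holder presents a one-time token sent to the e-mail of record.
        token = secrets.token_urlsafe(16)
        self.pending[token] = PendingWithdrawal(user, amount, destination, now)
        self.outbox.append((acct.login_email,
                            f"A withdrawal of ${amount:.2f} to PayPal address {destination} was requested. "
                            f"Confirm with token {token}. If you did not request this, contact support."))
        return f"pending:{token}"

    def confirm(self, token: str, now: float) -> str:
        """Execute a pending withdrawal once its one-time token is presented."""
        pw = self.pending.pop(token, None)   # single use: the token is consumed whatever happens next
        if pw is None:
            return "unknown_token"
        if now - pw.requested_at > CONFIRM_TTL:
            return "expired"
        acct = self.accounts[pw.user]
        if pw.amount > acct.balance:         # the balance may have changed since the request
            return "rejected:insufficient_funds"
        acct.balance -= pw.amount
        self.ledger.append((pw.user, pw.amount, pw.destination))
        # The receipt names the destination, so the holder can recognise a payout they did not make.
        self.outbox.append((acct.login_email, f"Withdrawal of ${pw.amount:.2f} sent to {pw.destination}."))
        return "paid"

    def change_login_email(self, user: str, new_email: str, now: float) -> None:
        """Change the e-mail of record, alert both old and new addresses, and start the withdrawal hold."""
        acct = self.accounts[user]
        old = acct.login_email
        acct.login_email = new_email
        acct.email_changed_at = now
        for addr in (old, new_email):
            self.outbox.append((addr, f"The e-mail of record was changed from {old} to {new_email}."))


def make_demo_service() -> WithdrawalService:
    """Constructed sample account for the example (not real data)."""
    return WithdrawalService({"joan": Account("joan@example.org", "joan-paypal@example.org", 25.0)})
```

The point of routing the confirmation through `login_email` rather than the destination is that a hijacked session cannot complete the payout on its own: the attacker in the 2007 scenario would also need the holder's mailbox, and the holder sees the request, with its destination, before any money moves.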
JoanW
Kiva Supporter
Portland, Oregon
Posts: 309
One loan at a time...
« Reply #9 on: October 11, 2009, 04:45:47 PM »
Quote from: Patricia SF
Good day all,
A long, long time ago while I was searching for information regarding PayPal, I stumbled into this information. It's from the "Withdrawing Kiva credit back to PayPal" thread dated August 2007.

Thanks Patricia. I have to assume this means that either they don't see it as a problem, or at least nothing they intend to address. Peachy. At least now I know what sort of risk I'm looking at.
"Do not wait for leaders; do it alone, person to person." ~ Mother Teresa
joanna_h
« Reply #10 on: October 11, 2009, 09:05:57 PM »
If only I could keep enough Kiva credit sitting in my account that it would be worth someone stealing!
tomviolence
Kiva Supporter
Movin' to Florida
Posts: 336
A mile and a half on a bus takes a long time
« Reply #11 on: October 11, 2009, 09:07:10 PM »
Well, let's be positive. Someone might hack in and deposit money .... 
"Famines will be famines, banquets will be banquets Some spend winter in a palace, some spend it in blankets Dont wag your fingers at them and turn to walk away Dont shoot someone tomorrow that you can shoot today Time to end the praying Listen what they're saying"
The Housemartins - "Get up off your knees" - from "London 0 Hull 4"