back to article Imagine things are bad enough that you need a payday loan. Then imagine flaws in systems of loan lead generators leave your records in the open... for years

Two separate internet affiliate networks have closed vulnerabilities that exposed potentially millions of records in one of the most sensitive areas: payday loans. US-based software engineer Kevin Traver contacted us after he found two large groups of short-term loan websites that were giving up sensitive personal information …

  1. Pascal Monett Silver badge
    Facepalm

    A bad code push ? Really ?

    "an email address and a URL parameter "

    That is not a bad code push, that is 1990s Internet coding.

    We have come quite a long way in 30 years, thank you for catching up.

    1. Lee D

      Re: A bad code push ? Really ?

      Did you miss the bit where the SSN challenge was actually hidden in the HTML code of the same page anyway?

    2. itzman
      Facepalm

      Re: A bad code push ? Really ?

      No, we have in fact retrogressed. Today web sites are written by art students using 'frameworks'.

      Commercial websites of tier one banks are fatally flawed. No one cares. Bugs are never fixed. It took me over a year to get one bug fixed in a major high street bank so that I could use it without invoking Windows XP in a virtual machine. It still has the same bug, but only once, not twice. It features amazing minimalist graphics of light grey on white, but a marvellous picture of a black man looking like a happy investor. It tells me and has told me for over 18 months I have two messages. There are none.

      It has less functionality and runs at half the speed of the site it replaced.

      But it is fwightfully 'artistic'

      1. Mike 137 Silver badge

        Re: A bad code push ? Really ?

        Well said itzman. The results can be utterly stupendous.

        A commercial web site I have to use to select engineering standard parts has pages the source of which is over 600kB. The actual readable text is around 3kB. That's a Shannon efficiency of 0.5%. The remaining 99.5% is massively redundant blocks of almost duplicate in-line style statements and javascript, although the pages impart all the necessary information for ordering statically (or at least they would if the links to supporting documents were not javascript driven). What's wrong with HTML link anchors? Oh sorry, I forgot - they're "old fashioned" (or is it "outdated" these days?)

        If the presentation wonks that write web pages actually knew what they were doing technically, things might improve, but sadly both the concept that content is king has been abandoned and the current generation of tools makes it possible to generate output without any expertise. The results speak for themselves.

        1. noisy_typist

          Re: A bad code push ? Really ?

          You could have written that almost word for word in 2001 to describe Micros~ FrontPage websites. Nothing changes.

        2. ecofeco Silver badge

          Re: A bad code push ? Really ?

          But how will people know they are a l33t haxor without all that code?

      2. teknopaul Silver badge

        Re: A bad code push ? Really ?

        deutsche bank uses national ID number (that everyone knows) for username and a 4 digit pin for security.

        I don't know how they got that past even the most basic security audit

    3. JohnSheeran

      Re: A bad code push ? Really ?

      1990s internet coding is pretty good considering the entire business model is based on 1930s loan sharking.

  2. Pete 2 Silver badge

    On the bright side

    > exposed potentially millions of records in one of the most sensitive areas: payday loans

    Any hacker who does access that data will see that you don't have any money, so aren't worth scamming

    1. Aladdin Sane

      Re: On the bright side

      Or that you're vulnerable.

    2. JimboSmith Silver badge

      Re: On the bright side

      I was called by a Payday Loan company out bof the blue in the middle of one day. It was on my landline which had one day left before BT cut it off. Chap on the other end asked if he could speak to a MR XXXXX about a loan application he was going to be a guarantor for. When I said there wasn't anyone of that name here he became more salesman like. He asked If I needed up to five grand which had an interest rate of 50%. He said I just needed somebody to guarantee the loan.

      I said that I'd spotted a flaw in their business model which the chap insisted I hadn't. I said If I needed the loan (which I didn't) it would be sensible to pick somebody with the odd 5k to spare to guarantee it. Therefore that person is on the hook for the 5k and will be coming after me if I don't pay the loan back. There's no upside for the guarantor in this situation it's all risk and no reward. Why wouldn't we just cut out their payday loan company and I borrow the 5k from the guarantor. I pay them 25% (or less) interest and I'm saving myself a fair whack of cash. The guarantor also benefits from some serious upside in the form of this interest I'll be paying them. I said that sounded like a much better solution and cost much less.

      Chap on the other end of the phone says that won't work. Then says as I obviously don't need the money 'good day to you sir' or something like that. I think this was a genuine wrong number because I then dialed the two numbers with the last digits either side of mine on the keypad. I did end up speaking to a Mr XXXXX on the second one who was very pleasant and liked my idea.

      1. gnasher729 Silver badge

        Re: On the bright side

        My principle actually: If someone asks me if I want to be a guarantor for a loan, there are two possibilities: Either I have the money, and I'm willing to give them the money, then there is no loan. Or I don't have the money, or I wouldn't be willing to give them the money, then there is no guarantee, therefore no loan. It's rare for someone to fall into the first category.

      2. Anonymous Coward
        Anonymous Coward

        Re: On the bright side

        You then made two unsolicited calls to check who the original unsolicited caller was calling? I'm not sure that's best practice.

      3. david bates

        Re: On the bright side

        Exactly this - why would I not just flex my god credit rating and take out the loan at 2% interest in behalf of my friend? What would I be losing?

  3. IGotOut Silver badge

    Payday loans...

    Aka legalised loan sharks.

    1. Prst. V.Jeltz Silver badge

      Re: Payday loans...

      It really is reprehensible. Why its not illegal to charge (lets say double the inflation rate) is beyond me.

      They've regulated them a bit now I hear , so now they are merely

      "scum of the earth , top of the list , still beating heroin dealers , but not by as much as previously"

  4. J27

    That's debatable... the legality that is.

  5. Anonymous Coward
    Anonymous Coward

    There’s a special place in Hell for pay day loan operators

    Right by the sewage outfall.

  6. Anonymous Coward
    Anonymous Coward

    Now imagine that no company will suffer any consequence for their mistakes...

  7. Trixr

    "no evidence" of a breach?

    So Mr Zoom Marketing says there is no evidence of a breach of confidential data, whereas Traver tested 170 records and had an 80% strike rate.

    So were those particular records disclosed as being tested to Zoom Marketing and is the plonker excluding them in his report of "no breach"? Because if it were me, I would be very careful to state, "Other than the 136 records accessed by Travers between $DateTimeA and $DateTimeB, we found no evidence of any other PII breach via this route."

    Because if the specific records weren't disclosed, they didn't do a very good job of reviewing their logs (assuming they had them).

  8. Quentin North

    GDPR

    And that, folks, is the reason we have GDPR and dont trust US companies with our European data.

    1. Alan Brown Silver badge

      Re: GDPR

      Mnay US states have privacy laws which this stuff is breaching and their State AGs are more than happy to long-arm such laws

      All someone has to do is show the sites have numbers of people from the state in question - and a suitably notified state AG may decide to do that themselves

  9. sgp

    Global Management LLC

    What a shady name.

  10. Anonymous Coward
    Anonymous Coward

    To give some credit

    (I seriously did not intend to make a pun)

    Aside from the more than questionable morality of so-called payday loans on many, many grounds, I do at least appreciate this Weichsalbaum guy being frank about their problem, doing something about it quickly, and not doing the "a small number of our valued customers" bullshit. I guess he's the brains behind the idea and hired someone to do the API + backend and the latter was more on the cheap side than the good side.

    1. Mark192

      Re: To give some credit

      +1. He certainly contrasts favourably with the second lot, who sought to minimise the issue.

  11. Lorribot

    I personally hate most corporate websites as they are triumph of design over usability, once designers started getting involved and restricted website widths (most website only fill a third of my screen) and what not, had lots of Flash/java nonsense and all that rubbish rather just deliver content, it was all down hill. We now have in-bedded videos that start automatically and all sorts of animation and cleverness and JavaScript stuff going on, it hardly surprising the basic coding is not up to anything and basic security is ignored or just not understood or seen as important...until the GDPR fines come in.

    1. ecofeco Silver badge

      A good read: http://www.stilldrinking.org/programming-sucks

    2. teknopaul Silver badge

      Use of SSN presumable makes this US specific. GDPR will not come in to it.

  12. Anonymous Coward
    Anonymous Coward

    Never a borrower, nor a lender be...

    If you haven't figured out that buying something for £100 now, but paying £110 next week is a bad deal, then you're pretty screwed. If you're short of money now, it'll be even worse when that loan comes due.

    1. Anonymous Coward
      Anonymous Coward

      Re: Never a borrower, nor a lender be...

      In the adds on TV which seemed to dry up now they show the annual interest rates in small print and these are horrendous I have seen them over 1,000 %.

      1. Alan Brown Silver badge

        Re: Never a borrower, nor a lender be...

        During the UK crackdowns on payday lenders (ie, when they started forcing them to disclose interest rates but before outright bans) I saw one advert listing a 14,500% APR

  13. Conor Turton

    Who the hell uses SSNs as proof of ID?

    This is why using someone's social security number on an application as absolute proof of identity is stupid beyond belief.

    1. ecofeco Silver badge

      Re: Who the hell uses SSNs as proof of ID?

      Who? Almost every organization in the U.S., that's who.

      Despite the fact that it was never intended as such.

      1. Alan Brown Silver badge

        Re: Who the hell uses SSNs as proof of ID?

        Birth certificates are not identity documents either (in fact they're embossed as such) but are commonly used as proof of ID (including for passports)

        As I have my grandfather's one I've wondered a few times if I could be registered as a 125 year old geezer, just to prove a point

    2. Alan Brown Silver badge

      Re: Who the hell uses SSNs as proof of ID?

      Yup.

      I've seen stories of USA hospitals being assessed for major HIPPA violations after improperly recording patient data (one of the most common apparently is someone going into emergency room and being linked against a previous patent with the same name but a different SSN) and then sending out debt collectors/filing credit reports based on SSN

POST COMMENT House rules

Not a member of The Register? Create a new account here.

  • Enter your comment

  • Add an icon

Anonymous cowards cannot choose their icon

Biting the hand that feeds IT © 1998–2022