Peter Stern has not responded to my private message regarding a security issue/irregularity I've discovered on the Datek site, so I'll post my discovery here. Since he has not responded, this seems to be the only way to get Datek's attention and also to verify with other account users that the problem exists. Hopefully, this information will not be of much help to a hacker since it isn't a total security failure, but at the very least it is an inconsistency that is worrisome.
Passwords should use both alpha and numeric characters for highest security, so my password is an alphanumeric string. Simple words or combinations of letters are fairly easy for a hacker to break by brute force "guessing", from what I understand. By accident, I discovered that I have access to my Datek account by only typing in the alpha characters, leaving the numerics off. To me, this means the security is half-compromised. Using the partial password allows me to get quotes, as well as view my portfolio and its history. To my relief, I still must enter the full password to send an order in.
Will others please verify this irregularity/inconsistency? I haven't checked all the possible access points, but even one inconsistency is worrisome to me and makes me wonder about the security integrity for the site. This also makes me a little nervous that many of us had publicly posted part of our user names earlier for Peter's poll. I know it's not the entire user name or password, but a good chunk of it is vulnerable from what I see, and I don't want ANY of it to be any easier to hack.
D. Kuspa
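The symptom described in the post (the alphabetic part of an alphanumeric password being accepted on its own) is the kind of defect a login regression check should catch. The following is an added illustration, not Datek's code and not posted by the author: a hypothetical flawed verifier that drops digits before hashing is compared with a correct one, and a check enumerates which variants of the real password each verifier accepts.

```python
import hashlib
import hmac

# Constructed example credential and salt; fixed so the run is deterministic.
EXAMPLE_PASSWORD = "trade47x9"
SALT = b"constructed-fixed-salt"


def _digest(password: str) -> bytes:
    # PBKDF2-HMAC-SHA256; the KDF choice is not the point of the example.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), SALT, 10_000)


def _alpha_only(password: str) -> str:
    # Hypothetical flawed pre-processing: digits are stripped before hashing,
    # so they never take part in the comparison (reproduces the reported symptom).
    return "".join(ch for ch in password if ch.isalpha())


def enroll_flawed(password: str) -> bytes:
    return _digest(_alpha_only(password))


def verify_flawed(candidate: str, stored: bytes) -> bool:
    return hmac.compare_digest(_digest(_alpha_only(candidate)), stored)


def enroll_correct(password: str) -> bytes:
    return _digest(password)


def verify_correct(candidate: str, stored: bytes) -> bool:
    # The full, unmodified password is hashed; any change must fail.
    return hmac.compare_digest(_digest(candidate), stored)


def mutations(password: str):
    # Variants a login endpoint must reject: letters only, non-letters only,
    # every proper prefix, changed case, and a trailing extra character.
    yield "".join(c for c in password if c.isalpha())
    yield "".join(c for c in password if not c.isalpha())
    for n in range(1, len(password)):
        yield password[:n]
    yield password.upper()
    yield password + "1"


def accepted_variants(verify, enroll, password: str) -> list:
    """Return the wrong passwords a verifier accepts (should be empty)."""
    stored = enroll(password)
    assert verify(password, stored), "real password must still be accepted"
    return sorted({m for m in mutations(password) if m != password and verify(m, stored)})


if __name__ == "__main__":
    print("flawed accepts:", accepted_variants(verify_flawed, enroll_flawed, EXAMPLE_PASSWORD))
    print("correct accepts:", accepted_variants(verify_correct, enroll_correct, EXAMPLE_PASSWORD))
```

Running the check against every endpoint that authenticates (quotes and portfolio views as well as order entry) is what would have surfaced the inconsistency the post describes.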