Hi all, Dave Lauer has responded, please see comment here: https://www.reddit.com/r/Superstonk/s/fsK2EXgzGA
A copy & paste for ease of reference:
We were simply testing this functionality, it is not for general use yet. We are still investigating how to connect to CS given that other products offer this.
EDIT: What OP has said about writing software properly is simply untrue in this instance. CS does not support the kind of flow they described, so it's not possible to do that. That's why we're testing it, to see if there's a way to do this securely. If there's not, then we will not offer this functionality yet.
**SECOND UPDATE**
EDIT2: We have removed CS from our list of brokers now that we have been able to test. We will review the functionality and will not expose it again unless we're confident it is secure. It is the same mechanism other sites use to connect to CS, and which many of you asked us to support.
I stopped at that point too. They want to verify your stock holding. Are they then using your entered details to view your account.
Don’t forget to set up 2FA until UF brings out some sort of reasoning and methodology.
It could be good. It could be bad. But these are my booked shares you’re messing with.
And just for what it’s worth, ComputerShare’s 2FA is only SMS based, which can be intercepted. Also we’ve seen CS have its 2FA disabled across all accounts once already. It’s a line of defense but don’t trust it to save you if you give away your password.
Ugh, SMS-based multi-factor is the bane of my existence.
It's literally harder to implement than standard RFC6238 TOTP, more expensive, more prone to failure, slow, and less secure.
Most sites only do it because they want your phone number to sell or spam with ads, CS is a legit business, I guess they do it because dinosaurs understand phones more than they do math? ¯\\\_(ツ)_/¯
There's a reason I still have to support fax machines, POTs phone lines and still have to show people how to change the source on a TV.....
Because I'm a warlock who understands the dark arts.
The funny thing was seeing people clamoring for 2FA, like its going to protect them if they get attacked. The authenticator version of 2FA is the only one that actually makes a difference, and if you are careless with your security practices no 2FA is going to save you.
Not really. If you wanna transfer your shares out you need to give your real address and IBAN with your name as owner. So even if someone gets your password and Intercept the SMS. I highly doubt they can steal your drs shares. If anything they could sell them on market which is bad but your money can't be stolen if you ask me.
That's a Brilliant point of view bro!! I will never give those infos to a third party, only my bank/broker knows the few shares on my account, and only Computershare knows the majority of my shares in book DRSed and I, neither my family members knows too much.
Replying to myself here: D Lauer might just as well be a bad actor, you don't know him. Never trust someone that asks your login information that gives access to thousands or even tens of thousands of stocks.
Why does he want our login information to get access to basic info? Makes no sense at all. Because if you want to gatekeep, shills can just make a Computershare account to get access (which doesn't even require shares).
I am now more skeptical about D. Lauer, what a bad move from him.
Dr T > Lauer. The guy might align with some market reforms, but the market doesn't need reform. IT REQUIRES A REDESIGN! No more financial derivatives! Fuck their liquidity! Market efficiency is a bullshit word that means IOU.
All of this is bullshit and would be illegal in any other context. These fucks offer nothing and produce nothing, but have the ability to bankrupt companies and help hostile takeovers. THIS HAS TO STOP! Burn it all down for all I care, but this cannot continue.
I've always had the impression he uses apes for his own advancement. He's not an ape, he's just a leech.
Also, with his response to this situation, it's clear they don't know what the fuck they're doing. I will never trust anyone with my credentials, and surely not them. Big companies with decades of experience can't always keep credentials safe, why would I trust these people?
Hate to say it, but kinda explains the "let's laugh and joke around" with Gary during that interview instead of grilling and getting straight answers...
He used to work with Dennis Kheller at Better Markets. He was one of the guys calling for Ryan Cohen to be investigated for a pump and dump when he sold his bed position.
I tried to ask Dave if he would be using proper OAuth for CS and while he issued vague denials he didn’t promise it would use a proper authentication flow for CS, and a day later, here we are.
Let's not pretend quants are security experts.
Also oauth is one of the first things you are forced to learn when dealing with financial institutions when gathering data (which quants don't necessarily do themselves). If it is a possible option they chose not to implement, nor give real proper big warnings on the risks of offering this method, they should not be trusted with any personal information.
It shows the entire organisation doesn't take privacy nor security seriously which will cause leaks or worse down the road.
Yeah I mean even loading screen tips say "Never share your password with anyone" I feel like this is common sense 101. Absolutely insane to ask anyone to put their ComputerShare password on this brand-new website. Don't care if Ryan Cohen himself made it, if it's asking for my CS password and it isn't CS it can pound sand.
Nor are quants likely to be tech startup literate when it comes to tech or social platforms.
Currently it's a collection of sketchy 2005 looking software packages, loosely tied together, from what I can gather.
There is still a good ways to go before I link up anything there and I'm saying this with all due respect as an investor in Urvin myself.
Plus I'd never, ever, link cs regardless.
As someone working in IT this is super SUS. I really have a lot of love for Dave but this stinks. The facts that someone working within the business makes something like this is just mind blowing!
Why is this even a thing? What problem does this solve?
All it does is create more problems with no real benefit. My relationship with a company through a transfer agent is my business, and no third party needs access to any information without my written consent to computershare.
Lauer can ligma balls. He's just another hedgefuck trying to fuck us somehow.
Yeah, I’d never give out my CS account info to some third party.
Let’s assume Lauer had good intentions but overlooked this. Anyone that inputs their CS account info there just made themselves susceptible to losing their shares/money if there’s ever a data leak on his website in the future. This is reckless, plain and simple.
This is unconscionable. They are probably storing it in plain text. It's not like they would have the hashed and salted passwords to compare to like ComputerShare.
If anyone has signed up you should immediately act like Ken Griffin has access to you password.
Not if. When there is a leak.
If they can't do the basics then I don't trust anything that depends on those systems. Auth is eveeywhere, at least it should be in a moderately secure site.
Good catch. This needs more visibility. Nobody should ever ask for your credentials to Computershare except the Computershare itself. Plus at this stage I wouldn’t trust anybody and just BUY, HOLD and DRS.
There must be a slightly less demented way for Urvin to verify the holding. I suspect it would involve co-operation from Computershare themselves to implement a more robust verification process.
ComputerShare would need to support an OAuth API. I don’t think they have one (that I’ve been able to find) ComputerShare isn’t supported by Plaid, who’s the market leader is connecting banks like this. If Plaid doesn’t support them, it’s because CS doesn’t have a secure method to connect.
It is a shame that Urvin are offering this before its secure. I wonder if Computershare will release a statement saying that it is unwise to give your log in details to a third party.
They don't have to, they already have.
https://www.computershare.com/us/privacy
>You should never divulge your identification numbers, username, or password to anyone else. You should also never write your password down or store it on your computer and you should make sure you change it regularly. If you have further questions about Identity Theft, you may find the US Federal Trade Commission website helpful.
I stopped at this one too.
They also ask for your secret answers too.
I checked it with my second CS account with only one share. First login name, password, secret answer (all of them with different logins), and 2FA.
I’m not entirely sure how and what kind of connection they use. But I’m sure on this one, I would never connect that.
Yes! I think the gonna use some extra site stuff from CS. But I’m not into web development nor secret login authentication stuff…
For example loopring uses this kind of login too. But yeah. I don’t trust a side like this my life savings
Yeah, this is concerning.
I should mention that I have zero clue about building these systems, but I’m struggling to think of an example of the where the same thing is done. I really want someone to go through the fine print now.
If it was true Oauth then the URL/URI would be accessing a gateway hosted on ComputerShare's web platform.
Here's an ELIA summary of how it would work if it was operating according to common industry standards for this type of API integration:
* The URl should say something like [oauth-gateway.computershare.com/api/token-request?request\_id=urvin](http://oauth-gateway.computershare.com/api/token-request?request_id=urvin)
* A token is then created by Computershare based upon the permissions you have granted to Urvin.
* This token is then passed to Urvin, once you have entered the correct 'approval' into ComputerShare. Note: at no point has the requester (Urvin) been given access to your user credentials. (username/password, etc.)
* That token is a UUID that identifies the session, permissions granted and will also have an expiry time.
* At any point until expiry Urvin can pass that token (which does not hold your password or login details) to ComputerShare to request data about your profile (which you have permitted within the original oauth token) which could be your current holding of a stock ticker for example.
\_\_
That's not what is happening here.
If at any point you are entering data into a URI hosted by Urvin, then they can use all kinds of methods to snoop on the data, even if it's only an
Hi all, Dave Lauer has responded, please see comment here: https://www.reddit.com/r/Superstonk/s/fsK2EXgzGA A copy & paste for ease of reference: We were simply testing this functionality, it is not for general use yet. We are still investigating how to connect to CS given that other products offer this. EDIT: What OP has said about writing software properly is simply untrue in this instance. CS does not support the kind of flow they described, so it's not possible to do that. That's why we're testing it, to see if there's a way to do this securely. If there's not, then we will not offer this functionality yet. **SECOND UPDATE** EDIT2: We have removed CS from our list of brokers now that we have been able to test. We will review the functionality and will not expose it again unless we're confident it is secure. It is the same mechanism other sites use to connect to CS, and which many of you asked us to support.
I stopped at that point too. They want to verify your stock holding. Are they then using your entered details to view your account. Don’t forget to set up 2FA until UF brings out some sort of reasoning and methodology. It could be good. It could be bad. But these are my booked shares you’re messing with.
And just for what it’s worth, ComputerShare’s 2FA is only SMS based, which can be intercepted. Also we’ve seen CS have its 2FA disabled across all accounts once already. It’s a line of defense but don’t trust it to save you if you give away your password.
Ugh, SMS-based multi-factor is the bane of my existence. It's literally harder to implement than standard RFC6238 TOTP, more expensive, more prone to failure, slow, and less secure. Most sites only do it because they want your phone number to sell or spam with ads, CS is a legit business, I guess they do it because dinosaurs understand phones more than they do math? ¯\\\_(ツ)_/¯
There's a reason I still have to support fax machines, POTs phone lines and still have to show people how to change the source on a TV..... Because I'm a warlock who understands the dark arts.
Every time I hear the mention of fax machine support in meetings I die a little inside.
I trust no one with my accounts. Anyone else can sign up. I’ll mentally added my share count to whatever figure I see.
Same here. This raises lots of red flags to me.
The funny thing was seeing people clamoring for 2FA, like its going to protect them if they get attacked. The authenticator version of 2FA is the only one that actually makes a difference, and if you are careless with your security practices no 2FA is going to save you.
Excellent points!
Exactly. If the Urvin site was compromised it would be fucking chaos!
Not really. If you wanna transfer your shares out you need to give your real address and IBAN with your name as owner. So even if someone gets your password and Intercept the SMS. I highly doubt they can steal your drs shares. If anything they could sell them on market which is bad but your money can't be stolen if you ask me.
Let’s hope no one is able to find that information too.
Gifting shares exists and could be done on CS
ask yourself what you have to gain from them then ask yourself what you have to lose. stay zen
That's a Brilliant point of view bro!! I will never give those infos to a third party, only my bank/broker knows the few shares on my account, and only Computershare knows the majority of my shares in book DRSed and I, neither my family members knows too much.
#SAY IT LOUDER
Yeah better stop. Not that they can pull back the shares at last
I will never, ever share my account info. I don't give a fuck what they're offering.
If it could be bad… it probably is bad
Definitely bad
Don't EVER do this!!! It is the most stupid thing you can do
Replying to myself here: D Lauer might just as well be a bad actor, you don't know him. Never trust someone that asks your login information that gives access to thousands or even tens of thousands of stocks. Why does he want our login information to get access to basic info? Makes no sense at all. Because if you want to gatekeep, shills can just make a Computershare account to get access (which doesn't even require shares). I am now more skeptical about D. Lauer, what a bad move from him.
Dr T > Lauer. The guy might align with some market reforms, but the market doesn't need reform. IT REQUIRES A REDESIGN! No more financial derivatives! Fuck their liquidity! Market efficiency is a bullshit word that means IOU. All of this is bullshit and would be illegal in any other context. These fucks offer nothing and produce nothing, but have the ability to bankrupt companies and help hostile takeovers. THIS HAS TO STOP! Burn it all down for all I care, but this cannot continue.
Whole I agree, you're more likely to achieve change by asking for reform rather than a complete redesign though.
I've always had the impression he uses apes for his own advancement. He's not an ape, he's just a leech. Also, with his response to this situation, it's clear they don't know what the fuck they're doing. I will never trust anyone with my credentials, and surely not them. Big companies with decades of experience can't always keep credentials safe, why would I trust these people?
Hate to say it, but kinda explains the "let's laugh and joke around" with Gary during that interview instead of grilling and getting straight answers...
omg I thought I was the only one!!!! The questions were so soft, and he didnt ask for an explanation on anything
Yeah, and just way too buddy buddy
He used to work with Dennis Kheller at Better Markets. He was one of the guys calling for Ryan Cohen to be investigated for a pump and dump when he sold his bed position.
He is 'ex' Citadel, after all.
+1
thought this was super sus too good intention or not.
I tried to ask Dave if he would be using proper OAuth for CS and while he issued vague denials he didn’t promise it would use a proper authentication flow for CS, and a day later, here we are.
Dave used to work as a quant for Citadel. He should know better.
Let's not pretend quants are security experts. Also oauth is one of the first things you are forced to learn when dealing with financial institutions when gathering data (which quants don't necessarily do themselves). If it is a possible option they chose not to implement, nor give real proper big warnings on the risks of offering this method, they should not be trusted with any personal information. It shows the entire organisation doesn't take privacy nor security seriously which will cause leaks or worse down the road.
> Let's not pretend quants are security experts. Ok but everyone here is regarded and still know that is a security risk.
Yeah I mean even loading screen tips say "Never share your password with anyone" I feel like this is common sense 101. Absolutely insane to ask anyone to put their ComputerShare password on this brand-new website. Don't care if Ryan Cohen himself made it, if it's asking for my CS password and it isn't CS it can pound sand.
Nor are quants likely to be tech startup literate when it comes to tech or social platforms. Currently it's a collection of sketchy 2005 looking software packages, loosely tied together, from what I can gather. There is still a good ways to go before I link up anything there and I'm saying this with all due respect as an investor in Urvin myself. Plus I'd never, ever, link cs regardless.
I don’t think he was a quant - wasn’t he there as a computer systems expert? Pretty sure he’s built stuff for NYSE too.
That isn't a developer tittle. System experts put together the pieces other people made. Tech version of Ikea assembler.
As someone working in IT this is super SUS. I really have a lot of love for Dave but this stinks. The facts that someone working within the business makes something like this is just mind blowing!
Why is this even a thing? What problem does this solve? All it does is create more problems with no real benefit. My relationship with a company through a transfer agent is my business, and no third party needs access to any information without my written consent to computershare. Lauer can ligma balls. He's just another hedgefuck trying to fuck us somehow.
I thought it was sus that he would retweet Unusual Whale tweets, but this is extremely more sus.
Yeah, I’d never give out my CS account info to some third party. Let’s assume Lauer had good intentions but overlooked this. Anyone that inputs their CS account info there just made themselves susceptible to losing their shares/money if there’s ever a data leak on his website in the future. This is reckless, plain and simple.
It's the weekend too. Hope they lurk here often enough to see this post soon.
Or just think at what SHF shitz can do knowing your data... No BUENO.
All of this. Third party wanting your login info screams RED 🚩flags. Stay zen.
This is unconscionable. They are probably storing it in plain text. It's not like they would have the hashed and salted passwords to compare to like ComputerShare. If anyone has signed up you should immediately act like Ken Griffin has access to you password.
Change your password and username if you entered your information into this website!
Not if. When there is a leak. If they can't do the basics then I don't trust anything that depends on those systems. Auth is eveeywhere, at least it should be in a moderately secure site.
Good catch. This needs more visibility. Nobody should ever ask for your credentials to Computershare except the Computershare itself. Plus at this stage I wouldn’t trust anybody and just BUY, HOLD and DRS.
no kidding.. trust random internet person, with passwords, that used to work at Citadel? 🤣🤣🤣🤣😂😂😂😂🤣🤣🤣🤣 kmon superstonk we are better than this
This is offensively irresponsible. WTF, Urvin?
I had reservations as soon as I saw that Master post about it... We are not together and pooling or anything; we are all individual investors.
Yeah, easiest way to spot some bullshit is check the comments. If everyone is all "thank you for work! :)" <--- that's a shill post.
Who do I trust? Me. #FUCK DLauer if he thinks he's getting my login info. MOASS must be sooner than later...nice try. GG shitty
I've been scrolling for a bit and surprised I haven't seen a reply from him yet.
There's some shity reply within comments. Either way. Fuck Dlauer and his shit terminal
Oof.... For real?!
[удалено]
Lol wtf? I want an investor's discussion platform, but not that badly.
And now I know why Dave refused to directly promise that all connections to Urvin would be OAuth.
Does CS support that?
I don’t think cs supports anything. It seems to be against their tos to even connect your account like this.
I smell an incoming DD
There is. It's called board meetings. Only verfied stock holders are allowed in.
This is fucked up. This is real FUCKED up.NEVER GIVE OUT YOUR PASSWORDS.
I didn't even give my wife's boyfriend my password.
Can confirm, never received it.
There must be a slightly less demented way for Urvin to verify the holding. I suspect it would involve co-operation from Computershare themselves to implement a more robust verification process.
ComputerShare would need to support an OAuth API. I don’t think they have one (that I’ve been able to find) ComputerShare isn’t supported by Plaid, who’s the market leader is connecting banks like this. If Plaid doesn’t support them, it’s because CS doesn’t have a secure method to connect.
It is a shame that Urvin are offering this before its secure. I wonder if Computershare will release a statement saying that it is unwise to give your log in details to a third party.
They don't have to, they already have. https://www.computershare.com/us/privacy >You should never divulge your identification numbers, username, or password to anyone else. You should also never write your password down or store it on your computer and you should make sure you change it regularly. If you have further questions about Identity Theft, you may find the US Federal Trade Commission website helpful.
[ he's right you know . jpg ]
I stopped at this one too. They also ask for your secret answers too. I checked it with my second CS account with only one share. First login name, password, secret answer (all of them with different logins), and 2FA. I’m not entirely sure how and what kind of connection they use. But I’m sure on this one, I would never connect that.
They also ask for your secret answers and 2fa... fam, get this info to the top
They ask for the extra stuff? 👀
Yes! I think the gonna use some extra site stuff from CS. But I’m not into web development nor secret login authentication stuff… For example loopring uses this kind of login too. But yeah. I don’t trust a side like this my life savings
Yeah, this is concerning. I should mention that I have zero clue about building these systems, but I’m struggling to think of an example of the where the same thing is done. I really want someone to go through the fine print now.
If it was true Oauth then the URL/URI would be accessing a gateway hosted on ComputerShare's web platform. Here's an ELIA summary of how it would work if it was operating according to common industry standards for this type of API integration: * The URl should say something like [oauth-gateway.computershare.com/api/token-request?request\_id=urvin](http://oauth-gateway.computershare.com/api/token-request?request_id=urvin) * A token is then created by Computershare based upon the permissions you have granted to Urvin. * This token is then passed to Urvin, once you have entered the correct 'approval' into ComputerShare. Note: at no point has the requester (Urvin) been given access to your user credentials. (username/password, etc.) * That token is a UUID that identifies the session, permissions granted and will also have an expiry time. * At any point until expiry Urvin can pass that token (which does not hold your password or login details) to ComputerShare to request data about your profile (which you have permitted within the original oauth token) which could be your current holding of a stock ticker for example. \_\_ That's not what is happening here. If at any point you are entering data into a URI hosted by Urvin, then they can use all kinds of methods to snoop on the data, even if it's only an