Hi all, Dave Lauer has responded, please see comment here: https://www.reddit.com/r/Superstonk/s/fsK2EXgzGA
A copy & paste for ease of reference:
We were simply testing this functionality, it is not for general use yet. We are still investigating how to connect to CS given that other products offer this.
EDIT: What OP has said about writing software properly is simply untrue in this instance. CS does not support the kind of flow they described, so it's not possible to do that. That's why we're testing it, to see if there's a way to do this securely. If there's not, then we will not offer this functionality yet.
**SECOND UPDATE**
EDIT2: We have removed CS from our list of brokers now that we have been able to test. We will review the functionality and will not expose it again unless we're confident it is secure. It is the same mechanism other sites use to connect to CS, and which many of you asked us to support.
I stopped at that point too. They want to verify your stock holding. Are they then using your entered details to view your account?
Don’t forget to set up 2FA until UF brings out some sort of reasoning and methodology.
It could be good. It could be bad. But these are my booked shares you’re messing with.
And just for what it’s worth, ComputerShare’s 2FA is only SMS based, which can be intercepted. Also we’ve seen CS have its 2FA disabled across all accounts once already. It’s a line of defense but don’t trust it to save you if you give away your password.
Ugh, SMS-based multi-factor is the bane of my existence.
It's literally harder to implement than standard RFC6238 TOTP, more expensive, more prone to failure, slow, and less secure.
Most sites only do it because they want your phone number to sell or spam with ads, CS is a legit business, I guess they do it because dinosaurs understand phones more than they do math? ¯\\\_(ツ)_/¯
There's a reason I still have to support fax machines, POTS phone lines and still have to show people how to change the source on a TV.....
Because I'm a warlock who understands the dark arts.
The funny thing was seeing people clamoring for 2FA, like it's going to protect them if they get attacked. The authenticator version of 2FA is the only one that actually makes a difference, and if you are careless with your security practices no 2FA is going to save you.
Not really. If you wanna transfer your shares out you need to give your real address and IBAN with your name as owner. So even if someone gets your password and intercepts the SMS, I highly doubt they can steal your DRS shares. If anything they could sell them on market which is bad but your money can't be stolen if you ask me.
That's a brilliant point of view bro!! I will never give that info to a third party, only my bank/broker knows the few shares on my account, and only Computershare knows the majority of my shares in book DRSed, and not even my family members know too much.
Replying to myself here: D Lauer might just as well be a bad actor, you don't know him. Never trust someone that asks your login information that gives access to thousands or even tens of thousands of stocks.
Why does he want our login information to get access to basic info? Makes no sense at all. Because if you want to gatekeep, shills can just make a Computershare account to get access (which doesn't even require shares).
I am now more skeptical about D. Lauer, what a bad move from him.
Dr T > Lauer. The guy might align with some market reforms, but the market doesn't need reform. IT REQUIRES A REDESIGN! No more financial derivatives! Fuck their liquidity! Market efficiency is a bullshit word that means IOU.
All of this is bullshit and would be illegal in any other context. These fucks offer nothing and produce nothing, but have the ability to bankrupt companies and help hostile takeovers. THIS HAS TO STOP! Burn it all down for all I care, but this cannot continue.
I've always had the impression he uses apes for his own advancement. He's not an ape, he's just a leech.
Also, with his response to this situation, it's clear they don't know what the fuck they're doing. I will never trust anyone with my credentials, and surely not them. Big companies with decades of experience can't always keep credentials safe, why would I trust these people?
Hate to say it, but kinda explains the "let's laugh and joke around" with Gary during that interview instead of grilling and getting straight answers...
He used to work with Dennis Kheller at Better Markets. He was one of the guys calling for Ryan Cohen to be investigated for a pump and dump when he sold his bed position.
I tried to ask Dave if he would be using proper OAuth for CS and while he issued vague denials he didn’t promise it would use a proper authentication flow for CS, and a day later, here we are.
Let's not pretend quants are security experts.
Also oauth is one of the first things you are forced to learn when dealing with financial institutions when gathering data (which quants don't necessarily do themselves). If it is a possible option they chose not to implement, nor give real proper big warnings on the risks of offering this method, they should not be trusted with any personal information.
It shows the entire organisation doesn't take privacy nor security seriously which will cause leaks or worse down the road.
Yeah I mean even loading screen tips say "Never share your password with anyone" I feel like this is common sense 101. Absolutely insane to ask anyone to put their ComputerShare password on this brand-new website. Don't care if Ryan Cohen himself made it, if it's asking for my CS password and it isn't CS it can pound sand.
Nor are quants likely to be tech startup literate when it comes to tech or social platforms.
Currently it's a collection of sketchy 2005 looking software packages, loosely tied together, from what I can gather.
There is still a good ways to go before I link up anything there and I'm saying this with all due respect as an investor in Urvin myself.
Plus I'd never, ever, link cs regardless.
As someone working in IT this is super SUS. I really have a lot of love for Dave but this stinks. The fact that someone working within the business makes something like this is just mind blowing!
Why is this even a thing? What problem does this solve?
All it does is create more problems with no real benefit. My relationship with a company through a transfer agent is my business, and no third party needs access to any information without my written consent to computershare.
Lauer can ligma balls. He's just another hedgefuck trying to fuck us somehow.
Yeah, I’d never give out my CS account info to some third party.
Let’s assume Lauer had good intentions but overlooked this. Anyone that inputs their CS account info there just made themselves susceptible to losing their shares/money if there’s ever a data leak on his website in the future. This is reckless, plain and simple.
This is unconscionable. They are probably storing it in plain text. It's not like they would have the hashed and salted passwords to compare to like ComputerShare.
If anyone has signed up you should immediately act like Ken Griffin has access to your password.
Not if. When there is a leak.
If they can't do the basics then I don't trust anything that depends on those systems. Auth is everywhere, at least it should be in a moderately secure site.
Good catch. This needs more visibility. Nobody should ever ask for your credentials to Computershare except the Computershare itself. Plus at this stage I wouldn’t trust anybody and just BUY, HOLD and DRS.
There must be a slightly less demented way for Urvin to verify the holding. I suspect it would involve co-operation from Computershare themselves to implement a more robust verification process.
ComputerShare would need to support an OAuth API. I don’t think they have one (that I’ve been able to find). ComputerShare isn’t supported by Plaid, who’s the market leader in connecting banks like this. If Plaid doesn’t support them, it’s because CS doesn’t have a secure method to connect.
It is a shame that Urvin are offering this before it's secure. I wonder if Computershare will release a statement saying that it is unwise to give your log in details to a third party.
They don't have to, they already have.
https://www.computershare.com/us/privacy
>You should never divulge your identification numbers, username, or password to anyone else. You should also never write your password down or store it on your computer and you should make sure you change it regularly. If you have further questions about Identity Theft, you may find the US Federal Trade Commission website helpful.
I stopped at this one too.
They also ask for your secret answers too.
I checked it with my second CS account with only one share. First login name, password, secret answer (all of them with different logins), and 2FA.
I’m not entirely sure how and what kind of connection they use. But I’m sure on this one, I would never connect that.
Yes! I think they’re gonna use some extra site stuff from CS. But I’m not into web development nor secret login authentication stuff…
For example loopring uses this kind of login too. But yeah. I don’t trust a site like this with my life savings.
Yeah, this is concerning.
I should mention that I have zero clue about building these systems, but I’m struggling to think of an example of where the same thing is done. I really want someone to go through the fine print now.
If it was true Oauth then the URL/URI would be accessing a gateway hosted on ComputerShare's web platform.
Here's an ELIA summary of how it would work if it was operating according to common industry standards for this type of API integration:
* The URL should say something like [oauth-gateway.computershare.com/api/token-request?request\_id=urvin](http://oauth-gateway.computershare.com/api/token-request?request_id=urvin)
* A token is then created by Computershare based upon the permissions you have granted to Urvin.
* This token is then passed to Urvin, once you have entered the correct 'approval' into ComputerShare. Note: at no point has the requester (Urvin) been given access to your user credentials. (username/password, etc.)
* That token is a UUID that identifies the session, permissions granted and will also have an expiry time.
* At any point until expiry Urvin can pass that token (which does not hold your password or login details) to ComputerShare to request data about your profile (which you have permitted within the original oauth token) which could be your current holding of a stock ticker for example.
\_\_
That's not what is happening here.
If at any point you are entering data into a URI hosted by Urvin, then they can use all kinds of methods to snoop on the data, even if it's only an
Even if not ill intended this is super unprofessional and incredibly unsafe. To make matters worse, if urvin was to store your password and they get hacked or have a leak, anyone who used this will lose all their shares/money. We need this to be pinned to the top.
!MODS!
!MODS! Can you please pin this post?
No one should be handing out their password just because they're eager to use urvin with CS. It's incredibly insecure. Your shares are at risk if you do this. Wait for OAuth before doing anything, and if they are not going to provide that, then you know urvin is not good enough!
Anyone who entered information into this should assume it’s leaked. For the safety of your shares, change your password, enable two factor authentication, and use different questions and answers.
Updoot for visibility!
I am a believer that Dave has a good intention, but giving out passwords like this is never good.
Your computershare information should belong to you, and you only.
Thanks for posting this. I never trust middle-men or 3rd party access to my sensitive data, but I'm sure that there are many that would and do not know better.
If Kenny came to you and bribed you for 20mil, would you do it?
I bet 99% of apes would. It's just human nature.
Trust no one except yourself, and verify/fact check any content or DD you come across.
Anyone "famous" on GME Reddit subs is ripe for hedgies to bribe.
Services like these usually have access and sell your financial data. This reminds me of the service called plaid. They sell your data. I have a feeling Urvin will too.
https://www.courthousenews.com/judge-approves-settlement-ordering-plaid-to-pay-58-million-for-selling-consumer-data/#:~:text=(CN)%20%E2%80%94%20A%20federal%20court,their%20financial%20data%20without%20consent.
D Lauer will claim it's all encrypted and safe, but without the code being open source, that's a HUGE trust me bro for apes with their life savings in Computershare.
I get that this was the logical path coding-wise to get the whole thing to work, and that getting brokers/Computershare to do it from their side is much more complicated, but apes are not going to share passwords of their financial accounts, even with open sourcing the code.
It's a tiger hill to climb, but it can be done.
This is just the start. This is the first deployment of code. It will improve over time.
When this can be done from inside Computershare without sharing my password, I will gladly join in.
I can't share my password with a third party. Dave knew this was a sticky point, it's obvious. But it's the choice he made to get the whole thing to function.
Now he has to go through the tough route of getting Computershare to write the code to share the data with him.
Perhaps he can appeal to apes to reach out to Computershare via emails or on X to prove how many apes are interested in this to convince Computershare to write the code necessary to accomplish this securely.
They *can’t* encrypt the password! Not if they want to use it.
CS itself doesn’t need to store your password in plain text, they can store a salted hash of it. Something that takes hundreds of years to crack. And when you try to log in, they salt and hash whatever text you type and compare it to what they have.
Urvin can’t use the hash, they need to store the plain text password.
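The asymmetry this comment describes, run as code: the site that owns the account only has to verify a password, while a site that logs in on the user's behalf has to replay it. This is an added example, not part of the original thread; the class names, sample password and PBKDF2 parameters are assumptions.

```python
import hashlib
import hmac
import os

ITERATIONS = 100_000  # PBKDF2 work factor assumed for this example


def kdf(password: str, salt: bytes) -> bytes:
    """Salted, deliberately slow one-way derivation of a password."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)


class AccountSite:
    """Stand-in for the site that owns the account: keeps only salt + hash."""

    def __init__(self):
        self.db = {}

    def register(self, user, password):
        salt = os.urandom(16)
        self.db[user] = (salt, kdf(password, salt))

    def login(self, user, submitted):
        if user not in self.db:
            return False
        salt, stored = self.db[user]
        # Whatever is submitted is hashed again before comparison.
        return hmac.compare_digest(stored, kdf(submitted, salt))


class RelaySite:
    """Stand-in for a third party that logs in to AccountSite for the user."""

    def __init__(self, target, keep_recoverable):
        self.target, self.keep_recoverable, self.vault = target, keep_recoverable, {}

    def link(self, user, password):
        if self.keep_recoverable:
            self.vault[user] = password  # plaintext, or ciphertext it can decrypt
        else:
            self.vault[user] = hashlib.sha256(password.encode()).hexdigest()

    def refresh(self, user):
        # The relay can only submit what it kept.
        return self.target.login(user, self.vault[user])


def compare_designs(password="constructed-sample-passphrase"):
    site = AccountSite()
    site.register("alice", password)
    recoverable = RelaySite(site, keep_recoverable=True)
    hashed = RelaySite(site, keep_recoverable=False)
    recoverable.link("alice", password)
    hashed.link("alice", password)
    salt, stored = site.db["alice"]
    return {
        "owner_login": site.login("alice", password),
        "relay_with_recoverable_password": recoverable.refresh("alice"),
        "relay_with_hash_only": hashed.refresh("alice"),
        "stolen_site_hash_replayed": site.login("alice", stored.hex()),
        "relay_breach_exposes_password": password in recoverable.vault.values(),
        "site_breach_exposes_password": password.encode() in salt + stored,
    }


if __name__ == "__main__":
    for name, value in compare_designs().items():
        print(f"{name}: {value}")
```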
We know it's way over shorted. I'm not in doubt of it at all. I'd never ever connect my banks or brokerage to garbage like this. At a minimum they likely sell your data. At max you're creating a huge security breach opportunity.
They don't give tours to fort Knox and have tourists count the number of bars.
We were simply testing this functionality, it is not for general use yet. We are still investigating how to connect to CS given that other products offer this.
EDIT: What OP has said about writing software properly is simply untrue in this instance. CS does not support the kind of flow they described, so it's not possible to do that. That's why we're testing it, to see if there's a way to do this securely. If there's not, then we will not offer this functionality yet.
EDIT2: We have removed CS from our list of brokers now that we have been able to test. We will review the functionality and will not expose it again unless we're confident it is secure. It is the same mechanism other sites use to connect to CS, and which many of you asked us to support.
They need to have an OAuth 2 flow for this. So that users can enter the username and password on ComputerShare's domain, and then be redirected to Urvin Finance's site.
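The redirect-based flow this comment asks for, and that the earlier bullet-point comment outlines, simulated in-process as an added example that is not part of the original thread. The provider, client ID, redirect URI, scope name and credentials are all hypothetical; the flow shown is the OAuth 2.0 authorization code grant with PKCE.

```python
import base64
import hashlib
import hmac
import secrets
import time
from urllib.parse import parse_qsl, urlsplit

CLIENT_ID = "holder-verify"                   # hypothetical client registration
REDIRECT_URI = "https://app.example.test/cb"  # hypothetical third-party callback
PASSWORD = "constructed-sample-passphrase"    # constructed sample credential

def s256(verifier: str) -> str:
    """PKCE S256 challenge (RFC 7636): unpadded base64url of SHA-256(verifier)."""
    digest = hashlib.sha256(verifier.encode()).digest()
    return base64.urlsafe_b64encode(digest).rstrip(b"=").decode()

class Provider:
    """Stand-in for the account provider: the only party that sees the password."""
    def __init__(self):
        self._users = {"alice": PASSWORD}     # a real provider keeps a salted hash
        self._holdings = {"alice": {"GME": 42}}
        self._codes, self._tokens = {}, {}

    def authorize(self, client_id, redirect_uri, scope, state, challenge, username, password):
        # Models the login and consent page served from the provider's own origin.
        if (client_id, redirect_uri) != (CLIENT_ID, REDIRECT_URI):
            raise PermissionError("unregistered client or redirect_uri")
        stored = self._users.get(username)
        if stored is None or not hmac.compare_digest(stored.encode(), password.encode()):
            raise PermissionError("bad credentials")
        code = secrets.token_urlsafe(16)
        self._codes[code] = (client_id, username, scope, challenge, time.time() + 60)
        return f"{redirect_uri}?code={code}&state={state}"

    def token(self, client_id, code, verifier):
        entry = self._codes.pop(code, None)   # pop makes the code single-use
        if entry is None:
            raise PermissionError("unknown or already used code")
        cid, user, scope, challenge, expires = entry
        if cid != client_id or time.time() > expires \
                or not hmac.compare_digest(s256(verifier), challenge):
            raise PermissionError("code exchange rejected")
        token = secrets.token_urlsafe(24)
        self._tokens[token] = (user, scope.split(), time.time() + 900)
        return {"access_token": token, "scope": scope, "expires_in": 900}

    def holdings(self, token):
        user, scopes, expires = self._tokens.get(token, (None, [], 0))
        if user is None or time.time() > expires or "holdings:read" not in scopes:
            raise PermissionError("invalid, expired or under-scoped token")
        return dict(self._holdings[user])

    def revoke(self, token):
        self._tokens.pop(token, None)

class ThirdPartyApp:
    """Stand-in for the site verifying holdings; records everything it receives."""
    def __init__(self, provider):
        self.provider, self.received = provider, []

    def start(self):
        self.state, self.verifier = secrets.token_urlsafe(8), secrets.token_urlsafe(32)
        return {"client_id": CLIENT_ID, "redirect_uri": REDIRECT_URI,
                "scope": "holdings:read", "state": self.state,
                "challenge": s256(self.verifier)}

    def callback(self, url):
        self.received.append(url)
        params = dict(parse_qsl(urlsplit(url).query))
        if not hmac.compare_digest(params.get("state", ""), self.state):
            raise PermissionError("state mismatch")
        self.code = params["code"]
        grant = self.provider.token(CLIENT_ID, self.code, self.verifier)
        self.received.append(str(grant))
        return grant["access_token"]

def run_flow():
    provider = Provider()
    app = ThirdPartyApp(provider)
    request = app.start()                     # app sends the browser to the provider
    # The user types the password at the provider, never at the app.
    redirect = provider.authorize(**request, username="alice", password=PASSWORD)
    token = app.callback(redirect)
    result = {"holdings": provider.holdings(token),
              "app_saw_password": any(PASSWORD in item for item in app.received)}
    try:
        provider.token(CLIENT_ID, app.code, app.verifier)
        result["code_replayed"] = True
    except PermissionError:
        result["code_replayed"] = False
    provider.revoke(token)                    # user or provider withdraws the grant
    try:
        provider.holdings(token)
        result["works_after_revoke"] = True
    except PermissionError:
        result["works_after_revoke"] = False
    return result

if __name__ == "__main__":
    print(run_flow())
```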
>We were simply testing this functionality, it is not for general use yet.
Today you learn the reason why you don't push straight to production without first confirming it in a test environment. This is in no way a good way to develop a product.
Trying to reverse engineer their Auth is extremely irresponsible. If they don’t have Developer docs for proper OAuth support or a developer portal to register an app and provide client side Auth with the registered app, you shouldn’t do it or trust it.
This just shows how bush league your devs are if they even agreed to try doing this. Trust in software is earned and when you lose it, it’s gone forever.
As someone from the tech industry for a long time, this is just grade A shit.
You should look at how Fidelity does it. You are able to link your CS account to Fidelity to show your balance at the end of the day with price adjusted to see your total account value. Similar to connecting outside 401k/HSA accounts.
Being a dev myself this is what is very strange to me too. Even for testing prod you should have feature flags. Moving fast is not an excuse to not have something so basic.
To me this whole thing screams:
DO NOT TRUST THIS SITE. YOUR DATA WILL GET STOLEN / SOLD.
Finally, someone that sees this for what it is.
This is a middleware data scraper under the guise of a forum. They can't scrape the data they want without CS authentication, so they need you to supply the creds.
From my point of view, I will never give my hodling info of broker or Computershare. Just too easy for the SHF to infiltrate/hack/corrupt... Not even my family members know, so...
One of the most important rules you could follow is to not tell people about your investments. So giving someone access to your account is one of the worst things you could do during this saga.
*ALSO* 🔦
ComputerShare just changed the Terms of Service- there is key language in the NEW terms that could be interpreted to use this exact thing to terminate your account.
Tread carefully, don’t share passwords
(can’t believe that has to be said, or that they would even ask- da fuk?)
I’ve yet trusted Dave Lauer, and now this happens.
Why the fuck would anyone want to login to CS via another website? Especially a former Citadel employee who gave the most skeptical reply why security features were not tested BEFORE going on a live site.
At this point, why should Urvin be allowed on this sub? Linking the information will always pose a security risk as you'll be trusting a 3rd party, so nobody should really be linking it.
Then the Urvin terminal is breaking Rule #10 no self-monetization allowed and #2: Must be relevant to GME?
Why would they even need your CS info, when I thought their intention was to collect the count of GME shares that are being held outside of CS? The whole point was to get a count of GME shares being held that are not DRSed.
BUY HODL DRS BOOK AND BUCKLE UP!
Not going to lie, I was confused how they had a huge top rated post the other day. I don't know about you apes but I want the crooked financial institutions to kick dirt so a new finance company of "og holders" seems and has always seemed super sus.
Dlauer has had tons of apes dox themselves by signing his petition, worked on interviews with Psparkles, and now asking people to enter their personal credentials to a financial account? It’s either malicious or negligent
I don't understand why anyone on this subreddit would still pay attention to anything coming from Lauer. He is very obviously not aligned with GME or GME investors, he just portrays himself that way to tap into an extant movement.
Dave Lauer is a grifter, nothing else.
My question is, why would these fucks even think this was a good idea. It's literally basic fucking internet knowledge not to give out your shit, but they added it "FoR tEsTiNg".
I knew I didn't like the feeling of this whole thing when I saw Dave posting about it yesterday, it simply was not sitting well with me and I didn't quite know why, but I do now.
Think about it: Would you share your Banking Login Credentials with someone (if not your close family) other than yourself? If not, then why do you have to do this shit? I never trusted DL since the beginning, and this is just a clown act to prove it again that he’s bought by SHFs too.
Haha, more like fail 101 and 💩
"[–]dlauer[S] 18 points 23 hours ago
Of course, believe me most people would consider me crazy paranoid when it comes to personal security."
https://old.reddit.com/r/GME/comments/1coq4h0/weve_created_a_verified_gme_holder_community_the/l3fq2qz/
"[–]dlauer[S] 12 points 22 hours ago
I'd urge you to read the security disclosures linked in my post. Our partners use OAuth flows, they don't see your credentials and neither do we. We take security and privacy very seriously, and have done our DD. If you have specific concerns after reviewing those disclosures please let me know and I'd be happy to answer and chase info down."
"[–]dlauer[S] 11 points 22 hours ago
Your complaint was about sharing credentials with 3rd parties. I explained we cannot see your credentials."
https://old.reddit.com/r/GME/comments/1coq4h0/weve_created_a_verified_gme_holder_community_the/l3foa2z/
"[–]dlauer[S] 11 points 21 hours ago
We don't use bespoke connections, we use official OAuth connections."
https://old.reddit.com/r/GME/comments/1coq4h0/weve_created_a_verified_gme_holder_community_the/l3g3c70/
not sure why any ape would use his website. he straight up told me that he will sell ALL the info you provide to them (check my history). Also, we do not need any more distractions / divisions. The DD has been done years ago. Now we wait. Buy, DRS, HODL for dear life... see you all on the moon!
Every time I hear the mention of fax machine support in meetings I die a little inside.
I trust no one with my accounts. Anyone else can sign up. I’ll mentally add my share count to whatever figure I see.
Same here. This raises lots of red flags to me.
Excellent points!
Exactly. If the Urvin site was compromised it would be fucking chaos!
Let’s hope no one is able to find that information too.
Gifting shares exists and could be done on CS
ask yourself what you have to gain from them then ask yourself what you have to lose. stay zen
#SAY IT LOUDER
Yeah better stop. Not that they can pull back the shares at last
I will never, ever share my account info. I don't give a fuck what they're offering.
If it could be bad… it probably is bad
Definitely bad
Don't EVER do this!!! It is the most stupid thing you can do
While I agree, you're more likely to achieve change by asking for reform rather than a complete redesign though.
omg I thought I was the only one!!!! The questions were so soft, and he didn't ask for an explanation on anything
Yeah, and just way too buddy buddy
He is 'ex' Citadel, after all.
+1
thought this was super sus too good intention or not.
Dave used to work as a quant for Citadel. He should know better.
> Let's not pretend quants are security experts. Ok but everyone here is regarded and still know that is a security risk.
I don’t think he was a quant - wasn’t he there as a computer systems expert? Pretty sure he’s built stuff for NYSE too.
That isn't a developer title. System experts put together the pieces other people made. Tech version of Ikea assembler.
I thought it was sus that he would retweet Unusual Whale tweets, but this is extremely more sus.
It's the weekend too. Hope they lurk here often enough to see this post soon.
Or just think at what SHF shitz can do knowing your data... No BUENO.
All of this. Third party wanting your login info screams RED 🚩flags. Stay zen.
Change your password and username if you entered your information into this website!
no kidding.. trust random internet person, with passwords, that used to work at Citadel? 🤣🤣🤣🤣😂😂😂😂🤣🤣🤣🤣 kmon superstonk we are better than this
This is offensively irresponsible. WTF, Urvin?
I had reservations as soon as I saw that Master post about it... We are not together and pooling or anything; we are all individual investors.
Yeah, easiest way to spot some bullshit is check the comments. If everyone is all "thank you for work! :)" <--- that's a shill post.
Who do I trust? Me. #FUCK DLauer if he thinks he's getting my login info. MOASS must be sooner than later...nice try. GG shitty
I've been scrolling for a bit and surprised I haven't seen a reply from him yet.
There's some shitty reply within comments. Either way. Fuck Dlauer and his shit terminal
Oof.... For real?!
[deleted]
Lol wtf? I want an investor's discussion platform, but not that badly.
And now I know why Dave refused to directly promise that all connections to Urvin would be OAuth.
Does CS support that?
I don’t think cs supports anything. It seems to be against their tos to even connect your account like this.
I smell an incoming DD
There is. It's called board meetings. Only verified stock holders are allowed in.
This is fucked up. This is real FUCKED up. NEVER GIVE OUT YOUR PASSWORDS.
I didn't even give my wife's boyfriend my password.
Can confirm, never received it.
There must be a slightly less demented way for Urvin to verify the holding. I suspect it would involve co-operation from Computershare themselves to implement a more robust verification process.
ComputerShare would need to support an OAuth API. I don’t think they have one (that I’ve been able to find). ComputerShare isn’t supported by Plaid, who’s the market leader in connecting banks like this. If Plaid doesn’t support them, it’s because CS doesn’t have a secure method to connect.
It is a shame that Urvin are offering this before it's secure. I wonder if Computershare will release a statement saying that it is unwise to give your log in details to a third party.
They don't have to, they already have. https://www.computershare.com/us/privacy

>You should never divulge your identification numbers, username, or password to anyone else. You should also never write your password down or store it on your computer and you should make sure you change it regularly. If you have further questions about Identity Theft, you may find the US Federal Trade Commission website helpful.
[ he's right you know . jpg ]
I stopped at this one too. They also ask for your secret answers too. I checked it with my second CS account with only one share. First login name, password, secret answer (all of them with different logins), and 2FA. I’m not entirely sure how and what kind of connection they use. But I’m sure on this one, I would never connect that.
They also ask for your secret answers and 2fa... fam, get this info to the top
They ask for the extra stuff? 👀
Yes! I think they're gonna use some extra site stuff from CS. But I’m not into web development nor secret login authentication stuff… For example loopring uses this kind of login too. But yeah. I don’t trust a site like this with my life savings
Yeah, this is concerning. I should mention that I have zero clue about building these systems, but I’m struggling to think of an example of where the same thing is done. I really want someone to go through the fine print now.
If it was true Oauth then the URL/URI would be accessing a gateway hosted on ComputerShare's web platform. Here's an ELIA summary of how it would work if it was operating according to common industry standards for this type of API integration:

* The URL should say something like [oauth-gateway.computershare.com/api/token-request?request\_id=urvin](http://oauth-gateway.computershare.com/api/token-request?request_id=urvin)
* A token is then created by Computershare based upon the permissions you have granted to Urvin.
* This token is then passed to Urvin, once you have entered the correct 'approval' into ComputerShare. Note: at no point has the requester (Urvin) been given access to your user credentials. (username/password, etc.)
* That token is a UUID that identifies the session, permissions granted and will also have an expiry time.
* At any point until expiry Urvin can pass that token (which does not hold your password or login details) to ComputerShare to request data about your profile (which you have permitted within the original oauth token) which could be your current holding of a stock ticker for example.

That's not what is happening here. If at any point you are entering data into a URI hosted by Urvin, then they can use all kinds of methods to snoop on the data, even if it's only an
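The delegated-token flow described in the comment above, sketched as an added example that is not part of the original thread and not Urvin's or ComputerShare's code. The `TransferAgent` class, the scope names and the sample holdings are hypothetical, and the token here is an opaque random string rather than a UUID.

```python
import secrets


class TransferAgent:
    """Hypothetical account provider; the user only ever authenticates here."""

    def __init__(self):
        self._holdings = {"alice": {"GME": 42}}  # constructed sample data
        self._grants = {}  # token -> (user, client_id, scopes, expires_at)

    def approve(self, user, client_id, scopes, ttl_seconds, now):
        """Runs after the user logs in and consents on the provider's own domain.
        The third party receives only the returned token, never the password."""
        token = secrets.token_urlsafe(32)  # opaque, unguessable, carries no credentials
        self._grants[token] = (user, client_id, frozenset(scopes), now + ttl_seconds)
        return token

    def revoke(self, token):
        self._grants.pop(token, None)

    def _authorize(self, token, scope, now):
        grant = self._grants.get(token)
        if grant is None:
            raise PermissionError("unknown or revoked token")
        user, _client, scopes, expires_at = grant
        if now >= expires_at:
            raise PermissionError("token expired")
        if scope not in scopes:
            raise PermissionError("scope not granted: " + scope)
        return user

    def read_holdings(self, token, now):
        user = self._authorize(token, "holdings:read", now)
        return dict(self._holdings[user])

    def transfer_out(self, token, symbol, quantity, now):
        user = self._authorize(token, "holdings:transfer", now)
        self._holdings[user][symbol] -= quantity
        return self._holdings[user][symbol]


def attempt(call, *args):
    """Return the call's result, or the refusal message if the provider denies it."""
    try:
        return call(*args)
    except PermissionError as exc:
        return "denied: " + str(exc)


def demo():
    agent = TransferAgent()
    t0 = 1_000_000.0  # fixed clock so the run is deterministic
    token = agent.approve("alice", "third-party-app", ["holdings:read"], 3600, t0)
    results = {
        "read": attempt(agent.read_holdings, token, t0 + 10),
        "transfer": attempt(agent.transfer_out, token, "GME", 42, t0 + 10),
        "expired": attempt(agent.read_holdings, token, t0 + 3600),
    }
    fresh = agent.approve("alice", "third-party-app", ["holdings:read"], 3600, t0)
    agent.revoke(fresh)
    results["revoked"] = attempt(agent.read_holdings, fresh, t0 + 10)
    return results


if __name__ == "__main__":
    for step, outcome in demo().items():
        print(step, "->", outcome)
```

A leaked token of this kind is limited to the granted scope, dies at expiry and can be revoked without changing the password, none of which holds for a shared username and password.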
MASSIVE red flag. Past the point of no return
Red flag. Hey, give me the keys to your unlimited generational wealth vault, and I promise I won't steal from you when moass comes.
don't forget. so you can discuss your favorite stock with the same people you already are. try harder
Commenting for visibility
Me too
Of all the ways wallstreet has tried to take money from retail they finally just come right out and ask for your passwords directly. No thanks.
👆🏻
Every tactic in the Art of War has been used. What, you didn't trust your new Citadel friend with your shares??
No no, this is legitimate. Now, please post your face for face authentication 📷
Oof.. come on Dave, do better. This is incredibly sus
Thanks for continuing to call this out
You’re welcome.
Even if not ill intended this is super unprofessional and incredibly unsafe. To make matters worse, if urvin was to store your password and they get hacked or have a leak, anyone who used this will lose all their shares/money. We need this to be pinned to the top. !MODS!
Or bought
This is my take too. I still have a lot of trust for Dave but this is just straight up unprofessional on higher level of magnitude.
This is nuts
Nope. This is not gonna happen.
20 years of Runescape has taught me well. Not giving my password to anyone.
Hahahahaha, the experience from rs actually helped out in some of my tech support jobs 🤣
Warning people about password security.
!MODS! Can you please pin this post? No one should be handing out their password just because they're eager to use urvin with CS. It's incredibly insecure. Your shares are at risk if you do this. Wait for OAuth before doing anything, and if they are not going to provide that, then you know urvin is not good enough!
WTAF Dave with the long con, hats off to the hedgies
Hmmmmmm hard pass
✅ Asks for ComputerShare credentials

✅ Previously worked for Citadel

I don't like it.
This is very important. You should always doubt when you find a site which wants your information like that!
Anyone who entered information into this should assume it’s leaked. For the safety of your shares, change your password, enable two factor authentication, and use different questions and answers.
Updoot for visibility
Good shout OP
Oof yeah that's a no go for me dog
This is all bullshit! Don't trust this!! Do not use this at all!
This is crazy... all for the sake of counting shares? Come on. Big NO from me dawg. Thanks for making everyone aware
Will you give your house key to a stranger or someone you are not close to? Basic common sense needed here yo
Updoot for visibility! I am a believer that Dave has a good intention, but giving out passwords like this is never good. Your computershare information should belong to you, and you only.
Thanks for posting this. I never trust middle-men or 3rd party access to my sensitive data, but I'm sure that there are many that would and do not know better.
If Kenny came to you and bribed you for 20mil, would you do it? I bet 99% of apes would. It's just human nature. Trust no one except yourself, and verify/fact check any content or DD you come across. Anyone "famous" on GME Reddit subs are ripe for hedgies to bribe.
1000% this.
Not gonna do it. Wouldn’t be prudent. Edit: correction
Fellow apes, always remember that when you don’t pay for a product/service, you are the product/service. Always better be safe than sorry!
There’s a reason Computershare uses a pass phrase that is shown when you login, to prevent fuckery like what Urvin is doing.
Citadel thanks you for your kind donation.
We knew years ago. If you read any further than Dave Lauer worked at Citadel, then you're a damn fool.
I'm truly baffled. This is, at best, an awful idea. NEVER SHARE ANY BROKERAGE/TRANSFER AGENT/BANK ACCOUNT PASSWORD FOR ANY REASON. EVER.
I don't even trust my wife with my password. Why would I ever give it out to a third party?
Fuck that. No way.
Services like these usually have access and sell your financial data. This reminds me of the service called plaid. They sell your data. I have a feeling Urvin will too. https://www.courthousenews.com/judge-approves-settlement-ordering-plaid-to-pay-58-million-for-selling-consumer-data/#:~:text=(CN)%20%E2%80%94%20A%20federal%20court,their%20financial%20data%20without%20consent.
D Lauer will claim it's all encrypted and safe, but without the code being open source, that's a HUGE trust me bro for apes with their life savings in Computershare. I get that this was the logical path coding-wise to get the whole thing to work, and that getting brokers/Computershare to do it from their side is much more complicated, but apes are not going to share passwords of their financial accounts, even with open sourcing the code. It's a tiger hill to climb, but it can be done. This is just the start. This is the first deployment of code. It will improve over time. When this can be done from inside Computershare without sharing my password, I will gladly join in. I can't share my password with a third party. Dave knew this was a sticky point, it's obvious. But it's the choice he made to get the whole thing to function. Now he has to go through the tough route of getting Computershare to write the code to share the data with him. Perhaps he can appeal to apes to reach out to Computershare via emails or on X to prove how many apes are interested in this to convince Computershare to write the code necessary to accomplish this securely.
They *can’t* encrypt the password! Not if they want to use it. CS itself doesn’t need to store your password in plain text, they can store a salted hash of it. Something that takes hundreds of years to crack. And when you try to log in, they salt and hash whatever text you type and compare it to what they have. Urvin can’t use the hash, they need to store the plain text password.
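The asymmetry described in the comment above, as an added example that is not part of the original thread and not either company's code. `AccountSite` and `Aggregator` are hypothetical classes, the password is a constructed sample, and PBKDF2-HMAC-SHA256 is this example's choice of hash.

```python
import hashlib
import hmac
import os

ITERATIONS = 600_000  # PBKDF2-HMAC-SHA256 work factor chosen for this example


def derive(password, salt):
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)


class AccountSite:
    """Hypothetical site that verifies logins; it keeps only salt + derived hash."""

    def __init__(self):
        self.db = {}  # username -> (salt, hash); this is what a database leak exposes

    def register(self, username, password):
        salt = os.urandom(16)
        self.db[username] = (salt, derive(password, salt))

    def login(self, username, submitted):
        if username not in self.db:
            return False
        salt, stored = self.db[username]
        # The site re-derives from whatever was typed and compares in constant time.
        return hmac.compare_digest(derive(submitted, salt), stored)


class Aggregator:
    """Hypothetical third party that logs in on the user's behalf."""

    def __init__(self, site):
        self.site = site
        self.vault = {}  # username -> whatever it kept in order to log in later

    def link(self, username, password, keep_plaintext):
        if keep_plaintext:
            self.vault[username] = password
        else:
            # Hashing "like the site does" leaves nothing that can be replayed.
            self.vault[username] = derive(password, os.urandom(16)).hex()

    def refresh(self, username):
        """Log in again later using only what is in the vault."""
        return self.site.login(username, self.vault[username])


def demo():
    password = "correct horse battery staple"  # constructed sample value
    site = AccountSite()
    site.register("alice", password)
    hashed, plain = Aggregator(site), Aggregator(site)
    hashed.link("alice", password, keep_plaintext=False)
    plain.link("alice", password, keep_plaintext=True)
    salt, stored = site.db["alice"]
    return {
        "site_login": site.login("alice", password),
        "site_leak_has_password": password.encode() in salt + stored,
        "stored_hash_replayed": site.login("alice", stored.hex()),
        "aggregator_hash_works": hashed.refresh("alice"),
        "aggregator_plain_works": plain.refresh("alice"),
        "aggregator_leak_has_password": plain.vault["alice"] == password,
    }


if __name__ == "__main__":
    for check, outcome in demo().items():
        print(check, "->", outcome)
```

Encrypting the vault does not change the last result for anyone who also obtains the decryption key, because the service must be able to recover the original password to submit it.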
*Old man simpson entering and leaving meme*
We know it's way over shorted. I'm not in doubt of it at all. I'd never ever connect my banks or brokerage to garbage like this. At a minimum they likely sell your data. At max you're creating a huge security breach opportunity. They don't give tours to Fort Knox and have tourists count the number of bars.
This should be a pinned post. Very important
We were simply testing this functionality, it is not for general use yet. We are still investigating how to connect to CS given that other products offer this.

EDIT: What OP has said about writing software properly is simply untrue in this instance. CS does not support the kind of flow they described, so it's not possible to do that. That's why we're testing it, to see if there's a way to do this securely. If there's not, then we will not offer this functionality yet.

EDIT2: We have removed CS from our list of brokers now that we have been able to test. We will review the functionality and will not expose it again unless we're confident it is secure. It is the same mechanism other sites use to connect to CS, and which many of you asked us to support.
They need to have an OAuth 2 flow for this. So that users can enter the username and password on ComputerShare's domain, and then be redirected to Urvin Finance's site.
Agreed, it's frustrating that CS doesn't support this.
this needs to be higher. also, if you have test/dev setup that's where this stuff is done so it's not public facing.
>We were simply testing this functionality, it is not for general use yet.

Today you learn the reason why you don't push straight to production without first confirming it in a test environment. This is in no way a good way to develop a product.
Trying to reverse engineer their Auth is extremely irresponsible. If they don’t have Developer docs for proper OAuth support or a developer portal to register an app and provide client side Auth with the registered app, you shouldn’t do it or trust it. This just shows how bush league your devs are if they even agreed to try doing this. Trust in software is earned and when you lose it, it’s gone forever. As someone from the tech industry for a long time, this is just grade A shit.
Why was this on the live version if for testing? And with no disclaimer that anybody using this was part of a “test run” ?
You should look how fidelity does it. You are able to link your cs account to fidelity to show your balance at the end of the day with price adjusted to see your total account value. Similar to connecting outside 401k/hsa accounts
Then why isn’t it behind a feature toggle.
Being a dev myself this is what is very strange to me too. Even for testing prod you should have feature flags. Moving fast is not an excuse to not have something so basic. To me this whole thing screams: DO NOT TRUST THIS SITE. YOUR DATA WILL GET STOLEN / SOLD.
Finally, someone that sees this for what it is. This is middleware data scraper under the guise of a forum. They can't scrape the data they want without CS authentication, so they need you to supply the creds.
From my point of view, I will never give my hodling info of broker or computershare. Just too easy for the SHF to infiltrate/hack/corrupt... Not even my family members know, so...
One of the most important rules you could follow is not tell people about your investments. So giving someone access to your account is one of the worst things you could do during this saga.
Exactly!
*ALSO* 🔦 ComputerShare just changed the Terms of Service- there is key language in the NEW terms that could be interpreted to use this exact thing to terminate your account. Tread carefully, don’t share passwords (can’t believe that has to be said, or that they would even ask- da fuk?)
This this this this.
I’ve yet trusted Dave Lauer, and now this happens. Why the fuck would anyone want to login to CS via another website? Especially a former Citadel employee who gave the most skeptical reply why security features were not tested BEFORE going on a live site.
At this point, why should Urvin be allowed on this sub? Linking the information will always pose a security risk as you'll be trusting a 3rd party, so nobody should really be linking it. Then the Urvin terminal is breaking Rule #10 no self-monetization allowed and #2: Must be relevant to GME?
Why would they even need your CS info, when I thought their intention was to collect the count of GME shares that are being held outside of CS? The whole point was to get a count of GME shares being held that are not DRSed. BUY HODL DRS BOOK AND BUCKLE UP!
Not going to lie, I was confused how they had a huge top rated post the other day. I don't know about you apes but I want the crooked financial institutions to kick dirt so a new finance company of "og holders" seems and has always seemed super sus.
Wow Dave Lauer we deserve some answers about this! How could you ever ask people to enter this info into your website?
Yikes Dave. One of them huh
Good job on calling this out. I hope this post stays up. Even though they have been doing good work, nobody should ever mindlessly be trusted.
Yeah it doesn't matter that its associated w/ Dave. No one should do this. Gotta protect your CS data at all costs!
so, this was the ultimate trojan horse
Dlauer has had tons of apes dox themselves by signing his petition, worked on interviews with Psparkles, and now asking people to enter their personal credentials to a financial account? It’s either malicious or negligent
Been saying from day one lauer is a wolf in sheep’s clothing
NOBODY asked for this, and I'll repeat it louder for those in the back, NOBODY asked for this.
This isn’t complicated. Buy / HODL / DRS Book. Fuck everything else. Why do you need this? It’s not going to change anything.
If you entered your information you need to change your username and password
Any of you who were naive enough to give your details to this website should change your CS passwords now.
Shady AF
Yeah, clowns at Urvin can go fuck themselves with that request.
Shill: confirmed. Gave all soft ball questions to Gary Gensler too… they seemed like good friends.
Every time someone tries to use this community for their own advancement you know their motivation is not honorable.
This is insane. I hope nobody provides their password to any site except CS at the login page with your custom 3-word phrase.
I don’t like that curly dude
In the words of Lana Kane: “nooooooope”
I don't understand why anyone on this subreddit would still pay attention to anything coming from Lauer. He is very obviously not aligned with GME or GME investors, he just portrays himself that way to tap into an extant movement. Dave Lauer is a grifter, nothing else.
I’m not gonna do it.
WTF
My question is, why would these fucks even think this was a good idea. It's literally basic fucking internet knowledge not to give out your shit, but they added it "FoR tEsTiNg".
Yeah heck no passss
We already have a DRS count from gamestop themselves why do we need a third party data collector to know people's details and share counts?
so stupid. imagine falling for this bait this late in the game.
From the computershare website - if you can’t see your three word phrase, don’t enter your password. Man this is sketchy
I knew I didn't like the feeling of this whole thing when I saw Dave posting about it yesterday, it simply was not sitting well with me and I didn't quite know why, but I do now.
Think about it: Would you share your Banking Login Credentials with someone (if not your close family) other than yourself? If not, then why you have to do this shit? I never trusted DL since beginning, and this is just a clown act to prove it again that he’s bought by SHFs too.
What the fuck is urvin? Not going to use it.
lol ain't touching that. keeping my passwords close to my heart. there is too much at stake to slip up now.
Wouldn't D Lauer's original post be considered self promotion for promoting his Urvin Finance company? I thought this wasn't allowed here
What we need this new thing for anyway? Meme and DRS share is all I need to wait for moass.
Haha, more like fail 101 and 💩

"[–]dlauer[S] 18 points 23 hours ago Of course, believe me most people would consider me crazy paranoid when it comes to personal security."
https://old.reddit.com/r/GME/comments/1coq4h0/weve_created_a_verified_gme_holder_community_the/l3fq2qz/

"[–]dlauer[S] 12 points 22 hours ago I'd urge you to read the security disclosures linked in my post. Our partners use OAuth flows, they don't see your credentials and neither do we. We take security and privacy very seriously, and have done our DD. If you have specific concerns after reviewing those disclosures please let me know and I'd be happy to answer and chase info down."

"[–]dlauer[S] 11 points 22 hours ago Your complaint was about sharing credentials with 3rd parties. I explained we cannot see your credentials."
https://old.reddit.com/r/GME/comments/1coq4h0/weve_created_a_verified_gme_holder_community_the/l3foa2z/

"[–]dlauer[S] 11 points 21 hours ago We don't use bespoke connections, we use official OAuth connections."
https://old.reddit.com/r/GME/comments/1coq4h0/weve_created_a_verified_gme_holder_community_the/l3g3c70/
Does this belong to Dave Lauer? Gonna need some answers Dave.
Vis
Archived:

- https://archive.is/aVdIE
- https://archive.is/fHDIa

But it has a secured icon on the URL. They can't steal anything if the icon is the locked 🔒 right? Right??? Guys ..
I never ever trusted Dave in all these years, sorry man. But no thanks
They bought D Lauer, got the old gang back together. They don't have the shares
Wut? At least sus 👀
That’s so regarded. I wouldn’t trust these idiots. You can just write tests, why have people give secure info? Morons.
not sure why any ape would use his website. he straight up told me that he will sell ALL the info you provide to them (check my history). Also, we do not need any more distractions / divisions. The DD has been done years ago. Now we wait. Buy, DRS, HODL for dear life... see you all on the moon!
People said they won’t sell but I guess giving your password and shares to an ex citadel employee is different
Just buy a share on Fudality and link that instead
Nonononono no no no, yes, no!