Testing Sharesies’ security – Is your account vulnerable?

A recent post on Reddit raised some concerns over the security of the Sharesies platform. The post’s key concern was that your Sharesies account is vulnerable because the platform lacks two-factor authentication (2FA), and that an attacker who had gotten hold of your email and password would be able to change your account’s email, phone, and ultimately withdraw money from the account without your knowledge.

This isn’t the type of content I usually post, and I am certainly no cybersecurity expert. But I thought this would be worth looking into – Security is a critical consideration when it comes to your finances. So are these claims of your Sharesies account being vulnerable true? I put them to the test below.

Update (6 July 2021) – Sharesies has now committed to implementing 2FA on their platform

1. Background

Typically any online accounts you use are secured by an email/username and password. You need these details to log in to your online accounts.

InvestNow login screen requiring email and password

An attacker could get access to your account by obtaining your email and password details. This could potentially be obtained by:

  • Phishing – Tricking you into handing over your email and password, for example, through a fake login page.
  • Using a Keylogger – A piece of software or hardware that’s maliciously installed to monitor the keystrokes you make on your device and extract the passwords you use.
  • Through a data breach – An online service you used could be hacked, and your credentials leaked.

This is where two-factor authentication (2FA) can come in handy. 2FA requires you to go through an additional form of verification (independent of your password) when logging in or performing a certain action (like withdrawing money from your account).

InvestNow requires an additional passcode to log in

Common methods of 2FA are:

  • Email or SMS – getting an email or text message which contains a passcode.
  • Authenticator app – an app usually installed on your smartphone that generates a passcode which changes every 60 seconds. This method should be more secure than email or SMS as it requires an attacker to have your physical device to get this passcode.

2FA provides you with an extra layer of security, as an attacker with your password would still need access to your email, SMS, or smartphone in order to access your account. Here’s the benefit of InvestNow’s use of 2FA:

Investnow requires 2FA just to log in, and it won’t even let me change my email/bank account without contacting them personally. It’s a gigantic pain in the ass but at least I know it would be basically impossible for anyone to access my account (let alone change any info) without access to my phone.

Reddit commentor

Unfortunately the Sharesies platform does not have 2FA. Does this make your account vulnerable? Let’s test a few things to find out…

2. Testing the Sharesies platform

For this experiment I borrowed my partner’s Sharesies account, and for various functions on the platform I tested to see whether:

  • It was possible to complete each action
  • If successful, whether the account holder (my partner) got an email/text notification, alerting her to the fact I’ve done something on her account

Trying to log in

Just like InvestNow, the Sharesies login screen requires you to enter your email and password:

I know my partner’s email, but not her password. I could guess her password based on things I know about her (e.g. the password could be based on her birthday, or my name, or some other personal detail), so this demonstrates the need for strong, unique passwords. Fortunately for her it seems her password is a solid one, and I’m unable to guess successfully:

After way too many guesses (about 20), the account finally got locked:

Now I’m stuck. The “forgot password” function is useless to me as the reset email goes to my partner’s email (and I don’t have access to this email):

I can’t go any further, so her investments are safe. For now…

Using compromised credentials

What if we assume that my partner’s Sharesies email and password had been compromised (e.g. through a phishing attack)? Fortunately my partner has kindly let me borrow her Sharesies account credentials, so i won’t have to hack anyone to get this test underway. How far can I go in this scenario?

With her email and password, I can now log in and see all of my partner’s Sharesies account details (unlike InvestNow, there was no 2FA when logging in). This includes her investment portfolio, address, phone number, email, IRD number, and bank account number:

My partner did not receive a notification to let her know that someone had logged in to her account.

Buying and selling investments

I noticed there is a credit/debit card linked to my partner’s Sharesies account (but no bank account):

I can use the linked card to top up her Sharesies account, taking away money from her credit card or bank account the debit card is linked to. Here I successfully topped up $10 from the linked card:

I could then use this $10 to buy some investments. I could also sell any existing investments. Here I put in a sell order for a few FNZ shares:

My partner did not receive a notification to let her know that her account had been topped up with her linked card, or to notify her of the investment transaction I’ve made.

Changing details

Changing the email and phone number of a Sharesies account is incredibly easy.

There was no email or SMS to my newly updated email and phone number asking me to confirm that the new email/phone was actually valid. This is bad – a person genuinely trying to change their email could mistype their new email (e.g. instead of typing “daniel@gmail.com”, they type “dan@gmail.com”), leading to the owner of the mistyped email address (dan@gmail.com) being able to reset the password and access that person’s Sharesies account.

At this point, Sharesies finally sends out an email to my partner notifying her that her email/phone number has changed. But by the time she gets this notification, it’s too late to do anything about it – my partner can no longer access her account, given I’ve changed her email to a different one, and she can no longer use her original email to log in. There is no way for my partner to call Sharesies to get help. She can only email them and wait for a response.

Finally, I tried changing the account’s password. This was easy to change too, with no verification checks needed, and no follow up with a notification to inform that the password has been changed. Although I liked that Sharesies doesn’t allow you to use a weak password.

Getting money out of Sharesies

One way an attacker could attempt to get money out of your account is to add their own CSN to your Sharesies account, then by transferring out any NZX shares to that CSN.

Thankfully adding a CSN to your Sharesies account goes through a verification process to ensure that the CSN belongs you. It seems that this part of Sharesies is secure.

The other way to get money out of Sharesies is to withdraw the money to a NZ bank account. First I added my own bank account to my partner’s Sharesies account:

I then made a withdrawal request of $10:

Nothing happened for the day until 6:38pm when my partner got a text message asking for her approval to complete the withdrawal. This text was sent to her phone (the original phone number on the Sharesies account), even though I had updated the account’s phone number to my phone! It seems my attempted withdrawal has failed!

3. Summary of the results

Now that I’ve completed my testing, let’s have a look at the results.

Without password

Your account is secure as long as your password is kept safe:

TestResult
Logging inSecure, but number of attempts before the account is locked could be reduced.
Viewing your informationSecure. Not possible to access without password.
Topping up with a cardSecure. Not possible to access without password.
Placing an orderSecure. Not possible to access without password.
Updating emailSecure. Not possible to access without password.
Updating phone numberSecure. Not possible to access without password.
Changing passwordSecure. Not possible to access without password.
Adding CSNSecure. Not possible to access without password.
Withdrawing moneySecure. Not possible to access without password.

Compromised password

If your password is compromised, there’s a lot an attacker could do on your account:

TestResult
Logging inNot secure. No 2FA or other verification.
Viewing your informationNot secure. No 2FA or other verification.
Topping up with a cardNot secure. No 2FA or other verification.
Placing an orderNot secure. No 2FA or other verification.
Updating emailNot secure. No 2FA or other verification.
Updating phone numberNot secure. No 2FA or other verification.
Changing passwordNot secure. No 2FA or other verification.
Adding CSNSecure. Verification required to add CSN.
Withdrawing moneySecure. Verification required to complete withdrawal.

Are the results good or bad?

The positives

Your Sharesies account is secured by your password. Without your credentials, an attacker is unable to access or do anything with your Sharesies account. Following good password management practices (such as using strong, unique passwords, and changing your password regularly) would improve the security of your account.

Regarding withdrawals, it seems they are secure with my attempt being flagged as potentially dodgy. It was reassuring that my partner got a text (even though I’d removed her phone number from the account) asking her to confirm the withdrawal. Here’s what Sharesies says about their withdrawal process:

The Sharesies withdrawal process is extensive and involves a human component to operate. It’s also routinely audited by KPMG to ensure it is functioning and covering the appropriate risks.

All withdrawal requests are reviewed by one of our Operations team members, and we have manual and automated processes for identifying suspicious withdrawals. For any withdrawal over a certain amount the customer is contacted to confirm they want it to go ahead, and then the withdrawals are submitted to our bank. If a new bank account is added, we also ask for proof that this account is in the same name of the Sharesies account holder. This again has a human in the loop for security.

Sharesies via Reddit comment

The negatives

The problem is that it’s unreasonable to assume that your password is 100% safe. You could fall victim to a phishing attack, keylogger, or data breach that exposes your credentials. And if someone does get hold of your password, thanks to the lack of 2FA the consequences could be pretty bad. An attacker could:

  • See your personal information – including investments, address, bank account details. They could use these details to conduct further attacks or scams on you.
  • Top up your account using your credit/debit card – affecting your other financial accounts outside of Sharesies. I’m guessing this malicious transaction could be reversed by your bank, but this could still leave you short of money to buy groceries or pay rent while you’re waiting for the money to be refunded to you.
  • Lock you out of your Sharesies account – with no way to get back in apart from waiting for a response from email support.
  • Conduct investment transactions on your behalf – they could liquidate all your holdings, resulting in undesirable brokerage charges, causing you to realise losses, or potentially make you liable for taxes.

All of this could happen without you knowing, until the next time you try to access your Sharesies account.

There are a couple of smaller issues such as the lack of verification of emails or phone numbers that you add to your Sharesies account, and allowing too many attempted logins before an account gets locked.

4. An ideal design

While the vulnerabilities of Sharesies are not critical, there is room for improvement. Sharesies is dealing with potentially sensitive customer information, therefore security of the platform needs to be a priority. The implementation of two-factor authentication would be an ideal next step:

2FA should be compulsory on Sharesies when:

  • Logging in with a device which you’ve never used with Sharesies before
  • Changing your password
  • Adding or changing a bank account
  • Adding your CSN
  • Transferring your shares out to your CSN
  • Making a withdrawal
  • Changing your 2FA method (e.g. from text to email)

These actions should be followed by an email or text notification to let you know that one of these has been performed.

2FA should also be compulsory when:

  • Changing your email
  • Changing your phone number

Any changes to these should have to be verified (e.g. with a verification email to the new email address) before they take effect. These actions should also be followed by an email or text notification to your original email or phone number, so that any fraudulent or incorrect changes can be quickly identified and reversed.

In addition, users should be able to opt-in to requiring 2FA when:

  • Logging in to your account
  • Placing buy orders
  • Placing sell orders
  • Topping up with a credit card

Unfortunately all of this comes at a cost of making Sharesies less user friendly. It adds more steps to whatever you’re doing, and adds complexity to the platform. But I think it’s a necessary cost to keep their customers’ accounts secure, and for additional peace of mind.

Here is Sharesies’ initial response to the topic (on 5 July 2021):

We know there’s been a bit of chat online lately about 2FA (two-factor authentication) and security at Sharesies—we wanted to address these issues and share some more info about how we keep you and your money safe.

Currently, we don’t offer 2FA, but we know that investors would like to see this, and we’re exploring ways that we can implement 2FA on Sharesies in the future.

We have many layers of security measures in place to protect investments and identify fraudulent activity on the platform—this includes additional verification checks when money is withdrawn.

We also do our own assurance testing and are constantly reevaluating how we can look for more ways to improve our platform and continue to keep our investors safe. As part of this, we go through regular security testing by reputable, independent security partners, and fix issues that come out of this.

We’re confident in the security of our platform and the processes in place to protect you and your money. 

Sharesies via Sharesies’ Share Club NZ Facebook Group

It seemed that Sharesies were dragging their heels on implementing 2FA given their confidence in the security measures already in place on their platform. However the next day (6 July 2021), they followed up with a response committing to adding 2FA to their platform:

Opt-in 2FA is coming

Thanks heaps to everyone who shared their feedback with us about 2FA (two-factor authentication) and security at Sharesies. We’ve heard your feedback, and we’ll be launching 2FA on Sharesies in the coming weeks.

Our opt-in 2FA will be supported by a wide range of authenticators, including Google Authenticator and Duo. We’ll be sharing more info about how 2FA works on Sharesies when we launch.

Sharesies via Sharesies’ Share Club NZ Facebook Group

That was quick! A good outcome for their customers.

Conclusion

It can be argued that your Sharesies account is safe, even without 2FA. As long as your password is safe, it’s not possible for an attacker to get into your account to view your information and steal your money. And to better protect your account, you can use good password management practices, such as using strong and unique passwords.

On the other hand, it can be argued that passwords alone aren’t enough protection, especially for accounts containing potentially sensitive information such as Sharesies. If you don’t use 2FA, your account is unprotected in the event that your password is compromised. Thankfully appears to be good processes around verifying withdrawals, but someone could still wreak havoc by viewing your information or selling off your investments.

The good news is that all the online discussion and customer pressure has worked, and that Sharesies have committed to bringing 2FA to their platform. So remember to opt-in once the functionality goes live!

Keen to start building your investment portfolio with SharesiesSign up with this link, and you’ll get a bonus $5 in your account to invest!

Found this article helpful? Let’s be friends on Facebook, Twitter, or via email so you can keep up with the latest news and posts!


More articles



Disclaimer

The content of this article is based on my personal opinion and should not be considered financial advice. The information should never be used without first assessing your own personal and financial situation, and conducting your own research. You may wish to consult with an authorised financial adviser before making any investment decisions.