California grant program is security nightmare

Government’s inability to protect citizen data resulted in at least $36 billion in cyber fraud this year. California may be about to add to that total, and to set up small businesses to be hit hard by hackers. But there are tactics the businesses could take to plug many of the holes.

Launched on December 30 in the midst of one of the biggest data breaches in history, the California Relief Grant Program depends on two third-party financial institutions to securely administer applications and transfer funds directly to small businesses’ bank accounts.

In the process, applicants must give up not just sensitive personal information but also the user names and passwords to their bank accounts.

Multiple security experts confirmed that while the first part is unavoidable, the last part, handing over login credentials, is a very bad idea.

“You never, ever, ever give your login credentials to anybody, even if the bank asks for them,” said Matthew Rosenquist, CISO for ecilpz.io. “There is no legitimate reason for organizations to ask that.”

And yet, it is becoming a common practice among virtual banking services. Venmo, the popular peer-to-peer payment app, was hacked multiple times in 2020, most notably in attacks on professional gamblers, with hackers stealing hundreds of thousands of dollars. Venmo, along with Robinhood, Coinbase, Betterment, and Acorns, all use Plaid to link and verify users’ bank accounts.

“Plaid has quietly created a really big infrastructure without the consumer even knowing that they are powering it,” said Christopher Dawe, co-head of private investment at Goldman Sachs in a 2018 interview with CNBC.

Plaid is at the center of the California grant application process, working through the primary contractor Lendistry, which requires even more sensitive information. As of this report, Lendistry has not been forthcoming about how it secures that information, nor explained why that information, once confirmed as uploaded, tends to disappear from the application, requiring applicants to refile the application and documentation. When asked for an explanation from internal staff, Lendistry’s CEO said only, “Let me know how it goes with Plaid. I think that is best.”

From the beginning of the program there have been multiple system-level failures: Lendistry seemed unable to handle the volume of applicants, and sensitive financial information uploaded to the site has disappeared. Applicants have been required to re-apply up to four times, uploading their private information again each time.

The state has been no more forthcoming with information about the failures, but in a news release in early January it said, “The program, which officially opened December 30, experienced high traffic – receiving thousands of completed applications. However, due to the high traffic, some businesses may have had trouble accessing the application. Adjustments to the program’s website have been made, and the application period has been extended to ensure that all interested applicants have the opportunity to apply.”

Even so, small business owners in Reddit threads complained that there seemed to be no improvement. The deadline for the first round of grants has passed, and emails went out the week of January 25 confirming that applicants have been placed on a waitlist for the second round.

Plaid has been much more responsive and provided interviews with Shano Fonseca, head of risk, Kyle Berry, head of security, and Freya Petersen, head of marketing. The full interview is available at the Crucial Tech podcast.

Petersen explained that the company engages with partners on two levels. For large financial institutions like Chase and Wells Fargo, Plaid works with the institutions’ internal security teams to integrate its product. For small institutions, like local credit unions with limited resources, it provides Plaid Exchange. In the latter case, the institution’s security team is not necessarily brought into the discussion, and Plaid becomes a de facto security department for the bank.

This was the case with Technology Credit Union (Tech CU) in San Jose, California. While Plaid acknowledged that the credit union was a customer, interviews with Tech CU’s security team showed they had no knowledge of the relationship, and they reiterated the “rule” that credit union members should never give out their login credentials. They also did not know of Lendistry’s role in the California grant program, possibly because Lendistry is a competitor to banks.

This lack of coordination with the security teams at some institutions can negate Plaid’s ability to link to bank accounts, because those institutions have additional layers of security. For example, part of the login process for small-business members of Tech CU is sending a one-time PIN to the member to validate the login. Simply handing the login information to Plaid does not bypass that requirement, so no link to the bank account can be made. That defeats Lendistry’s ability to deposit the state’s grant money but keeps the account safe. Plaid was unaware of this extra layer of security, and Petersen said she would be looking into it.

Rosenquist suggested that a way around this is to set up a separate personal account, one without the business account’s extra security layer, used only for the grant money. That way, if the account is hacked, the only money exposed is the grant money, and that would be insured by the bank.

“If you need to set up this type of relationship where they’re going to give you money once a month, or once a year, and you want that in place, great, open up a separate account,” he explained. “But you need to have a separate login, which may mean, you know, unfortunately, you may have to go to a different bank. When you get the deposit in, you should be transferring it over to an account that you exclusively control. That way you mitigate this backward system. I would also provide feedback to whoever you’re giving it to saying that, ‘Yes, this is absolutely a backward system. This is insecure. This is not following industry best practices. This is not in the best interest of your customers, myself included. I would like to see this changed.’”
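The two login flows described above, the one-time code that Tech CU sends its business members and the personal account without that layer that Rosenquist proposes as a workaround, can be modelled in a few lines. What follows is an added example written for this article, not code from Plaid, Lendistry, Tech CU or any other party named here. The bank, account names, passwords and balances are constructed, and the out-of-band code channel (SMS or email in real life) is simulated by a dictionary that only the “member” reads; the aggregator, holding just the user name and password, has no access to it.

```python
"""Toy model of credential hand-off against an OTP-gated bank login.

Constructed example: the bank, accounts and credentials below are invented.
"""
import hashlib
import hmac
import secrets


class ToyBank:
    """Minimal bank login service. Not any real institution's code."""

    def __init__(self):
        self._accounts = {}        # login -> account record
        self._sessions = {}        # session token -> login
        # Simulated out-of-band channel. Only the member's device reads it;
        # a third party that was handed the password never sees these codes.
        self._delivered_codes = {}

    @staticmethod
    def _hash(password, salt):
        return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

    def open_account(self, login, password, otp_required, balance=0):
        salt = secrets.token_bytes(16)
        self._accounts[login] = {
            "salt": salt,
            "pw_hash": self._hash(password, salt),
            "otp_required": otp_required,   # True for the business account
            "pending_otp": None,
            "balance": balance,
        }

    def login(self, login, password, otp=None):
        """Return (status, session); status is 'ok', 'otp_required' or 'denied'."""
        acct = self._accounts.get(login)
        if acct is None:
            return "denied", None
        if not hmac.compare_digest(self._hash(password, acct["salt"]), acct["pw_hash"]):
            return "denied", None
        if acct["otp_required"]:
            if otp is None:
                # Password alone is not enough: issue a fresh code out of band.
                code = f"{secrets.randbelow(1_000_000):06d}"
                acct["pending_otp"] = code
                self._delivered_codes[login] = code
                return "otp_required", None
            expected = acct["pending_otp"]
            acct["pending_otp"] = None          # single use: no replay
            if expected is None or not hmac.compare_digest(otp, expected):
                return "denied", None
        token = secrets.token_hex(16)
        self._sessions[token] = login
        return "ok", token

    def read_delivered_code(self, login):
        """What the member sees on their phone; each code is shown once."""
        return self._delivered_codes.pop(login, None)

    def balance(self, session):
        return self._accounts[self._sessions[session]]["balance"]


def aggregator_link(bank, login, password):
    """A third party holding the member's credentials but not their phone.
    All it can do is present the password again; it cannot answer the code."""
    for _ in range(2):
        status, session = bank.login(login, password)
        if status == "ok":
            return session
    return None


def member_login(bank, login, password):
    """The member, who does receive the one-time code, completes the login."""
    status, session = bank.login(login, password)
    if status == "otp_required":
        code = bank.read_delivered_code(login)
        status, session = bank.login(login, password, otp=code)
    return session if status == "ok" else None


def demo():
    """Which parties can get in, per account type (constructed accounts)."""
    bank = ToyBank()
    bank.open_account("smb-business", "hunter2", otp_required=True, balance=25_000)
    bank.open_account("grant-only", "hunter3", otp_required=False, balance=0)
    return {
        "aggregator_business": aggregator_link(bank, "smb-business", "hunter2") is not None,
        "member_business": member_login(bank, "smb-business", "hunter2") is not None,
        "aggregator_grant_only": aggregator_link(bank, "grant-only", "hunter3") is not None,
    }


if __name__ == "__main__":
    print(demo())
```

Run as-is, `demo()` shows the aggregator locked out of the OTP-gated business account while the member gets in, and the same aggregator walking straight into the account that lacks the code step. That is both why the separate-account workaround lets the deposit land and why the money in that account should be moved promptly to an account only the owner controls: anyone who obtains the stored password has the same access the aggregator does.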

Lou Covey

Lou Covey is the Silicon Valley Correspondent for Cybersecurity Magazine. In 50 years as a journalist he covered American politics, education, religious history, women’s fashion, music, marketing technology, renewable energy, semiconductors, avionics. He is currently focused on cybersecurity and artificial intelligence. He published a book on renewable energy policy in 2020 and is writing a second one on technology aptitude. He hosts the Crucial Tech podcast.
