IP: thestreet.com's new security -- or, how to really bug customers

[Dave Farber <farber () cis upenn edu>]

[sure shoots the cable modem services that use dynamic IP djf]

> Date: Fri, 3 Mar 2000 19:37:30 GMT
> From: Brendan Kehoe <brendan () zen org>
> To: David Farber <farber () cis upenn edu>
>
> My browser was sitting on thestreet.com's Portfolio Tracker application, which
> lets me see how various stocks I own or am interested in are faring through
> the day.
>
> About an hour ago, it stopped showing anything, and instead read:
>
>                   Sorry, your account was suspended.
>                   Please call customer service at 1-800-562-9571 (outside the
>                   US, please use 212-321-5000).
>
> I called the 800 number, sitting on hold for about fifteen minutes or so on
> what is in fact a toll call from Ireland.  Then I got a support person, who
> saw that the account was suspended but didn't know why.  After being
> transferred to a tech support person named Edwin, I was asked if I was letting
> anyone else use my account.
>
> No, to the best of my knowledge I was the only one doing it.  "Um, are you
> sure?" was the response.  Hmm...that felt like someone's convinced I'm lying
> to them.
>
> After a little further discussion back and forth, I learned the details behind
> the problem: thestreet's recently added a security feature to catch people
> with more than one person using an account.  That makes sense enough.
>
> It keeps track of the host IP address (your system) when you visit, and
> appears to suspend your account if it finds that you're using two different
> addresses within one 24-hour period.
>
> While having the greatest intentions, thestreet needs to do some further
> technical research into their decisions before implementing them.  The
> unexpected hurdle in this approach is the fact that many users are connected
> by way of intermittent dialup connections, or something similar.  (In my case,
> it's an ISDN line, which drops the connection if it's idle for five minutes.)
>
> I told Edwin that I felt this was a dangerous setup since it makes an
> assumption about a user's IP address that's not technically accurate.  I tried
> to point out how dynamic IP addressing is fairly common these days.  How
> someone could be in an airport and check their accounts, then a few hours
> later do the same after returning home.  Bang, you've now used two distinct
> addresses, and thus would presumably be suspended by their system.
>
> With some attempts to reassure me that they've not yet seen much trouble come
> from this approach, he told me that any time in the future that it happens I
> can just call again and have it reinstated.  Once I pointed out that the
> call's not free from outside the US, I was able to work the address
> techsupport () thestreet com out of him as a safe-guard for the future.
> Whether or not a customer should have to put up with the service being
> repeatedly interrupted is also questionable.
>
> Dave, I'm sending you this note on the gamble that someone on IP might be
> interested in contacting thestreet to investigate this on a larger scale.  (My
> attempts with Edwin didn't work.)
>
> I'm fairly certain a large portion of Silicon Valley, among other places, has
> lately been using thestreet.com and similar services quite a bit, and thus
> would encounter many of the same difficulties.
>
> Thanks,
> B
> P.S. The two IP addresses he had for me were two random addresses inside the
> eircom.net domain, for two distinct addresses our ISDN router received at
> different points today between times of using the computer.  Sigh.
>
> --
> Brendan Kehoe
>
> Web page: http://www.zen.org/~brendan/