Last year I set up a 401K contribution with my company. In May, my company was acquired and rolled into a larger company. The larger company set us up with a new 401K provider, Kibble & Prentice. I filled out the required paperwork and it was done. That was last summer around July or August.
Fast forward to a week ago in mid-March 2013. I decide to check out the 401K status, so I try to log in. The login info provided to me earlier didn’t work, so I hit “Forgot User ID”. I answered the provided question and it said that there was an error. I tried a few other variations just to make sure and then decided that I just hadn’t set the security questions. The instructions on the site said to call customer service.
I grabbed a conference room at the office, dialed the number, and talked to a representative. She was incredibly nice and helpful. I said “I lost my user ID and password.” She says, “I’m sorry. Can I get your social security number?” I provide it. “Can I get your zip code?” I provide it. “And finally, your date of birth?” I provide it.
Then she says — and pay attention closely to this:
“Your user name is (blah blah blah) and your password is (blah blah blah).”
Read that again and let it sink in. I’ll wait.
For those who haven’t figured it out, she told me my password. This should not be possible. She should not be able to read my password at all.
In programming, one of the cardinal rules of security is that stored passwords should never, ever be readable. They should be stored only as one-way hashes, produced with techniques such as md5, sha1, bcrypt or any number of other hashing algorithms. The security of those isn’t perfect, but they’re a huge, huge step forward from storing passwords in plain text.
Here’s what an md5 password might look like:
As you can see, that’s not easy to guess — and a customer support agent certainly could not translate that into my original password!
The logical conclusion here is that Kibble & Prentice, the company that has been selected and trusted with my financial information and retirement money, stores my password in plain text. That means anyone with access to the database, including, apparently, customer service representatives, can read my password and access my account.
This is disconcerting to say the least. Any disgruntled employee could simply dump the database into a text file using a query as simple as (assuming a SQL-like language):
SELECT username, password FROM users
And bam! Instant access to every user’s account. Including mine. Including yours. Including anyone who uses Kibble & Prentice as a 401K provider.
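To make the contrast concrete, here is an added example of my own (it is not code from the post and says nothing about how Kibble & Prentice’s systems actually work). It uses only Python’s standard library: an unsalted md5 digest of the kind mentioned above, a salted PBKDF2 hash as the stronger form, an in-memory SQLite users table, and the exact SELECT query from the post run against it. The user names and passwords are constructed sample data; the support_recovery function is a hypothetical illustration of what an agent should be limited to.

```python
import hashlib
import hmac
import os
import secrets
import sqlite3
from typing import Optional

# Constructed sample credentials for the demo only; not real accounts.
SAMPLE_USERS = {
    "alice": "correct horse battery staple",
    "bob": "hunter2",
}

# Work factor for PBKDF2; raise it as hardware gets faster.
PBKDF2_ITERATIONS = 200_000


def md5_hex(password: str) -> str:
    """Unsalted md5, the kind of digest the post mentions.

    Shown for illustration only: it is one-way, but fast and unsalted, so
    common passwords fall to lookup tables or brute force. Prefer a slow,
    salted scheme (PBKDF2, bcrypt, scrypt, argon2) for anything new.
    """
    return hashlib.md5(password.encode("utf-8")).hexdigest()


def hash_password(password: str, salt: Optional[bytes] = None) -> str:
    """Salted, slow one-way hash using PBKDF2-HMAC-SHA256 (stdlib).

    Returns a self-describing record: algorithm$iterations$salt$digest.
    The plaintext is not recoverable from this record.
    """
    if salt is None:
        salt = os.urandom(16)  # fresh random salt per user
    digest = hashlib.pbkdf2_hmac(
        "sha256", password.encode("utf-8"), salt, PBKDF2_ITERATIONS
    )
    return f"pbkdf2_sha256${PBKDF2_ITERATIONS}${salt.hex()}${digest.hex()}"


def verify_password(password: str, stored: str) -> bool:
    """Re-derive the hash with the stored salt and compare in constant time."""
    algo, iters, salt_hex, digest_hex = stored.split("$")
    if algo != "pbkdf2_sha256":
        return False
    candidate = hashlib.pbkdf2_hmac(
        "sha256", password.encode("utf-8"), bytes.fromhex(salt_hex), int(iters)
    )
    return hmac.compare_digest(candidate.hex(), digest_hex)


def build_user_table() -> sqlite3.Connection:
    """In-memory users table holding only hashed passwords."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE users (username TEXT PRIMARY KEY, password TEXT NOT NULL)"
    )
    for user, pw in SAMPLE_USERS.items():
        conn.execute("INSERT INTO users VALUES (?, ?)", (user, hash_password(pw)))
    conn.commit()
    return conn


def dump_credentials(conn: sqlite3.Connection) -> list:
    """The very query the post worries about, run against the hashed table."""
    return conn.execute("SELECT username, password FROM users").fetchall()


def plaintext_leaked(conn: sqlite3.Connection) -> bool:
    """True if any sample plaintext password appears in the dumped rows."""
    rows = dump_credentials(conn)
    return any(pw in stored for _, stored in rows for pw in SAMPLE_USERS.values())


def support_recovery(conn: sqlite3.Connection, username: str) -> Optional[str]:
    """Hypothetical support-desk action: issue a single-use reset token.

    A real system would store a hash of this token with an expiry and deliver
    it out of band (email, post). The agent never sees a password, because
    with hashed storage there is no password to see.
    """
    row = conn.execute(
        "SELECT 1 FROM users WHERE username = ?", (username,)
    ).fetchone()
    if row is None:
        return None
    return secrets.token_urlsafe(32)


if __name__ == "__main__":
    conn = build_user_table()
    for user, stored in dump_credentials(conn):
        print(user, stored)
    print("plaintext visible in dump:", plaintext_leaked(conn))
    print("reset token for alice:", support_recovery(conn, "alice"))
```

Running it prints one salted hash per user; the dump from SELECT username, password contains nothing a support agent could read back over the phone, and the only thing the recovery path can produce is a fresh reset token. That is the difference between the “Reset Password” link and the phone call described above.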
Do I trust them with my money? Not anymore.
Now all I have to do is figure out how to get my money out without losing half of it to taxes.
Bottom line: If I were you, I’d call up your financial institutions and pretend you lost your username and password. A secure institution will send you a “Reset Password” link. An insecure one will read your password right back to you over the phone.
I can’t even describe how disgusted I am with Kibble & Prentice right now. Beyond words.
If your company uses Kibble & Prentice for your 401K provider, I’d complain. I’d complain loudly and vociferously until everyone knows. I’d complain right now and I’d get them to switch to another provider who treats your data and money with the respect and care that you deserve.