Author Topic: Paxum.com Issues: Recommend *Against* Using Paxum Now  (Read 9938 times)
ErgoOne (OP)
July 29, 2011, 07:49:38 PM
 #1

 Undecided

I just attempted to open a Paxum account, to try them out.  The experience was extremely difficult, and at the end I called Paxum and had them walk me through the process of closing the account.  I did not feel safe using it.

Here's what I noticed in the process;

1) Paxum's automated emails use HTML, but have incorrect MIME settings.  This means that they are displayed by Thunderbird and the other email clients that I tested as plain text.  *That* means that you have to search through a bunch of HTML codes to find the information that you need to confirm your account, etc. 

2) Paxum uses attached PDF files to send certain types of critical information, but because of the broken MIME settings, the attachments cannot be viewed or detached in normal email clients.  They must be handled by hand, by saving the email as text and then using a utility to demime them.  Most users are not up to figuring this out.

3) Paxum's web site is extremely picky about the format of information that it accepts in fields when you are signing up, but does not tell you in advance which symbols are disallowed.  Among the issues: periods (.) are not allowed in street addresses, but you find that out only when you include one and get an error back.

4) Paxum will not accept a scanned image above 4 MB in size for identity verification, but states that images must be "high quality" and rejects faxed images.  It took me several tries to come up with an image that was of a size it would accept and also a quality it would accept.  This is *really* annoying.

I could continue, but frankly, the email and web site tell me that the people managing Paxum's servers are not very good at what they are doing.  I work in networking security, manage a mail server, have managed web sites since the mid-1990s, and am intimately familiar with what it takes to run a secure site.  My assessment of Paxum's setup is that their technical people do not appear to be experienced enough to be trusted running a site that requests and holds information that will allow identity theft.  I didn't run a vulnerability scan on the site, but would not be at all surprised to find cross-site scripts and other vulnerabilities that can be used to steal information.

I recommend not using Paxum.  They probably mean well, and after they get their act together on their technical services might be worth using.  For now, though, giving them the information that they request to manage your money is IMHO taking an unnecessary and unwise risk.
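
Added example, not part of the original post and not Paxum's code: a Python check a sender could run on outbound notification mail to catch the two symptoms described in points 1 and 2 above (HTML shown as raw text, attachments buried in the message body). The sample messages, addresses and finding names are constructed for illustration, and the exact header fault in the real emails is not stated in the thread.

```python
import re
from email import message_from_bytes, policy
from email.message import EmailMessage

# Tags that should not appear in a part declared text/plain.
HTML_HINT = re.compile(r"<\s*(html|body|table|div|p|br|a)\b[^>]*>", re.I)
# A boundary line followed directly by part headers, sitting inside a text body.
EMBEDDED_PART = re.compile(r"^--\S+\r?\n(?:[\w-]+:.*\r?\n)*?Content-Type:", re.M | re.I)


def lint_message(raw: bytes) -> list[str]:
    """Return findings for MIME labelling that makes clients show raw source."""
    msg = message_from_bytes(raw, policy=policy.default)
    findings = []
    if "MIME-Version" not in msg:
        findings.append("no-mime-version")
    for part in msg.walk():
        if part.is_multipart() or part.get_content_type() != "text/plain":
            continue
        body = (part.get_payload(decode=True) or b"").decode("utf-8", "replace")
        if EMBEDDED_PART.search(body):
            # Top-level header is not multipart/*, so attachments stay buried in text.
            findings.append("mime-parts-inside-text-plain")
        elif HTML_HINT.search(body):
            findings.append("html-labelled-text-plain")
    return findings


# Constructed sample: HTML body, but the header declares text/plain.
MISLABELLED = (
    b"From: notify@example.test\nTo: user@example.test\n"
    b"Subject: Confirm your account\nMIME-Version: 1.0\n"
    b"Content-Type: text/plain; charset=utf-8\n\n"
    b"<html><body><p>Your code is <b>000000</b></p></body></html>\n"
)

# Constructed sample: multipart body with no multipart top-level Content-Type.
UNDECLARED_MULTIPART = (
    b"From: notify@example.test\nTo: user@example.test\n"
    b"Subject: Your document\n\n"
    b"--b1\nContent-Type: text/html\n\n<html><body>See attachment</body></html>\n"
    b"--b1\nContent-Type: application/pdf; name=\"doc.pdf\"\n"
    b"Content-Transfer-Encoding: base64\n\nJVBERi0xLjQK\n--b1--\n"
)


def well_formed() -> bytes:
    """The same kind of notification built with correct multipart structure."""
    m = EmailMessage()
    m["From"], m["To"] = "notify@example.test", "user@example.test"
    m["Subject"] = "Your document"
    m.set_content("Your document is attached.")
    m.add_alternative("<html><body><p>See attachment</p></body></html>", subtype="html")
    m.add_attachment(b"%PDF-1.4 constructed", maintype="application",
                     subtype="pdf", filename="doc.pdf")
    return m.as_bytes()


if __name__ == "__main__":
    for name, raw in [("mislabelled", MISLABELLED),
                      ("undeclared multipart", UNDECLARED_MULTIPART),
                      ("well formed", well_formed())]:
        print(f"{name}: {lint_message(raw) or 'ok'}")
```

Webmail clients that sniff content can hide both faults, which is why a header-level check is more reliable than opening the message in one client.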
Piper67
July 29, 2011, 07:53:26 PM
 #2

Now THIS is useful information... perhaps the Paxum reps can chime in and/or do something about it.

For the record, I also tried to verify my Paxum account today. I sent a scanned image and was told it was unacceptable. To my eyes it was perfectly fine.

But I guess if they make it hard enough, we'll go elsewhere.
Johnny Pizza
July 29, 2011, 07:53:43 PM
 #3

Good to know Smiley What a bunch of shits Cool
PaxumChris
July 29, 2011, 07:57:27 PM
 #4

Undecided

I just attempted to open a Paxum account, to try them out.  The experience was extremely difficult, and at the end I called Paxum and had them walk me through the process of closing the account.  I did not feel safe using it.

Here's what I noticed in the process;

1) Paxum's automated emails use HTML, but have incorrect MIME settings.  This means that they are displayed by Thunderbird and the other email clients that I tested as plain text.  *That* means that you have to search through a bunch of HTML codes to find the information that you need to confirm your account, etc. 

2) Paxum uses attached PDF files to send certain types of critical information, but because of the broken MIME settings, the attachments cannot be viewed or detached in normal email clients.  They must be handled by hand, by saving the email as text and then using a utility to demime them.  Most users are not up to figuring this out.

3) Paxum's web site is extremely picky about the format of information that it accepts in fields when you are signing up, but does not tell you in advance which symbols are disallowed.  Among the issues: periods (.) are not allowed in street addresses, but you find that out only when you include one and get an error back.

4) Paxum will not accept a scanned image above 4 MB in size for identity verification, but states that images must be "high quality" and rejects faxed images.  It took me several tries to come up with an image that was of a size it would accept and also a quality it would accept.  This is *really* annoying.

I could continue, but frankly, the email and web site tell me that the people managing Paxum's servers are not very good at what they are doing.  I work in networking security, manage a mail server, have managed web sites since the mid-1990s, and am intimately familiar with what it takes to run a secure site.  My assessment of Paxum's setup is that their technical people do not appear to be experienced enough to be trusted running a site that requests and holds information that will allow identity theft.  I didn't run a vulnerability scan on the site, but would not be at all surprised to find cross-site scripts and other vulnerabilities that can be used to steal information.

I recommend not using Paxum.  They probably mean well, and after they get their act together on their technical services might be worth using.  For now, though, giving them the information that they request to manage your money is IMHO taking an unnecessary and unwise risk.


Thanks for bringing attention to an issue with Thunderbird and our mail. I'll have it addressed right away. This is the first we've heard of people not being able to open the PDF unless they save the file. I personally have downloaded it from my Gmail, Mac's Mail as well as Outlook without any issue, as well as all of our clients. I'll have this tested with Thunderbird to see if there is an issue, but we have sent out 1000's upon 1000's of these PDFs with very minimal issues.

If you are unable to get the proper format we need for verification, you can always open a ticket and let a support agent know that you are unable to get the file below 4 MB, and I'm pretty sure we have an alternative solution for them to verify your documents :)

As for the security of our site - our sites are often audited by outside sources as well as our banking partners. We feel our system is very secure and we take security very seriously. If you find a bug in our system we would encourage you to let us know so we can address it right away.

PaxumChris
July 29, 2011, 07:57:57 PM
 #5

Now THIS is useful information... perhaps the Paxum reps can chime in and/or do something about it.

For the record, I also tried to verify my Paxum account today. I sent a scanned image and was told it was unacceptable. To my eyes it was perfectly fine.

But I guess if they make it hard enough, we'll go elsewhere.

PM me or email me ( chris@paxum.com ) your username and we will get it sorted :)

Chris
JoelKatz
July 29, 2011, 08:01:56 PM
 #6

These are very typical of the issues you have when a service goes live, especially when external events force your timing. I bet these will all be sorted out within a week at most.

I am an employee of Ripple. Follow me on Twitter @JoelKatz
1Joe1Katzci1rFcsr9HH7SLuHVnDy2aihZ BM-NBM3FRExVJSJJamV9ccgyWvQfratUHgN
PaxumChris
July 29, 2011, 08:03:06 PM
 #7

These are very typical of the issues you have when a service goes live, especially when external events force your timing. I bet these will all be sorted out within a week at most.
We have been running for a while and have processed thousands upon thousands of accounts without any major issues. The PDF and email issue is very new to me and we have not been alerted to it until this post by any client. Same for the PDF issue.

Regards
Chris
Piper67
July 29, 2011, 08:09:03 PM
 #8

These are very typical of the issues you have when a service goes live, especially when external events force your timing. I bet these will all be sorted out within a week at most.
We have been running for a while and have processed thousands upon thousands of accounts without any major issues. The PDF and email issue is very new to me and we have not been alerted to it until this post by any client. Same for the PDF issue.

Regards
Chris


Don't worry, Chris. If you address these issues, you'll likely find that Ergo will change the name of this thread. He's a completely different kind of person to the ones that attacked you in other threads.

And if it makes Paxum more secure and user friendly in the future, that can only be good, right?
rdonohoe
July 29, 2011, 08:10:27 PM
 #9

4) Paxum will not accept a scanned image above 4 MB in size for identity verification, but states that images must be "high quality" and rejects faxed images.  It took me several tries to come up with an image that was of a size it would accept and also a quality it would accept.  This is *really* annoying.

I opened an account with them, sent them Scanned Passport that I have saved from PayPal, MoneyBookers etc, and sent Utility Bill.
They rejected the Passport because a part of the top edge was too close to the edge of the scan. So I sent a scan of another Government ID as my Passport is in my Parent's house in a safe so I don't keep it in mine

Still no dice.

So I closed the account. I didn't even want to use it for deposit just withdrawal.

R
ErgoOne (OP)
July 29, 2011, 08:10:51 PM
 #10

Chris, the problem isn't just with Thunderbird. I verified that the same issue comes up with several other email clients as well.  One of them was the standard Macintosh email client; my husband has a Mac Pro and I tested with it.  Only certain webmail clients display your emails as rendered HTML.  

Outside auditing of your site is a good thing.  Frankly, from my experience, it has probably saved your bacon more than once because the people who are designing, coding, and managing the web site show every sign of not knowing how to do this kind of work. Sad  You *really* need to get some more experienced developers ASAP.

I'm a technical writer by profession, but also do a lot of QA as part of my job.  I work for a Fortune 500 company, in the division that provides security "solutions" (I HATE that term) for protecting customer-facing web portals for companies and organizations that have high security needs, such as banks and financial institutions.  The technical side of your business is exactly the sort of thing that I spend most of my working day understanding, documenting, and figuring out how to protect.  (As in -- write use cases for.)

I'm not hostile to Paxum.  Nor do I think Paxum is trying to defraud anybody; I see no sign of that at all.  What I do see is a sign of lack of sufficient experience in designing and managing secure web sites.  You *MUST* get people in there who know how to handle the types of security required for a financial institution.
ErgoOne (OP)
July 29, 2011, 08:13:31 PM
 #11

These are very typical of the issues you have when a service goes live, especially when external events force your timing. I bet these will all be sorted out within a week at most.

From your mouth to God's ears. :-)  I expect that it will take more than a week, but the problems are definitely fixable.  These are not issues associated with a lack of integrity or fundamentally careless attitude, but with a new company that needs expertise in something that it lacks expertise in.  I will probably try Paxum again in a couple of months if I see reason to think that they've fixed the problems.

But not right now.
PaxumChris
July 29, 2011, 08:15:54 PM
 #12

Chris, the problem isn't just with Thunderbird. I verified that the same issue comes up with several other email clients as well.  One of them was the standard Macintosh email client; my husband has a Mac Pro and I tested with it.  Only certain webmail clients display your emails as rendered HTML.  

Outside auditing of your site is a good thing.  Frankly, from my experience, it has probably saved your bacon more than once because the people who are designing, coding, and managing the web site show every sign of not knowing how to do this kind of work. Sad  You *really* need to get some more experienced developers ASAP.

I'm a technical writer by profession, but also do a lot of QA as part of my job.  I work for a Fortune 500 company, in the division that provides security "solutions" (I HATE that term) for protecting customer-facing web portals for companies and organizations that have high security needs, such as banks and financial institutions.  The technical side of your business is exactly the sort of thing that I spend most of my working day understanding, documenting, and figuring out how to protect.  (As in -- write use cases for.)

I'm not hostile to Paxum.  Nor do I think Paxum is trying to defraud anybody; I see no sign of that at all.  What I do see is a sign of lack of sufficient experience in designing and managing secure web sites.  You *MUST* get people in there who know how to handle the types of security required for a financial institution.

Regarding the email issue - again, we have never heard of this before at all. I will have a tech look at it, but to be honest this seems to be a very isolated incident. If this was a common issue I'd assume we would have been made aware of this when we first launched and had 1000's of accounts created in a matter of days.

I appreciate your feedback and we do take it all in and discuss it and are always improving our services.

If you would like to email me any more specifics on this that may not be for the public eye to see, shoot me an email at chris@paxum.com - and we can get this all sorted with our tech guys :)

Regards

Chris
tvbcof
July 29, 2011, 08:16:23 PM
 #13

I'm not even close to signing up with Paxum because I want to wait and see about some other stuff, and because I have no need for their service.  

But I will agree w/ Mr Katz (as seems to be often the case) that these issues don't strike me as the kinds of red flags that I would be especially  concerned about.  Indeed, it seems like they are practicing defensive programming in certain of these issues, and that is in my book a very good thing.  

Obviously it would be a good thing if the end user experience was better, but I personally would gladly trade this to avoid the hassle of being caught up in some fraudulent use fiasco.

sig spam anywhere and self-moderated threads on the pol&soc board are for losers.
ErgoOne (OP)
July 29, 2011, 08:16:33 PM
 #14

Don't worry, Chris. If you address these issues, you'll likely find that Ergo will change the name of this thread. He's a completely different kind of person to the ones that attacked you in other threads.

She.  At least, last I checked.  (My poor husband would be quite shocked if it turned out otherwise.) Wink
JoelKatz
July 29, 2011, 08:17:37 PM
 #15

I'm not hostile to Paxum.  Nor do I think Paxum is trying to defraud anybody; I see no sign of that at all.  What I do see is a sign of lack of sufficient experience in designing and managing secure web sites.  You *MUST* get people in there who know how to handle the types of security required for a financial institution.
I'm not hostile to Paxum either, and I don't think Paxum is trying to defraud anyone. I wouldn't read as much into these particular issues as ErgoOne seems to.

But I will say one thing from my own experience: It is very easy for non-technical people to assume that because someone knows how to do something and make it work, they also know how to make it secure. And it's easy to assume that because nothing bad has happened for awhile, your system must be at least reasonably secure. And it's easy to assume that because a system is growing, it's also growing more secure -- surely someone's doing that, right? However, these three assumptions are entirely false.

This is especially true for innovative companies that experience fast growth. Mt. Gox, for example.

A small anecdote: The last breach I helped clean up involved a software defect that could have leaked a small, growing company's entire customer and transaction database. The programmer whose code had the bug knew that his code had this type of bug, but he believed it was too difficult to exploit because he didn't know an easy way to exploit it. He, of course, was not a computer security person, so he had no idea that there are toolkits available that make exploiting bugs of this type extremely easy.

And one final point: If you ask these people if they take security seriously and if their code is secure, they will say yes because they honestly believe that they are. And they believe there's no need for other people to audit them. When they see how many vulnerabilities there are and how easy they are to exploit, they are frequently quite surprised. People who aren't security experts just don't understand what the threats actually are.

I am an employee of Ripple. Follow me on Twitter @JoelKatz
1Joe1Katzci1rFcsr9HH7SLuHVnDy2aihZ BM-NBM3FRExVJSJJamV9ccgyWvQfratUHgN
Piper67
July 29, 2011, 08:18:52 PM
 #16

Don't worry, Chris. If you address these issues, you'll likely find that Ergo will change the name of this thread. He's a completely different kind of person to the ones that attacked you in other threads.

She.  At least, last I checked.  (My poor husband would be quite shocked if it turned out otherwise.) Wink

A thousand apologies... I shouldn't have assumed. In my defence, women seem to be scarce in these forums, enough that there's a whole thread about it, and another thread devoted to a single tattoo... sheesh!

Your poor husband is a lucky man.
dikidera
July 29, 2011, 08:19:27 PM
 #17

Chris, the problem isn't just with Thunderbird. I verified that the same issue comes up with several other email clients as well.  One of them was the standard Macintosh email client; my husband has a Mac Pro and I tested with it.  Only certain webmail clients display your emails as rendered HTML.  

Outside auditing of your site is a good thing.  Frankly, from my experience, it has probably saved your bacon more than once because the people who are designing, coding, and managing the web site show every sign of not knowing how to do this kind of work. Sad  You *really* need to get some more experienced developers ASAP.

I'm a technical writer by profession, but also do a lot of QA as part of my job.  I work for a Fortune 500 company, in the division that provides security "solutions" (I HATE that term) for protecting customer-facing web portals for companies and organizations that have high security needs, such as banks and financial institutions.  The technical side of your business is exactly the sort of thing that I spend most of my working day understanding, documenting, and figuring out how to protect.  (As in -- write use cases for.)

I'm not hostile to Paxum.  Nor do I think Paxum is trying to defraud anybody; I see no sign of that at all.  What I do see is a sign of lack of sufficient experience in designing and managing secure web sites.  You *MUST* get people in there who know how to handle the types of security required for a financial institution.
Am I to understand you are sexually attracted to the same sex?
Piper67
July 29, 2011, 08:22:23 PM
 #18

Further to my previous post on the difficulty of getting verified with Paxum, I had an email exchange with Chris. I accept his explanation for why the procedure may seem more difficult than is warranted, and on the face of it it seems to be so for the benefit of us, the customers.

He also offered a pretty easy solution, which I stupidly hadn't thought of myself, to get around the problem.

So far, so good.
JoelKatz
July 29, 2011, 08:22:26 PM
 #19

Am I to understand you are sexually attracted to the same sex?
If you mean the same as her husband, then yes.

I am an employee of Ripple. Follow me on Twitter @JoelKatz
1Joe1Katzci1rFcsr9HH7SLuHVnDy2aihZ BM-NBM3FRExVJSJJamV9ccgyWvQfratUHgN
PaxumChris
July 29, 2011, 08:23:34 PM
 #20

Further to my previous post on the difficulty of getting verified with Paxum, I had an email exchange with Chris. I accept his explanation for why the procedure may seem more difficult than is warranted, and on the face of it it seems to be so for the benefit of us, the customers.

He also offered a pretty easy solution, which I stupidly hadn't thought of myself, to get around the problem.

So far, so good.
Everything we do at the end is to protect our clients. If we don't, we put everyone at risk. Even if that means rejecting some documents you all feel should work :)

Better safe than sorry ... right? :)