
The pre-code, or how the concepts “code word” and “SMS confirmation code” got mixed up in a production system



Sometimes users involuntarily become testers of new, not fully verified changes to a live site, or to an updated security algorithm that confirms a user's identity by sending them an SMS code.

This is what happens when a user is used to one flow and is then presented with not-quite-correct changes as a given.

It all started a year ago (December 2017) in the city of Veliky Novgorod.

Dialogue at the checkout (the cashier and the buyer, that is me, plus later the branch manager):
- Good afternoon, please tell me your phone number.

- OK, XXX-XXX-XX-XX.

- Denis, do you want to add anything else to the order?

- No, thanks. Can I redeem bonuses for the order?

- Yes, of course. Could you tell me the code word from your account?

- You know, I wanted to create this code word there, but I did not succeed.

- I will call our manager now, she will help you (that is, she will help the customer create a code word on the site!).

- Good day. How can I help you?

- How can I create a code word on your website in my account?

- Ah! You probably tried to do this in the new version of the site; you need to go to the old version at this address.

- Yes, I'll do it now (I go to the old version of the site, register and create a code word by the rules: only Russian letters and one word, “dodosl”). Thanks!
Later the company removed the old version of the site from public access, leaving only the new one, where my code word remained.

Logging in to the account using the verification code sent to the phone number:

Personal account:

Description of the “code word” field:

What can be entered in the “code word” field (only Russian letters):

Inspecting the page source by element:

At the very end of view-source:https://dodopizza.ru/ekaterinburg/profile you can see:

console.log('Hi! We are looking for enthusiastic, motivated developers and therefore we invite you to your place.\n\nSite is only the pinnacle of the information system we create to achieve our goal. Our goal is to build the most efficient fast food chain on the planet.\n\nToday we have more than 390 pizzerias in 11 countries and we process 1600 requests per second. In 2 years we will have 800 pizzerias and 3K requests per second. To keep up with business growth rates, we are improving the technology stack: replacing ASP.NET 5 \u002B jQuery on ASP.NET Core React, go from monolithic architecture to service, automate deploy and regression testing. We host everything in Azure.\n\nWe offer white wages, options and the opportunity to participate in building international business. Over the past four years, three developers have left us on our own initiative. whether we are close to each other, just come to visit - look at the office, plunge into the atmosphere. Write to cto@dodopizza.com or www.facebook.com/alexander.andronov.5\n\nRead more here: dodois.com');

So the questions that arose below are addressed to these comrades at Dodo Pizza IT!



Our time (January 2019), Yekaterinburg: after sledding with my child on a snow slide, we went to the nearest pizzeria.
- Good afternoon, please tell me your phone number.

- OK, XXX-XXX-XX-XX.

- Denis, do you want to add anything else to the order?

- No, thanks. Can I redeem bonuses for the order?

- Yes, you will now receive a code on your phone number, tell it to me (she clicks “send a request by SMS” in the cashier's interface).

- You know, I did not take my phone with me; may I tell you my code word, which has been recorded in my account for more than a year?

- Go ahead. ... Oh, it is not correct! Say it again. ... It still says the word is incorrect (she tried entering my code word “Dodosl” twice in the cashier's interface).

- Strange. Well, let's skip the bonuses then.


When I got home, this SMS with a four-digit code was waiting on my phone.

Logging in to my personal account, instead of the “code word” I now have “code from SMS” in the “code word” field:

In the user's personal account, the state of the “code word” field changed automatically: four digits were written there instead of Russian letters, and these were exactly the digits that came to me via SMS in this form.

How so? And where is the “word” made of Russian letters?



There are two possibilities: either the developers changed and added new modules for confirming the customer's status via SMS and did not make them work correctly with the old modules (the “code word” field), or the cashier did not receive full instructions on how to work with the register and the code word.

As for the cashier: I specifically checked the situation in another pizzeria, and the sequence of actions was the same. If you do not say that you have an ordinary code word rather than digits from an SMS, everything appears to work normally.

But in fact the cashier immediately sends a request to confirm the customer's status via SMS. So why, then, is there a “code word” field in the account at all? Probably the new method of confirming the user's status via SMS was meant to become the main one, while the old method with the ordinary “code word” entered earlier by the user was either forgotten or left as is, and it was convenient to write the code from the SMS into that same field.

And the whole thing lies in the microservices and the client application, which is easier to use and relies on SMS codes for user identification.

The architecture of the “Dodo IS” information system is as follows:

It turns out that in the Clients block and in the Network Management block, in the communications module and on the client site, the entered data is now handled incorrectly (and this situation arose not long ago, as I understand it, since last fall my code word still worked normally without SMS codes). Thus the “code word” in the user's personal account is automatically replaced by the four digits from the SMS code sent to the user's phone number, for the convenience of working with this value further, for example in the client application.

But some users find it more convenient to order through the web interface and work with the personal account, so such an oddity as automatically changing the code word without the user's confirmation should be implemented more correctly, or at least the field description stating that a “code word” is “only Russian letters” should be changed to mention the code from the SMS.

After contacting the company's technical support, I received this answer:
Thank you for your valuable feedback. I apologize for taking so long to respond.
A group of analysts and technical support staff were involved in the discussion. Indeed, the two identification modules interfere with each other. We came to the decision that in the near future we will move to the “pre-code” in all sources.
In fact, there is an error in the implementation of the feature, but it is not critical and 99.9% of users will not notice it, since they always carry a phone with them and can read out the four digits from the SMS code instead of a complex, Russian-only code word from their personal account.

But sometimes a small mistake leads to bigger failures further down the line. So it is better to test such security nuances as the handling of SMS code values and code words in the personal account before they are deployed to production.
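As an added illustration (not code from the post, nor from Dodo), here is a toy Python model of the two identification paths the post describes: a long-lived code word validated as Russian letters only, and a four-digit SMS code. The buggy variant stores the SMS code in the code word field, as observed in the account; the fixed variant keeps the OTP in its own field with an expiry and single use, and an invariant check flags an overwritten field. All names, the sample code word “пример” and the field layout are assumptions.

```python
import re
import secrets
import time
from dataclasses import dataclass
from typing import Optional
# The site's stated rule for the "code word" field: one word, Russian letters only.
CODE_WORD_RE = re.compile(r"[А-Яа-яЁё]+")

@dataclass
class Account:  # assumed layout, not Dodo's data model
    phone: str
    code_word: Optional[str] = None  # long-lived secret chosen by the customer
    sms_otp: Optional[str] = None    # short-lived code, kept in its own field
    sms_otp_expires: float = 0.0

def set_code_word(acct: Account, word: str) -> None:
    """Enforce the field's rule when storing, not only in the web form."""
    if CODE_WORD_RE.fullmatch(word) is None:
        raise ValueError("code word must be a single word of Russian letters")
    acct.code_word = word

def send_sms_code_buggy(acct: Account) -> str:
    """Behaviour the post describes: the OTP is written into the code word field."""
    otp = f"{secrets.randbelow(10000):04d}"
    acct.code_word = otp  # silently replaces the customer's word
    return otp

def send_sms_code_fixed(acct: Account, now: Optional[float] = None, ttl: float = 300) -> str:
    """Hardened version: the OTP gets its own field and an expiry."""
    otp = f"{secrets.randbelow(10000):04d}"
    acct.sms_otp = otp
    acct.sms_otp_expires = (time.time() if now is None else now) + ttl
    return otp
def _eq(a: str, b: str) -> bool:
    # compare_digest rejects non-ASCII str, so compare the UTF-8 bytes
    return secrets.compare_digest(a.encode("utf-8"), b.encode("utf-8"))
def verify(acct: Account, presented: str, now: Optional[float] = None) -> Optional[str]:
    """Accept the code word or a live, unused SMS code; report which matched."""
    now = time.time() if now is None else now
    if acct.code_word is not None and _eq(presented, acct.code_word):
        return "code_word"
    if acct.sms_otp is not None and now < acct.sms_otp_expires and _eq(presented, acct.sms_otp):
        acct.sms_otp = None  # single use
        return "sms"
    return None

def code_word_invariant_holds(acct: Account) -> bool:
    """Check for the bug: the stored code word must still satisfy its own rule."""
    return acct.code_word is None or CODE_WORD_RE.fullmatch(acct.code_word) is not None
```

Running the invariant check over stored accounts is the cheap way to detect that one module has overwritten another's field before a customer discovers it at the checkout.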

Source: https://habr.com/ru/post/436104/