The pre-code, or how the concepts “code word” and “digital confirmation code by SMS” get confused in a production system



    Sometimes users involuntarily become testers of new, not fully verified changes to a live site, or to an updated security algorithm that confirms the user's status by sending them an SMS code.

    This is what happens when the user is accustomed to one sequence of events and is then handed, as if nothing had changed, modifications that are not entirely correct.

    It all started a year ago (December 2017) in the city of Veliky Novgorod.

    Dialogue at the checkout (the cashier and the buyer, that is, me, and later the branch manager):
    - Good afternoon, please tell me your phone number.

    - Good afternoon, XXX-XXX-XX-XX.

    - Denis, do you want to add anything else to the order?

    - No, thanks. Can I redeem bonus points for this order?

    - Yes, of course. Tell me the code word from your personal account.

    - You know, I wanted to create this code word there, but I did not succeed.

    - I will call our manager now; she will help you (that is, help the customer create a code word on the site!).

    - Good day. How can I help you?

    - How do I create a code word in my account on your website?

    - Ah! You probably tried to do this in the new version of the site; you need to go to the old version at this address.

    - Yes, I'll go there now (I go to the old version of the site, register, and create a code word according to the rules, only Russian letters and a single word: “dodosl”). Thanks!
    Later, the company removed the old version of the site from public access, leaving only the new one, where my code word remained.

    Logging into the personal account using the confirmation code sent to the phone number:

    Personal account:

    Description of the “code word” line:

    What can be entered in the “code word” line (only Russian letters):

    Inspecting the page code element by element:

    At the very end of “view-source:https://dodopizza.ru/ekaterinburg/profile” you see:

    console.log
    ('Hi! We are looking for passionate, motivated developers, so we invite you to join us.\n\nThe website is just the tip of the information system we are building to reach our goal. Our goal is to build the most efficient fast-food chain on the planet.\n\nToday we have more than 390 pizzerias in 11 countries and handle 1600 requests per second. In two years we will have 800 pizzerias and 3K requests per second. To keep up with the pace of business growth, we are improving our technology stack: replacing ASP.NET 5 \u002B jQuery with ASP.NET Core \u002B React, moving from a monolithic to a service architecture, automating deployment and regression testing. We host everything in Azure.\n\nWe offer a fully declared salary, stock options and the chance to take part in building an international business. Over the past four years, three developers have left us of their own accord. To find out whether we suit each other, just come and visit: see the office, soak up the atmosphere. Write to cto@dodopizza.com or www.facebook.com/alexander.andronov.5\n\nMore here: dodois.com');

    So it is to these comrades, “Dodo Pizza IT”, that the questions raised below are addressed!



    Present day (January 2019), Yekaterinburg: after sledding with my child, we went to the nearest pizzeria.
    - Good afternoon, please tell me your phone number.

    - Good afternoon, XXX-XXX-XX-XX.

    - Denis, do you want to add anything else to the order?

    - No, thanks. Can I redeem bonus points for this order?

    - Yes, you will now receive a code on your phone number; tell it to me (she clicks “send a request by SMS” in the cash register interface).

    - You know, I did not bring my phone with me. Can I tell you my code word instead? It has been recorded in my account for more than a year.

    - Let's try. ... Oh, it says it is not correct! Say it again. ... Still the same, it says the word is incorrect (she typed my code word, “Dodosl”, twice into the cash register interface).

    - Strange. Well, let's skip the bonus points then.


    When I got home, the phone had this SMS with a four-digit code:

    Logging into my personal account, the “code word” line now contains the code from the SMS instead of my code word:

    The “code word” line in the user's personal account was changed automatically: four digits are written there instead of Russian letters, and those are the very digits that came to me by SMS.

    How so? And where is the “word” made of Russian letters?



    There are two possibilities: either the developers added new modules that confirm the customer's status via SMS without making them work correctly alongside the old module (the “code word” line), or the cashier did not receive full instructions on how to use the cash register with a code word.

    As for the cashier: I specifically checked the situation in another pizzeria, and the sequence of actions was exactly the same. If you do not mention that you have a regular code word rather than the digits from the SMS, everything seems to work normally.

    But in fact the cashier immediately sends a request to confirm the customer's status via SMS. So what is the “code word” line in the account for at all? Probably the new method of confirming the user's status via SMS was meant to become the main one, while the old method, the ordinary code word the user had entered earlier, was either forgotten and not removed or deliberately left in place, because it is convenient to write the SMS code into it.

    The reason is the move to microservices and the client app, which is simpler to use and identifies users by SMS codes.

    The architecture of the information system “Dodo IS” is as follows:


    It turns out that in the “Clients” block and the “Network Management” block, in the communications module and the client site, the entered data is now handled incorrectly (and this did not start very long ago, as I understand it, since last autumn my code word worked normally without SMS codes). In effect, the “code word” in the user's personal account is automatically replaced with the four digits of the SMS code sent to the user's phone number, for the convenience of working with that value later, for example in the client application.

    But some users find it more convenient to order through the web interface and work with their personal account, so an oddity like silently changing the code word without the user's confirmation should be implemented more correctly, or at least the description of the “code word” line should drop “only Russian letters” and mention that the SMS code also lands there.
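    The failure described above, and one way to keep the two identification paths apart, as an added Python example that is not Dodo IS code or anything published by the company (their stack is ASP.NET). Part 1 reproduces the bug: the SMS module stores its one-time code in the only field it knows about, the code word, so the customer's real word stops validating. Part 2 gives each factor its own field, expires and burns the SMS code after one use, and compares secrets in constant time. The field names, the four-digit code length, the five-minute lifetime and the placeholder phone number are assumptions; the "one word, Russian letters only" rule is the one shown in the profile's "code word" description.

```python
"""Constructed example (not Dodo IS code): a loyalty account with two
identity-confirmation factors, a customer code word and a one-time SMS code.
Part 1 shows both writers sharing one field; Part 2 keeps them separate."""
import hmac
import re
import secrets
import time
from dataclasses import dataclass
from typing import Optional

# Rule from the profile's "code word" description: one word, Cyrillic letters only.
CODE_WORD_RE = re.compile(r"[А-Яа-яЁё]+")


def is_valid_code_word(word: str) -> bool:
    return CODE_WORD_RE.fullmatch(word) is not None


def _secret_eq(a: str, b: str) -> bool:
    """Constant-time comparison; a plain == leaks how much of a guess matched."""
    return hmac.compare_digest(a.encode("utf-8"), b.encode("utf-8"))


def new_sms_code() -> str:
    """Assumed format: four decimal digits, as in the SMS shown above."""
    return f"{secrets.randbelow(10_000):04d}"


# ---- Part 1: one storage field shared by two modules (the bug) -------------
@dataclass
class SharedFieldAccount:
    phone: str
    code_word: str  # set by the customer on the website


def buggy_send_sms_code(acct: SharedFieldAccount) -> str:
    """Cashier presses "send a request by SMS": the SMS module stores the
    one-time code in the existing code_word column, overwriting the word."""
    code = new_sms_code()
    acct.code_word = code
    return code


def buggy_verify(acct: SharedFieldAccount, answer: str) -> bool:
    """Whatever is in the column wins, so the customer's real word now fails."""
    return _secret_eq(acct.code_word, answer)


# ---- Part 2: separate fields, OTP with expiry and single use ----------------
OTP_TTL_SECONDS = 300  # assumed lifetime of an SMS code


@dataclass
class Account:
    phone: str
    code_word: str
    otp: Optional[str] = None
    otp_expires_at: float = 0.0


def set_code_word(acct: Account, word: str) -> None:
    if not is_valid_code_word(word):
        raise ValueError("code word must be a single word of Russian letters")
    acct.code_word = word


def send_sms_code(acct: Account, now: Optional[float] = None) -> str:
    """Issue a fresh OTP without touching code_word."""
    now = time.time() if now is None else now
    acct.otp = new_sms_code()
    acct.otp_expires_at = now + OTP_TTL_SECONDS
    return acct.otp


def verify(acct: Account, answer: str, now: Optional[float] = None) -> Optional[str]:
    """Return which factor matched ("sms" or "code_word"), or None.
    A live OTP is accepted once and then burned; an expired one is discarded;
    the code word keeps working whether or not an SMS was requested."""
    now = time.time() if now is None else now
    if acct.otp is not None:
        if now >= acct.otp_expires_at:
            acct.otp = None
        elif _secret_eq(acct.otp, answer):
            acct.otp = None
            return "sms"
    if _secret_eq(acct.code_word, answer):
        return "code_word"
    return None


def demo() -> dict:
    """Replay the checkout scenario against both designs."""
    word = "додосл"  # Cyrillic spelling; the Latin "dodosl" fails validation
    old = SharedFieldAccount(phone="+7XXXXXXXXXX", code_word=word)  # placeholder number
    buggy_send_sms_code(old)
    new = Account(phone="+7XXXXXXXXXX", code_word="")
    set_code_word(new, word)
    send_sms_code(new, now=0.0)
    return {
        "buggy_word_still_valid": buggy_verify(old, word),
        "fixed_word_still_valid": verify(new, word, now=1.0) == "code_word",
    }
```

    Running demo() reports the buggy design rejecting the customer's own code word right after an SMS request, which is exactly what the cashier saw, while the separated design accepts it. The design point is that an OTP is a short-lived, single-use credential and a code word is a long-lived one; storing them in the same column forces one module to destroy the other's data, and no amount of cashier training fixes that.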

    After contacting the company's technical support, I received this answer:
    Thank you for your valuable feedback. I apologize for taking so long to respond.
    A group of analysts and technical support staff were involved in the discussion. Indeed, the two identification modules interfere with each other. We have decided that in the near future we will move to “pre-codes” in all sources.
    In fact, there is an error in the implementation of the feature, but it is not critical and 99.9% of users will not notice it, since they always carry a phone and can read out the four digits of the SMS code instead of a complex code word made only of Russian letters from their personal account.

    But sometimes a small mistake drags larger, global failures along with it. So it is better to test such security nuances as the handling of SMS code values and code words in the personal account before rolling them out to production.
