My F-Secure and F-Secure SAFE: What a mess!

Hi

I'm posting the text below here in the hope that some responsible person at F-Secure might forward it to the right place. I'm not willing to discuss this in an online chat, and there is no public email address I could send it to.

So, here goes my complaint:

F-Secure IS has been my security suite for many years. The renewal of the license is due. I thought I'd have a deeper look into F-Secure SAFE first, to understand the difference. I'm currently only interested in a Windows solution.

I'm baffled a company like F-Secure is unable to create a secure, working web interface!

A login is required to get access to a trial version of F-Secure SAFE, so I created one. It is an internet standard that newly created accounts have to be activated via mail before being able to log in. Not so with F-Secure! After signing up, I was immediately logged in, and could download and install F-Secure SAFE.

Busy with configuration, I left the webpage (switched away from the browser) unattended for too long, so I saw I had been automatically logged out when switching back to the browser. At least this is what the webpage told me. However, clicking on the user icon (top right), I was still logged in!! I actively had to click on logout to be able to log in again. But look at this: F-Secure tells me that I first have to activate my account by clicking on the link in the mail. Remember, I had been logged into that account, and could look around, download SAFE, etc. Really? Are you a security company, or someone taking their first steps in programming?

Even worse: Being logged into the My F-Secure Account, I see "location: Australia" at the bottom. Let me correct that, so I click there and change to Switzerland. On clicking, the whole web page appears in Italian? What the heck! Nearly two thirds of Switzerland is German speaking, 23% is French speaking, 9% is Italian speaking, 1% is Romansh speaking. So who told you to switch to Italian when choosing Switzerland as location? You would have to offer at least German, French, and Italian to choose from.

Finally, a question to F-Secure SAFE: It seems this no longer supports multiple users on a single Windows machine, some of them being children that should be limited via "Kindersicherung" (parental control). I could not find out how to do this. This is easy with F-Secure Internet Security.

Saying I'm disappointed would be too positive a statement. Get your web designers up to date.

Note: This is my second negative experience with the "My F-Secure" site. The first was a couple of weeks ago when I created my F-Secure Community account, and all of a sudden I got mails regarding my F-Secure SAFE trial license (see: 04298521 Unwanted subscription to F-Secure SAFE).

Regards

Peter

Comments

  • Ukko
    Ukko Posts: 3,311 Superuser

    Hello,

    Sorry for the discussion between community users. Surely someone from F-Secure will pick it up. But in the meantime:

    It is an internet standard that newly created accounts have to be activated via mail before being able to log in. Not so with F-Secure! After signing up, I was immediately logged in, and could download and install F-Secure SAFE.

    So, the very main trouble is the fact that you can use any email without confirming it (that it's yours)? Right?

    If so, there is even one more trouble point around this flow. However, I still haven't been able to come up with any "dangerous" impact. Except for "possible" spam from F-Secure letters. Or potential difficulties if the 'owner' of the email decides to create an account later.

    At the same time, if I remember correctly, after the expiration (or maybe earlier) of the trial time, it will no longer be possible to use the portal without confirmation of the mail. Additionally, inactive (say, bogus) accounts can be deleted after a certain period of time. It is stipulated somewhere (terms, policies, or simply public pages), perhaps, but I am not sure (do not remember right now) where.

    Wasn't it convenient (for you as a user, not a fraudster) to be able to download the software and use it immediately after specifying your contact information (registration), including protecting the device as soon as possible?

    Even worse: Being logged into the My F-Secure Account,

    As for the 'chosen' region after login: it may be that your browser could not or was not allowed to get your geolocation (or the web page was not trying to get it), so 'null' was selected instead of yours. Nothing chosen, but the list of options is visible itself. It is also possible that you registered for the trial (or went to the site) from the general (Global, in a sense) F-Secure page instead of a certain local page supported for your location. So the portal followed that, but probably doesn't have a "Global" option.

    My own experience is similar; but if I use the 'local' (supported) F-Secure website before the portal, then the portal comes with a relevant region by default. Or if I log in from a dedicated page.

    However, what about the "Swiss" point? Indeed a very strange one. I don't know if there is any clear explanation here. Maybe some very specific case is implied and is necessary when there is no way to choose another (strict DE and so on). And the situation itself just became complicated, in that the meanings of localization (translation, language of the page) and the Region (location) itself overlapped, becoming not entirely accurate. Anyway, maybe you could refer to this trouble in that thread: Language feedback — F-Secure Community

    Busy with configuration, I left the webpage (switched away from the browser) unattended for too long, so I saw I had been automatically logged out when switching back to the browser. At least this is what the webpage told me. However, clicking at the user icon (to right), I was still logged in!!

    Could this be a warning that you will soon be logged out? If so, then the reason for the "return" to the logged-in state is probably understandable. Otherwise, I could not repeat this. If you logged out, then there was no easy way back (as you described).

     F-Secure tells me that I first have to activate my account by clicking on the link in the mail. Remember, I have been logged into that account, and could look around, download SAFE, etc. Really? Are you a security company, or someone doing their first steps in programming.

    In my experience, they do not insist if there is a fresh trial. So, "you have to", or you can do it later (within thirty days). With this option, the design is quite logical.

    It seems this no longer supports multiple users on a single Windows machine, some of them being children that should be limited via "Kindersicherung" (parental control). I could not find out how to do this. This is easy with F-Secure Internet Security.

    Perhaps it should still be possible. The difference is 'local' rules against 'web'-ruled ones.

    Sorry if I misunderstood your need, but maybe the following things can help:

    • for example, this is your device. You set it up with your account (or with an Administrator-type Windows account) for yourself. This is the adult profile (F-Secure SAFE).
    • when you open another user account in the system, F-Secure SAFE should request or inform you about an option to configure it as for a "child". So, a child profile. There are options to configure bedtime, time limits, Content Blocker. Additionally, you can locally configure a list of allowed/denied websites for each user account.
    • by opening yet another user account, you can also choose an already 'prepared' profile, or even create another one.

    In general, if the installation was not for your child from the start, then open the F-Secure SAFE main UI (under the required Windows user account) and choose the "user" logo near the top right corner. Choose "Switch user". Then follow the instructions (you need to log into the portal, then choose and/or set up a profile).

    With your 'adult' profile, you can manage some things via the user interface.

    Actually, sorry for my very clumsy explanation. But if you really want to try, I can re-phrase and suggest something if your attempts are unsuccessful.

    Thanks and sorry for my reply.

    Amirul
  • phunsoft
    phunsoft Posts: 7 Observer

    Hi Ukko

    Thanks for your answer.

    >>>So, the very main trouble is the fact that you can use any email without confirming it (that it's yours)? Right?

    >>>If so, there is even one more trouble point around this flow. However, I still haven't been able to come up with any "dangerous" impact. Except for "possible" spam from F-Secure letters. Or potential difficulties if the 'owner' of the email decides to create an account later.

    The fact that just anybody knowing my email address can create an account at F-Secure.com and readily work with that account is frightening. This is a first-class security exposure.


    >>>Wasn't it convenient (for you as a user, not a fraudster) to be able to download the software and use it immediately after specifying your contact information (registration), including protecting the device as soon as possible?

    So, you value convenience higher than security? Really?


    >>>As for the 'chosen' region after login: it may be that your browser could not or was not allowed to get your geolocation (or the web page was not trying to get it), so 'null' was selected instead of yours. ... However, what about the "Swiss" point? Indeed a very strange one. I don't know if there is any clear explanation here.

    I don't care about the wrong region being chosen at first. My comment is about careless programming. If the website offers me to choose location "Switzerland", this is simply not enough! The code should offer "Switzerland - German", "Switzerland - French", and "Switzerland - Italian", at least.


    >>>F-Secure tells me that I first have to activate my account by clicking on the link in the mail. Remember, I had been logged into that account, and could look around, download SAFE, etc. Really? Are you a security company, or someone taking their first steps in programming?

    >>>In my experience, they do not insist if there is a fresh trial. So, "you have to", or you can do it later (within thirty days). With this option, the design is quite logical.

    As said above, I consider this implementation a security exposure.


    And to add a point I had forgotten: When creating a new account that allows the user to choose a password, the password usually has to be entered twice, to be sure. Not so at F-Secure. While this is not a security issue, it is very unusual.

    Thanks

    Peter

  • phunsoft
    phunsoft Posts: 7 Observer

    Apologies to all for posting criticism here which belongs to F-Secure. If you care to read, you might understand that this is not something to be discussed in an online chat. Sadly, there is no F-Secure support email address.


    Do you feel like a little bit more fun with F-Secure handling user accounts? Here it goes:

    • Earlier this year, I created an F-Secure Community account to be able to post about some different problem here. I then got mails confirming that I now have an "F-Secure SAFE trial subscription". Huh, how come? (F-Secure help case: 04298521 Unwanted subscription to F-Secure SAFE). I was told this is a software error. The separate My F-Secure account, as well as the subscription, was created upon registration for the community by mistake. Note: Those were two separate accounts at that time.
    • I asked for deletion of my My F-Secure account, while leaving the community account alone. This was done.
    • As you know from above, I did create a new My F-Secure account a few days ago to be able to do a test installation of F-Secure SAFE.
    • I decided to delete this My F-Secure account today, since I don't want to continue the F-Secure SAFE subscription. Done. Trying to log in again failed. Good!
    • Trying to log in to the community thereafter. Fails! My community account has been deleted as well. OK, not what I wanted.
    • I create a new community account to be able to follow up this thread. I use the same email address as before.
    • Surprise, surprise: The nickname I had set previously was immediately shown with the newly created account. So, F-Secure did not completely delete my account.

    The Web Interface of F-Secure simply does not behave in a secure, state of the art manner!

    Conclusion for the time being: I will not buy any F-Secure solution that is based on a web interface, such as F-Secure SAFE. I'm frightened of security exposures there might be.

    I'm happy with F-Secure internet Security, and have been for years. Will stick to this.

  • Ukko
    Ukko Posts: 3,311 Superuser

    Hello,

    Thanks for your response!

    The fact that just anybody knowing my email address can create an account at F-Secure.com and readily work with that account is frightening. This is a first-class security exposure.

    Basically, yes. But you (as the owner of the email address) will receive a confirmation letter with the option to "cancel" (if it is not you) or to contact support about this fraud.

    In a sense, you can even arrange a coup and log into "your" account, delete it, and so on. Because you can restore access to the account by email (unless two-step verification is involved). In addition, I have not checked whether it is possible to "purchase" a subscription with an unconfirmed email in the account. If that is possible, then there is a little more oddity here.

    Also, if a My F-Secure account is not 'confirmed' (via email), this is a kind of bogus one. So, as a matter of fact, there can even be a fake email address. Thus, it is not about knowing your email address. Just about "any" random address. I mean, even if your email address is used, it does not have any connection directly to you or against you. At least I couldn't come up with some malicious scenario. Except for the very 'hard' ones.

    Besides, I think that the inability to use such an unconfirmed account after the trial (or earlier) is a good design and should mitigate most of the troubles.

    However, I feel your point of view. It's just that I also think that the ability to install the software as soon as possible (well, the described steps) is very convenient for a good user. Otherwise, it will take so many actions in some situations.

    So, you value convenience higher than security? Really?

    It's not really my value. I just often see dissatisfaction with the protracted use of this or that service, as well as "confirmation". For me it is not a problem to confirm the email address before "actual" use and will often be more "secure".

    But what kind of security do you have in mind? That the F-Secure account will be pinned to your email? And, then, a malicious actor may perform some malicious things within F-Secure software (that is, in a way that will be assigned to the account that is registered with your email, but still not confirmed)?

    Is it just the very-very fact that someone was able to use the name of your email address and use (even if only for trial time) some services?

    It is quite understandable and obvious, the current design has such a "weirdness". But is there really a security risk here?

    Perhaps anyone can use your name in any situation. Most of them will not check further whether it is really your name. And so on. Until something really important is needed.

    By the way, one of my email addresses is a very pretty one (short and fancy). Strange people constantly try to hack it. Furthermore, and what really annoys me, this email is used (like in your situation and in this discussion) for registration in a lot of services. Not by me. By someone. They put bogus names, bogus information (or their own), but this email address. I know it because of the confirmation letters in my inbox.

    However, a huge number of services even allow it to be used then without confirmation. For years. Or maybe not, but still associated with 'previous' activity by the account. Hostings, VPN services, streaming services and so on. This is really weird. Mostly about 'premium' or purchased things. So, they allowed users to purchase or use 'premium' things with an unconfirmed account and do not worry about any fraud in that way. I cannot even delete these accounts. When I contact the support of these services, they suggest logging into that account and deleting/requesting it that way. So, I really do not want to do it, because I did not create it and I do not want to accept their terms or policies (which is required for login). Weird situation.

    Is it something that you think about My F-Secure account?

    I don't care about the wrong region being chosen at first. My comment is about careless programming. If the website offers me to choose location "Switzerland", this is simply not enough! The code should offer

    Yes, it was clear that you do not really care about the wrong region at first. You just mentioned it; I just mentioned that, perhaps, it was not a mistake of a wrongly detected region (but other limitations or that sort of situation). Just in case.

    As for Switzerland: quite likely they need quality feedback from Swiss users. So, it is good that you raise this point. And maybe (if there are no replies) you can try to contact them via web-chat anyway (Contact support | F-Secure).

    As said above, I consider this implementation a security exposure.

    But, perhaps, they are not revealing your email address. They not

    In this particular case, if someone specifies an email address, this is a set of letters. Which could have just been invented by the user who is being registered. What kind of exposure is there?

    How can your email address be compromised in that situation?

    However, I understand the ethical trouble point. And also the very "absurdity" of the situation. But nonetheless? Is there something that really poses a threat to the man (the real owner of the email) and which could have been carried out without his knowledge (or it would not have been known that it was without his knowledge)?

    I also tried to think at the time about this subject, but could not figure out if there was an actual problem.

    ...this is not something to be discussed in an online chat. Sadly, there is no F-Secure support email address.

    Indeed. But you can request an email conversation in a web-chat. At least, if the 'concern' cannot be sorted out via web-chat, they themselves should suggest continuing the discussion via email.

    ...more fun with F-Secure handling user accounts

    So, the exact design of the backend is not known to me. I supposed that there is only one "My F-Secure" account as such. When you register it for a certain service, then it is used for this. However, very likely you can then use the credentials for another "F-Secure" service (that also uses one client ID), and you will proceed with that. As another activation.

    The impact: the troubles described further on.

    Surprise, surprise: The nickname I had set previously was immediately shown with the newly created account. So, F-Secure did not completely delete my account

    Perhaps this point is explained in their Terms and Policies. And other things like GDPR. They should (maybe) keep some sort of information for a while. Then fully 'delete' the data (or any other scenario).

    In addition, very likely you can request deletion of, or information about, your data from them. https://download.sp.f-secure.com/eula/latest/safe_privacy_eng.html (Retention part, for example).

    The current flow you described does have a very strange point indeed. That really could be used with malicious intent. However, there are 'mitigations' and requirements for success with a harmful impact.

    The Web Interface of F-Secure simply does not behave in a secure, state of the art manner!

    It is possible that this is so. However, it's not just the interface (especially for the secure points). But I can understand what you meant.

    Thanks!

    Amirul
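
The two posters above argue about whether letting an unconfirmed e-mail address use a trial is a risk, and what mitigates it (an unverified account stopping work after the trial, the real mailbox owner being able to reclaim the address). The following is an added illustration, not F-Secure's code and not a description of their backend (which neither poster knows): a small Python model of such a sign-up flow with the checks a practitioner would want. Everything in it is an assumption for the example: the 30-day grace period, the rule that a fresh registration replaces an unverified placeholder, and the rule that password-reset mail is only sent for verified accounts. The password hashing is deliberately minimal (plain salted SHA-256) to keep the example short; a real service would use argon2 or scrypt.

```python
"""Constructed model of a sign-up flow that tolerates an unverified e-mail
address for a limited trial, with the checks that stop a third party from
"pre-claiming" someone else's address. Not F-Secure code."""
import hmac
import secrets
import time
from dataclasses import dataclass
from hashlib import sha256
from typing import Dict, List, Optional, Tuple

# Hypothetical policy: an unverified account is unusable after 30 days.
TRIAL_GRACE_SECONDS = 30 * 24 * 3600


def _hash(password: str, salt: bytes) -> bytes:
    # Illustrative only; use argon2/scrypt in a real service.
    return sha256(salt + password.encode()).digest()


@dataclass
class Account:
    email: str
    salt: bytes
    pw_hash: bytes
    created: float
    verified: bool = False
    verify_token: Optional[str] = None


class AccountService:
    def __init__(self, now=time.time):
        self.now = now
        self.accounts: Dict[str, Account] = {}
        self.outbox: List[Tuple[str, str]] = []  # (address, token) that would be mailed

    def register(self, email: str, password: str) -> str:
        email = email.strip().lower()
        existing = self.accounts.get(email)
        if existing and existing.verified:
            # A real service should answer identically here to avoid address enumeration.
            raise ValueError("address already registered")
        # An unverified placeholder never blocks the real mailbox owner: a new
        # registration replaces it, so whoever can read the mail wins.
        salt = secrets.token_bytes(16)
        token = secrets.token_urlsafe(32)
        self.accounts[email] = Account(email, salt, _hash(password, salt), self.now(), False, token)
        self.outbox.append((email, token))
        return token  # returned only so the example can simulate reading the mail

    def verify(self, email: str, token: str) -> bool:
        acct = self.accounts.get(email.strip().lower())
        if acct is None or acct.verified or acct.verify_token is None:
            return False
        if not hmac.compare_digest(acct.verify_token, token):
            return False  # stale token from a replaced placeholder lands here
        acct.verified, acct.verify_token = True, None
        return True

    def login(self, email: str, password: str) -> str:
        acct = self.accounts.get(email.strip().lower())
        if acct is None or not hmac.compare_digest(_hash(password, acct.salt), acct.pw_hash):
            return "denied"
        if not acct.verified:
            if self.now() - acct.created > TRIAL_GRACE_SECONDS:
                return "denied: verify your address"
            return "trial"  # limited session, as the thread describes
        return "full"

    def request_password_reset(self, email: str) -> bool:
        acct = self.accounts.get(email.strip().lower())
        # Never mail a reset link for an unverified account: the mailbox owner did
        # not create it, and a reset would hand the placeholder to whoever holds
        # the address. The owner registers afresh instead (see register()).
        if acct is None or not acct.verified:
            return False
        self.outbox.append((acct.email, secrets.token_urlsafe(32)))
        return True


def scenario() -> dict:
    """Walk through the thread's worry: attacker claims victim@example.com first."""
    clock = [1_000_000.0]
    svc = AccountService(now=lambda: clock[0])
    attacker_token = svc.register("victim@example.com", "attacker-pw")
    out = {"attacker_trial": svc.login("victim@example.com", "attacker-pw")}
    clock[0] += 31 * 24 * 3600  # grace period elapses
    out["attacker_after_grace"] = svc.login("victim@example.com", "attacker-pw")
    out["reset_unverified"] = svc.request_password_reset("victim@example.com")
    owner_token = svc.register("victim@example.com", "owner-pw")  # placeholder replaced
    out["stale_token_accepted"] = svc.verify("victim@example.com", attacker_token)
    out["owner_verified"] = svc.verify("victim@example.com", owner_token)
    out["owner_login"] = svc.login("victim@example.com", "owner-pw")
    out["attacker_after_owner"] = svc.login("victim@example.com", "attacker-pw")
    out["reset_verified"] = svc.request_password_reset("victim@example.com")
    return out


if __name__ == "__main__":
    for key, value in scenario().items():
        print(f"{key}: {value}")
```

The scenario shows the two sides of the thread's argument in one run: the attacker does get a trial session on an address that is not theirs, which is the part phunsoft objects to, but the placeholder expires, cannot be reset by mail, and is silently replaced the moment the real owner registers, so the attacker's password and verification token are both dead afterwards. If a service instead kept the attacker's password when the owner verified, the owner would be sharing the account without knowing it; that is the failure mode to check for in any flow that allows use before verification.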