HackerTrans
TopNewTrendsCommentsPastAskShowJobs

MaxGabriel

no profile record

Submissions

Mercury defeats phishing with device verification

mercury.com
6 points·by MaxGabriel·năm ngoái·1 comments

Documenting Your Database Schema

mercury.com
3 points·by MaxGabriel·2 năm trước·1 comments

Utility Types in TypeScript

mercury.com
2 points·by MaxGabriel·3 năm trước·0 comments

Creating an EmptyObject Type in TypeScript

mercury.com
2 points·by MaxGabriel·3 năm trước·0 comments

Linting Your Postgres Schema

mercury.com
2 points·by MaxGabriel·3 năm trước·1 comments

comments

MaxGabriel
·3 tháng trước·discuss
Any chance the first result was an ad? Those are definitely a popular phishing distribution mechanism, so getting your parents an adblocker could help
MaxGabriel
·6 tháng trước·discuss
We have a similar check in our Haskell codebase, after running into two issues:

1. Nested database transactions could exhaust the transaction pool and deadlock 2. Same as you described with doing eg HTTP during transactions

We now have a compile time guarantee that no IO can be done outside of whitelisted things, like logging or getting the current time. It’s worked great! Definitely a good amount of work though.
MaxGabriel
·6 tháng trước·discuss
One thing to add about performance: it's also pretty easy in Postgres to index only non-soft deleted data.

I think this is likely unnecessary for most use cases and is mostly a RAM saving measure, but could help in some cases.
MaxGabriel
·6 tháng trước·discuss
This might stem from the domain I work in (banking), but I have the opposite take. Soft delete pros to me:

* It's obvious from the schema: If there's a `deleted_at` column, I know how to query the table correctly (vs thinking rows aren't DELETEd, or knowing where to look in another table)

* One way to do things: Analytics queries, admin pages, it all can look at the same set of data, vs having separate handling for historical data.

* DELETEs are likely fairly rare by volume for many use cases

* I haven't found soft-deleted rows to be a big performance issue. Intuitively this should be true, since queries should be O log(N)

* Undoing is really easy, because all the relationships stay in place, vs data already being moved elsewhere (In practice, I haven't found much need for this kind of undo).

In most cases, I've really enjoyed going even further and making rows fully immutable, using a new row to handle updates. This makes it really easy to reference historical data.

If I was doing the logging approach described in the article, I'd use database triggers that keep a copy of every INSERT/UPDATE/DELETEd row in a duplicate table. This way it all stays in the same database—easy to query and replicate elsewhere.
MaxGabriel
·năm ngoái·discuss
I’m the author of this post and a co-founder of Mercury. Let me know if you have any questions!
MaxGabriel
·năm ngoái·discuss
You’re correct that Mercury uses Haskell for its backend: https://serokell.io/blog/haskell-in-production-mercury
MaxGabriel
·2 năm trước·discuss
> AFAICT, Mercury only allows a single security key.

We allow multiple security keys. You can add more here: https://app.mercury.com/settings/security
MaxGabriel
·2 năm trước·discuss
> 6-10 digit numeric or alphanumeric code that could be copied out of the email message into a form field on the signin screen.

To be clear this is what we're trying to avoid. An easily typeable code like that can be typed into a phisher's website.
MaxGabriel
·2 năm trước·discuss
Oh good find, the link going through Mailgun as a redirect is a recent regression. We have a PR to fix that going live soon.

That said, our security team and I agree there is no security issue here. Mailgun already can see the text of the emails we send.
MaxGabriel
·2 năm trước·discuss
I’m the CTO of Mercury

You shouldn’t get the device verification requirement if you’ve used the device before (we store a permanent cookie to check this) or for the same IP. Any chance your cookies are being cleared regularly?

We added this after attackers created clones of http://mercury.com and took out Google ads for it. When customers entered their password and TOTP on the phishing site, the phisher would use their credentials to login and create virtual cards and buy crypto/gold/etc. The phisher would also redirect the user to the real Mercury and hope they figured it was a blip.

This device verification link we send authorizes the IP/device you open it on, which has almost entirely defeated the phishers.

Since WebAuthn is immune to this style of phishing attack, we don’t require device verification if you use it. I highly recommend using TouchID/FaceID or your device’s flavor of WebAuthn if you can—it’s more convenient and more secure. You can add it here: https://app.mercury.com/settings/security

That said, we are talking internally about your post and we do recognize that as IPv6 gets more traction IPs will rotate much more regularly, so we’ll think if we should loosen restrictions on being a same-IP match.
MaxGabriel
·2 năm trước·discuss
I think database schema docs are really valuable, so much so that I added tests that require docs for each table and column. But I still got asks that the docs needed more information, mostly from data science people (who otherwise need to go bug engineers, or end up writing bugs in their own SQL). So I wrote internal guidelines for documenting database tables, and eventually that became this blog post

Lemme know if you have any questions!
MaxGabriel
·2 năm trước·discuss
> Kener is a Open-Source

Should this be “an” in the page header?
MaxGabriel
·3 năm trước·discuss
100% open rate on transactional emails feels too high to me. Something like an e-commerce purchase might kick off multiple emails (purchase made, shipped, arrived), none of which the user opens
MaxGabriel
·3 năm trước·discuss
I’m the author of this post and a co-founder of Mercury. AMA!
MaxGabriel
·3 năm trước·discuss
It’s pretty common to use ad network mediators, which try multiple ad networks for an ad, to optimize for using high earning ones first, and falling back to others in case the first network didn’t have an ad to show.

(I helped make such a product 7 years ago)
MaxGabriel
·3 năm trước·discuss
Just as one data point, Mercury has hired maybe ~120 Haskell engineers in the last 4 years. Some of that is reflected in these job posts but we definitely hired a lot more than we posted on the subreddit.
MaxGabriel
·3 năm trước·discuss
If anyone from GitHub is reading, any idea if the double commit bug the merge queue had has been fixed?

https://github.com/orgs/community/discussions/36568

(This was an issue for us during the beta)
MaxGabriel
·3 năm trước·discuss
It’s also a huge vector for actual phishing, especially because google ads doesn’t use puny code, so it’s easy to buy ads for sites that differ by just a diacritic
MaxGabriel
·3 năm trước·discuss
Does anyone else get an infinite redirect loop visiting on mobile safari?

Edit: it’s fixed by requesting the desktop website.
MaxGabriel
·3 năm trước·discuss
"other banks" was a bit ambiguous, here's the list of banks for our partner Evolve: https://www.getevolved.com/openbanking/fdic-mercury/

You as the customer are the owner of record on the funds. The accounts are held by our partner banks at these other banks, as your agent and custodian (something like "Evolve Bank and Trust for benefit of Acme Corp).

The FDIC insurance applies to the business holding the funds; it is definitely not insuring Mercury itself.

You do need to use Mercury to withdraw the funds; we still run all the authorization and compliance rules around this, and there isn't a facility for you to go into eg United Texas Bank and ask for your money. That said, if Mercury were to go bankrupt tomorrow, your funds are held by our partner banks who have full KYC/KYB info on you would be able to access all your funds.