* Carta Security Bug – Startups Beware

Carta (formerly eShares) may not be as secure as you think.

Yesterday, I logged in to Carta (https://carta.com/), which provides a software as a service (SaaS) platform for startups to manage cap tables, keep track of stock options and the like, and do valuation.

I had not logged in for over a year. Like many companies, Carta has embraced two-factor authentication (2FA) (https://en.wikipedia.org/wiki/Multi-factor_authentication), which claims to be more secure than other methods, but is often no more than security theatre (https://en.wikipedia.org/wiki/Security_theater).

After I had logged in (I knew both my username and password), I was prompted to add my cell phone number to the Carta system, which I did. I then entered the 6-digit 2FA code into Carta. I’m sure that you can guess what happened next – or almost next. Carta logged me out and required me to re-enter my (1) username, (2) password, and (3) 2FA code.

What you probably CANNOT guess is what happened BETWEEN my two sessions. While I was still logged in to session #1, I was prompted to “click here to download” (or the like) my “recovery codes,” which are used in place of 2FA or when you have forgotten your username/password (or changed cell phone numbers).

Recovery codes are another form of security theatre. They are too long and difficult to remember, so people write them down, PDF them, or print them. Much like they do for auto-generated passwords that are too difficult to remember. (When I was on active duty in the USAF, the VAX/VMS system that we used for email required crazy complicated passwords. Most people stored their passwords on a sticky note in their top desk drawers. Yay security!) Nevertheless, I have used recovery codes for the USPTO, Dropbox, Apple’s FileVault disk encryption technology, and others.

So, between my sessions, I was prompted to download my recovery codes. I clicked the link, briefly saw my codes on the screen (looked like about a half a dozen 6-digit numbers), and then WAS LOGGED OUT BY CARTA.

And getting your recovery codes from Carta is a one-shot deal. There is no redo.

I immediately complained to Carta support about this security bug in their software. Their reply was not super helpful:

“Thanks for contacting Carta Support! Unfortunately, there is no way to recover backup codes if they were not saved. With that being said, if you do not have your backup codes to log in, you can always submit a 2FA reset request and our team will handle that for you and restore access to your account.”

What about if the recovery codes were not saved DUE TO A BUG IN YOUR SOFTWARE?

I know that Carta is the de facto standard provider of cap table services (and the like) to startups, but this incident would make me look elsewhere for such services – and advise those MassChallenge and Techstars companies that I mentor to do likewise.

Once again, I am reminded of the seminal Jul/Aug 2002 MIT Technology Review cover story article on sucky software:

* Why Software Is So Bad by Charles C. Mann (2000-07-01)
WAS: http://www.technologyreview.com/articles/mann0702.asp
NOW: https://www.technologyreview.com/2002/07/01/40875/why-software-is-so-bad/

In short, software is bad because we, as users, put up with bad software. I have complained about bad software and sloppy programming in the past (see “related posts” below). And, unfortunately, I believe that I will complain about bad software in the future.

Related Posts

  1. * MIT Alumni Email Forwarding For Life (EFL) Security Issues (2020-12-06)
    A cautionary tale about so-called email forwarding.
  2. * Twitter Bug Makes Tweet Archives Unreliable For eDiscovery (2014-11-17)
    Tweets from 2010 and earlier suffer from URL redirection problem.
  3. * Google’s Buzz Tweaks Are Lipstick On A Pig, And Why Google 2010 Is Like Microsoft 1998 (2010-02-17)
    Just because something can be done doesn’t mean it should be done.
  4. * Drawing That Explains Google Buzz Privacy Problems (2010-02-14)
    Think visually before launching technology products.
  5. * Gmail Fail: Account Lockdown: Unusual Activity Detected (2008-10-10)
    Gmail locks me out daily for READING my mail too quickly.
  6. * How To Fix Verizon FiOS Internet Service When All HTTP Traffic Is Blocked (2008-01-21)
    QA rule zero: whatever changed last caused the problem.
  7. * Amazon.com’s Silly Password Changing Procedure (2005-10-12)
    Another large company is clueless about password security.
  8. * [Deleted] Credit Card (In)security (2004-06-10)
  9. * Software Patents: Final HERTS (Hypotheticals, Examples, Rants, Thoughts, And Stats) (Part 8) (2003-06-16)
    Using open source software is a bit like reading Entertainment Weekly. Lots of people do it but few admit it. Plus other observations that didn’t fit anywhere else.


Erik J. Heels claims to publish the #1 blog about technology, law, baseball, and rock ‘n’ roll.