Australian media has fallen into a bout of panic following the discovery that, in addition to cat pictures, newspaper paywall gateways, pornography and illegally-copied music and movies, the Internet is used as a business communications medium. The victim of this revelation is Vodafone, which uses a Web portal to provide …
It's still a fail from Vodafone.
"Vodafone has since stated that the misuse of login credentials probably came either from a dealer or from an employee."
No shit Sherlock.
I'm still a bit confused about the article's author's sarcasm on the use of web portals being new.
They're not. Being compromised like this isn't new either.
That's why it's a fail for Vodafone: they should have known that simply trusting your employees not to hand out piss-weak credentials is a dead loss. That's why everyone else has moved on to more secure methods. Sheeze.
But the main problem ...
But the main problem isn't the fact they've got a web portal, it's the fact they seemingly hold PIN and credit card details in the clear. Also, they share logins openly (one per store which all employees know) that only change once every three months.
I'm hoping like buggery that the claims about PINs and CC details were just mistakes, bad reporting by the journo who broke the story. CC details should never be kept in clear text or available for a staff member to read, only a few digits of a number should ever be made visible. Same for PINs, they should be protected by the same system that passwords are where the employee enters it then gets told if it's right or not.
Even if those two things are just bad reporting, the fact that the store logins are protected purely by passwords is horrendous (no other hardware, software or VPN style systems), the fact they change only every three months is horrendous, and the fact they're shared by all staff is horrendous.
I'm exploring my options right now. Unfortunately I'm less than 6 months in to a 24 month contract that I cannot afford to leave at this point in time. If I can leave though, I certainly will be.
Oh, there's an update from Vodafone.
Minutes after I posted my last comment they tweeted that they've released a new statement about it, which can be found here - http://blog.vodafone.com.au/blog/news/vodafone-customer-data-security/
Apparently CC details are secured as required by PCI DSS. No word on PINs though. Passwords changing every 24 hours for now. I hope they'll implement better security to restrict logins to being from the stores (VPN or some such). Those are some of my fears answered.
It's very different
There's a big difference between a banking site which allows you to login and see your own details and an internet-facing portal that lets staff login and see the entire customer database. Surely that should be limited to intranets, in-store networks or VPNs. Even for business partners, more security than a simple username and password on the internet should protect a company's entire customer database (which includes names, addresses, phone numbers, DoBs, credit cards, etc - it's an identity theft nightmare [or nirvana depending how you look at it]).
It's a BIG FAIL and VERY different to all the examples quoted in this story.
Information wants to be free
Part of the issue is the amount of information on each customer that is made available through the portal. It makes sense to have some information available to vodafone workers for customer support (phone model, plan etc), but having absolutely everything on show is just daft.
Home addresses, dates of birth, driver's licence numbers (needed to register a SIM card to show you're not a terrorist, as terrorists don't drive as everyone knows), voicemail PIN number - it's all available.
The muppets who designed their web portal should be hit with a stick, and told to figure out what resellers, agents, vodafone shop workers etc would realistically need to see to do their jobs, and limit the information available to only that. Giving everyone a full database dump is just asking for trouble, which they've now got.
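The two fixes the comments above keep coming back to are (a) show each role only the fields it needs and (b) never display a full card number or a PIN, but verify the PIN the way a password is verified. The following is an added example illustrating both, not code from Vodafone or from The Register; the roles, field names, and the customer record are constructed for the example. One caveat a practitioner would add: a four-digit PIN space is tiny, so hashing it only stops a casual reader of the database; the server still needs attempt limiting and lockout to stop online guessing.

```python
"""Role-scoped, masked view of a customer record, plus password-style PIN
verification. Added example; roles, field names and the sample record are
assumptions made for illustration."""
import hashlib
import hmac
import os
from typing import Optional

# Assumed per-role allow-lists: a store clerk never needs a date of birth
# or licence number to sell a handset; fraud investigators may.
ROLE_FIELDS = {
    "store":   {"name", "phone", "handset", "plan", "card_number"},
    "support": {"name", "phone", "handset", "plan", "address"},
    "fraud":   {"name", "phone", "handset", "plan", "address",
                "dob", "licence_number", "card_number"},
}


def mask_card(pan: str) -> str:
    """Return the card number with everything but the last four digits
    replaced by '*' (PCI DSS permits at most first six / last four to be
    shown; this view shows only the last four)."""
    digits = "".join(c for c in pan if c.isdigit())
    if len(digits) <= 4:
        return "*" * len(digits)
    return "*" * (len(digits) - 4) + digits[-4:]


def hash_pin(pin: str, salt: Optional[bytes] = None,
             iterations: int = 200_000) -> str:
    """Store a PIN like a password: salted PBKDF2-HMAC-SHA256, never plain."""
    salt = salt if salt is not None else os.urandom(16)
    dk = hashlib.pbkdf2_hmac("sha256", pin.encode(), salt, iterations)
    return f"pbkdf2_sha256${iterations}${salt.hex()}${dk.hex()}"


def verify_pin(pin: str, stored: str) -> bool:
    """Recompute the hash from the stored salt and compare in constant time.
    The employee types the PIN; the system answers yes/no and never shows it."""
    _algo, iters, salt_hex, dk_hex = stored.split("$")
    dk = hashlib.pbkdf2_hmac("sha256", pin.encode(),
                             bytes.fromhex(salt_hex), int(iters))
    return hmac.compare_digest(dk.hex(), dk_hex)


def view_customer(record: dict, role: str) -> dict:
    """Project a full customer record down to what the given role may see.
    Card numbers are masked; the PIN hash is never included in any view."""
    allowed = ROLE_FIELDS.get(role)
    if allowed is None:
        raise PermissionError(f"unknown role {role!r}")
    view = {}
    for field in allowed:
        if field not in record:
            continue
        value = record[field]
        if field == "card_number":
            value = mask_card(value)
        view[field] = value
    return view


# Constructed sample record (not real data).
SAMPLE_CUSTOMER = {
    "name": "A. Customer",
    "phone": "0400 000 000",
    "handset": "Example Handset",
    "plan": "Cap 49",
    "address": "1 Example St, Sydney",
    "dob": "1980-01-01",
    "licence_number": "00000000",
    "card_number": "4111 1111 1111 1111",
    "voicemail_pin_hash": hash_pin("1234"),
}

if __name__ == "__main__":
    print(view_customer(SAMPLE_CUSTOMER, "store"))
    print(verify_pin("1234", SAMPLE_CUSTOMER["voicemail_pin_hash"]))
```

Two things this shows that the comments only assert: the projection is an allow-list keyed by role rather than a deny-list, so a new sensitive column added to the record is invisible by default; and the PIN is stored and checked exactly as a password would be, so a database read or a screen-scrape yields nothing usable.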
Not really panic - privacy concern
"Web portal" is a red herring. The deal is that it looks as though any dealer password can be used to access lots of info about any customer. PINs, licence numbers, complete call number history, addresses, etc.
So a keylogger on one dealer PC is likely a key to the whole customer database castle. I can get a logon to do a tax return via a web portal but I don't expect my logon to give me access to your data.
This is not a non-story...
I think Richard Chirgwin has rather missed the point.
Of course companies have web portals that allow access to customer information for the purposes of self-service. However, each customer has a unique log-in, and knowing that log-in only gives you access to that customer’s records.
Other information may be available via an extranet, but this is only a sub-set of information useful for other specific circumstances, such as stock levels and ordering systems. Such systems in any case may be tied to specific IP addresses, and shouldn’t contain sensitive customer information.
Companies should be much more restrictive about access to their back-end systems, however, where information about every customer can be seen. Usually such systems are only available in specific locations (e.g. at a call centre or branch), and require a log-in tied to an individual employee. Where remote access is possible, it is via a VPN link, again tied to an individual user and authenticated using something like an RSA token.
In this case, Vodafone was allowing access to its entire back-end system from any internet-connected computer using nothing more than a generic password. Richard Chirgwin mentions banks, as if this behaviour is usual – but would you be happy if someone could access all the information the bank has on file about you from anywhere in the world using a simple username/password combination – especially when such logins are generic and shared between many different users? I think not.
For sure, the media has hyped this up somewhat (saying ‘their whole customer base information is publicly accessible on the internet’ is a bit of a stretch), but there is still a genuine story here. Vodafone Australia’s infosec policies are clearly not up to scratch, potentially exposing customer information to miscreants who could use it to commit fraud, including identity theft. And that is no trivial matter.
Richard Chirgwin - full points; SMH/TSH - minus several million points...
I completely agree with Richard, and it's great to see an article dispel the FUD so simply. Pity this got no airplay here in Sydney, Australia.
Yes: Vodafone are probably speaking to the SecurID people at RSA right now about better authentication solutions (no, I don't work for them), and yes: access to customer data should be graduated - but anyone who thinks that these lapses are in any way unique to Vodafone Australia is living in fantasy land.
In my limited experience, here in Sydney, Australia, corporate IT do not invest any time or money into authentication, change control, encryption etc., certainly in comparison with European and Scandinavian companies I've worked with. Just look at the job ads - these requirements are the 51st bullet point on a Systems Admin job description - very poor.