back to article Vodafone hounds Czech customers for bills after they were brute-forced with Voda-issued PINs

Two crooks scammed Vodafone customers in the Czech Republic out of $26,000 thanks to weak telco-issued PIN codes. Vodafone preset the online passwords for their customers with a numerical password of 4-6 digits. A pair of chancers with no technical skills were able to launch a brute-force attack that reportedly involved trying …

  1. Chronos Silver badge
    Joke

    Surely...

    ...at least an identity Czech?

    Icon. And not a very good one, sadly.

  2. Sykowasp

    Well, that's me not considering Vodafone for any future switch.

    Such weak security arrangements are simply not acceptable. You don't allocate '1234' as a pin. You don't allow '1234' to be set as a pin. Where is another piece of information, such as the mentioned email address, or a standard password, or even those crappy questions about your first school or pet?

    For Vodafone to hide behind its ToS when it is to blame, to save a few grand, is simply disgusting.

    1. Lee D Silver badge

      And if you want to hold customer's liable for their choice of PIN, they have to have chosen it.

      As in, they have to have logged in with the temporary credentials, changed it to something of their own choosing, and THEN get compromised.

      Which isn't what happened.

    2. Anonymous Coward
      Anonymous Coward

      1234 as a pin

      Surely what counts here is the ease of web-based brute-forcing rather than a specified "1234" PIN. If the pins were computer generated with an even distribution, then trying any particular PIN combination would have been equally successful.

      If Voda had 600k customers, and generated random 4-digit PINs, then 1 in 10k of them would have been "1234", so blindly trying that would have given about the reported 60 hits. However, that hit-rate equally applies to /any/ of the possible 4-digit PINs (assuming no customer actioned PIN changes). Taking out "1234" only makes attacking more "random-looking" PINs easier, since there are fewer of them, although the effect is minor.

      I think rather you want possible PINs to be more numerous than customers, especially if assigning them automatically to customers who may not be interested in them; so Voda should have at least generated their maximum length 6-digit PINs even if they ignored all the other security improvements they could have made - because then the hit-rate would probably have been (assuming the numbers above) almost negligible, regardless of Voda's other shortcomings (or at least the fraudsters would have had to try harder).

      1. DavCrav Silver badge

        Re: 1234 as a pin

        "Surely what counts here is the ease of web-based brute-forcing rather than a specified "1234" PIN. If the pins were computer generated with an even distribution, then trying any particular PIN combination would have been equally successful."

        So obviously no. The point is, all of the PINs are 1234, so you have a 100% success rate if you guess a mobile number correctly and the person hasn't changed it. With random PINs you would have a 0.01% success rate (1 in 10000) after you guess the number correctly and it wasn't changed.

        1. Anonymous Coward
          Anonymous Coward

          Re: The point is, all of the PINs are 1234,

          To quote the article "Vodafone preset the online passwords for their customers with a numerical password of 4-6 digits." - which is not the same as "all the passcodes were set to 1234". The article also says the attack "involved trying random phone numbers and the passcode 1234".

          So every single passcode on every account (not just the 60 cracked ones) might have been auto-set to 1234 by Voda, as you say, but that's not what El Reg's article either says or implies. Does the linked Czech article say differently? (I can't read Czech).

    3. Blank Reg Silver badge

      Nothing has changed

      I recently picked up a prepaid vodaphone SIM card on a trip to Prague, I'll give you one guess at the pin number.

  3. Anonymous Coward
    Anonymous Coward

    Ahhh, sounds almost like our local Vodacom (South Africa). I may be wrong, though.

  4. Anonymous Coward
    Anonymous Coward

    Scammers, Czechmate and you're nicked.

  5. iron Silver badge

    Geofencing for logins?

    No thanks. Location services are terrible for desktop or laptop since they often say where your ISP is based rather than the user's actual location and this was an online account so you shouldn't need to login on your phone.

    1. Steve Davies 3 Silver badge

      Re: Geofencing for logins?

      Sometimes, not having the right geolocation is a good thing. One website I use thinks that I'm in postcode NG20. That is over 100 miles away from there I really am.

      Perfect!

      1. gnasher729 Silver badge

        Re: Geofencing for logins?

        At some point, geolocation was relevant to my job. At that time I found out that while most IP addresses in the USA have a quite precise geolocation, about ten percent have a geolocation that basically means "USA". But since each geolocation has precise coordinates, "USA" had coordinates that matched a little farm in Kansas.

        They have (usually armed) police there every wee, when for example police in Los Angeles finds a drug dealer's phone with geolocation = USA = little farm in Kansas. (My phone's geolocation was in the middle of the River Thames).

  6. JimmyPage Silver badge
    WTF?

    3 strikes and you're out ?

    Sorry, unless it's involved some very sophisticated playing with spacetime, WTF don't sites just lock an account after 3 incorrect tries ?

    1. Anonymous Coward
      Anonymous Coward

      Re: 3 strikes and you're out ?

      Re: 3 strikes and you're out ?

      because then it becomes trivial to mount denial of service attacks against customers.

    2. deive

      Re: 3 strikes and you're out ?

      They were attacking different amounts with the same pin, not one account with different pins.

      Still should have something in place to protect against that though.

  7. DonL

    Credit limit?

    Pay by SMS may be handy to pay for an € 1 app, but it's way to fraud sensitive to allow the payment of large amounts. If Vodafone didn't impose a suitable limit (€50 for example), then that's negligence on their part.

    1. Anonymous Coward
      Anonymous Coward

      Re: Credit limit?

      Don't know about Waterphone¹ but reliable operators allow you to configure whether you are going to enable SMS payments (which may be handy for paying for public transport for non-regular users) and if so, to set a limit.

      But mind, if you are going to "protect" (haha) the configuration page with "1234" plus phone number...

      ¹ Czechs will understand.

  8. Anonymous Coward
    Anonymous Coward

    Vodaphone

    I will never use vodaphone ever again, used to have them for company phone on contract but when I switched to PAYG they kept removing the service and keeping my unused credit.

    Taking money not belonging to you makes you a thief and I do not intentionally do business with thieves

    1. DropBear Silver badge

      Re: Vodaphone

      Actually, I had been a prepaid Vodaphone customer for a whole decade before eventually their asshattery reached levels that convinced me to switch to a different provider - frankly, I can't remember the exact issues anymore but they certainly weren't trivial and were just betraying a general contempt for their customer. Not that I particularly expect others to be fundamentally different or any better, but at least they seem to be doing a reasonable job of hiding that so far...

  9. Anonymous Coward
    Anonymous Coward

    Here's what to do

    > The 60 affected customers' bills were padded with fraudulent transactions. Rather than them writing off, Vodafone is aggressively chasing payments, even resorting to debt collectors.

    For this, affected customers should be getting in touch with the Czech Telecommunications Office (Český telekomunikační úřad) if they haven't already done so: https://www.ctu.cz/ (Czech) and https://www.ctu.eu/ (English).

    In the meanwhile, payment requests and debt collector letters should be ignored. Once a complaint filed with the ČTÚ, any further debt collection efforts should be reported to the police.

    > The telco reportedly claimed that its clients are liable

    No they clearly aren't, the company is. Vodafone deployed a system with grossly deficient security and put their victi... customers' finances and personal data at risk.

    And for this, affected customers should be reporting Vodafone to the Czech Data Protection Office (Úřad pro ochranu osobních údajů). Here is the site, go to contact for phone number and opening times, or just report online: https://www.uoou.cz/.

    Lastly, affected customers should run from Vodafone like the plague. It is the shittiest company I have ever had the displeasure of having to deal with anywhere in the world. And I've dealt with some shit companies.

  10. Anonymous Coward
    Anonymous Coward

    Security

    > If Vodafone had any rate-limiting, account lockout, geofencing or time-based security on logins, that would help improve security without inconveniencing legitimate users, Thorsheim further noted.

    I agree with the rest of Per's comment, but not with this. The reason being that yes, *properly implemented* those security measures would likely not inconvenience legitimate users.

    But we're talking about a company that thinks "1234" is a perfectly acceptable default password. Would you really trust them to implement anything properly?

  11. John Savard Silver badge

    Liability

    Since the miscreants have been caught, the law should bar the company from attempting to recover the money from anyone else but them. Even more so in a case like this, where the company itself set up the situation.

  12. Shadow Systems Silver badge

    If you get a letter demanding payment...

    ...can you reply that the Czech is in the mail?

    *Runs away before someone chucks a beer mug at my head*

    1. Anonymous Coward
      Anonymous Coward

      Re: If you get a letter demanding payment...

      But what if the Czech bounces ?

      1. Shadow Systems Silver badge

        Re: If you get a letter demanding payment...

        Even my Reality Czechs bounce. =-)p

      2. DropBear Silver badge
        Trollface

        Re: If you get a letter demanding payment...

        "But what if the Czech bounces ?"

        WILLIAM WONKA! What - did - you - do - this - time?!?

  13. Andre Carneiro
    FAIL

    Ah, Vodafone...

    The gift that keeps on giving.

    Good to see they’re as utterly shit abroad as they are in the UK.

    Never again!

  14. Anonymous Coward
    Anonymous Coward

    4 Digit SIM PIN?

    Nah. I use six. Always have, always will.

    Just because some bloke's wife back in the 60s could only remember 4 digits why are we all hamstringing our security with only 4 digits ?

POST COMMENT House rules

Not a member of The Register? Create a new account here.

  • Enter your comment

  • Add an icon

Anonymous cowards cannot choose their icon

Biting the hand that feeds IT © 1998–2019