...at least an identity Czech?
Icon. And not a very good one, sadly.
Two crooks scammed Vodafone customers in the Czech Republic out of $26,000 thanks to weak telco-issued PIN codes. Vodafone preset the online passwords for their customers with a numerical password of 4-6 digits. A pair of chancers with no technical skills were able to launch a brute-force attack that reportedly involved trying …
Well, that's me not considering Vodafone for any future switch.
Such weak security arrangements are simply not acceptable. You don't allocate '1234' as a pin. You don't allow '1234' to be set as a pin. Where is another piece of information, such as the mentioned email address, or a standard password, or even those crappy questions about your first school or pet?
For Vodafone to hide behind its ToS when it is to blame, to save a few grand, is simply disgusting.
Surely what counts here is the ease of web-based brute-forcing rather than a specified "1234" PIN. If the pins were computer generated with an even distribution, then trying any particular PIN combination would have been equally successful.
If Voda had 600k customers, and generated random 4-digit PINs, then 1 in 10k of them would have been "1234", so blindly trying that would have given about the reported 60 hits. However, that hit-rate equally applies to /any/ of the possible 4-digit PINs (assuming no customer actioned PIN changes). Taking out "1234" only makes attacking more "random-looking" PINs easier, since there are fewer of them, although the effect is minor.
I think rather you want possible PINs to be more numerous than customers, especially if assigning them automatically to customers who may not be interested in them; so Voda should have at least generated their maximum length 6-digit PINs even if they ignored all the other security improvements they could have made - because then the hit-rate would probably have been (assuming the numbers above) almost negligible, regardless of Voda's other shortcomings (or at least the fraudsters would have had to try harder).
"Surely what counts here is the ease of web-based brute-forcing rather than a specified "1234" PIN. If the pins were computer generated with an even distribution, then trying any particular PIN combination would have been equally successful."
So obviously no. The point is, all of the PINs are 1234, so you have a 100% success rate if you guess a mobile number correctly and the person hasn't changed it. With random PINs you would have a 0.01% success rate (1 in 10000) after you guess the number correctly and it wasn't changed.
To quote the article "Vodafone preset the online passwords for their customers with a numerical password of 4-6 digits." - which is not the same as "all the passcodes were set to 1234". The article also says the attack "involved trying random phone numbers and the passcode 1234".
So every single passcode on every account (not just the 60 cracked ones) might have been auto-set to 1234 by Voda, as you say, but that's not what El Reg's article either says or implies. Does the linked Czech article say differently? (I can't read Czech).
At some point, geolocation was relevant to my job. At that time I found out that while most IP addresses in the USA have a quite precise geolocation, about ten percent have a geolocation that basically means "USA". But since each geolocation has precise coordinates, "USA" had coordinates that matched a little farm in Kansas.
They have (usually armed) police there every wee, when for example police in Los Angeles finds a drug dealer's phone with geolocation = USA = little farm in Kansas. (My phone's geolocation was in the middle of the River Thames).
Don't know about Waterphone¹ but reliable operators allow you to configure whether you are going to enable SMS payments (which may be handy for paying for public transport for non-regular users) and if so, to set a limit.
But mind, if you are going to "protect" (haha) the configuration page with "1234" plus phone number...
¹ Czechs will understand.
I will never use vodaphone ever again, used to have them for company phone on contract but when I switched to PAYG they kept removing the service and keeping my unused credit.
Taking money not belonging to you makes you a thief and I do not intentionally do business with thieves
Actually, I had been a prepaid Vodaphone customer for a whole decade before eventually their asshattery reached levels that convinced me to switch to a different provider - frankly, I can't remember the exact issues anymore but they certainly weren't trivial and were just betraying a general contempt for their customer. Not that I particularly expect others to be fundamentally different or any better, but at least they seem to be doing a reasonable job of hiding that so far...
> The 60 affected customers' bills were padded with fraudulent transactions. Rather than them writing off, Vodafone is aggressively chasing payments, even resorting to debt collectors.
For this, affected customers should be getting in touch with the Czech Telecommunications Office (Český telekomunikační úřad) if they haven't already done so: https://www.ctu.cz/ (Czech) and https://www.ctu.eu/ (English).
In the meanwhile, payment requests and debt collector letters should be ignored. Once a complaint filed with the ČTÚ, any further debt collection efforts should be reported to the police.
> The telco reportedly claimed that its clients are liable
No they clearly aren't, the company is. Vodafone deployed a system with grossly deficient security and put their victi... customers' finances and personal data at risk.
And for this, affected customers should be reporting Vodafone to the Czech Data Protection Office (Úřad pro ochranu osobních údajů). Here is the site, go to contact for phone number and opening times, or just report online: https://www.uoou.cz/.
Lastly, affected customers should run from Vodafone like the plague. It is the shittiest company I have ever had the displeasure of having to deal with anywhere in the world. And I've dealt with some shit companies.
> If Vodafone had any rate-limiting, account lockout, geofencing or time-based security on logins, that would help improve security without inconveniencing legitimate users, Thorsheim further noted.
I agree with the rest of Per's comment, but not with this. The reason being that yes, *properly implemented* those security measures would likely not inconvenience legitimate users.
But we're talking about a company that thinks "1234" is a perfectly acceptable default password. Would you really trust them to implement anything properly?
Biting the hand that feeds IT © 1998–2019