
posted by chromas on Wednesday September 12 2018, @10:44PM
from the Czech-your-password dept.

Submitted via IRC for TheMightyBuzzard

A Czech court recently sentenced two hackers to three years in prison for accessing Vodafone customers' mobile accounts and using them to purchase 600,000 Czech Koruna worth of gambling services. Vodafone reportedly wants the hacked victims to pay for these charges, as they were using the easy password "1234".

According to reporting from Czech news site idnes.cz, the hackers accessed mobile customers' accounts by using the password 1234. Once they had gained access, they ordered new SIM cards, which they picked up from various branches. As they knew the phone number and password, they were able to pick up the SIM card and install it in their phones without any other verification.

This allowed the attackers to charge over 600,000 Czech Koruna, or approximately 30K USD, for gambling services.

What do you lot think, should there be a blatant stupidity tax?

Source: https://www.bleepingcomputer.com/news/security/vodafone-tells-hacked-customers-with-1234-password-to-pay-back-money/


  • (Score: 4, Funny) by PartTimeZombie on Wednesday September 12 2018, @10:50PM (3 children)

    by PartTimeZombie (4827) on Wednesday September 12 2018, @10:50PM (#733885)

    ...should there be a blatant stupidity tax?

    As any fule kno hunter2 is the best password.

    • (Score: 0) by Anonymous Coward on Wednesday September 12 2018, @11:35PM (2 children)

      by Anonymous Coward on Wednesday September 12 2018, @11:35PM (#733903)

      25 years and nuthin wrong using 'password', '1234' or 'qwerty'. 'hunter2' is like super secure, use it for my banking.

      • (Score: 2) by captain normal on Thursday September 13 2018, @06:33AM

        by captain normal (2205) on Thursday September 13 2018, @06:33AM (#734053)

        Naw...everyone knows the best PW is 1qazxdr5tgbhu8

        --
        When life isn't going right, go left.
      • (Score: 2) by maxwell demon on Thursday September 13 2018, @07:32AM

        by maxwell demon (1608) on Thursday September 13 2018, @07:32AM (#734077) Journal

        I secure all my important stuff with the password "Correct Horse Battery Staple". I learned from xkcd that this is an extremely secure password.

        --
        The Tao of math: The numbers you can count are not the real numbers.
  • (Score: 0) by Anonymous Coward on Wednesday September 12 2018, @10:54PM (3 children)

    by Anonymous Coward on Wednesday September 12 2018, @10:54PM (#733889)

    Do you know everything? Because you are gonna pay that tax otherwise.

    • (Score: 2) by maxwell demon on Thursday September 13 2018, @07:33AM

      by maxwell demon (1608) on Thursday September 13 2018, @07:33AM (#734078) Journal

      Stupidity != ignorance.

      --
      The Tao of math: The numbers you can count are not the real numbers.
    • (Score: 2) by fyngyrz on Thursday September 13 2018, @02:26PM (1 child)

      by fyngyrz (6567) on Thursday September 13 2018, @02:26PM (#734247) Journal

      What do you lot think, should there be a blatant stupidity tax?

      Yes. On the company that couldn't be bothered to look at a prospective password and make sure it complies with just a few simple metrics.

      How many times have we seen password systems that require at least one lower case, and one upper case, and one number, and one punctuation, plus a minimum length? What's so bloody hard about that? Or going even further with metrics like "letters must not be sequential or duplicate", etc.?

      Seriously, the problem here is that these operations dumb things down — either because they are dumb, or because they want every freaking IQ-bereft customer to drool their way into their coffers — beyond any reasonable degree.

      Password security matters when the customer's data is involved, as it was in this case. Any idea that it's "too hard" is a hugely bad idea. Any failure to see to it that password security is maintained is stupid, whether intentional or not.

  • (Score: 2) by Gaaark on Wednesday September 12 2018, @11:08PM

    by Gaaark (41) on Wednesday September 12 2018, @11:08PM (#733897) Journal

    Might make people take more care with passwords and privacy.

    Maybe.

    Yeah...no. Probably not. Stupid is hard to fix.

    !oooh!, Facebook like! *sploooge*

    --
    --- Please remind me if I haven't been civil to you: I'm channeling MDC. ---Gaaark 2.0 ---
  • (Score: 2, Funny) by Anonymous Coward on Wednesday September 12 2018, @11:13PM (1 child)

    by Anonymous Coward on Wednesday September 12 2018, @11:13PM (#733899)

    I have the same combination on my luggage.

    • (Score: 0) by Anonymous Coward on Thursday September 13 2018, @12:34PM

      by Anonymous Coward on Thursday September 13 2018, @12:34PM (#734192)

      LOL. I came here looking for this and I'm not disappointed. Thanks Sir.

  • (Score: 5, Insightful) by darkpixel on Wednesday September 12 2018, @11:43PM (7 children)

    by darkpixel (4281) on Wednesday September 12 2018, @11:43PM (#733906)

    Sure, we can have a stupidity tax. But let's charge Vodafone. I have a 14-digit PIN I would *love* to use in order to be *secure*...but neither my bank nor my cell phone company allow anything longer than 4 digits.

    • (Score: 0) by Anonymous Coward on Wednesday September 12 2018, @11:50PM

      by Anonymous Coward on Wednesday September 12 2018, @11:50PM (#733907)

      Most insightful comment here.

    • (Score: 2) by inertnet on Wednesday September 12 2018, @11:56PM (2 children)

      by inertnet (4071) on Wednesday September 12 2018, @11:56PM (#733909) Journal

      Even worse, this site already has your PIN [deviantart.com].

      • (Score: 0) by Anonymous Coward on Thursday September 13 2018, @06:03AM (1 child)

        by Anonymous Coward on Thursday September 13 2018, @06:03AM (#734045)

        The comments on there are full of people who would be in the highest idiot-tax bracket. For example:

        I literally just wasted one+ hours of my life, making a script that then took 2 minutes more of my life to create a list of all the possible combinations...
        When in reality I should've just Googled it first to see if someone else already had a list...

        Why did I do this to my self ;~;

        I don't even know where to start with this, but at least he tried, unlike all the others who apparently can't count.

        • (Score: 1) by darkpixel on Friday September 14 2018, @12:29AM

          by darkpixel (4281) on Friday September 14 2018, @12:29AM (#734583)

          I'm not sure why it would take hours of his life.

          Bash:

          # bash 4 or later zero-pads a brace range
          for n in {0000..9999}; do echo $n; done

          Node:

          for (let i = 0; i < 10000; i++) {
              // zero-pad to four digits with the built-in padStart; no npm package needed
              console.log(String(i).padStart(4, '0'));
          }

          Python:

          # range(0, 9999) would stop at 9998; range(10000) covers 0000 through 9999
          for i in range(10000):
              print(format(i, '04'))

          BASIC:

          10 PRINT "You're still programming in BASIC? Go fuck yourself."

    • (Score: 5, Insightful) by Fluffeh on Thursday September 13 2018, @12:29AM (1 child)

      by Fluffeh (954) Subscriber Badge on Thursday September 13 2018, @12:29AM (#733926) Journal

      But let's charge Vodafone.

      That's spot on. Because in this case, it isn't the customers who got hacked; it is poor Vodafone processes and a lack of controls in place to mitigate the risk that have caused this. Were the customer passwords daft? Yes. But it was the company rules and processes that allowed this to happen, so Vodafone can't pass the buck here when some (at least partly) clever crooks gamed the system and made everyone look stupid.

      I would say from a PR point of view, the best thing Vodafone could do would be to shut up and change their processes to try to stop this happening again. Also, given the crooks had access to accounts, how many personal voicemails were saved, was there any access to customer cloud data?

      Lastly, I'm also going to say that there must have been an AWFUL lot of customer accounts being TESTED to see if their password was 1234. Isn't a good part of intrusion security checking for anomalous traffic out of nowhere? You would think a single IP suddenly trying to access thousands of accounts using a password of 1234 should sound alarm bells. This should have been picked up and shut down before a single SIM card was ordered or a single bet was placed.

      • (Score: 5, Insightful) by Mykl on Thursday September 13 2018, @03:24AM

        by Mykl (1112) on Thursday September 13 2018, @03:24AM (#733992)

        Vodafone can't claim that they are offering super security when there are a maximum of 10,000 passwords available. If, as the summary implies, the "hackers" just trawled the customer base with a set PIN, they'd be bound to pick up a number of accounts no matter which PIN they entered. 1234 was probably just picked because it was likely to have slightly more results than another random number.
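Fluffeh's point that a single source trying thousands of accounts with one PIN should sound alarm bells, and Mykl's point that a fixed guess across the customer base is bound to open some accounts, translate directly into a detection rule: group login attempts by source rather than by account, because per-account lockouts never fire when each account sees only one attempt. The following is an added example, not code from the thread or from Vodafone; the log lines are constructed and their `ts src= acct= result=` format is an assumption.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log (not real carrier data); the line format is an assumption.
SAMPLE_LOG = """\
2018-09-12T22:01:00 src=203.0.113.7 acct=A1001 result=fail
2018-09-12T22:01:01 src=203.0.113.7 acct=A1002 result=fail
2018-09-12T22:01:02 src=203.0.113.7 acct=A1003 result=ok
2018-09-12T22:01:03 src=203.0.113.7 acct=A1004 result=fail
2018-09-12T22:01:04 src=203.0.113.7 acct=A1005 result=fail
2018-09-12T22:01:05 src=203.0.113.7 acct=A1006 result=ok
2018-09-12T22:05:00 src=198.51.100.9 acct=A2001 result=fail
2018-09-12T22:05:30 src=198.51.100.9 acct=A2001 result=ok
"""

def parse_line(line):
    """Split 'ts key=value ...' into (timestamp, src, acct, succeeded)."""
    ts, *fields = line.split()
    kv = dict(f.split("=", 1) for f in fields)
    return datetime.fromisoformat(ts), kv["src"], kv["acct"], kv["result"] == "ok"

def detect_spraying(log_text, window=timedelta(minutes=10), min_accounts=5):
    """Return {src: (distinct_accounts, successful_logins)} for every source
    that tried at least `min_accounts` different accounts within `window`.
    A normal user retrying their own account (198.51.100.9 below) is not flagged."""
    by_src = defaultdict(list)
    for line in log_text.splitlines():
        if line.strip():
            ts, src, acct, ok = parse_line(line)
            by_src[src].append((ts, acct, ok))
    alerts = {}
    for src, events in by_src.items():
        events.sort()  # oldest first so the sliding window below is valid
        start = 0
        for end in range(len(events)):
            while events[end][0] - events[start][0] > window:
                start += 1
            in_window = events[start:end + 1]
            accounts = {acct for _, acct, _ in in_window}
            if len(accounts) >= min_accounts and len(accounts) > alerts.get(src, (0, 0))[0]:
                hits = {acct for _, acct, ok in in_window if ok}
                alerts[src] = (len(accounts), len(hits))  # keep the widest window seen
    return alerts

if __name__ == "__main__":
    for src, (tried, opened) in detect_spraying(SAMPLE_LOG).items():
        print(f"ALERT {src}: {tried} accounts tried, {opened} opened")
```

The successful-login count is the part worth paging someone for: a spray that opened accounts is the point at which SIM orders or purchases should be held for review.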

    • (Score: 3, Insightful) by bzipitidoo on Thursday September 13 2018, @02:44AM

      by bzipitidoo (4388) on Thursday September 13 2018, @02:44AM (#733973) Journal

      The one I love is truncating the password to 8 characters. More than one system I've encountered did that. Sure, it'll let you type in a longer password, but it only checks the first 8 characters. That's the Y2K of password security. The designers were too damned miserly to allow a few more bytes for a little bit longer password, as if it's still the 1970s when 256 bytes really was a significant amount of memory.

      I also giggle whenever an organization is able to tell me what my password was, when I claim to have forgotten it.

      And, wow, the insecurity of 1980s multiuser OSes was shocking. Did a lot of things that would be unthinkable today. Store all the passwords in plaintext, and leave them in memory after the password checker exits so that any other process that allocates memory and happens to receive that block can just read everyone's passwords. Yeah, that's what the mighty IBM mainframe did. The same sort of trick was probably possible with the disk. Change your password, forcing the password file to be updated, and maybe you could grab the memory that the IO system just used, or maybe you could grab the area on the disk where the old password file was stored.

  • (Score: 3, Interesting) by Anonymous Coward on Thursday September 13 2018, @12:07AM (2 children)

    by Anonymous Coward on Thursday September 13 2018, @12:07AM (#733912)

    1-2-3-4 isn't blocked by Vodafone as a combo.

    If it's insecure reject it. Otherwise allow it. Either 1234 and 1111 and 0000 and 9876 are allowed, or not. If not, what about digits of pi or e? What about years - anything starting with 19** or 20** or maybe even further back. Pretty soon there aren't many numbers left, in that 10,000.

    • (Score: 5, Informative) by sjames on Thursday September 13 2018, @12:15AM (1 child)

      by sjames (2882) on Thursday September 13 2018, @12:15AM (#733918) Journal

      Not only not blocked, according to TFA, they set it as a default on every new account.

      • (Score: 4, Insightful) by JoeMerchant on Thursday September 13 2018, @03:07AM

        by JoeMerchant (3937) on Thursday September 13 2018, @03:07AM (#733985)

        So, that should be the "reset your password today" prompt that comes up every day your password is still the default 1234. If they're not actively prompting them to change it, I'd say it's as valid as any other password.

        Furthermore, if the password is limited to 4 numerical digits, Vodafone should be held liable anyway. The available code space for passwords should exceed the number of customers, period - preferably by a large factor like the number of customers squared.

        --
        🌻🌻 [google.com]
  • (Score: 5, Informative) by sjames on Thursday September 13 2018, @12:12AM

    by sjames (2882) on Thursday September 13 2018, @12:12AM (#733917) Journal

    Before we blame the customers for having '1234' as their password, Vodafone admits that customer representatives set it to that when they set up the account. Further, there is a 6 character limit on passwords, the website says use a 4 to 6 digit number, and many customers say they don't know how their password came to be 1234.

    So if a stupidity tax is due, there is real question who should be paying it.

  • (Score: 2, Insightful) by davidjohnpaul on Thursday September 13 2018, @01:02AM

    by davidjohnpaul (5377) on Thursday September 13 2018, @01:02AM (#733939) Homepage

    If Vodafone don't want people using 1234 as their password, then they shouldn't allow users to have 1234 as a password.
    Allow passwords to be a reasonable length and blacklist known bad passwords and things like this shouldn't happen.
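The rejection rules the Anonymous Coward above sketches (repeats, sequences, years, digits of pi and e), sjames's note that the site asks for a 4 to 6 digit number, davidjohnpaul's blocklist suggestion and JoeMerchant's code-space argument fit into one checker. This is an added example, not the site's or Vodafone's code; the rule set and blocklist are assumptions, and what it shows is how much of the 10,000 four-digit space actually survives once the obvious choices are refused.

```python
from itertools import product

# Assumed blocklist: the combos named in the thread plus leading digits of pi and e.
BLOCKLIST = {"1234", "0000", "1111", "9876", "3141", "2718"}

def is_sequential(pin):
    """True for runs such as 0123 / 4567 (ascending) or 9876 / 3210 (descending)."""
    steps = {int(b) - int(a) for a, b in zip(pin, pin[1:])}
    return steps == {1} or steps == {-1}

def reject_reason(pin):
    """Return why a PIN is rejected, or None if it passes the policy."""
    if not (pin.isdigit() and 4 <= len(pin) <= 6):
        return "must be four to six digits"
    if pin in BLOCKLIST:
        return "blocklisted"
    if len(set(pin)) == 1:
        return "repeated digit"
    if is_sequential(pin):
        return "sequential digits"
    if pin[:2] in ("19", "20"):
        return "looks like a year"
    return None

def surviving_space(length=4):
    """Count PINs of the given length that the policy still accepts."""
    pins = ("".join(p) for p in product("0123456789", repeat=length))
    return sum(1 for p in pins if reject_reason(p) is None)

def expected_hits(customers, space):
    """Accounts one fixed guess opens on average if PINs were spread evenly over
    `space` values; the thread's point is that `space` should dwarf `customers`."""
    return customers / space

if __name__ == "__main__":
    for pin in ("1234", "2345", "7777", "1987", "4829"):
        print(pin, reject_reason(pin) or "accepted")
    left = surviving_space(4)
    print(f"{left} of 10000 four-digit PINs survive the policy")
    print(f"one guess across 100000 customers: {expected_hits(100000, left):.1f} expected hits")
```

Even a blocklist only trims a few hundred values from 10,000, so the filter improves the odds slightly but does not change the conclusion that a 4-digit space is too small for a large customer base.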

  • (Score: 0) by Anonymous Coward on Thursday September 13 2018, @01:27AM (4 children)

    by Anonymous Coward on Thursday September 13 2018, @01:27AM (#733946)

    If passwords are important to you, but not to the users, then assign them.
    Lusers will write them down; eventually remember them; in any case it will make remote exploits more difficult.

    • (Score: 2) by sjames on Thursday September 13 2018, @02:35AM (1 child)

      by sjames (2882) on Thursday September 13 2018, @02:35AM (#733967) Journal

      Vodafone "sort of" took your advice. They assigned the password '1234' according to TFA.

      • (Score: 0) by Anonymous Coward on Thursday September 13 2018, @03:00AM

        by Anonymous Coward on Thursday September 13 2018, @03:00AM (#733981)

        Their fault then.

    • (Score: 0) by Anonymous Coward on Thursday September 13 2018, @03:10AM (1 child)

      by Anonymous Coward on Thursday September 13 2018, @03:10AM (#733987)

      I have had the same 4 digit PIN on my ATM card and bank account for 35+ years now, zero problems.

      I have had numerous 16 digit credit card numbers, they seem to average about 18 months between fraudulent uses - different use case, different problems with security. Making the CC# 64 digits wouldn't help, people get access to them and abuse them no matter how complex.

      Ergo: the real problem with the 4 digit passwords is that Vodafone leaked them to the criminals.

      • (Score: 0) by Anonymous Coward on Thursday September 13 2018, @03:15AM

        by Anonymous Coward on Thursday September 13 2018, @03:15AM (#733990)

        For clarity: by the act of assigning 1234 as a default to every customer, Vodafone effectively leaked the fact that a large number of their customers use the passcode 1234. Doesn't matter that "it's hard to put a different code in every account"; Vodafone is in control of the situation and they mismanaged it (i.e. they need to work harder to secure their customers' accounts).

  • (Score: 3, Interesting) by MichaelDavidCrawford on Thursday September 13 2018, @01:39AM (2 children)

    by MichaelDavidCrawford (2339) Subscriber Badge <mdcrawford@gmail.com> on Thursday September 13 2018, @01:39AM (#733948) Homepage Journal

    It is an infraction to leave your car unlocked while it's unoccupied.

    --
    Yes I Have No Bananas. [gofundme.com]
    • (Score: 0) by Anonymous Coward on Thursday September 13 2018, @01:49AM

      by Anonymous Coward on Thursday September 13 2018, @01:49AM (#733953)

      That is stupid.

    • (Score: 2) by JoeMerchant on Thursday September 13 2018, @03:13AM

      by JoeMerchant (3937) on Thursday September 13 2018, @03:13AM (#733989)

      Thus the name? Found a new car here, unlocked - the land says it's mine!!!

      --
      🌻🌻 [google.com]