
posted by chromas on Wednesday September 12 2018, @10:44PM   Printer-friendly
from the Czech-your-password dept.

Submitted via IRC for TheMightyBuzzard

A Czech court recently sentenced two hackers to three years in prison for accessing Vodafone customers' mobile accounts and using them to purchase 600,000 Czech Koruna worth of gambling services. Vodafone reportedly wants the hacked victims to pay for these charges as they were using an easy password of "1234".

According to reporting from Czech news site idnes.cz, the hackers accessed mobile customers' accounts by using the password 1234. Once they were able to gain access, they ordered new SIM cards that they picked up from various branches. As they knew the phone number and password, they were able to pick up the SIM card and install it in their phones without any other verification.

This allowed the attackers to charge over 600,000 Czech Koruna, or approximately 30K USD, for gambling services.

What do you lot think, should there be a blatant stupidity tax?

Source: https://www.bleepingcomputer.com/news/security/vodafone-tells-hacked-customers-with-1234-password-to-pay-back-money/

  • (Score: 5, Insightful) by darkpixel on Wednesday September 12 2018, @11:43PM (7 children)

    by darkpixel (4281) on Wednesday September 12 2018, @11:43PM (#733906)

    Sure, we can have a stupidity tax. But let's charge Vodaphone. I have a 14-digit PIN I would *love* to use in order to be *secure*...but neither my bank nor my cell phone company allow anything longer than 4 digits.

  • (Score: 0) by Anonymous Coward on Wednesday September 12 2018, @11:50PM

    by Anonymous Coward on Wednesday September 12 2018, @11:50PM (#733907)

    Most insightful comment here.

  • (Score: 2) by inertnet on Wednesday September 12 2018, @11:56PM (2 children)

    by inertnet (4071) Subscriber Badge on Wednesday September 12 2018, @11:56PM (#733909) Journal

    Even worse, this site already has your PIN [deviantart.com].

    • (Score: 0) by Anonymous Coward on Thursday September 13 2018, @06:03AM (1 child)

      by Anonymous Coward on Thursday September 13 2018, @06:03AM (#734045)

      The comments on there are full of people who would be in the highest idiot-tax bracket. For example:

      I literally just wasted one+ hours of my life, making a script that then took 2 minutes more of my life to create a list of all the possible combinations...
      When in reality I should've just Googled it first to see if someone else already had a list...

      Why did I do this to my self ;~;

      I don't even know where to start with this, but at least he tried, unlike all the others who apparently can't count.

      • (Score: 1) by darkpixel on Friday September 14 2018, @12:29AM

        by darkpixel (4281) on Friday September 14 2018, @12:29AM (#734583)

        I'm not sure why it would take hours of his life.

        Bash:

        for n in {0000..9999}; do echo $n; done

        Node:

        // No third-party 'pad' module needed: String.prototype.padStart zero-pads the counter.
        for (let i = 0; i < 10000; i++) {
            console.log(String(i).padStart(4, '0'));
        }

        Python:

        for i in range(10000):  # range(0, 9999) would stop at 9998 and never print 9999
            print(format(i, '04'))

        BASIC:

        10 PRINT "You're still programming in BASIC? Go fuck yourself."

  • (Score: 5, Insightful) by Fluffeh on Thursday September 13 2018, @12:29AM (1 child)

    by Fluffeh (954) Subscriber Badge on Thursday September 13 2018, @12:29AM (#733926) Journal

    But let's charge Vodaphone.

    That's spot on. Because in this case, it isn't the customers who got hacked, it is poor Vodafone processes and a lack of controls in place to mitigate the risk that has caused this. Were the customer passwords daft? Yes. But it was the company rules and processes that allowed this to happen, so Vodaphone can't pass the buck here when some (at least partly) clever crooks gamed the system and made everyone look stupid.

    I would say from a PR point of view, the best thing Vodafone could do would be to shut up and change their processes to try to stop this happening again. Also, given the crooks had access to accounts, how many personal voicemails were saved, was there any access to customer cloud data?

    Lastly, I'm also going to say that there must have been an AWFUL lot of customer accounts being TESTED to see if their password was 1234. Isn't a good part of intrusion security checking for anomalous traffic out of no-where? You would think a single IP suddenly trying to access thousands of accounts using a password of 1234 should sound alarm bells. This should have been picked up and shut down before a single SIM card was ordered or a single bet was placed.

    • (Score: 5, Insightful) by Mykl on Thursday September 13 2018, @03:24AM

      by Mykl (1112) on Thursday September 13 2018, @03:24AM (#733992)

      Vodafone can't claim that they are offering super security when there are a maximum of 10,000 passwords available. If, as the summary implies, the "hackers" just trawled the customer base with a set PIN, they'd be bound to pick up a number of accounts no matter which PIN they entered. 1234 was probably just picked because it was likely to have slightly more results than another random number
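A detection rule of the kind Fluffeh and Mykl describe, as an added example that is not part of the thread and not code from any Vodafone system: it groups self-service login events by source IP and flags any IP that touches many distinct accounts inside a short window, which is the signature of trying one PIN against the whole customer base (a password spray) rather than many PINs against one account. The log format, IP addresses, account names and thresholds are all constructed for the example.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample of self-service portal login events (assumed format:
# ISO timestamp, source IP, account, result). None of it is real data.
SAMPLE_LOG = """\
2018-09-01T09:00:00 192.0.2.44 account=acct0100 result=OK
2018-09-01T10:00:01 203.0.113.7 account=acct0001 result=FAIL
2018-09-01T10:00:02 203.0.113.7 account=acct0002 result=FAIL
2018-09-01T10:00:03 203.0.113.7 account=acct0003 result=OK
2018-09-01T10:00:04 203.0.113.7 account=acct0004 result=FAIL
2018-09-01T10:00:05 203.0.113.7 account=acct0005 result=FAIL
2018-09-01T10:00:06 203.0.113.7 account=acct0006 result=FAIL
2018-09-01T10:00:07 203.0.113.7 account=acct0007 result=OK
2018-09-01T10:00:08 203.0.113.7 account=acct0008 result=FAIL
2018-09-01T10:03:00 198.51.100.9 account=acct0500 result=FAIL
2018-09-01T10:03:20 198.51.100.9 account=acct0500 result=OK
2018-09-01T17:30:00 192.0.2.44 account=acct0101 result=OK
"""

LINE_RE = re.compile(r"^(\S+) (\S+) account=(\S+) result=(OK|FAIL)$")


def parse_events(log_text):
    """Parse log lines into (timestamp, ip, account, success) tuples, oldest first."""
    events = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # ignore lines that do not fit the assumed format
        ts, ip, account, result = m.groups()
        events.append((datetime.fromisoformat(ts), ip, account, result == "OK"))
    events.sort(key=lambda e: e[0])
    return events


def detect_spray(events, window=timedelta(minutes=10), min_accounts=5):
    """Return {ip: summary} for every source IP that attempts at least
    `min_accounts` *distinct* accounts within any `window` of time.

    A per-account lockout counter never fires on a spray, because each account
    only sees one or two attempts; the signal is the fan-out from one source."""
    by_ip = defaultdict(list)
    for ts, ip, account, ok in events:
        by_ip[ip].append((ts, account, ok))

    alerts = {}
    for ip, evs in by_ip.items():
        in_window = defaultdict(int)  # account -> attempts inside the sliding window
        start = 0
        peak = 0
        succeeded = set()
        for ts, account, ok in evs:
            in_window[account] += 1
            # Drop events from the front until the window fits within `window`.
            while ts - evs[start][0] > window:
                old = evs[start][1]
                in_window[old] -= 1
                if in_window[old] == 0:
                    del in_window[old]
                start += 1
            peak = max(peak, len(in_window))
            if ok:
                succeeded.add(account)
        if peak >= min_accounts:
            alerts[ip] = {
                "distinct_accounts": peak,
                # accounts this source logged into: candidates for a forced PIN reset
                "logins_succeeded": sorted(succeeded),
            }
    return alerts


if __name__ == "__main__":
    for ip, summary in detect_spray(parse_events(SAMPLE_LOG)).items():
        print(ip, summary)
```

On the sample, only 203.0.113.7 is flagged (eight accounts in eight seconds, two of them successful); the customer who mistyped once and the household that logged into two accounts hours apart stay below threshold. The per-IP view is the cheap version: an attacker who spreads the same PIN across many addresses keeps each one quiet, so a global rate of failures per minute, or a count of how many distinct accounts a single PIN value is being tried against, is the complementary signal.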

  • (Score: 3, Insightful) by bzipitidoo on Thursday September 13 2018, @02:44AM

    by bzipitidoo (4388) Subscriber Badge on Thursday September 13 2018, @02:44AM (#733973) Journal

    The one I love is truncating the password to 8 characters. More than one system I've encountered did that. Sure, it'll let you type in a longer password, but it only checks the first 8 characters. That's the Y2K of password security. The designers were too damned miserly to allow a few more bytes for a little bit longer password, as if it's still the 1970s when 256 bytes really was a significant amount of memory.

    I also giggle whenever an organization is able to tell me what my password was, when I claim to have forgotten it.

    And, wow, the insecurity of 1980s multiuser OSes was shocking. Did a lot of things that would be unthinkable today. Store all the passwords in plaintext, and leave them in memory after the password checker exits so that any other process that allocates memory and happens to receive that block can just read everyone's passwords. Yeah, that's what the mighty IBM mainframe did. The same sort of trick was probably possible with the disk. Change your password, forcing the password file to be updated, and maybe you could grab the memory that the IO system just used, or maybe you could grab the area on the disk where the old password file was stored.
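Both failure modes bzipitidoo describes, silently comparing only the first 8 characters (which is what the classic DES-based crypt(3) did) and keeping the password in a form that support can read back to you, shown next to a hardened equivalent. This is an added example, not code from the thread or from any of the systems mentioned; the record layout and function names are assumptions of the example.

```python
import hashlib
import hmac
import os

# Constructed example records; no real user store is involved.


def legacy_store(password):
    """Legacy-style record: the secret itself is kept (so support can read it
    back, which is how a site is able to 'tell you your password'), and only
    the first 8 characters are ever looked at."""
    return {"password": password[:8]}


def legacy_verify(record, attempt):
    """Accepts any attempt whose first 8 characters match; the rest is ignored."""
    return record["password"] == attempt[:8]


def hardened_store(password, iterations=100_000):
    """Keep a salted PBKDF2-HMAC-SHA256 digest of the *whole* password.
    Nobody, support included, can recover the password from this record."""
    salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return {"salt": salt, "iterations": iterations, "digest": digest}


def hardened_verify(record, attempt):
    """Recompute the digest over the full attempt and compare in constant time."""
    digest = hashlib.pbkdf2_hmac(
        "sha256", attempt.encode("utf-8"), record["salt"], record["iterations"]
    )
    return hmac.compare_digest(digest, record["digest"])


def truncation_demo(password, attempt):
    """Return (legacy_result, hardened_result) for the same password/attempt
    pair, so the effect of the 8-character limit is visible side by side."""
    return (
        legacy_verify(legacy_store(password), attempt),
        hardened_verify(hardened_store(password), attempt),
    )


if __name__ == "__main__":
    # Same first 8 characters, different password: legacy accepts, hardened rejects.
    print(truncation_demo("correcthorsebattery", "correcthorseXXXXXXX"))
```

The quick test for the truncation bug on a live system is exactly the one in the demo: change nothing and log in with your password plus junk appended, or with only its first 8 characters. If either works, the extra characters were never part of the secret, and the effective keyspace is whatever 8 characters allow, not what you typed.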