Submitted via IRC for TheMightyBuzzard
A Czech court recently sentenced two hackers to three years in prison for accessing Vodafone customers' mobile accounts and using them to purchase 600,000 Czech Koruna worth of gambling services. Vodafone reportedly wants the hacked victims to pay for these charges as they were using an easy password of "1234".
According to reporting from Czech news site idnes.cz, the hackers accessed mobile customers' accounts by using the password 1234. Once they were able to gain access, they ordered new SIM cards that they picked up from various branches. As they knew the phone number and password, they were able to pick up the SIM card and install it in their phones without any other verification.
This allowed the attackers to charge over 600,000 Czech Koruna, or approximately 30K USD, for gambling services.
What do you lot think, should there be a blatant stupidity tax?
(Score: 3, Insightful) by bzipitidoo on Thursday September 13 2018, @02:44AM
The one I love is truncating the password to 8 characters. More than one system I've encountered did that. Sure, it'll let you type in a longer password, but it only checks the first 8 characters. That's the Y2K of password security. The designers were too damned miserly to allow a few more bytes for a little bit longer password, as if it's still the 1970s when 256 bytes really was a significant amount of memory.
I also giggle whenever an organization is able to tell me what my password was, when I claim to have forgotten it.
And, wow, the insecurity of 1980s multiuser OSes was shocking. Did a lot of things that would be unthinkable today. Store all the passwords in plaintext, and leave them in memory after the password checker exits so that any other process that allocates memory and happens to receive that block can just read everyone's passwords. Yeah, that's what the mighty IBM mainframe did. The same sort of trick was probably possible with the disk. Change your password, forcing the password file to be updated, and maybe you could grab the memory that the IO system just used, or maybe you could grab the area on the disk where the old password file was stored.
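A constructed demonstration of the truncation defect bzipitidoo describes, next to a hardened verifier and a black-box check a defender can run against their own login path to see whether it silently ignores everything past the eighth character. This is added example code, not from the original thread; `make_backend`, `truncates_passwords` and the probe password are hypothetical names and values chosen for the example.

```python
import hashlib
import hmac
import os

LEGACY_LIMIT = 8  # crypt(3)-style DES verifiers ignored everything past 8 chars


def legacy_hash(password: str, salt: bytes) -> bytes:
    # The defect: truncation happens *before* hashing, so "correcthorse..."
    # and "correcth" produce exactly the same stored value.
    return hashlib.sha256(salt + password[:LEGACY_LIMIT].encode()).digest()


def hardened_hash(password: str, salt: bytes) -> bytes:
    # Hardened form: full-length password, per-user salt, slow KDF.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


def make_backend(hash_fn):
    """Constructed in-memory user store built around a given hash function.
    Returns (register, login) callables standing in for a real auth backend."""
    users = {}

    def register(user: str, password: str) -> None:
        salt = os.urandom(16)
        users[user] = (salt, hash_fn(password, salt))

    def login(user: str, password: str) -> bool:
        entry = users.get(user)
        if entry is None:
            return False
        salt, stored = entry
        return hmac.compare_digest(stored, hash_fn(password, salt))

    return register, login


def truncates_passwords(register, login, probe: str = "correcthorsebatterystaple") -> bool:
    """Black-box audit (hypothetical helper): register a long password, then log
    in with only its first 8 characters. Success means the backend truncates."""
    user = "audit-" + os.urandom(4).hex()
    register(user, probe)
    return login(user, probe[:LEGACY_LIMIT])


if __name__ == "__main__":
    for name, fn in (("legacy", legacy_hash), ("hardened", hardened_hash)):
        reg, log = make_backend(fn)
        print(f"{name}: truncates={truncates_passwords(reg, log)}")
```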