Slashdot Mirror


Dutch ISP Discovers 140,000 Customers With Default Password

bs0d3 writes "In Holland, a major ISP (KPN) has found a major security flaw for their customers. It seems that all customers have had the same default password of 'welkom01'. Up to 140,000 customers had retained their default passwords. Once inside attackers could have found bank account and credit card numbers. KPN has since changed all the passwords of the 140,000 customers with weak passwords. They also do not believe anyone has actually been burglarized since discovering this weak spot in security."

21 of 99 comments

  1. Verizon online by Anonymous Coward · Score: 5, Interesting

    had to ban the password abc123 on their ADSL network years ago...

    1. Re:Verizon online by Anonymous Coward · Score: 2, Funny

      I was there for that... I got cursed out that week by many a little old lady.

    2. Re:Verizon online by Anonymous Coward · Score: 2, Interesting

      KPN has since changed all the passwords of the 140,000 customers with weak passwords. They also do not believe anyone has actually been burglarized since discovering this weak spot in security.

      It's a shame KPN changed their passwords for them. They were about to learn a valuable lesson!

      The reasonably intelligent people only had to hear about one instance of fraud, one example of ID theft in the news, to understand that they need a decent password. Idiots don't learn the easy way like this. Idiots only ever learn the hard way. I don't agree with that but I respect their right to learn any way they want to. It's called freedom.

  2. It's the ISP's fault by wickerprints · Score: 5, Informative

    It's their fault for not (1) randomizing the initial password, and (2) forcing new subscribers to immediately change their password after the first login, both of which are standard practices on properly secured systems.
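    Both practices named in this comment, as an added example that is not KPN's code or anything from the thread: provisioning each customer with a unique random initial password, refusing to proceed on first login until the user picks a new one, and auditing an existing user table for any account whose stored hash still verifies against a shared default such as 'welkom01'. The PBKDF2 parameters, the `Account` shape and the sample accounts are constructed for illustration.

```python
# Added example (not KPN's code): random initial passwords, forced first-login
# change, and an audit for a shared default password across a user table.
import hashlib
import hmac
import os
import secrets
from dataclasses import dataclass
from typing import List, Optional, Tuple

PBKDF2_ROUNDS = 100_000  # constructed parameter; tune to the deployment

@dataclass
class Account:
    username: str
    salt: bytes
    pw_hash: bytes
    must_change: bool = True  # set at provisioning, cleared only by a user-chosen password

def _hash(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)

def provision(username: str) -> Tuple[Account, str]:
    """Create an account with a unique random initial password (~96 bits of entropy)."""
    initial = secrets.token_urlsafe(12)
    salt = os.urandom(16)
    return Account(username, salt, _hash(initial, salt)), initial

def login(acct: Account, password: str, new_password: Optional[str] = None) -> str:
    """Return 'denied', 'change_required' or 'ok'. An account flagged must_change
    cannot proceed until a new password different from the old one is set."""
    if not hmac.compare_digest(_hash(password, acct.salt), acct.pw_hash):
        return "denied"
    if acct.must_change:
        if not new_password or new_password == password:
            return "change_required"
        acct.salt = os.urandom(16)
        acct.pw_hash = _hash(new_password, acct.salt)
        acct.must_change = False
    return "ok"

def legacy_account(username: str, password: str) -> Account:
    """Constructed sample of the pre-fix state: shared default, never forced to change."""
    salt = os.urandom(16)
    return Account(username, salt, _hash(password, salt), must_change=False)

def audit_default(accounts: List[Account], default: str) -> List[str]:
    """Usernames whose stored hash still verifies against a known shared default;
    this is the check a provider can run over its own user table."""
    return [a.username for a in accounts
            if hmac.compare_digest(_hash(default, a.salt), a.pw_hash)]
```

    The audit hashes the suspected default with each account's own salt, so it works against a properly salted table without ever storing the default in clear.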

    1. Re:It's the ISP's fault by Anonymous Coward · Score: 5, Interesting

      Further, why was the credit/bank information displayed in full? Isn't that stuff usually masked out? I think all services that I subscribe to usually just show the last 3-4 numbers of the account information, for this reason (in case login credentials are stolen).

    2. Re:It's the ISP's fault by tlhIngan · Score: 4, Interesting

      They are not responsible for their hopefully grown-up customers that are all obviously trusted by the banks to have credit cards.

      Sure, they should have known better than to trust users to change their passwords, but some people need to learn the hard way. At most, this means a few weeks of sleepless nights for their PR-department.

      OTOH, I wonder if all 140,000 customers who used the default password actually USED the account? It sounds like it was a customer service portal thing - not something they normally log in with. For those people, they probably managed their account by phone rather than thinking to log into the customer service portal and do all their changes there?

    3. Re:It's the ISP's fault by ShanghaiBill · Score: 5, Insightful

      but some people need to learn the hard way.

      Should car companies remove seat belts and airbags, so people can "learn the hard way" to avoid accidents?
      Or maybe we should be responsible professionals and design secure systems and appropriate procedures, instead of blaming our customers for our own incompetence.

    4. Re:It's the ISP's fault by stanlyb · Score: 2

      Actually, your analogy should be: Should car companies use default password for the ignition key?

    5. Re:It's the ISP's fault by lgw · Score: 5, Insightful

      If I get a lock installed on the door of my new house, with a key that is the same as the key on 140,000 other doors, guess what I am going to do next: install a new lock, or wait until someone empties my house and blame the company that installed the lock?

      Unless you went out of your way to get a special lock, the lock on the door of your house is likely trivial to defeat with a "bump key", which is pretty easy to come by and use (unlike lockpicks, which would also open your door easily, but are somewhat controlled and take a bit of practice). But you probably didn't know that, because you're not a technical expert in that area of security.

      Most people aren't technical experts in the area of computer security, and so don't have a clue that they would need to change the password their ISP gave them. They would expect their ISP to be competent in such matters.

      --
      Socialism: a lie told by totalitarians and believed by fools.

    6. Re:It's the ISP's fault by Anonymous Coward · Score: 2, Interesting

      they don't use security by obscurity when it comes to bank account numbers, it's like an address. Most payments above a handful of euros are done by bank transfer

      Now what is that called, security-through-the-honor-system?

      Come on, try to think about it. Do you rely on keeping your house address a secret as a protection against burglary? Can anyone who knows where your house is take your stuff? Answer: no, there's a lock, with retina scan, a heavily armed robot, a shark pond (frickin lasers included).

      Why should knowing your bank account number be enough to be able to take your money out of the bank? To take money out of your account two things are needed: to know your bank account number and to BE you.

    7. Re:It's the ISP's fault by jones_supa · Score: 2

      To refine that analogy a bit... it would be like having seat belts that in this particular car model required you to separately remember to enable the automatic locking mechanism so that it works in accidents.

  3. Once upon a time... by Mr. Firewall · Score: 5, Interesting

    When I was a sysadmin at a certain Bible college known for its weak security, I collected the password hashes of the students & faculty and ran them through a cracker (John the Ripper if I remember correctly), then sent out a mass email with the decrypted passwords, sorted by the amount of time it took to crack them.

    Yeah, the majority of them were cracked within five seconds. Of course, I omitted the information on just whose passwords they were.

    Dunno if it resulted in anyone actually doing something about their passwords though.

    --
    In times of universal deceit, telling the truth gets you modded -1 Troll

  4. burglarized??? by philofaqs · Score: 4, Insightful

    For heaven's sake what's wrong with burgled?

    1. Re:burglarized??? by philofaqs · Score: 2

      Umm, less standard? OK, I'm English from England; we would never, ever say "I've been burglarized". I've never even heard the word in 50 years on this planet before, but Chambers says it's OK, well, actually not with the final D. Still, I guess the verbification of a nounification etc. is OK on the intertubes.

    2. Re:burglarized??? by mako1138 · Score: 3, Insightful

      I guess it's American usage. We don't ever say "burgled" over here; it sounds funny.

  5. New password by Anonymous Coward · Score: 5, Funny

    All offending passwords were changed to "welkom02." Crisis averted!

  6. "Dear Subscribers" by bitt3n · Score: 4, Funny

    "We have discovered you have been using default password 'welkom01'. This represents a grave security risk. Therefore, we have changed your password to 'welkom02'."

  7. Damn! by evenmoreconfused · Score: 5, Funny

    Just lost about 140K bots on my net...

    --
    No. Well...maybe. Actually, yes. It really just depends.

  8. Re:Tourism in Holland is going to EXPLODE by Ziekheid · Score: 4, Insightful

    The only thing missing from your post is something about wooden shoes and windmills. Thanks for the generalization, again.
    Just for the record, it's not a normal or common thing to have sex with underage Eastern European girls here.

  9. Re:Tourism in Holland is going to EXPLODE by formfeed · Score: 5, Funny

    The only thing missing from your post is something about wooden shoes and windmills. Thanks for the generalization, again.

    This, and that war-driving has to be done on a bicycle.

  10. ISP didn't discover it. by Amarantine · Score: 5, Informative

    KPN didn't discover it themselves. An ICT company did (accidentally even), and reported the flaw to an IT site (webwereld.nl) instead of contacting KPN directly.

    Dutch links: http://tweakers.net/nieuws/82955/kpn-maakt-blunder-met-standaardwachtwoord-z-adsl-accounts.html and http://webwereld.nl/nieuws/111057/140-000-kpn-adsl-accounts-lek-door-welkom01-fail.html