Millions of Utility Customers' Passwords Stored In Plain Text (arstechnica.com)
schwit1 shares a report from Ars Technica: In September of 2018, an anonymous independent security researcher (who we'll call X) noticed that their power company's website was offering to email -- not reset! -- lost account passwords to forgetful users. Startled, X fed the online form the utility account number and the last four phone number digits it was asking for. Sure enough, a few minutes later the account password, in plain text, was sitting in X's inbox. This was frustrating and insecure, and it shouldn't have happened at all in 2018. But this turned out to be a flaw common to websites designed by the Atlanta firm SEDC. After finding SEDC's copyright notices in the footer of the local utility company's website, X began looking for more customer-facing sites designed by SEDC. X found and confirmed SEDC's footer -- and the same offer to email plain-text passwords -- in more than 80 utility company websites. Those companies service 15 million or so clients (estimated from GIS data and in some cases from PR brags on the utility sites themselves). But the real number of affected Americans could easily be several times that large: SEDC itself claims that more than 250 utility companies use its software.
Yes, bad things will happen... like a criminal will pay my electric bill. Thanks, bad guy!
X came up with a list of 89 affected utilities, with an estimated 15+ million customers (using GIS records and, in some cases, meter counts posted on the utility sites themselves). I bumped that list up to 133, after removing duplicate domains. (I did not attempt to replicate X's methodology for estimating total customers on the 44 additional utilities I found.) This is still well short of the 250+ utility clients SEDC themselves claim.
Ars is not publishing a full list, to avoid making it easier for any would-be malicious attackers to hit every possible target. Concerned Ars readers should check their utility company's site for an offer to send a copy of forgotten passwords by email—and might also want to view the HTML source of the online payments page and look for an "SEDC" copyright.
I use a different password for every account I have. I've never regretted it.
I had a couple of stores hosted on Volusion's hosting service, and a couple of years ago their password recovery system sent me my current password, rather than giving me a link to change my password. So clearly they store (or at least used to store) their user passwords in clear text or some recoverable form.
I tried to explain the clear security issue with this to one of their support techs, but he assured me that they felt this policy was most helpful to their users. Yeah, until everyone's password gets hacked. Good luck there.
For this and a few other reasons (rising costs, mainly), I've migrated my stores away from them.
The login doesn't ask for the complete password. Instead, it asks for 4 selected characters from the password plus 3 selected characters from my PIN.
I don't see how they can validate a few characters from a password unless they have it stored in plain text.
Actually, this applies to two banks. Both UK based.
The real "Libtards" are the Libertarians!
What is surprising is that this isn't a vice or buzzfeed "article." Because slashdead has stooped to THAT.
How do you know your passwords are stored securely on any given website anyway? Most websites won't (and probably shouldn't) tell you how they store passwords/hashes. Even if they do tell you, should you trust them to tell the truth? The only defense is to never assume your password is stored securely and take measures (don't reuse, 2-factor, change often, etc.) accordingly.
I have a great idea! Let's make sure we purchase software from the lowest cost bid. Those places keep costs low by hiring low-cost developers. Not bothering with tests and QA. They're also likely to be last on the list of companies to upgrade their process, guidelines, etc. High school students could probably write this in just a few weeks. What could possibly go wrong?
I logged into my machine at work this morning using my password. I didn't regret it.
I warned my ISP at the time, Rainier Connect, of this very issue back in 2012.... is 7 years plenty of time to consider it reasonable disclosure to talk about it publicly? Damn right it is. NAME AND SHAME this horrible and dated practice!! https://www.rainierconnect.com...
http://plaintextoffenders.com
an anonymous independent security researcher
clears throat.
I hope no one compromises my utility account and pays the bill for me or anything. I'm honestly not sure what else they could do. I am not in an area served by one of these websites, but the functionality my local utility provides on their website is minimal. Pay bill, sign up for payment plan/extension, report outage/downed lines or gas leak, etc. To change or shut off service, you have to call. I suppose they might be able to figure out an email address of mine or something, but in all honesty, what is the real worst-case scenario of my utility account getting hacked?
Tired of this happening again and again and again and again and again and again and again and again and again and again and again and again and again and again and again...
Time to stick it to companies even if it puts them under.
Posting AC to protect my employer.
I was a sysadmin, and my boss said there's a department, Cardiology, that needed an app for patients' medical info that the EMR didn't support at that time. They need this web-based app, and you to check it out, and see if there's any reason it won't run on a Citrix Server, and if it's OK, then set them up.
The first thing I noticed was that after the user logged in, as I navigated the web site's various pages and forms, every URL had the user's ID and password in plain text, so what you saw in the address bar was something like this:
http://CrapilogySoftware.com/DoSomething?=userID:Bob;password:mydog'sname
Oh, you say, I forgot to put the "s" in https? Oh no, it was plaintext sent over good ol' http.
I pointed this out to the 60-year old nurse that was showing this stuff to me. She said the long "What.The.Hell".
And then she said "Say no more. This is not going to happen".
They have also stored passwords in clear text for years now. They don't give a crap about complaints either.
I think it's book store mentality - at my former job we worked for a french book store chain and they insisted they wanted that "feature", too, because it's "more convenient for the customer". We did not comply with that demand, but it illustrates the point that these people do not want to see reason.
Holiday Inn's IHG Rewards Club. Yes, they'll mail it to you in plaintext, and by the way: it's only a 4-DIGIT NUMERIC PIN.
I've emailed and otherwise tried their "contact us" links several times over the last several years calling them out over their lack of security. I've never gotten anything more than an automated response.
Apparently their website developers didn't stay at a Holiday Inn Express last night.
Please keep your mouth closed while posting to Slashdot. Your drool is dripping on your keyboard, randomly shorting it out...
"To all SEDC Customers:

SEDC is aware of all the facts and timelines regarding the subject of this story. We have taken steps to address the situation. In terms of SEDC’s approach in dealing with this issue, SEDC refrained from speaking in detail about confidential elements of SEDC’s database and software with an unknown 3rd party as doing so could have potentially compromised our customers’ systems.

There are No Violations
The plain text password in question is not a violation of PCI-DSS (Payment Card Industry Data Security Standard) compliance. This was confirmed with SEDC’s independent PCI Assessor. SEDC is not in violation of any PCI-DSS requirements.

There was No Breach
There was no breach of any consumer’s data.

We are Making It Better
We notified all of our utilities in December of the software fix (Version 37 Service Pack 5—Enhanced Customer Portal Security Feature) which created an expiring password reset link and it is already deployed to all customers. With this fix, the “forgot password” process creates an expiring change password link that requires the consumer to confirm their identity. This security enhancement removes the option of emailing an existing password to the consumer. Phase 2 of the fix (salting and hashing of the passwords) will be included in Version 37 Service Pack 6 which is currently in beta. These fixes apply to UPN in all versions.

SEDC leverages Oracle Advanced Security product to encrypt the entire database using Transparent Data Encryption. Oracle Advanced Security is and has been for quite some time available to all SEDC customers as part of SEDC’s offerings.

On behalf of all the management and employees of SEDC, we sincerely apologize for any disruption that the ArsTechnica article may have caused your organization. SEDC is committed to deliver continuous improvement working side by side with our customers."
As one of their customers let me be very clear in that SEDC is one of our most trusted vendors and they continually and reliably outshine every other vendor we have come in contact with or deal with. This includes firms that specialize in cyber-security.
1-Going through the bank there's no "convenience fee" to pay.
2-Debit card would work, but a credit card with its benefits and protections would be better.
"The plain text password in question is not a violation of PCI-DSS compliance."
https://pcipolicyportal.com/bl...
Requirement 8, version 3.0 of the PCI-DSS spec requires that "Passwords are protected with strong cryptography during transmission and storage."
Still waiting on Serviscope_minor to wake up to fucking reality and realize that Jessica Price isn't going to fuck him.
Posting as a coward, because I work in the industry. Storing passwords as plain text is very common. Utility billing software from NISC (https://www.nisc.coop/ivue-appsuite/) stores customer passwords in plaintext as well. If your utility provider website is called anything with "Smarthub" in the name, you are vulnerable. These systems also often store email addresses, verification questions, home addresses (including prior addresses), social security numbers, and even family relationships.
Doing a Google search for "you may choose to have your password e-mailed to you" (including quotes) gives 160 results, most of which appear to be utility companies.
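The two indicators this thread points at (the Ars advice above to look for an offer to e-mail forgotten passwords and for an "SEDC" copyright in the page source, and the "you may choose to have your password e-mailed to you" phrase from the search just mentioned) can be checked against page HTML you have already fetched yourself. The following is an added example and is not code from the Ars article, the researcher, or any commenter; the regexes, the `scan_page`/`verdict` names and the two sample pages are constructed for illustration and are not real utility sites.

```python
import re
from typing import Dict, List

# Added example; not from the Ars article, the researcher, or any commenter.
# Input is HTML you already fetched (e.g. with curl); nothing here touches the
# network. The sample pages at the bottom are constructed, not real sites.

PASSWORD_EMAIL_PATTERNS = [
    # "you may choose to have your password e-mailed to you"
    re.compile(r"\bpassword\s+(?:e-?mailed|mailed|sent)\s+to\s+you\b", re.I),
    # "email you your password", "send a copy of your forgotten password"
    re.compile(r"\b(?:send|e-?mail)\s+(?:you\s+)?(?:a\s+copy\s+of\s+)?"
               r"(?:your|the|my)?\s*(?:current\s+|existing\s+|forgotten\s+)?password\b", re.I),
]
# Copyright line naming SEDC, matched on the raw source so "&copy;" is seen.
SEDC_COPYRIGHT = re.compile(r"(?:&copy;|©|\(c\)|copyright)[^<\n]{0,60}\bSEDC\b", re.I)


def _visible_text(html: str) -> str:
    """Drop scripts, styles and tags and collapse whitespace so a phrase split
    across markup (e.g. <b>password</b>) still matches as prose."""
    text = re.sub(r"<script.*?</script>|<style.*?</style>", " ", html, flags=re.I | re.S)
    text = re.sub(r"<[^>]+>", " ", text)
    return re.sub(r"\s+", " ", text)


def scan_page(html: str) -> Dict[str, List[str]]:
    """Return every matching snippet for each indicator."""
    text = _visible_text(html)
    findings: Dict[str, List[str]] = {"emails_existing_password": [], "sedc_copyright": []}
    for pat in PASSWORD_EMAIL_PATTERNS:
        findings["emails_existing_password"] += [m.group(0) for m in pat.finditer(text)]
    findings["sedc_copyright"] += [m.group(0) for m in SEDC_COPYRIGHT.finditer(html)]
    return findings


def verdict(html: str) -> str:
    """One-line assessment. An offer to e-mail the existing password is the
    strong signal; an SEDC footer alone only means the flow is worth checking."""
    f = scan_page(html)
    if f["emails_existing_password"]:
        return "password recoverable: site offers to e-mail the existing password"
    if f["sedc_copyright"]:
        return "SEDC footer found; check the forgot-password flow manually"
    return "no indicator found"


# Constructed sample pages (hypothetical; not real utility sites).
SAMPLE_RECOVERABLE = """<html><body>
<form action="ForgotPassword">
<p>Forgot your password? Enter your account number and the last four digits of
your phone number. You may choose to have your <b>password</b> e-mailed to you.</p>
</form>
<div class="footer">Copyright &copy; 2018 SEDC. All rights reserved.</div>
</body></html>"""

SAMPLE_RESET_LINK = """<html><body>
<p>Forgot your password? We will e-mail you a link to reset your password.
The link expires in 15 minutes.</p>
<div class="footer">&copy; 2019 Example Utility Cooperative</div>
</body></html>"""

if __name__ == "__main__":
    for name, page in (("recoverable", SAMPLE_RECOVERABLE), ("reset-link", SAMPLE_RESET_LINK)):
        print(name, "->", verdict(page), scan_page(page))
```

The phrase patterns are deliberately narrow so that a normal "we will e-mail you a reset link" page does not trip them; a site that words its offer differently will be missed, so treat a clean result as "nothing found", not "secure", and confirm by actually using the forgot-password form on your own account.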
An MLS software company that I used to work for did this. I told them, many, MANY times how awful this was and that as soon as somebody security-conscious got wind of this, it could ruin them as a company. They didn't care, and instead doubled-down on the practice saying that agents being able to retrieve their password that they forgot was more important... as if there aren't already ways to work around idiots not being able to remember their password.
Some interesting research, and while I agree with the premise that if a site can email you your password, it has substandard security, it does not mean those passwords are stored in plaintext. It's very possible that the passwords are stored in some encrypted form and the process for emailing the password has the resources to decrypt the password. Still, that is only marginally better than storing the password in plaintext. The issue is not how the password is stored (encrypted or not); it is the fact that the password is stored at all. Good systems use a hash of the password. While it is a common misconception, hashing is not encrypting. It is the irreversible conversion of data into a unique representation of that data. This is where the regulators fall down. They mistake hashing for encrypting. Even then they fail to understand the value of salting a hash (hint: it has nothing to do with table-top seasoning).
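The two halves of the fix described in this thread, salted hashing of the stored password (the point of the comment above, and SEDC's "Phase 2") and an expiring single-use reset link instead of e-mailing the password (SEDC's Service Pack 5 change quoted earlier), fit together in a few dozen lines. The following is an added example written for this page; it is not SEDC's, NISC's or any commenter's code, and the iteration count, the 15-minute token lifetime and all function names are assumptions chosen for illustration.

```python
import hashlib
import hmac
import os
import secrets
from dataclasses import dataclass
from typing import Optional

# Added example, not SEDC's or any utility's code. The database row keeps a
# per-user salt and an iterated hash, never the password, so "e-mail me my
# password" is impossible by construction; recovery is a time-limited token.

PBKDF2_ITERATIONS = 600_000   # assumed tuning value; raise as hardware allows
SALT_BYTES = 16
RESET_TOKEN_TTL = 15 * 60     # assumed: reset links expire after 15 minutes


@dataclass
class Account:
    email: str
    salt: bytes
    pw_hash: bytes
    # Only a hash of the reset token is stored, so someone who can read the
    # database still cannot build a working reset link from it.
    reset_token_hash: Optional[bytes] = None
    reset_expires_at: float = 0.0


def _derive(password: str, salt: bytes) -> bytes:
    """Salted, iterated hash: same password + different salt -> different digest."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ITERATIONS)


def create_account(email: str, password: str) -> Account:
    salt = os.urandom(SALT_BYTES)          # fresh random salt per user
    return Account(email, salt, _derive(password, salt))


def check_login(acct: Account, password: str) -> bool:
    # Constant-time compare so timing does not reveal how much of the digest matched.
    return hmac.compare_digest(_derive(password, acct.salt), acct.pw_hash)


def start_password_reset(acct: Account, now: float) -> str:
    """Returns the secret to embed in the e-mailed link (the caller sends the
    mail). The account row keeps only the token's hash and an expiry time."""
    token = secrets.token_urlsafe(32)
    acct.reset_token_hash = hashlib.sha256(token.encode("utf-8")).digest()
    acct.reset_expires_at = now + RESET_TOKEN_TTL
    return token


def finish_password_reset(acct: Account, token: str, new_password: str, now: float) -> bool:
    """Accepts the token once, and only before it expires."""
    if acct.reset_token_hash is None or now > acct.reset_expires_at:
        return False
    presented = hashlib.sha256(token.encode("utf-8")).digest()
    if not hmac.compare_digest(presented, acct.reset_token_hash):
        return False
    # Single use: invalidate the token before installing the new hash.
    acct.reset_token_hash = None
    acct.reset_expires_at = 0.0
    acct.salt = os.urandom(SALT_BYTES)     # re-salt on every password change
    acct.pw_hash = _derive(new_password, acct.salt)
    return True


if __name__ == "__main__":
    acct = create_account("customer@example.invalid", "correct horse")
    print("login ok:", check_login(acct, "correct horse"))
    tok = start_password_reset(acct, now=0.0)
    print("reset ok:", finish_password_reset(acct, tok, "battery staple", now=60.0))
    print("old password still works:", check_login(acct, "correct horse"))
```

Two things the hash-only design rules out, which is the point: nothing in `Account` can be turned back into the password, so the "have your password e-mailed to you" feature cannot be built on top of it, and the partial-character login some banks use (matching a few chosen characters of the password) cannot be implemented either, because a hash only answers "is this the whole password?".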
https://www.sedata.com/our-sol...
It includes:
Cyber Awareness Education
And....
SEDC MSS (Managed Security Services)
Just like a certain D (huge (only a minor breach) consultancy), mebbe they don't need to do the stuff they tell you to do.
Why is this?