Millions of Utility Customers' Passwords Stored In Plain Text (arstechnica.com)
schwit1 shares a report from Ars Technica: In September of 2018, an anonymous independent security researcher (who we'll call X) noticed that their power company's website was offering to email -- not reset! -- lost account passwords to forgetful users. Startled, X fed the online form the utility account number and the last four phone number digits it was asking for. Sure enough, a few minutes later the account password, in plain text, was sitting in X's inbox. This was frustrating and insecure, and it shouldn't have happened at all in 2018. But this turned out to be a flaw common to websites designed by the Atlanta firm SEDC. After finding SEDC's copyright notices in the footer of the local utility company's website, X began looking for more customer-facing sites designed by SEDC. X found and confirmed SEDC's footer -- and the same offer to email plain-text passwords -- in more than 80 utility company websites. Those companies service 15 million or so clients (estimated from GIS data and in some cases from PR brags on the utility sites themselves). But the real number of affected Americans could easily be several times that large: SEDC itself claims that more than 250 utility companies use its software.
Yes bad things will happen...like a criminal will pay my electric bill. Thanks, bad guy!
Many people use the same password for everything. So if you know the password they use to pay their electric bill, you also know the password to their bank account.
We need to have some basic security education. People should know that password reuse is bad, but they should also know that a website should not be offering to email them their plaintext password.
I had a couple of stores hosted on Volusion's hosting service, and a couple of years ago their password recovery system sent me my current password, rather than giving me a link to change my password. So clearly they store (or at least used to store) their user passwords in clear text or some recoverable form.
I tried to explain the clear security issue with this to one of their support techs, but he assured me that they felt this policy was most helpful to their users. Yeah, until everyone's password gets hacked. Good luck there.
For this and a few other reasons (rising costs, mainly), I've migrated my stores away from them.
The login doesn't ask for the complete password. Instead, it asks for 4 selected characters from the password plus 3 selected characters from my PIN.
I don't see how they can validate a few characters from a password unless they have it stored in plain text.
Actually, this applies to two banks. Both UK based.
The real "Libtards" are the Libertarians!
How do you know your passwords are stored securely on any given website anyway? Most websites won't (and probably shouldn't) tell you how they store passwords/hashes. Even if they do tell you, should you trust them to tell the truth? The only defense is to never assume your password is stored securely and take measures (don't reuse, 2-factor, change often, etc.) accordingly.
I have a great idea! Let's make sure we purchase software from the lowest cost bid. Those places keep costs low by hiring low-cost developers. Not bothering with tests and QA. They're also likely to be last on the list of companies to upgrade their process, guidelines, etc. High school students could probably write this in just a few weeks. What could possibly go wrong?
I warned my ISP at the time, Rainier Connect, of this very issue back in 2012.... is 7 years plenty of time to consider it reasonable disclosure to talk about it publicly? Damn right it is. NAME AND SHAME this horrible and dated practice!! https://www.rainierconnect.com...
We need to have some basic security education.
We've tried that. I have co-workers who brazenly tell me they use the same password for everything. If I need them to logon as themselves for troubleshooting a problem, they will just tell me their password or think I already know what it is. When they do that, I ask them "Really? Where do you bank?" They just give me a blank stare.
http://plaintextoffenders.com
I would need to have an 'online relationship' with my utility companies for this to become a problem. I practice security-through-postage-stamps.
I go one step further. I only pay the bill in person and hand my money directly to the administrative assistant that prepares and mails the invoices and processes all the other mail and in-person payments for our small town.
They leverage it to get your checking acct number, empty it. They use the statements and other info to apply for credit cards in your name. They assume your identity, maybe a couple of times, and ruin your credit forever. One of them gets arrested, blames you and comes to your house, he has the address from the statement.
Hartford auto insurance does this and they let you reset your password by answering secret questions on the site without even sending an email. They only send an email after you reset the password to tell you your password was changed.
The data gathered from breaches can be combined, and has been, into a database (you can find it online). From the utility company hackers learn the physical address that goes with your email address and your name and phone number.
From insurance info they learn your physical address, vehicle license plate and VIN number, your phone number.
That, coupled with your published social media info, can yield enough info to cross-reference you with other breached data and launch a vicious identity theft campaign against you, including logging into other sites, taking out loans in your name (after they easily get your social security number) and taking over your bank accounts by walking into a bank like Wells Fargo and opening a new account with a fake driver's license and social security card then transfer your money into the new account (this happened to a friend's friend who lost $60k; it took 4 months and 100 hours of her time to get the money back from very uncooperative Wells Fargo, after which she and the common friend dumped 4th-world WF for a highly-rated regional bank).
I do pay my utility bills online, but not through each utility's individual website. They all want people to do that, but I don't need more usernames and passwords to keep up with. I pay through my bank's website.
The only utility that knows my email address is the cable company that is also my isp, and that email address is the one they provide and I don't use.
If you shop online, use a re-loadable debit card - balance up, balance zero. Most banks will provide one, check and see if yours does.
An example of why America needs more regulation. This doesn't happen in other western nations.
Sweden - https://www.bbc.com/news/techn...
Germany - https://www.theguardian.com/wo...
France - https://techcrunch.com/2018/12...
Spain - https://www.theinquirer.net/in...
I would need to have an 'online relationship' with my utility companies for this to become a problem. I practice security-through-postage-stamps.
I suppose if the postal carriers in Chicago only throw your mail in the dumpster, that might work.
Of course, someone else might get it out of the dumpster ...
"To all SEDC Customers: SEDC is aware of all the facts and timelines regarding the subject of this story. We have taken steps to address the situation. In terms of SEDC's approach in dealing with this issue, SEDC refrained from speaking in detail about confidential elements of SEDC's database and software with an unknown 3rd party as doing so could have potentially compromised our customers' systems.

There are No Violations
The plain text password in question is not a violation of PCI-DSS (Payment Card Industry Data Security Standard) compliance. This was confirmed with SEDC's independent PCI Assessor. SEDC is not in violation of any PCI-DSS requirements.

There was No Breach
There was no breach of any consumer's data.

We are Making It Better
We notified all of our utilities in December of the software fix (Version 37 Service Pack 5 - Enhanced Customer Portal Security Feature) which created an expiring password reset link and it is already deployed to all customers. With this fix, the "forgot password" process creates an expiring change password link that requires the consumer to confirm their identity. This security enhancement removes the option of emailing an existing password to the consumer. Phase 2 of the fix (salting and hashing of the passwords) will be included in Version 37 Service Pack 6 which is currently in beta. These fixes apply to UPN in all versions. SEDC leverages Oracle Advanced Security product to encrypt the entire database using Transparent Data Encryption. Oracle Advanced Security is and has been for quite some time available to all SEDC customers as part of SEDC's offerings.

On behalf of all the management and employees of SEDC, we sincerely apologize for any disruption that the ArsTechnica article may have caused your organization. SEDC is committed to delivering continuous improvement working side by side with our customers."
As one of their customers let me be very clear in that SEDC is one of our most trusted vendors and they continually and reliably outshine every other vendor we have come in contact with or deal with. This includes firms that specialize in cyber-security.
"The plain text password in question is not a violation of PCI-DSS compliance."
https://pcipolicyportal.com/bl...
Requirement 8, version 3.0 of the PCI-DSS spec requires that "Passwords are protected with strong cryptography during transmission and storage."
Still waiting on Serviscope_minor to wake up to fucking reality and realize that Jessica Price isn't going to fuck him.
Doing a Google search for "you may choose to have your password e-mailed to you" (including quotes) gives 160 results, most of which appear to be utility companies.
Some interesting research, and while I agree with the premise that if a site can email you your password, it has substandard security, it does not mean those passwords are stored in plaintext. It's very possible that the passwords are stored in some encrypted form and the process for emailing the password has the resources to decrypt the password. Still, that is only marginally better than storing the password in plaintext. The issue is not how the password is stored (encrypted or not); it is the fact that the password is stored at all. Good systems use a hash of the password. While it is a common misconception, hashing is not encrypting. It is the irreversible conversion of data into a unique representation of that data. This is where the regulators fall down. They mistake hashing for encrypting. Even then they fail to understand the value of salting a hash (hint, it has nothing to do with table-top seasoning).
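The comment above describes the fix in words; here is what "salt and hash, then reset with an expiring link" looks like as working code. This is an added example, not code from SEDC, Ars Technica or anyone in the thread; the iteration count, the 15-minute token lifetime and the in-memory dicts standing in for database tables are assumptions.

```python
# Added example (not from the thread): a site that stores only a salted
# PBKDF2 hash can verify a login but cannot email the password back, so the
# "forgot password" flow has to become an expiring, single-use reset token.
import hashlib
import hmac
import os
import secrets

ITERATIONS = 600_000  # PBKDF2-HMAC-SHA256 work factor (assumed value)
RESET_TTL = 900       # reset link lifetime in seconds (assumed: 15 minutes)


def store_password(password: str) -> dict:
    """Return a record holding only a per-user random salt and the derived hash."""
    salt = os.urandom(16)  # fresh salt per user: same password -> different hash
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return {"salt": salt, "hash": digest, "iterations": ITERATIONS}


def verify_password(record: dict, attempt: str) -> bool:
    """Re-derive from the attempt and compare; the stored hash is never reversed."""
    digest = hashlib.pbkdf2_hmac("sha256", attempt.encode(),
                                 record["salt"], record["iterations"])
    return hmac.compare_digest(digest, record["hash"])


def issue_reset_token(pending: dict, account: str, now: float) -> str:
    """Create the token that goes into the emailed link; store only its hash."""
    token = secrets.token_urlsafe(32)
    pending[account] = (hashlib.sha256(token.encode()).digest(), now + RESET_TTL)
    return token


def redeem_reset_token(pending: dict, account: str, token: str, now: float) -> bool:
    """Accept a token once, and only before it expires."""
    entry = pending.pop(account, None)  # single use: gone whether or not it matches
    if entry is None:
        return False
    token_hash, expires = entry
    if now > expires:
        return False
    return hmac.compare_digest(hashlib.sha256(token.encode()).digest(), token_hash)


if __name__ == "__main__":
    rec = store_password("correct horse battery staple")
    print(verify_password(rec, "correct horse battery staple"))  # True
    print(verify_password(rec, "wrong"))                          # False
    pending = {}
    tok = issue_reset_token(pending, "acct-1234", 0.0)
    print(redeem_reset_token(pending, "acct-1234", tok, 60.0))    # True
    print(redeem_reset_token(pending, "acct-1234", tok, 61.0))    # False (used)
```

Note that nothing in the record lets the site, or anyone who copies its database, recover the original password; that is the property emailing a password proves a site lacks.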
https://www.sedata.com/our-sol...
It includes:
Cyber Awareness Education
And....
SEDC MSS (Managed Security Services)
Just like a certain D (huge (only a minor breach) consultancy), mebbe they don't need to do the stuff they tell you to do.