BreachExchange mailing list archives
Vodafone Tells Hacked Customers with "1234" Password to Pay Back Money
From: Destry Winant <destry () riskbasedsecurity com>
Date: Thu, 6 Sep 2018 00:04:21 -0500
https://www.bleepingcomputer.com/news/security/vodafone-tells-hacked-customers-with-1234-password-to-pay-back-money/

A Czech court recently sentenced two hackers to three years in prison for accessing Vodafone customers' mobile accounts and using them to purchase 600,000 Czech Koruna worth of gambling services. Vodafone reportedly wants the hacked victims to pay for these charges as they were using an easy password of "1234".

According to reporting from Czech news site idnes.cz, the hackers accessed mobile customers' accounts by using the password 1234. Once they were able to gain access, they ordered new SIM cards that they picked up from various branches. As they knew the phone number and password, they were able to pick up the SIM card and install it in their phones without any other verification. This allowed the attackers to charge over 600,000 Czech Koruna, or approximately 30K USD, for gambling services.

Vodafone says it's the customers' fault for having weak passwords

Idnes.cz further reported that Vodafone is stating that it is not their responsibility for the attackers' charges and that the hacked customers with easy passwords should have to pay the stolen money back. Some victims have reported that Vodafone has sent debt collectors to recover the money stolen by the hackers.

The victims, on the other hand, have stated that they have no idea how their passwords were set to "1234" or that there was even an online market that could be used to buy services. Furthermore, Vodafone has stated that it may have been possible that one of their employees configured this password when a phone was purchased, but the user should still have changed it to a stronger password.

The problem is that the passwords for the My Vodafone portal, as shown below, are only 4-6 digits long. The string in the password field translates to "4 to 6 digit number".

While there is an automatic lockout procedure, according to Jiri Kropac, the head of Threat Detection Labs at ESET, who tested it for BleepingComputer, the password requirements are still not strong enough. This is because passwords consisting of 4-6 digits can still be brute forced fairly quickly if there was ever a breach at the site or if an attacker was persistent.

Vodafone's stance, though, is a dangerous precedent and one more reason that users should make sure they are using strong passwords at every site they visit.

BleepingComputer has contacted Vodafone for comment, but had not heard back at the time of this publication.