Millions of Utility Customers' Passwords Stored In Plain Text (arstechnica.com)
schwit1 shares a report from Ars Technica: In September of 2018, an anonymous independent security researcher (who we'll call X) noticed that their power company's website was offering to email -- not reset! -- lost account passwords to forgetful users. Startled, X fed the online form the utility account number and the last four phone number digits it was asking for. Sure enough, a few minutes later the account password, in plain text, was sitting in X's inbox. This was frustrating and insecure, and it shouldn't have happened at all in 2018. But this turned out to be a flaw common to websites designed by the Atlanta firm SEDC. After finding SEDC's copyright notices in the footer of the local utility company's website, X began looking for more customer-facing sites designed by SEDC. X found and confirmed SEDC's footer -- and the same offer to email plain-text passwords -- in more than 80 utility company websites. Those companies service 15 million or so clients (estimated from GIS data and in some cases from PR brags on the utility sites themselves). But the real number of affected Americans could easily be several times that large: SEDC itself claims that more than 250 utility companies use its software.
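The summary above describes sites that email a customer's current password back on request, which is only possible when the password is stored in plaintext or in some reversible form. As an added example, not code from Ars Technica, SEDC, or the poster, here is a minimal Python contrast: a "forgot password" handler that can only work by reading a stored plaintext, beside a hardened flow that stores a salted PBKDF2 hash (so the server can verify but never recover the password) and emails a single-use, expiring reset token whose hash is all that is kept server-side. The function names, the in-memory `users` dict, the iteration count and the 15-minute token lifetime are all assumptions made for this example.

```python
import hashlib
import hmac
import secrets
import time
from typing import Optional

# Assumed work factor for PBKDF2-HMAC-SHA256, kept modest so the example runs
# quickly; a deployment would use a higher count or a memory-hard function.
PBKDF2_ITERATIONS = 200_000
RESET_TOKEN_TTL_SECONDS = 15 * 60  # assumption: reset links die after 15 minutes


# --- the flow the article describes, shown only to contrast with the fix ---
def insecure_forgot_password(users: dict, account: str) -> str:
    """'Email me my password' can only be implemented if the password itself
    is stored; anyone with read access to this table has every password."""
    return f"Your password is: {users[account]['plaintext_password']}"


# --- hardened storage: salted, slow hash; the password is not recoverable ---
def hash_password(password: str, salt: Optional[bytes] = None) -> dict:
    salt = salt or secrets.token_bytes(16)  # fresh random salt per user
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERATIONS)
    return {"salt": salt, "hash": digest, "iterations": PBKDF2_ITERATIONS}


def verify_password(record: dict, candidate: str) -> bool:
    digest = hashlib.pbkdf2_hmac(
        "sha256", candidate.encode(), record["salt"], record["iterations"]
    )
    return hmac.compare_digest(digest, record["hash"])  # constant-time compare


# --- hardened recovery: a random, single-use, expiring reset token ---
def request_reset(users: dict, account: str, now: Optional[float] = None) -> str:
    """Generate a 256-bit token and store only its hash with an expiry, so a
    leaked database does not contain usable reset links. The returned token
    is what the reset email would carry."""
    now = time.time() if now is None else now
    token = secrets.token_urlsafe(32)
    users[account]["reset"] = {
        "token_hash": hashlib.sha256(token.encode()).digest(),
        "expires": now + RESET_TOKEN_TTL_SECONDS,
    }
    return token


def complete_reset(
    users: dict, account: str, token: str, new_password: str, now: Optional[float] = None
) -> bool:
    """Accept the token once, only before expiry, then replace the credential."""
    now = time.time() if now is None else now
    pending = users[account].get("reset")
    if pending is None:
        return False
    if now > pending["expires"]:
        del users[account]["reset"]  # expired tokens are discarded
        return False
    presented = hashlib.sha256(token.encode()).digest()
    if not hmac.compare_digest(presented, pending["token_hash"]):
        return False  # wrong token; the pending one stays valid until expiry
    del users[account]["reset"]  # single use: consumed on success
    users[account]["credential"] = hash_password(new_password)
    return True


if __name__ == "__main__":
    # Constructed sample data, not real customer records.
    legacy = {"acct-1001": {"plaintext_password": "hunter2"}}
    print(insecure_forgot_password(legacy, "acct-1001"))

    users = {"acct-1001": {"credential": hash_password("correct horse battery")}}
    print("stored record has no password, only:", sorted(users["acct-1001"]["credential"]))
    link_token = request_reset(users, "acct-1001")
    print("reset succeeded:", complete_reset(users, "acct-1001", link_token, "new passphrase"))
    print("new password verifies:", verify_password(users["acct-1001"]["credential"], "new passphrase"))
```

The important design choice is that nothing the hardened side stores can be turned back into a password or a working reset link: the credential is a salted slow hash, and the pending reset is a hash of a high-entropy token with a deadline. A wrong token does not invalidate the pending one (the 256-bit token is not guessable, and discarding it would let anyone cancel a legitimate reset), but a correct token is consumed on first use.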
Re: (Score:3)
Yes bad things will happen...like a criminal will pay my electric bill. Thanks, bad guy!
Many people use the same password for everything. So if you know the password they use to pay their electric bill, you also know the password to their bank account.
We need to have some basic security education. People should know that password reuse is bad, but they should also know that a website should not be offering to email them their plaintext password.
Re: (Score:1)
We need to have some basic security education.
We've tried that. I have co-workers who brazenly tell me they use the same password for everything. If I need them to logon as themselves for troubleshooting a problem, they will just tell me their password or think I already know what it is. When they do that, I ask them "Really? Where do you bank?" They just give me a blank stare.
Re: Up to *some* good. (Score:1)
Hartford auto insurance does this and they let you reset your password by answering secret questions on the site without even sending an email. They only send an email after you reset the password to tell you your password was changed.
The data gathered from breaches can be combined and has been into a database (you can find it online). From the utility company hackers learn the physical address that goes with your email address and your name and phone number.
From insurance info they learn your physical add
Re: (Score:3, Informative)
I would need to have an 'online relationship' with my utility companies for this to become a problem. I practice security-through-postage-stamps.
Re: (Score:1)
I go one step further. I only pay the bill in person and hand my money directly to the administrative assistant that prepares and mails the invoices and processes all the other mail and in person payments for our small town.
Re: (Score:2)
I would need to have an 'online relationship' with my utility companies for this to become a problem. I practice security-through-postage-stamps.
I suppose if the postal carriers in Chicago only throw your mail in the dumpster, that might work.
Of course, someone else might get it out of the dumpster ...
Re: Is there a list of affected utility companies? (Score:4, Informative)
Sweden - https://www.bbc.com/news/techn... [bbc.com]
Germany - https://www.theguardian.com/wo... [theguardian.com]
France - https://techcrunch.com/2018/12... [techcrunch.com]
Spain - https://www.theinquirer.net/in... [theinquirer.net]
Volusion seems to do this as well. (Score:1)
I had a couple of stores hosted on Volusion's hosting service, and a couple of years ago their password recovery system sent me my current password, rather than giving me a link to change my password. So clearly they store (or at least used to store) their user passwords in clear text or some recoverable form.
I tried to explain the clear security issue with this to one of their support techs, but he assured me that they felt this policy was most helpful to their users. Yeah, until everyone's password gets
I think my bank stores passwords in plain text (Score:4, Interesting)
The login doesn't ask for the complete password. Instead, it asks for 4 selected characters from the password plus 3 selected characters from my PIN.
I don't see how they can validate a few characters from a password unless they have it stored in plain text.
Actually, this applies to two banks. Both UK based.
Re:I think my bank stores passwords in plain text (Score:4, Informative)
If they are hashing a bunch of combinations of just a few characters of the password, these characters could be easily brute forced, salted or not! After knowing these combinations, brute forcing the rest of the password would be as easy as hell
Re: (Score:2)
Time to get a new bank.
Re: (Score:2)
Do you realize how insecure that is? Take any four characters, hash them, and check them against the 640K database of hashes per customer. If they are all in the password, you'll get at least one hit.
It reduces the task of cracking the password to a fucked up form of bingo
Re: (Score:1)
640K ought to be enough for anyone...
Re:I think my bank stores passwords in plain text (Score:4, Interesting)
JP Morgan Chase, until about 26 months ago, only stored the first 8 characters of your password. Let that sink in for a second. A company that is creating a cryptocoin for internal transaction processing was only storing 8 characters of your online banking password.
Unfortunately these schmucks are still in business.
Re: (Score:2)
Doesn't AmEx also convert passwords to lowercase before hashing? They don't store the plaintext password - they lowercase it before hashing/verifying.
Re: (Score:1)
Or it stores the hashes of all combinations (or the subset it'll ever ask)? Only 8*7*6*5/4! = 70 combinations for an 8 char password... there might be other more efficient algos, though.
Mine does the same (HSBC).
Re: (Score:2)
Or it stores the hashes of all combinations (or the subset it'll ever ask)? Only 8*7*6*5/4! = 70 combinations for an 8 char password... there might be other more efficient algos, though.
But it's worth noting that doing this is also very insecure...
Re: (Score:3)
I think my bank stores passwords unhashed.
FTFY. They might store them unencrypted, or they might have an elaborate keyserver setup with a reasonable level of security, you can't know that. Hashing would have been better, but that doesn't mean everything else is garbage.
Re: (Score:2)
The problem is that you don't know, so you can't make an informed decision as to which companies you do or don't want to do business with.
Re: (Score:2)
With banks the secret phrase they want 3 random characters from is to supplement the full password. In fact it's mostly there to try to defeat key loggers, which is why they make you enter it using drop-down menus on a heavily JavaScript-laden page that pegs your CPU at 100%.
So? (Score:2, Informative)
How do you know your passwords are stored securely on any given website anyway? Most websites won't (and probably shouldn't) tell you how they store passwords/hashes. Even if they do tell you, should you trust them to tell the truth? The only defense is to never assume your password is stored securely and take measures (don't reuse, 2-factor, change often, etc.) accordingly.
Low cost! (Score:2)
I have a great idea! Let's make sure we purchase software from the lowest cost bid. Those places keep costs low by hiring low-cost developers. Not bothering with tests and QA. They're also likely to be last on the list of companies to upgrade their process, guidelines, etc. High school students could probably write this in just a few weeks. What could possibly go wrong?
Name and Shame (Score:3)
I warned my ISP at the time, Rainier Connect, of this very issue back in 2012. Is 7 years plenty of time to consider it reasonable disclosure to talk about it publicly? Damn right it is. NAME AND SHAME this horrible and dated practice!! https://www.rainierconnect.com... [rainierconnect.com]
http://plaintextoffenders.com (Score:2, Interesting)
http://plaintextoffenders.com
Re: (Score:1)
They leverage it to get your checking acct number, empty it. They use the statements and other info to apply for credit cards in your name. They assume your identity, maybe a couple of times, and ruin your credit forever. One of them gets arrested, blames you and comes to your house, he has the address from the statement.
Reply from SEDC to Utilities (Score:1)
The PCI Assessor is full of shit (Score:2)
"The plain text password in question is not a violation of PCI-DSS compliance."
https://pcipolicyportal.com/bl... [pcipolicyportal.com]
Requirement 8, version 3.0 of the PCI-DSS spec requires that "Passwords are protected with strong cryptography during transmission and storage."
Simple google search finds list of companies (Score:1)
Not quite (Score:1)
There's a punchline too... (Score:2)
https://www.sedata.com/our-sol... [sedata.com]
It includes:
Cyber Awareness Education
And....
SEDC MSS (Managed Security Services)
Just like a certain D (huge (only a minor breach) consultancy), mebbe they don't need to do the stuff they tell you to do.