Dutch ISP Discovers 140,000 Customers With Default Password 99
bs0d3 writes "In Holland, a major ISP (KPN) has found a major security flaw for their customers. It seems that all customers have had the same default password of 'welkom01'. Up to 140,000 customers had retained their default passwords. Once inside attackers could have found bank account and credit card numbers. KPN has since changed all the passwords of the 140,000 customers with weak passwords. They also do not believe anyone has actually been burglarized since discovering this weak spot in security."
Verizon online (Score:5, Interesting)
had to ban the password abc123 on their ADSL network years ago..
Re: (Score:2, Funny)
I was there for that... I got cursed out that week by many a little old lady.
Re: (Score:2, Interesting)
KPN has since changed all the passwords of the 140,000 customers with weak passwords. They also do not believe anyone has actually been burglarized since discovering this weak spot in security.
It's a shame KPN changed their passwords for them. They were about to learn a valuable lesson!
The reasonably intelligent people only had to hear about one instance of fraud, one example of ID theft in the news, to understand that they need a decent password. Idiots don't learn the easy way like this. Idiots only ever learn the hard way. I don't agree with that but I respect their right to learn any way they want to. It's called freedom.
Re: (Score:2)
Re: (Score:2)
Re: (Score:2)
It's a shame KPN changed their passwords for them. They were about to learn a valuable lesson!
I doubt it. They'd just become part of a botnet.
The reasonably intelligent people only had to hear about one instance of fraud, one example of ID theft in the news, to understand that they need a decent password.
You confuse ignorance with stupidity. They heard about ID theft, they heard about phishing, they don't hear about weak passwords.
Re: (Score:2)
Bell Canada used to use this password and no one would ever change it. It was kind of funny being able to tell people what their password was. They've recently made slightly better passwords, but it was a good couple of years of abc123.
Re: (Score:2)
They are lucky ACTA got rejected (Score:1)
Those filthy communists enabling others to pirate through their connection would be in jail now.
Re:Tourism in Holland is going to EXPLODE (Score:5, Insightful)
Just for the record, it's not a normal or common thing to have sex with underage eastern european girls here.
Re:Tourism in Holland is going to EXPLODE (Score:5, Funny)
The only thing missing from your post is something about wooden shoes and windmills. Thanks for the generalization, again.
This, and that war-driving has to be done on a bicycle.
Re: (Score:2)
You forgot the tulips & orange!
Re: (Score:2)
Can't be much more inviting than cheap pot&prostitutes and identical passwords for everybody that translate as "Welcome".
Doesn't surprise me much... KPN is a shit company who are still benefitting from being the previously state-owned telecom provider, meaning they can milk their customer base without having to do too much about anything, including security.
It's the ISP's fault (Score:5, Informative)
It's their fault for not (1) randomizing the initial password, and (2) forcing new subscribers to immediately change their password after the first login, both of which are standard practices on properly secured systems.
Re:It's the ISP's fault (Score:5, Interesting)
Further, why was the credit/bank information displayed in full? Isn't that stuff usually masked out? I think all services that I subscribe to usually just show the last 3-4 numbers of the account information, for this reason (in case login credentials are stolen).
Re: (Score:1)
That one is easy. In the Dutch system, they don't use security by obscurity when it comes to bank account numbers, it's like an address. Most payments above a handful of euros are done by bank transfer (cheques were phased out decades ago, credit cards are rarely used). You would have trouble paying for things or receiving payments if your bank account number was a secret there.
Re: (Score:2, Interesting)
they don't use security by obscurity when it comes to bank account numbers, it's like an address. Most payments above a handful of euros are done by bank transfer
Now what is that called, security-through-the-honor-system?
Come on, try to think about it. Do you rely on keeping your house address a secret as a protection against burglary? Can anyone who knows where your house is take your stuff? Answer: no, there's a lock, with retina scan, a heavily armed robot, a shark pond (frickin lasers included).
Why should knowing your bank account number be enough to be able to take your money out of the bank? To take money out of your account two things are needed: to know your bank account number and to BE you.
Re: (Score:1)
This. Very much this. I can give my bank account number to anyone (I'm Dutch). They can't pull money from it. They could try by faking my signature on an automatic incasso form, but I can repeal that at any time.
To take money out of my account they either need my card and PIN (which, granted, is the 4-digit one, not the newer 6 digit one. If I had the choice, I'd pick 8 or more digits, I have no trouble remembering digits) or a very good forgery of my ID card or passport.
Re: (Score:2)
Now what is that called, security-through-the-honor-system?
No, it's called having a payer-initiated system, as opposed to the payee-initiated system we have here in the US.
When I send money to you:
In the US system, it starts with me sending a debit authorization to you, and your bank forwarding it on to my bank, which then debits my account and sends it to your bank
In the European system, it starts with me telling my bank to take the money from my account and send it to your bank, where it's deposited into your account.
One side effect of this difference is way less
Re: (Score:2)
I can reverse any transaction that originated from my account.
It has to be within 60 days and I'll be paying a fine if the charge back was without merit but it works just fine. I have used this feature multiple times when O2 Germany + Jesta tried to scam me.
Was that a payER initiated transfer, though? I.e. did you choose to pay them, then changed your mind?
Or was it them charging your card, in which case it was a payEE initiated transfer, like in the US?
Re: (Score:2)
They are not responsible for their hopefully grown-up customers that are all obviously trusted by the banks to have credit cards.
Sure, they should have known better than to trust users to change their passwords, but some people need to learn the hard way. At most, this means a few weeks of sleepless nights for their PR-department.
Re:It's the ISP's fault (Score:5, Interesting)
OTOH, I wonder if all 140,000 customers who used the default password actually USED the account? It sounds like it was a customer service portal thing - not something they normally login with. For those people, they probably managed their account by phone rather than thinking to log into the customer service portal and do all their changes there?
Re: (Score:1)
Re: (Score:2)
Would you shed a tear for an automobile driver who said "gee, I didn't know what the red-line was or that revving it past the red-line could damage the engine!" No, you'd say anybody fit to drive a car should know this, if they don't then they get to go to a mechanic and pay the stupidity tax. Same deal with passwords and internet access.
Your car analogy is out of date and it could be used against the point you are trying to make in modern days. Nowadays, cars have "rev limiters" that will prevent going above the red line too much. I guess with a manual, sticking it in first gear at highway speed would still do the trick though.
So "rev limiters" == better protection for drivers who do not know.
Dummy driver goes to the dealer and says: "My car is broken, every time I go 500 rpm above the red line, my engine cuts off."
Re:It's the ISP's fault (Score:5, Insightful)
but some people need to learn the hard way.
Should car companies remove seat belts and airbags, so people can "learn the hard way" to avoid accidents?
Or maybe we should be responsible professionals and design secure systems and appropriate procedures, instead of blaming our customers for our own incompetence.
Re: (Score:3)
Re: (Score:1)
No, they should keep the seat belts. They should keep letting people decide when to use them, and they should not be responsible for any deaths that occur if someone did not use them.
Like letting people change their password as they should if they want to remain safe, or leave them if they want to get hurt badly in case someone hits them.
Re: (Score:3)
Re: (Score:1)
I can't believe this remark gets +5 Informative!
I second that.
What kind of fucked up childhood does a person have, to make them honestly believe that securing your own shit is somehow someone else's problem?
Re: (Score:2)
what if you don't know everyone has the same key?
Why would you even buy that lock?
While everyone is responsible for their own security, people developing the products are responsible for good implementation; which this was not.
Re:It's the ISP's fault (Score:5, Insightful)
If I get a lock installed on the door of my new house, with a key that is the same as the key on 140000 other doors, guess what I am going to do next, install a new lock or wait until someone empties my house and blame the company that installed the lock.
Unless you went out of your way to get a special lock, the lock on the door of your house is likely trivial to defeat with a "bump key", which is pretty easy to come by and use (unlike lockpicks, which would also open your door easily, but are somewhat controlled and take a bit of practice). But you probably didn't know that, because you're not a technical expert in that area of security.
Most people aren't a technical expert in the area of computer security, and so don't have a clue that they would need to change the password their ISP gave them. They would expect their ISP to be competent in such matters.
Re: (Score:2)
Most people aren't a technical expert in the area of computer security, and so don't have a clue that they would need to change the password their ISP gave them. They would expect their ISP to be competent in such matters.
I'm sorry, but at some point, ignorance with basic computer functions needs to be frowned upon, not placated to. 50 years ago, hardly anyone had a password to anything. These days, it's almost impossible to find someone without at least one, and yet we're going to continue to act like people don't know what the hell they're for, or why they should change them (like, ever).
It's one thing to not know how to set up custom firewalls and DMZ segments. It's another matter entirely if a user cannot seem to gras
Re: (Score:2)
Again, you're (likely) ignorant about basic physical security functions - most people are, and yet society does fine because physical security is a mature field, and end users simply don't need to understand any of that! Computer security needs to reach that point - the users will never get any "smarter" (generally users aren't actually dumb, they just don't care about your software).
Re: (Score:2)
Again, you're (likely) ignorant about basic physical security functions - most people are, and yet society does fine because physical security is a mature field, and end users simply don't need to understand any of that! Computer security needs to reach that point - the users will never get any "smarter" (generally users aren't actually dumb, they just don't care about your software).
Actually, I am acutely aware of the importance of physical security. It is the primary line of defense.
Now, perhaps you could explain to me how exactly physical security measures are going to apply to the average user who walks around with an unencrypted hard drive in their laptop (that a 10-year old could remove and copy), a cell phone (with an "unlock" button for security), and most of their personal information now stored online in webmail, facebook, twitter, picasa, etc (all secured by the same impossi
Re: (Score:2)
Yes, physical security (encrypted drives, strong passwords, two-factor auth) is a mature field.
Heh, you sort of made my point for me. You're so focused on your specialty that that's what you think of when I say "physical security". You worry about personal information being stolen, but what steps did you take to prevent your actual, physical passport being stolen? Or any valuables in your house? Or your car? Most people don't understand the basics of physical security, and while there would be less crime if they did, we don't blame the victim when a crime occurs.
Re: (Score:1)
It's their fault for not (1) randomizing the initial password, and (2) forcing new subscribers to immediately change their password after the first login, both of which are standard practices on properly secured systems.
Definitely true!! Let's face it whilst us geeks will roll our eyes and groan at the stupidity of the user, we should remember that most people don't choose or want to care about complexity of security. A lock and key is a nice easy physical reminder in our daily routine that we need to keep the bad guys out, but passwords are not intuitive to our lifestyle yet. Until people become accustomed to the digital set of keys, or it becomes as easy as a set of keys, then people will rely on default passwords.
So yes
Re: (Score:2)
It's their fault for not (1) randomizing the initial password, and (2) forcing new subscribers to immediately change their password after the first login, both of which are standard practices on properly secured systems.
Exactly. And when I read "major security flaw", I laughed, trying to figure out what is the larger "flaw" here. The rather blatant and obvious shortcomings you've pointed out, or the fact that there are at least 100,000 people in Holland who don't know why they should ever change their default password.
Don't underestimate industrious users (Score:2)
On a system I manage we have rules in place to prevent the reuse of passwords, simple ones like you cannot use a password you used the previous 31 times and such with limits on how often you can change them.
Well unless we put a limit of changes that were beyond a day you can guess what many users figured out to do... Forcing users to change passwords doesn't always end up with the results you expect.
Oh, mixed case and numbers... don't even get me started. Surveyed users on how they handled that and its
Once upon a time... (Score:5, Interesting)
When I was a sysadmin at a certain Bible college known for its weak security, I collected the password hashes of the students & faculty and ran them through a cracker (John the Ripper if I remember correctly), then sent out a mass email with the decrypted passwords, sorted by the amount of time it took to crack them.
Yeah, the majority of them were cracked within five seconds. Of course, I omitted the information on just whose passwords they were.
Dunno if it resulted in anyone actually doing something about their passwords though.
Re: (Score:2)
OK, am I to understand you published actual passwords? That never works to motivate the technically challenged.
Re: (Score:1)
Yes, I published them. One year later.
Re: (Score:1)
Why the bleep did you do that? If they had a password that could be cracked in a few thousand guesses, it'd take under a second to brute-force it from the hash - but an outside attacker trying to log in should be stopped after three guesses if the sysadmin is halfway competent. Unless you're expecting to leak the hashes, you're solving the wrong problem - and, in the process, making the real problem worse.
Re: (Score:2)
Re: (Score:1)
Your error is in assuming that any & all attackers would be from the outside.
Not a safe assumption.
other common passwords found around the world (Score:1)
welcome01
willkommen01
aloha01
benvenuto01
Re: (Score:2)
Well they are no longer the current password to those accounts, and with regards to other sites it's no less secure than someone who has a password on the top 10 most popular passwords list.
Re: (Score:2)
Well they are no longer the current password to those accounts, and with regards to other sites it's no less secure than someone who has a password on the top 10 most popular passwords list.
Some users think passwords are a nuisance or a bother and resent having to stop and take the 2 seconds necessary to type it in. Others appreciate the safeguard that it represents and treat it accordingly. Both reap what they sow.
There is definitely a strong overlap between that first group, and this more general (sadly widespread) mindset that ever putting any thought into anything is some kind of terrible burden to be avoided at all costs.
Re: (Score:2)
The problem is that there are simply too many sites asking for passwords these days..
The sensible thing is obviously to use a different password everywhere, but you will never remember them and end up keeping them written down somewhere. Either somewhere inconvenient, so that you don't have access to the password when you need it, or somewhere convenient where it could more easily fall into someone else's hands.
So people reuse passwords across sites, the problem with this is that you don't know how a given
Re: (Score:2)
The problem is that there are simply too many sites asking for passwords these days..
The sensible thing is obviously to use a different password everywhere, but you will never remember them and end up keeping them written down somewhere. Either somewhere inconvenient, so that you don't have access to the password when you need it, or somewhere convenient where it could more easily fall into someone else's hands.
So people reuse passwords across sites, the problem with this is that you don't know how a given site will store your password... It might be in plain text, or using a weak algorithm... A compromise of one site (see linkedin) thus compromises your accounts on other sites.
A nice solution is to use a browser add-on (Firefox has a few like this, other browsers probably do, too) that generates a strong per-site password for you.
The way it works is that you choose one good master password. The add-on then makes a cryptographic hash of the site's domain name and your master password. This produces a password that is unique to each site, can be safely stored without fear of compromise, and provides a high degree of entropy (looks like random characters). You only have to rem
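An added example (not code from the poster or from any particular browser add-on) of the scheme described above: one master password plus the site's domain name, run through a slow salted hash to produce a deterministic per-site password. The domain normalization, the per-site counter (so one leaked site password can be rotated without changing the master), the PBKDF2 round count and the output format are assumptions of this example.

```python
import base64
import hashlib
import unicodedata

PBKDF2_ROUNDS = 100_000  # assumed; a slow hash makes offline guessing of the master costlier


def normalize_site(site: str) -> str:
    """Reduce a URL or hostname to a bare lowercase domain so 'https://www.Example.com/login'
    and 'example.com' derive the same password."""
    site = site.strip().lower()
    if "://" in site:
        site = site.split("://", 1)[1]
    site = site.split("/", 1)[0].split(":", 1)[0]
    if site.startswith("www."):
        site = site[4:]
    return site


def derive_site_password(master: str, site: str, counter: int = 1, length: int = 20) -> str:
    """Deterministic per-site password: PBKDF2-HMAC-SHA256(master, domain|counter).

    Nothing secret is stored: the same (master, domain, counter) always yields the same
    password, so a compromise of one site's password store does not reveal other sites'
    passwords, and a leaked site password can be rotated by bumping the counter.
    """
    if length < 8:
        raise ValueError("derived password too short to be useful")
    master = unicodedata.normalize("NFKC", master)  # same keystrokes on any platform
    salt = f"{normalize_site(site)}|{counter}".encode()
    key = hashlib.pbkdf2_hmac("sha256", master.encode(), salt, PBKDF2_ROUNDS)
    # urlsafe base64 keeps the output printable; strip padding, then truncate
    return base64.urlsafe_b64encode(key).decode().rstrip("=")[:length]


if __name__ == "__main__":
    # Constructed demo values, not real credentials
    for site in ("https://www.example.com/login", "example.com", "example.org"):
        print(site, "->", derive_site_password("correct horse battery staple", site))
```

Because the master is the only secret, its strength bounds the whole scheme: a weak master lets anyone holding one derived password guess it offline, which is why the example stretches it with PBKDF2 rather than a single fast hash.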
Nothing lost (Score:2)
They also do not believe anyone has actually been burglarized since discovering this weak spot in security.
Sure, that's believable. It'd be bad if googling 'welkom01' turned up hits on free password sites but that'll probably never happen.
What's particularly humorous is forcing google to not include pages from the last week. One of the first pages is this gem from 2010.
http://www.autoitscript.com/forum/topic/118849-import-csv-file-to-add-users-in-ad/ [autoitscript.com]
Almost looks like the ISP's admin asking how to make it so new accounts get the right password in a scripted fashion. There are a few other admin type questions
burglarized??? (Score:4, Insightful)
Re: (Score:2)
Re:burglarized??? (Score:4, Insightful)
I guess it's American usage. We don't ever say "burgled" over here; it sounds funny.
Re: (Score:2)
Burgle is a back-formation from burglar. Notice that burgler is not a word, and burglar doesn't come from "one who burgles."
While burgle may be a perfectly cromulent word in the sense that it's acknowledged by dictionaries as actually used, it's really less standard and too informal for news reports.
At least the cromulescence is clear.
Re: (Score:2)
Re: (Score:2)
I would rather be burgled than buggered.
Re: (Score:2)
Why couldn't they have picked French to bastardize (sic)?
New password (Score:5, Funny)
All offending passwords were changed to "welkom02." Crisis averted!
"Dear Subscribers" (Score:5, Funny)
and the usernames too (Score:2)
But at least then it'd have to be targetted. What isn't clear is what the login actually does. The article says it was the "account management" login. So to use Time Warner as a comparison, I assume that means they would change the ISP-based e-mail account passwords from there and read their e-mail via a webmail interface not to mention reset
Damn! (Score:5, Funny)
Just lost about 140K bots on my net...
My ISP (Score:2)
Cox isn't much, but I don't actually get a default account, except for email, and that is just email.
My account info is not necessary to use service, just to automate payment, and I have to set up everything, no defaults.
My real concern is how this ISP determined using defaults made any sense. Really?
ISP didn't discover it. (Score:5, Informative)
KPN didn't discover it themselves. An ICT company did (accidentally even), and reported the flaw to an IT site (webwereld.nl) instead of contacting KPN directly.
Dutch link: http://tweakers.net/nieuws/82955/kpn-maakt-blunder-met-standaardwachtwoord-z-adsl-accounts.html [tweakers.net] and http://webwereld.nl/nieuws/111057/140-000-kpn-adsl-accounts-lek-door-welkom01-fail.html [webwereld.nl]
Passwords shamaswords (Score:1)
Sounds like users have had it with passwords...
or is the problem still between the keyboard and the chair?
Re: (Score:2)
It's their own fault for not making the default password a variant of "everybodygetsthispassworditsnotsecureatall" or, "IShouldChangeThisToSomethingUnique"
weak password (Score:2)
The ISP replaced it with another weak password? What? welkom02? Why not a strong password? Strong passwords do not have to be hard to remember or type, see: http://xkcd.com/936/ [xkcd.com]
Re: (Score:2)
Thanks. Now everyone please change your password from "welkom01" to "correcthorsebatterystaple" and we all have become a lot more secure!
Great password! (Score:1)
What are the odds ... (Score:2)
I think you accidentally a whole word (Score:2)
In Holland, a major ISP (KPN) has found a .
First sentence, guys. A grammatical mistake in the First. Fucking. Sentence.
The 9 year olds in the special school I teach for can construct full sentences. They can also read through their work and pick out mistakes. You, as paid editors, have no excuse. I don't care if this is a missing angle bracket on a tag or other technical issue; it's inexcusable.