Comcast Security Flaw Exposes Partial Addresses, Social Security Numbers of 26 Million Users (buzzfeednews.com) 67
olsmeister writes: A security flaw in the Comcast Xfinity online portal exposed social security numbers and partial home addresses of more than 26.5 million subscribers, according to security researcher Ryan Stevenson. Comcast says the flaws have already been patched and that it currently has no reason to believe that the flaws were ever exploited. BuzzFeed reports of the two vulnerabilities: One of the flaws could be exploited by going to an "in-home authentication" page where customers can pay their bills without signing in. The portal asked customers to verify their account by choosing from one of four partial home addresses it suggested, if the device was (or seemed like it was) connected to the customer's home network. If a hacker obtained a customer's IP address and spoofed Comcast using an "X-forwarded-for" technique, they could repeatedly refresh this login page to reveal the customer's location. That's because each time the page refreshed, three addresses would change, while one address, the correct address, remained the same. Eventually, the page would show the first digit of the street number and first three letters of the correct street name, while asterisks hid the remaining characters. A hacker could then use IP lookup websites to determine the city, state, and postal code of the partial address.
In the second vulnerability that Stevenson discovered, a sign-up page through the website for Comcast's Authorized Dealers (sales agents stationed at non-Comcast retail locations) revealed the last four digits of customers' Social Security numbers. Armed with just a customer's billing address, a hacker could brute-force (in other words, repeatedly try random four-digit combinations until the correct combination is guessed) the last four digits of a customer's Social Security number. Because the login page did not limit the number of attempts, hackers could use a program that runs until the correct Social Security number is inputted into the form. After learning of these vulnerabilities, Comcast disabled in-home authentication and put a strict rate limit on the portal. Here's what a Comcast spokesperson had to say about the matter: "We quickly investigated these issues and within hours we blocked both vulnerabilities, eliminating the ability to conduct the actions described by these researchers. We take our customers' security very seriously, and we have no reason to believe these vulnerabilities were ever used against Comcast customers outside of the research described in this report."
In the second vulnerability that Stevenson discovered, a sign-up page through the website for Comcast's Authorized Dealers (sales agents stationed at non-Comcast retail locations) revealed the last four digits of customers' Social Security numbers. Armed with just a customer's billing address, a hacker could brute-force (in other words, repeatedly try random four-digit combinations until the correct combination is guessed) the last four digits of a customer's Social Security number. Because the login page did not limit the number of attempts, hackers could use a program that runs until the correct Social Security number is inputted into the form. After learning of these vulnerabilities, Comcast disabled in-home authentication and put a strict rate limit on the portal. Here's what a Comcast spokesperson had to say about the matter: "We quickly investigated these issues and within hours we blocked both vulnerabilities, eliminating the ability to conduct the actions described by these researchers. We take our customers' security very seriously, and we have no reason to believe these vulnerabilities were ever used against Comcast customers outside of the research described in this report."
Full Location (Score:2)
A local ISP near me puts the device's MAC address into the reverse DNS lookup of every IP address assigned on their network. Just increase/decrease the MAC address by 1 or 2, and you'll usually get the routers WiFi MAC instead of WAN MAC. With the WiFi MAC in hand, you can use publicly available free online tools to geolocate the access point down to about a 2-4 house accuracy. In other words, you can get near-exact physical location of any user on this ISP from just their IP address. ... It has been like t
Re: (Score:2)
What's with these companies, can't keep basic data secure?
Were they born in the '40s?
Re:Full Location (Score:5, Interesting)
For web forms that will not enable the Next button without information they don't need, I usually fake it. That fake data goes into my password manager as a third level of security that only I know.
Re: (Score:3)
Why do they need an SSN in the first place? If I'm completely honest, we have to bear some of the responsibility for these breaches of security by idly allowing any and all personal information to be collected by any old munchkin. An ISP does not need your SSN, date of birth or anything else beyond your address and payment details.
They need your SSN for checking your credit, which is used to determine if you will be required to pay a deposit on your service. Remember that Comcast isn't just an Internet provider, they also sell phone and pay TV service. Service people can run up a pretty penny in post-paid charges on.
If you're about to say "they can't force you to give them your SSN". You're right. But you also can't force them to give you service. They could also agree to give you service only if you pay a huge deposit (which will be
Re: (Score:2, Interesting)
NOPE! You just have to pay a deposit potentially or ask for a manger to override. No reason to give it. https://forums.xfinity.com/t5/Customer-Service/You-should-not-need-my-social-security-to-set-up-service/td-p/2587380
Re: (Score:2)
It sounds like the US credit checking system is broken then - I don't need to supply the British equivalent (NI Number) when applying for credit, nor do I need to apply for credit to sign up for cable or satellite TV...
Rather than simply accepting the broken system, you might want to think about how it should be changed.
Re: (Score:2)
Well sure, in a country of a few thousand people this works, how about a country with 300+ million people? Do you know how many Matthew/John/Steve Smiths there are in the U.S.? How about Jones? The number of people with the same birthdate and name is probably more than some cities in both the U.S. and Europe.
Re: (Score:2)
Re: (Score:2)
Re:Full Location (Score:5, Interesting)
Why do they need an SSN in the first place?
Better question: Why do we pretend that SSNs are "secret"?
They are already semi-public, and generally used as a "citizenship number". There have been so many breaches that nearly every SSN has be leaked multiple times. Why not just go all the way, and make SSNs fully public? Then people could just write it on an envelope, and the USPS would deliver the letter to your current address.
If companies want something for authentication, they would have to use something sensible instead.
Re: (Score:2, Interesting)
Then people could just write it on an envelope, and the USPS would deliver the letter to your current address.
Back in the early 90s when I was in the Navy, we did use our SSN in our mailing address, at least in boot camp.
Like you say, it isn't really a secret and it wasn't until a few years later that you heard everyone saying not to tell anyone your number and then we started pretending it was a secret.
Re: (Score:2)
It's harder to avoid than it first appears. Every little unique fact about you is one more bitmap to pry into your life and you can only
SSNs are not unique per person (Score:2)
I'm not trying to imply that the SSN is a secret. I'm implying that it's UNIQUE.
Social Security Numbers are NOT unique [nbcnews.com] per person. not even close. People have more than one (often for legitimate reasons) and many numbers are used for more than one person (usually for identity theft). We're talking tens of millions of people here. We tend to think of them as unique identifiers in the sense of a primary key but in reality they definitely are not reliable in that capacity and never have been.
It's far better if you never accept the linkage in the first place because, once you've given a piece of information away, you've completely lost control of it.
Quite so.
Re: (Score:2)
We're talking tens of millions of people here. We tend to think of them as unique identifiers in the sense of a primary key but in reality they definitely are not reliable in that capacity and never have been.
They are reliable enough as a unique identifier for the purposes of attempting identify theft, which was the parent poster's point. Unique enough as a primary key in some national database, okay perhaps not. But the identity thief does not require that level of accuracy to be successful -- and the IRS has no problem treating them as a unique identifier.
How SSNs are used is the problem (Score:2)
Better question: Why do we pretend that SSNs are "secret"?
Lot's of data is technically public that you really don't want to be made more available than necessary. Identity theft is a serious problem and given how casually SSN's are handled and how they are used for authentication (even when they shouldn't be) giving a lookup table for them is a terrible idea currently.
They are already semi-public, and generally used as a "citizenship number".
That doesn't make it a good idea or desirable. It's certainly at odds with a lot of privacy considerations.
Why not just go all the way, and make SSNs fully public?
Because you have to change a lot of other infrastructure and business practices to make t
Re: (Score:1)
If I understand the SSN correctly, in Australia the equivalent is the Tax File Number (TFN).
Only an employer, once you're employed, a bank (to deduct tax from any interest you may earn from having money in the bank) and the Tax office are allowed to ask for it. Or store it.
Anyone else asking for it is committing an offence.
TFNs are secret.
Re: (Score:2)
Parts of the addresses were converted to asterisks. This is explained in the summary.
Why are SSN's available to an internet-facing app? (Score:2)
Re: (Score:2)
... So people without logins can be validated. ...
So, convenience instead of security. I would have thought Comcast knew better.
Re: (Score:2)
Re: (Score:2)
...For verification that the user is who they say they are and they're authorized to make changes to the account. ...
Why does the app have access to the SSN? Why not, e.g., hash what the customer enters and compare the hashes? Why not, e.g., send the entered SSN off to a different server that does not have internet access and is more secure?
Re: (Score:2)
Re: (Score:2)
...Because it's not your "social security password" so why would you salt and hash like a password? ...
I never said it was a password. .
...That's the thinking (or lack thereof) behind it I assume....,
You shouldn't dis someone when you make incorrect assumptions.
Re: (Score:2)
He seemed to me to be dissing stupid developers who assume that if the field isn't named "password" then it doesn't matter if it's exposed.
Re: (Score:2)
Why is a subscriber's SSN required, period? Okay I can understand to protect against bad apples. But why do you need my SSN for the future when my payment history is all the credit history you need?
Because they are selling your data and your SSN is a great choice for a primary key. This is the user's fault. If you think a $250 deposit costs more than your security is worth, then by all means don't stop giving out your SSN
-dk
Need consequences with teeth (Score:5, Insightful)
A security flaw in the Comcast Xfinity online portal exposed social security numbers and partial home addresses of more than 26.5 million subscribers
So my beef with this isn't that a security flaw happened. I expect that to happen from time to time even though I think the consequences for it aren't nearly severe enough currently. The problem I have is that Comcast is storing Social Security Numbers in the first place. They have absolutely zero need to store this information. Yes I'm aware that lots of companies do it and for the most part they don't need it either. But let's ignore that and say they do need/want to store my SSN. Then there should be consequences with serious teeth for security failures regarding sensitive information about me. We have these leaks in part because there are effectively zero consequences for mismanagement of sensitive customer data. The companies simply don't have to care very much. Failure to keep this data secure should result in heavy fines and odious government oversight. It should be ugly enough to make them think seriously about what data they really ought to be storing and how they go about it and what best practices to use. Companies that act responsibly should be free to go about their business but those that can't or won't handle sensitive data responsibly should be very afraid.
Re: (Score:3)
Encryption at rest means nothing if the actual mechanism to get to the data isn't secure.
I can encrypt everything at rest, but I could also forget to verify credentials on the system that has the rights to decrypt....
Encryption does not equal secure (Score:2)
One of those requirements is that any personally identifying information that is at rest must be encrypted.
That gets routinely and roundly ignored. I've worked in hospital systems and my wife is a doctor. And in most cases nothing really ever comes of it and there are minimal to zero consequences to the organizations that fail to maintain adequate infosec. Plus just because something is encrypted to comply with a statute doesn't mean it is actually secure. That is why you need to have legal consequences with actual teeth to ensure an adequate level of effort is expended to keep data secure and to incentivize
Re: (Score:2)
comcast open wifi network the backs on your link (Score:2)
comcast open wifi network the backs on your link is also there as well.
Re: (Score:2)
Re: (Score:2)
and Comcast has a way of making that turn back on from time to time.
Re: (Score:2)
How comforting (Score:2)
That's not a no, I'd like a actual no actual customers were harmed with these exploits. Is that to much to ask?
funny thing about comcast's security (Score:1)
Meh (Score:3)
Give this time and learn the real numbers later... (Score:2)
...or learn something closer to the real numbers later. As I pointed out earlier [slashdot.org] these stories follow a pattern and part of that pattern is to lowball the first press release of the number of adversely affected parties. Comcast will likely join the ranks of Equifax [slashdot.org], Yahoo [slashdot.org], and Hyatt [slashdot.org].