rslade
Influencer II

Vodaphone blames customers for weak passwords.

So, a couple of Czech "hackers" accessed Vodaphone customer accounts.  They used the password "1234," found it worked on a bunch of accounts, and ordered SIM cards on those accounts.  Picked up the cards and used the phones to make charges on gambling services.  Got caught and sentenced.

 

Vodaphone wants the customers to pay for the thefts.  Vodaphone says the customers used weak passwords and deserve everything they get.

 

Now, normally I would have a bit of sympathy for Vodaphone's position.  (A very little bit.)  Were it not for one minor detail: Vodaphone only allows users to have passwords that are four to six characters long ...


Other posts: https://community.isc2.org/t5/forums/recentpostspage/user-id/1324864413

This message may or may not be governed by the terms of
http://www.noticebored.com/html/cisspforumfaq.html#Friday or
https://blogs.securiteam.com/index.php/archives/1468
4 Replies
denbesten
Community Champion


@rslade wrote:

 Vodaphone only allows users to have passwords that are four to six characters long ...

I am less sympathetic to Vodaphone's position.  First, TFA states the range is 4 to 6 digits (not characters). Secondly, customers report that they did not even know the password existed.  Third, Vodaphone suggests that perhaps "one of their employees configured this password when a phone was purchased...."

 

A 4-6 digit PIN might be reasonable when device presence is required (e.g. an unlock PIN), but not for an online web site.

 

DAlexander
Newcomer III

Ultimately, I think the appropriate party to pay for the thefts should be the thieves.  That would be a perfect world where the thieves had the funds on hand or we could make them work the debt off. 

 

In reality, what will ultimately happen is that Vodaphone will file an insurance claim to recoup the lost funds, their premiums will increase, and then they'll pass that cost on to the consumers.  In the end, Vodaphone customers will pay for it.

Shannon
Community Champion

 

Service providers shouldn't bank on end-users being aware of all the risks, and should also take measures to protect their own systems with controls, such as enforcing password complexity requirements, halting use due to suspicious activity, tracking, etc.

 

Ultimately, Vodaphone should be held responsible --- of course, we can't count on the thieves to bear the costs --- and even if they cover the losses through insurance, they should be compelled to strengthen their system.

Shannon D'Cruz,
CISM, CISSP

www.linkedin.com/in/shannondcruz
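The controls Shannon lists above, applied to the pattern rslade describes (one guess, "1234", tried across many accounts) and to denbesten's point about a 4-6 digit PIN. This is an added example, not code from the thread or from any provider; the log format, addresses and account ids are constructed for illustration.

```python
"""Added example: size of a 4-6 digit PIN space, a policy check that rejects
obvious PINs, and a detector for one source touching many accounts.
Log format, source addresses and account ids are constructed, not real."""
import re
from collections import defaultdict

# Constructed authentication events; 203.0.113.x / 198.51.100.x are
# documentation-only address ranges, not real customers or attackers.
SAMPLE_LOG = """\
2019-03-01T10:00:01 src=203.0.113.5 account=cust-1001 result=FAIL
2019-03-01T10:00:02 src=203.0.113.5 account=cust-1002 result=FAIL
2019-03-01T10:00:03 src=203.0.113.5 account=cust-1003 result=OK
2019-03-01T10:00:04 src=203.0.113.5 account=cust-1004 result=FAIL
2019-03-01T10:00:05 src=203.0.113.5 account=cust-1005 result=OK
2019-03-01T10:00:09 src=198.51.100.7 account=cust-2001 result=FAIL
2019-03-01T10:00:15 src=198.51.100.7 account=cust-2001 result=OK
"""
LINE_RE = re.compile(r"src=(\S+) account=(\S+) result=(OK|FAIL)")


def pin_keyspace(min_digits: int, max_digits: int) -> int:
    """Number of distinct all-digit PINs across the allowed lengths.
    For 4-6 digits this is 10^4 + 10^5 + 10^6 = 1,110,000 candidates."""
    return sum(10 ** n for n in range(min_digits, max_digits + 1))


def is_weak_pin(pin: str) -> bool:
    """Policy check: reject non-digit input, a single repeated digit, or a
    run of consecutive digits in either direction (1234, 4321, 0000)."""
    if not pin.isdigit():
        return True
    if len(set(pin)) == 1:
        return True
    steps = {int(b) - int(a) for a, b in zip(pin, pin[1:])}
    return steps in ({1}, {-1})


def detect_spray(log_text: str, min_accounts: int = 3) -> dict:
    """Map each source that touched at least `min_accounts` distinct accounts
    to the sorted account list. One guess against many accounts is the
    signature of password spraying, whether or not a guess succeeds; tune
    `min_accounts` above what a shared NAT address legitimately produces."""
    accounts = defaultdict(set)
    for line in log_text.splitlines():
        m = LINE_RE.search(line)
        if m:
            src, account, _result = m.groups()
            accounts[src].add(account)
    return {src: sorted(a) for src, a in accounts.items() if len(a) >= min_accounts}
```

On the sample above only the source that cycled through five accounts is flagged; the second source, which retried a single account, is not.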
CraginS
Defender I

For decades the security community has had the terrible habit of blaming the end-user for security issues that were actually caused by terrible system design that failed to account for the complete system aspects of tools (h/w & s/w), processes, and people. Understanding the human factor, to include motivations and real-world environments of action, is essential to developing secure systems.

 

A great exposition of this problem is in Alan Cooper's The Inmates Are Running the Asylum: Why High Tech Products Drive Us Crazy and How to Restore the San.... That book should be mandatory reading for everyone who claims to be a cybersecurity specialist.

 

I also addressed aspects of this problem, particularly on password selection, a few years ago in my 25-minute talk at INFOSEC World, Why Won't They Follow the Rules? Maybe It's the Boss's Fault!

D. Cragin Shelton, DSc
Dr.Cragin@iCloud.com
My Blog
My LinkedIn Profile
My Community Posts