So, a couple of Czech "hackers" accessed Vodafone customer accounts. They used the password "1234," found it worked on a bunch of accounts, and ordered SIM cards on those accounts. Picked up the cards and used the phones to make charges on gambling services. Got caught and sentenced.
Vodafone wants the customers to pay for the thefts. Vodafone says the customers used weak passwords and deserve everything they get.
Now, normally I would have a bit of sympathy for Vodafone's position. (A very little bit.) Were it not for one minor detail: Vodafone only allows users to have passwords that are four to six characters long ...
Vodafone only allows users to have passwords that are four to six characters long ...
I am less sympathetic to Vodafone's position. First, TFA states the range is 4 to 6 digits (not characters). Secondly, customers report that they did not even know the password existed. Third, Vodafone suggests that perhaps "one of their employees configured this password when a phone was purchased...."
A 4-6 digit PIN might be reasonable when device presence is required (e.g. an unlock PIN), but not for an online website.
Ultimately, I think the appropriate party to pay for the thefts should be the thieves. That would be a perfect world where the thieves had the funds on hand or we could make them work the debt off.
In reality, what will ultimately happen is that Vodafone will file an insurance claim to recoup the lost funds, their premiums will increase, and then they'll pass that cost on to the consumers. In the end, Vodafone customers will pay for it.
Service providers shouldn't bank on end-users being aware of all the risks, and should also take measures to protect their own systems with controls, such as enforcing password complexity requirements, halting use due to suspicious activity, tracking, etc.
Ultimately, Vodafone should be held responsible --- of course, we can't count on the thieves to bear the costs --- and even if they cover the losses through insurance, they should be compelled to strengthen their system.
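The server-side controls the comment above calls for can be shown concretely. The following is an added illustration, not code from the thread or from Vodafone: a password policy that rejects short, all-digit secrets, and a login guard that locks an account after repeated failures and flags the pattern in the story, one source probing many accounts with the same guess. The log format, the policy thresholds and the log lines are all constructed for the example.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Assumed policy values for this illustration; not any provider's actual settings.
MIN_LENGTH = 8
LOCK_AFTER_FAILURES = 5         # failures per account within WINDOW before lockout
SPRAY_ACCOUNT_THRESHOLD = 10    # distinct accounts failed from one source within WINDOW
WINDOW = timedelta(minutes=15)
COMMON_PASSWORDS = {"1234", "123456", "0000", "password"}   # constructed denylist


def password_policy_violations(password):
    """Return the reasons a candidate password is rejected (empty list means accepted)."""
    problems = []
    if len(password) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    if password.isdigit():
        problems.append("digits only (a PIN, not a password)")
    if password in COMMON_PASSWORDS:
        problems.append("on the common-password denylist")
    return problems


# Constructed log format: "<iso timestamp> login account=<id> source=<ip> result=ok|fail"
LOG_RE = re.compile(
    r"^(?P<ts>\S+) login account=(?P<account>\S+) source=(?P<source>\S+) result=(?P<result>ok|fail)$"
)


def parse_log_line(line):
    """Parse one constructed log line into a dict with a datetime timestamp."""
    m = LOG_RE.match(line.strip())
    if not m:
        raise ValueError(f"unparseable log line: {line!r}")
    event = m.groupdict()
    event["ts"] = datetime.fromisoformat(event["ts"])
    return event


class LoginGuard:
    """Sliding-window failure tracking per account (lockout) and per source (spray alert)."""

    def __init__(self):
        self.account_failures = defaultdict(list)   # account -> [failure timestamps]
        self.source_failures = defaultdict(dict)    # source -> {account: last failure ts}
        self.locked = set()                         # accounts halted pending review
        self.sprayers = set()                       # sources already alerted on
        self.alerts = []

    def observe(self, event):
        if event["result"] == "ok":
            return
        now, acct, src = event["ts"], event["account"], event["source"]

        # Per-account lockout: too many failures inside the window halts the account.
        recent = [t for t in self.account_failures[acct] if now - t <= WINDOW] + [now]
        self.account_failures[acct] = recent
        if len(recent) >= LOCK_AFTER_FAILURES and acct not in self.locked:
            self.locked.add(acct)
            self.alerts.append(f"lock account={acct} after {len(recent)} failures")

        # Per-source spread: one source failing across many accounts is the
        # "try one guess everywhere" pattern, invisible to per-account counters.
        probed = self.source_failures[src]
        probed[acct] = now
        distinct = {a for a, t in probed.items() if now - t <= WINDOW}
        if len(distinct) >= SPRAY_ACCOUNT_THRESHOLD and src not in self.sprayers:
            self.sprayers.add(src)
            self.alerts.append(f"spray source={src} distinct_accounts={len(distinct)}")


def analyze_log(lines):
    """Feed constructed log lines through the guard and return it for inspection."""
    guard = LoginGuard()
    for line in lines:
        guard.observe(parse_log_line(line))
    return guard


# Constructed sample: one source fails once against 12 accounts (no single account
# trips the lockout), one account takes 5 failures from another source, one clean login.
SAMPLE_LOG = (
    [f"2024-05-01T10:{i:02d}:00 login account=cust{i:02d} source=203.0.113.5 result=fail"
     for i in range(12)]
    + [f"2024-05-01T10:20:{i:02d} login account=cust99 source=198.51.100.7 result=fail"
       for i in range(5)]
    + ["2024-05-01T10:21:00 login account=cust42 source=192.0.2.9 result=ok"]
)

if __name__ == "__main__":
    print(password_policy_violations("1234"))
    for alert in analyze_log(SAMPLE_LOG).alerts:
        print(alert)
```

The two counters are deliberately separate: a per-account lockout alone never fires when each account sees a single wrong guess, which is exactly why the per-source view is the one that catches the scenario in the story.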
For decades the security community has had the terrible habit of blaming the end-user for security issues that were actually caused by terrible system design that failed to account for the complete system aspects of tools (h/w & s/w), processes, and people. Understanding the human factor, to include motivations and real-world environments of action, is essential to developing secure systems.
A great exposition of this problem is in Alan Cooper's The Inmates Are Running the Asylum: Why High Tech Products Drive Us Crazy and How to Restore the San.... That book should be mandatory reading for everyone who claims to be a cybersecurity specialist.
I also addressed aspects of this problem, particularly on password selection, a few years ago in my 25 minute talk at INFOSEC World, Why Won't They Follow the Rules? Maybe It's the Boss's Fault!