Vodafone Aus web portal credentials escape, media panic
The internet's not just Tweets, porn and lolcats? Who knew?
Australian media has fallen into a bout of panic following the discovery that, in addition to cat pictures, newspaper paywall gateways, pornography and illegally-copied music and movies, the Internet is used as a business communications medium.
The victim of this revelation is Vodafone, which uses a Web portal to provide database access to its sales staff and those of its business partners. Staff and partners have logins that allow them access to customer data on that database and – quelle surprise – those logins seem to have been leaking.
And what appears to be criminal activity to persuade those holding logins to hand over their passwords (presumably using a mix of bribes and threats) has gathered steam as a purported Internet-borne mass breach of Vodafone’s security. The story started with the Sun-Herald (tabloid Sunday morning sister to the Sydney Morning Herald) asserting that the "personal details of millions of Vodafone customers" were "publicly available on the Internet".
Vodafone has since stated that the misuse of login credentials probably came either from a dealer or from an employee. Vodafone Australia’s CEO Nigel Dews was quoted by ABC News as saying that the company is investigating the breach and threatened to pursue those responsible "with the full force of the law".
Everyone else with a Web-based business portal – banks, insurers, government departments and the like – is presumably awaiting the media’s discovery that Vodafone isn't Australia's only business user of the Internet. ®
Richard Chirgwin - full points; SMH/TSH - minus several million points...
I completely agree with Richard, and it's great to see an article dispel the FUD so simply. Pity this got no airplay here in Sydney, Australia.
Yes: Vodafone are probably speaking to the SecurID people at RSA right now about better authentication solutions (no, I don't work for them), and yes: access to customer data should be graduated - but anyone who thinks that these lapses are in any way unique to Vodafone Australia is living in fantasy land.
In my limited experience, here in Sydney, Australia corporate IT do not invest any time or money into authentication, change control, encryption etc. certainly in comparison with European and Scandinavian companies I've worked with. Just look at the job ads - these requirements are the 51st bullet point on a Systems Admin job description - very poor.
This is not a non-story...
I think Richard Chirgwin has rather missed the point.
Of course companies have web portals that allow access to customer information for the purposes of self-service. However, each customer has a unique log-in, and knowing that log-in only gives you access to that customer’s records.
Other information may be available via an extranet, but this is only a sub-set of information useful for other specific circumstances, such as stock levels and ordering systems. Such systems in any case may be tied to specific IP addresses, and shouldn’t contain sensitive customer information.
Companies should be much more restrictive about access to their back-end systems, however, where information about every customer can be seen. Usually such systems are only available in specific locations (e.g. at a call centre or branch), and require a log-in tied to an individual employee. Where remote access is possible, it is via a VPN link, again tied to an individual user and authenticated using something like an RSA token.
In this case, Vodafone was allowing access to its entire back-end system from any internet-connected computer using nothing more than a generic password. Richard Chirgwin mentions banks, as if this behaviour is usual – but would you be happy if someone could access all the information the bank has on file about you from anywhere in the world using a simple username/password combination – especially when such logins are generic and shared between many different users? I think not.
For sure, the media has hyped this up somewhat (saying ‘their whole customer base information is publicly accessible on the internet’ is a bit of a stretch), but there is still a genuine story here. Vodafone Australia’s infosec policies are clearly not up to scratch, potentially exposing customer information to miscreants who could use it to commit fraud, including identity theft. And that is no trivial matter.
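The graduated access this comment describes (a customer login scoped to its own record; back-end access only for an individual, non-shared staff account with a second factor and from an approved network), written out as an added illustration. This is not code from the article, from Vodafone, or from any commenter; the record layout, the role names and the 10.20.0.0/16 "call centre/VPN" range are constructed assumptions.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional

# Constructed sample records; the fields are hypothetical, not a real carrier's schema.
CUSTOMERS = {
    "cust-1001": {"name": "A. Customer", "address": "1 Example St", "pin": "4321"},
    "cust-1002": {"name": "B. Customer", "address": "2 Sample Rd", "pin": "8765"},
}

# Assumed: whole-customer-base (back-end) access is only reachable from these
# networks, e.g. the call-centre LAN or the VPN pool. Anything else is refused.
BACKEND_NETWORKS = [ip_network("10.20.0.0/16")]


@dataclass
class Session:
    principal: str                    # individual user id behind the login
    role: str                         # "customer" (self-service) or "staff"
    shared_account: bool              # True for a generic/team login
    mfa_passed: bool                  # second factor (e.g. a hardware token) verified
    source_ip: str
    customer_id: Optional[str] = None  # the customer a self-service login belongs to


def can_view(session: Session, customer_id: str) -> bool:
    """Decide whether this session may read the given customer's record."""
    if session.role == "customer":
        # Self-service: a customer login reaches only that customer's own record,
        # from anywhere; it never reaches anyone else's.
        return session.customer_id == customer_id
    if session.role == "staff":
        if session.shared_account:
            return False  # a generic password cannot be tied to an individual
        if not session.mfa_passed:
            return False  # password alone is not enough for the back-end
        src = ip_address(session.source_ip)
        # Back-end access only from an approved location or over the VPN.
        return any(src in net for net in BACKEND_NETWORKS)
    return False


def fetch_customer(session: Session, customer_id: str) -> dict:
    """Enforce the policy before touching the data store."""
    if not can_view(session, customer_id):
        raise PermissionError(f"{session.principal} may not view {customer_id}")
    return CUSTOMERS[customer_id]
```

The shared-login case is refused outright because, as the comment notes, a generic password gives no way to attribute an access to a person, which is also what makes a stolen one so hard to revoke cleanly.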
Not really panic - privacy concern
"Web portal" is a red herring. The deal is that it looks as though any dealer password can be used to access lots of info about any customer. PINs, licence numbers, complete call number history, addresses, etc.
So a keylogger on one dealer PC is likely a key to the whole customer database castle. I can get a logon to do a tax return via a web portal but I don't expect my logon to give me access to your data.