T-Mobile Austria - A Case Study on Bad Password Management

tldr; Don't store your passwords in plain text, and educate your non-tech employees on how to address sensitive topics.

Just yesterday, T-Mobile Austria hit the headlines for storing users' passwords partially in plain text.

It started off with this tweet by Claudia:

And Andrea, a representative from T-Mobile, responded with:

Red Flag 1:

“The customer service agents see the first four characters of your password.”

A clear indication that passwords were stored in plain text.

But it's encrypted, so it's definitely safe, right?

According to the tweet by Helmut, it is the database that is encrypted, not the passwords themselves (and even so, you should not be encrypting individual passwords).

This protects against a malicious user who obtains the database file but does not have the encryption key.

It does not prevent a data breach through an application-level vulnerability such as SQL injection, because the application decrypts the data as it reads it and hands the attacker the plain text.
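As an added example (not T-Mobile's code and not from the original post), this is what a password record looks like when passwords are hashed rather than stored or encrypted: the record holds only a per-user salt and a PBKDF2 digest, login verification needs the full password, and nothing in the record reveals its first four characters. The sample password is constructed.

```python
import hashlib
import hmac
import os

# Constructed example, not T-Mobile's implementation: store only a salted
# PBKDF2 digest, so nobody with read access to the record (a customer service
# agent, or an attacker who dumped the table via SQL injection) can see any
# part of the password.

ITERATIONS = 600_000  # PBKDF2-HMAC-SHA256 work factor; tune to your hardware


def make_record(password: str) -> dict:
    """Return what should actually be stored for a user: salt and hash, never the password."""
    salt = os.urandom(16)  # fresh per-user salt, so equal passwords get different hashes
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)
    return {"salt": salt.hex(), "hash": digest.hex(), "iterations": ITERATIONS}


def verify(record: dict, attempt: str) -> bool:
    """Check a login attempt: the only operation a password store needs to support."""
    salt = bytes.fromhex(record["salt"])
    digest = hashlib.pbkdf2_hmac(
        "sha256", attempt.encode("utf-8"), salt, record["iterations"]
    )
    # Constant-time comparison so timing does not reveal how many bytes matched.
    return hmac.compare_digest(digest, bytes.fromhex(record["hash"]))


def leaks_prefix(record: dict, password: str, n: int = 4) -> bool:
    """True if the stored record exposes the first n characters of the password,
    i.e. what an agent would need in order to "see the first four characters"."""
    prefix = password[:n]
    return prefix in record["hash"] or prefix in record["salt"]


if __name__ == "__main__":
    rec = make_record("Tr0ub4dor&3")  # constructed sample password
    print("stored record:", rec)
    print("full password verifies:", verify(rec, "Tr0ub4dor&3"))
    print("first four chars verify:", verify(rec, "Tr0u"))
    print("record leaks prefix:", leaks_prefix(rec, "Tr0ub4dor&3"))
```

Because the digest is one-way, a support workflow that needs to "confirm the first four characters" cannot be built on top of this record, which is exactly the property you want.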

Red Flag 2:

Assuming your system is “amazingly good”.

A few moments later they received a free vulnerability assessment from the public…

What a way to get a free assessment.

Red Flag 3:

We can clearly tell that Käthe isn't a security person. The more important question is: why are non-technical employees allowed to respond on behalf of a company on such a sensitive topic?

Based on the implementation, it is very likely that they have a weak security team, but even so, the security team should be the ones answering questions from the public.

Update 9 April 2018:

Finally, a proper response from them.