T-Mobile Austria - A Case Study on Bad Password Management
Just yesterday T-Mobile Austria hit the headlines for storing users' passwords partially in plain text.
It started off with this tweet by Claudia:
Hello Claudia! The customer service agents see the first four characters of your password. We store the whole password, because you need it for the login for https://t.co/vJapgJ50qc ^andrea— T-Mobile Austria (@tmobileat) April 4, 2018
Red Flag 1:
“The customer service agents see the first four characters of your password.”
A clear indication that the password is stored in plain text: if an agent can read the first four characters, the stored value is readable.
To clarify: Customer service agents see only parts of customers‘ passwords which are safely stored in encrypted databases via industry standard encryption algorithm. We are also using one-time-PINs for customer authentication and are evaluating voice biometrics. ^Helmut @ojour— T-Mobile Austria (@tmobileat) April 6, 2018
But it's encrypted, so it's definitely safe, right?
According to the tweet by Helmut, it is the database that is encrypted, not the individual passwords (and even encrypting individual passwords would be the wrong approach, since encryption is reversible by anyone holding the key, whereas a salted hash is not).
Database-level encryption only protects against an attacker who obtains the database file without the encryption key.
It does nothing against an application-level vulnerability such as SQL injection, because the application reads the data through the database engine, which has already decrypted it.
Red Flag 2:
Assuming your system is “amazingly good”.
@Korni22 What if this doesn't happen because our security is amazingly good? ^Käthe— T-Mobile Austria (@tmobileat) April 6, 2018
A few moments later they received a free vulnerability assessment from the public…
"amazingly good". pic.twitter.com/FmclP1UZUF— M. Hasbini (@0xbsec) April 6, 2018
Passwords might be in here somewhere. pic.twitter.com/AwAnoF83ya— Bad Packets Report (@bad_packets) April 6, 2018
fortunately, the systems are updated .. 🧐 pic.twitter.com/xIdBH5p1zp— alexander (@alessandrinoino) April 6, 2018
Looks like they also run outdated WordPress and outdated Apache 🤔 pic.twitter.com/g53LlaHyGE— Pips (@Pips801) April 6, 2018
What a way to get a free assessment.
Red Flag 3:
Hi @c_pellegrino, I really do not get why this is a problem. You have so many passwords for every app, for every mail-account and so on. We secure all data very carefully, so there is not a thing to fear. ^Käthe— T-Mobile Austria (@tmobileat) April 5, 2018
We can clearly tell that Käthe isn't a security person. The more important question is: why are non-technical employees allowed to respond on behalf of a company on such a sensitive topic?
Based on the implementation, it is very likely they have a weak security team, but even so, the security team should be the ones answering questions from the public.
Update 9 April 2018:
Claudia, as we previously said we will implement further steps to secure passwords. Passwords will be salted and hashed, service agents will not be able to see any parts of passwords. We will implement this as quickly as possible.— T-Mobile Austria (@tmobileat) April 9, 2018
Finally, a proper response from them.
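To make two of the points above concrete (that database-level encryption is no defence against application-level access such as SQL injection, and what the salted hashing promised in the 9 April tweet actually changes), here is an added example in Python. It is not code from the original post or from T-Mobile; the sample accounts, the database key, the toy cipher standing in for at-rest encryption and the `demo()` function are all constructed for this illustration. It stores the same passwords two ways: reversibly (the "encrypted database" model, where a support tool can decrypt and show a four-character prefix) and as per-user salted PBKDF2 hashes, then runs the same deliberately vulnerable string-built query against both tables to show what each model leaks, next to the parameterized query that does not.

```python
import hashlib
import hmac
import secrets
import sqlite3

# Constructed sample accounts for the demo; not real customer data.
SAMPLE_ACCOUNTS = {"claudia": "correct horse battery staple", "helmut": "Sommer2018!"}

# Key that an "encrypted database" and the application using it would hold (constructed).
DB_KEY = bytes.fromhex("00112233445566778899aabbccddeeff")


def _keystream_xor(key: bytes, data: bytes) -> bytes:
    """Toy reversible cipher (SHA-256 counter-mode keystream XOR) standing in for
    whatever the real at-rest encryption is. The only property that matters here is
    that anyone holding the key can reverse it. Not a real cipher; demo only."""
    out = bytearray()
    for i in range(0, len(data), 32):
        block = hashlib.sha256(key + i.to_bytes(8, "big")).digest()
        out.extend(b ^ k for b, k in zip(data[i:i + 32], block))
    return bytes(out)


def new_db() -> sqlite3.Connection:
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE reversible (username TEXT PRIMARY KEY, secret BLOB)")
    conn.execute("CREATE TABLE hashed (username TEXT PRIMARY KEY, salt BLOB, digest BLOB)")
    return conn


# --- Model 1: reversible storage ("the database is encrypted") ----------------
def store_reversible(conn, username: str, password: str) -> None:
    conn.execute("INSERT INTO reversible VALUES (?, ?)",
                 (username, _keystream_xor(DB_KEY, password.encode())))


def agent_preview_reversible(conn, username: str, n: int = 4) -> str:
    """What a support tool can do when storage is reversible: decrypt, show a prefix."""
    row = conn.execute("SELECT secret FROM reversible WHERE username = ?", (username,)).fetchone()
    return _keystream_xor(DB_KEY, row[0]).decode()[:n]


# --- Model 2: per-user salt + slow hash (what the 9 April tweet promises) -----
PBKDF2_ROUNDS = 100_000


def store_hashed(conn, username: str, password: str) -> None:
    salt = secrets.token_bytes(16)  # fresh random salt per user
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)
    conn.execute("INSERT INTO hashed VALUES (?, ?, ?)", (username, salt, digest))


def verify_hashed(conn, username: str, password: str) -> bool:
    row = conn.execute("SELECT salt, digest FROM hashed WHERE username = ?", (username,)).fetchone()
    if row is None:
        return False
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), row[0], PBKDF2_ROUNDS)
    return hmac.compare_digest(candidate, row[1])  # constant-time comparison


def agent_preview_hashed(conn, username: str, n: int = 4):
    """Nothing to preview: the record holds only salt and digest, never the password."""
    return None


# --- Application-level access ignores at-rest encryption ----------------------
def lookup_concatenated(conn, table: str, username: str) -> list:
    """Deliberately vulnerable: the username is spliced into the SQL text."""
    return conn.execute(f"SELECT * FROM {table} WHERE username = '{username}'").fetchall()


def lookup_parameterized(conn, table: str, username: str) -> list:
    """Hardened form: the username is bound as a parameter, never parsed as SQL.
    Table names cannot be bound, so they are checked against a fixed allow-list."""
    if table not in ("reversible", "hashed"):
        raise ValueError("unknown table")
    return conn.execute(f"SELECT * FROM {table} WHERE username = ?", (username,)).fetchall()


def decrypt_leaked_rows(rows_from_reversible) -> list:
    """Under model 1 the application holds the key, so leaked rows are plaintext."""
    return [_keystream_xor(DB_KEY, r[1]).decode() for r in rows_from_reversible]


def demo() -> dict:
    conn = new_db()
    for user, pw in SAMPLE_ACCOUNTS.items():
        store_reversible(conn, user, pw)
        store_hashed(conn, user, pw)
    injected = "x' OR '1'='1"  # textbook tautology; returns every row from the spliced query
    rev_rows = lookup_concatenated(conn, "reversible", injected)
    hashed_rows = lookup_concatenated(conn, "hashed", injected)
    return {
        "agent_sees_reversible": agent_preview_reversible(conn, "claudia"),
        "agent_sees_hashed": agent_preview_hashed(conn, "claudia"),
        "login_ok": verify_hashed(conn, "claudia", SAMPLE_ACCOUNTS["claudia"]),
        "login_wrong": verify_hashed(conn, "claudia", "wrong"),
        "injection_rows_reversible": len(rev_rows),
        "injection_plaintexts": sorted(decrypt_leaked_rows(rev_rows)),
        "injection_rows_hashed": len(hashed_rows),  # same row count, but only salts + digests
        "parameterized_rows": len(lookup_parameterized(conn, "reversible", injected)),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key} = {value}")
```

The two injection results are the point: the spliced query returns every row from both tables, so at-rest encryption changed nothing, but the hashed table gives up only salts and digests, which is why the 9 April promise (salted hashes, no agent preview) is the right fix, and the parameterized query is the right fix for the query itself.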