[BreachExchange] T-Mobile Stores Part of Customers' Passwords In Plaintext, Says It Has 'Amazingly Good' Security

Audrey McNeil audrey at riskbasedsecurity.com
Fri Apr 6 21:51:00 EDT 2018


https://motherboard.vice.com/en_us/article/7xdeby/t-mobile-stores-part-of-customers-passwords-in-plaintext-says-it-has-amazingly-good-security

Security is hard. Computer systems get more complex by the day and software
is eating up the world, making the task of keeping hackers out harder and
harder.

Sometimes, however, companies just make it too easy for the bad guy by
disregarding the most basic and universally accepted security best
practices. Today’s culprit: T-Mobile Austria.

The company admitted on Twitter that it stores at least part of its
customers’ passwords in plaintext. This is a big no-no in this day and age
because if anyone breaches T-Mobile (and companies are breached all the
time), they could likely guess or brute-force every user’s password. If the
passwords were fully encrypted or hashed, it wouldn’t be that easy. But
having a portion of the credential in plaintext shrinks the search space
an attacker has to cover to recover the hashed part and obtain the whole password.

“Based on what we know about how people choose their passwords,” Per
Thorsheim, the founder of the first-ever conference dedicated to passwords,
told me via Twitter direct message, “knowing the first 4 characters of your
password can make it DEAD EASY for an attacker to figure out the rest.”
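The two points above, the shrinking search space and the "fully hashed" alternative, worked through as an added example that is not part of the article: the first two functions quantify how many candidates remain once a prefix of length k is known, and the last two show storage that keeps only a salt and a slow hash of the whole password, so no fragment of the plaintext exists to leak. The 8-character alphanumeric password and the sample password are constructed for illustration; PBKDF2-HMAC-SHA256 is used here because it is in the standard library, not because the article names it.

```python
import hashlib
import hmac
import math
import os
from typing import Optional, Tuple


def candidates(length: int, alphabet: int, known_prefix: int = 0) -> int:
    """Passwords an attacker must still try when `known_prefix` characters
    of a `length`-character password over `alphabet` symbols are already known."""
    if known_prefix > length:
        raise ValueError("prefix longer than password")
    return alphabet ** (length - known_prefix)


def bits_lost(length: int, alphabet: int, known_prefix: int) -> float:
    """Entropy (in bits) removed from the search by the leaked prefix."""
    return known_prefix * math.log2(alphabet)


# Correct storage: a random per-user salt and a slow salted hash of the
# WHOLE password. Nothing recoverable to plaintext is written anywhere.
ITERATIONS = 600_000  # PBKDF2-HMAC-SHA256 work factor (OWASP 2023 guidance)


def hash_password(password: str, salt: Optional[bytes] = None) -> Tuple[bytes, bytes]:
    salt = salt or os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return salt, digest


def verify_password(password: str, salt: bytes, digest: bytes) -> bool:
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return hmac.compare_digest(candidate, digest)  # constant-time comparison


if __name__ == "__main__":
    full, leaked = candidates(8, 62), candidates(8, 62, 4)
    print(f"8-char alphanumeric password: {full:.2e} candidates")
    print(f"with first 4 chars known:     {leaked:.2e} candidates "
          f"({bits_lost(8, 62, 4):.1f} bits lost)")
    salt, digest = hash_password("correct horse")  # constructed sample password
    print(verify_password("correct horse", salt, digest),
          verify_password("wrong guess", salt, digest))
```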

T-Mobile doesn’t see that as a problem because it has “amazingly good
security.”

On Thursday, a T-Mobile Austria customer support employee made that
stunning revelation in an incredibly nonchalant tweet.

Twitter user Claudia Pellegrino was quick to point out that storing
passwords in plaintext is wrong, but another T-Mobile customer rep didn’t
see it that way.

“I really do not get why this is a problem. You have so many passwords for
every app, for every mail-account and so on. We secure all data very
carefully, so there is not a thing to fear,” the rep wrote back.

Another Twitter user chimed in saying “what if your infrastructure gets
breached and everyone’s password is published in plaintext to the whole
wide world?”

That really didn’t sway the T-Mobile rep, who smugly replied: “What if this
doesn't happen because our security is amazingly good?”

A T-Mobile Austria representative said that “there is a misunderstanding in
this thread about how we store and what is being displayed for customer
service agents. I will check with our security officer and get back to
you,” but did not immediately follow up.

It’s hard to overstate just how incredibly reckless it is, in 2018, to
still store people’s passwords in plaintext. Over the years, literally
billions of people’s credentials have been lost in countless data breaches,
and everyone in cybersecurity agrees that companies should take precautions
so that if a data breach happens, the passwords are hashed or encrypted and
don’t get compromised.

I can’t remember such a self-own since the days when CNBC tried to teach
people about passwords by asking them to give them up and send their
passwords over an insecure connection.