T-Mobile Austria Confirms They Store All Customer Passwords In Clear Text - UPDATED

1 minute ago, Drak3 said:

My company has pretty good security.

 

Everything sensitive is paper copy only or on an external drive that has never, and will never, be used on a computer with any network access.

 

In a fire safe.

 

Guarded by a fairly vicious dog.

 

And occasionally, a guy with a gun

 

You forgot to mention the moat filled with Legos and UK power plugs that surrounds the fire safe!


If you need help with your forum account, please use the Forum Support form !

 

VPN server guide

Guide to run any software as Admin

NiceHash Mining Guide

Ethereum Mining Guide


My Gaming Rig - Motherboard: MSI Z370-A PRO CPU: i7-8700 RAM: 32GB DDR4 2400(4x8GB) GPU: Gigabyte GTX 1060 3GB OS SSD: 240GB Avexir E100 Storage: 2x 1TB Seagate PSU: Seasonic G650 OS: Windows 10 Pro 64bits Monitor: Acer 21in G205H + Lenovo 21in

 

1 minute ago, wkdpaul said:

 

You forgot to mention the moat filled with Legos and UK power plugs that surrounds the fire safe!

Also drunk soccer fans


⬇ - PC specs down below - ⬇

 

The Impossibox

CPU: (x2) Xeon X5690 12c/24t (6c/12t per cpu)

Motherboard: EVGA Super Record 2 (SR-2)

RAM: 48Gb (12x4gb) server DDR3 ECC

GPU: MSI GTX 1060 Gaming X 6GB

Case: Modded Lian-LI PC-08

Storage: Samsung 850 EVO 500Gb and a 2Tb HDD

PSU: 1000W something or other I forget

Display(s): 24" Acer G246HL

Cooling: (x2) Corsair H100i v2

Keyboard: Corsair Gaming K70 LUX RGB MX Browns

Mouse: Logitech G600

Headphones: Sennheiser HD558

Operating System: Windows 10 Pro

 

Folding info so I don't lose it: 

WhisperingKnickers

 

Join us on the x58 page it is awesome!

x58 Fan Page

 

59 minutes ago, Ekin said:

 

Wow. The whole twitter thread is a disaster...

Whoever is in charge of that T-Mobile Twitter account needs to be sacked. They sound seriously stupid and are tarnishing the T-Mobile brand. We have no idea if what this person is saying is true.


System Specs:

CPU:  Intel 8700K (3.7-4.7GHz Turbo)  GPU: ASUS RTX 2080 Ti DUAL OC MB: MSI Z370 Gaming Plus   RAM: Corsair 3000MHz 2x8GB(16GB)  CPU Cooler: Kraken X42 AIO  Sound card: Creative Sound Blaster Z  SSD: OCZ ARC100 480GB  HDD: Western Digital 1TB Black, Seagate Barracuda 1TB both 7200RPM, WD Green 2TB (storage)  PSU: Pro750W XFX 80 Plus Gold  Case: NZXT H500 Optical Drive: -

 

 

1 minute ago, wkdpaul said:

 

You forgot to mention the moat filled with Legos and UK power plugs that surrounds the fire safe!

Both failed preliminary testing.

 

However, -Redacted political joke regarding a wall-

 

 

 

Microkappa


Come Bloody Angel

Break off your chains

And look what I've found in the dirt.

 

Pale battered body

Seems she was struggling

Something is wrong with this world.

 

Fierce Bloody Angel

The blood is on your hands

Why did you come to this world?

 

Everybody turns to dust.

 

Everybody turns to dust.

 

The blood is on your hands.

 

The blood is on your hands!

 

Pyo.


I just went and read most of the Twitter thread, and the T-Mobile person says they do that so that they can use the password as a security question, both on the phone and in person at the stores ... This means an easy weak link is any T-Mobile store or kiosk, hearing this is just scary AF!!!

 

Anyone that has a basic understanding of IT security would see why this is a problem (even if the stores didn't have access to the plain text passwords).

 

If this is all true, it's a horrific security hole.

 

  1. Don't store your customers' passwords in plain text. Whatever the reason is, it's not a good enough reason.
  2. Don't use clients' passwords as a security question. This is the least secure way to verify a client's identity, especially if the passwords are stored in plain text.

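Added here as a worked illustration of the two points in the post above (this is constructed example code, not T-Mobile's code and not code from any poster in this thread): what a password store looks like when it does not hold plain text, and why a "first four characters" check cannot be served from it. It uses only the Python standard library (hashlib.scrypt needs a Python built against OpenSSL 1.1 or later); the usernames, passwords and scrypt cost parameters are assumptions chosen for the example.

```python
"""
Salted, memory-hard password storage and the only question such a store
can answer ("is this the whole password?").  Constructed example for the
thread above; not T-Mobile's code.  Standard library only.
"""
import base64
import hashlib
import hmac
import os
from typing import Dict, Optional

# scrypt cost parameters.  Assumed values, kept small so the example runs
# in well under a second; production settings should be tuned to the
# hardware (the OWASP Password Storage Cheat Sheet gives N=2**17, r=8, p=1
# as a minimum for interactive logins at the time of writing).
SCRYPT_N, SCRYPT_R, SCRYPT_P = 2 ** 14, 8, 1
DKLEN = 32        # derived key length in bytes
SALT_LEN = 16     # per-user random salt


def hash_password(password: str, salt: Optional[bytes] = None) -> str:
    """Return a self-describing record: scrypt$N$r$p$<salt b64>$<hash b64>."""
    if salt is None:
        salt = os.urandom(SALT_LEN)
    digest = hashlib.scrypt(password.encode("utf-8"), salt=salt,
                            n=SCRYPT_N, r=SCRYPT_R, p=SCRYPT_P, dklen=DKLEN)
    return "$".join([
        "scrypt", str(SCRYPT_N), str(SCRYPT_R), str(SCRYPT_P),
        base64.b64encode(salt).decode("ascii"),
        base64.b64encode(digest).decode("ascii"),
    ])


def verify_password(password: str, record: str) -> bool:
    """Recompute the hash with the stored parameters; compare in constant time."""
    try:
        scheme, n, r, p, salt_b64, hash_b64 = record.split("$")
    except ValueError:
        return False
    if scheme != "scrypt":
        return False
    salt = base64.b64decode(salt_b64)
    expected = base64.b64decode(hash_b64)
    actual = hashlib.scrypt(password.encode("utf-8"), salt=salt,
                            n=int(n), r=int(r), p=int(p), dklen=len(expected))
    # hmac.compare_digest: run time does not depend on how many bytes match
    return hmac.compare_digest(actual, expected)


# Constructed user table (assumed names and passwords).  Both users chose
# the same password, but the salts differ so the records differ: nobody
# can "sort the database by password" as joked about later in the thread.
USERS: Dict[str, str] = {
    "alice": hash_password("correct horse battery staple"),
    "bob": hash_password("correct horse battery staple"),
}
# Hash of a random value, so a lookup of a non-existent user costs the same
# scrypt work as a real one (no user enumeration by response time).
_DUMMY_RECORD = hash_password(base64.b64encode(os.urandom(12)).decode("ascii"))


def authenticate(username: str, password: str) -> bool:
    """The only check a hashed store supports: is this the whole password?

    A shop or call-centre agent can run this after the customer types the
    password into a terminal; the agent never sees the password, a prefix
    of it, or a hint of what it might be, so it cannot double as a
    "security question".
    """
    record = USERS.get(username, _DUMMY_RECORD)
    ok = verify_password(password, record)
    return ok and username in USERS


def guesses_after_prefix_leak(alphabet_size: int, length: int,
                              leaked_prefix: int) -> int:
    """Brute-force work left once the first `leaked_prefix` characters are known.

    Puts a number on "employees can see the first four characters": the
    search space shrinks from alphabet**length to alphabet**(length-leaked).
    """
    if leaked_prefix >= length:
        return 1
    return alphabet_size ** (length - leaked_prefix)


if __name__ == "__main__":
    print("stored record for alice:", USERS["alice"])
    print("alice login:", authenticate("alice", "correct horse battery staple"))
    print("wrong pw:   ", authenticate("alice", "correct horse battery"))
    print("no user:    ", authenticate("mallory", "anything"))
    print("8-char [A-Za-z0-9] password, nothing leaked:  ",
          guesses_after_prefix_leak(62, 8, 0))
    print("same password, first four characters visible:",
          guesses_after_prefix_leak(62, 8, 4))
```

The record format carries its own parameters so the cost can be raised later and old records rehashed on the user's next successful login; the dummy-record trick keeps the "unknown user" path as slow as the real one.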
1 hour ago, wkdpaul said:

T-Mobile person says they do that so that they can use the password as a security question, both on the phone and in person at the stores

Seriously!!!  What level of security check do they perform on the person in the store or over the phone?  


Wow... the first 4 characters are visible to employees??

 

THIS JUST IN, 95% OF ALL THE MOBILE CUSTOMERS HAVE PASSWORD: pass********

 

.... I'm waiting for a customer to sort this database by password, alphabetically.


I'm not saying this is good, it isn't. But, working on the Webcare team of the Dutch part of T-Mobile: a lot of the people they let onto the Twitter account are full of shit.


My Build:


CPU: i7 4770k GPU: GTX 780 Direct CUII Motherboard: Asus Maximus VI Hero SSD: 840 EVO 250GB HDD: 2xSeagate 2 TB PSU: EVGA Supernova G2 650W


wow, just ... amazing xD I really don't have words for it


I wonder how long until someone tries to hack them just to show how weak it is. "We have amazing security" is pretty much an open invitation for people to try and prove you wrong.


Razer Blade Stealth | i5-7200u | 8GB DDR3 1866

Ryzen 2600x | 16GB DDR4 3333mhz [15-15-15-36-50] | PowerColor Vega 56 8GB 

Phone Pixel 4XL || Android - 10.0 

"The only real mistake is the one from which we learn nothing" - John Powell




Main PC:  Motherboard: Asus Crosshair V Formula Z | RAM: Amd R9 Gamer 32gb 2400mhz | Case: Cooler Master HAF X Case | Storage: Amd R7 480gb, 2x Crucial M500 240gb, Toshiba 5TB | PSU: Antec True Power Quattro 1200 | CPU: Amd FX-9590 | GPU: Asus Amd Fury X | Keyboard: Logitech G710+ | Mouse: Logitech G502 | Sound: Razer Leviathan | OS: Windows 10 Pro | Display: Dell u3415w | Cooling: Apogee XL, Heatkiller Fury X w/ Back Plate, 720mm Rad


I've been thinking about this trying to take it all in and it's still just shocking to the point of being hard to accept this is actually happening.  The fact they store passwords like that should already be a huge piece of negative PR on its own, but their replies have only made it worse.  This level of arrogance and incompetence is a terrible combination.  Furthermore the announcement that they store passwords in plain text has made them a target whether they realize it or not since everyone now knows they could get passwords if they pull it off, which in most cases can't be assumed.  I can't wait until they inevitably are breached and have to explain to shareholders why they did this, announced that they did it, and then ignored cries that it's unsafe and that they need to fix it.  It will not be good for them.  It's common sense that this is a very bad practice, but for them to admit they do it, and then to defend it... it's incomprehensible.

 

And how can they say the employees can see the first 4 characters?  If it's in plain text, then they can see the whole thing lol

26 minutes ago, Ryan_Vickers said:

And how can they say the employees can see the first 4 characters?  If it's in plain text, then they can see the whole thing lol

Stored in plaintext in the database but most employees won't have the permissions available to read the whole field. Database admins can of course see the whole thing.


[Out-of-date] Want to learn how to make your own custom Windows 10 image?

 

Desktop: AMD R9 3900X | ASUS ROG Strix X570-F | Radeon RX 5700 XT | 16GB Trident Z 3200MHz | 256GB 840 EVO | 960GB Corsair Force LE | EVGA P2 650W

Laptop: Intel M-5Y10c | Intel HD Graphics | 8GB RAM | 250GB Micron SSD | Asus UX305FA

Server: Intel Xeon D 1541 | ASRock Rack D1541D4I-2L2T | 32GB Hynix ECC DDR4 | 2x1TB 2x8TB Western Digital HDDs

Just now, 2FA said:

Stored in plaintext in the database but most employees won't have the permissions available to read the whole field. Database admins can of course see the whole thing.

Yeah, and those DBAs are employees, are they not? :P 

Not to mention if they're incompetent enough to do this, there's no telling what other unimaginably bad practices might be going on... for all you know the kiosk level people do have read access to the whole thing xD

1 minute ago, Ryan_Vickers said:

Yeah, and those DBAs are employees, are they not? :P 

Not to mention if they're incompetent enough to do this, there's no telling what other unimaginably bad practices might be going on... for all you know the kiosk level people do have read access to the whole thing xD

Why are you being so semantic? I was explaining how it was possible.

 

I prefer not to speculate.


Just now, 2FA said:

Why are you being so semantic? I was explaining how it was possible.

 

I prefer not to speculate.

I'm just saying the whole thing is a mess.  I guess in the actual thread they specifically said the kiosk people have access to the first 4 characters, which I guess they intended as "oh don't worry we can't see the whole thing, just the first four", but I look at it as a) well it's stored so someone has access to the whole thing, so that's still bad, and b) if it was just the DBAs that would already be bad but the fact that kiosk people can see anything at all is even worse imo. It's just bad in all ways and it's breaking my brain to even try to comprehend this so if I don't make sense please don't take it the wrong way :P

1 minute ago, Ryan_Vickers said:

I'm just saying the whole thing is a mess.  I guess in the actual thread they specifically said the kiosk people have access to the first 4 characters, which I guess they intended as "oh don't worry we can't see the whole thing, just the first four", but I look at it as a) well it's stored so someone has access to the whole thing, so that's still bad, and b) if it was just the DBAs that would already be bad but the fact that kiosk people can see anything at all is even worse imo. It's just bad in all ways and it's breaking my brain to even try to comprehend this so if I don't make sense please don't take it the wrong way :P

Yeah, plaintext is bad. If they have a CIO or a CISO (or both), they should be fired. Their authentication policies are terrible for using passwords as a security question. If you're going to use multiple "something you know" forms of authentication, make them not overlap at all.


Just now, 2FA said:

Yeah, plaintext is bad. If they have a CIO or a CISO (or both), they should be fired. Their authentication policies are terrible for using passwords as a security question. If you're going to use multiple "something you know" forms of authentication, make them not overlap at all.

Yeah that kind of defeats the purpose of having two doesn't it? xD

5 minutes ago, EPENEX said:

But didn't you hear? They have amazing security. ;)

Yes... their security is so good, it doesn't need to be good...


This is insane. I really hope the Twitter person is just full of shit.


I spent $2500 on building my PC and all i do with it is play no games atm & watch anime at 1080p(finally)...

Builds:

The Toaster Project! Northern Bee!

 

The original LAN PC build log! (Old, dead and replaced by The Toaster Project & 5.0)


"Here is some advice that might have gotten lost somewhere along the way in your life. 

 

#1. Treat others as you would like to be treated.

#2. It's best to keep your mouth shut; and appear to be stupid, rather than open it and remove all doubt.

#3. There is nothing "wrong" with being wrong. Learning from a mistake can be more valuable than not making one in the first place.

 

Follow these simple rules in life, and I promise you, things magically get easier. " - MageTank 31-10-2016

 

 


Hmm, pretty ignorant tweet. Amazing security... right.

 

10 hours ago, SC2Mitch said:

This isn't just TMobile Australia; this is TMobile in general tbh.

Also: LOL


\\ QUIET AUDIO WORKSTATION //

5960X 3.7GHz @ 0.983V / ASUS X99-A USB3.1      

32 GB G.Skill Ripjaws 4 & 2667MHz @ 1.2V

AMD R9 Fury X

256GB SM961 + 1TB Samsung 850 Evo  

Cooler Master Silencio 652S (soon Calyos NSG S0 ^^)              

Noctua NH-D15 / 3x NF-S12A                 

Seasonic PRIME Titanium 750W        

Logitech G810 Orion Spectrum / Logitech G900

2x Samsung S24E650BW 16:10  / Adam A7X / Fractal Axe Fx 2 Mark I

Windows 7 Ultimate

 

4K GAMING/EMULATION RIG

Xeon X5670 4.2Ghz (200BCLK) @ ~1.38V / Asus P6X58D Premium

12GB Corsair Vengeance 1600Mhz

Gainward GTX 1080 Golden Sample

Intel 535 Series 240 GB + San Disk SSD Plus 512GB

Corsair Crystal 570X

Noctua NH-S12 

Be Quiet Dark Rock 11 650W

Logitech K830

Xbox One Wireless Controller

Logitech Z623 Speakers/Subwoofer

Windows 10 Pro

