T-Mobile Austria Confirms They Stores All Customer Passwords In Clear Text - UPDATED

LAwLz
10 hours ago, wkdpaul said:

I just went and read most of the Twitter thread, and the T-Mobile person says they do that so that they can use the password as a security question, both on the phone and in person at the stores ... This means an easy weak link is any T-Mobile store or kiosk. Hearing this is just scary AF!!!

Not to mention that the company asking for passwords on the phone makes it so much easier for others to steal passwords through impersonating the company...

This I believe is actually common for telcos; there is one company here that does something very similar. I forgot the password to an account so I hit the "forgot password" button and they emailed me the password in plain text. Yikes!

Someone says the reason is that you have to give the password at the store and I guess the employee checks it (but then someone says the employees only see the first 4 letters!). If you do this, it's really not much of a concern whether you keep the passwords in clear text hanging on the side of the headquarters building. Anyone at the store can hear the password being spoken out loud, the employees know it, so all chance of having some security just went out the window; where and how they keep the passwords is really irrelevant at this point.

10 hours ago, Snaeb said:

I will chime in as I work in the Cyber Security field.  THIS IS A HORRIBLE IDEA!!!!  There is no reason not to encrypt this data....

In which field of information security do you work? How did you enter the field and what would you recommend to those who are interested in infosec?

Topic:

If T-Mobile does this then I'm really screwed with my ISP.

3 minutes ago, MyName13 said:

In which field of information security do you work? How did you enter the field and what would you recommend to those who are interested in infosec?

CISSP and similar certs.

Cisco security or F5 certs as well, plus at least basic networking knowledge (CCNA level), plus a bit of Python programming helps too :)

Look for a community college that offers an associate's in information security as well; that's very helpful.

2 minutes ago, Lurick said:

CISSP and similar certs.

Cisco security or F5 certs as well, plus at least basic networking knowledge (CCNA level), plus a bit of Python programming helps too :)

Look for a community college that offers an associate's in information security as well; that's very helpful.

Is there any other way than (probably very expensive) certifications (free courses, books etc.)? How do you prepare for these certifications? Unfortunately there are no colleges that offer security programs, only CS + software engineering hybrids.

2 minutes ago, MyName13 said:

Is there any other way than (probably very expensive) certifications (free courses, books etc.)? How do you prepare for these certifications? Unfortunately there are no colleges that offer security programs, only CS + software engineering hybrids.

The CISSP definitely takes a ton of work and you need experience too.

https://www.isc2.org/Certifications/CISSP/Prerequisite-Pathway

Search on YouTube for playlists for cyber security or sign up to Lynda.com or one of the other book sites.

Preparation for a lot of the entry-level ones is mostly just memorization and a little practice.

25 minutes ago, Lurick said:

The CISSP definitely takes a ton of work and you need experience too.

https://www.isc2.org/Certifications/CISSP/Prerequisite-Pathway

Search on YouTube for playlists for cyber security or sign up to Lynda.com or one of the other book sites.

Preparation for a lot of the entry-level ones is mostly just memorization and a little practice.

In which field should one work 4-5 years to be prepared for the CISSP certification (this looks a little bit like the chicken-and-egg problem)?

Just now, MyName13 said:

In which field should one work 4-5 years to be prepared for the CISSP certification (this looks a little bit like the chicken-and-egg problem)?

Yeah, it can be difficult.

That's why the other certs (F5 certs, CCNA, CCNA Security, Security+, etc.) help out a lot. They'll get you in the door and get you started on the path :)

2 hours ago, mr moose said:

I forgot the password to an account so I hit the "forgot password" button and they emailed me the password in plain text. Yikes!

You'll never believe who else does this ...

[Attached image: LTT_PW.jpg]

17 minutes ago, Captain Chaos said:

You'll never believe who else does this ...

That is very different though.

That is a new password, meaning that your old one was scrapped and that is the new one, which they expect you to change straight away.

What I think mr moose means is that they sent him the old password, in clear text.

26 minutes ago, LAwLz said:

What I think mr moose means is that they sent him the old password, in clear text.

True, that would be slightly worse.

26 minutes ago, LAwLz said:

which they expect you to change straight away.

whoops!  BRB

:P

15 hours ago, sof006 said:

Whoever is in charge of that T-Mobile Twitter account needs sacked. They sound seriously stupid and are tarnishing the T-Mobile brand.

15 hours ago, Starelementpoke said:

Someone just lost a job.

8 hours ago, Ryan_Vickers said:

This level of arrogance and incompetence is a terrible combination.

In all fairness, this is the kind of response that people have come to enjoy from Twitter; the difference in this case is that the representative is wrong -- if she was right, then people would find it entertaining. But I wouldn't expect MOST people to know that passwords aren't stored in clear text (or what that even means, tbh), so I can't entirely fault the representative for handling the situation in a Twitter-esque fashion. She should have done some research before responding, no question, but even then she likely wouldn't have really understood most of what she read anyway.

I just can't imagine the incompetence occurring within either the dev or devops team for T-Mobile Austria. It's not as if it is a bug; it's just bad security principles (i.e. not secure by design), and unfortunately bad principles normally beget more bad principles.

If you did this within the NHS and were breached, you're getting carpet bombed by the ICO.  If you left this until May whereupon GDPR comes into effect, you're getting nuked from low orbit.

T-Mobile Austria has replied, trying to calm people down a bit. Apparently they are not storing the passwords in clear text.

Update in the OP.

I am not sure if this warrants being in the OP or not, so I'll just post it here. I am not sure if this info is legitimate or not.

A person going by hanno on Twitter decided to look a bit into their "amazing security".

He found that three of T-Mobile Austria's subdomains (blog/kids/newsroom) were running WordPress. The git repo controlling those subdomains was accessible from the outside. So hanno scraped the repo and apparently they stored the wp-config.php file in there, which contains the database username and password. Not good security, but it's not devastating... except they also allowed remote access to the phpMyAdmin page. So hanno was able to find the phpMyAdmin page, as well as the admin username and password for it.

He could have logged in there and done basically anything he wanted to the subdomains.

Please note that this is not the same database as the one the customer info referenced in the OP is stored in, but still...

2 hours ago, LAwLz said:

T-Mobile Austria has replied, trying to calm people down a bit. Apparently they are not storing the passwords in clear text.

Update in the OP.

So am I understanding this correctly?

  1. It's not quite plain text, but they are absolutely storing passwords "literally" rather than as a hash
  2. Related services are hilariously poorly secured

I'm not sure this is much comfort, to be honest.

37 minutes ago, Ryan_Vickers said:

So am I understanding this correctly?

  1. It's not quite plain text, but they are absolutely storing passwords "literally" rather than as a hash
  2. Related services are hilariously poorly secured

I'm not sure this is much comfort, to be honest.

1. That's what it seems like, yes. I mean, maybe that other rep said encryption when he meant hashes, but since they are able to display the first 4 characters of the password it can't be a hash (unless they store that separately, which wouldn't make much sense). It seems very likely that they store encrypted passwords, and then decrypt them and display the first 4 characters to their support staff.

2. Yes, really, really bad security for their other services. Bad as in, they had their admin password in clear text, accessible by anyone who could figure out the URL.

Several people have also reported that they can inject cross-site scripts into their website, but I haven't been able to find any hard evidence for it (and the reports are not from people I know about, so I wouldn't take their word for it).
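To make the point in item 1 concrete: with a salted, slow hash a site can still verify a login, but the stored record contains nothing from which "the first 4 characters" could be shown to support staff. This is an added illustration, not code from the thread or from T-Mobile; the record layout and the PBKDF2 iteration count are assumptions.

```python
import hashlib
import hmac
import os
from typing import Optional

# Assumed work factor for PBKDF2-HMAC-SHA256 (example value, not a recommendation
# for any specific deployment).
ITERATIONS = 600_000
ALGO = "pbkdf2_sha256"


def hash_password(password: str, salt: Optional[bytes] = None) -> str:
    """Return a storable record of the form algo$iterations$salt_hex$digest_hex.

    A fresh random salt is drawn per password, so two users with the same
    password get different records and the digests cannot be compared across
    accounts.
    """
    salt = salt if salt is not None else os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)
    return f"{ALGO}${ITERATIONS}${salt.hex()}${digest.hex()}"


def verify_password(password: str, record: str) -> bool:
    """Recompute the digest from the stored salt and compare in constant time.

    The only question the record can answer is "is this the whole password?";
    a partial match (such as the first 4 characters) cannot be checked or
    displayed, because no prefix of the password is recoverable from the digest.
    """
    try:
        algo, iterations, salt_hex, digest_hex = record.split("$")
    except ValueError:
        return False  # malformed record: treat as a failed login, do not raise
    if algo != ALGO:
        return False
    candidate = hashlib.pbkdf2_hmac(
        "sha256", password.encode("utf-8"), bytes.fromhex(salt_hex), int(iterations)
    )
    return hmac.compare_digest(candidate, bytes.fromhex(digest_hex))


def same_password_distinct_records(password: str) -> bool:
    """Show the effect of per-password salting: identical passwords, different records."""
    return hash_password(password) != hash_password(password)
```

A "show me the first 4 characters" support feature therefore implies the password itself is kept in a reversible form somewhere, which is exactly what the thread is worried about.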

9 hours ago, djdwosk97 said:

so I can't entirely fault the representative for handling the situation in a Twitter-esque fashion. She should have done some research before responding, no question, but even then she likely wouldn't have really understood most of what she read anyway.

I agree. However, if as a company you know what you are doing, you should train your media representatives better. It is certainly not always feasible to give your PR people in-depth IT security knowledge, but you could train them to look out for certain topics and ask for advice instead of instantly typing anything that comes to mind.

Welp, I know what next week's news headlines are gonna be: "Massive T-Mobile data breach, passwords were stored in plain text".

On 4/7/2018 at 6:41 AM, MyName13 said:

In which field of information security do you work? How did you enter the field and what would you recommend to those who are interested in infosec?

Topic:

If T-Mobile does this then I'm really screwed with my ISP.

I work for an email security company that just opened up shop in the US (based in Germany). I was prospected because I have both a sales and a tech background.

On 4/6/2018 at 2:14 PM, Crunchy Dragon said:

All the more reason for me to not use them...

Honestly, what is with company security?

They think they are so big they are bulletproof.
