RCN Corporation stores passwords and security questions in plaintext

0x1B

An RCN Corporation customer posted on Reddit about his exchange with RCN customer support via phone and later on Twitter. Turns out, RCN stores customer passwords and security phrases in plaintext and does not see any issue with this. In the customer's own words:

Quote

[RCN phone customer support] without any validation (strike 1), was able to see my password that i had just set online, 5 minutes earlier, in plaintext (strike 2) and then straight up READ IT BACK TO ME, OVER THE PHONE, asking "the password looks very long and odd, are you sure this is what you want?" (strike 3, yer out!)

Shocked by this conversation, the customer contacted the company's official representative on Twitter @RCNconnects and got the following reply (screenshot on imgur):

Quote

... Agents need to see this password to verify account ownership when certain changes are requested. We will pass your feedback along. -Jackie

For those who are not familiar with RCN (like me), RCN Corporation is a large American communications provider (telephone, cable television, and internet) with hundreds of millions in revenue and hundreds of thousands of customers.

My personal thoughts: It's alarming that such a large infrastructure provider does not understand even the basic principles of hashes and how to use them to store passwords. Clearly, this is not for the lack of resources or something else, their security team (and support team and management) either completely do not care or are basically illiterate in security.

Do you personally use their services? If so, what do you plan to do (if anything)?

EDIT: Some people mentioned a past post that T-Mobile Austria was storing passwords in plaintext as well. Yes, this is the point of this post: to publicize this information in hopes that the public pressure will convince the company (RCN in this case) to fix the issues.


3 minutes ago, CUDAcores89 said:

It is often cheaper to not use proper security

Just change the font to Dingbats, problem solved....

/s


Jokes aside, I feel like security, especially cybersecurity these days, is greatly underappreciated. Most people think it's just fine to do stuff like this because it's cheaper, but they don't realize just how much of a needed investment it is.


2 minutes ago, CUDAcores89 said:

Unfortunately these things will not get better until penalties increase. It is often cheaper to not use proper security and deal with the public response from hacks than it is to implement proper security.

I'm posting this here hoping that increased public response will lead to changes before this issue is exploited. For example, if this piece gets featured on TechLinked, the company might think twice before sweeping this under the rug.

Also, I think it's not true that dealing with issues after they are exploited is cheaper than following the basic principles of security, even disregarding revenue loss due to reputation loss. To fix this, they simply need to change the sign-in logic a bit, add a salt column to the database, calculate salted hashes, and delete the plaintext passwords. That's it! To deal with a breach (a break-in or even a malicious tech support staffer), they'd probably have to carry out a full-fledged investigation and follow a disclosure process, then inform customers to change passwords.

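The fix described in the post above, written out as an added example (not RCN's code or anything posted in the thread): each stored password gets its own random salt and is replaced by a PBKDF2 hash from Python's standard library, the plaintext column disappears, and support staff get a yes/no verification call rather than the password itself. The sample user table and the iteration count are assumptions.

```python
import hashlib
import hmac
import os

# Constructed sample of the current table: username -> plaintext password.
PLAINTEXT_USERS = {
    "alice": "correct horse battery staple",
    "bob": "qwe123!!!",
}

# Assumed work factor; tune so one hash takes a few hundred milliseconds on your hardware.
PBKDF2_ITERATIONS = 600_000


def hash_password(password, salt=None, iterations=PBKDF2_ITERATIONS):
    """Return (salt, digest). A fresh 16-byte random salt is drawn if none is given."""
    if salt is None:
        salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return salt, digest


def migrate(plaintext_users):
    """Build the replacement table: salt + hash + work factor, no plaintext anywhere."""
    hashed = {}
    for name, password in plaintext_users.items():
        salt, digest = hash_password(password)
        hashed[name] = {"salt": salt, "hash": digest, "iterations": PBKDF2_ITERATIONS}
    return hashed


def verify(hashed_users, name, candidate):
    """Sign-in and support check: returns True/False, never reveals the stored secret."""
    record = hashed_users.get(name)
    if record is None:
        # Unknown user: still do the work so timing does not reveal which names exist.
        hash_password(candidate, b"\x00" * 16)
        return False
    _, digest = hash_password(candidate, record["salt"], record["iterations"])
    # Constant-time comparison so a wrong guess is not distinguishable byte by byte.
    return hmac.compare_digest(digest, record["hash"])
```

Because the salt is random per user, two customers with the same password (or the same customer migrated twice) end up with different hashes, so a leaked table gives no shortcut across accounts.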

At this point this doesn't bother me anymore. Even if these are plain text most hacks are just getting an admin's password and viewing them anyway. 


Quote

But what if our security is so amazing? - T-Mobile Austria


Fines may or may not work, developers may be incompetent. Ideally database creators should add a warning if a column with "password" in the name is detected to offer transparent hashing with a salt and standard parameters - the less developers need to think the fewer mistakes they can make.


3 hours ago, Crunchy Dragon said:

Jokes aside, I feel like security, especially cybersecurity these days, is greatly underappreciated. Most people think it's just fine to do stuff like this because it's cheaper, but they don't realize just how much of a needed investment it is.

Many industry folk have stated that security is the biggest issue in IT. If the US government network can be breached then no one is safe. All these new stories are making me more and more interested in studying cyber security or being a cyber security consultant or something similar.


Not at all surprising.  Remember the T-mobile thing (I think it was them) that was basically in the exact same situation a few months ago?


Great, so now it doesn't even matter if you have a good, strong password using their services! Everyone can just go with qwe123!!!

/s

Wow, this is a massive load of crap. The US needs some GDPR ;)


I feel like nothing will change even if large fines are levied, until a major company or country gets ruined due to bad security practices. And I don't mean they lose some money, I mean like some company that everyone knows gets completely hacked and has to shut down, billions lost, stock value dropping to 0 overnight. No one will care until they see a mega company fail overnight because of getting hacked, or having every single financial detail put online for the world to see, or just all their IP stolen and given away to the world. It's gonna have to be a giant too or no one will care. It will have to be so public, and so bad, that no one can ignore it. Or like a country gets its power grid shut down or something. There is just no point for companies to care about cyber security at the moment; the damages are never enough to matter, just the cost of business.


From the r/sysadmin original post

It should also be noted they've been doing this since AT LEAST 2014:

On 9/23/2018 at 9:30 PM, mynameisjuan said:

At this point this doesn't bother me anymore. Even if these are plain text most hacks are just getting an admin's password and viewing them anyway. 

That's exactly how it DOESN'T work when the passwords are hashed...

On 9/23/2018 at 2:02 PM, 0x1B said:

An RCN Corporation customer posted on Reddit about his exchange with RCN customer support via phone and later on Twitter. Turns out, RCN stores customer passwords and security phrases in plaintext and does not see any issue with this. In the customer's own words:

Shocked by this conversation, the customer contacted the company's official representative on Twitter @RCNconnects and got the following reply (screenshot on imgur):

For those who are not familiar with RCN (like me), RCN Corporation is a large American communications provider (telephone, cable television, and internet) with hundreds of millions in revenue and hundreds of thousands of customers.

My personal thoughts: It's alarming that such a large infrastructure provider does not understand even the basic principles of hashes and how to use them to store passwords. Clearly, this is not for the lack of resources or something else, their security team (and support team and management) either completely do not care or are basically illiterate in security.

Do you personally use their services? If so, what do you plan to do (if anything)?

Didn't T-Mobile Austria also store passwords in plain text for the same 'reason'?

I rang my ISP last week when my broadband died and their automated phone system asked me to say my password and PIN out loud. Obviously I refused, so it hung up on me.

I called back and gave false information to get through to an agent where I expressed my irritation as nicely as I possibly could.
