0x1B

RCN Corporation stores passwords and security questions in plaintext

Posted · Original PosterOP

An RCN Corporation customer posted on Reddit about his exchange with RCN customer support, first by phone and later on Twitter. It turns out RCN stores customer passwords and security phrases in plaintext and does not see any issue with this. In the customer's own words:

Quote

[RCN phone customer support] without any validation (strike 1), was able to see my password that i had just set online, 5 minutes earlier, in plaintext (strike 2) and then straight up READ IT BACK TO ME, OVER THE PHONE, asking "the password looks very long and odd, are you sure this is what you want?" (strike 3, yer out!)

Shocked by this conversation, the customer contacted the company's official representative on Twitter, @RCNconnects, and got the following reply (screenshot on imgur):

Quote

... Agents need to see this password to verify account ownership when certain changes are requested. We will pass your feedback along. -Jackie

For those who are not familiar with RCN (like me), RCN Corporation is a large American communications provider (telephone, cable television, and internet) with hundreds of millions in revenue and hundreds of thousands of customers.

 

My personal thoughts: It's alarming that such a large infrastructure provider does not understand even the basic principles of hashes and how to use them to store passwords. Clearly, this is not for lack of resources or anything else; their security team (and support team and management) either completely does not care or is basically illiterate in security.

Do you personally use their services? If so, what do you plan to do (if anything)?

 

EDIT: Some people mentioned a past post that T-Mobile Austria was storing passwords in plaintext as well. Yes, this is the point of this post: to publicize this information in the hope that public pressure will convince the company (RCN in this case) to fix the issues.


Unfortunately these things will not get better until penalties increase. It is often cheaper to not use proper security and deal with the public response from hacks than it is to implement proper security.

3 minutes ago, CUDAcores89 said:

It is often cheaper to not use proper security

Just change the font to Dingbats, problem solved....

/s

 

Jokes aside, I feel like security, especially cybersecurity these days, is greatly underappreciated. Most people think it's just fine to do stuff like this because it's cheaper, but they don't realize just how much of a needed investment it is.

4 minutes ago, Crunchy Dragon said:

Just change the font to Dingbats, problem solved....

/s

 

Jokes aside, I feel like security, especially cybersecurity these days, is greatly underappreciated. Most people think it's just fine to do stuff like this because it's cheaper, but they don't realize just how much of a needed investment it is.

This is something the Federal Trade Commission could actually handle. Imagine if the FTC audited corporations completely at random to test their cyber security. If they didn't meet the requirements, they would have x days to correct it or be hit with a fine. They will continue to be hit with the fine every x days until the security is fixed.

 

We already have a government program in place that could easily handle things like this. It would be a simple change in the way the FTC operates to pull this off.

Posted · Original PosterOP
2 minutes ago, CUDAcores89 said:

Unfortunately these things will not get better until penalties increase. It is often cheaper to not use proper security and deal with the public response from hacks than it is to implement proper security.

I'm posting this here hoping that increased public response will lead to changes before this issue is exploited. For example, if this piece gets featured on TechLinked, the company might think twice before sweeping this under the rug.

Also, I think it's not true that dealing with issues after they are exploited is cheaper than following the basic principles of security even disregarding revenue loss due to reputation loss. To fix this, they simply need to change sign-in logic a bit, add salt column to the database, and calculate salted hashes and delete plaintext passwords. That's it! To deal with a breach (a break-in or even a malicious tech support staff), they'd probably have to carry out a full-fledged investigation and follow disclosure process, then inform customers to change passwords.
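As an added example (not from the thread and not RCN's code), here is what the migration described above looks like in practice: a constructed SQLite table with a plaintext password column gets a random per-user salt and a PBKDF2 hash, the plaintext is wiped, and sign-in becomes a yes/no check, so a support agent can no longer read a password back. The table name, columns, sample rows and work factor are assumptions.

```python
import hashlib
import hmac
import os
import sqlite3

# Constructed sample rows standing in for a plaintext password table (assumed schema).
PLAINTEXT_ROWS = [("alice", "correct horse battery staple"), ("bob", "qwe123!!!")]

# PBKDF2-HMAC-SHA256 iteration count; kept modest for the demo. Production systems
# should use a higher count or a memory-hard KDF such as Argon2 or scrypt.
ITERATIONS = 200_000


def make_db() -> sqlite3.Connection:
    """Build the 'before' state: plaintext passwords, empty salt/hash columns."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE users (name TEXT PRIMARY KEY, password TEXT, salt BLOB, pw_hash BLOB)")
    db.executemany("INSERT INTO users (name, password) VALUES (?, ?)", PLAINTEXT_ROWS)
    return db


def hash_password(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)


def migrate(db: sqlite3.Connection) -> int:
    """One-time migration: hash each remaining plaintext password with a fresh
    per-user salt, then overwrite the plaintext with NULL. Returns rows migrated."""
    rows = db.execute("SELECT name, password FROM users WHERE password IS NOT NULL").fetchall()
    for name, plaintext in rows:
        salt = os.urandom(16)
        db.execute("UPDATE users SET salt = ?, pw_hash = ?, password = NULL WHERE name = ?",
                   (salt, hash_password(plaintext, salt), name))
    db.commit()
    return len(rows)


def verify(db: sqlite3.Connection, name: str, candidate: str) -> bool:
    """Sign-in check after migration: recompute the hash and compare in constant time.
    Unknown users and rows not yet migrated are rejected rather than compared in plaintext."""
    row = db.execute("SELECT salt, pw_hash FROM users WHERE name = ?", (name,)).fetchone()
    if row is None or row[0] is None:
        return False
    return hmac.compare_digest(hash_password(candidate, row[0]), row[1])


def plaintext_remaining(db: sqlite3.Connection) -> int:
    """Audit query: how many accounts still carry a readable password."""
    return db.execute("SELECT COUNT(*) FROM users WHERE password IS NOT NULL").fetchone()[0]
```

Running `migrate` a second time is a no-op, and `plaintext_remaining` is the check an auditor would want to see return zero.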

Quote

But what if our security is so amazing? - T-Mobile Austria

 

Fines may or may not work, developers may be incompetent. Ideally database creators should add a warning if a column with "password" in the name is detected to offer transparent hashing with a salt and standard parameters - the less developers need to think the fewer mistakes they can make.

3 hours ago, Crunchy Dragon said:

Jokes aside, I feel like security, especially cybersecurity these days, is greatly underappreciated. Most people think it's just fine to do stuff like this because it's cheaper, but they don't realize just how much of a needed investment it is.

Many industry folk have stated that security is the biggest issue in IT. If the US government network can be breached then no one is safe. All these news stories are making me more and more interested in studying cyber security or being a cyber security consultant or something similar.


Not at all surprising.  Remember the T-mobile thing (I think it was them) that was basically in the exact same situation a few months ago?


Great, so now it doesn't even matter if you have a good, strong password using their services! Everyone can just go with qwe123!!!

 

/s

 

Wow this a massive load of crap, US needs some GDPR ;)


I feel like nothing will change even if large fines are levied, until a major company or country gets ruined due to bad security practices. And I don't mean they lose some money, I mean like some company that everyone knows gets completely hacked and has to shut down, billions lost, stock value dropping to 0 overnight. No one will care until they see a mega company fail overnight because of getting hacked, or having every single financial detail put online for the world to see, or just all their IP stolen and given away to the world. It's gonna have to be a giant too or no one will care. It will have to be so public, and so bad that no one can ignore it. Or like a country gets its power grid shut down or something. There is just no point for companies to care about cyber security at the moment; the damages are never enough to matter, just the cost of business.


From the r/sysadmin original post
[image: screenshot of the r/sysadmin post]

 

It should also be noted they've been doing this since AT LEAST 2014:

On 9/23/2018 at 9:30 PM, mynameisjuan said:

At this point this doesn't bother me anymore. Even if these are plain text most hacks are just getting an admin's password and viewing them anyway. 

That's exactly how it DOESN'T work when the passwords are hashed...

On 9/23/2018 at 2:02 PM, 0x1B said:

An RCN Corporation customer posted on Reddit about his exchange with RCN customer support, first by phone and later on Twitter. It turns out RCN stores customer passwords and security phrases in plaintext and does not see any issue with this.

Didn't T-Mobile Austria also store passwords in plain text for the same 'reason'?


I rang my ISP last week when my broadband died and their automated phone system asked me to say my password and PIN out loud. Obviously I refused, so it hung up on me.

 

I called back and gave false information to get through to an agent where I expressed my irritation as nicely as I possibly could.
