T-Mobile Austria Confirms They Stores All Customer Passwords In Clear Text - UPDATED

[LAwLz]

Update:

 

 

So it is not quite as bad as storing the passwords in clear text, however it is still very problematic because:

1) The passwords are encrypted. This means that if the case of a security breach, the attacker just needs to find the encryption key and it will have access to all passwords in clear text.

The proper way of storing passwords is as salted hashes. For more info, see this video called "How NOT to Store Passwords!".

 

2) They still allow the staff to see parts of the users password.

 

 

 

 

 

Original post:

 

 

So this is fun...

T-Mobile Austria's twitter account announced that they are storing all customer passwords in clear text. Not only that, but they also allow their customer service staff to see the first four characters of it.

 

When told that this was very bad security practice, T-Mobile's response was:

Quote

And when another user chimed in, saying that in the case of a data breach all the users information including the passwords would be completely visible, T-Mobile replied with:

Quote

 

Actually, the entire twitter thread is crazy.

You can read the original here, or look at this screenshot below (because I suspect T-mobile will remove it soon)

 

Spoilers because the image is big.

Spoiler

 

As the twitter users points out, T-Mobile Austria is not a subsidiary of T-Mobile (USA). However, both T-Mobile Austria and T-Mobile (USA) are owned by the same company, Deutsche Telekom AG. Telekom also stores their passwords in clear text. So if the parent company does it (Telekom), and one of the daughter companies does it (T-mobile Austria), then it is not too far fetched to assume other daughter companies (T-Mobile USA) does it too.

 

I don't know what is worse. The complete incompetence of whoever implemented their password system, or the terrible ignorance and naivety of their twitter support staff.

[Crunchy Dragon]

All the more reason for to me not use them...

 

Honestly, what is with company security?

[ItsMitch]

This isn't just TMobile Australia, this is TMobile in general tbh

[Unhelpful]

Fucking crazy, but also somehow not even remotely unexpected. Gotta love it.

[Teddy07]

5 minutes ago, LAwLz said:

So this is fun...

 

Yes. I fell of my chair because of all the laughing.

 

I knew you didn't need any qualifications but come one. This poor woman isn't even able to rub her two brain cells together. She just failed the 1+1=2 test.

[SpaceGhostC2C]

Just now, SC2Mitch said:

This isn't just TMobile Australia, this is TMobile in general tbh

It is T-Mobile Austria that explicitly admitted it (and even defended it... with the best arguments ever ), but yes, the question is how extended this practice is in companies we don't have confirmation either way.

If I remember correctly, when Equifax happened there were several instances of comparable "non-state of the art" practices involved.

[Teddy07]

The amazing part is that she even thinks that her company has amazing data protection

[handymanshandle]

storing passwords, is kinda expected but plaintext? Uhm that's risky as hell

[Bouzoo]

I am not sure how this is possible since I work for Croatian Telemom (which is owned by DT, it is T-Com and T-Mobile put together, a subsidiary), and we can see literally nothing. For pretty much every app you can just type in a new password abut can't see anything other than *******, if even that much. I am really curious where that plain text is supposed to be located. Then again, every DT subsidiary does have it's rules from DT but also has it's own corporate security policy afaik. 

 

Either way, that twitter staff is incompetent at their job.

[Lurick]

17 minutes ago, Crunchy Dragon said:

All the more reason for to me not use them...

 

Honestly, what is with company security?

Security costs money and we can't have companies spending money that interferes with profit

[Ekin]

 

Wow. The whole twitter thread is a disaster...

[MarbleHornets]

Reading that honestly made my security+ cert cry....Just why.?

[Lurick]

Oh, forgot to mention but another company that has crap security is American Express who doesn't enforce case sensitivity for passwords

[Valkyrie Lenneth]

just so u know guys, i just installed a friggen tmobile modem today lol

[Deus Voltage]

Just now, Ekin said:

 

Wow. The whole twitter thread is a disaster...

I have to applaud them. Somehow they managed to make a worse response than MSI 

[Fasterthannothing]

[Teddy07]

25 minutes ago, LAwLz said:

Actually, the entire twitter thread is crazy.

1

Holy shit. The twitter discussion is even better than your quotes.

 

Thanks for sharing mate! I already shared it with my fellow computer science students.

[GDRRiley]

Why? who would think this was a good idea. even LTT forum passwords are salted and hashed. 

[Teddy07]

I literally have tears in my eyes while reading the twitter discussion.

[Techstorm970]

25 minutes ago, Teddy07 said:

The amazing part is that she even thinks that any non-federal or non-government-contracting company has amazing data protection

FTFY  

[Jtalk4456]

That twitter thread made me cringe

[ScratchCat]

34 minutes ago, Lurick said:

Security costs money and we can't have companies spending money that interferes with profit

But plaintext really?

When I was in school even people who knew nothing about security or programming would at least XOR the password with a hard coded value (terrible yes) so if the database were to be compromised it wouldn't be immediately shown what the contents were.

 

Quote

You have so many passwords for evey app, for every mail-account and so on.

I'm sure all normal consumers use unique, complex passwords and don't store then in an unencrypted text file...

 

Edit: Did they explicitly say the passwords were stored entirely in plain text or only the first 4 characters? Storing the first 4 characters would allow verification in a poor way while hashing the actual password.

[DildorTheDecent]

haha! April Fools was 6 days ago....guess someone didn't tell them...

 

pls be fake

[WkdPaul]

I'm with @DildorTheDecent, please someone tell us this is just some failed April fool joke ...

[Drak3]

1 hour ago, Crunchy Dragon said:

Honestly, what is with company security?

My company has pretty good security.

 

Everything sensitive is paper copy only or on an external drive that has never, and will never, be used on a computer with any network access.

 

In a fire safe.

 

Guarded by a fairly vicious dog.

 

And occasionally, a guy with a gun.