T-Mobile Austria Confirms They Stores All Customer Passwords In Clear Text - UPDATED

[WkdPaul]

1 minute ago, Drak3 said:

My company has pretty good security.

 

Everything sensitive is paper copy only or on an external drive that has never, and will never, be used on a computer with any network access.

 

In a fire safe.

 

Guarded by a fairly vicious dog.

 

And occasionally, a guy with a gun

 

You forgot to mention the moat filled with Legos and UK power plugs that surrounds the fire safe!

[NoxiousOdor]

1 minute ago, wkdpaul said:

 

You forgot to mention the moat filled with Legos and UK power plugs that surrounds the fire safe!

Also drunk soccer fans

[sof006]

59 minutes ago, Ekin said:

 

Wow. The whole twitter thread is a disaster...

Whoever is in charge of that T-Mobile twitter account needs sacked. They sound seriously stupid and are tarnishing the T-Mobile brand, we have no idea if what this person is saying is true. 

[Starelementpoke]

Someone just lost a job.

[Drak3]

1 minute ago, wkdpaul said:

 

You forgot to mention the moat filled with Legos and UK power plugs that surrounds the fire safe!

Both failed preliminary testing.

 

However, -Redacted political joke regarding a wall-

 

 

 

Microkappa

[WkdPaul]

I just went and read most of the Twitter thread, and the T-Mobile person says they do that so that they can use the password as a security question, both on the phone and in person at the stores ... This means an easy weak link is any T-Mobile store or kiosk, hearing this is just scary AF!!!

 

Anyone that has simple understanding of IT security would see why this is a problem (even if the stores didn't have access to the plain text passwords).

 

If this is all true, it's a horrific security hole.

 

1. Don't store your customer's passwords in plain text, whatever the reason is, it's not a good enough reason.
2. Don't use client's passwords as a security question, this is the least secure way to verify a client's identity, especially if the passwords are stored in plain text.

[WMGroomAK]

1 hour ago, wkdpaul said:

T-Mobile person says they do that so that they can use the password as a security question, both on the phone and in person at the stores

Seriously!!!  What level of security check do they perform on the person in the store or over the phone?  

[Big Head Tech]

I will chime in as I work in the Cyber Security field.  THIS IS A HORRIBLE IDEA!!!!  There is no reason not to encrypt this data....

[Ryujin2003]

Wow.. the first 4 characters are visible to employees??

 

THIS JUST IN, 95% OF ALL THE MOBILE CUSTOMERS HAVE PASSWORD: pass********

 

.... I'm waiting for a customer to sort this database by passed, alphabetically.

[Centurius]

I'm not saying this is good, it isn't But working on the Webcare team of the Dutch part of T-Mobile. A lot of people they let onto the Twitter account are full of shit.

[vanished]

wow, just ... amazing I really don't have words for it

[suchamoneypit]

I wonder how long until someone tries to hack them just to show how weak it is. "we have amazing security" is pretty much an open invitation for people to try and prove you wrong.

[goodtofufriday]

[vanished]

I've been thinking about this trying to take it all in and it's still just shocking to the point of being hard to accept this is actually happening.  The fact they store passwords like that should already be a huge piece of negative PR on its own, but their replies have only made it worse.  This level of arrogance and incompetence is a terrible combination.  Furthermore the announcement that they store passwords in plain text has made them a target whether they realize it or not since everyone now knows they could get passwords if they pull it off, which in most cases can't be assumed.  I can't wait until they inevitably are breached and have to explain to shareholders why they did this, announced that they did it, and then ignored cries that it's unsafe and that they need to fix it.  It will not be good for them.  It's common sense that this is a very bad practice, but for them to admit they do it, and then to defend it... it's incomprehensible.

 

And how can they say the employees can see the first 4 characters?  If it's in plain text, then they can see the whole thing lol

[2FA]

26 minutes ago, Ryan_Vickers said:

And how can they say the employees can see the first 4 characters?  If it's in plain text, then they can see the whole thing lol

Stored in plaintext in the database but most employees won't have the permissions available to read the whole field. Database admins can of course see the whole thing.

[vanished]

Just now, 2FA said:

Stored in plaintext in the database but most employees won't have the permissions available to read the whole field. Database admins can of course see the whole thing.

Yeah, and those DBAs are employees are they not?  

Not to mention if they're incompetent enough to do this, there's no telling what other unimaginably bad practices might be going on... for all you know the kiosk level people do have read access to the whole thing

[2FA]

1 minute ago, Ryan_Vickers said:

Yeah, and those DBAs are employees are they not?  

Not to mention if they're incompetent enough to do this, there's no telling what other unimaginably bad practices might be going on... for all you know the kiosk level people do have read access to the whole thing

Why are you being so semantic? I was explaining how it was possible.

 

I prefer not to speculate.

[vanished]

Just now, 2FA said:

Why are you being so semantic? I was explaining how it was possible.

 

I prefer not to speculate.

I'm just saying the whole thing is a mess.  I guess in the actual thread they specifically said the kiosk people have access to the first 4 characters, which I guess they intended as "oh don't worry we can't see the whole thing, just the first four", but I look at it as a) well it's stored so someone has access to the whole thing, so that's still bad, and b) if it was just the DBAs that would already be bad but the fact that kiosk people can see anything at all is even worse imo. It's just bad in all ways and it's breaking my brain to even try to comprehend this so if I don't make sense please don't take it the wrong way

[2FA]

1 minute ago, Ryan_Vickers said:

I'm just saying the whole thing is a mess.  I guess in the actual thread they specifically said the kiosk people have access to the first 4 characters, which I guess they intended as "oh don't worry we can't see the whole thing, just the first four", but I look at it as a) well it's stored so someone has access to the whole thing, so that's still bad, and b) if it was just the DBAs that would already be bad but the fact that kiosk people can see anything at all is even worse imo. It's just bad in all ways and it's breaking my brain to even try to comprehend this so if I don't make sense please don't take it the wrong way

Yeah, plaintext is bad. If they have one or both a CIO/CISO, they should be fired. Their authentication policies are terrible for using passwords as a security question. If you're going to use multiple "something you know" forms of authentication, make them not overlap at all.

[vanished]

Just now, 2FA said:

Yeah, plaintext is bad. If they have one or both a CIO/CISO, they should be fired. Their authentication policies are terrible for using passwords as a security question. If you're going to use multiple "something you know" forms of authentication, make them not overlap at all.

Yeah that kind of defeats the purpose of having two doesn't it?

[EPENEX]

But didn't you hear? They have amazing security.

[vanished]

5 minutes ago, EPENEX said:

But didn't you hear? They have amazing security.

Yes... their security is so good, it doesn't need to be good...

Spoiler

 

[Bananasplit_00]

This is insaine, I really hope the twitter person is just full of shit

[Vode]

Hmm pretty ignorant tweet. Amazing security...right.

 

10 hours ago, SC2Mitch said:

This isn't just TMobile Australia, this is TMobile in general tbh

Also: LOL

[suicidalfranco]

welp if anything, she just summoned every hacker in search of something fun to do for the weekend