How providers care about customer safety

Hello. It would seem that in the modern world some concepts are fairly obvious, even to the average person with no connection to IT. For example, storing passwords in plaintext in a txt file on the desktop is bad. Unfortunately, the hosting provider Ukraine only realised this in January 2020. I am not leaving a link, so as not to break the rules, but it is easy to google. What about other providers, for example Internet providers? I decided to run a small experiment and share it with you. I will say right away: I had no malicious intent, and there was no aim of harming anyone. The goal is to convince people to treat user data and personal accounts more responsibly, especially when those accounts allow settings to be changed freely. Perhaps, if this situation is made public, something will change. Or maybe not. Who knows... I will still try.

Foreword


While sitting in a friend's office, I noticed how he pays for his relatives' Internet. He goes into the personal account and pays the bill with a card. Nothing unusual, it would seem, except that when entering the contract number he uses that number both as the login and as the password. I asked him about this straight away and recommended changing the password, which he did immediately. My immediate thought was: keeping personal data safe is the user's own responsibility. But he is not the only one. Among the huge number of this provider's users there are surely some who never change the password. Moreover, if they are elderly people, they may not even know about it. They go and pay for the Internet in cash at a terminal, and all this time their personal account has been sitting there with no protection at all. Maybe the provider somehow solves this problem? Worth checking.

Action


I asked my friend for the contract number. Starting from it, I first tried manually to log into other users' accounts by adding 1 to the number each time. Success: 20/20. An attempt counts as successful if the account exists and I managed to get into the personal account. Here are example screenshots (users' personal data is hidden).

Ticket list:

Also, connected services from another account:

That made me sad. But maybe this is because I am using an address from the same provider? Maybe if I connect from another provider's network they won't let me into the personal account? I quickly set up a VPN in another country and went downward from the original number. Success: 9/10. One of the accounts does not exist.

I then wrote a simple program that:

  • logs into the account if it exists;
  • if the account does not exist, leaves a corresponding mark in the database;
  • saves the mapping of ID, phone number and connected services to the database;
  • waits one minute;
  • moves on to the next user.

Analysis


Result of the experiment: 82/100. Of the 18 failed attempts, 11 were non-existent accounts or accounts with no connected services, and 7 were accounts with non-default passwords.

Based on what I saw even at this stage, the following conclusions can be drawn:

  1. 82% of the sample use the same string as login and password, namely the contract number;
  2. the login form is not protected against account enumeration: I logged into 82 different accounts from the same IP with 100 attempts in total;
  3. the personal account is not protected against access from another network;
  4. there is no bot protection on the login form.
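The defender's view of conclusion 2, as an added example that is not part of the original post: a detector run over constructed login-audit lines (the format `<ISO timestamp> <client ip> <result> <account id>` is an assumption; a real provider's log will differ). It flags a source address that opens more than a handful of distinct accounts within a window, and checks whether those account IDs form a consecutive run, the signature of "add 1 to the contract number". Counting distinct accounts per window, rather than requests per minute, is what makes the one-minute delay between attempts irrelevant.

```python
"""Detect one source address walking through consecutive account IDs.

Added example (not the provider's code, not the author's script).
Assumed log line format: "<ISO timestamp> <client ip> <result> <account id>",
where result is OK (login succeeded), FAIL (bad password) or NOENT (no such
account). Every touched account counts, whatever the result, because an
enumerator touches accounts it never gets into.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample: 203.0.113.7 cycles through consecutive contract numbers
# one per minute (as the post describes); 198.51.100.20 is an ordinary user.
SAMPLE_LOG = """\
2020-03-01T10:00:00 203.0.113.7 OK 100001
2020-03-01T10:01:00 203.0.113.7 OK 100002
2020-03-01T10:02:00 203.0.113.7 NOENT 100003
2020-03-01T10:03:00 203.0.113.7 OK 100004
2020-03-01T10:04:00 203.0.113.7 FAIL 100005
2020-03-01T10:05:00 203.0.113.7 OK 100006
2020-03-01T10:06:00 203.0.113.7 OK 100007
2020-03-01T10:07:00 198.51.100.20 OK 100042
2020-03-01T10:30:00 198.51.100.20 OK 100042
"""


def parse_line(line):
    """Split one audit line into (timestamp, ip, result, account id)."""
    ts, ip, result, acct = line.split()
    return datetime.fromisoformat(ts), ip, result, int(acct)


def find_enumerators(log_text, window=timedelta(hours=1), max_accounts=3):
    """Return {ip: sorted account ids} for every address that touched more
    than `max_accounts` distinct accounts inside any `window`-long span."""
    events = defaultdict(list)  # ip -> [(timestamp, account id)]
    for line in log_text.splitlines():
        if line.strip():
            ts, ip, _result, acct = parse_line(line)
            events[ip].append((ts, acct))

    hits = {}
    for ip, evs in events.items():
        evs.sort()
        # Slide a window that starts at each event; collect the distinct
        # accounts touched before the window closes.
        for i, (start, _) in enumerate(evs):
            seen = {acct for ts, acct in evs[i:] if ts - start <= window}
            if len(seen) > max_accounts:
                hits[ip] = sorted(seen)
                break
    return hits


def longest_consecutive_run(accounts):
    """Length of the longest run of consecutive integers in `accounts`.
    A long run means the IDs were generated by incrementing, not typed by
    a person who knows one contract number."""
    ids = sorted(set(accounts))
    best = run = 1 if ids else 0
    for a, b in zip(ids, ids[1:]):
        run = run + 1 if b - a == 1 else 1
        best = max(best, run)
    return best


if __name__ == "__main__":
    for ip, accts in find_enumerators(SAMPLE_LOG).items():
        print(ip, "touched", len(accts), "accounts;",
              "longest consecutive run:", longest_consecutive_run(accts))
```

The thresholds (three accounts per hour, a run of three or more consecutive IDs) are placeholders; a provider would tune them against real traffic, but a single household address opening seven different contracts in seven minutes is not normal usage under any tuning.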

What can be done with the data obtained? We have the customer's phone number and a list of connected services. A competing provider that somehow got hold of such data could call these numbers and offer better terms. Anyone else has a ready-made phone database for cold calling, whatever they sell, advertise or offer. Malicious pranksters (or, rather, lawbreakers) could change the password, book a technician visit, or disconnect the service. And that is just offhand, without much thought. Either way, this situation can be exploited for personal gain or to harm users.

Afterword


Being a decent person, I deleted the database. The code, the executables and the VPN server too. What the reader does with this information is up to the reader; it is on their conscience. In no case do I urge anyone to repeat this experiment or to use the data in any way. Moreover, I urge all providers to treat their customers and their data with full responsibility.

Come on. This provider has half the country as customers, and it uses the contract number as the default password. Set complex passwords by default, put a CAPTCHA on the login form, do elementary brute-force checks, forbid login by contract number from any IP except the client's own: is it really that hard?
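The checks listed above, as an added example that is not the provider's code: a login guard that refuses a password equal to the login (the default credential), locks an address out after repeated failures, allows contract-number login only from the address the contract is served on, and caps how many distinct accounts one address may open per window. The subscriber table, address assignments and thresholds are constructed placeholders. The last check matters because subscribers behind carrier-grade NAT share an address, so the per-address network check alone does not stop someone walking through their neighbours' numbers.

```python
"""Hardened subscriber-portal login checks (added example, hypothetical data)."""
import ipaddress
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed subscriber table: contract number -> password and the address
# the provider has assigned to that contract. Not real data.
SUBSCRIBERS = {
    "100001": {"password": "100001", "addr": "10.20.0.17"},        # never changed
    "100002": {"password": "c0rrect-h0rse", "addr": "10.20.0.18"},
}
# Several subscribers behind one CGNAT address (RFC 6598 range), to show why a
# per-address distinct-account counter is still needed.
SUBSCRIBERS.update({c: {"password": f"pw-{c}", "addr": "100.64.0.5"}
                    for c in ("100003", "100004", "100005", "100006")})

MAX_FAILS_PER_IP = 5       # failed logins per address before lockout
MAX_ACCOUNTS_PER_IP = 3    # distinct accounts one address may open per window
WINDOW = timedelta(minutes=15)


class LoginGuard:
    def __init__(self, subscribers, clock=datetime.now):
        self.subs = subscribers
        self.clock = clock                 # injectable for testing
        self.fails = defaultdict(list)     # ip -> [timestamps of failures]
        self.accounts = defaultdict(dict)  # ip -> {contract: last success ts}

    def _prune(self, ip, now):
        """Forget failures and account opens older than WINDOW."""
        self.fails[ip] = [t for t in self.fails[ip] if now - t <= WINDOW]
        self.accounts[ip] = {c: t for c, t in self.accounts[ip].items()
                             if now - t <= WINDOW}

    def attempt(self, contract, password, source_ip):
        """Return one of: ok, locked, denied, default_password, wrong_network,
        enumeration. Only 'ok' should open a session."""
        now = self.clock()
        ip = str(ipaddress.ip_address(source_ip))  # normalise, reject junk
        self._prune(ip, now)

        # 1. Brute-force lockout: too many failures from this address.
        if len(self.fails[ip]) >= MAX_FAILS_PER_IP:
            return "locked"

        # 2. Credential check. An unknown contract and a wrong password give
        #    the same answer, so the form does not reveal which numbers exist.
        sub = self.subs.get(contract)
        if sub is None or password != sub["password"]:
            self.fails[ip].append(now)
            return "denied"

        # 3. Default credential (login == password): do not open the session;
        #    the caller must force a password change or an SMS-verified login.
        if password == contract:
            return "default_password"

        # 4. Contract-number login only from the address the contract is
        #    served on; from any other network the SMS flow is required.
        if ip != sub["addr"]:
            return "wrong_network"

        # 5. Distinct-account ceiling per address (backstop for shared
        #    addresses such as CGNAT, which step 4 cannot tell apart).
        self.accounts[ip][contract] = now
        if len(self.accounts[ip]) > MAX_ACCOUNTS_PER_IP:
            return "enumeration"
        return "ok"


if __name__ == "__main__":
    guard = LoginGuard(SUBSCRIBERS)
    print(guard.attempt("100001", "100001", "10.20.0.17"))   # default_password
    print(guard.attempt("100002", "c0rrect-h0rse", "10.20.0.18"))  # ok
```

The order of the checks is deliberate: the lockout runs before any database lookup so a locked address costs nothing, and the credential check runs before the default-password check so that a non-existent contract with login == password still gets the generic "denied" rather than a different answer.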

And I recommend that readers check their own personal account and their provider. In any case, do not forget that users must look after the safety of their own personal data themselves, without relying on anyone else.

UPD 03/20/2020
The provider in question has taken measures (at least some). There is still no CAPTCHA, and I did not check logging in from other networks, but I can no longer get in with the default password. The form says the password is not strong enough and offers to log in by phone (confirmation via SMS code).


Well, thanks for that (really thanks, not sarcasm).
