Personal info of 12+ million Dutch mobile phone owners easily accessible to hackers
Sijmen Ruwhof, a freelance IT security consultant and ethical hacker from Utrecht, recently stumbled across what turned out to be an example of how poor security practices of business partners can result in the compromise of a company’s customer data – in this case, the compromise of personal data of basically all Dutch citizens who own a mobile phone.
The players in this drama are Phone House, a Dutch phone retailer that acts as a dealer for all telecom operators in the Netherlands, and Media Markt, a popular and widespread chain of consumer electronics stores from within which Phone House operates.
Ruwhof, who visited a Phone House store in a Media Markt store in Utrecht to get a few questions answered about his phone subscription, discovered that Phone House employees had access to customer data of all Dutch telecoms via dealer portals.
This, in itself, is nothing unusual – to do their job, they have to have access to this data. But practically everything else about how they access it (unsafely) shocked Ruwhof.
“The sales guy starts renewing my Vodafone subscription and therefore needs to log in at a dealer portal from Vodafone. He doesn’t remember the login password, and, here it comes, on the screen he opens an Excel file which contains *all* their passwords,” he noted.
“Curiously and intensively I looked on the screen to get a picture of the treasure trove that was in front of me. Passwords to view and modify customer data of KPN, Vodafone, Telfort, T-Mobile, UPC, Tele2 and other companies were right in front of me.”
Not only that, but this Excel password database was stored on Google Docs, and the login details for the company’s Google Account were also visible to him.
Ruwhof also noticed that the sales guy did nothing to hide the screen and its contents from him or from the other Media Markt and Phone House customers who were milling around the store. In fact, when the sales guy moved away from the computer for a few minutes, he neither closed the file nor locked the computer.
The same unsafe modus operandi was repeated a few weeks later by another Phone House employee, leading Ruwhof to conclude that the problem was in the “fundamental lack of security and privacy awareness within Phone House and Media Markt.”
A review of the passwords used to access the telecoms’ customer databases also revealed predictable, easily brute-forced passwords that appear to be seldom changed, and in some cases seemingly never.
The fact that many of the telecoms’ dealer portals are reachable over the Internet and easily found via a Google search increases the risk to the stored data manyfold.
Other poor security practices and habits he unearthed included Phone House employees storing passwords in browsers and leaving the password file open (occasionally minimized) on unlocked computers. These computers also have easy-to-reach USB ports – a fact that attackers can take advantage of to gain remote access by simply plugging in a USB drive containing malware.
These and other iffy practices – detailed in this extensive blog post – have spurred Ruwhof to notify executives from Phone House, Media Markt, and various Dutch telecoms about the problematic practices and behaviors he discovered.
Telecom providers were most grateful for the heads-up, and changed how passwords can be chosen and changed on their dealer portals.
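The two credential weaknesses the article names – predictable, easily brute-forced passwords and passwords that are seldom or never rotated – are exactly what a dealer-portal password policy has to reject. The following is an added illustration of such a policy check, not code from Phone House, Media Markt or any of the telecoms; the forbidden-word list, the length, entropy and rotation thresholds, the audit date and the sample credentials are all constructed for the example.

```python
"""Dealer-portal password policy check (added example; not code from any
company named in the article).  It models the weaknesses described: passwords
built from predictable words, years or sequences, and passwords that are never
rotated.  All thresholds and sample data below are constructed assumptions."""
from __future__ import annotations
from datetime import date
import math
import re

# Constructed list of words a dealer-portal password should never be built from.
# A real deployment would additionally screen against a breached-password corpus.
FORBIDDEN_WORDS = {"phonehouse", "mediamarkt", "vodafone", "kpn", "telfort",
                   "tmobile", "tele2", "upc", "dealer", "portal", "welkom", "wachtwoord"}
MIN_LENGTH = 14          # assumed policy value
MIN_ENTROPY_BITS = 60    # assumed policy value
MAX_AGE_DAYS = 90        # assumed policy value
AUDIT_DATE = date(2015, 10, 1)  # constructed "today" for the sample audit

# Constructed sample accounts; these are not real dealer-portal credentials.
SAMPLE_CREDENTIALS = [
    ("vodafone-dealer", "Vodafone2013!", date(2013, 1, 15)),
    ("kpn-dealer", "welkom1234", date(2012, 6, 1)),
    ("tmobile-dealer", "Rb7#qLz2!Mw9@xTe", date(2015, 9, 1)),
]


def estimated_entropy_bits(pw: str) -> float:
    """Crude charset-based entropy estimate: an upper bound on brute-force cost."""
    pool = 0
    if re.search(r"[a-z]", pw):
        pool += 26
    if re.search(r"[A-Z]", pw):
        pool += 26
    if re.search(r"[0-9]", pw):
        pool += 10
    if re.search(r"[^a-zA-Z0-9]", pw):
        pool += 33
    return len(pw) * math.log2(pool) if pool else 0.0


def _has_sequence(s: str, run: int = 4) -> bool:
    """True if s contains `run` consecutive ascending, descending or repeated
    characters (abcd, 4321, aaaa)."""
    for i in range(len(s) - run + 1):
        window = s[i:i + run]
        diffs = {ord(b) - ord(a) for a, b in zip(window, window[1:])}
        if diffs in ({1}, {-1}, {0}):
            return True
    return False


def check_password(pw: str, last_changed: date, today: date) -> list[str]:
    """Return the list of policy violations; an empty list means acceptable."""
    problems: list[str] = []
    lower = pw.lower()
    if len(pw) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    if any(word in lower for word in FORBIDDEN_WORDS):
        problems.append("contains a company/operator name or common Dutch word")
    if _has_sequence(lower):
        problems.append("contains a sequential or repeated run (e.g. 1234, aaaa)")
    if re.search(r"(19|20)\d{2}", pw):
        problems.append("contains a year")
    if estimated_entropy_bits(pw) < MIN_ENTROPY_BITS:
        problems.append(f"estimated entropy below {MIN_ENTROPY_BITS} bits")
    age_days = (today - last_changed).days
    if age_days > MAX_AGE_DAYS:
        problems.append(f"not rotated for {age_days} days (limit {MAX_AGE_DAYS})")
    return problems


def audit(today: date = AUDIT_DATE) -> dict[str, list[str]]:
    """Run the policy over every sample account and map account -> violations."""
    return {account: check_password(pw, changed, today)
            for account, pw, changed in SAMPLE_CREDENTIALS}


if __name__ == "__main__":
    for account, problems in audit().items():
        status = "OK" if not problems else "; ".join(problems)
        print(f"{account}: {status}")
```

Running the block prints one line per sample account; only the long random password with a recent change date passes, while the operator-name-plus-year and `welkom1234` style passwords fail on several rules at once. Enforcing the rotation limit server-side on the portal (rather than trusting dealers to remember) is the part that addresses the "seldom changed, in some cases never" finding.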
After initially being mistaken for an ill-intentioned hacker and threatened with a lawsuit by Media Markt, Ruwhof ultimately did get Media Markt and Phone House to listen to him and change the way they do things.
These changes include switching to a secure password-storage product for the telecoms’ dealer-portal passwords, and fitting privacy screens to the monitors of company computers so that random customers cannot see what is open on them. It remains to be hoped that the employees will also be instructed in safe password practices.
“I hope this story is a wake-up call for everyone who works with computers and handles personal data of others,” says Ruwhof, adding that it wouldn’t have taken sophisticated computer skills to take advantage of the poor security practices he encountered in this particular case.