The agency promised to address the issue and implement additional security measures

Mar 1, 2013 10:38 GMT

While trying to recover a forgotten password, software engineer Alex North discovered that the Australian Taxation Office’s (ATO) Publications Ordering Service (POS) is actually storing customer passwords in plain text.

North noticed that the password recovery emails sent to customers contained the password in clear text, a practice that’s discouraged by many security experts.

After confronting ATO representatives with his findings, he was told that this is “one of the most commonly adopted methods of password recovery process.” The representatives also argued that, even if the emails were intercepted, the information contained in them could not be misused.

However, as North has highlighted, they’re wrong. The email contains all the information necessary for an attacker to breach an account: the username, represented by the recipient’s email address; the password in clear text; and the domain the account is registered on.

So, in addition to storing passwords in plain text, POS – whose site is operated by a third party – is also exposing user accounts via its password recovery process.

“There are easy and secure alternatives to storing plain-text passwords and no excuses for not using them. That my government is so reckless with its taxpayers’ security just leaves me speechless,” North wrote.

ATO representatives told SC Magazine that the agency would force the company in charge of the POS website to address the issue and implement additional security measures.

The agency also emphasized that tax and financial information are stored on a separate system.

However, considering that a large number of individuals use the same password to protect all of their accounts, gaining access to a clear text password is more than enough for cybercriminals.

Moreover, as we’ve seen in the ABC breach, even passwords stored in hashed (“encrypted”) form can be cracked quickly if a weak algorithm is used.
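As an added illustration of the secure alternatives the article refers to (example code written for this page, not ATO or POS code): store a salted, slow PBKDF2 hash instead of the password, and have the recovery email carry a short-lived, one-time reset token rather than the password itself. The domain pos.example, the work factor and the token lifetime are assumptions.

```python
# Added example (not ATO/POS code): salted slow hash for storage, token-based reset.
import hashlib
import hmac
import os
import secrets
import time
from typing import Optional, Tuple

ITERATIONS = 600_000  # PBKDF2-HMAC-SHA256 work factor; assumption, tune for your hardware


def hash_password(password: str, salt: Optional[bytes] = None) -> str:
    """Return a self-describing record: algorithm$iterations$salt_hex$digest_hex.
    A fresh random salt means two users with the same password get different records."""
    salt = salt or os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return f"pbkdf2_sha256${ITERATIONS}${salt.hex()}${digest.hex()}"


def verify_password(password: str, record: str) -> bool:
    """Recompute the digest with the stored salt and compare in constant time."""
    algo, iters, salt_hex, digest_hex = record.split("$")
    if algo != "pbkdf2_sha256":
        return False
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), bytes.fromhex(salt_hex), int(iters))
    return hmac.compare_digest(digest, bytes.fromhex(digest_hex))


def issue_reset_token(ttl_seconds: int = 900, now: Optional[float] = None) -> Tuple[str, str, float]:
    """Create a one-time reset token. The plain token goes in the email; only its
    SHA-256 and expiry are stored, so a database leak yields no usable tokens."""
    now = time.time() if now is None else now
    token = secrets.token_urlsafe(32)
    return token, hashlib.sha256(token.encode()).hexdigest(), now + ttl_seconds


def redeem_reset_token(presented: str, stored_hash: str, expires_at: float,
                       now: Optional[float] = None) -> bool:
    """Accept the token only before expiry; the caller must delete it after one use."""
    now = time.time() if now is None else now
    if now > expires_at:
        return False
    return hmac.compare_digest(hashlib.sha256(presented.encode()).hexdigest(), stored_hash)


def reset_email_body(token: str) -> str:
    """What the recovery email carries: a link with the token, never the password.
    pos.example is a placeholder domain."""
    return (f"To choose a new password, open: https://pos.example/reset?token={token}\n"
            f"This link expires in 15 minutes and can be used once.")
```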