Social engineering is a threat not to be underestimated

Dec 8, 2015 09:46 GMT  ·  By

Security researcher Sijmen Ruwhof has published details about the many insecure policies used by Media Markt, a Dutch electronics store, and Dutch telecom operators.

According to a social engineering experiment he ended up carrying out unintentionally, he concludes that the details of every Dutch citizen who has ever owned a phone were easily accessible, due to badly trained employees and weak password policies.

It all started when Mr. Ruwhof went to buy a new phone from a Media Markt store, and more precisely from Phone House, the biggest independent Dutch phone retail company, operating a store-in-store booth inside Media Markt locations.

How 21st century: passwords taped on screens

While talking to the employee, Mr. Ruwhof noticed many things that, if put together, would allow hackers easy access to extremely sensitive customer data.

For starters, employees had passwords written on post-its that were attached to their screens. He then noticed that employees never locked the computer when leaving their stations, and were also using an Excel file hosted on Google Docs where various passwords were recorded. All these passwords were for administration portals for various telecom providers.

Since employees often left their desks without locking their computers, Mr. Ruwhof had no difficulty taking pictures or recording a video of the screen.

The infamous Excel passwords file

With the passwords recorded on his phone, he tried to see whether he could log into these portals, or even find them online. His task was made easier when he found a website hosted on Google Sites where another Phone House employee, from the city of Joure, had created a link directory listing every telecom administration backend on a single page.

Dutch telecom providers aren't innocent either

Mr. Ruwhof verified each portal and found that 12 out of the 18 administration pages for these services were freely accessible via the Internet, with no restriction such as IP filtering in place.

Even worse, the passwords for accessing these portals were downright ridiculous, with choices such as: 12345678, m (just the lowercase letter M), Utrecht12345, Utretcht (Utrecht is the city where the store is located), Welcom03 (Welkom is Dutch for "welcome" and a standard default string for most intranet passwords), and beginnen01 (beginnen is Dutch for "start," used in intranet passwords much like "welcome").

While users will always try to choose simple passwords, the telcos obviously didn't enforce strong password rules in most cases, and never bothered to force password changes at regular intervals.
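Not part of the article, as an added illustration of the kind of policy the telcos should have enforced: a Python check that rejects every password shape the article lists (sequential digits, a single letter, city name plus digits, default greeting plus counter) while accepting a long mixed passphrase. The company names in CONTEXT_WORDS and the passing passphrase are assumptions made for this example.

```python
import re

# Stems of the default "greeting plus counter" passwords the article describes
# ("Welkom", "beginnen"); a real deployment would extend this list.
DEFAULT_STEMS = ("welkom", "welcom", "welcome", "beginnen", "password", "wachtwoord")
# Words anyone standing at the booth could guess: "Utrecht" is the store city the
# article names; the company names are assumed entries for this example.
CONTEXT_WORDS = ("utrecht", "phonehouse", "mediamarkt")
MIN_LENGTH = 12
SEQUENCE = "0123456789abcdefghijklmnopqrstuvwxyz"

def password_problems(pw: str) -> list[str]:
    """Return every policy violation for pw; an empty list means it is accepted."""
    problems = []
    low = pw.lower()
    if len(pw) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    if pw.isdigit():
        problems.append("digits only")
    # four or more consecutive characters of 0-9 or a-z, e.g. 12345678
    if any(low[i:i + 4] in SEQUENCE for i in range(len(low) - 3)):
        problems.append("contains a sequential run")
    if re.fullmatch(rf"({'|'.join(DEFAULT_STEMS)})\d{{0,4}}", low):
        problems.append("default greeting with a counter")
    if any(word in low for word in CONTEXT_WORDS):
        problems.append("contains a store or company word")
    # one dictionary-style word with at most five digits appended, e.g. Utrecht12345
    if re.fullmatch(r"[A-Za-z]+\d{0,5}", pw):
        problems.append("single word with a short numeric suffix")
    classes = sum(bool(re.search(p, pw)) for p in (r"[a-z]", r"[A-Z]", r"\d", r"[^A-Za-z\d]"))
    if classes < 3:
        problems.append("fewer than 3 character classes")
    return problems

def audit(passwords: list[str]) -> dict[str, list[str]]:
    """Map each candidate password to its list of violations."""
    return {pw: password_problems(pw) for pw in passwords}

if __name__ == "__main__":
    # the passwords the article reports, plus one constructed passphrase that passes
    for pw, problems in audit(["12345678", "m", "Utrecht12345", "Utretcht",
                               "Welcom03", "beginnen01", "Tulip!Kettle7Meadow"]).items():
        print(f"{pw:22} {'OK' if not problems else '; '.join(problems)}")
```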

Additionally, the usernames were as insecure as the passwords: Mr. Ruwhof observed that these were generic accounts shared by multiple employees at once, not tied to any named individual. This means the telecom providers had no way of knowing which Phone House employee changed what in their databases.

Public disclosure, lawsuit threat, and slow changes

Categorizing himself as a white hat hacker, Mr. Ruwhof contacted all the parties involved, but things did not go as initially planned, with Media Markt threatening to sue him at first, while Phone House failed to respond in any way.

On the other hand, the telecom providers did cooperate, and many changed the password policies for their portals, limited access by IP, and started enforcing password changes and stronger rules. Unfortunately, beyond that good will, fixing their own portals was the only thing the telcos could do in this situation.

Media Markt also decided not to pursue the foolish lawsuit and eventually changed its employee protocols and sales stands to prevent passwords from being easily captured off screens. Sadly, as usual in these cases, the security of any Web application also depends on the safe habits its users form over time.

To nobody's surprise, when Mr. Ruwhof revisited the Phone House store a few weeks later, despite the improved procedures, some employees still used the same Excel file and the awful 12345678 password for some of their accounts.

The Google Sites website with links to telecom administration portal backends
