
Eircom storing passwords in the clear


Comments

  • Registered Users Posts: 20,299 ✭✭✭✭MadsL


    I just want to iterate that there is a Data Protection aspect to this, in that eircom are obliged to keep personal data secure. And in fairness to them they do, as both data centres are ISO 27001 certified.

    However, customer care and marketing are often departments where security is downgraded in favour of convenience.

    A security audit by someone who knows what they are doing should highlight these issues; alternatively, eircom could extend the scope of their ISO 27001 certification to cover customer services.


  • Closed Accounts Posts: 1,455 ✭✭✭RUCKING FETARD




  • Registered Users Posts: 1,726 ✭✭✭gerryk


    Hi gerryk,

    I see the lads had responded to your Tweet earlier. Just to put the latest info here for others, our online security team are constantly working on aspects of security. I hope you can understand that due to the nature of this as a security issue there is not a lot that we can post publicly.
    Regards

    James

    Hi James... any news on this?


  • Closed Accounts Posts: 2,226 ✭✭✭eircom: Tony


    gerryk wrote: »
    Two weeks and counting, guys.


    Hi gerryk
    I appreciate your patience in this. At the moment we have no further information to that posted by us earlier. Our security and operations teams are aware of this issue and all issues related to security. For the most part companies would be unlikely to publish their approach to security, however we hope to be able to get appropriate statement to at least answer your own and others concerns.
    We have brought all the points and cases mentioned in your posts to the attention of all responsible for security and have been advised that systems and procedures are in place to deal with these.
    While I think it is unlikely that we will be able to disclose these procedures (due to security reasons), we hope to have more info on this.
    Tony


  • Registered Users Posts: 1,726 ✭✭✭gerryk


    Hi Tony... thanks for the reply, albeit somewhat delayed. Procedures can be circumvented. I thought that was clear. As long as there is a human component, there is a clear vector for exploit. Sure, there are technical vulnerabilities too, but the whole idea is to lessen your attack surface.
    I am pretty upset at your (Eircom's) unwillingness to accept that you have done the wrong thing while communicating assurances to rectify that. Instead, this is an obvious 'ignore it and it will go away' tactic. Sure, I may go away, from sheer frustration at not being taken seriously, but others won't, and this thing has every potential to backfire spectacularly for you. I mean, come on... your company is hugely in debt, and the only way that can be managed is through investment. Investment requires a modicum of confidence in your return, and I, were I a potential investor, would find this behaviour a good reason to spend my money elsewhere.
    I don't expect anything further from you... I understand that personally, your hands are tied, but find the arrogance of your company in this matter, shocking, but, I suppose, not all that surprising.


  • Closed Accounts Posts: 2,226 ✭✭✭eircom: Tony


    gerryk wrote: »
    Hi Tony... thanks for the reply, albeit somewhat delayed. Procedures can be circumvented. I thought that was clear. As long as there is a human component, there is a clear vector for exploit. Sure, there are technical vulnerabilities too, but the whole idea is to lessen your attack surface.
    I am pretty upset at your (Eircom's) unwillingness to accept that you have done the wrong thing while communicating assurances to rectify that. Instead, this is an obvious 'ignore it and it will go away' tactic. Sure, I may go away, from sheer frustration at not being taken seriously, but others won't, and this thing has every potential to backfire spectacularly for you. I mean, come on... your company is hugely in debt, and the only way that can be managed is through investment. Investment requires a modicum of confidence in your return, and I, were I a potential investor, would find this behaviour a good reason to spend my money elsewhere.
    I don't expect anything further from you... I understand that personally, your hands are tied, but find the arrogance of your company in this matter, shocking, but, I suppose, not all that surprising.

    Hi gerryk
    Thanks and I do understand that it is taking time and that you can hardly be expected to wait indefinitely for a response to the points raised. Really I cannot add more to posts earlier from Ant or James. The reality is that companies are cautious in issuing operational information and even more so when that information revolves around company security. I can assure you though that all relevant sections are aware of this issue and that the issue is definitely not being ignored.
    As pointed out by MadsL our data centres are security certified and security audits carried out to protect this. Due to the number of recent data security breaches worldwide these audits have become an even more important element of good business practices
    As stated by MadsL, ‘eircom are obliged to keep personal data secure’, and I can assure you this is of the highest priority for the company.
    I still hope to be able to provide further information or statement on this issue for you and others concerned.

    Tony


  • Registered Users Posts: 20,299 ✭✭✭✭MadsL


    Hi gerryk
    Thanks and I do understand that it is taking time and that you can hardly be expected to wait indefinitely for a response to the points raised. Really I cannot add more to posts earlier from Ant or James. The reality is that companies are cautious in issuing operational information and even more so when that information revolves around company security. I can assure you though that all relevant sections are aware of this issue and that the issue is definitely not being ignored.
    As pointed out by MadsL our data centres are security certified and security audits carried out to protect this. Due to the number of recent data security breaches worldwide these audits have become an even more important element of good business practices
    As stated by MadsL, ‘eircom are obliged to keep personal data secure’, and I can assure you this is of the highest priority for the company.

    I still hope to be able to provide further information or statement on this issue for you and others concerned.

    Tony

    Can I also point out that as far as I am aware your ISO 27001 certification does not cover your customer services operations - merely your data centres at Clonshaugh and Citywest.

    No-one is asking for operational information, just a publicly issued statement and assurance that eircom no longer store passwords in the clear.

    Now that can be done voluntarily or under investigation by the DPC. Eircom's choice. If that sounds like a threat, it isn't - it is merely the consequence of eircom failing to provide that assurance.


  • Registered Users Posts: 1,297 ✭✭✭N64


    In fairness if you cared about security, would you really use eircon.net in the first place?


  • Registered Users Posts: 138 ✭✭MagicRon


    Are call centre agents still able to see user's passwords?


  • Registered Users Posts: 1,726 ✭✭✭gerryk


    Hi guys... any updates?
    Should I be talking to the DP commissioner instead of waiting for a reply from your security team.

    With regard to your comment that companies would not disclose their security policies, many companies, for instance Lastpass, are so proud of 'doing the right thing' that they actively publicise their password storage policies. May I draw your attention to the following links?

    https://lastpass.com/support.php?cmd=showfaq&id=1096
    https://lastpass.com/support.php?cmd=showfaq&id=111635


  • Registered Users Posts: 20,299 ✭✭✭✭MadsL


    Gerry, I think you have a better shot with the DP. In fact I would urge you to make a complaint anyway as eircom's 'ignore it and it will go away' attitude is shocking.

    DP legislation obliges companies to keep personal information secure.
    Protection of Privacy of Individuals with regard to Personal Data

    2. Collection, processing, keeping, use and disclosure of personal data.
    2.-(1) A data controller shall, as respects personal data kept by him or her, comply with the following provisions:
    (d) appropriate security measures shall be taken against unauthorised access to, or unauthorised alteration, disclosure or destruction of, the data, in particular where the processing involves the transmission of data over a network, and against all other unlawful forms of processing.

    http://www.dataprotection.ie/viewdoc.asp?DocID=796#2C


  • Closed Accounts Posts: 2,226 ✭✭✭eircom: Tony


    MadsL wrote: »
    Gerry, I think you have a better shot with the DP. In fact I would urge you to make a complaint anyway as eircom's 'ignore it and it will go away' attitude is shocking.

    DP legislation obliges companies to keep personal information secure.



    http://www.dataprotection.ie/viewdoc.asp?DocID=796#2C

    Hi guys

    Without trying to sound smart-assed, large companies are careful about posting sensitive information without a full investigation into how this will affect the company. To be honest it makes no sense to confirm a company’s security policy on a public forum either way. However you can see from our previous post that we are not ignoring this issue. As we posted previously we have passed on your concerns to the correct channels and they are aware of the query. Given that this is a security issue I would expect that before any response was made available (one which would not impact security) a full investigation and signoff would be necessary.

    I can assure you that designated call centre agents are trained and mandated to authenticate every customer before any account information is divulged.
    We are only too happy to post any information available to us and are more than happy for you to take the query up with the DP.


    Tony and James



  • Registered Users Posts: 20,299 ✭✭✭✭MadsL


    Hi guys

    Without trying to sound smart-assed, large companies are careful about posting sensitive information without a full investigation into how this will affect the company. To be honest it makes no sense to confirm a company’s security policy on a public forum either way. However you can see from our previous post that we are not ignoring this issue. As we posted previously we have passed on your concerns to the correct channels and they are aware of the query. Given that this is a security issue I would expect that before any response was made available (one which would not impact security) a full investigation and signoff would be necessary.

    I can assure you that designated call centre agents are trained and mandated to authenticate every customer before any account information is divulged.
    We are only too happy to post any information available to us and are more than happy for you to take the query up with the DP.


    Tony and James


    Thanks for the response. Could you let us know what progress has been made in three months on the issue and when a statement is expected. What stage is the investigation at?

    Also who authenticates the call centre agents? Can they access information without the customer on the line?


  • Closed Accounts Posts: 2,226 ✭✭✭eircom: Tony


    MadsL wrote: »
    Thanks for the response. Could you let us know what progress has been made in three months on the issue and when a statement is expected. What stage is the investigation at?

    Also who authenticates the call centre agents? Can they access information without the customer on the line?


    Hi Madsl
    No problem. We do not have an update on this and will have no further information until the full investigation has been concluded.
    Regarding the second request, this information would not be made available publicly as this falls under operational procedures.
    Tony


  • Registered Users Posts: 20,299 ✭✭✭✭MadsL


    Hi Madsl
    No problem. We do not have an update on this and will have no further information until the full investigation has been concluded.

    Not even a timescale?
    Regarding the second request, this information would not be made available publicly as this falls under operational procedures.
    Tony

    Does it form part of the investigation?


  • Closed Accounts Posts: 2,226 ✭✭✭eircom: Tony


    MadsL wrote: »
    Not even a timescale?



    Does it form part of the investigation?



    If they have one, they haven't advised me MadsL :( ....big companies take these things very seriously and in my experience take time to complete investigations like this. The mods here regularly chase the issue so when a response is available we will know pretty quickly.
    Tony


  • Registered Users Posts: 20,299 ✭✭✭✭MadsL


    If they have one, they haven't advised me MadsL :( ....big companies take these things very seriously and in my experience take time to complete investigations like this. The mods here regularly chase the issue so when a response is available we will know pretty quickly.
    Tony

    Thanks Tony.

    Still no word on VAT eh?

    (think you should send a link to these two threads to your marketing department, this isn't playing all that well with your customers)


  • Closed Accounts Posts: 2,226 ✭✭✭eircom: Tony


    MadsL wrote: »
    Thanks Tony.

    Still no word on VAT eh?

    (think you should send a link to these two threads to your marketing department, this isn't playing all that well with your customers)

    Believe me, when we pick up these issues we let everyone know... ;)


  • Closed Accounts Posts: 2,226 ✭✭✭eircom: Tony


    MadsL wrote: »
    Thanks Tony.

    Still no word on VAT eh?

    (think you should send a link to these two threads to your marketing department, this isn't playing all that well with your customers)

    Hi MadsL

    We will post any info on that subject here.... on our special Vat thread..
    Have to keep things nice and neat.:D
    Tony


  • Banned (with Prison Access) Posts: 448 ✭✭tunedout


    Hi gerryk
    For the most part companies would be unlikely to publish their approach to security, however we hope to be able to get appropriate statement to at least answer your own and others concerns.

    I have 2 email accounts with eircom. And use a similar password with eircom as what I do with some of my other accounts online. It is very worrying for me if passwords can be seen openly by eircom staff.

    Can you at least assure your customers that the passwords are now safer than what they were when you were asked 3 months ago?

    You don't need to 'publish your approach to security' to reassure your customers of this much.


  • Closed Accounts Posts: 2,226 ✭✭✭eircom: Tony


    tunedout wrote: »
    I have 2 email accounts with eircom. And use a similar password with eircom as what I do with some of my other accounts online. It is very worrying for me if passwords can be seen openly by eircom staff.

    Can you at least assure your customers that the passwords are now safer than what they were when you were asked 3 months ago?

    You don't need to 'publish your approach to security' to reassure your customers of this much.

    Yes tunedout
    I can certainly assure you that a full review of security procedures and controls was undertaken almost immediately as a result of comments posted here. I should also point out that, due to the constantly changing nature of issues affecting online security, investigations of this nature are undertaken on a regular basis.
    Hope this answers your post.
    Tony


  • Closed Accounts Posts: 1,455 ✭✭✭RUCKING FETARD


    5 min phonecall and you'll soon find out if anything changed.


  • Registered Users Posts: 138 ✭✭MagicRon


    If they have one, they haven't advised me

    You're some bunch of cowboys.


  • Closed Accounts Posts: 2,226 ✭✭✭eircom: Tony


    MagicRon wrote: »
    You're some bunch of cowboys.

    It is easy to quote and post out of context MagicRon, however this is not constructive, please see the whole communication between myself and MadsL.
    Tony


  • Registered Users Posts: 138 ✭✭MagicRon


    I've read the whole thread. It's a joke how little you're doing about this. Clearly don't care!


  • Banned (with Prison Access) Posts: 448 ✭✭tunedout


    Yes tunedout
    I can certainly assure you that a full review of security procedures and controls was undertaken almost immediately as a result of comments posted here. I should also point out that, due to the constantly changing nature of issues affecting online security, investigations of this nature are undertaken on a regular basis.
    Hope this answers your post.
    Tony

    Thanks Tony. Good to know.


  • Registered Users Posts: 1,726 ✭✭✭gerryk


    Hi Tony et al... 6 weeks on from the last comment from you. Anything from your security review yet?


  • Registered Users Posts: 1,726 ✭✭✭gerryk


    tunedout wrote: »
    I have 2 email accounts with eircom. And use a similar password with eircom as what I do with some of my other accounts online.

    This is extremely poor practice regardless of how eircom handle password storage. You could get a keylogger, or another site you use might store passwords in plaintext, or weakly hashed, and be compromised.

    I recommend to you, and everyone, to use a password manager, and to use passwords of 10 characters or more, alphanumeric and punctuation.

    Lastpass is probably the best out there. It has plugins for all the major browsers on Windows, OS X and Linux. It also has plugins for Dolphin on Android, and fully featured browser apps for iOS and Android (and possibly Windows RT/8)

    Basically, you remember one very secure password, and Lastpass does the rest. It stores your passwords on their servers, but fully encrypted, using multipass AES-256. The decryption only happens on your computer. It is free, but if you pay for the premium service ($1/month) you get offline backup, Yubikey integration and all the mobile apps. It also has full two-factor authentication for free, using Google Auth.

    TBH, anyone that reads this and doesn't at least consider it is really not taking online security as seriously as they should.

    While you're at it, enable two factor auth on Google, and Dropbox, and everything else you can. It's a bit of an inconvenience, but worth it for added security.
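Added illustration, not part of the thread and not eircom's code: the difference between the "in the clear" storage this thread is about and a salted, iterated hash. The plaintext record is the password, so anyone who can read the table (an agent screen, a backup, a breach) learns it and, as gerryk notes, can reuse it on every other site where the customer used the same one. The hashed record lets the service verify a login attempt but reveals nothing to a reader. The algorithm, iteration count, user names and passwords below are constructed choices for this example.

```python
import hashlib
import hmac
import os
from typing import Dict, Optional

# Work factor for PBKDF2-HMAC-SHA256 (constructed choice for this example).
ITERATIONS = 600_000


def store_plaintext(username: str, password: str) -> Dict[str, str]:
    """The 'in the clear' design the thread complains about: the stored
    record *is* the secret, so anyone who can read it knows the password."""
    return {"username": username, "password": password}


def store_hashed(username: str, password: str,
                 salt: Optional[bytes] = None) -> Dict[str, str]:
    """Salted, iterated hash: the record lets the service check a login
    attempt but does not let a reader recover the password."""
    if salt is None:
        salt = os.urandom(16)  # fresh random salt per record
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                                 salt, ITERATIONS)
    return {
        "username": username,
        "algorithm": "pbkdf2_sha256",
        "iterations": str(ITERATIONS),
        "salt": salt.hex(),
        "hash": digest.hex(),
    }


def verify_hashed(record: Dict[str, str], attempt: str) -> bool:
    """Recompute the hash for the attempt with the stored salt and
    iteration count, then compare in constant time."""
    candidate = hashlib.pbkdf2_hmac(
        "sha256", attempt.encode("utf-8"),
        bytes.fromhex(record["salt"]), int(record["iterations"]))
    return hmac.compare_digest(candidate, bytes.fromhex(record["hash"]))


def record_exposes_password(record: Dict[str, str], password: str) -> bool:
    """What a staff member or anyone else with read access would see:
    does the stored record contain the password itself?"""
    return password in record.values()


if __name__ == "__main__":
    pw = "correct horse battery"  # constructed sample password
    clear = store_plaintext("alice", pw)
    hashed = store_hashed("alice", pw)
    print("plaintext record exposes password:", record_exposes_password(clear, pw))
    print("hashed record exposes password:   ", record_exposes_password(hashed, pw))
    print("login with right password:", verify_hashed(hashed, pw))
    print("login with wrong password:", verify_hashed(hashed, "wrong"))
```

Because each record gets its own random salt, two customers with the same password get different hashes, and the stored record is useless to anyone who only needs to "see" the password, which is the assurance the thread keeps asking for. A call centre workflow built on this design can only verify a password the customer reads out, never display it.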


  • Closed Accounts Posts: 2,226 ✭✭✭eircom: Tony


    gerryk wrote: »
    Hi Tony et al... 6 weeks on from the last comment from you. Anything from your security review yet?


    Hi gerryk
    I should have some feedback on this soon.
    Tony


  • Banned (with Prison Access) Posts: 448 ✭✭tunedout


    gerryk wrote: »
    This is extremely poor practice regardless of how eircom handle password storage. You could get a keylogger, or another site you use might store passwords in plaintext, or weakly hashed, and be compromised.

    I recommend to you, and everyone, to use a password manager, and to use passwords of 10 characters or more, alphanumeric and punctuation.

    Lastpass is probably the best out there. It has plugins for all the major browsers on Windows, OS X and Linux. It also has plugins for Dolphin on Android, and fully featured browser apps for iOS and Android (and possibly Windows RT/8)

    Basically, you remember one very secure password, and Lastpass does the rest. It stores your passwords on their servers, but fully encrypted, using multipass AES-256. The decryption only happens on your computer. It is free, but if you pay for the premium service ($1/month) you get offline backup, Yubikey integration and all the mobile apps. It also has full two-factor authentication for free, using Google Auth.

    TBH, anyone that reads this and doesn't at least consider it is really not taking online security as seriously as they should.

    While you're at it, enable two factor auth on Google, and Dropbox, and everything else you can. It's a bit of an inconvenience, but worth it for added security.

    Hi Gerry, what does the backup do? Does it mean if I don't have the backup I could lose all my passwords?

