eMobile security breach

birchtree

I have posted the following posts on e-mobile thread, and they got kinda waved by - am I raging about nothing, or is it a security breach that needs to be investigated?

I have sent in this via eMobile contact form:

1. I have rang and changed my home address, and the 2 months later the bill still comes in to the old address. I was bouncing around automated service and kept on hold for 15mins on hold before I got to talk to someone, so I'm not calling customer service again. There is no option to change address online, which would take 2 minutes.
2. To submit this form, I have to submit my phone PIN number, which is not even hashed. Both my phone number and the PIN are on the same form, which is very poor from security point of view.

And then you get: "You will be contacted within 2 working days." Hoping that there is someone out there on the other end reading that query, and that someone will come back in the darn 2 days!

Quote:
Originally Posted by eMobile: Tony
Hi birchtree,

If you PM your mobile number, pin and new address I can update it for you here.

Tony

Thanks Tony, I hope changes will not revert back again.
By the way, I have just received ridiculous email from emobile customer support:

Dear Customer,

Thank you for your email.

To protect the privacy of your account and comply with Data Protection legislation, can you please reply to this e-mail with the following information:

·Your full name
·The 12 digit number on the back of the sim

Once we have received and verified the above, I can then access your account and assist you with your query.

Should you have any concerns regarding providing such information by e-mail, you may also verify your account by contacting our customer care team or by letter to our registered address: 1 Heuston South quarter, St Johns Road Dublin 8.


So I have options to send more sensitive information over http, or send a treeware snail-mail!

My phone number and PIN number were included in the response email, all that is needed to logon to emobile.ie - hey everyone, why don't you check out my personal details!!! Have you guys heard of security???

Ok, my tone was not exactly polite, but the point is - here are my mobile number and the pin circulating over the web, anyone having those two pieces of information can access my address and birth date. To me that's security issue, can any of the security experts comment on this? Where can this be reported to stop this from happening?

birchtree

Can I at least get an opinion from moderators - am I raging about nothing, or do I have a case?

yoyo

What info do you want? If you feel that eMobile have security problems give them a call explaining them. Plenty of companies do include passwords and login names in emails though, I can't see it being an issue if you keep your email secure

Nick

28064212

If the contact form you used to submit your details is done through https (which I would assume it is), that's as much security as you're likely to need. Having the phone number and PIN on the same page is not a security breach.

It is a security issue if the phone number and PIN were emailed in cleartext, can you confirm that they were? That's pretty poor security all right, but they wouldn't be the first. Although given that they already have form in this area, you might have expected them to increase security

birchtree

I have double-checked, and yes, the contact form is https, but then the response that came back by email included all the web form details in plain text...
Is there not a body that should govern security issues, even small-scale ones like this?

28064212 wrote: »

If the contact form you used to submit your details is done through https (which I would assume it is), that's as much security as you're likely to need. Having the phone number and PIN on the same page is not a security breach.

It is a security issue if the phone number and PIN were emailed in cleartext, can you confirm that they were? That's pretty poor security all right, but they wouldn't be the first. Although given that they already have form in this area, you might have expected them to increase security

28064212

birchtree wrote: »

I have double-checked, and yes, the contact form is https, but then the response that came back by email included all the web form details in plain text...
Is there not a body that should govern security issues, even small-scale ones like this?

eMobile themselves would be the first stop. The Data Protection Commissioner would be who to go to if you get no joy. When contacting eMobile, I would make sure you mention that you will be going to the DPC if the matter isn't resolved satisfactorily