Advertisement
If you have a new account but are having problems posting or verifying your account, please email us on hello@boards.ie for help. Thanks :)
Hello all! Please ensure that you are posting a new thread or question in the appropriate forum. The Feedback forum is overwhelmed with questions that are having to be moved elsewhere. If you need help to verify your account contact hello@boards.ie
Hi there,
There is an issue with role permissions that is being worked on at the moment.
If you are having trouble with access or permissions on regional forums please post here to get access: https://www.boards.ie/discussion/2058365403/you-do-not-have-permission-for-that#latest

eMobile security breach

  • 02-07-2012 1:45pm
    #1
    Registered Users, Registered Users 2 Posts: 121 ✭✭


    I have posted the following posts on e-mobile thread, and they got kinda waved by - am I raging about nothing, or is it a security breach that needs to be investigated?
    I have sent in this via eMobile contact form:

    1. I have rang and changed my home address, and the 2 months later the bill still comes in to the old address. I was bouncing around automated service and kept on hold for 15mins on hold before I got to talk to someone, so I'm not calling customer service again. There is no option to change address online, which would take 2 minutes.
    2. To submit this form, I have to submit my phone PIN number, which is not even hashed. Both my phone number and the PIN are on the same form, which is very poor from security point of view.

    And then you get: "You will be contacted within 2 working days." Hoping that there is someone out there on the other end reading that query, and that someone will come back in the darn 2 days!
    Quote:
    Originally Posted by eMobile: Tony viewpost.gif
    Hi birchtree,

    If you PM your mobile number, pin and new address I can update it for you here.

    Tony

    Thanks Tony, I hope changes will not revert back again.
    By the way, I have just received ridiculous email from emobile customer support:

    Dear Customer,

    Thank you for your email.

    To protect the privacy of your account and comply with Data Protection legislation, can you please reply to this e-mail with the following information:

    ·Your full name
    ·The 12 digit number on the back of the sim

    Once we have received and verified the above, I can then access your account and assist you with your query.

    Should you have any concerns regarding providing such information by e-mail, you may also verify your account by contacting our customer care team or by letter to our registered address: 1 Heuston South quarter, St Johns Road Dublin 8.


    So I have options to send more sensitive information over http, or send a treeware snail-mail!

    My phone number and PIN number were included in the response email, all that is needed to logon to emobile.ie - hey everyone, why don't you check out my personal details!!! Have you guys heard of security???

    Ok, my tone was not exactly polite, but the point is - here are my mobile number and the pin circulating over the web, anyone having those two pieces of information can access my address and birth date. To me that's security issue, can any of the security experts comment on this? Where can this be reported to stop this from happening?


Comments

  • Registered Users, Registered Users 2 Posts: 121 ✭✭birchtree


    Can I at least get an opinion from moderators - am I raging about nothing, or do I have a case?


  • Moderators, Technology & Internet Moderators Posts: 11,017 Mod ✭✭✭✭yoyo


    What info do you want? If you feel that eMobile have security problems give them a call explaining them. Plenty of companies do include passwords and login names in emails though, I can't see it being an issue if you keep your email secure

    Nick


  • Registered Users, Registered Users 2 Posts: 10,912 ✭✭✭✭28064212


    If the contact form you used to submit your details is done through https (which I would assume it is), that's as much security as you're likely to need. Having the phone number and PIN on the same page is not a security breach.

    It is a security issue if the phone number and PIN were emailed in cleartext, can you confirm that they were? That's pretty poor security all right, but they wouldn't be the first. Although given that they already have form in this area, you might have expected them to increase security

    Boardsie Enhancement Suite - a browser extension to make using Boards on desktop a better experience (includes full-width display, keyboard shortcuts, dark mode, and more). Now available through your browser's extension store.

    Firefox: https://addons.mozilla.org/addon/boardsie-enhancement-suite/

    Chrome/Edge/Opera: https://chromewebstore.google.com/detail/boardsie-enhancement-suit/bbgnmnfagihoohjkofdnofcfmkpdmmce



  • Registered Users, Registered Users 2 Posts: 121 ✭✭birchtree


    I have double-checked, and yes, the contact form is https, but then the response that came back by email included all the web form details in plain text...
    Is there not a body that should govern security issues, even small-scale ones like this?
    28064212 wrote: »
    If the contact form you used to submit your details is done through https (which I would assume it is), that's as much security as you're likely to need. Having the phone number and PIN on the same page is not a security breach.

    It is a security issue if the phone number and PIN were emailed in cleartext, can you confirm that they were? That's pretty poor security all right, but they wouldn't be the first. Although given that they already have form in this area, you might have expected them to increase security


  • Registered Users, Registered Users 2 Posts: 10,912 ✭✭✭✭28064212


    birchtree wrote: »
    I have double-checked, and yes, the contact form is https, but then the response that came back by email included all the web form details in plain text...
    Is there not a body that should govern security issues, even small-scale ones like this?
    eMobile themselves would be the first stop. The Data Protection Commissioner would be who to go to if you get no joy. When contacting eMobile, I would make sure you mention that you will be going to the DPC if the matter isn't resolved satisfactorily

    Boardsie Enhancement Suite - a browser extension to make using Boards on desktop a better experience (includes full-width display, keyboard shortcuts, dark mode, and more). Now available through your browser's extension store.

    Firefox: https://addons.mozilla.org/addon/boardsie-enhancement-suite/

    Chrome/Edge/Opera: https://chromewebstore.google.com/detail/boardsie-enhancement-suit/bbgnmnfagihoohjkofdnofcfmkpdmmce



  • Advertisement
Advertisement