A government bond site.. sending clear text passwords

A year ago, Tescos (US readers, think Walmart) got in a *lot* of hot water for sending clear, unencrypted passwords by email to customers. When tech security hits mainstream press, you know you have screwed up (or been caught) big time. With the haze of the holiday period disappearing, I plunged into my mailbox and noticed a couple of emails from an Irish agency: the Irish government prize bonds agency.


It was real, from their real address, with my online bond-tracking password in clear text. Let’s put this in some level of perspective. By the end of 2010, the total value of Irish prize bonds was estimated at €1.33 billion, over 1% of the country’s national debt (source). Figuring something was up, I logged in and changed my password, then did a “forgotten password request” to get my new password sent to me, in clear text.

I emailed them querying this woeful security. Some of the response:

I understand that you have received an e-mail containing a Bond Tracker password. I can confirm that this e-mail would have been sent from the Prize Bond website.

In the event you have not requested your password we confirm from time to time this can happen and is usually the result of one of two possible scenarios.

1) A Bond Tracker user in logging on, makes a typing error which may result in the user name being wrong by one digit or letter. (this username will then be the same as yours). The password will then be rejected and the user requests that the forgotten password is e-mailed to them. As they’ve inadvertently logged on as you, the e-mail will be sent to your address.

2) From time to time you can get people who browse various websites and randomly try usernames to try and access details. If one of these people guessed your username, they could request your password. Again the password would only ever be sent to your e-mail address.

In both of these cases your password is only ever sent to your e-mail address. No one else receives it. Both of these scenarios are rare and of the two I would say it’s a case of someone accidentally keying in your username and then requesting the password, which they never receive.

In the event you have requested your password it will be sent directly to your email address which will contain your new password therefore to use when logging onto the Bond Tracker.

My follow-on email, explaining that the basic premise of the security model is terrible and asking whether they understand that, has as yet remained unanswered. For a basic site or free service to do this, it is poor. For a company to do it, terrible. For a multi-billion government agency to do this, it is .. “fascinating”.
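For contrast with the flow the agency describes, here is an added example (not code from this post or from the Prize Bond site) of a reset flow that cannot email a password, because only a salted hash is stored and the email carries a single-use, expiring link. The `AccountStore` class, the `bonds.example` URL, the 15-minute lifetime and the PBKDF2 parameters are assumptions made for illustration.

```python
import hashlib, hmac, os, secrets, time

RESET_TTL = 15 * 60  # seconds a reset link stays valid (assumed policy)

def hash_password(password, salt=None):
    """Return (salt, digest); the password itself is never stored."""
    salt = salt or os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 600_000)
    return salt, digest

class AccountStore:
    """In-memory stand-in for the user table (hypothetical schema)."""
    def __init__(self):
        self.users = {}   # username -> {"email", "salt", "digest"}
        self.resets = {}  # sha256(token) -> (username, expiry)

    def register(self, username, email, password):
        salt, digest = hash_password(password)
        self.users[username] = {"email": email, "salt": salt, "digest": digest}

    def check_password(self, username, password):
        user = self.users.get(username)
        if user is None:
            return False
        _, digest = hash_password(password, user["salt"])
        return hmac.compare_digest(digest, user["digest"])

    def request_reset(self, username, now=None):
        """Build the reset email: a one-time link, never a password."""
        now = time.time() if now is None else now
        user = self.users.get(username)
        if user is None:
            return None  # the web page shows the same message either way
        token = secrets.token_urlsafe(32)
        key = hashlib.sha256(token.encode()).hexdigest()  # store only the hash
        self.resets[key] = (username, now + RESET_TTL)
        link = f"https://bonds.example/reset?token={token}"
        return user["email"], f"Reset link (valid 15 minutes): {link}"

    def complete_reset(self, token, new_password, now=None):
        now = time.time() if now is None else now
        key = hashlib.sha256(token.encode()).hexdigest()
        username, expiry = self.resets.pop(key, (None, 0))  # pop = single use
        if username is None or now > expiry:
            return False
        salt, digest = hash_password(new_password)
        self.users[username].update(salt=salt, digest=digest)
        return True
```

A mistyped or guessed username still triggers an email to the account holder, but it contains nothing reusable once the link expires, and the existing password keeps working untouched.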

8 Comments »

  1. Ben Langhinrichs Said,

    January 6, 2014 @ 9:10 pm

    That is truly appalling. And not terribly likely to change soon, given the nature and pace of government agencies.

  2. Paul Mooney Said,

    January 6, 2014 @ 10:19 pm

    Yup – amazed myself.

  3. Russell Maher Said,

    January 7, 2014 @ 3:41 pm

    Um…we have a LUG in our community that does the same thing. Not good.

  4. Paul Mooney Said,

    January 7, 2014 @ 3:53 pm

    Massive difference though. Not ideal but I understand free services and community sites have limited time/resources.

  5. John Dillon Said,

    January 7, 2014 @ 4:53 pm

    Wow…. not a complete surprise, but still….. wow!

    Have you sent this to Brian Krebs of “Krebs On Security”?

  6. Paul Mooney Said,

    January 7, 2014 @ 7:52 pm

    No. I’m tempted to submit it to
    http://plaintextoffenders.com/about/
    but not sure if I am making matters worse.

  7. Genia Holsing Said,

    January 21, 2014 @ 11:18 am

    Can’t you just sell the story to some newspaper? And offer your “expert quote” on it? :)

  8. Pat Flynn Said,

    January 25, 2014 @ 8:09 am

    I received one of these mails yesterday. I have e-mailed them. Maybe it’s not as rare an occurrence as is claimed?
