In the nefarious world of cybercrime, telecom companies continue being aimed as Vodafone reports the accounts of almost 2000 customers being hacked. Attackers used users data occupied from “an unknown source” and then attempted to breach their security by accessing accounts of 1,827 customers.
In the light of this bold attempt at rupturing the privacy, two hackers have been sentenced to three years in prison by a Czech court. Reportedly, the criminals used the stolen details to purchase 600,000 Czech Koruna worth of gambling services.
As Czech news site idnes.cz (reporting from Czech news site idnes.cz) placed the whole issue into perspective, it was deduced that the criminals used the password ‘1234’and accessed Vodafone customer’s accounts, once the access was acquired, new SIM cards from different branches were ordered and installed in their mobile phones without any further verification as they already had all the details. This consequently led the attackers to charge 30K USD (appx.) for gambling services.
Vodafone: Victims to be held responsible.
Vodafone attempted to sidestep the debate of responsibility that is bound to arise as the mobile phone provider expressed its will in antagonism to the users- they are supposed to pay for these charges as they were the ones using an assailable and weak password. And seemingly, the will has picked up momentum as debt collectors are already knocking at the doors of the users to recover the stolen money.
The narrative on the attacked users side has it that they weren’t at all aware about the passwords being set to ‘1234’ or that there even existed an online marketplace that could be used to buy services. Countering this narrative, Vodafone asserted the possibility of the password being set at default during the purchase of the phone and the user should still have it changed to an unassailable one.
As shown in the picture below, the passwords for the My Vodafone portal comprise of only 4-6 digits. The string in the password blank translates to ‘4 to 6 digit no.’ (Image source: Bleeping Computer)
According to the head of Threat detection Labs (ESET), Jiri Kropac, the passwords requirements still lack strength. He tested it for bleeping computer, it’s because the passwords comprising of 4-6 digits will quickly succumb to the brute force attack in the scenarios where the attacker is resolute enough.
Battling the reputational damage, Vodafone has reported the incident to The National Crime Agency, the Information Commissioner's Office and Ofcom. The mobile phone provider further added, reinstating its priorities - "Our investigation and mitigating actions have meant that only a handful of customers have been subject to any attempts to use this data for fraudulent activity on their Vodafone accounts. No other customers need to be concerned, as the security of our customers' data continues to be one of our highest priorities."
