We store your passwords in plain-text, but don’t worry, our security is amazingly good!


What a dumpster-fire last Friday was for T-Mobile Austria.
For anyone unaware of what went down, have a look at this Twitter feed: http://archive.is/6566W
Now, I am not out to bash T-Mobile or the social media manager(s) that have been involved, but there are a few lessons to be learned from this.
T-Mobile’s representatives were trying to answer a question about plaintext storage of customer passwords, asked on Twitter. The following two statements from T-Mobile’s representatives are, by definition, mutually exclusive:
T-Mobile: We store the whole password, because you need it for the login for mein.t-mobile.at
(for anyone who hasn’t read the whole Twitter thread, what the T-Mobile person meant was that they store the whole password in clear-text)
T-Mobile: What if this doesn’t happen because our security is amazingly good?
(T-Mobile’s reply to the question of whether this would not be a problem if they get breached and attackers could read all passwords without any additional password cracking)
For non-technical people reading this: There is not a single valid use case for storing passwords in clear text. Cryptographic mechanisms to protect passwords have been best practice for decades, and customer support agents (and everybody else) should never be able to read your password in plain text.
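The claim that the whole password has to be stored for the login to work does not hold. The sketch below is an added example, not T-Mobile's code and not part of the original post: it stores only a random salt and a PBKDF2-HMAC-SHA256 hash and still verifies logins. The function names, record layout and iteration count are assumptions made for the illustration.

```python
import hashlib
import hmac
import os

# Assumed work factor for this example; tune it to your own hardware.
ITERATIONS = 600_000


def _derive(password: str, salt: bytes, iterations: int) -> bytes:
    """Stretch the password with PBKDF2-HMAC-SHA256."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)


def enroll(password: str) -> dict:
    """Build the record to store: salt, work factor and hash, never the password."""
    salt = os.urandom(16)  # unique per user, so equal passwords get different hashes
    return {
        "salt": salt.hex(),
        "iterations": ITERATIONS,
        "hash": _derive(password, salt, ITERATIONS).hex(),
    }


def verify(record: dict, attempt: str) -> bool:
    """Re-derive the hash from the login attempt and compare in constant time."""
    salt = bytes.fromhex(record["salt"])
    candidate = _derive(attempt, salt, record["iterations"])
    return hmac.compare_digest(candidate, bytes.fromhex(record["hash"]))


if __name__ == "__main__":
    # Constructed sample data: two customers who happen to pick the same password.
    password = "Tr0ub4dor&3"
    alice, bob = enroll(password), enroll(password)

    print("stored for alice:", alice)  # what a database dump or support screen exposes
    print("correct login   :", verify(alice, password))
    print("wrong login     :", verify(alice, "Tr0ub4dor&4"))
    print("same hash as bob:", alice["hash"] == bob["hash"])
```

The stored record is all that a support agent or an attacker with a database dump would see, and the login check never needs anything more.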
There is no doubt that T-Mobile has some fancy technical security solutions in place, but the fact that they still store user credentials in plain-text proves a dangerous lack of technical security measures and also indicates missing controls on the formal side of IT Security.
Without well thought-through policies and effective and properly implemented processes and procedures the best technical security solution will eventually be compromised.
Proper IT Security does not only protect information assets from external and internal users, but also protects internal, valid users from the information/data. In a situation where customer support employees have the ability to view full user credentials the possibilities for misuse are figuratively endless. And once a data breach happens, all the internal personnel with access to those credentials will also come under scrutiny. Now, given the obvious lack of internal policies that govern this type of risk, it is not really a stretch to imagine some of those employees having their own passwords on a post-it on their monitor, or in a time of stress sharing their credentials with a colleague whose own don’t work for whatever reason. How is this person going to prove that it was somebody else who used their credentials to steal or manipulate information?
What this issue also implies is the lack of formal risk management. Either they have never done a proper IT Security risk assessment, they did it but never did anything with the data, or their risk acceptance criteria are ludicrously high. A company the size of T-Mobile Austria, with such a vast amount of personal data, a mere month before the new GDPR is really coming into effect (it is already in effect, just that the fines will be put into force on the 25th of May), should not have a situation like this on their hands.
What made the matter way worse, from a social media communication perspective, is the fact that one of the T-Mobile representatives got a bit irritated with people calling them out on this and started bashing people, like in this response to a person questioning their practice:
T-Mobile: Excuse me? Do you have any idea how telecommunication companies work? Do you know anything about our systems? But I’m glad you have the time to share your view with us.
Not a good look in my opinion and, by all indications, this person themselves does not have a firm grasp of either IT Security or Compliance, in the telecommunications field or anywhere else.
As stated in the beginning, I do not intend to bash T-Mobile directly, as I know that a large number of companies, both big and small, are shockingly unprepared for and/or ignorant of IT Security and privacy threats in general. My guess is that some of those companies will experience a rude awakening once the first GDPR fines have to be paid after a data breach. We all know that good IT Security practices don’t add revenue to most companies, but just seeing this field as a cost factor is ignorant at best and tremendously dangerous to the company and their customers at worst.