I had some interaction with Virgin mobile a couple of weeks ago and did not feel confident about their security at the end of the call which I blogged about here. Towards the end of that blog, I wrote about the 4 major problems that I saw with this interaction. How can Virgin address each of these? Let's find out.
a) Storing mobile pin (link) in clear text
The fact that a customer service rep is able to tell me my pin simply means that my pin is stored in clear text in their database. There is no way I can look at it and say it is secure development; it’s not. All sensitive information must be stored in a format that is not readable or easily reversible. There have been numerous high profile cases where passwords were stored in a format, which is easily crackable, leading to a lot of bad press for the organization involved. Our VP of Security Services, Joe Basirico, recently wrote a blog, which talked about how passwords should be stored; please have a read.
b) Using the pin as a form of verification
In all my years as a security consultant, I’ve seen plenty of wacky practices being followed. This though stunned even a thick skinned pen-tester like me. How can you expect someone to tell you their password, as a means of verification? It’s like asking someone to tell me the combination to your safe or your luggage. What guarantee do I have that the rep who took the call won’t misuse my credentials? None. Precisely none. I am completely dependent on that person being honest. And if that’s my only defense… well... then security wouldn’t be a problem at all, Security Innovation wouldn’t exist and I wouldn’t have a job.
Worse still, if someone flicks my phone, calls up Virgin and pretends to have forgotten the password, they just send it over as a text message. It’s not the customer representative’s fault; he/she is doing what they’re told, but it’s some really bad processes in place.
If a user has forgotten a password or pin, this is a good way to handle it.
c) Asking for a CVV number to complete a transaction
Seriously, I’m very uncomfortable making any transactions over the phone. And to top it all, if someone asks me my CVV at the end, those concerns just intensify even more. Asking a person for a CVV is saying –‘Could you please give me your credit card so I can shop to my hearts content for free?’. The reason I was asked my CVV was because they couldn’t find out why my previous 2 attempts had failed. How about addressing that and letting me make a payment myself? Instead you ask me for a password, possibly login as me and then use my CVV, from my account, to pay my bill.
If you run a support center where you address queries, and you’re reading this, please never ever ask someone for their CVV. It makes the customer very uncomfortable. Decline the transaction and give the client an alternative, but don’t ask people for their sensitive data.
d) What else is stored on Virgin’s servers? And how is it stored?
Now because of this incident, I have very little trust in how Virgin stores any of my sensitive information. What about my credit card information which is saved in my profile (Without the CVV)? Is that stored in clear text in the DB too? What happens to my CVV when I pay my bill? Do you store that? Do you maintain detailed transaction logs which enable you to find out the root cause of that failed transaction? Do you even have a security policy in place? Do you train your customer service team in basic security practices? And many more…
If someone from Virgin does read this, please understand that this isn’t about that employee, it’s a problem far deeper than that.
