
You Don't Live Like I Do
Carefully, Correctly Wrong


Vodafone Security [Oct. 11th, 2005|03:32 pm]
[mood | pissed off]
[music | Orbital - "Fahrenheit 303"]

I'm seriously considering switching away from Vodafone. It's just too easy to hack their systems.

To change the statement address for a Vodafone account, all you need to give Vodafone is a name and address. They don't even ask you for the corresponding phone number (which is at least less public), let alone the account number (which should only be on bills). When you get your hands on an intercepted statement, you have the account number with which I'm sure you can do all kinds of nastiness.

I spoke to Vodafone about this, and they say that they set up a PIN the first time someone calls them. However, this PIN is apparently only authenticated with the name and address of the caller, so again provides no security - I've had my phone for years and never called their customer service line before. The chances are that most people will be in the same situation. Why don't they ask you for your account number, which shouldn't be known by anybody other than you and them?
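The weak point in the two paragraphs above is not the PIN itself but the path by which it gets set: a secret that can be created or reset by quoting public details is worth no more than those details. The following is an added example, not code from the original post or anything Vodafone runs, that models this as a small caller-verification policy and computes the effective secrecy of each factor by following its reset paths. The factor names, the three secrecy levels, the two policies and the required levels per action are all constructed assumptions for illustration.

```python
"""Model of a call-centre caller-verification policy.

Illustrates the post's argument: a PIN is only as secret as the details
needed to set or reset it, so the real strength of a verification policy
is its weakest chain of knowledge factors, not the nominal strength of
the factor the agent happens to ask for. Factor names, secrecy levels
and both policies are constructed for illustration; they are not a
description of Vodafone's actual procedures.
"""
from dataclasses import dataclass, field
from typing import Dict, FrozenSet, Iterable, List

# How hard each kind of detail is to obtain. Higher means fewer people
# could plausibly know it. Levels are illustrative, not a standard.
PUBLIC = 0        # name, postcode: directories, envelopes, acquaintances
SEMI_PRIVATE = 1  # mobile number: handed out to many contacts
PRIVATE = 2       # account number, PIN: should be held only by customer and provider


@dataclass
class Factor:
    name: str
    nominal_secrecy: int
    # Each reset path is the set of factors an agent confirms before (re)setting this one.
    reset_paths: List[FrozenSet[str]] = field(default_factory=list)


def effective_secrecy(factors: Dict[str, Factor], name: str,
                      _chain: FrozenSet[str] = frozenset()) -> int:
    """Secrecy of a factor once its reset paths are taken into account.

    Following a reset path means knowing every factor on it, so a path costs
    the attacker its hardest factor (max). The attacker picks the cheapest
    path, so the factor is worth the minimum of its nominal secrecy and the
    cheapest path (min). A path that needs the factor being reset is skipped.
    """
    f = factors[name]
    chain = _chain | {name}
    cheapest = f.nominal_secrecy
    for path in f.reset_paths:
        if path & chain:
            continue  # circular: you can't use the PIN to reset the PIN
        cost = max((effective_secrecy(factors, p, chain) for p in path), default=PUBLIC)
        cheapest = min(cheapest, cost)
    return cheapest


def proven_secrecy(factors: Dict[str, Factor], confirmed: Iterable[str]) -> int:
    """The strongest level a caller has demonstrated by confirming these factors."""
    return max((effective_secrecy(factors, c) for c in confirmed), default=-1)


def authorize(factors: Dict[str, Factor], required: Dict[str, int],
              action: str, confirmed: Iterable[str]) -> bool:
    """Allow an account action only if the caller proved the level the policy demands."""
    return proven_secrecy(factors, confirmed) >= required[action]


def as_described() -> Dict[str, Factor]:
    """Constructed model of the procedure the post describes: the PIN is set
    on the first call after confirming only name and postcode."""
    return {
        "name": Factor("name", PUBLIC),
        "postcode": Factor("postcode", PUBLIC),
        "mobile": Factor("mobile", SEMI_PRIVATE),
        "account_number": Factor("account_number", PRIVATE),
        "pin": Factor("pin", PRIVATE, [frozenset({"name", "postcode"})]),
    }


def as_proposed() -> Dict[str, Factor]:
    """Constructed model of the post's suggestion: setting or resetting the PIN
    requires the account number printed on the bill."""
    factors = as_described()
    factors["pin"].reset_paths = [frozenset({"name", "account_number"})]
    return factors


# Constructed policy: redirecting bills must require PRIVATE knowledge,
# because the redirected bill itself carries the account number.
REQUIRED = {"change_billing_address": PRIVATE, "balance_enquiry": SEMI_PRIVATE}

if __name__ == "__main__":
    for label, model in (("as described", as_described()), ("as proposed", as_proposed())):
        print(label, "- effective secrecy of the PIN:", effective_secrecy(model, "pin"))
        print("  address change with name+postcode:",
              authorize(model, REQUIRED, "change_billing_address", ["name", "postcode"]))
        print("  address change with PIN:",
              authorize(model, REQUIRED, "change_billing_address", ["pin"]))
```

In the "as described" model the PIN's effective secrecy collapses to PUBLIC, so even an agent who insisted on the PIN would be granting address changes on the strength of a name and postcode; in the "as proposed" model the PIN inherits the account number's secrecy and the same request is refused until a private factor is confirmed.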

Update: Rather than just blogranting, I have e-mailed Vodafone. Again, I will let people know if I get a reply.

From: [info]diffrentcolours
To: customer.care@vodafone.co.uk
Date: Tue, 11 Oct 2005 15:47:33 +0100

I just phoned your customer service line to change the billing address on my Vodafone account. I was shocked to be able to do this just by providing my name and postcode, both of which are fairly common knowledge.

Apparently Vodafone are implementing a PIN system for the phone system, but if changing your PIN (or even setting it in the first place) is as easy as changing the address, or if making changes to my account doesn't require a PIN (as it didn't today), then the PIN system is useless.

Why are callers not asked to confirm either their phone number or (preferably) their account number? The latter in particular should only be known by the legitimate customer and Vodafone, and is printed on every phone bill. This would obviate the need for a complicated PIN system, for the customer to memorise yet another "secret", and provide the necessary security immediately.

I'm very interested in matters of privacy and security, and would like to know why Vodafone have opted for a complicated and vulnerable solution rather than taking the obvious course of action to provide security for their customers. I will be investigating the security policies of other phone providers, and will consider switching my account to a provider who has a more sensible approach to keeping their customers safe from fraud.

Update: I've had a reply and responded to it, and heard nothing for a few days. I think it's time to start shopping for a new provider.

From: customer.care@vodafone.co.uk
To: [info]diffrentcolours
Date: Wed, 12 Oct 2005 09:12:31 +0100

Re Mobile Telephone Account/BAN Number (Not supplied).

Thank you for your mail.

Please can you provide your mobile number / your account number so we can access your details. We will then be able to respond to your mail.

If there is anything else we can help you with, please do not hesitate to contact us.

From: [info]diffrentcolours
To: customer.care@vodafone.co.uk
Date: Wed, 12 Oct 2005 13:55:31 +0100

Please can you explain to me why you need my mobile number or account number to answer a query on the security policy of your phone line? My mobile number and account number are irrelevant to the question I asked, which is not specific to my account.

Furthermore, sending my account number or mobile number in an e-mail would expose it to others, further reinforcing Vodafone's lack of regard for customer security.

Please can you reply to my query about Vodafone's lack of security on their customer care lines, without insisting on a lack of security on their customer care e-mail as well?


Comments:
From: [info]asw909
2005-10-11 02:48 pm (UTC)

Is it really that bad? Sheesh.

At o2, full security checks (i.e. customer provides mobile or account number, then confirms name and address as security - and often a password, customers were encouraged to set them up) were always done - and it was seen as not doing your job properly if not done...
From: [info]cultureofdoubt
2005-10-11 02:50 pm (UTC)

You're lucky. I've tried to log in to 'My Vodafone' online, only to find I couldn't remember my username.

Of course even though I had a phone number I couldn't get my username through any sort of retrieval form, and couldn't reregister as my phone number was already in use.

So I email customer support and eventually get that sorted (finding that my username was case-sensitive and I'd almost got it in one attempt before).

Then I didn't know my password so used the password retrieval mechanism which refused to let me have my password. So a really useful retrieval thing there.

I'm yet to hear back from customer support. I wish I could hack my account.
From: [info]flooks
2005-10-11 04:59 pm (UTC)

Ditto. I tried to go to their website to do stuff, same problem.
From: (Anonymous)
2005-10-11 06:29 pm (UTC)

I worked for Vodafone - morons at every level.

fuzzix.
From: [info]lemurkind
2005-10-12 03:43 pm (UTC)

Orange are not too bad, they have a password and account number ID thingy. If you forget your password they do the whole mother's maiden name, first cat thing?
How's manc kand? Might be in your neck of the woods for the 6th November, you likely to still be alive?

Will
From: [info]diffrentcolours
2005-10-15 12:50 pm (UTC)

I'll be in Manchester then - the 6th is the last day of the Roleplaying Weekend of Doom with [info]wehmuth, [info]greyeyedeve and Jim.
From: [info]mirrorphase
2005-10-12 09:06 pm (UTC)

What is this mysterious Vodafone?
From: [info]diffrentcolours
2005-10-15 12:51 pm (UTC)

Vodafone are a mobile phone service provider.
From: [info]james_r
2006-02-11 12:04 am (UTC)

I'm surprised Vodafone changed your details so easily, they usually won't do anything with my account (which is admittedly a business one) without at least several of name, postcode, type of legal entity of the account holder, how many SIMs are on the contract, the method by which the bill is paid, and what service plan is being used.

I moved to Vodafone from Orange a few months ago because Orange had no way of blocking geographic location service providers from disclosing my whereabouts to unknown persons. (Hint: on O2 dial 1300 and follow a menu system, on Vodafone dial #120# to protect yourself from this; Orange has no way of stopping your location from being disclosed.)

I'd suggest emailing Data Protection <data.protection@gb.vodafone.co.uk>. I got a very useful reply from their data protection manager on the geographic location service blocking from there a few months ago; they seemed highly competent. Perhaps their business customer service is just much better than their personal one.

BTW, Orange have a culture of phoning their customers and their first question being "what is your Orange password?" - encouraging your customers to disclose their password in this way is just madness (yes, I know you could check caller ID, but that is trivially faked). I asked one of their call centre people "what would you do if you received a call apparently from your bank and they asked you to confirm your identity by giving them your account details and mother's maiden name and your date of birth?" Their response: "I'd have no reason to believe they weren't who they said they were, so I would." *sigh*