Usernames, for one, aren't case sensitive. This is confirmed when you look at how they handle the "stay-in" cookie.**** If your username is aAbDC, then you can log in with either AABDC or AAbdc, since they always default to AABDC.
**** I had to block out the detail.
These usernames being case insensitive seems to be a thing with various ISPs, as MWEB, Axxess, Afrihost and WebAfrica all accept usernames case-insensitively.
Storing the info as plain text in the cookie shows that they don't really know what they are doing. To think, not even popular free forum scripts do that. I don't think they really know what hashing is. That is why they can display the last few characters of the password in the logs, seeing that a good hash is supposed to be one-way, but now they are accessing parts of it. This shows that they simply store the password as plaintext, or they encrypt everything with the same key. So if their DB and their servers got exploited, the key would be found and everyone's login details would be gone as well.
A lot of free open source scripts for forums and ecommerce use salted hashes nowadays. It is shocking that an ISP (like WebAfrica) can't do the same.
For the WebAfrica representative who sees nothing wrong with the plaintext cookie: you are supposed to put in a unique code string that identifies the user. There are various ways you can do it, but just putting in the username and password is pathetic. And you need to clean up these strings after some time, since it is a cookie and is supposed to be temporary.
With WA, the usernames are really short, and they all follow the same format, so it's super easy to guess a different user's username. At least some of the other ISPs only use the email for logins.
Goes quite well with the IT personas just thinking that someone else might top up for you. I'm concerned that if ISPs, with their supposed concentration of IT skills, can't get the basics right, then what hope is there for the wider community to tighten security?
Once hackers learn that South Africa is open sesame, they will have a field day, and they will keep returning for the spoils.
His attempt at humour is a monumental failure, as he's clearly missing the point: too many people use a single password for all their accounts, from email to (shockingly) internet banking. If somebody is able to sniff their password, they won't be bothered with topping them up (what a stupid assumption!); they will rather garner more information about the user and try the password at a multitude of services. These days it's ridiculously easy to find out information about somebody online and track which services they use.

Fialkov said that, should the account password be sniffed, you can potentially use it to top up. However, Cybersmart logs where the top-up came from, and they can check whether it was done from the address that the ADSL account belongs to, Fialkov said.
“I am not sure why someone would want to top up someone else’s account,” Fialkov joked, but added that even this is covered by their gig-back guarantee, so if a customer disputes the top-up and it really was not done from their location, a refund will be issued.
Haha, what? I bet you get a little buzz and a smile when you get the opportunity to mention rave names like 'PCI', don't you?

This means none of these companies have had an external or PCI audit.
Don't just remove the usernames and passwords from cookies: use a one-way hash of passwords, and never store the plaintext version, never, nowhere. There are many articles on the web on this; I'm sure you'll be able to find a proper tutorial with some googling.

Thanks for the feedback, guys. I am fully in agreement with you that this is not good enough. I'll make sure we get this fixed.
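The thread above asks for two things: a one-way salted hash instead of stored (or recoverable) passwords, and a "stay-in" cookie that carries an opaque, expiring identifier rather than the username and password themselves. The following is an added example of both, written for this page; it is not WebAfrica's, Cybersmart's or any other ISP's actual code. It puts the plaintext cookie described in the thread beside a hardened version: PBKDF2-HMAC-SHA256 with a random per-user salt, constant-time verification, case-folded usernames (matching the case-insensitive login behaviour the posters observed), and a server-side session table keyed by a random token that is discarded once it expires. The sample user "aAbDC" with password "hunter2" and the hypothetical helper names are constructed for the example.

```python
"""Hardened login and session cookie, contrasted with the plaintext cookie the
thread describes. Added example for this page; not any ISP's real code."""
import base64
import hashlib
import hmac
import os
import secrets
from typing import Dict, Optional, Tuple

# PBKDF2-HMAC-SHA256 iteration count; OWASP's current guidance is 600,000.
PBKDF2_ITERATIONS = 600_000


def insecure_cookie(username: str, password: str) -> str:
    """The anti-pattern from the thread: credentials stored verbatim in the cookie."""
    return f"user={username};pass={password}"


def normalize_username(username: str) -> str:
    """The ISPs compare usernames case-insensitively (aAbDC == AABDC), so
    normalise once at the boundary instead of relying on ad-hoc uppercasing."""
    return username.strip().casefold()


def hash_password(password: str, salt: Optional[bytes] = None) -> str:
    """Return a self-describing salted hash: algo$iterations$salt$digest (base64)."""
    salt = os.urandom(16) if salt is None else salt
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ITERATIONS)
    return "pbkdf2_sha256$%d$%s$%s" % (
        PBKDF2_ITERATIONS,
        base64.b64encode(salt).decode("ascii"),
        base64.b64encode(digest).decode("ascii"),
    )


def verify_password(password: str, stored: str) -> bool:
    """Recompute with the stored salt and iterations, compare in constant time.
    The stored value is one-way: no characters of the password can be read back."""
    algo, iterations, salt_b64, digest_b64 = stored.split("$")
    if algo != "pbkdf2_sha256":
        return False
    candidate = hashlib.pbkdf2_hmac(
        "sha256", password.encode("utf-8"), base64.b64decode(salt_b64), int(iterations)
    )
    return hmac.compare_digest(candidate, base64.b64decode(digest_b64))


# Hashed once at import so an unknown username costs the same as a wrong password.
_DUMMY_HASH = hash_password("not-a-real-password")


class SessionStore:
    """Server-side table of opaque, expiring tokens. The cookie carries only the
    token; the username and password never leave the server."""

    def __init__(self, ttl_seconds: int = 3600) -> None:
        self.ttl = ttl_seconds
        self._sessions: Dict[str, Tuple[str, float]] = {}  # token -> (user, expiry)

    def issue(self, username: str, now: float) -> str:
        token = secrets.token_urlsafe(32)  # 256 bits from the OS CSPRNG
        self._sessions[token] = (username, now + self.ttl)
        return token

    def lookup(self, token: str, now: float) -> Optional[str]:
        entry = self._sessions.get(token)
        if entry is None:
            return None
        username, expiry = entry
        if now >= expiry:
            del self._sessions[token]  # "clean up these strings after some time"
            return None
        return username

    def revoke(self, token: str) -> None:
        self._sessions.pop(token, None)


def login(users: Dict[str, str], store: SessionStore, username: str,
          password: str, now: float) -> Optional[str]:
    """Authenticate; return the value to put in the session cookie, or None."""
    key = normalize_username(username)
    ok = verify_password(password, users.get(key, _DUMMY_HASH))
    if key not in users or not ok:
        return None
    return store.issue(key, now)


if __name__ == "__main__":
    import time
    users = {normalize_username("aAbDC"): hash_password("hunter2")}  # constructed sample user
    store = SessionStore(ttl_seconds=1800)
    print("insecure cookie:", insecure_cookie("aAbDC", "hunter2"))
    print("stored hash:    ", users["aabdc"])
    print("session cookie:  session=%s" % login(users, store, "AAbdc", "hunter2", time.time()))
```

Note what the stored hash makes impossible: because `verify_password` can only recompute and compare, there is no way to show "the last few characters of the password" in a log, which is exactly the symptom the thread treats as proof of plaintext or reversible storage. The session token is random rather than derived from the credentials, so guessing another customer's short, patterned username gains nothing without their password, and a leaked cookie stops working once its entry expires or is revoked.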