Massive Afrihost security flaw exposed

Now a much more interesting thing to ponder is how they manage those credit cards though.

Nowhere does Afrihost claim PCI compliance [at least not obviously on the webpage], which means if the credit card billing system is in-house, there are some very legitimate concerns.

This password thing is ultimately trivial in comparison to credit card info.

I think it's very important to note (as AfriMan mentioned before) that security matters should not be discussed on a public forum, but to answer your question, we do not store credit card information. We hand it off to a PCI-compliant partner.
 
That is good to note.

Maybe as a suggestion, you should put notices somewhere in your payment sections that you hand off to a PCI-compliant partner... it will instil a bit of confidence in a certain segment of your client base.
 
I'll be sure to pass your suggestion onto our Team :)
 
Why not tell us how you stole users' mobile data and took 10 days to fix it.

When did this happen? My account got capped despite my phone reporting that I didn't use all the data...
 
RADIUS (AAA) authentication systems require access to the clear-text password of a user in order to use secure authentication algorithms such as CHAP and MS-CHAP.

This is a requirement of the algorithm(s) used during authentication and can't be avoided. This means that storing salted or hashed passwords simply doesn't work in a RADIUS environment.

Thus, everyone's "best practice, everyone must hash passwords" arguments are all moot. AAA environments' requirements are very different from your average SQL- or WordPress-based website.
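Added example (not code from the thread or from Afrihost) showing why the post above holds for CHAP: in CHAP with MD5 (RFC 1994) both sides compute MD5(Identifier || password || Challenge), so the RADIUS server must have the password bytes themselves, and a salted hash cannot be substituted. The same block also shows the other side of the trade-off, which the post does not spell out: with PAP the server receives the password itself from the NAS and can therefore verify it against a salted, slow hash (the password then crosses the NAS-to-RADIUS link protected only by the RFC 2865 User-Password obfuscation under the shared secret). MS-CHAP is not modelled here; it needs the unsalted NT hash (MD4 of the UTF-16LE password), which is password-equivalent rather than a salted hash, so the storage conclusion is similar. The username, password, identifier and challenge values are constructed for the example.

```python
import hashlib
import hmac
import os
import secrets

# Constructed sample credentials for the demonstration; not real account data.
USERNAME = "user@example.isp"
PASSWORD = "correct horse battery staple"
PBKDF2_ROUNDS = 100_000


def chap_response(identifier: int, secret: str, challenge: bytes) -> bytes:
    """CHAP with MD5 (RFC 1994): Response = MD5(Identifier || secret || Challenge).

    Client and authenticator both compute this, so the authenticator needs the
    user's password (`secret`) in recoverable form: the password bytes go into
    the digest, and no hash of the password can take their place.
    """
    return hashlib.md5(
        bytes([identifier & 0xFF]) + secret.encode("utf-8") + challenge
    ).digest()


def verify_chap(identifier: int, challenge: bytes, response: bytes,
                stored_cleartext: str) -> bool:
    """Server-side CHAP check; only possible with the clear-text password."""
    expected = chap_response(identifier, stored_cleartext, challenge)
    return hmac.compare_digest(expected, response)


def make_salted_record(password: str) -> dict:
    """Conventional web-style storage: random salt + slow KDF, no clear text kept."""
    salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt,
                                 PBKDF2_ROUNDS)
    return {"salt": salt, "hash": digest}


def verify_pap(password: str, record: dict) -> bool:
    """PAP: the server sees the password itself, so a salted hash suffices."""
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                                    record["salt"], PBKDF2_ROUNDS)
    return hmac.compare_digest(candidate, record["hash"])


def chap_from_hash_fails(record: dict) -> bool:
    """Feed the stored hash to the CHAP check in place of the password.

    A genuine client response is computed from the real password; the server
    holding only the salted hash cannot reproduce it, so verification fails.
    Returns True when the mismatch is demonstrated.
    """
    identifier = 7
    challenge = secrets.token_bytes(16)
    client_response = chap_response(identifier, PASSWORD, challenge)
    return not verify_chap(identifier, challenge, client_response,
                           record["hash"].hex())


if __name__ == "__main__":
    challenge = secrets.token_bytes(16)
    resp = chap_response(1, PASSWORD, challenge)
    print("CHAP with clear-text store:", verify_chap(1, challenge, resp, PASSWORD))
    record = make_salted_record(PASSWORD)
    print("PAP with salted store:     ", verify_pap(PASSWORD, record))
    print("CHAP with salted store fails:", chap_from_hash_fails(record))
```

The practical consequence for an ISP: offering CHAP/MS-CHAP on DSL logins forces the AAA database to hold recoverable passwords, so the protection has to come from how that database is encrypted and who can read it, rather than from hashing; a provider that wants hashed storage has to restrict logins to PAP and accept the weaker link-level protection instead.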
 
When did this happen? My account got capped despite my phone reporting that I didn't use all the data...

This article pertains specifically to DSL account credentials. If you have a mobile data usage dispute, please feel free to reach out to us on our support channels, social media or PM and we'll assist accordingly. :)
 
Kicking a dog while it's down, but my last experience with your support department has taught me to let the data go instead of wasting time trying to sort it out...
 
That's definitely not the kind of experience we want anyone to go through. :( Feel free to drop me a PM and I'll assist personally.
 
OK, let me get this. User passwords are available, meaning they can log in and use your data allocation.

Why all this hostility though. Afrihost has come out explaining their take on how and why, yet you guys are going on like Afrihost had your dogs killed... Geesus :D
 
I think just some clarity was needed. :)
 
RADIUS (AAA) authentication systems require access to the clear-text password of a user in order to use secure authentication algorithms such as CHAP and MS-CHAP.

This is a requirement of the algorithm(s) used during authentication and can't be avoided. This means that storing salted or hashed passwords simply doesn't work in a RADIUS environment.

Thus, everyone's "best practice, everyone must hash passwords" arguments are all moot. AAA environments' requirements are very different from your average SQL- or WordPress-based website.

Please don't come ruin a story with facts. Our resident experts just finished Season 2 of Mr. Robot.
 
For a security expert it is a little strange that ...

Software and security expert Taylor Gibb recently posted on Facebook that Afrihost staff had been able to provide ADSL account credentials to users over the phone, leaving information at risk.
Is this the same Taylor Gibb that allowed himself to be trolled by someone who opened a GitHub account in his "development company"'s name and pretended to be a beginner developer who can't do anything more than boilerplate code? I would love to hear more about his coding expertise and his security credentials.
 
Have references to that story by any chance?
 
Now a much more interesting thing to ponder is how they manage those credit cards though.

Nowhere does Afrihost claim PCI compliance [at least not obviously on the webpage], which means if the credit card billing system is in-house, there are some very legitimate concerns.

This password thing is ultimately trivial in comparison to credit card info.

This. I hope our details are really well taken care of
 
Oh I thought there was a story about him being trolled or something...
 