Concerns over the security of the customer web portals used by South African ADSL Internet Service Providers (ISPs) were recently raised in a discussion on the MyBroadband forum.
It was found that ISPs such as WebAfrica, Cybersmart, Axxess, and @lantic do not use HTTPS for at least one of the login options offered on their websites.
HTTPS is a secure method of communicating with a web server: Hypertext Transfer Protocol (HTTP) carried over Transport Layer Security (TLS) or its predecessor, Secure Sockets Layer (SSL).
It’s worth noting that @lantic, Axxess, and WebAfrica do offer HTTPS logins from specific URLs, and that their control panels for ADSL users run over HTTPS.
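As an added illustration (this is not code from the article or from any of the ISPs named), the following check parses a page's HTML and flags login forms whose submit target is plain HTTP; the sample HTML and the example.invalid hostnames are constructed.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit


class _FormScanner(HTMLParser):
    """Collect (action, has_password_field) for every <form> on the page."""

    def __init__(self):
        super().__init__()
        self.forms = []
        self._form = None  # [action, has_password] while inside a <form>

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "form":
            self._form = [a.get("action") or "", False]  # "" = current page
        elif tag == "input" and self._form is not None:
            if (a.get("type") or "").lower() == "password":
                self._form[1] = True

    def handle_endtag(self, tag):
        if tag == "form" and self._form is not None:
            self.forms.append(tuple(self._form))
            self._form = None


def insecure_login_forms(page_url, html):
    """Return absolute action URLs of password forms that would post over plain HTTP.

    A relative or empty action inherits the scheme of page_url, so a login form
    on an http:// page is flagged unless its action is explicitly https://.
    """
    scanner = _FormScanner()
    scanner.feed(html)
    scanner.close()
    targets = [urljoin(page_url, action) for action, pw in scanner.forms if pw]
    return [t for t in targets if urlsplit(t).scheme != "https"]


# Constructed sample: two login forms on a page that was served over plain HTTP.
SAMPLE_HTML = """
<form action="/login" method="post"><input name="u"><input type="password" name="p"></form>
<form action="https://portal.example.invalid/login" method="post">
  <input name="u"><input type="PASSWORD" name="p"></form>
<form action="/search"><input name="q"></form>
"""

if __name__ == "__main__":
    for url in insecure_login_forms("http://www.example.invalid/", SAMPLE_HTML):
        print("credentials would be sent in clear text to", url)
```

The check only looks at where the credentials are posted; a login form that is itself delivered over HTTP can still be altered in transit even when its action is https://, so the scheme of the page URL deserves the same scrutiny.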
Asked to explain their decision not to use HTTPS for the login from the main page of their website, WebAfrica’s chief technology officer, Rupert Bryant, said it was an oversight on their part.
“We’ve queued a fix which will be committed by [Wednesday, 15 August 2012],” Bryant said. “Security is very important to us, we’re always doing what we can to improve and make sure our customers are protected.”
@lantic responded similarly, and immediately made their whole website run over HTTPS.
“The issue you referred to was investigated [on Tuesday, 14 August 2012],” @lantic marketing manager Riaan Gouws said. “There was an issue that HTTPS only displayed in Safari. The other browsers only displayed HTTP. This issue was promptly addressed and fixed.”
Cybersmart CEO Laurie Fialkov said that they did not really consider this an issue until it was raised in the discussion, as none of their users’ ADSL accounts have been compromised.
“If you connect from a CyberSmart IP address it does not ask you for a password, it just displays your usage,” Fialkov said. He added that the only thing that can be compromised from this page is your ADSL username and password.
“The ADSL username and password is automatically locked to the location that you authenticate from, and we have a gig-back guarantee,” Fialkov explained. “So if it is used from elsewhere we refund the gigs that were used at the alternate location,” he added.
“This has never happened.”
Fialkov said that, should the account password be sniffed, it could potentially be used to top up the account. However, Cybersmart logs where the top-up came from and can check whether it was done from the address that the ADSL account belongs to, Fialkov said.
“I am not sure why someone would want to top up someone else’s account,” Fialkov joked, but added that even this is covered by their gig-back guarantee, so if a customer disputes the top-up and it really was not done from their location, a refund will be issued.
Despite being unconvinced of the purpose of securing their ADSL usage and top-up pages, Fialkov said that they will do it if their users demand it.
“This is one of the reasons MyBroadband is so valuable to us, as it gives us a new perspective on what our customers may view as mandatory even though other sources of information may tell us otherwise,” Fialkov said.
User security education still lacking
Speaking about online security in general, WebAfrica’s Rupert Bryant said that educating users is one of the most overlooked aspects.
Bryant said that avoiding simple bad habits such as using the same password or picking simple/insecure passwords can dramatically improve security. Services like LastPass.com can make this convenient for users, Bryant said.
“While users do seem to be improving their habits slowly, the forms of threats and exploits are ever-evolving,” Bryant said.
* Does your ISP use HTTPS on its website? Do you care? Weigh in on the forum or the comments below.