{"id":57421,"date":"2012-08-16T15:11:13","date_gmt":"2012-08-16T13:11:13","guid":{"rendered":"http:\/\/mybroadband.co.za\/news\/?p=57421"},"modified":"2012-08-16T15:16:21","modified_gmt":"2012-08-16T13:16:21","slug":"adsl-isp-website-security-concerns","status":"publish","type":"post","link":"https:\/\/mybroadband.co.za\/news\/security\/57421-adsl-isp-website-security-concerns.html","title":{"rendered":"ADSL ISP website security concerns"},"content":{"rendered":"<p>Concerns over the <a title=\"Your login detail is insecure (Clientzone)\" href=\"http:\/\/mybroadband.co.za\/vb\/showthread.php\/452911-ISP-Your-login-detail-is-insecure-(Clientzone)\">security of the customer web portals<\/a> used by South African ADSL Internet Service Providers (ISPs) were recently raised in a discussion on the MyBroadband forum.<\/p>\n<p>It was found that ISPs such as WebAfrica, Cybersmart, Axxess, and @lantic don\u2019t use HTTPS for at least one of the login options offered on their websites.<\/p>\n<p>HTTPS is a secure method of communicating with a web server that uses transport layer security (TLS) or secure sockets layer (SSL) with hypertext transfer protocol (HTTP).<\/p>\n<p>It\u2019s worth noting that @lantic, Axxess, and WebAfrica do offer HTTPS logins from specific URLs, and that their control panels for ADSL users run over HTTPS.<\/p>\n<h3 class=\"my-4\">ISPs explain<\/h3>\n<p>Asked to explain their decision not to use HTTPS for the login from the main page of their website, WebAfrica\u2019s chief technology officer, Rupert Bryant, said it was an oversight on their part.<\/p>\n<p>\u201cWe\u2019ve queued a fix which will be committed by [Wednesday, 15 August 2012],\u201d Bryant said. 
\u201cSecurity is very important to us, we\u2019re always doing what we can to improve and make sure our customers are protected.\u201d<\/p>\n<div id=\"attachment_54061\" style=\"width: 250px\" class=\"wp-caption alignleft\"><img loading=\"lazy\" decoding=\"async\" aria-describedby=\"caption-attachment-54061\" class=\"size-full wp-image-54061\" title=\"Rupert Bryant portrait\" src=\"http:\/\/mybroadband.co.za\/news\/wp-content\/uploads\/2012\/07\/Rupert-Bryant-portrait.jpg\" alt=\"Rupert Bryant portrait\" width=\"240\" height=\"320\" srcset=\"https:\/\/mybroadband.co.za\/news\/wp-content\/uploads\/2012\/07\/Rupert-Bryant-portrait.jpg 240w, https:\/\/mybroadband.co.za\/news\/wp-content\/uploads\/2012\/07\/Rupert-Bryant-portrait-56x75.jpg 56w, https:\/\/mybroadband.co.za\/news\/wp-content\/uploads\/2012\/07\/Rupert-Bryant-portrait-105x140.jpg 105w, https:\/\/mybroadband.co.za\/news\/wp-content\/uploads\/2012\/07\/Rupert-Bryant-portrait-187x250.jpg 187w\" sizes=\"(max-width: 240px) 100vw, 240px\" \/><p id=\"caption-attachment-54061\" class=\"wp-caption-text\">Rupert Bryant<\/p><\/div>\n<p>@lantic responded similarly, and immediately made their whole website run over HTTPS.<\/p>\n<p>\u201cThe issue you referred to was investigated [on Tuesday, 14 August 2012],\u201d @lantic marketing manager Riaan Gouws said. \u201cThere was an issue that HTTPS only displayed in Safari. The other browsers only displayed HTTP. This issue was promptly addressed and fixed.\u201d<\/p>\n<p>Cybersmart CEO Laurie Fialkov said that they did not really consider this an issue until it was raised in the discussion, as none of their users\u2019 ADSL accounts have been compromised.<\/p>\n<p>\u201cIf you connect from a CyberSmart IP address it does not ask you for a password, it just displays your usage,\u201d Fialkov said. 
He added that the only thing that can be compromised from this page is your ADSL username and password.<\/p>\n<p>\u201cThe ADSL username and password is automatically locked to the location that you authenticate from, and we have a gig-back guarantee,\u201d Fialkov explained. \u201cSo if it is used from elsewhere we refund the gigs that were used at the alternate location,\u201d he added.<\/p>\n<p>\u201cThis has never happened.\u201d<\/p>\n<p>Fialkov said that, should the account password be sniffed, you can potentially use it to top up. However, Cybersmart logs where the top up came from and they can check whether it was done from the address that the ADSL account belongs to, Fialkov said.<\/p>\n<div id=\"attachment_57425\" style=\"width: 160px\" class=\"wp-caption alignright\"><img loading=\"lazy\" decoding=\"async\" aria-describedby=\"caption-attachment-57425\" class=\"size-full wp-image-57425\" title=\"Laurie Fialkov Small\" src=\"http:\/\/mybroadband.co.za\/news\/wp-content\/uploads\/2012\/08\/Laurie-Fiakov-Small.jpg\" alt=\"Laurie Fialkov\" width=\"150\" height=\"150\" srcset=\"https:\/\/mybroadband.co.za\/news\/wp-content\/uploads\/2012\/08\/Laurie-Fiakov-Small.jpg 150w, https:\/\/mybroadband.co.za\/news\/wp-content\/uploads\/2012\/08\/Laurie-Fiakov-Small-75x75.jpg 75w, https:\/\/mybroadband.co.za\/news\/wp-content\/uploads\/2012\/08\/Laurie-Fiakov-Small-140x140.jpg 140w, https:\/\/mybroadband.co.za\/news\/wp-content\/uploads\/2012\/08\/Laurie-Fiakov-Small-50x50.jpg 50w\" sizes=\"(max-width: 150px) 100vw, 150px\" \/><p id=\"caption-attachment-57425\" class=\"wp-caption-text\">Laurie Fialkov<\/p><\/div>\n<p>\u201cI am not sure why someone would want to top up someone else\u2019s account,\u201d Fialkov joked, but added that even this is covered by their gig-back guarantee, so if a customer disputes the top-up and it really was not done from their location, a refund will be issued.<\/p>\n<p>Despite being unconvinced of the purpose in securing their ADSL usage 
and top up pages, Fialkov said that they will do it if their users demand it.<\/p>\n<p>\u201cThis is one of the reasons MyBroadband is so valuable to us, as it gives us a new perspective on what our customers may view as mandatory even though other sources of information may tell us otherwise,\u201d Fialkov said.<\/p>\n<h3 id=\"securityeducation\">User security education still lacking<\/h3>\n<p>Speaking about online security in general, WebAfrica\u2019s Rupert Bryant said that educating users is one of the most over-looked aspects.<\/p>\n<p>Bryant said that avoiding simple bad habits such as using the same password or picking simple\/insecure passwords can dramatically improve security. Services like LastPass.com can make this convenient for users, Bryant said.<\/p>\n<p>\u201cWhile users do seem to be improving their habits slowly, the forms of threats and exploits are ever-evolving,\u201d Bryant said.<\/p>\n<p><em>* Does your ISP use HTTPS on its website? Do you care? Weigh in on the forum or the comments below.<\/em><\/p>\n<h3 id=\"related\">Related articles<\/h3>\n<p><a title=\"Worst passwords you can use\" href=\"http:\/\/mybroadband.co.za\/news\/security\/52059-worst-passwords-you-can-use.html\"><strong>Worst passwords you can use<\/strong><\/a><\/p>\n<p><a title=\"ISPA to launch cyber security code in SA\" href=\"http:\/\/mybroadband.co.za\/news\/security\/49139-ispa-to-launch-cyber-security-code-in-sa.html\"><strong>ISPA to launch cyber security code in SA<\/strong><\/a><\/p>\n<p><a title=\"Beware free public Wi-Fi: Kaspersky\" href=\"http:\/\/mybroadband.co.za\/news\/security\/53523-beware-free-public-wi-fi-kaspersky.html\"><strong>Beware free public Wi-Fi: Kaspersky<\/strong><\/a><\/p>\n<p><a title=\"Strong encryption in SA: is it legal?\" href=\"http:\/\/mybroadband.co.za\/news\/security\/57189-strong-encryption-in-sa-is-it-legal.html\"><strong>Strong encryption in SA: is it 
legal?<\/strong><\/a><\/p>\n","protected":false},"excerpt":{"rendered":"<p>Internet Service Providers respond to security concerns that were recently raised<\/p>\n","protected":false},"author":15,"featured_media":57229,"comment_status":"open","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[27],"tags":[3212,1765,2954,35,4358,3676,14521,5250,2508],"class_list":["post-57421","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-security","tag-lantic","tag-axxess","tag-cybersmart","tag-headline","tag-laurie-fialkov","tag-passwords","tag-riaan-gouws","tag-rupert-bryant","tag-webafrica"],"_links":{"self":[{"href":"https:\/\/mybroadband.co.za\/news\/wp-json\/wp\/v2\/posts\/57421"}],"collection":[{"href":"https:\/\/mybroadband.co.za\/news\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/mybroadband.co.za\/news\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/mybroadband.co.za\/news\/wp-json\/wp\/v2\/users\/15"}],"replies":[{"embeddable":true,"href":"https:\/\/mybroadband.co.za\/news\/wp-json\/wp\/v2\/comments?post=57421"}],"version-history":[{"count":1,"href":"https:\/\/mybroadband.co.za\/news\/wp-json\/wp\/v2\/posts\/57421\/revisions"}],"predecessor-version":[{"id":57515,"href":"https:\/\/mybroadband.co.za\/news\/wp-json\/wp\/v2\/posts\/57421\/revisions\/57515"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/mybroadband.co.za\/news\/wp-json\/wp\/v2\/media\/57229"}],"wp:attachment":[{"href":"https:\/\/mybroadband.co.za\/news\/wp-json\/wp\/v2\/media?parent=57421"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/mybroadband.co.za\/news\/wp-json\/wp\/v2\/categories?post=57421"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/mybroadband.co.za\/news\/wp-json\/wp\/v2\/tags?post=57421"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}