The long-forgotten PIN code is causing trouble again: Vodafone got burned by "1234"
Text | Dazhuang Brigade    Editor | Tian Xin
Report from Leiphone.com (leiphone-sz)
Although it gives away your age: in the era when Nokia still accounted for half of all phone sales, plenty of people absent-mindedly fumbled their PIN code (the SIM card's personal identification number) and locked their little flip, slider or candy-bar phone, after which the only remedy was a trip to the operator's service hall.
However, this half-forgotten term recently made headlines again: two scammers used Vodafone's weak PIN codes to defraud Czech users of $26,000.
Vodafone issued its users preset 4- to 6-digit passwords, but the users were not vigilant and the passwords were far too weak. As a result, two scammers with no technical skill at all took over users' accounts simply by trying a few weak passwords such as 1234.
That was not all. They were lucky enough to discover that, as long as they knew a phone number and had guessed the account's PIN, this loophole let them obtain a new SIM card without any photo ID or email confirmation.
The two scammers also monetised the loophole in an unusual way: they linked the hijacked account to an online gambling account and enabled the payment gateway, withdrew the money through the gambling account, and then cashed out at the bank, leaving the debt on the victim's bill.
The attack demanded little technical skill, and the two scammers were quickly caught. However, the 60 victims were left with fraudulent transactions on their bills, and Vodafone did not accept responsibility. The telecom giant even claimed that its customers were to blame because they had used these "weak" passwords, when in fact the security shortcomings of its own systems were the real cause of the incident.
Although the PINs Vodafone issued were only intended as temporary credentials, the telecom giant never told users that the code needed to be changed, and some users did not even know they had an online account.
El Reg learned about the incident from Prague software developer Michal Špaček, who subsequently blasted Vodafone on Twitter.
"Vodafone says you are responsible for your password and that it is detailed in the terms of service," he wrote. "But shouldn't Vodafone be held responsible if bad guys only know your phone number and password and can get a new SIM card?"
Local newspapers subsequently reported the incident, and the two suspects who carried out the fraud were eventually sentenced to 2 and 3 years in prison respectively.
Most of the brute-forced accounts are reported to have been created before 2012; for the past six years, users have chosen their own 6-digit passwords when setting up accounts in the mobile store. Špaček, however, does not think the security of Vodafone's new system deserves any praise. His friend Michal Illich also received a random-looking password like "1234" many years ago and assumed at the time that a machine had generated it.
The two scammers are also reported to have been able to obtain victims' birthdays, organisation details, bank account details and phone records through Vodafone's website. Fortunately, they did not abuse this information to cause the victims further harm.
El Reg asked Vodafone to explain the incident and criticised its security strategy. The telecom giant responded: "We are sorry to hear that some customers have fallen victim to targeted fraud by criminals. We have made it clear to our customers that they need strong, unique passwords to protect themselves from this type of crime. Vodafone has also been working with law enforcement to ensure that those responsible are brought to justice and our customers are compensated."
Authentication expert Per Thorsheim also told El Reg that Vodafone Czech Republic has had security problems more than once or twice, and that had it used email addresses instead of PIN codes, it would not have been hacked by such low-level scammers.
"While some users will use passwords like 'password' under a policy of email addresses as usernames and 8-character passwords, it is not easy to obtain a large number of user email addresses, which will discourage criminals," said Per Thorsheim. "The crazy thing about this is that Vodafone's authentication setup is so bad that it hands out a weak password like '1234' and then has the nerve to complain about users not paying attention to security."
Thorsheim also pointed out that simply applying rate limiting, account lockout, geo-fencing or time-based controls to the login interface would significantly improve the security of the system. He also believes the Czech Information Commissioner's Office should intervene in the matter; such poor protection of personal data calls for a risk analysis and a data protection impact assessment.
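As an added illustration (not code from the article or from Vodafone), the two controls discussed above in one place: a check that refuses issuing or keeping guessable PINs such as "1234", and a per-phone-number failure counter that locks the account after a handful of wrong guesses, so knowing a phone number no longer gives unlimited free tries. The phone number, denylist, thresholds and guess sequence are all constructed for the demonstration.

```python
from dataclasses import dataclass, field
from datetime import datetime, timedelta

# Constructed denylist of the kind of default or guessable PINs the article describes.
WEAK_PINS = {"1234", "0000", "1111", "123456", "000000", "111111"}

def is_weak_pin(pin: str) -> bool:
    """Reject PINs that are non-numeric, shorter than 4 digits, on the denylist,
    a single repeated digit, or an ascending/descending run such as 1234 or 6543."""
    if not pin.isdigit() or len(pin) < 4:
        return True
    if pin in WEAK_PINS or len(set(pin)) == 1:
        return True
    steps = {int(b) - int(a) for a, b in zip(pin, pin[1:])}
    return steps in ({1}, {-1})

@dataclass
class LoginGuard:
    """Per-phone-number failure counter with a temporary lockout (assumed thresholds)."""
    max_failures: int = 5
    lockout: timedelta = timedelta(minutes=15)
    failures: dict = field(default_factory=dict)  # number -> (fail_count, locked_until)

    def attempt(self, number: str, pin: str, correct_pin: str, now: datetime) -> str:
        count, locked_until = self.failures.get(number, (0, None))
        if locked_until is not None and now < locked_until:
            return "locked"           # never evaluate the PIN while the account is locked
        if pin == correct_pin:
            self.failures.pop(number, None)   # success clears the counter
            return "ok"
        count += 1
        if count >= self.max_failures:
            self.failures[number] = (0, now + self.lockout)
            return "locked"
        self.failures[number] = (count, None)
        return "denied"

def simulate_guessing(guard: LoginGuard, number: str, correct_pin: str,
                      guesses: list, step_seconds: float = 1.0) -> list:
    """Replay a constructed guess list against one number, one guess per step, and
    return the outcome of each attempt. Start time is an arbitrary fixed instant."""
    start = datetime(2018, 9, 1, 12, 0, 0)
    return [guard.attempt(number, g, correct_pin, start + timedelta(seconds=i * step_seconds))
            for i, g in enumerate(guesses)]

if __name__ == "__main__":
    print([p for p in ("1234", "0000", "6543", "2849") if is_weak_pin(p)])
    print(simulate_guessing(LoginGuard(), "+420000000000", "2849",
                            ["1234", "0000", "1111", "4321", "2222", "2849"]))
```

With one-second spacing the fifth wrong guess triggers the lockout and the subsequent correct guess is still rejected; only once the lockout window has passed does the correct PIN succeed again.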