If you use a simple, easy-to-guess password such as "QWERTY" or "1234," you might pay for your mistake by having someone access your online accounts without permission - and you may also find yourself paying out for subsequent damages and lost funds. That is, if Vodafone reportedly has its way, the portal ZDNet writes.
Recently, a court in Teplice, Czech Republic, sentenced two individuals to jail for compromising the accounts of Vodafone customers in order to make fraudulent mobile payments.
According to local media idnes.cz, two men were able to access customer accounts by testing out "1234" as a password, enabling them to order new SIM cards without permission which were picked up at local branches. These SIM cards were activated and used in mobile phones without any further authentication, as the attackers already knew the phone number and name associated with each compromised account. Once active, the SIMs were used to send premium SMS messages to gambling services.
The publication says that 667,000 crowns were stolen through the scheme, which began in April 2017. This equates to roughly $30,000.
Some customers impacted by the breach say that the "1234" password was set by default by Vodafone. It appears that access to the online self-service shop which the attackers exploited is automatic, but customers may not have been aware of the service at all at sign-up. The men have been sentenced to three and two years in jail, respectively. Vodafone, however, is reportedly refusing to pay up and wants the victims to cover the damages.
According to idnes.cz, Vodafone has argued the customers are at fault as they are responsible for the strength of their password. A Vodafone spokesperson told the publication that the default, weak password was not an automatic element; but rather, employees were able to set up an account with "1234" if customers could not decide on their password choice in-store -- but they would have been warned to change it to something stronger later.
A number of victims have denied knowing the supermarket existed at all until the time of the theft. The publication reports that some account holders impacted by the scheme have received debt collectors at their door to recoup lost funds.
"If the account was misused by an unknown offender, the correct procedure is that the customer will report the situation to the Czech police and file a criminal complaint," the Vodafone spokesperson said. "Unfortunately, we cannot compensate for the charged amount."
Jiri Kropac, the head of Threat Detection Labs at ESET, tested the portal on behalf of Bleeping Computer and confirmed that the portal's inherent security is poor as a password can only consist of four to six numbers. This is not difficult to brute-force attack.
Vodafone's apparent stance on the robbery is a dangerous one -- but it is not a mindset which hasn't been raised before. Former UK Met Police chief Sir Bernard Hogan-Howe, when he was in his previous role, said that customers who become victims of financial fraud should not be compensated by banks. Some banks argue that if a payment is made voluntarily, they should not be held responsible for such losses.
In 2015, Vodafone experienced a data breach which led to the theft of sensitive information belonging to 1,827 UK customers. The telecoms giant said the cyberattack was not due to vulnerable company systems, but rather, email address and password credentials were taken "from an unknown source" outside of Vodafone.
A Vodafone CZ spokesperson told ZDNet:
"We were sorry to hear that some of our customers fell victim to targeted fraudulent activity by criminals. We make it very clear to all our customers that they need strong, unique passwords in order to protect themselves from this kind of criminal behaviour.
We have been working with law enforcement to ensure that those responsible were brought to justice and compensate our customers."