
Vodafone Hacker Accesses 2 Million Customers’ Banking Data - basdevries
http://www.businessweek.com/news/2013-09-12/vodafone-germany-hacker-accesses-2-million-clients-banking-data
======
sehrope
> A person with insider knowledge stole data including names, addresses, birth
> dates, and bank account information, the world’s second-biggest mobile-phone
> carrier said in a statement today.

Am I correct in understanding that the data stolen is Vodafone's customer
payment details (ex: for auto payments)? At first read I thought that Vodafone
had gotten into banking but I don't think that makes sense.

> The hacker had no access to credit-card information, passwords, PIN numbers
> or mobile-phone numbers, Vodafone said.

Credit card numbers and passwords I can understand as not being accessible
(both can be either escrowed or hashed) but I don't see how it's possible to
not have access to mobile phone numbers. If Vodafone is anything like US
carriers then your phone number is basically your account number (sometimes a
couple extra digits, usually nothing though). Does anyone really think they
have a separate account # per customer with just the above data referenced
to it?

~~~
objclxt
> _If Vodafone is anything like US carriers then your phone number is
> basically your account number_

Although to the customer it may appear that your phone number is your account
number, that normally isn't the case. This is for a number of reasons:

* Phone numbers can change either through porting or by choice (i.e., due to nuisance/harassment, etc.)

* Single 'accounts' can have multiple phone numbers (i.e., a family plan)

* Some plans may have phone numbers that are opaque to the user (i.e., 3G dongles, etc.)

In the carrier systems I've seen / worked on there has normally been a unique
account identifier that isn't the MSISDN.

------
icecreampain
Customers punished by Vodafone's stupidity: 2 million
Vodafone execs fired: 0
Vodafone execs given raises: several

Status quo is maintained.

~~~
patio11
I don't know why technologists would ever want a social norm of responding to
security vulnerabilities by severely punishing the people "responsible" for
them. It is highly, highly unlikely that anyone in the C suite made any
decision which proximately caused this vulnerability.

Instead, it is likely that you're advocating for firing a modestly compensated
engineer whose crime is shared by _substantially every production system
everywhere_.

~~~
wglb
I vividly remember reading Cuckoo's Egg where he is describing all the
machines in the field that shipped with username "Field" password "Service"
that were open doors. I thought at the time that the folks responsible for
those deployments ought to get a citation rather than throwing teenagers in
jail.

I wonder now how things might be now. Would folks think a bit more about
deploying busted web sites?

