Security WTF



  •  Hello all, I'm not sure this quite fits here but I'm slightly stuck for ideas so I thought I'd see what other people make of it.

    I recently signed up for a mobile contract from the French division of a major network. When I did so they supplied me with a 4-digit PIN to access my client area via their website, view bills, modify account details etc. I immediately tried to change the PIN for something more secure, only to get an error message saying the PIN was incorrect. I contacted support and after a bit of back and forth, they asked me if I was complying with their password restrictions: it has to be 4 digits. No letters, only numbers. When I pointed out that this was very insecure they responded that no-one had ever complained so it can't be a problem, and if I want to keep it secure I should change my password regularly. Like, every 6 hours I assume.

    So, am I being unreasonable to expect a level of security that a 12-year-old with a copy of John the Ripper can't crack inside 24 hours? There are no restrictions on the number of attempts you can make via the website.
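As an added example (not part of the thread and not any carrier's code), the following constructed Python mock shows why the combination described above matters: a 4-digit numeric PIN and no limit on login attempts. `PinPortal`, the `COMMON_PINS` ordering and the lockout threshold of 5 failures are assumptions made for the illustration. The same attacker code is run against an unthrottled portal and against one that locks the account after a few consecutive failures.

```python
"""Online guessing against a 4-digit numeric PIN: unthrottled vs. attempt-limited.

Constructed mock of a customer-area login (assumption; not a real carrier's system).
"""
import hashlib
import hmac
import itertools
import secrets
from typing import Iterator, Optional, Tuple

PIN_LENGTH = 4
PIN_SPACE = 10 ** PIN_LENGTH  # 10,000 possible PINs

# Guesses an attacker would try first; this ordering is an assumption for illustration.
COMMON_PINS = ["1234", "0000", "1111", "1212", "7777"]


def hash_pin(pin: str, salt: bytes) -> bytes:
    """Salted hash as stored server-side. Irrelevant to online guessing:
    the attacker never sees it, they simply submit guesses to the login form."""
    return hashlib.sha256(salt + pin.encode()).digest()


class PinPortal:
    """Mock login. max_failures=None reproduces 'no restriction on the number
    of attempts'; an integer locks the account after that many consecutive
    failures (a hypothetical countermeasure, not the carrier's)."""

    def __init__(self, pin: str, max_failures: Optional[int]) -> None:
        if not (pin.isdigit() and len(pin) == PIN_LENGTH):
            raise ValueError("PIN must be exactly %d digits" % PIN_LENGTH)
        self.salt = secrets.token_bytes(16)
        self.pin_hash = hash_pin(pin, self.salt)
        self.max_failures = max_failures
        self.failed = 0
        self.locked = False
        self.attempts_seen = 0  # server-side count of login requests

    def login(self, guess: str) -> bool:
        self.attempts_seen += 1
        if self.locked:
            return False
        if hmac.compare_digest(hash_pin(guess, self.salt), self.pin_hash):
            self.failed = 0
            return True
        self.failed += 1
        if self.max_failures is not None and self.failed >= self.max_failures:
            self.locked = True
        return False


def candidate_pins() -> Iterator[str]:
    """Common PINs first, then the rest of the space in order, without repeats."""
    seen = set()
    for guess in itertools.chain(COMMON_PINS,
                                 (f"{n:0{PIN_LENGTH}d}" for n in range(PIN_SPACE))):
        if guess not in seen:
            seen.add(guess)
            yield guess


def brute_force(portal: PinPortal) -> Optional[str]:
    """Submit guesses until one succeeds or the account locks."""
    for guess in candidate_pins():
        if portal.login(guess):
            return guess
        if portal.locked:
            return None
    return None


def attack(pin: str, max_failures: Optional[int]) -> Tuple[Optional[str], int]:
    """Run the guessing attack; return (recovered PIN or None, requests sent)."""
    portal = PinPortal(pin, max_failures)
    return brute_force(portal), portal.attempts_seen


def seconds_to_exhaust(requests_per_second: float) -> float:
    """Worst-case time to try every PIN at a given request rate."""
    return PIN_SPACE / requests_per_second


if __name__ == "__main__":
    print("unthrottled, worst-case PIN 9999:", attack("9999", None))
    print("unthrottled, PIN 1234:", attack("1234", None))
    print("lock after 5 failures, PIN 9999:", attack("9999", 5))
    print("at 10 requests/s the whole space takes %.0f minutes"
          % (seconds_to_exhaust(10) / 60))
```

Against the unthrottled portal the worst-case PIN falls after all 10,000 requests, which at a modest 10 requests per second is under 17 minutes; against the lockout variant the same attacker is stopped after 5 requests. A hard lockout has its own cost (anyone can lock a customer out by guessing wrong a few times), which is why real portals tend to combine per-account delays with per-source rate limiting rather than relying on lockout alone; the PIN length, not the hashing, is what makes the unthrottled case hopeless.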



  • I wonder how many people have a PIN of 1234...



  • A 4-digit PIN is sufficient to lock the phone to prevent a thief from getting at your apps until you can remotely wipe it. It's not nearly sufficient to protect the billing area of a website.

    You're right, they're wrong. You need to find another carrier, one who cares about security.

