Geekzone: technology news, blogs, forums

2595 posts

Uber Geek
+1 received by user: 600

Trusted

  Reply # 1490503 11-Feb-2016 15:23

andrew027:
    @dclegg: Spark have informed me that these URLs expire.

    Yes, they expire after 18 months.

18 months?! If true, then they basically don't expire for all intents and purposes of ID theft.


3529 posts

Uber Geek
+1 received by user: 1110


  Reply # 1490586 11-Feb-2016 16:06

dclegg:
    And we're all OK with this?

    Seems like a pretty serious breach of personal data. Email is far from a secure medium. At the very least, it should require an authenticated session before allowing it to be viewed.

    Follow up: Is there a way to opt out of these electronic bills? I can't seem to find any option to do so via MySpark.

I guess if someone is making lots of dodgy 0900 for sex calls, then it looks a bit off if someone gets your invoice. But, in the days of internet do those even exist any longer?

How do I get the bill of someone considerably more famous than myself? It is an issue for them perhaps.

21012 posts

Uber Geek
+1 received by user: 4155

Trusted
Subscriber

  Reply # 1490618 11-Feb-2016 16:15
One person supports this post

The issue I have is that there is enough info on a bill to be able to initiate a number port, and that is apparently an acceptable source of 2FA for banks and stuff, so while you are on hold with Spark about why your phone isn't working, someone could be cleaning out your accounts, logging into the google etc. with an SMS 2 factor etc.





Richard rich.ms



2595 posts

Uber Geek
+1 received by user: 600

Trusted

  Reply # 1490622 11-Feb-2016 16:24
One person supports this post

surfisup1000:
    I guess if someone is making lots of dodgy 0900 for sex calls, then it looks a bit off if someone gets your invoice. But, in the days of internet do those even exist any longer?

    How do I get the bill of someone considerably more famous than myself? It is an issue for them perhaps.


Privacy issues aside, what if someone gets hold of your bill and leverages the information to gain access to your Spark account? They then use this information to gain access to other services you own. This is how identity theft starts. 

We obviously need it to become a more common occurrence here in New Zealand before people start to be more proactive or concerned about it. But it is a big deal overseas.


13 posts

Geek
+1 received by user: 6


  Reply # 1490625 11-Feb-2016 16:25
4 people support this post

Good news. Hopefully someone opens my bill and pays it for me


13833 posts

Uber Geek
+1 received by user: 2449

Trusted
Subscriber

  Reply # 1490630 11-Feb-2016 16:42

mendit:
    Good news. Hopefully someone opens my bill and pays it for me

Or uses it to get more information about you from Spark through social engineering, then uses that information to call your bank and drain your bank account.





AWS Certified Solution Architect Professional, Sysop Administrator Associate, and Developer Associate
TOGAF certified enterprise architect
Professional photographer


Nate wants an iphone
3901 posts

Uber Geek
+1 received by user: 28

Mod Emeritus
Trusted
Lifetime subscriber

  Reply # 1490654 11-Feb-2016 17:18
One person supports this post

When you log in to MySpark, you can access historic bills up to 18 months or so.
If you click on the email link, believe there is a 1 month period. Have tested old emails myself and got the following, which indicates that bill links do expire.

[screenshot attachment]

webhosting | New Zealand connections | geekzone IRC chat
Loose lips may sink ships - Be smart - Don't post internal/commercially sensitive or confidential information!


441 posts

Ultimate Geek
+1 received by user: 125

Subscriber

  Reply # 1490661 11-Feb-2016 17:37

If someone has access to your email they can initiate a password reset and get all your bills.

Email is sufficient for this stuff. In most cases the email will be sent from Spark to Yahoo/Google/Microsoft using opportunistic TLS and downloaded by the user using pops/imaps/https. If you don't trust those companies, you've got bigger issues.

4387 posts

Uber Geek
+1 received by user: 820

Trusted
Lifetime subscriber

  Reply # 1491234 12-Feb-2016 15:56

@dclegg:
    Privacy issues aside, what if someone gets hold of your bill and leverages the information to gain access to your Spark account? They then use this information to gain access to other services you own. This is how identity theft starts.

How do you go about doing this?

Other than in the movies, it requires a bit more than pressing a few buttons on the keyboard.

2595 posts

Uber Geek
+1 received by user: 600

Trusted

  Reply # 1491261 12-Feb-2016 16:30

nakedmolerat:
    How do you go about doing this?

    Other than in the movies, it requires a bit more than pressing a few buttons on the keyboard.

Going about getting the bill? Or leveraging the information once done?

For the former, it'd be trivial to write an app to perform an HTTP GET using the base URL, incrementing the UUID for each request. For any responses that return a PDF, you have a hit. Save that to file, and use the information later. If the URLs really do take 18 months to expire, it may be feasible to be able to crack a few of these with enough hardware thrown at the problem (disclaimer: I've not done the math on this, but it would be interesting to do so).

And nefarious cracking attempts aside, what about accidental sharing of the URL? E.g. sending it to your partner via email or TXT, but sending to the wrong recipient.

For the latter, there is enough information on there to use social engineering to gain access to the user's Spark account. And considering the amount of users out there that use an ISP email (we still do), that will unlock access to even more of the user's information and accounts.

I'll say it again, I'm quite surprised that more people aren't concerned about this. I'd expect it from the general public, but not from the more technically minded folks here. The same that do acknowledge that companies storing passwords in plain text in their databases are a security risk.


21012 posts

Uber Geek
+1 received by user: 4155

Trusted
Subscriber

  Reply # 1491264 12-Feb-2016 16:34

I would assume that there are brute force prevention measures on the bills as you have on a password etc. It is a huge string too.








2595 posts

Uber Geek
+1 received by user: 600

Trusted

  Reply # 1491267 12-Feb-2016 16:41

richms:
    I would assume that there are brute force prevention measures on the bills as you have on a password etc. It is a huge string too.

I would've also assumed that clicking on my bill URL would throw up an authentication challenge, but this assumption was incorrect (and what motivated me to investigate further). So I wouldn't necessarily assume this is true.

One such brute force prevention measure would be to have expiring URLs. But if these do really last 18 months, it's almost as bad as having no expiry.

I concede it is a huge string. So as I said, it would be interesting to crunch the numbers to see how long it would take to generate a successful hit. 


Fully Operational
3343 posts

Uber Geek
+1 received by user: 1088

Trusted
Vocus
Subscriber

  Reply # 1491272 12-Feb-2016 16:51
2 people support this post

dclegg:
    richms:
        I would assume that there are brute force prevention measures on the bills as you have on a password etc. It is a huge string too.

    I would've also assumed that clicking on my bill URL would throw up an authentication challenge, but this assumption was incorrect (and what motivated me to investigate further). So I wouldn't necessarily assume this is true.

    One such brute force prevention measure would be to have expiring URLs. But if these do really last 18 months, it's almost as bad as having no expiry.

    I concede it is a huge string. So as I said, it would be interesting to crunch the numbers to see how long it would take to generate a successful hit.

It depends on how they're generating it (how much entropy there is) and how long it is.

If it is a 128 bit GUID and it's securely generated, then the answer is "a very long time" and certainly it would be noticed.
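The numbers this post and dclegg's "crunch the numbers" remark call for, as an added worked example (written for this page, not code from any poster or from Spark): the model takes a token's random bit length, how many links are live at once (issue rate times expiry window), and a request rate, and returns the expected time until the first random guess lands on a valid link. The bill volume, request rate and the 64-bit scheme are constructed assumptions; the only fixed fact is that a version-4 UUID carries 122 random bits. It shows why a securely generated GUID is safe regardless of the 1- or 18-month window (the window only changes the answer linearly) and why a counter-style id would not be.

```python
import math

# A version-4 UUID has 128 bits, of which 6 are fixed version/variant fields.
UUID4_RANDOM_BITS = 122
SECONDS_PER_YEAR = 365.25 * 24 * 3600


def live_tokens(bills_per_month: int, expiry_months: int) -> int:
    """Links valid at any one moment (constructed model: steady issue rate,
    every link lives exactly `expiry_months`)."""
    return bills_per_month * expiry_months


def expected_guesses(token_bits: int, live: int) -> float:
    """Expected number of uniformly random guesses before one lands on any of
    `live` valid tokens drawn from a 2**token_bits space."""
    if live <= 0:
        raise ValueError("need at least one live token")
    space = 2.0 ** token_bits
    # A space smaller than the number of live tokens (a plain counter with no
    # randomness) means the very first guess is expected to hit.
    return max(1.0, space / live)


def years_to_first_hit(token_bits: int, live: int, requests_per_second: float) -> float:
    """Expected wall-clock years to the first hit at a sustained request rate."""
    return expected_guesses(token_bits, live) / requests_per_second / SECONDS_PER_YEAR


def sequential_id_bits(total_issued: int) -> int:
    """A counter-style id has no more entropy than log2 of how many exist."""
    return max(1, math.ceil(math.log2(total_issued)))


def compare(bills_per_month: int = 1_000_000, requests_per_second: float = 10_000.0):
    """Tabulate the estimate for three token schemes and both expiry windows
    mentioned in the thread. Volumes and rate are constructed assumptions."""
    schemes = (
        ("sequential id", sequential_id_bits(bills_per_month * 18)),
        ("64-bit random", 64),
        ("UUIDv4 (122 random bits)", UUID4_RANDOM_BITS),
    )
    rows = []
    for label, bits in schemes:
        for months in (1, 18):
            years = years_to_first_hit(bits, live_tokens(bills_per_month, months),
                                       requests_per_second)
            rows.append((label, months, years))
    return rows


if __name__ == "__main__":
    for label, months, years in compare():
        print(f"{label:26s} expiry {months:2d} mo: {years:.3g} years to first expected hit")
```

The 18-month window makes a random-guess attack exactly 18 times cheaper than a 1-month one, which is still nowhere near feasible for a 122-bit token; the expiry matters far more for the accidental-sharing and password-reset scenarios raised elsewhere in the thread than for brute force.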


4387 posts

Uber Geek
+1 received by user: 820

Trusted
Lifetime subscriber

  Reply # 1491279 12-Feb-2016 17:05
One person supports this post

@dclegg:
    Going about getting the bill? Or leveraging the information once done?

    For the former, it'd be trivial to write an app to perform an HTTP GET using the base URL, incrementing the UUID for each request. For any responses that return a PDF, you have a hit. Save that to file, and use the information later. If the URLs really do take 18 months to expire, it may be feasible to be able to crack a few of these with enough hardware thrown at the problem (disclaimer: I've not done the math on this, but it would be interesting to do so).

As noted above - the link only lasts for 1 month. It may be feasible still - but is the effort worth it? Really?

@dclegg:
    And nefarious cracking attempts aside, what about accidental sharing of the URL? E.g. sending it to your partner via email or TXT, but sending to the wrong recipient.

You can make the same error with a PDF attachment.

@dclegg:
    For the latter, there is enough information on there to use social engineering to gain access to the user's Spark account. And considering the amount of users out there that use an ISP email (we still do), that will unlock access to even more of the user's information and accounts.

Sure - this however depends on the information that they need. It is probably easier to get that from somewhere else than cracking those URLs just to get your phone bills.

@dclegg:
    I'll say it again, I'm quite surprised that more people aren't concerned about this. I'd expect it from the general public, but not from the more technically minded folks here. The same that do acknowledge that companies storing passwords in plain text in their databases are a security risk.

As mentioned many times in this thread - the risk is no worse than resetting your password using email address etc.






21012 posts

Uber Geek
+1 received by user: 4155

Trusted
Subscriber

  Reply # 1491281 12-Feb-2016 17:07

I think the 18 month thing could do with looking at however. That seems absurdly long. Accessing past bills is an ideal way to make people log in etc when you can then present them with offers etc so I would expect a link to become invalid as soon as the next bill is issued.





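To make the expiry argument in this post (and dclegg's earlier point that expiring URLs are themselves a brute-force defence) concrete, here is an added example of a bill link token that carries its own expiry and cannot be forged: the URL's opaque part is the claims plus an HMAC under a server-side key, verified in constant time before anything in it is trusted, and optionally refused once a newer bill exists for the account. This is illustration code written for this page, not Spark's implementation or any poster's; the key, the one-month TTL (the window reported earlier in the thread), the JSON claim layout and the account and bill ids are all constructed assumptions.

```python
import base64
import binascii
import hashlib
import hmac
import json
import secrets
from typing import Optional

# Constructed demo key; a real service would load it from a secrets store and
# rotate it. Nothing here is Spark's implementation.
SERVER_KEY = secrets.token_bytes(32)
LINK_TTL_SECONDS = 30 * 24 * 3600  # assumed one-month validity
TAG_LEN = hashlib.sha256().digest_size  # 32 bytes of HMAC-SHA256


def _sign(payload: bytes, key: bytes) -> bytes:
    return hmac.new(key, payload, hashlib.sha256).digest()


def make_bill_link_token(account_id: str, bill_id: str, issued_at: int,
                         key: bytes = SERVER_KEY, ttl: int = LINK_TTL_SECONDS) -> str:
    """Build the opaque path segment of a bill URL: JSON claims with an
    absolute expiry, followed by their HMAC, base64url-encoded."""
    claims = {"acct": account_id, "bill": bill_id, "exp": issued_at + ttl}
    payload = json.dumps(claims, separators=(",", ":"), sort_keys=True).encode()
    return base64.urlsafe_b64encode(payload + _sign(payload, key)).decode().rstrip("=")


def verify_bill_link_token(token: str, now: int, key: bytes = SERVER_KEY,
                           latest_bill: Optional[dict] = None) -> Optional[dict]:
    """Return the claims if the token is authentic and unexpired, else None.
    With `latest_bill` ({account_id: newest bill_id}) supplied, links to
    superseded bills are refused too, which is the behaviour suggested above."""
    try:
        raw = base64.urlsafe_b64decode(token + "=" * (-len(token) % 4))
    except (ValueError, binascii.Error):
        return None
    if len(raw) <= TAG_LEN:
        return None
    payload, tag = raw[:-TAG_LEN], raw[-TAG_LEN:]
    # Constant-time check first: the payload is untrusted until the tag matches.
    if not hmac.compare_digest(tag, _sign(payload, key)):
        return None
    try:
        claims = json.loads(payload)
    except ValueError:
        return None
    if not isinstance(claims, dict):
        return None
    exp = claims.get("exp")
    if not isinstance(exp, int) or now >= exp:
        return None
    if latest_bill is not None and latest_bill.get(claims.get("acct")) != claims.get("bill"):
        return None
    return claims


if __name__ == "__main__":
    issued = 1_455_000_000  # constructed timestamp
    token = make_bill_link_token("acct-42", "bill-2016-02", issued)
    print("link:", f"https://bills.example/view/{token}")
    print("valid now:", verify_bill_link_token(token, issued + 60) is not None)
    print("valid after TTL:", verify_bill_link_token(token, issued + LINK_TTL_SECONDS) is not None)
```

Because the tag depends on a secret key, guessing tokens is no easier than guessing the key, and because the expiry is inside the signed payload it cannot be extended by editing the URL. Pairing the token with the `latest_bill` lookup gives the "invalid as soon as the next bill is issued" behaviour without storing every link; an authenticated session on top of it, as dclegg asked for, is still the stronger design for anything that exposes account details.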
