Geekzone: technology news, blogs, forums
dclegg
#1490503 11-Feb-2016 15:23

andrew027:
    @dclegg: Spark have informed me that these URLs expire.
    Yes, they expire after 18 months.

18 months?! If true, then they basically don't expire for all intents and purposes of ID theft.


surfisup1000
#1490586 11-Feb-2016 16:06

dclegg:
    And we're all OK with this?

    Seems like a pretty serious breach of personal data. Email is far from a secure medium. At the very least, it should require an authenticated session before allowing it to be viewed.

    Follow up: Is there a way to opt out of these electronic bills? I can't seem to find any option to do so via MySpark.

I guess if someone is making lots of dodgy 0900 for sex calls, then it looks a bit off if someone gets your invoice. But, in the days of the internet, do those even exist any longer?

How do I get the bill of someone considerably more famous than myself? It is an issue for them perhaps.

richms
#1490618 11-Feb-2016 16:15

The issue I have is that there is enough info on a bill to be able to initiate a number port, and that is apparently an acceptable source of 2FA for banks and stuff, so while you are on hold with Spark about why your phone isn't working, someone could be cleaning out your accounts, logging into Google etc. with SMS two-factor etc.

Richard rich.ms

dclegg
#1490622 11-Feb-2016 16:24

surfisup1000:
    I guess if someone is making lots of dodgy 0900 for sex calls, then it looks a bit off if someone gets your invoice. But, in the days of the internet, do those even exist any longer?

    How do I get the bill of someone considerably more famous than myself? It is an issue for them perhaps.

Privacy issues aside, what if someone gets hold of your bill and leverages the information to gain access to your Spark account? They then use this information to gain access to other services you own. This is how identity theft starts.

We obviously need it to become a more common occurrence here in New Zealand before people start to be more proactive or concerned about it. But it is a big deal overseas.


mendit
#1490625 11-Feb-2016 16:25

Good news. Hopefully someone opens my bill and pays it for me.


timmmay
#1490630 11-Feb-2016 16:42

mendit:
    Good news. Hopefully someone opens my bill and pays it for me.

Or uses it to get more information about you from Spark through social engineering, then uses that information to call your bank and drain your bank account.


cokemaster
#1490654 11-Feb-2016 17:18

When you log in to MySpark, you can access historic bills up to 18 months or so.
If you click on the email link, I believe there is a 1 month period. I have tested old emails myself and got the following, which indicates that bill links do expire.

[screenshot of the expired-link message]

Loose lips may sink ships - Be smart - Don't post internal/commercially sensitive or confidential information!


hashbrown
#1490661 11-Feb-2016 17:37

If someone has access to your email they can initiate a password reset and get all your bills.

Email is sufficient for this stuff. In most cases the email will be sent from Spark to Yahoo/Google/Microsoft using opportunistic TLS and downloaded by the user using POPS/IMAPS/HTTPS. If you don't trust those companies, you've got bigger issues.

nakedmolerat
#1491234 12-Feb-2016 15:56

@dclegg:
    Privacy issues aside, what if someone gets hold of your bill and leverages the information to gain access to your Spark account? They then use this information to gain access to other services you own. This is how identity theft starts.

How do you go about doing this?

Other than in the movies, it requires a bit more than pressing a few buttons on the keyboard.

dclegg
#1491261 12-Feb-2016 16:30

nakedmolerat:
    How do you go about doing this?

    Other than in the movies, it requires a bit more than pressing a few buttons on the keyboard.

Going about getting the bill? Or leveraging the information once done?

For the former, it'd be trivial to write an app to perform an HTTP GET using the base URL, incrementing the UUID for each request. For any responses that return a PDF, you have a hit. Save that to file, and use the information later. If the URLs really do take 18 months to expire, it may be feasible to crack a few of these with enough hardware thrown at the problem (disclaimer: I've not done the math on this, but it would be interesting to do so).

And nefarious cracking attempts aside, what about accidental sharing of the URL? E.g. sending it to your partner via email or TXT, but sending it to the wrong recipient.

For the latter, there is enough information on there to use social engineering to gain access to the user's Spark account. And considering the number of users out there that use an ISP email (we still do), that will unlock access to even more of the user's information and accounts.

I'll say it again, I'm quite surprised that more people aren't concerned about this. I'd expect it from the general public, but not from the more technically minded folks here. The same people who acknowledge that companies storing passwords in plain text in their databases are a security risk.


richms
#1491264 12-Feb-2016 16:34

I would assume that there are brute force prevention measures on the bills as you have on a password etc. It is a huge string too.

Richard rich.ms

dclegg
#1491267 12-Feb-2016 16:41

richms:
    I would assume that there are brute force prevention measures on the bills as you have on a password etc. It is a huge string too.

I would've also assumed that clicking on my bill URL would throw up an authentication challenge, but this assumption was incorrect (and what motivated me to investigate further). So I wouldn't necessarily assume this is true.

One such brute force prevention measure would be to have expiring URLs. But if these do really last 18 months, it's almost as bad as having no expiry.

I concede it is a huge string. So as I said, it would be interesting to crunch the numbers to see how long it would take to generate a successful hit.


ubergeeknz
#1491272 12-Feb-2016 16:51

dclegg:
    richms:
        I would assume that there are brute force prevention measures on the bills as you have on a password etc. It is a huge string too.

    I would've also assumed that clicking on my bill URL would throw up an authentication challenge, but this assumption was incorrect (and what motivated me to investigate further). So I wouldn't necessarily assume this is true.

    One such brute force prevention measure would be to have expiring URLs. But if these do really last 18 months, it's almost as bad as having no expiry.

    I concede it is a huge string. So as I said, it would be interesting to crunch the numbers to see how long it would take to generate a successful hit.

It depends on how they're generating it (how much entropy there is) and how long it is.

If it is a 128-bit GUID and it's securely generated, then the answer is "a very long time" and certainly it would be noticed.
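The numbers dclegg wanted crunched, and ubergeeknz's point that it depends on how the token is generated, as an added example that is not part of the thread and not Spark's scheme. The token formats, the 18-month/1-month windows and the attacker's request rate are assumptions: a version 4 UUID gives 122 random bits, while a version 1 (time-based) UUID collapses to the timestamp window plus a 14-bit clock sequence once the attacker knows when the bill was issued and which host minted it, so "incrementing the UUID" only gets you somewhere against the latter.

```python
"""Added example: how long a blind URL-guessing sweep would take, as a
function of how the token is generated.  Nothing here is Spark's actual
scheme; token formats and attacker parameters are assumptions."""
import math
import uuid
from typing import Tuple

TICKS_PER_SECOND = 10_000_000   # RFC 4122 v1 timestamps count 100 ns ticks
SECONDS_PER_YEAR = 365.25 * 86_400


def guessable_bits(token: str, issue_window_seconds: float = 0.0,
                   node_known: bool = False) -> float:
    """log2 of the space an attacker must search for a token shaped like this.

    v4: 122 random bits (the other 6 are fixed version/variant fields).
    v1: 60-bit timestamp + 14-bit clock sequence + 48-bit node.  If the
        attacker knows roughly when the bill was issued (issue_window_seconds)
        and which host generated it (node_known), the space collapses.
    Anything else is treated as an opaque 128-bit value.
    """
    u = uuid.UUID(token)            # raises ValueError if not a UUID at all
    if u.version == 4:
        return 122.0
    if u.version == 1:
        if issue_window_seconds > 0:
            ts_bits = math.log2(issue_window_seconds * TICKS_PER_SECOND)
        else:
            ts_bits = 60.0
        node_bits = 0.0 if node_known else 48.0
        return ts_bits + 14.0 + node_bits
    return 128.0


def expected_seconds_to_first_hit(search_bits: float, live_tokens: int,
                                  requests_per_second: float) -> float:
    """Expected time until uniform random guessing lands on any one of
    `live_tokens` currently valid URLs, with no rate limiting in the way.
    Longer expiry => more live tokens => proportionally less time."""
    if live_tokens <= 0 or requests_per_second <= 0:
        raise ValueError("live_tokens and requests_per_second must be positive")
    expected_guesses = 2.0 ** search_bits / live_tokens
    return expected_guesses / requests_per_second


def years(seconds: float) -> float:
    return seconds / SECONDS_PER_YEAR


def sample_tokens() -> Tuple[str, str]:
    """A fresh v4 and v1 UUID string, to feed guessable_bits()."""
    return str(uuid.uuid4()), str(uuid.uuid1())


if __name__ == "__main__":
    # Constructed attacker model (assumptions): 1M customers billed monthly,
    # 18 months of links still live, 10k GET/s sustained and never blocked.
    live = 1_000_000 * 18
    rps = 10_000.0
    v4, v1 = sample_tokens()
    t_v4 = expected_seconds_to_first_hit(guessable_bits(v4), live, rps)
    print(f"v4 token, {live:,} live links: {years(t_v4):.3g} years to first hit")
    # v1 token, attacker knows the billing month and the generating host.
    b = guessable_bits(v1, issue_window_seconds=30 * 86_400, node_known=True)
    t_v1 = expected_seconds_to_first_hit(b, live, rps)
    print(f"v1 token, month + node known: {b:.1f} bits, {years(t_v1):.3g} years")
```

Run it as-is to see both ends of the range: with a securely generated v4 token the 18-month window barely matters, because eighteen million live links still leave well over 100 bits to search; with a time-based v1 token the same window is what makes the sweep practical. The model assumes the server never rate-limits or alerts, which is exactly the "it would be noticed" caveat above.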


nakedmolerat
#1491279 12-Feb-2016 17:05

@dclegg:
    Going about getting the bill? Or leveraging the information once done?

    For the former, it'd be trivial to write an app to perform an HTTP GET using the base URL, incrementing the UUID for each request. For any responses that return a PDF, you have a hit. Save that to file, and use the information later. If the URLs really do take 18 months to expire, it may be feasible to crack a few of these with enough hardware thrown at the problem (disclaimer: I've not done the math on this, but it would be interesting to do so).

As noted above, the link only lasts for 1 month. It may be feasible still, but is the effort worth it? Really?

    And nefarious cracking attempts aside, what about accidental sharing of the URL? E.g. sending it to your partner via email or TXT, but sending it to the wrong recipient.

You can make the same error with a PDF attachment.

    For the latter, there is enough information on there to use social engineering to gain access to the user's Spark account. And considering the number of users out there that use an ISP email (we still do), that will unlock access to even more of the user's information and accounts.

Sure, this however depends on the information that they need. It is probably easier to get that from somewhere else than cracking those URLs just to get your phone bills.

    I'll say it again, I'm quite surprised that more people aren't concerned about this. I'd expect it from the general public, but not from the more technically minded folks here. The same people who acknowledge that companies storing passwords in plain text in their databases are a security risk.

As mentioned many times in this thread, the risk is no worse than resetting your password using your email address etc.

richms
#1491281 12-Feb-2016 17:07

I think the 18 month thing could do with looking at, however. That seems absurdly long. Accessing past bills is an ideal way to make people log in etc. when you can then present them with offers etc., so I would expect a link to become invalid as soon as the next bill is issued.

Richard rich.ms
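The two controls argued for in this thread, an authenticated session before the bill is served (dclegg) and links that die after one billing cycle rather than 18 months (richms), as an added example of how a bill link could be minted and checked. This is not Spark's code; the server key, the URL, the claim names and the 30-day TTL are all assumptions. The token carries no secret of its own: account, bill and expiry are bound under an HMAC, so a link cannot be forged or extended without the key, and even a genuine link is useless to whoever receives a mis-sent TXT because the session must belong to the account on the bill.

```python
"""Added example of an authorised, short-lived bill link.  Not Spark's
implementation; key, URL, field names and TTL are made up for illustration."""
import base64
import hashlib
import hmac
import json
from typing import Optional

SERVER_KEY = b"constructed-demo-key-do-not-reuse"   # assumption: server-side secret
DEFAULT_TTL_SECONDS = 30 * 86_400                    # one billing cycle, not 18 months


class BillLinkError(Exception):
    """Token is malformed, tampered with, or expired."""


def _b64e(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def _b64d(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def make_bill_link(base_url: str, account_id: str, bill_id: str,
                   issued_at: int, ttl_seconds: int = DEFAULT_TTL_SECONDS,
                   key: bytes = SERVER_KEY) -> str:
    """Mint a link whose token binds account, bill and expiry under an HMAC.
    Nothing in the token is secret; forging or extending one needs the key."""
    claims = {"acct": account_id, "bill": bill_id, "exp": issued_at + ttl_seconds}
    body = _b64e(json.dumps(claims, separators=(",", ":"), sort_keys=True).encode())
    sig = _b64e(hmac.new(key, body.encode("ascii"), hashlib.sha256).digest())
    return f"{base_url}?t={body}.{sig}"


def verify_bill_token(token: str, now: int, key: bytes = SERVER_KEY) -> dict:
    """Check the signature first (constant time), then expiry; return claims."""
    try:
        body, sig = token.split(".", 1)
    except ValueError:
        raise BillLinkError("malformed token") from None
    expected = _b64e(hmac.new(key, body.encode("ascii"), hashlib.sha256).digest())
    if not hmac.compare_digest(expected, sig):
        raise BillLinkError("bad signature")
    try:
        claims = json.loads(_b64d(body))
    except (ValueError, UnicodeDecodeError):
        raise BillLinkError("malformed claims") from None
    if now >= claims["exp"]:
        raise BillLinkError("link expired")
    return claims


def serve_bill(token: str, session_account_id: Optional[str], now: int,
               key: bytes = SERVER_KEY) -> str:
    """Only an authenticated session whose account owns the bill gets it.
    A leaked or forwarded link on its own is not enough."""
    claims = verify_bill_token(token, now, key)
    if session_account_id is None:
        raise PermissionError("login required")
    if not hmac.compare_digest(claims["acct"].encode(), session_account_id.encode()):
        raise PermissionError("bill belongs to a different account")
    return claims["bill"]


def token_from_link(link: str) -> str:
    return link.split("?t=", 1)[1]


if __name__ == "__main__":
    # Constructed walk-through: mint at t=1000, check at t=1500 and after expiry.
    link = make_bill_link("https://example.invalid/bill", "A1", "B1", 1_000, 86_400)
    tok = token_from_link(link)
    print(serve_bill(tok, "A1", 1_500))                 # owner, in window: B1
    for sess, t in ((None, 1_500), ("A2", 1_500), ("A1", 1_000 + 86_400)):
        try:
            serve_bill(tok, sess, t)
        except (PermissionError, BillLinkError) as e:
            print(f"session={sess!r} now={t}: refused ({e})")
```

Two design notes: the HMAC is computed over the encoded body string, so any edit to the token, including the expiry, fails verification before the claims are even parsed; and the ownership check is in addition to the signature, not instead of it, so an expired link to your own bill is refused as well, which is the behaviour richms expects once the next bill is issued.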
