Geekzone: technology news, blogs, forums



  Reply # 1490503 11-Feb-2016 15:23

andrew027:
  @dclegg: Spark have informed me that these URLs expire.
  Yes, they expire after 18 months.

18 months?! If true, then they basically don't expire for all intents and purposes of ID theft.




  Reply # 1490586 11-Feb-2016 16:06

dclegg:
  And we're all OK with this?

  Seems like a pretty serious breach of personal data. Email is far from a secure medium. At the very least, it should require an authenticated session before allowing it to be viewed.

  Follow up: Is there a way to opt out of these electronic bills? I can't seem to find any option to do so via MySpark.

I guess if someone is making lots of dodgy 0900-for-sex calls, then it looks a bit off if someone gets your invoice. But, in the days of the internet, do those even exist any longer?

How do I get the bill of someone considerably more famous than myself? It is an issue for them, perhaps.



  Reply # 1490618 11-Feb-2016 16:15
One person supports this post

The issue I have is that there is enough info on a bill to be able to initiate a number port, and that is apparently an acceptable source of 2FA for banks and stuff, so while you are on hold with Spark about why your phone isn't working, someone could be cleaning out your accounts, logging into Google etc. with SMS two-factor, etc.

Richard rich.ms




  Reply # 1490622 11-Feb-2016 16:24
One person supports this post

surfisup1000:
  I guess if someone is making lots of dodgy 0900-for-sex calls, then it looks a bit off if someone gets your invoice. But, in the days of the internet, do those even exist any longer?

  How do I get the bill of someone considerably more famous than myself? It is an issue for them, perhaps.

Privacy issues aside, what if someone gets hold of your bill and leverages the information to gain access to your Spark account? They then use this information to gain access to other services you own. This is how identity theft starts.

We obviously need it to become a more common occurrence here in New Zealand before people start to be more proactive or concerned about it. But it is a big deal overseas.




  Reply # 1490625 11-Feb-2016 16:25
4 people support this post

Good news. Hopefully someone opens my bill and pays it for me



  Reply # 1490630 11-Feb-2016 16:42

mendit:
  Good news. Hopefully someone opens my bill and pays it for me

Or uses it to get more information about you from Spark through social engineering, then uses that information to call your bank and drain your bank account.








  Reply # 1490654 11-Feb-2016 17:18
One person supports this post

When you log in to MySpark, you can access historic bills up to 18 months or so.
If you click on the email link, I believe there is a 1-month period. I have tested old emails myself and got the following, which indicates that bill links do expire.

[screenshot omitted]








  Reply # 1490661 11-Feb-2016 17:37

If someone has access to your email they can initiate a password reset and get all your bills.

Email is sufficient for this stuff. In most cases the email will be sent from Spark to Yahoo/Google/Microsoft using opportunistic TLS and downloaded by the user using pops/imaps/https. If you don't trust those companies, you've got bigger issues.


  Reply # 1491234 12-Feb-2016 15:56

@dclegg:
  Privacy issues aside, what if someone gets hold of your bill and leverages the information to gain access to your Spark account? They then use this information to gain access to other services you own. This is how identity theft starts.

How do you go about doing this?

Other than in the movies, it requires a bit more than pressing a few buttons on the keyboard.









  Reply # 1491261 12-Feb-2016 16:30

nakedmolerat:
  How do you go about doing this?

  Other than in the movies, it requires a bit more than pressing a few buttons on the keyboard.

Going about getting the bill? Or leveraging the information once done?

For the former, it'd be trivial to write an app to perform an HTTP GET using the base URL, incrementing the UUID for each request. For any responses that return a PDF, you have a hit. Save that to file, and use the information later. If the URLs really do take 18 months to expire, it may be feasible to be able to crack a few of these with enough hardware thrown at the problem (disclaimer: I've not done the math on this, but it would be interesting to do so).

And nefarious cracking attempts aside, what about accidental sharing of the URL? E.g. sending it to your partner via email or TXT, but sending to the wrong recipient.

For the latter, there is enough information on there to use social engineering to gain access to the user's Spark account. And considering the number of users out there that use an ISP email (we still do), that will unlock access to even more of the user's information and accounts.

I'll say it again, I'm quite surprised that more people aren't concerned about this. I'd expect it from the general public, but not from the more technically minded folks here. The same that do acknowledge that companies storing passwords in plain text in their databases are a security risk.



  Reply # 1491264 12-Feb-2016 16:34

I would assume that there are brute force prevention measures on the bills as you have on a password etc. It is a huge string too.





Richard rich.ms




  Reply # 1491267 12-Feb-2016 16:41

richms:
  I would assume that there are brute-force prevention measures on the bills as you have on a password etc. It is a huge string too.

I would've also assumed that clicking on my bill URL would throw up an authentication challenge, but this assumption was incorrect (and what motivated me to investigate further). So I wouldn't necessarily assume this is true.

One such brute-force prevention measure would be to have expiring URLs. But if these do really last 18 months, it's almost as bad as having no expiry.

I concede it is a huge string. So as I said, it would be interesting to crunch the numbers to see how long it would take to generate a successful hit.



  Reply # 1491272 12-Feb-2016 16:51
2 people support this post

dclegg:
  richms:
    I would assume that there are brute-force prevention measures on the bills as you have on a password etc. It is a huge string too.

  I would've also assumed that clicking on my bill URL would throw up an authentication challenge, but this assumption was incorrect (and what motivated me to investigate further). So I wouldn't necessarily assume this is true.

  One such brute-force prevention measure would be to have expiring URLs. But if these do really last 18 months, it's almost as bad as having no expiry.

  I concede it is a huge string. So as I said, it would be interesting to crunch the numbers to see how long it would take to generate a successful hit.

It depends on how they're generating it (how much entropy there is) and how long it is.

If it is a 128-bit GUID and it's securely generated, then the answer is "a very long time", and certainly it would be noticed.
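An added worked example, not code from this thread or from Spark, covering the arithmetic dclegg asks for above ("increment the UUID for each request", "I've not done the math") and the answer immediately above it ("it depends on how much entropy there is"). Whether a bill link can be enumerated turns on whether the identifier is a counter padded into UUID shape or a properly random v4 UUID, so the script classifies a few observed tokens first and only then estimates time to the first blind hit. The sample tokens, the 2,000,000-customer figure and the 10,000 requests/second rate are constructed assumptions for illustration; nothing here is data about Spark's links.

```python
import uuid
from typing import List, Optional

SECONDS_PER_YEAR = 365.25 * 24 * 3600

# Constructed samples, not real bill links. Both sets are syntactically valid v4
# UUIDs; only the first set was actually generated at random.
RANDOM_SAMPLE = [
    "9f1c2a7e-3b5d-4c8e-a1f0-6d2b7e9c4a13",
    "2e7d9b04-61af-4e3c-b9d2-0c5f8a1e7b6d",
    "d41a6c8f-0e27-4b91-8f5a-3e9c2d7b1a04",
]
COUNTER_SAMPLE = [  # a database row id padded into UUID shape
    "00000000-0000-4000-8000-000000000101",
    "00000000-0000-4000-8000-000000000102",
    "00000000-0000-4000-8000-000000000103",
]


def uuid_version(token: str) -> Optional[int]:
    """RFC 4122 version nibble of a UUID string, or None if it does not parse."""
    try:
        return uuid.UUID(token).version
    except ValueError:
        return None


def looks_sequential(tokens: List[str], window: int = 2 ** 32) -> bool:
    """True when consecutive samples, read as 128-bit integers, differ by less than
    `window`. Random v4 UUIDs differ by about 2**127 on average; a counter padded
    into UUID shape differs by a handful and can simply be stepped through."""
    ints = [uuid.UUID(t).int for t in tokens]
    return len(ints) >= 2 and all(abs(b - a) < window for a, b in zip(ints, ints[1:]))


def effective_bits(tokens: List[str]) -> int:
    """Bits an attacker must guess per token, judged from a few observed tokens.
    Assumption: the generator is no worse than its format shows. v4 carries
    128 - 4 version - 2 variant = 122 random bits; v1 is timestamp + MAC +
    14-bit clock sequence, so an attacker who can date the bill is left with
    roughly 14 bits; a visible counter has none."""
    versions = {uuid_version(t) for t in tokens}
    if None in versions:
        raise ValueError("not UUID-formatted; classify by hand")
    if looks_sequential(tokens):
        return 0
    if versions == {4}:
        return 122
    if versions == {1}:
        return 14
    return 0  # v3/v5 (hashes of known names) or mixed versions: treat as guessable


def live_tokens(customers: int, months_valid: int) -> int:
    """Valid links at any moment: one bill per customer per month, each live for
    `months_valid` months. An 18-month expiry gives 18 times the targets of a
    1-month one."""
    return customers * months_valid


def expected_requests(bits: int, live: int) -> float:
    """Expected blind guesses before the first hit when `live` valid tokens are
    spread uniformly over 2**bits (geometric: keyspace / live). A counter needs
    no guessing at all: the next id is a hit."""
    return 2.0 ** bits / live if bits > 0 else 1.0


def years_to_first_hit(bits: int, live: int, requests_per_second: float) -> float:
    return expected_requests(bits, live) / requests_per_second / SECONDS_PER_YEAR


if __name__ == "__main__":
    customers, rate = 2_000_000, 10_000  # assumed subscriber count and sustained req/s
    for label, sample in (("random v4", RANDOM_SAMPLE), ("counter", COUNTER_SAMPLE)):
        bits = effective_bits(sample)
        for months in (1, 18):
            yrs = years_to_first_hit(bits, live_tokens(customers, months), rate)
            print(f"{label:9s} {bits:3d} bits, {months:2d}-month expiry: {yrs:.3g} years to first hit")
```

Under those assumptions a random v4 token needs on the order of 10^17 years to the first hit whether links live one month or eighteen, so the expiry window does nothing for or against brute force; it only limits how long a link that has already leaked (forwarded, mis-sent, logged by a proxy) stays useful. A counter, by contrast, is fully enumerable regardless of how long the string looks, which is why the version nibble and a sequentiality check on a few samples are the first things to look at.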



  Reply # 1491279 12-Feb-2016 17:05
One person supports this post

@dclegg:
  Going about getting the bill? Or leveraging the information once done?

  For the former, it'd be trivial to write an app to perform an HTTP GET using the base URL, incrementing the UUID for each request. For any responses that return a PDF, you have a hit. Save that to file, and use the information later. If the URLs really do take 18 months to expire, it may be feasible to be able to crack a few of these with enough hardware thrown at the problem (disclaimer: I've not done the math on this, but it would be interesting to do so).

As noted above - the link only lasts for 1 month. It may be feasible still - but is the effort worth it? Really?

  And nefarious cracking attempts aside, what about accidental sharing of the URL? E.g. sending it to your partner via email or TXT, but sending to the wrong recipient.

You can make the same error with a PDF attachment.

  For the latter, there is enough information on there to use social engineering to gain access to the user's Spark account. And considering the number of users out there that use an ISP email (we still do), that will unlock access to even more of the user's information and accounts.

Sure - this however depends on the information that they need. It is probably easier to get that from somewhere else than cracking those URLs just to get your phone bills.

  I'll say it again, I'm quite surprised that more people aren't concerned about this. I'd expect it from the general public, but not from the more technically minded folks here. The same that do acknowledge that companies storing passwords in plain text in their databases are a security risk.

As mentioned many times in this thread - the risk is no worse than resetting your password using your email address etc.







  Reply # 1491281 12-Feb-2016 17:07

I think the 18 month thing could do with looking at however. That seems absurdly long. Accessing past bills is an ideal way to make people log in etc when you can then present them with offers etc so I would expect a link to become invalid as soon as the next bill is issued.





Richard rich.ms
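An added example, not Spark's implementation and not code from anyone in this thread, of the two mitigations the discussion keeps returning to: a link that expires (the one-month window reported above) and, as suggested in the post just above, one that stops working as soon as the next bill is issued. The link carries the account, bill id and expiry in the clear plus an HMAC over all three, so none of them can be altered without the server-side key; the server checks the MAC in constant time before anything else, then the expiry, then whether a newer bill has superseded this one. The signing key, the account and bill identifiers, the hostname and the 30-day window are all assumed values for illustration.

```python
import base64
import hashlib
import hmac
from typing import Dict, Tuple
from urllib.parse import parse_qs, urlencode, urlparse

# Assumed server-side key; a real deployment loads it from a secret store.
# Anyone holding this key can mint valid links for any account.
SECRET = b"example-only-signing-key-do-not-reuse"
ONE_MONTH = 30 * 24 * 3600  # seconds; the "1 month" window reported in the thread


def _sign(account: str, bill: str, expires: int, secret: bytes) -> str:
    """HMAC-SHA256 over every field the link must not be able to change."""
    payload = f"{account}|{bill}|{expires}".encode()
    mac = hmac.new(secret, payload, hashlib.sha256).digest()
    return base64.urlsafe_b64encode(mac).rstrip(b"=").decode()


def make_bill_link(base_url: str, account: str, bill: str, issued_at: int,
                   valid_for: int = ONE_MONTH, secret: bytes = SECRET) -> str:
    """Mint a link valid from issue until issued_at + valid_for (Unix seconds)."""
    expires = issued_at + valid_for
    sig = _sign(account, bill, expires, secret)
    return base_url + "?" + urlencode(
        {"acct": account, "bill": bill, "exp": expires, "sig": sig})


def verify_bill_link(url: str, now: int, latest_bill: Dict[str, str],
                     secret: bytes = SECRET) -> Tuple[bool, str]:
    """Return (accepted, reason). latest_bill maps account -> newest bill id,
    so an older link stops working the moment the next bill is issued."""
    q = parse_qs(urlparse(url).query)
    try:
        account, bill, sig = q["acct"][0], q["bill"][0], q["sig"][0]
        expires = int(q["exp"][0])
    except (KeyError, IndexError, ValueError):
        return False, "malformed"
    # MAC first, in constant time: a forged or guessed link is rejected before
    # any lookup, so probing reveals nothing about which ids exist.
    if not hmac.compare_digest(sig, _sign(account, bill, expires, secret)):
        return False, "bad signature"
    if now >= expires:
        return False, "expired"
    if latest_bill.get(account) != bill:
        return False, "superseded"
    return True, "ok"


if __name__ == "__main__":
    t0 = 1_455_148_800  # 11 Feb 2016 00:00 UTC, the date of this thread
    latest = {"A12345": "B0002"}  # constructed: B0002 is this account's newest bill
    link = make_bill_link("https://example.invalid/bill", "A12345", "B0002", t0)
    print(link)
    print(verify_bill_link(link, t0 + 86_400, latest))     # (True, 'ok')
    print(verify_bill_link(link, t0 + ONE_MONTH, latest))  # (False, 'expired')
    tampered = link.replace("bill=B0002", "bill=B0001")
    print(verify_bill_link(tampered, t0 + 86_400, latest))  # (False, 'bad signature')
```

The order of the checks matters: signature before expiry before supersession means an attacker stepping through ids or expiry values gets the same "bad signature" answer for everything they fabricate and learns nothing from the response. It does not answer dclegg's first complaint, though: within its window the link is still a bearer token, and whoever receives a forwarded or mis-sent email can fetch the bill. Only an authenticated session on top of the link closes that.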
