Thursday, March 22, 2018

Fullers Ferries emails clear text passwords

Are you a Fullers Ferry customer? Before you continue to read this, change your password immediately and make sure the new one is not a password you use anywhere else.

Fullers should shut down this service immediately until this is resolved.

Have you been getting random phone calls from scammers lately, wondering how they got hold of your personal information? I wonder if this is a potential source.

Recently, Fullers Ferries (a Public Transport contractor to Auckland Transport) provided a new mobile app to the citizens of Auckland City – My Ferries.

I downloaded the app to my mobile phone to find that it required me to log in before I could use it. The app provides basic information such as ferry timetables, ticket purchases and travel alerts through push notifications.

When attempting to use the app for the first time, I was asked for my user name and password. I could not remember the password I had previously set up for Fullers' online services, so I requested that my login details be emailed to me.

I expected that I would receive an email with a username and a link to reset my password. However, I received something that shocked me: a user name and a clear text password. For readers who are not familiar with the term “clear text”, it means the password was sent in readable form, exactly as I would type it, rather than being hidden or scrambled.

Why is this a concern? By operating in this manner there are a lot of people who could gain access to your password without even having to hack the Fullers system: anyone who can read your email, or any system the email passes through, sees it. Most people I know use the same password for multiple websites. This means that someone who gets hold of this password could potentially gain access to other accounts such as social media accounts, bank accounts, IT systems belonging to an employer and other essential services.

I wrote to Mike Horne, CEO of Fullers, to ask why they were using such a low form of security and to outline my concerns. I received an email back from Fullers' IT Manager, who reassured me that the passwords are encrypted in the system that they use and that this was a limitation of the software. In my view this is unacceptable. In today's world, if an end-to-end secure system cannot be assured, then the online service should not be offered.
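The gap between what the IT Manager described and what a password system should do is the difference between reversible encryption and one-way hashing. A service that can email your password back must be storing it in a form it can decrypt; a service that stores only a salted hash can check a password you type but can never produce it again, so account recovery has to work through a single-use, time-limited reset link instead. The Python below is an added example written for this post to show that design; it is not Fullers' software or anything from the My Ferries app, and the user store, token store and sample account are constructed in memory.

```python
import hashlib
import hmac
import secrets
from typing import Optional

# Constructed in-memory stores standing in for a real database (example only).
USERS = {}          # username -> {"salt": bytes, "hash": bytes}
RESET_TOKENS = {}   # sha256(token) -> {"user": str, "expires": int}

PBKDF2_ITERATIONS = 600_000      # work factor for PBKDF2-HMAC-SHA256
RESET_TOKEN_TTL_SECONDS = 15 * 60
_DUMMY_SALT = bytes(16)          # keeps timing similar for unknown users


def hash_password(password: str, salt: Optional[bytes] = None) -> tuple:
    """Return (salt, digest). The digest cannot be turned back into the password."""
    salt = salt if salt is not None else secrets.token_bytes(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ITERATIONS)
    return salt, digest


def register(username: str, password: str) -> None:
    """Store only the salt and hash; the clear text password is never kept."""
    salt, digest = hash_password(password)
    USERS[username] = {"salt": salt, "hash": digest}


def verify_password(username: str, password: str) -> bool:
    """Check a typed password against the stored hash in constant time."""
    record = USERS.get(username)
    if record is None:
        hash_password(password, _DUMMY_SALT)   # same cost whether or not the user exists
        return False
    _, candidate = hash_password(password, record["salt"])
    return hmac.compare_digest(candidate, record["hash"])


def request_password_reset(username: str, now: int) -> Optional[str]:
    """Issue a single-use, time-limited token to carry in the emailed reset link.

    Only the token's hash is stored, so a copy of the database holds nothing
    that can be pasted into a reset link. Returns None for unknown users; a
    real service would show the same "check your email" message either way.
    """
    if username not in USERS:
        return None
    token = secrets.token_urlsafe(32)
    RESET_TOKENS[hashlib.sha256(token.encode()).hexdigest()] = {
        "user": username,
        "expires": now + RESET_TOKEN_TTL_SECONDS,
    }
    return token


def complete_password_reset(token: str, new_password: str, now: int) -> bool:
    """Consume the token whether or not it is valid; set the new password only if it was."""
    entry = RESET_TOKENS.pop(hashlib.sha256(token.encode()).hexdigest(), None)
    if entry is None or now > entry["expires"]:
        return False
    register(entry["user"], new_password)
    return True


def stored_record_contains(username: str, password: str) -> bool:
    """True if the clear text password appears anywhere in the stored record.

    With hashing this is False; a system able to email the password back
    would have to hold it (or a decryptable form of it) in the record.
    """
    needle = password.encode("utf-8")
    return any(needle in value for value in USERS[username].values())


if __name__ == "__main__":
    register("alice", "correct horse battery staple")   # constructed sample account
    print("password stored in clear:", stored_record_contains("alice", "correct horse battery staple"))
    token = request_password_reset("alice", now=0)
    print("reset link would carry:", token)
    print("reset applied:", complete_password_reset(token, "new passphrase", now=60))
    print("old password still works:", verify_password("alice", "correct horse battery staple"))
```

The `now` parameter is passed in rather than read from the clock so the expiry rule can be exercised deterministically; a deployed service would use the current time. The reset token, not the password, is what the email carries, and it stops working after one use or fifteen minutes, which is the behaviour the reset link described above should have.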

The IT Manager then referred me to a privacy policy on the Fullers website. The policy is very simplistic, and basically says that Fullers will look after the information but may sell it on based on consent from you (whoever “you” is). They also mention that they may provide information to trusted third parties for specific projects covered by confidentiality agreements.

I would be interested in knowing what of my information has been provided to “trusted” parties and who these parties are. I would also like to run some background checks on staff at Fullers and their trusted third parties to ensure that I deem them safe to have my passwords.

There are so many questions that I have about online security with Fullers. If they have chosen to use a budget system, do they also have a budget firewall, budget security policies, budget security consultants, budget auditors?

