Phone House – Personal data of 12+ million Dutch mobile customers open to hackers

Basically all Dutch citizens who own a mobile phone are at risk of attack due to poor security practices at the Phone House.

The freelance IT security consultant Sijmen Ruwhof discovered that the personal information of more than 12 million Dutch mobile phone customers is exposed to cyber attacks. Ruwhof detailed all the security issues he noticed in a blog post.

Basically, all Dutch citizens who own a mobile phone are at risk of attack: the Phone House is a Dutch phone retail company that acts as a dealer for all telecom operators in the country.

Phone House points of sale are located in Media Markt stores across the country. Ruwhof went to a Phone House counter in a Media Markt store in Utrecht to get information about his phone subscription and made a disconcerting discovery: the Phone House employees had access to the customer data of all Dutch telecom operators via dealer portals, and this access appears to be very insecure.

“The sales guy starts renewing my Vodafone subscription and therefore needs to log in at a dealer portal from Vodafone. He doesn’t remember the login password, and, here it comes, on the screen he opens an Excel file which contains *all* their passwords,” Ruwhof observed. “Curiously and intensively I looked on the screen to get a picture of the treasure trove that was in front of me. Passwords to view and modify customer data of KPN, Vodafone, Telfort, T-Mobile, UPC, Tele2 and other companies were right in front of me.”

The expert also noticed that the Excel file containing the passwords was stored on Google Docs, and he could also see the login for the Google account used by Phone House.

At one point the sales guy left the PC unattended without closing the file or locking the computer. The passwords were stored in the browser, and the Excel file remained open at all times and was often visible on the screen.

Ruwhof visited the Phone House stores several times and always observed the same unsafe behavior, a circumstance that demonstrates the “fundamental lack of security and privacy awareness within Phone House and Media Markt.”

The expert also noticed that the passwords used to access the operators' portals were easy to guess and vulnerable to brute-force attacks.
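Weak, shared portal passwords are exactly the kind of credential that password guessing picks off, and the portal operator can at least notice it happening. The following is an added example, not code from the original post or from any of the operators or retailers named in it: a small detector that runs over constructed dealer-portal login log lines (the log format, the `portal=`/`user=`/`src=` fields and the thresholds are all assumptions) and flags a burst of failed logins within a sliding window, escalating when a success follows the burst, which is the signature of a guessed password.

```python
"""Brute-force detection over dealer-portal login logs (added example, constructed data)."""
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample log lines in an assumed key=value format.
# shop042 on op-a: a burst of failures followed by a success (guessed password).
# shop017 on op-b: one typo, then a normal login.
# shop099 on op-c: failures spread 12 minutes apart, outside the 5-minute window.
SAMPLE_LOG = """\
2014-03-01T09:00:01 portal=op-a user=shop042 src=10.1.1.5 result=FAIL
2014-03-01T09:00:03 portal=op-a user=shop042 src=10.1.1.5 result=FAIL
2014-03-01T09:00:05 portal=op-a user=shop042 src=10.1.1.5 result=FAIL
2014-03-01T09:00:07 portal=op-a user=shop042 src=10.1.1.5 result=FAIL
2014-03-01T09:00:09 portal=op-a user=shop042 src=10.1.1.5 result=FAIL
2014-03-01T09:00:12 portal=op-a user=shop042 src=10.1.1.5 result=SUCCESS
2014-03-01T09:10:00 portal=op-b user=shop017 src=10.1.1.7 result=FAIL
2014-03-01T09:10:20 portal=op-b user=shop017 src=10.1.1.7 result=SUCCESS
2014-03-01T10:00:00 portal=op-c user=shop099 src=10.1.1.9 result=FAIL
2014-03-01T10:12:00 portal=op-c user=shop099 src=10.1.1.9 result=FAIL
2014-03-01T10:24:00 portal=op-c user=shop099 src=10.1.1.9 result=FAIL
2014-03-01T10:36:00 portal=op-c user=shop099 src=10.1.1.9 result=FAIL
2014-03-01T10:48:00 portal=op-c user=shop099 src=10.1.1.9 result=FAIL
2014-03-01T11:00:00 portal=op-c user=shop099 src=10.1.1.9 result=FAIL
"""


def parse_line(line):
    """Turn one 'timestamp k=v k=v ...' line into a dict with a datetime under 'ts'."""
    ts_str, *fields = line.split()
    rec = {"ts": datetime.fromisoformat(ts_str)}
    for field in fields:
        key, _, value = field.partition("=")
        rec[key] = value
    return rec


def detect_bruteforce(log_text, threshold=5, window=timedelta(minutes=5)):
    """Return {(portal, user, src): severity} for accounts under password guessing.

    severity is "burst" when at least `threshold` failures land inside `window`,
    and "success_after_burst" when a successful login follows such a burst,
    which is the case worth paging someone for.
    """
    recent_fails = defaultdict(deque)   # key -> timestamps of recent failures
    alerts = {}
    events = sorted(
        (parse_line(line) for line in log_text.splitlines() if line.strip()),
        key=lambda rec: rec["ts"],
    )
    for rec in events:
        key = (rec["portal"], rec["user"], rec["src"])
        fails = recent_fails[key]
        # Drop failures that have aged out of the sliding window.
        while fails and rec["ts"] - fails[0] > window:
            fails.popleft()
        if rec["result"] == "FAIL":
            fails.append(rec["ts"])
            if len(fails) >= threshold:
                alerts.setdefault(key, "burst")
        elif rec["result"] == "SUCCESS":
            if len(fails) >= threshold:
                alerts[key] = "success_after_burst"
            fails.clear()   # a successful login resets the failure run
    return alerts


if __name__ == "__main__":
    for key, severity in detect_bruteforce(SAMPLE_LOG).items():
        print(severity, *key)
```

On the constructed log only the `op-a`/`shop042` run is reported, as `success_after_burst`; the single typo on `op-b` and the slow, spread-out failures on `op-c` stay below the threshold. Keying on portal, user and source address together keeps one shop's mistyped password from being confused with guessing from elsewhere; a production rule would usually also count failures per source across all users to catch spraying.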

The computers in the stores have easily reachable USB ports, opening the door to a malware-based attack via a USB pen drive.

“I hope this story is a wake-up call for everyone who works with computers and handles personal data of others,” said Ruwhof.

Enjoy Ruwhof’s post.

Pierluigi Paganini

(Security Affairs – Phone House, mobile)

Pierluigi Paganini is member of the ENISA (European Union Agency for Network and Information Security) Threat Landscape Stakeholder Group and Cyber G7 Group, he is also a Security Evangelist, Security Analyst and Freelance Writer. Editor-in-Chief at "Cyber Defense Magazine", Pierluigi is a cyber security expert with over 20 years experience in the field, he is Certified Ethical Hacker at EC Council in London. The passion for writing and a strong belief that security is founded on sharing and awareness led Pierluigi to find the security blog "Security Affairs" recently named a Top National Security Resource for US. Pierluigi is a member of the "The Hacker News" team and he is a writer for some major publications in the field such as Cyber War Zone, ICTTF, Infosec Island, Infosec Institute, The Hacker News Magazine and for many other Security magazines. Author of the Books "The Deep Dark Web" and “Digital Virtual Currency and Bitcoin”.
