Virgin Media: You're only as secure as your weakest link.

Avid followers will know, I've long been an advocate of password managers... specifically 1Password. So much so, I'm often criticised for treating it as a panacea.

With that in mind, it's about time I outlined another risk which isn't immediately obvious; one which allows me access to almost any site you use and renders your long, unique & immensely-strong password redundant.

I am, of course, referring to the security of your email provider.

Preface

On August 27th, I received a tweet from Luca De Angeli, a twitter follower and UI developer.

Hmm, those are some strange password limitations!

If Virgin Media were hashing passwords correctly, there shouldn't be a need to artificially restrict the length or strength of a user's password; any input would result in an equal length output.

The Problem

This issue came to light some years ago, but Virgin Media weren't willing to share the reason behind such a bizarre restriction. However, it's 2014 and following a spate of aptly-named "mega hacks" on services like SnapChat, Adobe and Sony, let's see if they're more receptive to genuine concerns.

HINT: @troyhunt's awesome HaveIBeenPwned service provides 163 MILLION examples of why you should continue reading this article ;)

I created a new topic on Virgin's community forum. You can read the entire thread here, but here's the important parts.

Wait... encrypted? That can't be right, so I ask again.

Here's the problem. "BenMCR" is technically correct, but he doesn't understand that encrypting data with a key you know is akin to storing it in plain text.

As there's some confusion, I asked to have the issue escalated. The response however, mirrored that from last year.

That usually means one of two things are true...

1) Everything is fine, they just don't want to discuss it.
or

But which is it?

The Risk

I know what you're thinking...

"It's only my Virgin Media password, big deal! How is that ever going to affect me?"

What's one of the first pieces of information any site requires during registration?
Your email address.

What happens when you forget the password to that site? They'll probably send a reset link to...
Your email address.

Want to disable 2FA/Two Factor Authentication? Some sites ask you to click a link. Guess where it's sent...
Your email address!

Your email address is absolutely crucial to the security of virtually any site with which it's registered. Consider the damage potential for a moment...

  • Paypal: You can kiss goodbye to your balance and you'd better hope you haven't linked a debit/credit card too.
  • Twitter/Facebook: Don't be surprised if your timeline suddenly explodes.
  • Cloud storage (Dropbox/Drive etc): Your private files are no longer private.
  • Medical data: Some surgeries allow you to book/manage appointments/prescriptions online!
  • Other email accounts: Hotmail requires an alternative account for reset requests...
  • ... and so on.

By this point, you're hopefully and rightfully concerned that Virgin Media won't discuss how they store YOUR data despite repeated requests.

If they won't discuss it further, now what?

Let's assume for a moment that I'm completely and utterly wrong in my assumptions; the password is handled securely and if Virgin Media are ever breached, it's not viable for someone to gain access to my account. Let's also assume the worst has happened, Virgin's database has been leaked to the public.

Is there a way to access a Virgin Media email account without the password?

You bet! Like many sites, Virgin Media ask you to answer a "security question". Nothing wrong with that, I hear you cry...

Hang on... How does the site know that?
That's private, confidential information!

Pay careful attention to my answer. 2 spaces, 6 uppercase and 4 lowercase characters. Remember, they're visible in plain text and not hashed as they should be.

Let's look at the "forgot password" process in detail...

The attacker knows the security answer, but not the date of birth... or do they? Let's step back to the account profile page and dive into the source code.

Damn! My date of birth is available in plain text too!

So now an attacker has both pieces of information necessary to not only reset my password, but gain total access to my account.

Back to the "forgot password" page...

The observant amongst you will have noticed the deliberate mistake in my "security answer". No spaces, no uppercase characters...

That being the case, I shouldn't be able to proceed.

... but I can!

What does that actually mean?

1) It can't be hashed, as the values wouldn't match.
2) It can't be encrypted, as the values wouldn't match.
3) It must be stored in plain text, thus allowing anyone in possession of it to access my account without my password!

Do they not understand? The "security question" is just another pseudo password! It's also an answer which is likely to be shared across other sites which ask the same question, exposing them to attack too.

Here's one of BenMcr's replies on the forum.

Go on, I know you're dying to ask.

"They haven't been breached, so isn't this all irrelevant?"

Sadly not. This is of concern precisely because it hasn't happened... yet.

It's easier to make security improvements now than change your mother's maiden name ;)

However, the risks don't end there.

The Risks (part deux)

A complete database breach is just one way Virgin Media may inadvertently leak your credentials. Like many firms, they use an SSO or Single Sign On service which allows you to sign in to many services at the same time; with one username & password.

Although useful, it also increases the risk significantly. If one service, just one, leaks the credentials by mistake, the whole lot's at risk.

Until yesterday, the TV Anywhere application did exactly that. If you used the service over 3G or 3rd-party WiFi and happened to use the "forgot password" facility, you've already leaked your email address & password. A responsible, security-conscious firm would advise you (mindful of all the above) of the failure, suggest you change your passwords and at least give you an opportunity to protect yourself.

If you've ever signed into your account on a mobile/tablet, you may have leaked your details there too. But how?

Until just a few days ago, the process was handled over HTTP; an insecure protocol allowing anyone to read data sent over the wire. If you changed your password during this time, you now need to change it again.

Now, it's only fair to give some context here. The chances of it actually happening are pretty slim, let alone someone taking control of your digital life as a result. The point however, is that it's not only possible, but you were not made aware of it.

How to protect yourself.

Unfortunately, it's a tough issue to solve.

Each email provider handles data differently and with varying degrees of competence. As a general rule...

1) If you're forced to provide answers to "security questions", treat them as pseudo passwords; NEVER provide genuine answers as there's no guarantee the company will handle them safely. If you use a password manager, simply generate another password and use that instead. NEVER use your login password twice!
2) Where possible, don't use the "security question" facility at all. Many ask questions which can be easily answered from data stored in your twitter/facebook profiles etc.
3) Enable 2FA where possible, opting for 2SV codes by SMS/phone call if actual 2FA services like Yubikey/Google Authenticator aren't supported.
4) Call your current provider and ask questions. "Can you see the answers to my security questions?", "How do you store passwords?", "In the event of a breach, how do you protect my information".

If you're concerned, tweet me @rambling_rant and I'll take a look when I get chance :)

Are passwords dead?

Despite numerous claims to the contrary, I honestly don't believe they are.

The way we (as people & businesses) handle them however, is dead and needs a complete overhaul.

Google's manager of Information Security, Heather Adkins

"our relationship with passwords are done"

Curiously though, it's still a mandatory requirement. 2SV on the other hand, with all the added bells, whistles and added benefits; still an option which many do not take advantage of.

Make 2FA a mandatory option!

Sounds counter-intuitive doesn't it? Let me explain.

2FA has actually been around for decades, but adoption rates are still woefully low. There are no hard figures, but estimates range from 3-5%. Those people (assuming the method of 2FA is secure) are undoubtedly safer.

What isn't immediately obvious however, is the other 95% are actually at greater risk by NOT using it. But how?

Hackers frequently enable 2FA on breached accounts!

Oh, the irony! The facility designed to prevent unauthorised access is now working for the attacker, preventing the genuine user accessing the account.

If a user enables 2FA during registration, great! If not or they actively decide not to use it, remove the option from the account until an ID check is performed!

Summary

Just be mindful... all it takes is one screw up by your mail provider and they'll undo all your hard work.

Ask questions, demand answers and if you're still not happy, consider moving elsewhere. It's your private information; keep it that way.