Kaleva/Amadeus security doublefail
This is just fucking insane: Kaleva Travels (and/or Amadeus, not sure which one is the real culprit here) not only stores the user passwords in plaintext, they also routinely share them with the service desk. Check out this email I got (real password blocked out, duh, and some not-so-useful mail headers removed):
(Finnish original, translated to English below the headers)

Date: Wed, 25 Apr 2012 13:33:02 +0000 (GMT)
From: firstname.lastname@example.org
To: xxxxxxxxxxxxxxx
Cc: email@example.com
Message-ID: <19272339.55056.1335360782390.JavaMail.SYSTEM@relay.amadeus.net>
Subject: Your password

Dear Janne Jalkanen,

Your password is: xxxxxxxx

Thank you for using your company's online booking system. We appreciate your business.
Note the CC-line.
How a company in this day and age could so blithely ignore customer security is completely beyond me; storing plaintext passwords is bad enough, but sharing them with who knows how many people...? In this case, I didn't even request a password reset; they just decided to send it to me at random and made it useless.
I fully realize that this is all done in the name of customer service, but there are far better, and secure, ways of doing this than just sharing the password around like it were a big box of cookies.
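One of those better ways, as an added example that is not code from the original post and not Kaleva's or Amadeus's system: keep only a salted, iterated hash of the password, and handle "I forgot my password" with a random, single-use, short-lived reset token mailed only to the account owner. With this design there is no password to CC to a service desk, because nobody, not even the operator, can recover it from what is stored. The work factor, token lifetime, and the `UserStore`/`reset_mail` names are assumptions for illustration.

```python
"""Added example: salted password hashing plus token-based reset.

Not the code of the booking system discussed above; constants and names
are illustrative assumptions.
"""
import hashlib
import hmac
import os
import secrets
from typing import Optional

PBKDF2_ITERATIONS = 600_000   # assumed work factor for PBKDF2-HMAC-SHA256
TOKEN_TTL_SECONDS = 15 * 60   # assumed lifetime of a reset link


def hash_password(password: str, salt: Optional[bytes] = None) -> str:
    """Return a self-describing record: algo$iterations$salt_hex$digest_hex."""
    salt = salt if salt is not None else os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERATIONS)
    return f"pbkdf2_sha256${PBKDF2_ITERATIONS}${salt.hex()}${digest.hex()}"


def verify_password(password: str, record: str) -> bool:
    """Recompute the hash with the stored salt and iteration count; compare in constant time."""
    algo, iters, salt_hex, digest_hex = record.split("$")
    if algo != "pbkdf2_sha256":
        return False
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(),
                                 bytes.fromhex(salt_hex), int(iters))
    return hmac.compare_digest(digest, bytes.fromhex(digest_hex))


def reset_mail(email: str, token: str) -> dict:
    """Build the reset message: the link carries the token, never the password,
    and it goes to the account owner only (no CC to a service desk)."""
    return {
        "to": [email],
        "cc": [],
        "subject": "Password reset request",
        "body": f"Open https://booking.example/reset?token={token} within 15 minutes "
                "to choose a new password. If you did not request this, ignore it.",
    }


class UserStore:
    """In-memory stand-in for the user table (constructed for this example)."""

    def __init__(self) -> None:
        self._users: dict = {}  # email -> {"pw": record, "reset": None | (token_hash, expiry)}

    def add_user(self, email: str, password: str) -> None:
        self._users[email] = {"pw": hash_password(password), "reset": None}

    def verify(self, email: str, password: str) -> bool:
        user = self._users.get(email)
        return user is not None and verify_password(password, user["pw"])

    def request_reset(self, email: str, now: float) -> Optional[str]:
        """Issue a fresh token; only its hash is stored, so a database leak does not
        leak usable links. Returns None for unknown addresses (the UI should still
        show the same 'if that address exists, mail was sent' text to avoid enumeration)."""
        user = self._users.get(email)
        if user is None:
            return None
        token = secrets.token_urlsafe(32)
        user["reset"] = (hashlib.sha256(token.encode()).digest(), now + TOKEN_TTL_SECONDS)
        return token

    def complete_reset(self, email: str, token: str, new_password: str, now: float) -> bool:
        """Accept the token once, before expiry, then invalidate it and set the new hash."""
        user = self._users.get(email)
        if user is None or user["reset"] is None:
            return False
        token_hash, expiry = user["reset"]
        if now > expiry:
            user["reset"] = None
            return False
        if not hmac.compare_digest(token_hash, hashlib.sha256(token.encode()).digest()):
            return False
        user["reset"] = None                      # single use
        user["pw"] = hash_password(new_password)
        return True


if __name__ == "__main__":
    store = UserStore()
    store.add_user("janne@example.org", "old-secret")
    tok = store.request_reset("janne@example.org", now=0)
    print(reset_mail("janne@example.org", tok))
    print(store.complete_reset("janne@example.org", tok, "new-secret", now=60))
```

The point of the token hash and the `compare_digest` calls is that neither the stored row nor a timing side channel gives an attacker the reset link; the point of the empty `cc` list is the one the email above makes.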
Also, this highlights the importance of using a different password for every system. You never know who's going to leak it.
Update: Our assistant just let me know that she also received the email with my password in it. So now I have no idea how many people have received my email/password combination. This is just fucking great.
Update, May 9th: Someone from Kaleva's Marketing called me and wanted to have a chat about what they could do about this. That's a good response.
"Main_blogentry_040512_1" last changed on 09-May-2012 10:23:04 EEST by JanneJalkanen.