
Danger, Danger, Will Robinson!

Here at Lockergnome World Headquarters, we received some news that I personally found to be quite disturbing. Apparently, there is an authentication issue at DirecTV’s Web site that could lead to some real problems.

Today a Gnomie reported to us that the problem is actually quite a serious one and that all of you DirecTV users out there had better watch out! Here is the information that we have received today about this issue. The following is an actual e-mail sent to DirecTV and to me in response to this potential exploit that has yet to be resolved.

I am surprised at the Security flaw I have found on the DIRECTV.com Web site. I want to draw your attention to the Sign In section, which has the link Show Password Hint.

When a customer clicks on this link, he is directed to a page to enter his username, after which a ‘Password Hint’ will display with the intention of that ‘Hint’ reminding the customer of what his password is.

The security flaw in this process is that anyone accessing the Internet can access that URL, enter in any username until a ‘Password Hint’ shows - then continuously try to guess the password of that username based upon the ‘Hint’ until they can eventually get it right. There are dozens of pieces of software written that can automate this process of ‘hacking’ into a customer’s account, processing hundreds of attempts per second while fooling the authentication server by using a different IP address for each attempt.

Once someone accesses a customer’s account, that user has access to process programming changes as well as performing other transactions, since the customer’s credit card information has already been entered when the account was first set up. I highly suggest the prompting of the 3-digit security code for the customer to enter when processing an online transaction - this 3-digit security code is on the back of all credit cards. The majority of online credit card transactions require entering this 3-digit security code to prevent fraud.

How embarrassing it would be to DIRECTV for a password recovery system, being so fundamentally wrong, to be exploited, jeopardizing the experience of DIRECTV customers worldwide.

There are a multitude of solutions to resolve this Security Flaw - I only hope.

Frightening, is it not? I was shocked that something would be so simple with a company with as many tech resources as DirecTV has at its disposal. It is my hope that it sees this and perhaps even chooses to resolve it ASAP. If it chooses to piddle around with this issue, I can all but guarantee that it will most certainly bite it in the butt. So heads up, people, you have been warned!
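The weakness the e-mail describes has two halves: the hint page confirms which usernames exist, and the login page lets an attacker keep guessing while dodging per-IP limits by changing source address. The usual fix on the defending side is to throttle by account rather than by IP, and to flag accounts whose failures arrive from many different addresses. The example below is added here and is not code from Lockergnome, the e-mail's author, or DirecTV; the log format, the `HINT_LOOKUP`/`LOGIN_FAIL`/`LOGIN_OK` event names and the thresholds are assumptions, and the log lines are constructed for the example.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample log lines for this example only; not real logs from
# any site. Format (assumed): "<iso timestamp> <EVENT> user=<name> ip=<addr>".
# "alice" is being guessed from five different addresses in six seconds;
# "bob" is an ordinary user who mistyped once.
SAMPLE_LOG = """\
2003-04-01T10:00:00 HINT_LOOKUP user=alice ip=203.0.113.5
2003-04-01T10:00:01 LOGIN_FAIL user=alice ip=203.0.113.5
2003-04-01T10:00:02 LOGIN_FAIL user=alice ip=198.51.100.7
2003-04-01T10:00:03 LOGIN_FAIL user=alice ip=192.0.2.9
2003-04-01T10:00:04 LOGIN_FAIL user=alice ip=203.0.113.44
2003-04-01T10:00:05 LOGIN_FAIL user=alice ip=198.51.100.80
2003-04-01T10:00:06 LOGIN_OK   user=alice ip=192.0.2.200
2003-04-01T10:05:00 LOGIN_FAIL user=bob ip=203.0.113.5
2003-04-01T10:05:30 LOGIN_OK   user=bob ip=203.0.113.5
"""

LINE_RE = re.compile(r"^(\S+)\s+(\S+)\s+user=(\S+)\s+ip=(\S+)$")


def parse_line(line):
    """Parse one log line into a dict, or return None for lines that do not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ts, event, user, ip = m.groups()
    return {"ts": datetime.fromisoformat(ts), "event": event, "user": user, "ip": ip}


class AccountThrottle:
    """Sliding-window lockout keyed on the account, not the source IP.

    Because the counter belongs to the username, rotating through many
    addresses (as the e-mail describes) does not reset it.
    """

    def __init__(self, max_failures=5, window=timedelta(minutes=15),
                 lockout=timedelta(minutes=30)):
        self.max_failures = max_failures
        self.window = window
        self.lockout = lockout
        self._failures = defaultdict(deque)  # user -> timestamps of recent failures
        self._locked_until = {}              # user -> datetime the lock expires

    def is_locked(self, user, now):
        until = self._locked_until.get(user)
        return until is not None and now < until

    def record_failure(self, user, now):
        """Record a failed attempt; lock the account once the window fills up."""
        q = self._failures[user]
        q.append(now)
        while q and now - q[0] > self.window:   # drop failures outside the window
            q.popleft()
        if len(q) >= self.max_failures:
            self._locked_until[user] = now + self.lockout
        return self.is_locked(user, now)

    def locked_users(self):
        return sorted(self._locked_until)


def analyze(log_text, max_failures=5, min_distinct_ips=3):
    """Replay a log through the throttle and report what a defender would see.

    Returns the requests that would have been refused because the account was
    locked (including a correct password arriving after the lockout), the
    locked accounts, and accounts whose failures came from many distinct IPs.
    """
    throttle = AccountThrottle(max_failures=max_failures)
    blocked = []                 # (user, event) pairs refused while locked
    fail_ips = defaultdict(set)  # user -> distinct source IPs of failures
    for raw in log_text.splitlines():
        ev = parse_line(raw)
        if ev is None:
            continue
        user, now = ev["user"], ev["ts"]
        if throttle.is_locked(user, now):
            blocked.append((user, ev["event"]))  # hint lookups and logins alike
            continue
        if ev["event"] == "LOGIN_FAIL":
            fail_ips[user].add(ev["ip"])
            throttle.record_failure(user, now)
    distributed = {u: len(ips) for u, ips in fail_ips.items()
                   if len(ips) >= min_distinct_ips}
    return {"blocked": blocked, "locked": throttle.locked_users(),
            "distributed": distributed}


if __name__ == "__main__":
    print(analyze(SAMPLE_LOG))
```

Run against the constructed log, the fifth failure locks `alice`, so the later `LOGIN_OK` from yet another address is refused even though the password was right, and the distinct-IP count (5) singles the account out for review; `bob` is never touched. The same `is_locked` check should gate the hint page, so a locked account stops leaking its hint as well.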

Let’s get digital!

What are your thoughts?
