BreachExchange mailing list archives
DiscoverCard stores passwords in plaintext, e-mails them on request
From: security curmudgeon <jericho () attrition org>
Date: Fri, 4 May 2012 15:18:44 -0500 (CDT)
---------- Forwarded message ----------
From: RISKS List Owner <risko () csl sri com>
Date: Fri, 4 May 2012 12:48:03 PDT
Subject: [RISKS] Risks Digest 26.81

RISKS-LIST: Risks-Forum Digest Friday 4 May 2012 Volume 26 : Issue 81

------------------------------

Date: Sun, 29 Apr 2012 23:14:26 -0400
From: Gregory Marton <gremio () acm org>
Subject: DiscoverCard stores passwords in plaintext, e-mails them on request

I just had the misfortune of mistyping my discovercard.com password four times. Now locked out, I had to get an agent on a chat session. She verified only my e-mail address (verifying that it was the one on file), and immediately caused a message to be sent to that address with my password in plain text.

I pointed out to her the RISK: that were that e-mail compromised, e.g. even by someone looking over my shoulder, they'd have my password, and that if I happened to use similar passwords on other sites then the attacker would potentially get access to multiple accounts. She got this and agreed to lodge a complaint, but she wondered how they could do better.

Hasn't it been the industry standard for a very long time now to send a rapidly expiring reset link? I even think discovercard did that in the past. Is there reason to move *away* from hashed passwords and reset links to plaintext? Perhaps too many people forget and use recovery options each time?

I forgot to ask if the agent could see the password. That would be another risk.

Gregory A. Marton 617-858-0775 http://goo.gl/Ne09o http://csail.mit.edu/~gremio

------------------------------

_______________________________________________
Dataloss-discuss Mailing List (dataloss-discuss () datalossdb org)
Archived at http://seclists.org/dataloss/
Unsubscribe at http://datalossdb.org/mailing_list
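The "hashed passwords plus a rapidly expiring reset link" design the post asks about, as an added Python example that is not code from the RISKS post, from Discover, or from the list. The store keeps only a salted PBKDF2 hash of the password and a SHA-256 hash of each reset token, so an agent (and anyone reading the user's e-mail later) can never be handed the credential; the class and method names, the PBKDF2 work factor and the 15-minute token window are assumptions chosen for illustration.

```python
import hashlib, hmac, secrets, time

PBKDF2_ROUNDS = 200_000  # assumption: illustrative work factor, tune for your hardware
TOKEN_TTL_SECONDS = 900  # assumption: reset link is valid for 15 minutes

def _hash_password(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)

class AccountStore:
    def __init__(self):
        self._users = {}   # email -> {"salt": bytes, "pw_hash": bytes}; no plaintext anywhere
        self._resets = {}  # email -> {"token_hash": bytes, "expires": float}

    def register(self, email: str, password: str) -> None:
        salt = secrets.token_bytes(16)
        self._users[email] = {"salt": salt, "pw_hash": _hash_password(password, salt)}

    def verify_password(self, email: str, password: str) -> bool:
        rec = self._users.get(email)
        if rec is None:
            return False
        return hmac.compare_digest(rec["pw_hash"], _hash_password(password, rec["salt"]))

    def support_view(self, email: str) -> dict:
        # Everything a help-desk agent can see: account state, never a password.
        return {"exists": email in self._users, "reset_pending": email in self._resets}

    def issue_reset_token(self, email: str, now=None) -> str:
        # The raw token goes only into the e-mailed link; the store keeps its hash.
        token = secrets.token_urlsafe(32)
        expires = (time.time() if now is None else now) + TOKEN_TTL_SECONDS
        self._resets[email] = {"token_hash": hashlib.sha256(token.encode()).digest(),
                               "expires": expires}
        return token

    def redeem_reset_token(self, email: str, token: str, new_password: str, now=None) -> bool:
        now = time.time() if now is None else now
        pending = self._resets.get(email)
        if pending is None:
            return False
        if now > pending["expires"]:
            del self._resets[email]  # expired: discard, the user must request a new link
            return False
        presented = hashlib.sha256(token.encode()).digest()
        if not hmac.compare_digest(presented, pending["token_hash"]):
            return False
        del self._resets[email]             # single use: a replayed link is rejected
        self.register(email, new_password)  # fresh salt and hash for the new password
        return True
```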