BreachExchange mailing list archives

DiscoverCard stores passwords in plaintext, e-mails them on request


From: security curmudgeon <jericho () attrition org>
Date: Fri, 4 May 2012 15:18:44 -0500 (CDT)



---------- Forwarded message ----------
From: RISKS List Owner <risko () csl sri com>
Date: Fri, 4 May 2012 12:48:03 PDT
Subject: [RISKS] Risks Digest 26.81

RISKS-LIST: Risks-Forum Digest  Friday 4 May 2012  Volume 26 : Issue 81

------------------------------

Date: Sun, 29 Apr 2012 23:14:26 -0400
From: Gregory Marton <gremio () acm org>
Subject: DiscoverCard stores passwords in plaintext, e-mails them on request

I just had the misfortune of mistyping my discovercard.com password four
times.  Now locked out, I had to get an agent on a chat session.  She
verified only my e-mail address (verifying that it was the one on file), and
immediately caused a message to be sent to that address with my password in
plain text.

I pointed out to her the RISK: that were that e-mail compromised, e.g. even
by someone looking over my shoulder, they'd have my password, and that if I
happened to use similar passwords on other sites then the attacker would
potentially get access to multiple accounts.  She got this and agreed to
lodge a complaint, but she wondered how they could do better.

Hasn't it been the industry standard for a very long time now to send a
rapidly expiring reset link?  I even think discovercard did that in the
past.  Is there reason to move *away* from hashed passwords and reset links
to plaintext?  Perhaps too many people forget and use recovery options each
time?

I forgot to ask if the agent could see the password.  That would be another
risk.

Gregory A. Marton 617-858-0775 http://goo.gl/Ne09o http://csail.mit.edu/~gremio
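The alternative the post asks about (hashed passwords plus a rapidly expiring reset link) is shown below as an added illustration; it is not code from the post, from RISKS or from Discover. It assumes an in-memory user store and token store, a 15-minute token lifetime, and an injectable clock for testing; all names are hypothetical. The points it demonstrates are that the server keeps only a salted PBKDF2 hash of the password (so no agent can see or e-mail it), that only a hash of the reset token is stored (so a database leak does not expose live links), and that a token is single-use and expires.

```python
import hashlib
import hmac
import os
import secrets
import time

# OWASP-range work factor for PBKDF2-HMAC-SHA256; tune to your hardware.
PBKDF2_ITERATIONS = 600_000


def hash_password(password: str) -> dict:
    """Return a record holding salt, iteration count and hash; never the password."""
    salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERATIONS)
    return {"salt": salt.hex(), "hash": digest.hex(), "iterations": PBKDF2_ITERATIONS}


def verify_password(password: str, record: dict) -> bool:
    """Recompute the hash with the stored salt and compare in constant time."""
    digest = hashlib.pbkdf2_hmac(
        "sha256", password.encode(), bytes.fromhex(record["salt"]), record["iterations"]
    )
    return hmac.compare_digest(digest, bytes.fromhex(record["hash"]))


class ResetTokenStore:
    """Issues reset tokens that are single-use, time-limited and stored only as hashes.

    Hypothetical in-memory store; a real deployment would persist entries and
    also bind the token to the channel it was sent over (the verified e-mail).
    """

    def __init__(self, ttl_seconds: int = 900, now=time.time):
        self.ttl = ttl_seconds
        self.now = now  # injectable clock so expiry can be tested
        self._tokens: dict[str, tuple[str, float]] = {}  # token_hash -> (user, expires_at)

    @staticmethod
    def _key(token: str) -> str:
        # Only the hash is stored; the raw token exists solely in the e-mailed link.
        return hashlib.sha256(token.encode()).hexdigest()

    def issue(self, username: str) -> str:
        token = secrets.token_urlsafe(32)  # 256 bits of CSPRNG entropy
        self._tokens[self._key(token)] = (username, self.now() + self.ttl)
        return token  # goes into https://example.invalid/reset?token=... (placeholder URL)

    def redeem(self, token: str, new_password: str, users: dict) -> bool:
        """Consume the token; fail closed on unknown, reused or expired tokens."""
        entry = self._tokens.pop(self._key(token), None)  # pop => single use
        if entry is None:
            return False
        username, expires_at = entry
        if self.now() > expires_at:
            return False
        users[username] = hash_password(new_password)
        return True


def demo() -> bool:
    """Walk the flow once: lockout -> issue link -> redeem -> old link dead."""
    users = {"alice": hash_password("initial-secret")}  # constructed sample user
    store = ResetTokenStore()
    token = store.issue("alice")
    ok = store.redeem(token, "new-secret", users)
    replay_blocked = not store.redeem(token, "attacker-chosen", users)
    return ok and replay_blocked and verify_password("new-secret", users["alice"])


if __name__ == "__main__":
    print("flow correct:", demo())
```

Note that `verify_password` and the lockout counter live on the server; the agent's tooling only needs `issue()`, which returns a link to send, never the credential. Expiry is enforced at redemption time rather than by a background sweep, so a stale entry can never be redeemed even if it is still in the table.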

------------------------------
_______________________________________________
Dataloss-discuss Mailing List (dataloss-discuss () datalossdb org)
Archived at http://seclists.org/dataloss/
Unsubscribe at http://datalossdb.org/mailing_list