The company claims that its customers were responsible for the cyberattack because they did not set a secure password
In recent days, a Czech court sentenced two hackers to three years in prison for accessing the mobile accounts of Vodafone customers and using them to purchase 600k Czech koruna in gambling services. According to local media reports, Vodafone wants the victims of the cyberattack to pay the charges made to their accounts, because the affected clients used the password “1234”, which is very easy to guess.
According to experts in ethical hacking, the attackers accessed the accounts of Vodafone customers using the password “1234”. Once they had access, they requested new SIM cards, which they collected from several branches; because they knew the phone number and password, they were able to pick up each SIM card and install it on a different phone without any other verification step. This allowed the hackers to charge more than 600k Czech koruna, or approximately $30k USD, for gambling services.
The company blames its clients for the hack
Ethical hacking experts claim that Vodafone has refused to take responsibility for the charges made by the attackers, saying that customers whose accounts were hacked must pay the money themselves. Some victims have revealed that Vodafone sent debt collectors to recover the money stolen by the hackers.
The victims, on the other hand, have stated that they have no idea how their passwords were changed to “1234”, and that they were not even aware that they could be charged via their Vodafone accounts. In addition, the company has stated that it is possible that one of its employees set this password at the time the telephone equipment was purchased, but that it is the user’s responsibility to change their password to a more secure one. The problem is that the My Vodafone portal only supports passwords consisting of between 4 and 6 digits.
According to specialists in ethical hacking from the International Institute of Cyber Security, the password requirements on this website are not strong enough, because passwords that consist of 4-6 digits can still be cracked quite quickly with brute-force attacks.
However, Vodafone’s stance is a dangerous precedent and one more reason for users to make sure they use secure passwords at every site they visit.
Working as a cyber security solutions architect, Alisa focuses on bug bounty and network security. Before joining us she held cyber security researcher positions at a variety of cyber security start-ups. She also has experience in different industry domains such as finance, healthcare and consumer products.