In a recent investigation (Case No. 200214122), Hong Kong's Privacy Commissioner for Personal Data found that a local Mobile Operator had contravened the requirement of Data Protection Principle 4 (Security of Personal Data) of the Personal Data (Privacy) Ordinance. An enforcement order was not issued because the company had already taken remedial measures to improve the security of personal data.
This is believed to be the first case where a Mobile Operator has been required to improve website security by the Privacy Commissioner. Data Protection Principle 4 states, "All practicable steps shall be taken to ensure that personal data … held by a data user are protected against unauthorized or accidental access…". The details of the case show that flawed security and procedures will not be considered adequate to fulfil this requirement and it is to be hoped that other Service Providers will take note and ensure they have appropriate security in place.
The investigation began in September 2002, when a complaint was made that the security of the Mobile Operator's website, where customers could view their bills, was inadequate. The billing website was protected by a username/password system in which the username was the customer's mobile number and the password was 6 digits, with the default being the digits of the customer's ID card number. The system did not lock out the account after repeated failed login attempts. Thus, an attacker knowing only a person's phone number could guess passwords until they succeeded - a test demonstrated that a simple Perl script was able to find the password of a customer in less than a week, without causing any kind of security alert at the company. An attacker could then access personal information of the victim, including their full name, address, and phone bill details - in many cases, they would also have discovered the 6 digits of the victim's ID card number.
In November 2002, the Mobile Operator modified the website to fix these and some other flaws, but in doing so made the security of the site worse. The major new flaw was introduced in the password reset procedures. The website would lock an account out after 5 invalid login attempts. Users could then call the Mobile Operator's Hotline, and the password would be reset to a fixed number: "123456". This makes it trivial for an attacker to force a lockout and then set up a process that periodically tries "123456" until the victim calls the Hotline and the password is reset, at which point the attacker gains access.
In October 2003, after the flaws in the procedures were pointed out, the Mobile Operator made further changes. When a customer calls the Hotline for a password reset, it is reset to a randomly generated 6-digit number and the password is sent to the customer's mobile in a short message.
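The two controls the operator ended up with, lockout after repeated failures and a random rather than fixed password on hotline reset, modelled as an added example (not the operator's code; the class, the 15-minute lockout window and the sample mobile number are assumptions, and the page states only the 5-attempt threshold):

```python
import secrets
import time
from collections import defaultdict

MAX_FAILURES = 5        # lockout threshold the page reports
LOCKOUT_SECONDS = 900   # assumed lockout window; the page does not state one


class BillingAuth:
    """Minimal model of the billing-site login after the October 2003 changes."""

    def __init__(self):
        self.passwords = {}               # mobile number -> 6-digit password
        self.failures = defaultdict(int)  # consecutive failed attempts per account
        self.locked_until = {}            # mobile number -> epoch seconds
        self.alerts = []                  # security events the operator should see

    def enrol(self, mobile, password):
        self.passwords[mobile] = password

    def login(self, mobile, password, now=None):
        now = time.time() if now is None else now
        if self.locked_until.get(mobile, 0) > now:
            return False  # locked: reject without comparing, even a correct guess
        if secrets.compare_digest(self.passwords.get(mobile, ""), password):
            self.failures[mobile] = 0
            return True
        self.failures[mobile] += 1
        if self.failures[mobile] >= MAX_FAILURES:
            self.locked_until[mobile] = now + LOCKOUT_SECONDS
            self.failures[mobile] = 0
            self.alerts.append(("lockout", mobile, now))  # the 2002 site raised nothing
        return False

    def hotline_reset(self, mobile):
        """Reset to a fresh random 6-digit code instead of the fixed '123456'.

        secrets.randbelow is unpredictable, so an attacker who forced the
        lockout gains nothing by polling a known value afterwards.
        """
        new_pw = f"{secrets.randbelow(10**6):06d}"
        self.passwords[mobile] = new_pw
        self.failures[mobile] = 0
        self.locked_until.pop(mobile, None)
        self.alerts.append(("reset", mobile))
        return new_pw  # delivered out of band, by SMS to the registered handset
```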
The latest changes make unauthorised access far more difficult - while SMS messages are not guaranteed to be secret, an attacker would find it difficult to intercept the required message (unless the phone was stolen, in which case there would be a far more pressing reason to freeze the account).
It would be hoped that similar investigations could be completed in a shorter timescale in future.