Earlier this week I received a letter from the consumer services director in eircom informing me that there was a “potential” security problem with my broadband. The letter reassured me that only a “person with an advanced working knowledge of encryption and coding techniques” could illegally access my eircom internet connection. The letter went on to reassure that eircom takes this seriously and if I wanted I could log on to a website to find out how to “enhance” the security of my connection. So a nice customer-focused and reassuring letter from eircom telling me not to panic inspite of what I might hear in de meja.
Well, being a bored blogger, I decided to take up the implicit challenge set in the letter. I logged on Google a few minutes ago, typed in “eircom broadband crack” and within less than 5 minutes and just 4 clicks not only have I got this thing figured out, but I had found the site that enables me to tap into any eircom customer’s broadband connection (illegally of course). Now just to be clear, I don’t have “advanced knowledge of encryption or advanced coding techniques” – don’t forget it took me three days to set up this blog!
Put simply, in order to access the Internet from your computer via your eircom broadband modem you just need a username and password. Apparently the way our (eircom customers’) broadband security is set up, the customer identifier (the username if you like) is simply a different version of the WEP key (the password). Your username is structured like this; “eircom 1234 1234”, and your password is something like this; “F23412CBD536AE5686FDA20EF6”. Doesn’t look to be much similarity there I hear you say. Well the site that it took me less than 5 minutes and 4 clicks to find allows me to input my eircom username and converts it to my exact WEP password based on some mathematical formula (presumably quite a complex one).
Now the thing is if I stand outside or sit in my car infront of your house with my laptop I will be able to see if you have eircom broadband and worse still I’ll be able to see your username. Bottom line; I can very easily tap into your broadband internet access and use it without you ever knowing. Worse case scenario; I could be living next door to you and be using your broadband for years engaging in illicit activities which could only ever be traced back to you.
I’m not interested in using this as an opportunity to lash out at eircom – there’s plenty others out there who’ll do that. I should also say that I have a lot of respect for many of the good people who work there. There are however some fundamental issues for eircom here, some for the rest of us to watch out for;
1/ Get your security right from the start
Security can be a tricky thing to get right; it can be time consuming, expensive and sometimes not very user-friendly. However, if there is a chance that you will expose your customers in any way you have an obligation to your customers to put the effort in and make sure it is watertight. Your customers may have to undergo a bit of pain to ensure that their data is more secure, but if it is not secure they will certainly not be thankful.
2/ If a problem occurs fix it
From what I can see eircom haven’t actually done anything to rectify the potential risk. Guys, you need to sort this for your customers. It might be expensive and complex but you have exposed us to risk and your customers expect you to rectify the situation.
3/ Don’t underplay a serious problem
While a company does not want to cause panic amonst its customers; if there is a problem the last thing it should do is tell them there isn’t one or it’s not really a problem. I read the letter from eircom and decided that it didn’t need action. I now know better.
4/ Don’t make YOUR problems mine
Putting all this together I now have a problem and it looks like I’m the only one who’s going to sort it. I’m not really happy about that, even though I’ve been extremely happy with my eircom connection to date.
To add salt to the wound, having just reviewed the eircom support site it looks like I might need to be a “person with an advanced working knowledge of encryption and coding techniques” in order to fix it.
As I said earlier, I have a lot of respect for the people I know who work in eircom, and I expect them to take the next steps to fix this for me and their other 250,000 customers. That’s how business works.