How someone can steal your identity via your ISP

Here in Australia. A number of large and popular ISPs use the same username and password for your ADSL/Broadband connection as they do with the customer’s ISP website/webmail/account page.

For example if you sign up for ADSL2+ on an affected carrier. They ask you what ‘account name’ you want. They generally give you a password. This is what you enter into your modem/router to connect to their service. This same username and password is what you’d use on their website to gain access to webmail or to check your account usage, update contact details and view banking and invoice information. These online services allow you to change that password without affecting your internet connection, but majority of people don’t do this. The majority of people don’t even log in to their ISPs webmail or account page unless they need to update some details.

Why is this so dangerous? Most of the passwords they provide are pretty random and cryptic. They should be more safe than say… letting the customer choose a password of ‘molly123’ yeah? Well yes… and NO.

Enter wireless security. I am going to lean out of a limb and say 85% of people don’t change their Wireless Router’s default password (from in the field experience). Most people don’t touch it once it has been set up initially. If you are running WEP, or using WPA/WPA2 with weak password (yes WPA2 PSK can be cracked as easy as WEP if your password is not strong) and if you HAVEN’T changed your router’s default password… AND if you are signed up with an ISP that uses the same authentication for your internet service as they do with their online service website, then your account details can be compromised (There are a lot of IFs and BUTs here, but surprisingly enough, this is the case for a lot of users).

The way in which your account can be compromised is so easy, and so stupid, it may just make you decide to log in to your ISP’s website and change those passwords after reading this article.

Enter the beauty of Firefox Addons. https://addons.mozilla.org/en-US/firefox/addon/10174/

This addon will unmask the asterisks (*******) in a password field. On modem/routers, this will be there for the Internet Connection Settings (and VOIP if the modem uses this service).

This is a screen dump of a compromised router. The user did not have a strong WPA pass key and was easily cracked. They also didn’t change the default router password from ‘admin’ because they thought WPA was secure enough.

From here the attacker logs into the router and finds the section where the ISP is asking for a username and password for Internet Connectivity.

With the Firefox plugin installed, the attacker just hovers over the password and voila!

What can be stolen? Your personal account information including name, phone number, address, credit card or direct debit information (limited but still available), VOIP call records etc. People can use this information to aid in identity theft, or leverage it to gain access to other services, accounts and websites you may use.

Now you may be saying to yourself, “what’s the big deal?”. Yes if an attacker has gotten onto your wireless network, they could be sitting their running a sniffer, capturing MORE sensitive information. They may perform a sex-sandwich attack (man-in-the-middle styles) or they may find a way to exploit and take over any PC on the network. These things take a little time. Hovering over a password to steal the password, and using that to log in to a secure personal accounts page where A LOT of information is divulged takes just a minute. And the information on that page can and will be used against in a court of 0wnage.

How to avoid?

Simple. STRONG WPA2 authentication (AES CCMP at the minimum) with a LONG and random pass-phrase. Change the default password for your router to something complex. Insert the usual wireless security tips and tricks, MAC address filtering, rotating pass-keys, DHCP disabled, obscure subnet etc. And finally, change your online account settings with your ISP to use different login credentials than what is used on your modem/router.

Thing is, most people don’t know that someone is sitting their using their wireless connection. They only know when and if their connection may reach is bandwidth cap, or slows down or they get a large bill. THAT’S when the user will think “what the hell… i think someone is stealing my internet”. They will then change their security, or even disable wireless. This won’t happen if the attacker has access to your ISP accounts page, looks at your bandwidth usage and what ADSL plan you are on. They can use your connection freely without tipping you off because they know how much bandwidth they can get away with before someone notices.

EDIT:

I didn’t think this deserved a new post. But after writing this, I have discovered another way that this type of attack can be performed. (It isn’t really a discovery but in the aid of educating users, it should be said).

Depending on the settings on your home modem… there is a strong chance that by someone entering your public IP address into a browser, will get the management interface of your modem. WITHOUT having to go through the wireless hacking method mentioned above.

To do this… people could use the website from http://shodanhq.com to search for popular modem names. This will reveal modems with port 80 active. You can also limit your searches to country. A simple search for ‘netgear country:AU’ brings up hundreds of results. Most of them can be assessed by the default password. And again, majority of these allow you to view their ISP’s password using the Firefox plugin. This would be a gold mine for people trying to harvest personal information on people, which could easily lead to identity theft. Secure your routers people.

UPDATE:

It has just been discovered that some Linksys routers have a vulnerability where it displays your administration passwords in clear text. The Affected router is the Linksys WRT54G - Firmware Version: v7.00..

This doesn’t seem like too much of an issue. But if you have changed the default admin password (as you should), but someone cracks your wireless (which may be your weakest point of entry), then they can discover your router’s password, thus enabling them to carry out the techniques above.

If you have one of these routers, update the Firmware to a later version.

2 thoughts on “How someone can steal your identity via your ISP

Comments are closed.