Advertisement

We need your help now

Support from readers like you keeps The Journal open.

You are visiting us because we have something you value. Independent, unbiased news that tells the truth. Advertising revenue goes some way to support our mission, but this year it has not been enough.

If you've seen value in our reporting, please contribute what you can, so we can continue to produce accurate and meaningful journalism. For everyone who needs it.

password via Shutterstock

IT experts say your NTMA Prize Bonds password may not be stored securely

While no sensitive information is accessible on PrizeBonds.ie, customer’s emails and passwords could be easily revealed if the website was maliciously hacked.

Updated 11.07am

THE PRIVATE PASSWORDS and e-mail addresses connected to almost €2 billion worth of Prize Bonds accounts could easily be exposed if the website was hacked.

The weakness in the system was highlighted this week when a user received their original password in an e-mail.

Computer security experts say this indicates the passwords and email addresses are stored in a way that would be easily accessible by a hacker, and could then be used to access other accounts used by customers.

A spokesperson for the National Treasury Management Agency (NTMA), who manage Prize Bonds, confirmed that “no functions are available [on Prizebonds.ie] other than to check publicly available lists of winning prize bond numbers”.

The liability was highlighted on technology blog PMooney.net, who found that if a user requested to reset their password on the website, they receive their original password in an e-mail.

‘Plain text’

Computer security experts contacted by TheJournal.ie said that if it is possible to send passwords to users using this method, it indicates that they are likely stored in a ‘plain text’ format.

This means that if a malicious hacker was to access the site, customer’s email addresses and passwords could be easily retrieved, as an attempt has not been made to encode the information.

“It’s an absolutely no-no,” said CEO of Smarttech.ie Ronan Murphy.

The best practice for storing passwords is an encryption method MD5, where your password is ‘hashed’.

He said that e-mail was a highly unsecured way to transmit such sensitive information.

“The fact that they manage to send passwords in an unencrypted format could lead you to believe that they are stored in that format somewhere on their network,” the author of PMooney.net told TheJournal.ie.

“I would (hopefully) doubt this is the case and assuming that the passwords are only decrypted during the process of sending the email, it still is insecure.”

The developers may have a limited budget/resources. But it needs to be fixed.

PMooney.net also highlights that Tesco.com’s use of a similar system was investigated by the UK Information Commissioners Office last year.

The NTMA said that “details held within the system database are stored in an encrypted format, in line with best practice”.

A Security Statement on PrizeBonds.ie states that “all sensitive data is stored in an encrypted fashion on highly secure servers and is completely protected from unauthorised access”.

While no financial information or transactions can be accessed if an account holder’s Prize Bonds account was compromised, Mike Harris of Grant Thornton explained that once an email address and associated password have been compromised, it can lead to the hacker gaining access to many other accounts.

Same password

“The big issue is the fact that people share the same password across different services,” he said.

“In some cases, a simple, hack can compromise a lot of passwords… and these might be used across across a number of different services, such online banking, social media, and insurance websites.”

Most experts advise users to create strong passwords containing symbols, numbers, and capital letters, and to use a different password on every website.

Originally published 8.15am, updated to include clarification of MD5 encryption

Read: Adobe security breach much worse than originally feared >

More: LinkedIn says all accounts secure again after password hack >

In 2012: Hackers post nearly a half million Yahoo! passwords and email addresses >

Readers like you are keeping these stories free for everyone...
A mix of advertising and supporting contributions helps keep paywalls away from valuable information like this article. Over 5,000 readers like you have already stepped up and support us with a monthly payment or a once-off donation.

Close
18 Comments
    Submit a report
    Please help us understand how this comment violates our community guidelines.
    Thank you for the feedback
    Your feedback has been sent to our team for review.
    JournalTv
    News in 60 seconds