Two of South Africa’s mobile operators, Vodacom and Cell C have reported security flaws over the past week, exposing\u00a0subscribers\u2019 personal details including account balances.<\/p>\n
MyBroadband alerted Cell C on 2 January 2014, to a\u00a0security flaw with it’s\u00a0online portal \u2013 aka My Cell C \u2013 which allowed anyone with an internet connection to view personal information about many of Cell C\u2019s subscribers.<\/p>\n
A Cell C subscriber alerted MyBroadband that the \u201cMy Cell C My Account\u201d portal provided access to personal details about many Cell C numbers by using a generic master password.<\/p>\n
The security flaw was tested by MyBroadband using a new Cell C SIM and existing Cell C accounts. All Cell C numbers could be accessed, except those where the user changed their online password.<\/p>\n
A wide range of personal information could be accessed through the portal, including account details, banking details, numbers called, PIN and PUK numbers and payment history.<\/p>\n
Cell C confirmed the vulnerability, adding that it had since been\u00a0resolved.<\/p>\n
The operator said that they suspect the flaw was the result of recent system maintenance.<\/p>\n
\u201cWe are pleased to confirm that by mid-afternoon today [3 January 2014], a patch was developed, tested and deployed and the issue is now fully resolved,\u201d said Cell C.<\/p>\n
\u201cThe security of customer information is of the utmost importance to Cell C and we will be appraising our systems accordingly.\u201d<\/p>\n
Vodacom<\/strong><\/p>\n <\/p>\n It follows a security flaw in the \u201cMy Vodacom\u201d online portal which exposed Vodacom subscribers\u2019 personal details, including account balances, package details, service providers, average monthly spend, the phone used, PUK and PIN details.<\/p>\n The flaw allowed a Vodacom subscriber who is logged into the My Vodacom online portal to enter any Vodacom number and find personal details linked to this number.<\/p>\n Vodacom was alerted to the security flaw on the afternoon of the 26 December and the company launched a \u201ccomplete investigation\u201d.<\/p>\n It said that the flaw was identified, and a patch was developed overnight.<\/p>\n The patch was tested successfully on the morning of the 27 December and was deployed into production by midday on the same day.<\/p>\n \u201cOnly high level account summary information was exposed such as the type of package and the balances. No banking information was compromised nor was it possible to transact on the affected number,\u201d said Vodacom.<\/p>\n My Vodacom security flaw exposes subscriber details<\/strong><\/a><\/p>\nThis article first appeared on MyBroadband<\/strong><\/a><\/h3>\n
More on security flaws<\/h3>\n