THE PRIVATE PASSWORDS and e-mail addresses connected to almost €2 billion worth of Prize Bonds accounts could easily be exposed if the website was hacked.
The weakness in the system was highlighted this week when a user received their original password in an e-mail.
Computer security experts say this indicates the passwords and email addresses are stored in a way that would be easily accessible by a hacker, and could then be used to access other accounts used by customers.
A spokesperson for the National Treasury Management Agency (NTMA), which manages Prize Bonds, confirmed that “no functions are available [on Prizebonds.ie] other than to check publicly available lists of winning prize bond numbers”.
The weakness was highlighted on the technology blog PMooney.net, which found that if a user requests a password reset on the website, they receive their original password in an e-mail.
Computer security experts contacted by TheJournal.ie said that if it is possible to send passwords to users using this method, it indicates that they are likely stored in a ‘plain text’ format.
This means that if a malicious hacker were to gain access to the site, customers’ e-mail addresses and passwords could be retrieved easily, because no attempt has been made to obscure the information.
“It’s an absolute no-no,” said Ronan Murphy, CEO of Smarttech.ie.
The best practice for storing passwords, he said, is to ‘hash’ them with a method such as MD5, so that the password itself is never stored.
He said that e-mail was a highly unsecured way to transmit such sensitive information.
“The fact that they manage to send passwords in an unencrypted format could lead you to believe that they are stored in that format somewhere on their network,” the author of PMooney.net told TheJournal.ie.
“I would (hopefully) doubt this is the case and assuming that the passwords are only decrypted during the process of sending the email, it still is insecure.”
The developers may have a limited budget/resources. But it needs to be fixed.
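As an added illustration, not code from the Prize Bonds site or from the article: a store that can e-mail the original password next to one that keeps only a salted hash and issues a one-time reset token instead. It uses PBKDF2 rather than the MD5 the article names, because MD5 is a fast, unsalted digest; the e-mail addresses and passwords are constructed sample values.

```python
import hashlib
import hmac
import os
import secrets
from typing import Optional

# The weakness described above: a store that can hand the password back.
PLAINTEXT_USERS = {"user@example.invalid": "hunter2"}  # constructed sample

def plaintext_reset_email(email: str) -> str:
    # What a "send me my password" reset has to do when the original is stored.
    return f"Your password is: {PLAINTEXT_USERS[email]}"

# Hardened store: e-mail -> {salt, digest}. In-memory here; a real site persists it.
USERS = {}
RESET_TOKENS = {}  # token -> e-mail; single use, should also expire

def hash_password(password: str, salt: Optional[bytes] = None):
    """Salted PBKDF2-HMAC-SHA256 (a slow KDF, unlike MD5). Returns (salt, digest)."""
    salt = salt or os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 200_000)
    return salt, digest

def register(email: str, password: str) -> None:
    salt, digest = hash_password(password)
    USERS[email] = {"salt": salt, "digest": digest}

def verify(email: str, password: str) -> bool:
    rec = USERS.get(email)
    if rec is None:
        hash_password(password)  # keep timing similar for unknown accounts
        return False
    _, digest = hash_password(password, rec["salt"])
    return hmac.compare_digest(digest, rec["digest"])

def request_reset(email: str) -> str:
    """What the site should e-mail: a random token, never the password.
    A hashed record cannot yield the original password at all."""
    token = secrets.token_urlsafe(32)
    RESET_TOKENS[token] = email
    return token

def complete_reset(token: str, new_password: str) -> bool:
    email = RESET_TOKENS.pop(token, None)  # single use
    if email is None:
        return False
    register(email, new_password)  # fresh salt, old digest discarded
    return True
```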
PMooney.net also highlights that Tesco.com’s use of a similar system was investigated by the UK Information Commissioner’s Office last year.
The NTMA said that “details held within the system database are stored in an encrypted format, in line with best practice”.
A Security Statement on PrizeBonds.ie states that “all sensitive data is stored in an encrypted fashion on highly secure servers and is completely protected from unauthorised access”.
While no financial information or transactions can be accessed if an account holder’s Prize Bonds account was compromised, Mike Harris of Grant Thornton explained that once an email address and associated password have been compromised, it can lead to the hacker gaining access to many other accounts.
“The big issue is the fact that people share the same password across different services,” he said.
“In some cases, a simple hack can compromise a lot of passwords… and these might be used across a number of different services, such as online banking, social media, and insurance websites.”
Most experts advise users to create strong passwords containing symbols, numbers, and capital letters, and to use a different password on every website.
Originally published 8.15am, updated to include clarification of MD5 encryption