back to article Vehicle owner data exposed in GM credential-stuffing attack

Automaker General Motors has confirmed the credential stuffing attack it suffered last month exposed customers' names, personal email addresses, and destination data, as well as usernames and phone numbers for family members tied to customer accounts. Trucks come off the assembly line at GM's Chevrolet Silverado and GMC Sierra …

  1. Yet Another Anonymous coward Silver badge

    GM online account

    Why do I need an online account for a pickup truck ?

    Do I need to download updates?

    Does it come with a built in vinyl printer to print new political bumper stickers every time the Great leader tweets a bon-mot ?

    1. doublelayer Silver badge

      Re: GM online account

      To use their reward system, however that works. If you earn points and have to identify yourself to spend them, that's one of the only ways. I think if you don't care about that system, you can refrain from setting up an account and just drive the thing. You would then lose whatever advantages there are in the reward points, although I'm having trouble imagining how they could set it up to be very useful.

      1. Yet Another Anonymous coward Silver badge

        Re: GM online account

        >To use their reward system

        I wondered about that.

        For every 24 pickups you buy you get one free ?

        1. Youngone Silver badge

          Re: GM online account

          If you're buying a GM vehicle you should get a spare to tow the first one back to the dealer to get fixed.

          1. J. Cook Silver badge
            Coat

            Re: GM online account

            I thought that was ford (Fix Or Repair Daily). /rimshot

            1. bpfh

              Re: GM online account

              They stole that from Lotus: Lots Of Trouble, Usually Serious.

              1. Anonymous Coward
                Anonymous Coward

                Re: GM online account

                Nah, it was FIAT: Fix it again, Tony!

                1. EnviableOne Silver badge

                  Re: GM online account

                  I thought it Was Fix It Again Tomorrow ...

                  but that's the competition (FIAT own Chrysler)

    2. Anonymous Coward
      Anonymous Coward

      Re: GM online account

      Oh, you probably need to download updates, you just can't do them online or over the air.

      Hi ho, hi ho, to the dealer you go.

      What will it cost? Nobody knows...

  2. M.V. Lipvig Bronze badge

    Sure, blame the victim

    If these companies weren't treating their own security in such a lazy manner these data breaches wouldn't keep happening. My own company requires that I log in multiple times across multiple systems to do my job. It's a huge pain, in fact 25 percent of my workday involves entering password after password. An example? Just submitting a timesheet requires that I enter a password to log into the computet, a second passeord with MFA to enter the VPN, a password to enter the company website, a password to enter the HR website, and a password to enter the timesheet site, all so I can say I worked 43-45 hours a week. To reach actual equipment requires more logins, more VPNs and more MFA logins. I wouldn't mind so much if they'd add some processing power to these systems as it can take several minutes to get in. I'd also like if they increased the timeouts once you do get in. The timeout is the worst part, as it's so short I'll be kicked out in the middle of testing, only with no indication that it timed out.

    1. Anonymous Coward
      Anonymous Coward

      Re: Sure, blame the victim

      This is really an IT problem. This is fixable.

      At my employer, the entire company is 100% work from home, but we have implemented single-sign-on (SSO) across all of our systems. We have one sign in for nearly 30 different systems/servers/VPNs/etc. This works with Linux and Windows servers. We do use multi-factor and very strong passwords, since the down side to SSO is the "keys to the kingdom" issue.

      It was not easy, and I did not set it up. We have one (very smart) guy that made it all work. It can be done. We are not that big of a company, and we can do it.

      1. FlamingDeath Silver badge

        Re: Sure, blame the victim

        Until your users get duped into entering their SSO password on a convincingly crafted web page, no doubt the 2FA too if prompted

        Obviously that last part (2FA) would need to play maninthemiddle due to it being time-based

        single sign on, while convenient, is not a security feature

    2. werdsmith Silver badge

      Re: Sure, blame the victim

      I work on systems that are secured down so tightly that I can't get into them, even though I officially have access. It starts with a 2 factor authorised VPN with local certs that I can only use from an secure-issue laptop that is locked down so I can't change anything. Once that VPN is up then I connect to a virtual desktop, and then from there I start one of another selection of similar VPNs depending on which part of the network I am working on. I connect into that next part of the network on another virtual desktop, from which I can use tools to reach the resources I am after. I frequently forget how to reach some parts of the system that I don't often access. Before I can do any of that I have to have a current DV clearance.

      No GM customer is going to tolerate that.

      1. M.V. Lipvig Bronze badge

        Re: Sure, blame the victim

        "No GM customer is going to tolerate that."

        I was thinking less about GM's customers, and more about systems that let an attacker slurp hundreds of thousands of user credentials. A customer should never be able to access anything more than their own information, and the hackers didn't get into the back door by getting hold of Mary Jo Parker's account login. Unless, of course, Mary Jo is GM's head IT admin.

    3. FlamingDeath Silver badge

      Re: Sure, blame the victim

      Have you ever heard of a password manager?

      They do exist, some are even open source and contain no “cloud feature” thank god

  3. Mike 137 Silver badge

    Although passwords are poorly managed...

    The first big issue with multi-factor is the plethora of different factors used by different service providers, resulting huge complexity for the user. The second is increasing reliance on biometrics, which necessarily are used on multiple sites and can not be changed or rescinded.

    The source of the password problem is not passwords in principle, but inadequate understanding of how they should be created and used.

    M.V. Lipvig's problem, which could be managed by use of single sign-on (provided the master credential were robust enough), is a good example of that lack of understanding on the part of the organisation, as are almost all "password rules". I recently moved a web site to a new host. Some passwords that were deemed 'highly secure' on the old host were considered unacceptable 'weak' on the new, and vice versa, strongly suggesting that one or both sets of rules are completely arbitrary. That doesn't invalidate passwords per se, just legitimately questions the competence of those setting the rules.

    If we got their creation and management right, passwords might emerge as much safer than they are while we get all that wrong.

    1. McAron
      FAIL

      Re: Although passwords are poorly managed...

      "increasing reliance on biometrics, which necessarily are used on multiple sites and can not be changed or rescinded."

      Yes. Wide-spread biometrics will enable ultimate credential stuffing attacks. A shared, unchangeable credential. What could go wrong?

      1. usbac

        Re: Although passwords are poorly managed...

        I have always just shaken my head at the use of fingerprints for verification. Why not use a credential that you leave hundreds of copies of laying around everywhere, every day?

        It's like writing down your password on hundreds of post-it notes, and randomly sticking them to every surface you touch!

        1. bpfh
          Devil

          Re: Although passwords are poorly managed...

          All depends on what you are protecting... finger print or iris scans are great but can be defeated with a sufficiently motivated attacker with EMT shears or a warm spoon...

      2. Jimmy2Cows Silver badge

        Re: Although passwords are poorly managed...

        To labour an already well-laboured point... biometrics are at best a user name, and even that's questionable since you can change your user name but it's much, much harder to change your face and/or fingerprints.

        They are not authentication, and should never be used so.

        1. John Brown (no body) Silver badge

          Re: Although passwords are poorly managed...

          "biometrics are at best a user name, and even that's questionable since you can change your user name but it's much, much harder to change your face and/or fingerprints."

          This bears repeating. Again. And again. In 72pt text. With mozilla marquee tags!

          1. J. Cook Silver badge

            Re: Although passwords are poorly managed...

            and BLINK tags. and in red, just to drive the point home with the surety that only a 5 pound sledge putting a nail into a wood beam can deliver.

    2. Anonymous Coward
      Anonymous Coward

      Re: Although passwords are poorly managed...

      Yeah, the conflicting results you mention are the result of yet another flash in the pan idea to "fix" password re-use. The idea went something like this:

      If you make the "complexity" rules completely arbitrary and wacky for every site, people can't re-use the same password everywhere.

      The problem being is that it fails to accomplish that end reliably, and inflicts pain an annoyance everywhere consistently. It is now considered unfashionable.

      We need to just stop trying to fix them. There are much better, easier, and more secure ways to do this. FIDO, TOTP, and phone or hardware tokens run rings around passwords. Once you get there SSO is easier.

      Something else that would be good is getting more of these systems off their custom built login windows and onto something with a more modular interface. PAM meant that *nix based systems could update or swap authentication sources or methods W/O ripping up the front end.

      1. yetanotheraoc Silver badge

        Re: Although passwords are poorly managed...

        "yet another flash in the pan idea to "fix" password re-use"

        Can I play? How about forcing the user to do a password reset after every login.... That way even if they re-use the password on multiple sites, it still won't when the credential stuffer gets their hands on it. What could go wrong?

      2. katrinab Silver badge
        Flame

        Re: Although passwords are poorly managed...

        But then you end up maintaining a spreadsheet with all your passwords, because frankly there is no other way to deal with it. Telling people they have to memorise them all just isn't going to work.

    3. MachDiamond Silver badge

      Re: Although passwords are poorly managed...

      "That doesn't invalidate passwords per se, just legitimately questions the competence of those setting the rules."

      It could be a good idea to move from a single password to a call and response.

      "To the axeman, all supplicants are the same height."

  4. FlamingDeath Silver badge

    If you’re using the same password across different online services, then you are dumb as shit and should not be allowed anywhere near a computer

    1. captain veg Silver badge

      using the same password across different online services

      I do this routinely.

      It's entirely possible that other users chose the same password as me. What they can't do is choose the same user name.

      I use a different user name for each online service I use (which isn't many). Mostly they require an email address for that purpose, but this is easy for me since I run my own MX on my own domains.

      Remembering a strong password that you use everywhere is easy. Remembering the user name when it's basically name-of-website@mydomain.tld is also easy.

      I recommend it.

      -A.

  5. MachDiamond Silver badge

    Strike that. Reverse it.

    If entities that store the information were on the hook for severe penalties, including prison time for executives (no sacrificial employees), maybe they'd stop storing the information as it might wind up being a liability rather than a sale-able asset. There may be a nice bonus in that the information also becomes more expensive. For less than the cost of a coffee at Starbucks, it's possible to get a nice dossier on the target of your choice. It you pay for a subscription, it can be much less. While credit card info, bank details and other financial information being exposed is a big problem, even mundane information can be weaponized. If "your ISP" calls to sell you an upgrade package with the first 3 months free and no obligation, they will find it much easier to dupe people if they have a stack of info such as account numbers, names, addresses, current subscription details, etc. The problem is that it is a scammer that needs one more piece of information from you to ruin your life. By reciting what they already know, they lull you, or a family member, into being comfortable revealing that info. This happened to a friend that immediately slapped her forehead for being such a dolt and raced to contain the damage. This is why it's a good idea to share as little information about yourself as possible.

POST COMMENT House rules

Not a member of The Register? Create a new account here.

  • Enter your comment

  • Add an icon

Anonymous cowards cannot choose their icon

Other stories you might like

Biting the hand that feeds IT © 1998–2022