What I learned about "Security"
So, I set up my account - username, password - credit card information, etc. Get logged in and immediately receive an email. I've received this email before (because I always have to set up a new account since I can never remember what my 'old' account was) . It was the standard "welcome to T-Mobile" sort of email, but it always contains this (I've written to them before - that is like sending email to a bit bucket, no response, no action). Here is the email (xxxxx represents information I:
From - Fri May 21 09:05:34 2010
X-Apparently-To: email@example.com via 126.96.36.199; Fri, 21 May 2010 00:04:39 -0700
Received-SPF: none (mta1056.mail.mud.yahoo.com: domain of firstname.lastname@example.org does not designate permitted sender hosts)
Authentication-Results: mta1056.mail.mud.yahoo.com from=t-mobile.net; domainkeys=neutral (no sig); from=t-mobile.net; dkim=neutral (no sig)
Received: from 127.0.0.1 (EHLO wlansmtp.t-mobile.net) (188.8.131.52)
by mta1056.mail.mud.yahoo.com with SMTP; Fri, 21 May 2010 00:04:39 -0700
Received: from kxsnsrg2 (kxsnsrg1 [172.28.76.134])
by wlansmtp.t-mobile.net (Postfix) with ESMTP id 37BDD6716
; Fri, 21 May 2010 09:04:37 +0200 (CEST)
Date: Fri, 21 May 2010 09:04:37 +0200
Subject: T-Mobile welcomes you to your new HotSpot Pass Account
T-Mobile welcomes you to your new HotSpot Pass Account. The password for your
new account is XXXXXXXXX
Yes, that is right, they emailed my password - over unencrypted email, for no apparently good reason at all. Why??? Why would they do this??? What is the point? What is the reason?
Why am I posting this? Well, maybe they'll read or hear about it this way and change it. I found this funny - this is their FAQ:
Is the HotSpot registration (log in) secure?Well, that is not quite true is it. You can also be assured that your password will be transmitted to everyone on the planet in clear text via good old email.
Yes, because the access details are transmitted in code to the T-Home / T-Mobile HotSpots. The code that is used is SSL. The software for this is integrated into the browser. If this is not the case, you can update your browser. The relevant downloads are available from the browser provider.
By using our HotSpot Manager, which automatically logs onto T-Home / T-Mobile HotSpots, you can be assured that the registration details are only transmitted to a confidential hot spot web portal.
In the year 2010, you would think we'd know better.
They shouldn't be STORING my password let alone EMAILING IT to me. Sigh....
Now I've got some passwords to change, ugh....