Internet users in 9 million homes were wide open to hackers for nearly a month thanks to one major Internet provider's huge security flaw. Through this security hole, hackers could have taken over the users' computers, accounts, email, voice mail and even their cable TV service.
The dangerous vulnerability came to light last week with a tip from a former hacker. It turns out that one major Internet provider, Verizon, was depending upon a user's unique IP address to confirm its customers' identity. Just one problem: an IP address can be easily faked.
By the way, an IP address, or Internet Protocol address, is the number of up to 12 digits that identifies every computer, smartphone, printer and everything else attached to the Internet. In this case, when Verizon received communication from an IP address that it had assigned to a home user, it treated the IP address as confirmation that it was talking to the owner of that account.
Once communication, like an online customer support chat, was started with a Verizon IP address, account settings like passwords could be changed or services ordered or canceled. With a new email password, a hacker could easily comb through a user's email looking for other account confirmations, bank statements, health records, social security numbers or anything else.
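The design weakness described above, as an added example that is not Verizon's code or part of the original article: a handler that treats the source address as proof of identity, beside one that accepts only a session token the server issued after login. The addresses, account ids, request shape and function names are all constructed for illustration.

```python
import hashlib
import hmac
import secrets
from typing import Callable, Optional

# Constructed sample data: documentation-range addresses, made-up account ids.
ACCOUNT_BY_ASSIGNED_IP = {"203.0.113.10": "acct-1001", "203.0.113.11": "acct-1002"}
SESSION_KEY = secrets.token_bytes(32)  # server-side secret, never sent to clients


def _tag(account_id: str) -> str:
    return hmac.new(SESSION_KEY, account_id.encode(), hashlib.sha256).hexdigest()


def issue_session(account_id: str) -> str:
    """Called only after a successful login; binds the token to one account."""
    return f"{account_id}.{_tag(account_id)}"


def account_from_ip(request: dict) -> Optional[str]:
    """Weak pattern: the network address alone decides whose account this is."""
    return ACCOUNT_BY_ASSIGNED_IP.get(request.get("source_ip"))


def account_from_session(request: dict) -> Optional[str]:
    """Hardened pattern: identity comes only from a token the server issued."""
    account_id, sep, tag = (request.get("session_token") or "").rpartition(".")
    if not sep or not account_id:
        return None
    # Constant-time comparison of the presented tag with the expected one.
    ok = hmac.compare_digest(tag.encode(), _tag(account_id).encode())
    return account_id if ok else None


def change_password(request: dict, identify: Callable[[dict], Optional[str]]) -> str:
    """Sensitive action; `identify` is whichever identity check is in force."""
    account = identify(request)
    return "denied" if account is None else f"password changed for {account}"


if __name__ == "__main__":
    no_credentials = {"source_ip": "203.0.113.10"}  # right address, no login
    print("ip check:     ", change_password(no_credentials, account_from_ip))
    print("session check:", change_password(no_credentials, account_from_session))
    roaming = {"source_ip": "198.51.100.7", "session_token": issue_session("acct-1001")}
    print("session check:", change_password(roaming, account_from_session))
```

The address turns out to be neither sufficient nor necessary for the hardened check: a request from the assigned address with no token is refused, while the logged-in owner is accepted from any address.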
As if this security flaw wasn't scary enough, faking an IP address is actually really easy. Nearly anyone could pull off this hack with no special skills.
Word of this security hole first arrived last week in a tip from a former hacker. He promised not to make the information public until Verizon had a chance to fix the problem. After being alerted about the flaw, Verizon released this statement:
“Once it was brought to our attention, our experts immediately investigated the issue and repaired the error within hours. We appreciate the responsible manner in which (the media) brought this matter to our attention. Addressing issues like this collaboratively is a constructive addition to our continuous actions to safeguard the security of customers’ information.”
According to a Verizon spokesperson, Alberto Canal, the vulnerability was due to an error programmed in the website’s code on April 22 of this year. “We have no reason to believe that any customers were impacted by this... If we discover that any were, we will contact them directly.”
One last note: a reporter working on this story tried out the hack prior to Verizon's fix. At one point he was given a security question by Verizon, "What was the amount of your last payment?" He reports that he simply called Verizon customer service, claiming he was "balancing his checkbook," and asked the amount of his last payment. Armed with that specific detail, he easily sailed past the security question and got into the account.