Great Western Railway warns of great Western password reuse: Brits told to reset logins

Great Western Rail is urging all customers to change their GWR.com passwords after miscreants gained access to strangers' accounts over the last week. The British train company said circa 1,000 accounts were directly affected out of more than a million, and has written to those customers and the UK Information Commissioner's …

  1. JimmyPage Silver badge

    We need a court action

    to decide a minimum level of protection below which an organisation is simply negligent (and thus liable) set as a precedent.

    Forget pratting around with the ICO - may as well talk to the cat.

    Any lawyers care to advise if this is possible ?

    1. Anonymous Coward

      Re: We need a court action

      I work for a large online company, we're constantly seeing attacks such as this - it's some script-kiddie taking lists of compromised usernames/email addresses and passwords, then simply replaying them against another site's login form, to see if the passwords are the same!

      I have sympathy with GWR here, they will be blamed for this... and whilst there are steps they could take (2FA, behaviour and geo monitoring etc), in reality, the fault lies primarily with the customer for reusing passwords (yes, we're all guilty of this, including me!).

      1. Paul Hargreaves

        Re: We need a court action

        Re-use should be expected.

        My password manager shows ~802 passwords currently stored, with various sites having various rules about length, formation etc so horse-battery-staple won't work nor do I (nor most people) have photographic memories.

        Problem is, the average person can't (won't) cope with password managers and the like, especially on mobile devices where they're a pain to use.

        Even in my household, where they're trained to not use the same password, and I've given them the easiest tools I can find, they still insist on re-using a password. Excuse is 'not an important site to worry about faffing with copy/paste of 15 characters'.

        The old mantra was 'something you have, and something you know' but passwords no longer fit into that category... and I've no idea what the replacement is.

        1. Simon Harris

          Re: We need a court action

          Re-use should be expected.

          My password manager shows ~802 passwords currently stored, with various sites having various rules about length, formation etc so horse-battery-staple won't work nor do I (nor most people) have photographic memories.

          I think one of the problems is the number of places that force you to make an account when you shouldn't really need to before you can do anything. I've got usernames and passwords on theatre sites that I've visited only once because I couldn't buy tickets without registering (what's wrong with just saying here's my credit card, give me my tickets?*), and yesterday I missed a package from a well known delivery company - could I find anywhere on their website to reschedule the delivery? Not until I'd made an account with them!

          There must be millions of user accounts floating around with names and passwords that have been used exactly once and subsequently been forgotten about - it's not surprising people can't be arsed to think up a new password every time.

          * Of course, what's 'wrong' is that if you did that then they couldn't then spam you forever with marketing!

      2. Paul Hargreaves

        Re: We need a court action

        Another aside: geo monitoring won't help much either. On my laptop I'm appearing to be in various different countries depending on how my employer's VPN decides to connect. This morning it's Ireland.

        1. Anonymous Coward

          Re: We need a court action

          On my laptop I'm appearing to be in various different countries depending on how my employer's VPN decides to connect. This morning it's Ireland.

          Is your employer deploying you offshore for tax purposes?

      3. tip pc Silver badge

        Re: We need a court action

        Using the captcha system to interrupt multiple auth attempts from automated systems slows and/or stops these types of automated fishing exercises.

        1. Dan 55 Silver badge

          Re: We need a court action

          A train company could get into bother if they use Captcha and someone takes their complaint to the right places, given that Captcha is accessibility hostile.

          1. Simone

            Re: We need a court action

            I can't remember all the list, but there are some basic rules that all users can check when they sign up to a new website. Perhaps this could be set as the "minimum level of protection"?

            * Passwords should not be accepted if they are the common 'words' used for passwords, i.e. password, secret, 1234, etc.

            * Passwords should require a mixture of upper / lower case, numbers and 'special' characters (I am not sure how much this helps)

            * Passwords should be a minimum length

            * Passwords that have been used before should be rejected (a time limit or quantity)

            * A forgotten password link should not be able to send your password - it must be encrypted in the website's database and so be unrecoverable. The recovery process should require the user to enter a new password before gaining access.

            * After a small number of failed attempts, login should be disabled for a time

            I'm sure there are other simple rules. Anyone can check for these rules when they sign up. There should be a way of reporting sites that fail these checks.

            This would not have protected GWR though.

            1. Christoph

              Re: We need a court action

              "Passwords that have been used before should be rejected"

              How would they know? If the passwords are stored properly salted then they can't compare even the hashed versions. And do you really want a message saying "Sorry, you can't use that password because someone else on this site is using it"?
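As an added illustration (not code from the thread), the sign-up checks listed above and the "how would they know?" question both come down to what a salted store lets you test. A user's own password history can be enforced even with salted hashes, because each stored record carries its own salt and the candidate can be re-derived against each of that user's previous records; comparing against every other user's password would mean re-hashing under every other salt, which is why that check is not normally done. The denylist and minimum length here are constructed placeholders:

```python
import hashlib
import hmac
import os
from typing import List, Optional, Tuple

PBKDF2_ROUNDS = 200_000  # work factor; tune to the server hardware

# Constructed stand-in for the usual list of common passwords
COMMON_PASSWORDS = {"password", "secret", "1234", "123456", "qwerty", "letmein"}


def hash_password(password: str, salt: Optional[bytes] = None) -> Tuple[bytes, bytes]:
    """Return (salt, digest). A fresh random salt is drawn unless one is supplied."""
    if salt is None:
        salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)
    return salt, digest


def verify_password(password: str, salt: bytes, digest: bytes) -> bool:
    """Re-derive with the record's own salt and compare in constant time."""
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)
    return hmac.compare_digest(candidate, digest)


def check_new_password(candidate: str, history: List[Tuple[bytes, bytes]],
                       min_length: int = 12, history_depth: int = 5) -> List[str]:
    """Return the list of policy violations; an empty list means the password is accepted.

    `history` holds this one user's previous (salt, digest) records, newest first.
    Each record has its own salt, so the candidate can be re-derived against every
    one of them without the site ever storing plaintext or an unsalted hash.
    """
    problems = []
    if len(candidate) < min_length:
        problems.append(f"shorter than {min_length} characters")
    if candidate.lower() in COMMON_PASSWORDS:
        problems.append("on the common-password denylist")
    for salt, digest in history[:history_depth]:
        if verify_password(candidate, salt, digest):
            problems.append(f"matches one of the last {history_depth} passwords")
            break
    return problems
```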

        2. PNGuinn

          Re: We need a court action @tp pc

          "The train due at platform 7 will be 15 minutes late to enable online booking customers to wade through our new high security captcha logon system in order to book a ticket. Passengers are reminded that Great Western takes your security, safety and comfort very seriously."

        3. NonSSL-Login

          Re: We need a court action

          Depends on the attacker and the tools they use. Some of the programs used to try user/email combo lists against sites also allow you to specify a public proxy list which can be grabbed from many places. So you end up with hundreds of IP addresses with random User Agents with a bigger gap in time before a particular IP/proxy gets used again.

          Some of the better tools allow you to specify a timeout before retrying with the same IP so you work out beforehand what triggers the captcha and adjust settings accordingly.

          A captcha at every login would help but I hate with a vengeance having to fill in captchas every time I want to login somewhere. Even then, it's easy to add code to a tool to cover sending the captchas to a usually Indian based site where they charge you a fraction of a penny for each captcha solved on your behalf by an army of people employed to do so. 2captcha and anti-captcha are two such services. 50 cents for 1000 solved captchas, 2000 people online, 8 sec solve time.

    2. ArrZarr Silver badge

      Re: We need a court action

      Considering how the attack wouldn't be possible if proper password security had been in place from the users, I'm having a hard time seeing how GWR can be seen as responsible for this - if an attacker is in possession of both username and password, then the target system is working as intended if it grants access.

    3. Andy_Lee

      Re: We need a court action

      What could GWR have done in this case? Maybe monitor for multiple logon attempts from unknown users, which would probably be the only real indicator that an attack was being carried out using a database of existing user/password combinations harvested from the web. It would seem that they did pick it up using this sort of methodology, but the basic issue is people reusing the same password everywhere and not being aware when their passwords may have been compromised, or not changing them everywhere if they do become aware.

      I can't see how you can legislate for that sort of educational problem.

    4. macjules

      Re: We need a court action

      Any company would simply blame the processors or the developers. Software/Web developers are already clobbered by this [EXPLETIVE DELETED] government for 20% additional tax, but make them liable for any website errors and they will have to take out huge professional indemnity cover as well.

      I have one client that has a very large user base (over 30m registered users) but they have so far totally refused to acknowledge GDPR and only when I gave up and sent them a compliance document requesting them to absolve us from any liability under GDPR have they now (less than 1 month to go) asked us to implement GDPR on the website.

    5. macjules

      Wot no jokes?

      C'mon commentariat: I was at least expecting "The site must have been done in Ruby - it's come off the Rails"

    6. Anonymous Coward

      Re: We need a court action

      Maybe we could do with a court action.

      But let's make it a case where there's some real negligence and damage. There are enough such cases reported here on El Reg, but this doesn't look much like one of them.

    7. jphilweybr

      Re: We need a court action

      Does anyone know whether there has actually been a successful hacking? The Register quotes a comment from GWR but there is nothing on their website to confirm this. Indeed, entering "password" in their search produces a nil return. Needless to say, trying to contact them faces you with numerous obstacles.

      I received an e-mail telling me to re-set my password, but from a hosting service based in Indiana, and with link buttons to press.

      AFAIK, I do not have a GWR account, but when I pretended I did, they sent me a password reset link. Nevertheless, I have not received any communication from GWR that appears to be genuine.

      Does anyone have a clue as to what is happening here?

      1. diodesign (Written by Reg staff) Silver badge

        Re: "Does anyone have a clue as to what is happening here?"

        Yes, as the GWR person explained, people were reusing passwords from other websites, which were hacked and their login details presumably leaked to the dark web, allowing crooks to gain access to their GWR accounts.

        Let's say you use mycheapbikesexample.com to buy bicycle stuff, and GWR.com, with the same username and password pair. And mycheapbikesexample.com gets hacked and the username and password database stolen. If crooks can figure out your username-password combo from that DB, they can try it on other sites and eventually log in as you, on GWR.com, if you've reused your credentials.

        It's called credential stuffing, it's automated these days, and it's why you should use a unique password per-site and also two-factor authentication.

        C.

  2. Halcin

    Sorry, but there is no excuse for alarm bells not ringing when your online servers are being hit with multiple failed login attempts as "script-kiddies" test a list of username/password combos.

    1. Warm Braw

      I'm assuming the alarm bells have rung, which is how GWR is aware of this issue affecting a relatively small number of their users. Short of warning the users concerned, I'm not sure what GWR might have been supposed to do - disabling their site or forcing everyone to change their password would seem like overkill.

    2. Paul Hargreaves

      I suspect the bells at any 'major' public site are continually ringing then...

    3. Keith Langmead

      What do you propose should trigger the alarm bells? A failed login? Pointless as there will be many legit failed logins, so the attack would be lost within the noise. Multiple failed logins? If they’ve a list of email addresses and passwords to try, they may only be making one attempt with each email address so that wouldn’t trigger. Multiple failed logins from a single IP? I imagine something like this is done through a botnet, so there will be many IPs. Plus, the bad guys know full well too many failures within x minutes will trigger alarms, so they keep their attempts slower to stay under the radar.

      Also keep in mind, anything you do to detect and stop this kind of thing has to be balanced against not screwing over your own customers. It’s certainly not impossible to protect yourself from these things to a certain extent, but I think to suggest it’s simple is naïve.
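The comment above rules out per-account and per-IP thresholds one by one; what is left is the aggregate shape of the traffic. As an added example (not from the thread), the detector below reads constructed login log lines and flags a window in which many distinct accounts each fail about once, spread across almost as many source addresses as accounts, a pattern that ordinary mistyped logins do not produce. The log format and the thresholds are assumptions chosen to fit the tiny sample:

```python
import re
from collections import defaultdict
from datetime import datetime, timezone

LOG_RE = re.compile(
    r"^(?P<ts>\S+) login user=(?P<user>\S+) src=(?P<ip>\S+) result=(?P<result>ok|fail)$"
)

# Constructed sample: a normal window (09:00-09:04) of two users mistyping and then
# succeeding, then a window (09:05-09:09) where many accounts each fail exactly once
# from many different source addresses and one attempt succeeds.
SAMPLE_LOG = """\
2018-04-18T09:00:12Z login user=alice@example.com src=198.51.100.7 result=fail
2018-04-18T09:00:41Z login user=alice@example.com src=198.51.100.7 result=ok
2018-04-18T09:02:05Z login user=bob@example.com src=198.51.100.22 result=fail
2018-04-18T09:02:19Z login user=bob@example.com src=198.51.100.22 result=fail
2018-04-18T09:02:33Z login user=bob@example.com src=198.51.100.22 result=ok
2018-04-18T09:05:01Z login user=carol@example.com src=203.0.113.10 result=fail
2018-04-18T09:05:14Z login user=dave@example.com src=203.0.113.55 result=fail
2018-04-18T09:05:27Z login user=erin@example.com src=192.0.2.8 result=fail
2018-04-18T09:05:40Z login user=frank@example.com src=192.0.2.77 result=fail
2018-04-18T09:05:53Z login user=grace@example.com src=203.0.113.201 result=fail
2018-04-18T09:06:06Z login user=heidi@example.com src=192.0.2.130 result=ok
2018-04-18T09:06:19Z login user=ivan@example.com src=198.51.100.99 result=fail
"""


def parse_events(text):
    """Return (epoch_seconds, user, ip, result) for each well-formed line."""
    events = []
    for line in text.splitlines():
        m = LOG_RE.match(line.strip())
        if not m:
            continue
        ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
        events.append((ts.timestamp(), m["user"], m["ip"], m["result"]))
    return events


def window_stats(events, window=300):
    """Per fixed window of failures: count, distinct accounts, distinct IPs, attempts per account."""
    buckets = defaultdict(lambda: {"fails": 0, "users": defaultdict(int), "ips": set()})
    for ts, user, ip, result in events:
        if result != "fail":
            continue
        b = buckets[int(ts // window) * window]
        b["fails"] += 1
        b["users"][user] += 1
        b["ips"].add(ip)
    stats = {}
    for start, b in buckets.items():
        n_users = len(b["users"])
        stats[start] = {"fails": b["fails"], "distinct_users": n_users,
                        "distinct_ips": len(b["ips"]), "attempts_per_user": b["fails"] / n_users}
    return stats


def flag_stuffing(events, window=300, min_users=5, max_attempts_per_user=1.5, min_ip_ratio=0.8):
    """ISO start times of windows whose failures look like credential stuffing.
    Thresholds here suit the sample; in production baseline them on normal traffic."""
    flagged = []
    for start, s in sorted(window_stats(events, window).items()):
        if (s["distinct_users"] >= min_users
                and s["attempts_per_user"] <= max_attempts_per_user
                and s["distinct_ips"] >= min_ip_ratio * s["distinct_users"]):
            flagged.append(datetime.fromtimestamp(start, tz=timezone.utc).strftime("%Y-%m-%dT%H:%M:%SZ"))
    return flagged
```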

    4. macjules

      And no Username Enumeration Prevention on the site. Still, nice to see that they have a Symantec SSL certificate :)

      1. Prst. V.Jeltz Silver badge

        "Username Enumeration Prevention"

        What's that then? Forget it, I decided to get off (stay sat on) my arse and google it.

        For those who didn't, but wanna, know:

        It's establishing usernames for a site in order to repeatedly brute force that login - sometimes by asking for a password reset and seeing if a "that username doesn't exist" message is returned.

        The fix appears to be to not tell the requestor whether it exists or not and just claim the reset email is sent.

        --------------

        That's annoying for users like me who aren't sure what username / email they used, and surely that kind of brute force attack is more easily defeated by setting the alarm bells off after 3 wrong tries and inserting increasingly longer gaps before it can be tried again.

        1. katrinab Silver badge

          The other way to find out if a user name exists is to try to create an account with that username, and see if it tells you that someone else already has it.
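The two comments above name the two usual oracles: the password-reset form and the sign-up form (the login error message is a third). As an added example (not code from the thread or from GWR), the in-memory site below gives the same public reply on every path and moves the "you already have an account" information into the mailbox of the address owner, who is entitled to it, while the anonymous requester learns nothing; the token derivation and dummy hashing keep the known-user and unknown-user paths doing the same work. The store, messages and PBKDF2 parameters are assumptions:

```python
import hashlib
import hmac
import secrets
from dataclasses import dataclass, field
from typing import Dict, List, Tuple

# Fixed public replies that do not depend on whether the address is registered
GENERIC_RESET = "If an account exists for that address, a reset link has been sent."
GENERIC_SIGNUP = "Check your inbox to finish setting up your account."
GENERIC_LOGIN = "Incorrect email address or password."
PBKDF2_ROUNDS = 100_000


def make_credential(password: str) -> Tuple[bytes, bytes]:
    """Salted PBKDF2 record for the constructed in-memory user store."""
    salt = secrets.token_bytes(16)
    return salt, hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)


@dataclass
class Site:
    users: Dict[str, Tuple[bytes, bytes]]            # email -> (salt, digest); constructed store
    outbox: List[Tuple[str, str]] = field(default_factory=list)  # (recipient, subject) to send
    secret: bytes = field(default_factory=lambda: secrets.token_bytes(32))

    def _token(self, email: str) -> str:
        # Derived on every request, known user or not, so the code path and timing match
        return hmac.new(self.secret, email.encode(), hashlib.sha256).hexdigest()[:32]

    def request_password_reset(self, email: str) -> str:
        token = self._token(email)
        if email in self.users:
            self.outbox.append((email, f"Reset your password: {token}"))
        # Unknown address: identical reply, nothing sent (or a 'no account here' notice)
        return GENERIC_RESET

    def register(self, email: str) -> str:
        token = self._token(email)
        if email in self.users:
            # Only the mailbox owner is told the account already exists
            self.outbox.append((email, "You already have an account; use password reset"))
        else:
            self.outbox.append((email, f"Confirm your new account: {token}"))
        return GENERIC_SIGNUP

    def login(self, email: str, password: str) -> Tuple[bool, str]:
        # Hash against a dummy record for unknown users so both paths cost the same
        salt, digest = self.users.get(email, (bytes(16), bytes(32)))
        candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)
        ok = email in self.users and hmac.compare_digest(candidate, digest)
        return ok, ("" if ok else GENERIC_LOGIN)
```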

  3. Jon Smit

    No email here

    And unable to access site to change password, as there's "service error".

    Not good enough.

    1. Anonymous Coward

      Re: No email here

      Damned if they do... Damned if they don't..

      1. Jon Smit

        Re: No email here

        If I hadn't seen this article, I would have no knowledge of this data breach. Not receiving an email isn't good enough and yes, they are damned.

        1. Alister

          Re: No email here

          Have you considered that if you haven't received an email, it means your account was not breached?

          Do you use a different password for your GWR account than any other internet login? Then you probably don't have a problem.

          1. Anonymous Coward

            Re: No email here

            Not receiving an email just means you don't know either way. Given the almost unbelievable incompetence I have personally experienced at the hands of Great Wanky Rejects over a period of 6 months or so, I would trust them about as far as I could throw this planet

    2. 's water music

      Re: No email here

      I just went on to reset my password only to find that the existing (browser remembered) password didn't work. I hadn't reached the point in the article that mentioned the general reset nor seen the email from GWR that only arrived five minutes ago. Normal password reset process worked ok though.

      Email said my account was not breached but they had forced a password reset anyway.

    3. Gotno iShit Wantno iShit

      Re: No email here

      Similar here. Tried to log in despite not getting the email, password not recognised. It was possible, but not likely that I'd changed my password and forgotten to record it in my password manager so I did a reset. Can't log in with the temporary password either.

  4. Captain Badmouth

    Spam email or not?

    Windows users should be taught to use the likes of mailwasher to preview their emails before downloading them. Viewing everything in plaintext is very useful to see through the html links.

    1. Paul Hargreaves

      Re: Spam email or not?

      I'm not sure it would help TBH, the average person struggles with basic IT.

      e.g.

      'I turned it off' - no, you turned the monitor off, you need to turn off all the electrical sockets if you really want to be sure.

      'It's been doing that for ages' - the box that pops up to ask them to install a critical fix, closed.

      'The internet isn't working' - actually it's working fine, turn airplane mode on/off and your phone will reconnect.

      'Please stop replying to all, please remove me, me too!' - users on any large corporate mailing lists.

      'I CAN'T LOG IN' - turn off capslock and try entering your password again.

      etc etc etc.

    2. GingerOne

      Re: Spam email or not?

      Before downloading them? You think people still use email clients? Every major email provider (yes, I do mean GMail, Outlook.com, Yahoo!, etc) is either browser based or has its own dedicated mobile apps. No one (that is to say the vast majority of ordinary Joes) 'downloads' their email any more.

      1. Captain Badmouth

        Re: Spam email or not?

        "Before downloading them? You think people still use email clients?"

        Yes, I don't like leaving sh*t lying around on a server somewhere when it could be *safe* at home with me.

  5. MartyOhr

    Current advice from GCHQ is not to reset passwords

    The NCSC, who are part of GCHQ, have updated their password advice. They advise NOT changing passwords unless the account has actually been compromised.

    It seems like GWR were trying to do the right thing, but now they have 1000 users scrabbling around to try to figure out new passwords.

    Password managers are great - but have limited use. If I need to log into an account from somewhere different then I'm screwed if the password manager on my laptop is not in the same location. That 15 character random password will be useless to me. A standard reusable password with 2FA is likely to be much stronger.

  6. Nigel Sedgwick

    Grinding to a Halt

    So, as I understand it, after worries about (circa) 1,000 GWR online customers having their passwords compromised (seemingly on another website or websites where the same passwords were used as on GWR's website), GWR have now cancelled the passwords of all (circa one million) of their website registered users. That includes deregistering those fairly wise persons who use a strongish and different password for every website (or other thingy) that they are registered with - and hence were not compromised in the way feared by GWR.

    If every website is going to have all their registrants deregistered every time a few of their unwise users get their (easily guessable or multiply used) passwords hacked, the modern world is going to grind to a halt.

    Best regards

  7. Anonymous Coward

    FFS! Can we just abandon passwords and use x509 client certificates already?! It's not like they've been around for ~30 years or anything...

    1. Nick Kew

      Get rid of passwords - yes.

      x509 Client Certs: problematic. You need to map certs to people, not to browsers, systems, installations. Even if you introduce technology that works like that, you're up against a legacy of certs deployed with entirely different policies.

      Not insurmountable, but not straightforward either. I'd use PGP in preference, on the grounds that it's always been associated with people, and has 25 years worth of WoT infrastructure.

  8. arctic_haze

    They should at least stick to one domain name

    Frankly, I myself was 100% sure it is a scam. The company apparently uses two domains, gwr.com and firstgreatwestern.co.uk.

    What an experienced Internet user should think about a message titled "Your GWR.com account - password reset" but sent from... <greatwesternrailway@e.firstgreatwestern.co.uk>? Actually I hesitated and decided to wait until I learn more.

    1. Christoph

      Re: They should at least stick to one domain name

      I strongly suspected a scam since it had a link to reset my password!

      However it used my name in the message, and was sent to the unique email address that I gave Great Western - if scammers had that then they'd already broken into my account.

    2. Nick Kew

      Re: They should at least stick to one domain name

      I expect that'll be down to their half-baked rebranding exercise.

      And of course, nowadays whois is no longer much help. Though firstgreatwestern.co.uk still has an old-fashioned entry naming the registrant as FirstGroup PLC and dating back to 1998 (a much longer lifetime than one might expect of an imposter).

  9. Androgynous Cow Herd

    Only 1000 accounts?

    Must be a slow news day.

  10. veti Silver badge

    Why in the name of Brunel

    ... does anyone need a password for a railway system anyway? Why do you need an account with them?

    All you need is some way to buy tickets and know about services. Both of these functions are best served by a public portal that operates on the basis of anonymity. There is zero reason for GWR to know anything about its users except what journeys they've bought and what trains they're riding on. Name, sex, age, address, nationality, employment - no, no, no, no, no, no. None of your f***ing business.

    This fetish for "knowing your users" is creating bazillions of points of failure in our world that just don't need to exist.

  11. Nick Kew

    Rebellion

    Prompted by this story, I've just realised I must be one of the vast number of users whose passwords just got reset (albeit against my will and better judgement).

    Well, I for one won't be resetting my password. Sod that.

  12. TrumpSlurp the Troll

    Security Upgrade!

    Now even I don't know the password.

    I haven't used/needed the account for about 9 years now.

    So good luck to anyone who breaks in.

    Nothing to see there.

    For the commentard asking why you even need an account.

    I buy discounted rail tickets on line pre-purchasing.

    However I do buy them from a commercial provider, my local rail franchise.

    Just the same as if I walked into a station and bought one over the counter.

    It is not clear to me what is wrong with this arrangement.
