Using a former coworker's account name and password, a laid-off employee from an Austin car dealer remotely disabled the ignition on over 100 cars.
IT pros (assuming they have any) at the Texas Auto Center in Austin learned a valuable lesson in password security this week. According to Wired, an employee who was laid off last month is accused of using a Web-based vehicle immobilization service to disable the ignition system on more than 100 cars.
The dealership used a system called WebTeck Plus from Pay Technologies (PayTeck). The system allows the dealership to disable vehicles of customers who don't make their monthly payments. The system can also be used to physically locate the vehicle and honk the horn, as a warning shot for nonpayment.
According to various reports, the disgruntled employee's account was disabled when he was let go, but he is accused of using a former coworker's user ID and password to access the system and wreak havoc on the dealership's customers.
I don't know how the ex-employee obtained his coworker's logon credentials. Dealership employees may have freely shared user accounts and passwords with each other. While still employed, the accused individual could have shoulder-surfed a coworker while they were logging on. The account credentials could have been written down and stored in an unsecured location. Regardless of how this individual obtained a valid user ID and password, this event is a stark reminder of the very real consequences lax password policies can have.
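Whoever's password was used, the abuse itself left a recognizable trace: one account shutting off a hundred cars in one sitting. As an added illustration that is not part of the original post or of PayTeck's product, the following Python check flags that burst pattern in an immobilization service's audit log; the log format, account names and VINs are constructed for the example.

```python
# Added example (not from the article or PayTeck): flag an account that
# issues an unusual burst of "disable" commands in a constructed audit log
# from a hypothetical vehicle-immobilization web service.
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample lines: "<timestamp> user=<account> action=<verb> vin=<id>".
SAMPLE_LOG = """\
2010-03-15T09:02:11 user=jsmith action=disable vin=V001
2010-03-15T09:02:14 user=jsmith action=disable vin=V002
2010-03-15T09:02:16 user=jsmith action=disable vin=V003
2010-03-15T09:02:19 user=jsmith action=disable vin=V004
2010-03-15T09:02:22 user=jsmith action=disable vin=V005
2010-03-15T09:02:25 user=jsmith action=disable vin=V006
2010-03-15T10:30:00 user=mlee action=locate vin=V100
2010-03-15T13:45:10 user=mlee action=disable vin=V101
"""

def parse_line(line):
    """Return (timestamp, user, action, vin) for one audit line."""
    ts, rest = line.split(" ", 1)
    fields = dict(kv.split("=", 1) for kv in rest.split())
    return datetime.fromisoformat(ts), fields["user"], fields["action"], fields["vin"]

def find_bursts(log_text, threshold=5, window=timedelta(minutes=10)):
    """Return {user: peak_count} for accounts whose 'disable' commands reach
    `threshold` inside any sliding window of length `window`. Collections
    staff disable one delinquent account at a time; a burst is worth an
    alert no matter whose password was typed."""
    events = defaultdict(list)
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ts, user, action, _ = parse_line(line)
        if action == "disable":
            events[user].append(ts)
    flagged = {}
    for user, times in events.items():
        times.sort()
        start = 0
        for end in range(len(times)):
            while times[end] - times[start] > window:   # slide window forward
                start += 1
            count = end - start + 1
            if count >= threshold:
                flagged[user] = max(flagged.get(user, 0), count)
    return flagged

if __name__ == "__main__":
    print(find_bursts(SAMPLE_LOG))   # prints {'jsmith': 6}
```

The same loop can key on the source IP or session instead of the user name, which catches the case where several people legitimately share one login but one session suddenly behaves differently.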
Check out this video from the local NBC affiliate of an annoyed customer describing her experience.
The following TechRepublic resources can help you create a robust password policy:
- Lock IT Down: Make a password policy part of your security plan
- Password redundancy for the help desk: Craft your own escrow
- The importance of an effective password policy
- TechRepublic's Password Policy
- Legal docs for password policies
- Password Change Policy
- Establishing Good Password Policies
- Enterprise Password Management: A Guide for Best Practices
- Strong password management for the mobile user
- Help users create complex passwords that are easy to remember