ConEd Customer's Personal Info Highly Vulnerable To Online Theft

ConEd customer’s personal information is in grave danger. ConEd’s online account system is easily crackable, only requiring entering an account number.

We emailed this information to ConEd earlier this month but never received a reply back, so now we’re going public.

Someone could easily break into this system with a simple brute-force program designed to run through every single numeric permutation.

Once inside, a cracker would have access to customer’s

• Name
• Address
• Telephone Number
• Two Years Billing & Payment History
• Due Amount
• Direct Payment Plan Enrollment Status
• Email Address (if provided)
• Alternate Phone Number (if provided)
• Fax Number (if provided)

This information could used to commit identity theft, such as opening fraudulent credit cards or bank accounts. Also, one of the options is “close my account.” Presumably, someone’s electricity could be shut off.

This is pathetic. ConEd needs to add stricter security measures, at least a password for crying out loud, before there’s a breach of customer’s personal information.

According to their website, ConEd serves over 1.1 million customers in the New York area. — BEN POPKEN

(Thanks to Jeff!)


Edit Your Comment

  1. timmus says:

    I think it would be beneficial if someone went ahead and wrote a bot to go through a range of 10,000 account numbers and at least post the name and a mangled address, and put it on a big ConEd sucks website. The negative publicity with a relatively harmless leak would be better than letting it sit there and stew, becoming a goldmine for identity thieves.

    Another idea might be to write letters to 500 NYC attorneys informing them that their very own identity information is vulnerable. That would get a response quick, assuming most have ConEd accounts.

    Reminds me of SBC (Southwestern Bell) in 1997 when you could call their voice response system and simply enter a phone number, no other authentication, and get account information. Unbelievable.

    Also my professional trade organization had a huge vulnerability. If you entered an account number to get journal subscription information, it would “confirm” back a bunch of address/telephone number details tied to the account. Since they only used the numerical ranges of 1-50,000 you could easily parse the entire database.

  2. cdmunch says:

    I would hate to have thieves break in and see my four months of unpaid bills up there.

  3. Narnia says:

    By the way, your new Favicon looks like the Chicago Cubs “C”. I like.

  4. TPIRman says:
  5. Kornkob says:

    Another idea might be to write letters to 500 NYC attorneys informing them that their very own identity information is vulnerable. That would get a response quick, assuming most have ConEd accounts.

    Or brute force the system, grab everyone’s names and start terminating service for any lawyer, politician or ConEd executive found.

    Not that I’m suggesting that anyone actually do such a thing but you can be damned sure the problem would be fixed toot sweet once a bunch of McMansions go dark.

  6. louise says:

    I was on a jury in a civil case involving Con Ed about 15 years ago; their lawyers were crude idiots.

    And, worst of all, badly dressed!

    I doubt anything’s changed in their law department.

  7. sissnitz says:

    Hey kornkob, I’m a lawyer, I have no McMansion (just a rent-gouged little 1br) and I’m drowning in student loan debt over here. Let’s just pick on the Con Ed execs and crooked politicos, OK? :)

  8. timmus says:

    No problem sissnitz… just get the people using over 5,000 kWh of power. Those are gonna be the McMansions. Or the sources of good weed.

  9. We emailed this information to ConEd earlier this month but never received a reply back, so now we’re going public.

    did you get multiple unsatisfactory responses from the reps/supervisors? did you escalate it to some executive-level csr? have any consumer protection agencies been notified?

    maybe it’s just me, but i’m a little leery of the whole “we haven’t gotten a response to this security issue, so we’re gonna go ahead and tell everyone” methodology. whether you’re talking about exploitable open ports or buffer overruns or weak website security, it’s advertising an issue to anyone who might be interested in taking advantage, who may not have known before the announcement.

    say someone breaks into coned’s system and starts going to town. say they found out about the vulnerability from consumerist or some link. coned may be the fools with the weak security, but consumerist would be part of the process that facilitated the escalation. if i stand on a street corner announcing to everyone, “hey, the bank left the vault unlocked!”, i may not be guilty of a crime, but i’m still an *sshole.

    unless of course you did more than just send them a single courtesy email a few weeks ago, in which case all is forgiven.

  10. timmus says:

    Oh, kudos to Ben & Co. for the screenshot.. that really drives the point home.

  11. mattbrown says:

    I’m going to call ConEd and see if they can disable the ability for my account to be accessed online. We’ll see what they say. I commend myself on a revolutionary idea.

  12. I gotta call you on this one dave. When somebody steals, it is not somebody elses fault. Period. The access to information is not what makes a person do wrong. I have no qualms with telling the world that somebody has been running around with their pants around their ankles and their junk there for all to see. But this is just my opinion.

    I wouldnt think you were an asshole for yelling that the bank left the vault unlocked. I would think that the person who took advantage of the situation would be the asshole. Wait, can I say asshole on consumerist??

  13. i’m not saying consumerist should be considered liable for any trouble that someone else decides to start over this. my concern is how much concern is shown for the consumers at risk.
    was coned simply sent a single email as a warning? was it sent to anyone in particular, or some anonymous “contact us” address? were there any follow-up messages sent? was there any regulatory agency contacted before the rest of the world? more information is needed.
    like i said, if more was done than a cursory notification, then all is forgiven. but if all that was sent was a single ‘fyi’, then coned wasn’t the only one who fell asleep at the consumer protection switch. keep in mind that we’re not talking about a bank- a criminal wouldn’t just have the capacity to defraud coned. they’d have the capacity to defraud any number of innocent consumers. to enable that behavior on a consumer-centric site seems counterproductive.

    it’s a fuzzy area to be sure, but it seems to me that consumerist’s obligation should be to steer clear of fuzziness when it’s their own base at stake. i’m not talking about legal interpretations, i’m concerned about right and wrong. (even if it’s just my own sense of it.)

  14. I completely understand what you meant with your pont. Just wanted to pick on you a bit. I definately would take the time to tell the person with the pants around the ankles several times that their pants were down before I proceed to call attention to his behaviour.

    Now that I think about it, that kinda makes me an ass.

  15. Anonymous says:

    Feb 2009, and still nothing has changed on the site- unbelievable! I was able to change direct payment info just with my account number and no other verification whatsoever! This is scary.