Speak EV - Electric Car Forums banner
21 - 37 of 37 Posts
I'll be hoping it's more @Simon..Hewison's than @AbleArcher's reasonable guesses which matches the truth. Unless it's a serious data breach, we'll probably never know for certain.

It took me about 10 minutes to set up my new password this morning. The Swarco web site was working, unlike others' experiences, but very slow to respond (1-2 minutes to load each new page of the process). It's reminded me why I prefer contactless, or multi-charge-point-operator accounts like Electroverse: the nuisance value is diluted. That said, I usually go for the cheapest reasonable (i.e. not GeniePoint) chargers on my route rather than the most convenient to use.
 
Obviously a lot of people have millions upon millions in the current account and are worried that someone will get the money...because they have DB set up.....
There is a very simple solution....don't use CPS account. There is an option to delete your account if you want to. By not using the network will free a lot of chargers and will be easy for the rest of us to use them if we need them.
Everybody happy 😁
 
Can't login with old password. Password recovery still isn't sending a reset email.

Nothing in mail server logs showing them being bounced either. Half wondering whether my account has been deleted due to never really using it but they've not actually deleted my email off their account holders mailing list. Haven't logged into the website in donkeys.
 
My app is still working with the old password. I use my phone to generate passwords so it’s a long password already, maybe my account details were not compromised or it’s long enough already so meets the requirement. Mind you, if they track people’s Password length that weakens their security anyway.

could be tomorrow I will have to reset.
 
Their systems then can't allow users to continue to use weak (or no) hashes for user passwords, and now the passwords are hashed better, something like sha256 rather than a 64 bit RSA, or whatever.
Not quite correct - a website can actually upgrade a password to use a new hashing scheme (or add hashing if it wasn't there before 😁) seamlessly without any specific user intervention and without sending out a mass password reset email to all customers as CPS have just done. (I received the Chargeplace Scotland one too but have so far ignored it...)

Companies do it all the time as hashing techniques improve. They simply keep a record in the database of what type of hashing algorithm each user's password is hashed with. The next time a user still on an old password hash logs in, instead of just hashing their password the old way to verify it, they also rehash it with the new hash scheme and update this in the database along with the record that says what kind of hash is in use, all despite the user only logging in and not actually changing their password. Completely seamless and invisible to the user.

The vulnerability with this approach is that if the database has already been stolen it is not sufficient, of course, and if it is likely that the database will be stolen between the time when they want to start using new hashes and the time when the last user's hash has been updated (through that user logging in), and the previous hashing scheme is grossly inadequate, it is also not sufficient. But the risk here is only the possibility of the database being stolen before everyone has logged in to cause their passwords to be rehashed.

For them to send out a massive password reset to everyone, causing all this inconvenience, means either there was a breach, or auditors looked at their systems and discovered a gaping hole like unsalted hashes, still using MD5 or (gasp) not even hashing at all, and deemed the risk of the database "escaping" in this vulnerable state too high. To be honest I can't believe they wouldn't have any password hashing at all, that seems unlikely, but I can see something like unsalted hashes.
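The upgrade-on-login scheme the post above describes, as an added example written for this page (it is not code from the thread, from CPS or from Swarco), in Python using only the standard library. Each record carries the name of the scheme it was hashed with; a successful login verifies under the old scheme and, because the plaintext is in hand at that moment, silently rewrites the record under the new one. It goes one step beyond the post: `wrap_legacy` closes the window the post calls the vulnerability of the approach by wrapping every remaining unsalted MD5 digest inside salted PBKDF2 offline, with no plaintext needed, so a stolen table never contains a bare MD5. That wrapping step, the scheme labels, the 200,000 iteration count and the two sample users are all constructed for the example.

```python
import hashlib
import hmac
import os
from dataclasses import dataclass

# Illustrative iteration count only; pick a production value from current guidance.
PBKDF2_ITERS = 200_000

# Scheme labels are an assumption of this example, not any real vendor's format.
LEGACY = "md5"            # unsalted MD5, the "gaping hole" case
CURRENT = "pbkdf2"        # salted PBKDF2-HMAC-SHA256 over the plaintext
WRAPPED = "pbkdf2(md5)"   # salted PBKDF2 over the old MD5 digest (offline migration)


@dataclass
class Record:
    scheme: str
    salt: bytes
    digest: bytes


def _md5(password: str) -> bytes:
    return hashlib.md5(password.encode()).digest()


def _pbkdf2(material: bytes, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", material, salt, PBKDF2_ITERS)


def hash_new(password: str) -> Record:
    """Hash a password under the current scheme with a fresh random salt."""
    salt = os.urandom(16)
    return Record(CURRENT, salt, _pbkdf2(password.encode(), salt))


def _recompute(password: str, rec: Record) -> bytes:
    """Recompute the stored digest for this candidate password under rec.scheme."""
    if rec.scheme == LEGACY:
        return _md5(password)
    if rec.scheme == CURRENT:
        return _pbkdf2(password.encode(), rec.salt)
    if rec.scheme == WRAPPED:
        return _pbkdf2(_md5(password), rec.salt)
    raise ValueError(f"unknown scheme {rec.scheme!r}")


def login(db: dict, user: str, password: str) -> bool:
    """Verify under whatever scheme the record uses; on success, upgrade it in place."""
    rec = db.get(user)
    if rec is None:
        return False
    if not hmac.compare_digest(_recompute(password, rec), rec.digest):
        return False
    if rec.scheme != CURRENT:
        # We hold the plaintext right now, so rehash and update the scheme tag.
        db[user] = hash_new(password)
    return True


def wrap_legacy(db: dict) -> int:
    """Offline step: wrap every bare MD5 record in salted PBKDF2 without the plaintext.
    Returns the number of records converted."""
    converted = 0
    for user, rec in db.items():
        if rec.scheme == LEGACY:
            salt = os.urandom(16)
            db[user] = Record(WRAPPED, salt, _pbkdf2(rec.digest, salt))
            converted += 1
    return converted


def legacy_db() -> dict:
    """Constructed sample table as an auditor might find it: unsalted MD5, no salt column."""
    return {
        "alice": Record(LEGACY, b"", _md5("correct horse battery")),
        "bob": Record(LEGACY, b"", _md5("hunter2")),
    }


if __name__ == "__main__":
    db = legacy_db()
    print("alice login:", login(db, "alice", "correct horse battery"), "->", db["alice"].scheme)
    print("bob still:", db["bob"].scheme)          # the window the post describes
    print("wrapped:", wrap_legacy(db), "->", db["bob"].scheme)
    print("bob login:", login(db, "bob", "hunter2"), "->", db["bob"].scheme)
```

Two points worth noting: `login` never compares the wrong way round (it always recomputes under the scheme the record was stored with, so a user on the old scheme is not locked out), and the wrapped form is itself verifiable at login, so users who never return are still protected and are upgraded to the plain scheme the first time they do.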
 
Maybe I'll try to log in to my CPS account again. Last time I tried, almost a year ago, it wouldn't let me log in, so I called the helpdesk and they said I didn't have an account. I set up a new account, and it wouldn't let me log in, saying the account didn't exist. Well then who ordered this RFID card which still works? And who's paying for it? If I hadn't lost my wallet, I'd keep using that card.
 
I have a CPS card and it seems an account too, not that I knew what the password was, so a new ~12 character one it now is. I seem to have a Swarco card too so I'd better go and have a look! Neither app is on my phone though, and I'm doing this on my desktop.

All these precautionary accounts that I've never used! If only they were on Electroverse, which I know works..
 
It might be the Scottish government making them upgrade their security, they've not had CPS that long have they?

My company started bidding for civil service work and the IT security requirements were ridiculous, way beyond anything the financial services needed. I suspect it's to prevent loss of reputation (and keep the new entrants out) more than a need for enhanced security.
 
Maybe, but it seems very rushed and not well thought through.

If they really did have to reset everyone's passwords across the board, at the very least they should have staggered the resetting of passwords across a few days and only contacted those who had been reset at the time they were reset to spread the help desk workload and prevent their website being overloaded such that nobody could actually do the password reset.

I'm thinking of the people who were unaware of the looming password reset who arrived at a charger, tried to use the app to start it, found that they couldn't log in, maybe (?) got a warning in the app that they needed to reset their password but couldn't because the website was overloaded, or maybe the app just didn't work at all because the backend was down, and they couldn't get through to telephone support either.

When so many people rely on your service to be able to do something as fundamental as charge their car in the middle of a journey you can't screw people around like this by doing a blanket password reset that would throw everyone off at once and overload your website and telephone support staff.

Unless there was actually a data breach and they had no choice...
 
Anyone else having trouble with the Charge Place Scotland 🏴󠁧󠁢󠁳󠁣󠁴󠁿 App ?
Just getting an error 401 code on the log-in page.
It's only been about a month since I changed my password, following their security breach. Surely it hasn't happened again???
 
Try login on the web portal? I haven't used CPS, so don't know if they have it, but SWARCO used to have an online webportal.
 
I can log into the webpage no problem; however, the app is showing the error 401.
Yes, it is the App that I am referring to. The website is working fine, and showing account history etc, but the App just shows the error message.
Thankfully I have one of their Rfid cards, so fingers crossed that will still be working later today.
 