Is using Cable Broaband's AUTO LOGIN feature a security risk ?

  • Thread starter Thread starter netuser123
  • Start date Start date
  • Replies Replies 20
  • Views Views 6,761
netuser123

netuser123

I got banned!
Messages
74
Location
KOLKATA
ISP
Reliance JioFi (4G)
In the past I have used SITI Broadband. I used to use a D-Link router. My LCO had enabled the "Auto Login" feature which in short meant that as soon as I switch ON my router I am connected to the internet. No need to login using username/password.

I am in the process of deciding which connection to take. Alliance looks like a good ISP.

Now Alliance too like SITI is a Cable Broadband ISP.

If I enable the Auto Login feature & someone gets to know my details like IP/Subnet Mask/Default Gateway will that person be able to use my account without my permission?
 
The manual login captive portal thing isn't very common nowadays. On pretty much every ISP you will get connected to internet when you connect to WiFi. This is completely safe provided you have a strong WiFi and router password.

ISPs which use Static IP on router also have a MAC Filter to prevent others from using your IP.

Also, some other ISPs (such as Airtel, Jio?) use PPPoE so the authentication is done on the router itself. Some ISPs combine MAC Filter with PPPoE for extra security.

Some ISPs (such as DEN (atleast when I was with them)) used cable modem MAC for authentication. Cable modem MAC unlike router MAC is very hard to change.
 
The manual login captive portal thing isn't very common nowadays. On pretty much every ISP you will get connected to internet when you connect to WiFi. This is completely safe provided you have a strong WiFi and router password.
Click to expand...
Some 5 years have passed since I used Cable Broadband. You have already told me that you don't know much about Kolkata based ISPs but still I am asking. Are you saying that ISPs like SITI, Alliance no longer use Captive Portal ? So these days all accounts are set to Auto Login by default ?
 
Alliance uses Mac binding for autologin. They will assign a public static IP with all ports blocked. They change that IP after 2-3 months. Yes, there is a high chance. But alliance has poor security. People have used their newly launched servicedesk to find all their customer details. I have seen one person doing it but I have not done it personally. Turns out their SQL server has no security. If you are on alliance, forget about security.

If you have a raspberry pi or openwrt, you can schedule a cronjob to execute a small python code my friend wrote to log in automatically, without asking your LCO turning on autologin.
 
@royalroy
There are 3 kinds of security flaws in this particular case :
1) You have an open port with a service like a web or email server listening on that port. The attacker scans your public IP, finds the open ports & tries to hack into you PC using those open ports. If Alliance blocks all ports then there is little or no chance of this kind of hacking to occur.
2) You are provided with an username/password. Someone by some illegal means finds what they are & start using your account.
3) If auto login is enabled and MAC binding is not implemented & the malicious individual gets to know about you IP/Subnet mask/Default Gateway & starts using your account without your permission/knowledge.

The first one depends on how secure you perimeter router & your client devices are & the 2nd & 3rd depends on the ISP.
 

@netuser123

Once upon a time I use alliance, wishnet just scan local other user IP via advance IP scanner and capture IP and mac. Then put on pc or router. Then free internet. Local isp have zero security. Personal experience and past working experience with local isp.

The method still works, mine many friends use it at mid-night because general time massive ping loss happens.

If the user uses a captive portal, bearly user logout every time after usage. It is an impossible task after some times and idiot task because every second your device needs to connect internet for communication.
 
1) Alliance never unblocks your ports unless you PAY them for a static IP. An open port, of course, increases security risk but I think people who would be well -versed to open a port, would also be efficient enough to put other measures in place. Also, if nothing is listening on that port (or something unimportant like a game), security risks are pretty minimal. Of course, UPnP will expose system reserved ports as well, which is a major security risk.
2) It is very easy to find that out. Username is like firstname_LCO Code. So, if your name is rahul and lco code is abcb, the username would be rahul_abcb. And the password is a 4 number pin, like "1234". It is generally the last 4 digits of your registered phone number. I am sure it is stored in plain text on Alliance servers. Many customer support agents have told me the password. Also, it is easy to use a python script to brute force the 4 digit password. So, security is minimal in this case.
3) MAC binding is implemented. It is easy to spoof mac as well if there is a targeted attack.
 
@royalroy Yea, LOC portal easy to find and easy to login. My alliance lco still use 1234 password. You get users all details, usages, recharge, ip. I have all record of in my area 120 users.
 
How do you get to the LCO portal? Is it the gateway IP? I went to my gateway IP (without that /0/up part) but it always shows my name while logging in and shows my details only.
 
My older Excitel LCO also provided ANI on same network. It had a captive portal and I was able to login with admin/no password lol.

But IPAcct login didn't work.

Maybe partner.isp.in is your login? Many ISPs use H8ssrms for LCO portal.
 

Similar threads

C
Netplus Broadband Bridging / Genexis Modem Unlock
2
Replies
20
Views
4,886
mydailydrops
abhishek_tfdr
  • Article Article
Airtel Fiber Bridge Mode
Replies
4
Views
3,985
salcykhan
J
How to Set Up 2nd Router with Nokia G-2425G-A As Primary
Replies
1
Views
3,007
madhusudhan7
L
Worried about unauthorized use of my pppoe username/password .... Please reply
Replies
3
Views
2,330
lovetosurf
Top