Longmont utility user information is not as secure as best practices would suggest it should be.
The city of Longmont allows residents to visit its homepage, click on the “Pay My Utility Bill” button and log into their Longmont utility account.
Users who forget their passwords need only to click the “Forgot your Password?” link, answer the security question they selected when they signed up and their password will be emailed to them.
While this may sound secure to some, industry leaders disagree.
The method used by the city of Longmont to store and recover users’ passwords is known as plain text. It means that your password is stored in a database within the entity’s system.
“Storing a password in plain text allows attackers to easily gain access to systems, potentially compromising personal information or other sensitive information,” states the National Institute of Standards and Technology website.
Not only can hackers use the password to gain access to that particular site but it is common for users to reuse the same password across multiple sites. After gaining access to one account, the hacker could have access to a person’s email which allows them access to other unrelated sites.
“It’s not unheard of for old websites not to be up to claims (updated), however, city governments definitely should be because they are much more susceptible to cybersecurity,” said Chuck Angerman, owner of Majestic Sky Web Hosting and Design in Berthoud.
Several Longmont residents identified the problem and announced it via Reddit. The city caught wind of the discussion and began working on a patch, said Sandi Seader, assistant city manager for the city of Longmont.
The city also said it has made other security upgrades to its system to prevent accounts from being hacked.
The billing system used for utilities was implemented in 1998, Seader said. The age of the system and the movement toward using an automated metering system is forcing the city to implement new technology for this service. Seader said the city expects to choose a new vendor this week, however, the new system may not go into effect until 2025 or 2026.
“It is probably not the best security measure right now but at the same time it also an acceptable standard considering what the utility billing application can do,” Seader said.
Users can pay their utility bills through the software and you can look at usage but Seader said “there is no secure information that you can necessarily get from it.”
The city offers customers the ability to enroll in automatic bill pay, which requires the user to input their credit card information. While this is done through the utility portal, Seader said the information itself is stored in a “secure network server at the city.” The only information a person who accesses the account can see is the last four digits of the credit card number.
Best practices in cybersecurity suggest that businesses storing sensitive information should not store passwords in a database. Instead, passwords should use a method called hashing.
“Password hashing fundamentally transforms your password into a string of unintelligible text. Anyone looking at a password would see gibberish. If you used ‘Password123,’ hashing might change the data to ‘873kldk#49lkdfld#1.,’’ according to the How To Geek website.
This method is a one-way function, meaning that if you forget your password, you have to reset it, because “you can’t ‘unhash’ data,” How to Geek states. The company never keeps a record of your actual password if it is hashed.
Angerman said another alternative is double-opt-in, where the website will email the user notifying them that someone is trying to access their account.
As of Jan. 23, changing a password in a city utility account would not notify the customer. This means that should someone gain access to a city of Longmont utility client’s account, that person could change the email and password on the account and the client would never know.
Seader said this flaw will be remedied by the new system.
“Security is so important to us, our customer data is so important to us, we want to make sure that we are using the best and highest standards when they’re available. In this particular case, this software is older so we are working on how we can patch it in the meantime, but our ultimate goal is full replacement to bring it up to modern specs,” Seader said.
To Seader’s knowledge, the utility billing system has never been hacked.
Angerman suggested that people create a special password for each site or use a password management system to keep hackers from being able to access multiple accounts.
“I think in this day and age, it is really important for people to protect themselves in addition to us making sure that we have good security,” Seader said. “It certainly feels like people who are hacking systems are getting better and better all the time. It is important to use strong passwords and not share them. At the same time the city is always trying to upgrade our own infrastructure and our own security to ensure that customer data is highly protected.”
