UPDATE2: It was not the bug I was thinking of. After having a few communication messages with Avast, who actually were very helpful, I have to agree with them that this was NOT something they did on purpose – and I didn’t think so at all -  and also “it does not affect a lot of users as it requires special order of tasks to occur“. Indeed I was able to reproduce the bug by recording my steps and performing them on different devices. Maybe it was bad luck for me to discover these steps, but I am happy that I discovered the bug so that Avast’s customers will feel safer. Another thing I want to note is that Avast has issued a test update (only available to few until it will go into production), I applied the fix and I can confirm the issue is fixed now. Great work Avast! Really fast response and much interest showed in solving the problem.

A couple of days ago, I have installed on a test Android based phone the avast Mobile Security solution from Google Play – the free version. After a few days when this antivirus solution was turning on the WiFi or the mobile data plan by itself, during the night, I chose to uninstall it.

Now something new came to my attention: I was checking my balance on the phone and noticed that 0.12 EUR were missing. Hmm, maybe I have sent a message to some of my Roaming SIM cards. I logged on to my account to check why I have been billed. I noticed that indeed a message was sent to a number outside my country, but after checking the number I realized this number was not mine.

See the below screenshot from my account:

So I looked for the country code: this number - 420720001669 – is from Czech Republic. Searching for this number on the web revealed that avast is actually sending this message. First occurrence from here:

Même problème, je viens de voir sur mon suivi un SMS vers le 420720001669 facturé à 19cts envoyé le 27 aout.

Il me semble que ça coïncide avec l’installation d’Avast Anti-Theft qui a l’autorisation d’envoyer des SMS. Et comme de par hasard AVAST software est une compagnie Tchèque …

which translated would mean:

Same problem, I just saw on my monitor SMS to 420720001669 charged 19cts sent on August 27.

It seems to me that it coincides with the installation of Avast Anti-Theft that has permission to send SMS messages. And as coincidence AVAST Software is a Czech company …

Second result from here

Buenos días, esta mañana al consultar mi lista de llamadas me aparece lo siguiente:

24/08/2012 420720001669 ENVÍO SMS 08:12:02 1 MENSAJE

A esa hora no he enviado ningún SMS me pueden decir a q corresponde dicha numeración? El SMS tiene un coste de 60 cent.

.. and translated:

Good morning, this morning to check my call list I get the following:

08/24/2012 8:12:02 420 720 001 669 1 MESSAGE SENDING SMS

At this time I have not sent any SMS I can say that numbering corresponds aq? The SMS is charged at 60 cent.

Thank you.

There was even a result from Google Play store, but couldn’t find in full so here is the screenshot along with the translation:

September 4, 2012 – … took a printout of the operator found to send an SMS to number 420720001669, struck on the forums that this number was Avast …

To me it’s pretty clear that it’s Avast fault for this. There was only one message sent from my number, but I haven’t used their software for more than 3 days so I can’t say for sure if the message is sent each week for example. I’ll try to contact them and see what they have to say about this.

However, this is something that it shouldn’t happen at all.

In case you have noticed this behavior also, please leave a comment here.

1. You call yourself “Carrefour“, you put up a marketing campaign and ask your customers to fill in a form where one of the fields is the Numerical Personal Code. Of course, you are not registered as a company who deals with private data (according to ANSPDCP‘s website). There are a lot of people out there that give their personal information just to get 10$.  I really wonder if it was to give their credit card info and PIN, would they really give it?

2. What about if you are a bank? Or a customer of a bank? Theoretically your private details like bank account, CNP, address, etc should be safe. Well…that’s the theory. There is one bank out there (you’ll discover the name below) that allows you to find protected info about any of its customers. Let’s say you have an i-banking account with them and you get the IBAN account of one of their customers. As soon as you try to make a money transfer to that person, you will get that person’s name. What’s wrong with that you will say. Well, you can just play around with the IBAN account and discover other valid accounts along with the holder’s name. Ok, I agree, maybe that’s not a serious security problem. Once you continue with the money transfer, you can see more: in the details of the transfer you also get the CNP of that someone. And yes, the bank is registered as a private company who deals with confidential data and obeys the law. Right!

See a demo for yourself. I have blurred some details, but that’s the only edit on the video.

A few months ago I was googleing a friend’s name in order to find his email address. While searching I got to a website which showed his address and telephone number. I was pretty surprised to see that and since the website had a search engine, I started to look for different persons – for some I got results. This was looking more and more interesting. I notice that there was also possible to create a test account with some free credits and with more search results. After waiting a day or so I finally got my account. Now the information I could find was astonishing. Not only I got the address and the phone, but also the Numerical Personal Code, what bank loans did they have (if any), how much they got ad so on.

As you can see all the information is there. For privacy reasons I have hidden the data. But from where such a website could get all that information? Is there someone freely submitting the information? The response came quickly:

I was WOW-ed. So our own government is publishing all these information to the public? What about data protection? What about privacy? It was kind of hard to believe, but after searching some published papers by the Romanian’s Official Journal I convinced myself of the reality.

After accessing the official published paper I could also find: address, the date when the ID card was issued, the issuer name, ID number, Numerical Personal Code. If this is published freely by the government, then what else could I ask to a private company? Luckily, I knew that there is also an agency which is taking care of such issues – ANSPDCP (hard to translate ). However, how could I contact the agency (which is controlled by the government) and ask them to remove such information?

All that Vrajitorul website does is to get this information and structure it in a way that you can easily find. BUT there is hope. In case your personal identification info is somewhere on a website, you can contact the owner of the website and kindly ask to remove all this information as they are breaking the personal data protection law and in case they will not do so, you will contact the ANSPDCP agency. My friend did this and all the data that the website had about him was removed the next day. I strongly suggest you to do the same.

Comments? Next time I’ll write about some private companies (including a bank) which have problems in protecting sensitive information about their customers.