NTTA - Online Account Compromised?
Posted by Cloud99ine@reddit | askdfw | 8 comments
Has anyone tried to login to their NTTA online account using the incorrect password? It still lets you log in.
E.g. - let’s say your correct password was “P@ssw0rd” but you misentered it as “p@SSW0RD” or any different combination of capital letter and lower case letter.
It. Still. Lets. You. Log. In.
I’ve tried to reach out to NTTA multiple times, but they’re not doing anything about this security risk. I’ve also tried resetting my own password multiple times to test it out, and it is still compromised.
I was wondering if anyone else has experienced this issue and has tried reaching out to their customer support to see if they will patch this security flaw in their system?
Radixx@reddit
Wow, this likely violates PCI rules which includes strong password requirements. The merchant bank that handles their transactions might be interested.
Raydr@reddit
What this means is that they're either storing your password in plain text or using reversible encryption. In the absolute best case, it's possible they hashed an uppercase or lowercase version of your password and are now doing the same prior to the compare. Either way, there's no real reason to do this... (unless maybe there's some old crappy backend system forcing a constraint on passwords). 🤔
Cloud99ine@reddit (OP)
Well wouldn’t this mean everyone who has an NTTA account and uses the online portal is compromised because of this crappy flawed design?
spargonaut@reddit
From the sounds of it, yes.
Protip (for everyone): hopefully you're not re-using passwords at all, but if you are, change it in all of the places you use it, asap.
Consider your NTTA account continuously compromised, and keep an eye on the credit card you're using for it to quickly catch any fraud.
NightGod@reddit
I could see someone making a case that people sometimes leave CAPS LOCK on and they're trying to account for that, but whew, I would love to have a few words with whoever approved the idea
Cloud99ine@reddit (OP)
The thing is, it doesn’t have to be that either. You can also enter it in all capital letters or all lower case letters and it’ll still let you log in... I haven’t tested whether there are other flaws, like whether or not it checks the special characters, though... but fuck NTTA.
NightGod@reddit
Well, yeah, they're almost certainly just doing a conversion to all caps/lower case before they store the hash and then doing the same conversion before they check the password. It was a semi-common idea in the late 90s when people were still getting used to computers, especially for specialized software that was only used within a single business. It's terrifying that they're doing it in 2026
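As an added example (not code from this thread, and not NTTA's code, which nobody here has seen), here is the design the two comments above are inferring, next to the correct one: a verifier that lowercases the password before hashing and before comparing, and a verifier that hashes the bytes exactly as typed. Both use PBKDF2-HMAC-SHA256 with a per-user salt so the only difference is the case folding. The class and function names (`CaseFoldedVerifier`, `ExactVerifier`, `count_accepted_case_variants`) and the sample account are constructed for the demo; the iteration count is deliberately low so it runs in a second or two.

```python
import hashlib
import hmac
import itertools
import os

# Work factor kept low so the demo runs quickly. Production PBKDF2-HMAC-SHA256
# deployments use far more iterations, or a memory-hard KDF (scrypt/Argon2).
ITERATIONS = 20_000


def _kdf(password: str, salt: bytes) -> bytes:
    """Derive a 32-byte hash from the password string exactly as given."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)


class CaseFoldedVerifier:
    """Hypothetical design inferred in the thread: the password is lowercased
    before it is hashed at registration AND before it is hashed at login.
    Every case variant of the real password therefore verifies."""

    def __init__(self) -> None:
        self._records: dict[str, tuple[bytes, bytes]] = {}

    def register(self, user: str, password: str) -> None:
        salt = os.urandom(16)
        self._records[user] = (salt, _kdf(password.lower(), salt))

    def verify(self, user: str, password: str) -> bool:
        record = self._records.get(user)
        if record is None:
            return False
        salt, stored = record
        return hmac.compare_digest(stored, _kdf(password.lower(), salt))


class ExactVerifier:
    """Correct design: hash the bytes the user typed, no normalisation."""

    def __init__(self) -> None:
        self._records: dict[str, tuple[bytes, bytes]] = {}

    def register(self, user: str, password: str) -> None:
        salt = os.urandom(16)
        self._records[user] = (salt, _kdf(password, salt))

    def verify(self, user: str, password: str) -> bool:
        record = self._records.get(user)
        if record is None:
            return False
        salt, stored = record
        return hmac.compare_digest(stored, _kdf(password, salt))


def case_variants(password: str):
    """Yield every string that differs from `password` only in letter case.
    Digits and symbols have one form; each letter has two, so a password
    with N letters has 2**N variants (the real one included)."""
    choices = [
        (c.lower(), c.upper()) if c.isalpha() and c.lower() != c.upper() else (c,)
        for c in password
    ]
    for combo in itertools.product(*choices):
        yield "".join(combo)


def count_accepted_case_variants(verifier, user: str, password: str) -> int:
    """How many case variants of the real password the verifier lets in.
    A sound verifier accepts exactly 1; a case-folding one accepts all."""
    return sum(verifier.verify(user, variant) for variant in case_variants(password))


if __name__ == "__main__":
    # Constructed sample account using the password from the original post.
    real = "P@ssw0rd"
    folded, exact = CaseFoldedVerifier(), ExactVerifier()
    folded.register("alice", real)
    exact.register("alice", real)
    for wrong in ("p@SSW0RD", "P@SSW0RD", "p@ssw0rd"):
        print(f"{wrong!r}: folded={folded.verify('alice', wrong)} "
              f"exact={exact.verify('alice', wrong)}")
    print("variants accepted, folded:", count_accepted_case_variants(folded, "alice", real))
    print("variants accepted, exact: ", count_accepted_case_variants(exact, "alice", real))
```

"P@ssw0rd" has six letters, so the case-folding verifier accepts 64 distinct strings while the exact one accepts 1. That is the practical cost of the design: every letter in a password stops contributing its case bit, so an attacker running a credential-stuffing or guessing attack needs 2^N fewer tries for an N-letter password, and the "strong password" rules the site shows at signup are partly theatre. Note that the symptom alone does not tell you whether the server folds case before hashing (the best case in the thread) or stores the password recoverably; both produce exactly the login behaviour described.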
Christopher3712@reddit
I just tried it. What a fantastically flawed system.