topic Re: PSN and PN passwords in Plusnet Feedback

PSN and PN passwords

phil4 — Wed, 27 Apr 2011 11:56:28 GMT

Hi, the recent debalce over Sony "losing" peoples usernames and passwords leads me to a question that's been niggling in my mind for a while....
Why do PN support operatives want to know my password when I call up? This makes me concerned that they can also see my password (thus then using it to check I am who I say I am).
Login to the portal is protected by SSL so that the password is sent encrypted, so why do the support staff need to see my password?
Does this therefore mean that once in a hacker would have a trivial time stealing it back?

Re: PSN and PN passwords

adamwalker — Wed, 27 Apr 2011 12:16:12 GMT

We ask for characters from your password as this is a quick and efficient means of performing data protection checks. Also it's important we can see this in case customer's lose or forget their password.
I'd like to reassure you that passwords are protected and are secure. It's also worth bearing in mind that passwords aren't visible on accounts by default. Agents have access to a link to view the password, this access is logged which means that it's entirely accountable.

Re: PSN and PN passwords

fourfourdevon — Wed, 27 Apr 2011 12:20:27 GMT

I have raised this issue repeatedly, PN believe that being able to access passwords is fine.
I believe them to be wrong.
The passwords need to be stored as hashes and totally inaccessible to the staff.
As far as I am concerned this is a serious security over sight.
If and when customers forget their passwords, as I'm sure they do, there should be other mechanism for generating new passwords.

Re: PSN and PN passwords

adamwalker — Wed, 27 Apr 2011 12:26:41 GMT

Quote
there should be other mechanism for generating new passwords.

What form would you want to see this take if we did this?

Re: PSN and PN passwords

Chris — Wed, 27 Apr 2011 12:32:53 GMT

FFD
It's not just the forgetting of passwords, we need to be able to dial test as customers on occassion and test webspace access, FTP, email etc. Without being able to do this would add a huge support overhead and IMO lead to more annoyed customers that we can't help fully.

Re: PSN and PN passwords

avatastic — Wed, 27 Apr 2011 12:32:58 GMT

New passwords sent out by pigeon.
That way we could have a new password and pigeon stew.
Or something that only remains valid for 24 hours (after first use) and has to be changed by the user, given over phone/text/pigeon/etc.

Re: PSN and PN passwords

grudkin — Wed, 27 Apr 2011 12:40:20 GMT

I don't believe this practice is uneque to plusnet!
Every ISP I have been with have asked for my password during calls I have made to them, Mobile phone networks are the same.

Re: PSN and PN passwords

fourfourdevon — Wed, 27 Apr 2011 12:56:53 GMT

Mobile phone networks request a password which is the password for accessing those services (i.e. the password requested is the password for the service you are accessing) the Plusnet password is the password for a whole lot more.
New passwords could be SMS's, sent by email, or delivered over the phone by CALLING the accounts registered number, or indeed by any means previously confirmed to be a method to contact the subscriber.
Having worked in tech support myself, I think for the most part "being able to access the users account" is mostly specious, but when it really is needed sometimes, a password reset can be done.

Re: PSN and PN passwords

James — Wed, 27 Apr 2011 12:59:01 GMT

44D - It's required a lot more than you would expect.
As a very rough guess, in the region of 5-10% of our calls are related to router setup, with a large proportion of those being down to forgotten passwords.
Whilst I appreciate your feedback and concern, our approach is unlikely to change.

Re: PSN and PN passwords

avatastic — Wed, 27 Apr 2011 13:00:55 GMT

I thought the routers were self configuring now. Or are those only new/PN supplied ones that do that?

Re: PSN and PN passwords

James — Wed, 27 Apr 2011 13:03:44 GMT

We still get a lot of customers who choose to keep their existing hardware when moving to us from another supplier.
The majority of our routers do self configure though.
Then you have the problem with people experiencing difficulties setting up email. We can't then send them an email with their password and not everyone has a mobile.
I'm pretty comfortable that our approach is fairly normal - as it has been for my previous 3 ISPs.

Re: PSN and PN passwords

pierre_pierre — Wed, 27 Apr 2011 13:08:06 GMT

or to put another way James if you did not check, I could phone in, give the persons username and do a right screw up of their account, then they would really start SCREAMING

Re: PSN and PN passwords

phil4 — Wed, 27 Apr 2011 13:22:37 GMT

Quote from: _Adam_Walker_
We ask for characters from your password as this is a quick and efficient means of performing data protection checks.

Hi, I'd like to confirm this is incorrect, I have experience more than once, your support agents asking for my full password.
Though it seems the above is pretty irrelevant as you feel it is necessary to allow people access to passwords.
Just my opinion, but I disagree, and here's a little about why:
Through my professional experience I've come across scenarios before where people have told me that they "must know" the users passwords to do all manner of things.
Very easily we changed this, by hashing the passwords, and allowing the support people to reset them when needed. That way no one ever needed to know anyone's password.
This system is now used by banks big and small, and has been through the SOX process also.

Quote from: Jameseh
I'm pretty comfortable that our approach is fairly normal - as it has been for my previous 3 ISPs.

While it may be "normal" it doesn't mean it's right thing to do.

Re: PSN and PN passwords

James — Wed, 27 Apr 2011 13:51:22 GMT

May be worth adding that our support centre staff cannot see your full billing details.

Re: PSN and PN passwords

phil4 — Wed, 27 Apr 2011 14:01:06 GMT

That's a good thing. Are they stored encrypted? I hope so.
adie:quote

Re: PSN and PN passwords

adamwalker — Wed, 27 Apr 2011 14:16:50 GMT

avatastic,
re the routers they are self configuring but only new ones supplied by ourselves.
phil4,

Quote
Hi, I'd like to confirm this is incorrect, I have experience more than once, your support agents asking for my full password.

What I've mentioned is what should happen, agents should not ask for the full password. So I'll check your account and pass on some feedback if I can spot who did that.
The official line here is that agents should be asking for two characters (first two/last two/first and last etc).
Also agents cannot see full billing details.

Re: PSN and PN passwords

David_W — Sat, 30 Apr 2011 19:26:47 GMT

I think the issue is (if I'm reading it correctly), is it possible for anyone on an outside network (I say possible, not feasible) and obtain peoples usernames and passwords in an unencrypted format or are the passwords inside PN's system on a separate network where even if PN's internal servers were compromised there would be no possible way for the persons doing it to obtain the information? For instance, the link you describe for your staff to view the password, can it only be viewed by an IP address that comes from the internal network and such?

Re: PSN and PN passwords

Chris — Sat, 30 Apr 2011 20:50:06 GMT

It's on a internal. secure network, only staff with registered accounts can log in with their secure passwords or keyfobs.

Re: PSN and PN passwords

David_W — Sat, 30 Apr 2011 21:26:12 GMT

Then I really can't see any issue with PN having the passwords unencrypted as there is no way for them to be taken internally. I naturally assume that all passwords which are not internal (for instance, logging into the portal or DSL login details) are encrypted?

Re: PSN and PN passwords

phil4 — Sun, 01 May 2011 06:46:12 GMT

Hi David, appreciate your point of view,

Quote from: David
I naturally assume that all passwords which are not internal (for instance, logging into the portal or DSL login details) are encrypted?

My understanding of the preceeding statements is that, DSL login details, and portal (as opposed to forum) passwords are one and the same, and unencrypted.
Having a few years of IT security experience behind me there are many many facets to consider. For example, if a hacker can hack into the internal network, having the passwords on the internal secure network provides no additional security.
Next up, as the staff need registered accounts, secure passwords etc, we should consider aspects of their staff joiner, leaver and screening policies, their internal password policy, and the proven or otherwise efficiency of the mechanism used to allow access to the passwords. And more. A good example would be that you'd hope Plusnet are ISO 27002 certified, or at least trying to behave like they are.
What I think I'm saying is that demonstrating that the passwords are unencrypted yet securely stored, is pretty complex.