topic Customer passwords should NEVER be accessible to support technicians in Plusnet Feedback

Customer passwords should NEVER be accessible to support technicians

pg90 — Sat, 18 Apr 2015 14:39:22 GMT

I was surprised when I was chatting with a support technician earlier today and they asked to confirm certain characters of my password when they were accessing my account. I cannot stress how shockingly insecure this is.
Firstly, not even considering your support technicians, passwords should always be stored using a one-way hash anyway, which means they are not stored in plain text and the encrypted form cannot be reversed back to their original form.
Secondly, if they are actually stored using two-way encryption (which is bad enough as it is), allowing your employees to access this information is a huge security risk. Not only does it take one rogue employee to ruin everything, it also creates a large number of entry points for a potential external hacker to gain access to everyone's passwords and everyone's accounts.
Where does Plusnet stand on this? I've read the same complaint from at least three years ago and still nothing has been done? Seems like it's only going to be a matter of time before your databases are breached and we have another high-profile breach (c.f. Yahoo, Moonpig, Twitch, amongst others).

Re: Customer passwords should NEVER be accessible to support technicians

Gel — Sat, 18 Apr 2015 15:17:25 GMT

Surely you could make same point about many institutions you deal with; this is a very common method for many companies.
The assistant won't have access to the whole p/word.

Re: Customer passwords should NEVER be accessible to support technicians

gswindale — Sat, 18 Apr 2015 18:21:21 GMT

So how exactly would you like your identity to be verified?
Many banks use a similar method when you contact them to verify that you are who you say you are.

Re: Customer passwords should NEVER be accessible to support technicians

pg90 — Sat, 18 Apr 2015 18:25:42 GMT

I've contacted tens and tens of companies in the past and absolutely none of them have ever asked for my password or part of it. Most places ask for home address, date of birth etc., or the answer to a "secret question" that you set up when you joined.
If you think employees from banks will ever have access to your online password or part of it, you are terribly mistaken.
adie:quote

Re: Customer passwords should NEVER be accessible to support technicians

elkieluca — Sat, 18 Apr 2015 19:12:51 GMT

I've just switched to Natwest Bank and they definitely asked for 3 different letters and numbers of my password to log on their website. I've always been asked that by companies. Never had a problem so far.

Re: Customer passwords should NEVER be accessible to support technicians

pg90 — Sat, 18 Apr 2015 19:14:02 GMT

Asked by who? I'm not talking about logging into the website, I'm talking about support technicians and other employees. No Natwest employee is going to ask for anything from your password.
The difference here is that Plusnet store passwords in (at best) two-way encryption and allow employees access to this information.
Edit: This is a quote from a Plusnet employee in 2007 (yes, 8 years ago) and it seems practices haven't changed since then:

Quote
Customers password are encrypted on our system, in order to pass the data protection checks we need to verify that you are in fact the account holder. So to do this we ask for 2 characters from the password, in order for the CSC agent to see your password they have to click a link which then leaves an audit trail so we can see who has accessed your password.

adie:quote

Re: Customer passwords should NEVER be accessible to support technicians

elkieluca — Sat, 18 Apr 2015 19:41:51 GMT

Good point I'm thinking of websites.

Re: Customer passwords should NEVER be accessible to support technicians

gswindale — Sat, 18 Apr 2015 20:21:22 GMT

They've certainly done it in the past when I've spoken to Lloyds when ringing up to advise I'm going abroad.
I'm reasonably certain other companies have done the same in the past.

Re: Customer passwords should NEVER be accessible to support technicians

pwatson — Sat, 18 Apr 2015 21:34:30 GMT

One Account ask for random letters from your password and passcode for online and phone security.

Re: Customer passwords should NEVER be accessible to support technicians

x47c — Sat, 18 Apr 2015 21:39:31 GMT

I rang a typical large building society recently:
as well as the usual personal/address confirmation info, they wanted
1. a certain 2 digits from my password
2 The full name/place/thing whatever of a particular memorable word.

Re: Customer passwords should NEVER be accessible to support technicians

pg90 — Sat, 18 Apr 2015 21:45:40 GMT

The difference (in the cases above) is that the people you're talking to on the phone do not have access to your full password. The people at Plusnet do. Are you really comfortable with that? Would you be comfortable if employees at said banks/building societies had access to your full password?

Re: Customer passwords should NEVER be accessible to support technicians

pwatson — Sat, 18 Apr 2015 21:59:14 GMT

You may well be right, or perhaps PN have changed the system since 2007 and the support agent is now only shown the letters that they ask you for?

Re: Customer passwords should NEVER be accessible to support technicians

pg90 — Sat, 18 Apr 2015 22:00:37 GMT

If Plusnet have changed their system to what you suggest then that would be better, but still not perfect. It would be nice if someone from Plusnet could confirm either way.

Re: Customer passwords should NEVER be accessible to support technicians

pwatson — Sat, 18 Apr 2015 22:05:16 GMT

Indeed, only PlusNet can say, so you may be leaping to erroneous conclusions
Their system may be better still in that the support agent is told which letters to ask for and then told if the answer given was correct? I don't see any difference here to what my bank does...

Re: Customer passwords should NEVER be accessible to support technicians

pg90 — Sat, 18 Apr 2015 22:51:27 GMT

I accept that I may be jumping to conclusions, however the assumptions are based on:
1. The support agents have in the past been able to see the full password and there's no evidence that this has changed
2. Instead of emailing a password reset email, Plusnet are one of the only remaining companies to actually display my password in plaintext when I use the 'forgotten password' link (and that's bad enough on its own!)
3. Banks have the technology and security to do this properly where Plusnet clearly doesn't (see point 2)
It's 2015 and using reversible encryption is just asking for trouble. It's a shame that Plusnet will only realise this when they get bitten in the bum by a hacker.

Re: Customer passwords should NEVER be accessible to support technicians

Luzern — Sun, 19 Apr 2015 06:20:55 GMT

Does the OP really think that any operative will note down the two characters for future nefarious use? Chosen randomly by a computer, it's going to nigh impossible to get a full set. Worse i'd think than those played with fuel station vouchers.
AND I bet the operatives are too busy.

Re: Customer passwords should NEVER be accessible to support technicians

Mayfly — Sun, 19 Apr 2015 06:40:24 GMT

I'm sure some time ago when I changed my password a PN CS advisor told me when I mentioned it, they can only see the 2 characters they ask me for, not the whole pass word, other than when I told them what password I wanted.

Re: Customer passwords should NEVER be accessible to support technicians

chrcoluk — Sun, 19 Apr 2015 11:50:33 GMT

Quote from: pg90
I've contacted tens and tens of companies in the past and absolutely none of them have ever asked for my password or part of it. Most places ask for home address, date of birth etc., or the answer to a "secret question" that you set up when you joined.
If you think employees from banks will ever have access to your online password or part of it, you are terribly mistaken.
[Moderator's note by Adie (dvorak): Full quote of preceding post removed, as per Forum Rule]

actually my bank asks for letters.
the rep cannot see the password.
what happens is the computer pops up asking for the letter, the rep asks the customer and then enters it, the computer then says if its correct or not.

Re: Customer passwords should NEVER be accessible to support technicians

x47c — Sun, 19 Apr 2015 12:43:39 GMT

Yes - that is how the Lloyds bank ID checking system works.
If a faster payment from you is blocked for some reason you get rung up by the bank to check it really is you.
The bank rep asks you lots of seemingly irrelevant question from your credit report
These are along the lines of Do you have a credit card with a, b,c or d company etc.
The rep enters up all the answers.
At the end their computer says to the rep whether you have passed or failed.
You are allowed to get some wrong as I certainly have!
Importantly the bank rep never knows which of the answers you gave were right and which were wrong.

Re: Customer passwords should NEVER be accessible to support technicians

pg90 — Sun, 19 Apr 2015 13:16:37 GMT

Everyone here seems to be missing the point. This isn't about what banks do, because their systems are entirely different. As I said, banks have the technology installed to allow their support staff to ask for certain bits of account information which their system can verify without their staff ever seeing the complete information.
Plusnet do not do this. Plusnet support staff can see your entire password (unless someone from Plusnet gets in here and tells me different).
Here is a quote form James, Plusnet staff, from about a year and a half ago:

Quote
We have to be able to see the full password for troubleshooting issues.

Find me a bank where their staff can view your online banking password...