topic Re: Order Processing. in Plusnet Feedback

Order Processing.

leonaplusnet — Fri, 15 Jan 2016 19:19:27 GMT

Not sure where I can post this, but I have noticed an error on the order tracing page,
On the Broadband part is states

Quote
Your order is due to complete
The engineer appointment to install your broadband service is booked for %appointmentDate% between %appointmentStartTime% and %appointmentFinishTime%.

So a little quality control would be of use here.
I'm also concerned about parts of passwords being printed in letters, see my other post, does this mean PlusNet are storing plain text passwords, (ie not encrypted)

Re: Order Processing.

HarryB — Fri, 15 Jan 2016 19:45:40 GMT

This is the right place for this post.
Thanks for the feedback, I'll get that flagged up tomorrow when I'm back in work.
In regards to the passwords, no we do not store these as plain text.

Re: Order Processing.

ejs — Fri, 15 Jan 2016 19:57:41 GMT

But the passwords are stored so that the plain text of the password can be retrieved. This issue must have been raised numerous times over the years. Changing it would require having one password for the member centre, and another password for the PPP authentication the router does when it connects to Plusnet. The password for the PPP auth would need to be retrievable.

Re: Order Processing.

leonaplusnet — Fri, 15 Jan 2016 22:25:59 GMT

Thank you HarryB, look forward to the results of your investigation.
Indeed EJS, the password for our online account should NOT be the same as for our Broadband access, as this password can be 'sniffed' or otherwise recovered and then used to log into our on-line accounts, this is surly a very high security risk, with the attach on TalkTalk very recently, (my previous supplier, thankfully my data wasn't stolen) my anxiety level is Very high, I am a software developer with experience in the area of security and I can see that there is a security hole here that needs to be closed before another school kid decides to take advantage of it
While you might not store them as plain text, they are being decrypted, this shouldn't be possible, they should be hashed and salted, then a comparison performed to compare patterns, they should not be retrievable and most certainly not printed in letters!
Our online account have our bank, home and personal details, this would allow anyone who comprised your system to use this data illegally, I surely don't have to highlight how much damaging this would be, maybe over reacting but, as I said I've been bitten before by poorly secured systems, I don't want to be a victim of another, I need reassurance, backed up with evidence that your systems are secure, ie, do you run penetration tests, security checks, monitoring, etc?

Re: Order Processing.

Townman — Fri, 15 Jan 2016 23:05:24 GMT

Quote from: ejs
The password for the PPP auth would need to be retrievable.

I think it would be practical to store the password encrypted as a one way hash and the on PPP authentication one uses the same encryption on the supplied password and compares it to the stored hash. If they match the supplied password is deemed to be correct.

Re: Order Processing.

ejs — Sat, 16 Jan 2016 07:24:32 GMT

Someone might think that, if they don't know how it works.
https://tools.ietf.org/html/rfc1994

Quote
[tt]2.1. Advantages
...
This authentication method depends upon a "secret" known only to the
authenticator and that peer. The secret is not sent over the link.
...
2.2. Disadvantages
CHAP requires that the secret be available in plaintext form.
Irreversably encrypted password databases commonly available cannot
be used.[/tt]

The other end does not receive a supplied password during the PPP authentication.