
Asking for passwords over the phone - really?

Tagger
Grafter
Posts: 28
Thanks: 17
Registered: ‎28-02-2017


I've been with Plusnet a few weeks now.

I just got a call, apparently from a Plusnet customer service person to ask how my service was (or more likely to try and sell me upgrades). The call didn't start well with the person asking for personal details - which I refused. After all, I have no idea who the caller really is.

So they sent me a survey email, which arrived at my Plusnet email address, and appears to be genuine.

Given that, I gave the caller my name, address and phone number. They then asked for characters from my Plusnet password. At that point, I felt obliged to hang up on them.

Do Plusnet really phone people out of the blue and then ask for their passwords? Given the number of hacks and frauds that are going around these days, how can Plusnet possibly do such a stupid thing?

VileReynard
Hero
Posts: 12,616
Thanks: 582
Fixes: 20
Registered: ‎01-09-2007

Re: Asking for passwords over the phone - really?

If you ask for support, they will ask for a specified couple of characters of your password (usually the same ones) plus your user name.

They've always done this - it probably dates back to the time when they were an ISP who didn't try to flog all sorts of extra services that they are ill-equipped to support.

If you get calls asking for personal stuff, just hang up.

"In The Beginning Was The Word, And The Word Was Aardvark."

chenks76
All Star
Posts: 3,274
Thanks: 338
Fixes: 12
Registered: ‎24-10-2013

Re: Asking for passwords over the phone - really?


@Tagger wrote:

Do Plusnet really phone people out of the blue and then ask for their passwords?  Given the number of hacks and frauds that are going around these days, how can Plusnet possibly do such a stupid thing?


they never asked for your password though (by your own admission).
they asked for selected characters from your password so that they could bring up your account on the system.

Tagger
Grafter
Posts: 28
Thanks: 17
Registered: ‎28-02-2017

Re: Asking for passwords over the phone - really?

They already knew who I am - they phoned me. I was a BT customer for many years. All they ever asked me for was stuff like my name, address or account number. Never my password. Nobody ever asks for my password over the phone - banks don't do it, energy companies don't do it.

But it's worse than that. Industry standard practice for decades has been that passwords are always stored using a secure one-way hash. Once the password has been hashed, there is no known way to recover it again other than by brute force - keep guessing passwords until you get lucky.

You can still tell if the genuine user is logging on again - just pass the password they type in through the same secure hash and see if it gives the same result.

If Plusnet can verify a password given just a few characters, then it says that they are totally ignoring industry best practice. They must be using some form of reversible encryption. But the software to decrypt the password again and the key to do that must be stored on their system somewhere. If Plusnet gets hacked in the way that TalkTalk did, then the hackers could get everything they need to decrypt all Plusnet customers' passwords. That would give total access to everybody's accounts, even once they have logged out of whatever server they hacked into.

I have just written a complaint to Plusnet's Data Controller (the person responsible for complying with the Data Protection Act). I will see what response I get.
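Added example, not part of the post above and not Plusnet's code: it shows why a one-way hash of the whole password cannot answer a "characters 2 and 6" challenge, and why a hypothetical per-position hashing scheme that can answer it gives little protection if the stored records are stolen (at most 94 guesses per character). All function names, the iteration count and the sample password are assumptions made for the illustration; nothing here describes how Plusnet actually stores passwords.

```python
import hashlib
import hmac
import os
import string

ITERATIONS = 2_000  # kept low so the demo runs quickly; production values are far higher
ALPHABET = string.ascii_letters + string.digits + string.punctuation  # 94 symbols

def kdf(secret: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", secret.encode(), salt, ITERATIONS)

def enroll(secret: str) -> tuple[bytes, bytes]:
    """Store a random salt and the one-way hash of `secret`."""
    salt = os.urandom(16)
    return salt, kdf(secret, salt)

def verify(record: tuple[bytes, bytes], attempt: str) -> bool:
    salt, digest = record
    return hmac.compare_digest(digest, kdf(attempt, salt))

def enroll_per_position(password: str) -> list[tuple[bytes, bytes]]:
    """Hypothetical scheme: one salted hash per character position."""
    return [enroll(ch) for ch in password]

def verify_positions(records, answers: dict[int, str]) -> bool:
    """Check an agent's challenge, e.g. {1: 'l', 5: 't'} (0-based positions)."""
    return all(verify(records[i], ch) for i, ch in answers.items())

def offline_guess_cost(records) -> tuple[str, int]:
    """Audit: guesses needed to rebuild the password from stolen per-position records."""
    recovered, guesses = [], 0
    for record in records:
        for n, ch in enumerate(ALPHABET, start=1):
            if verify(record, ch):
                recovered.append(ch)
                guesses += n
                break
    return "".join(recovered), guesses

if __name__ == "__main__":
    password = "Pl4net!x"  # constructed sample value
    full = enroll(password)
    print("full hash, whole password:", verify(full, password))
    print("full hash, single character:", verify(full, "l"))
    per_pos = enroll_per_position(password)
    print("per-position challenge:", verify_positions(per_pos, {1: "l", 5: "t"}))
    print("offline audit:", offline_guess_cost(per_pos))
```

The audit function puts a number on the design trade-off: salting and key stretching do not help when each stored value has only 94 possible inputs.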

chenks76
All Star
Posts: 3,274
Thanks: 338
Fixes: 12
Registered: ‎24-10-2013

Re: Asking for passwords over the phone - really?

they don't know it is the account holder they are speaking to though, anyone could answer your phone.

and again, they DID NOT ask for your password, they asked for select characters from it.


and have you seriously never come across anyone asking for select characters from your password? you must live in a bubble if you haven't. either that or you are just spouting nonsense to get a reaction.

any time i log into online banking or call them they DO ask for select characters from the password or passcode.
good luck with your complaint to the data controller. i hope you get the response you deserve.

Anon
Pro
Posts: 634
Thanks: 210
Registered: ‎16-04-2007

Re: Asking for passwords over the phone - really?

Hang on a minute chenks76, this was an unsolicited call, I would expect if I contacted my bank or whatever that they take me through security, but for an unsolicited call, that is typical Pnet with no thought for customers or their security.

Whatever happens always remember "We will do you
.........................proud" say Pnet.
chenks76
All Star
Posts: 3,274
Thanks: 338
Fixes: 12
Registered: ‎24-10-2013

Re: Asking for passwords over the phone - really?

so if it was unsolicited why did the OP give the following information to the caller.
"name, address and phone number".

if security was the primary concern then why even give that info?
those 3 pieces of information are much more valuable than 2 or 3 random characters in a password.

however, there appear to be some inconsistencies in the original report.
firstly the OP said no personal information was supplied, then says it was supplied.
Anon
Pro
Posts: 634
Thanks: 210
Registered: ‎16-04-2007

Re: Asking for passwords over the phone - really?

I don't think most of us would be too worried to give name, address and phone number, it was when they started asking for anything from the password that I would be worried. But this is no new problem with Pnet, there is a thread about unsolicited calls asking for personal information. Pnet really do not care that they are copying the techniques of the spammers and encouraging their customers to believe that it is OK to divulge information.

Shame on Pnet for still operating this way. Yes my signature is correct.

Whatever happens always remember "We will do you
.........................proud" say Pnet.
chenks76
All Star
Posts: 3,274
Thanks: 338
Fixes: 12
Registered: ‎24-10-2013

Re: Asking for passwords over the phone - really?

the question would be then, if they shouldn't be doing this (and i'm not convinced they shouldn't), how do they validate that they are speaking to the account holder?

name, address and phone number clearly isn't sufficient to validate that.
Anon
Pro
Posts: 634
Thanks: 210
Registered: ‎16-04-2007

Re: Asking for passwords over the phone - really?

This is unsolicited, it is up to Pnet to be able to verify themselves FIRST before asking the customer for verification. Send them an email with a code saying they will call later and use the code to identify themselves.

People should be encouraged to give little or no information to unsolicited, unidentified callers. Giving information away is a sure fire way to one day give it to someone who will steal their identity. How much do Pnet care they are encouraging this? NOT A WHIT. They don't care about their customers.

chenks76
All Star
Posts: 3,274
Thanks: 338
Fixes: 12
Registered: ‎24-10-2013

Re: Asking for passwords over the phone - really?

send who an email? the person making the call send an email to the person they are going to call?
how is that any validation? a scammer could easily send such an email.

that solution of sending an unsolicited email to advise of an unsolicited phone call is quite frankly bizarre!

Anon
Pro
Posts: 634
Thanks: 210
Registered: ‎16-04-2007

Re: Asking for passwords over the phone - really?

Not as bizarre as teaching people to give out any information to unsolicited calls from what could easily be someone who is seeking to steal their identity.

Best solution....Pnet to NOT make unsolicited calls, and if they want to contact customers they must find a solution that does NOT encourage customers to divulge information to potential scammers. Easy.

chenks76
All Star
Posts: 3,274
Thanks: 338
Fixes: 12
Registered: ‎24-10-2013

Re: Asking for passwords over the phone - really?

you mean like giving your name, address and phone number? just like the OP did?


the simple solution here is to just never answer your phone, or tick the box to opt-out of receiving such calls.

of course, then what will happen is that people will start complaining about why they are not getting offers for being a "loyal" customer.

Moderator's note by Mike (Mav): Full quote of preceding post removed as per Forum rules.

Anon
Pro
Posts: 634
Thanks: 210
Registered: ‎16-04-2007

Re: Asking for passwords over the phone - really?

As I said they are teaching people to give information out, glad you agree.

I have never heard people complain they have not been made offers over the phone, only complaints about unsolicited calls.

As I said, Pnet need to work out how they can safely contact customers, it is not a customer problem it is a Pnet problem but they don't give a single jot about customer safety just making some more ££££££££££££££££££££

Neither have you even bothered to offer any solution, just try and shoot someone else down.

This is my last comment on here say what you like as I am sure you will, judging by your last posts. Bye.

MauriceC
Resting Legend
Posts: 4,085
Thanks: 929
Fixes: 17
Registered: ‎10-04-2007

Re: Asking for passwords over the phone - really?

I'm afeared that you are tilting at another imaginary windmill @chenks76.  The OP raised a very pertinent issue that Plusnet (and most other institutions) strive to ignore.  Security / data protection needs a two way verification process to minimise the risk to either party.  Various schemes have been proposed and tried but as yet with no consensus for standard land line calls, there are processes in use for mobile phones.

It remains an issue until there is a realisation that "I'm from 'XYZ' - trust me!" is no longer a workable process in today's scammer paradise.

Pick up on pedantic points of order if you wish, but please accept that there is a fundamental problem to be solved. 

Superusers are not staff, but they do have a direct line of communication into the business in order to raise issues, concerns and feedback from the community.