Asking for passwords over the phone - really?
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark
- Subscribe
- Printer Friendly Page
- Plusnet Community
- :
- Forum
- :
- Feedback
- :
- Plusnet Feedback
- :
- Asking for passwords over the phone - really?
Asking for passwords over the phone - really?
04-04-2017 8:11 PM
- Mark as New
- Bookmark
- Subscribe
- Subscribe to RSS Feed
- Highlight
- Report to Moderator
I've been with Plusnet a few weeks now.
I just got a call, apparently from a Plusnet customer service person to ask how my service was (or more likely to try and sell me upgrades). The call didn't start well with the person asking for personal details - which I refused. After all, I have no idea who the caller really is.
So they sent me a survey email, which arrived at my Plusnet email address, and appears to be genuine.
Given that, I gave the caller my name, address and phone number. They then asked for characters from my Plusnet password. At that point, I felt obliged to hang up on them.
Do Plusnet really phone people out of the blue and then ask for their passwords? Given the number of hacks and frauds that are going around these days, how can Plusnet possibly do such a stupid thing?
Re: Asking for passwords over the phone - really?
04-04-2017 9:58 PM
- Mark as New
- Bookmark
- Subscribe
- Subscribe to RSS Feed
- Highlight
- Report to Moderator
If you ask for support, they will ask for a specified couple of characters of your password (usually the same ones) plus your user name.
They've always done this - it probably dates back to the time when they were an ISP who didn't try to flog all sorts of extra services that they are ill-equipped to support.
If you get calls asking for personal stuff, just hang up.
"In The Beginning Was The Word, And The Word Was Aardvark."
Re: Asking for passwords over the phone - really?
05-04-2017 11:19 AM
- Mark as New
- Bookmark
- Subscribe
- Subscribe to RSS Feed
- Highlight
- Report to Moderator
@Tagger wrote:
Do Plusnet really phone people out of the blue and then ask for their passwords? Given the number of hacks and frauds that are going around these days, how can Plusnet possibly do such a stupid thing?
they never asked for your password though (by your own admission).
they asked for selected characters from your password so that they could bring up your account on the system.
Re: Asking for passwords over the phone - really?
05-04-2017 8:06 PM
- Mark as New
- Bookmark
- Subscribe
- Subscribe to RSS Feed
- Highlight
- Report to Moderator
They already knew who I am - they phoned me. I was a BT customer for many years. All they ever asked me for was stuff like my name, address or account number. Never my password. Nobody ever asks for my password over the phone - banks don't do it, energy companies don't do it.
But it's worse than that. Industry standard practice for decades has been that passwords are always stored using a secure one-way hash. Once the password has been hashed, there is no known way to recover it again other than by brute force - keep guessing passwords until you get lucky.
You can still tell if the genuine user is logging on again - just pass the password they type in through the same secure hash and see if it gives the same result.
If Plusnet can verify a password given just a few characters, then it says that they are totally ignoring industry best practice. They must be using some form of reversible encryption. But the software to decrypt the password again and they key to do that must be stored on their system somewhere. If Plusnet gets hacked in the way that TalkTalk did, then the hackers could get everything they need to decrypt all Plusnet customer's passwords. That would give total access to everybody's accounts, even once they have logged out of whatever server they hacked into.
I have just written a complaint to Plusnet's Data Controller (the person responsible for complying with the Data Protection Act). I will see what response I get.
Re: Asking for passwords over the phone - really?
06-04-2017 7:53 AM - edited 06-04-2017 7:54 AM
- Mark as New
- Bookmark
- Subscribe
- Subscribe to RSS Feed
- Highlight
- Report to Moderator
they don't know it is the account holder they are speaking to though, anyone could answer your phone.
and again, they DID NOT ask for your password, they asked for select characters from it.
and have you seriously never came across anyone asking for select characters from your password? you must live in a bubble if you haven't. either that you are just spouting nonsense to get a reaction.
any time i log into online banking or call them they DO ask for select characters from the password or passcode.
good luck with your complaint to the data controller. i hope you get the response you deserve.
Re: Asking for passwords over the phone - really?
06-04-2017 10:52 AM
- Mark as New
- Bookmark
- Subscribe
- Subscribe to RSS Feed
- Highlight
- Report to Moderator
Hang on a minute chenks76, this was an unsolicited call, I would expect if I contacted my bank or whatever that they take me through security, but for an unsolicited call, that is typical Pnet with no thought for customers or their security.
.........................proud" say Pnet.
Re: Asking for passwords over the phone - really?
06-04-2017 11:20 AM
- Mark as New
- Bookmark
- Subscribe
- Subscribe to RSS Feed
- Highlight
- Report to Moderator
"name, address and phone number".
if security was the primary concern then why even give that info?
those 3 pieces of information are much more valuable then 2 or 3 random characters in a password.
however, there appears to be some inconsistencies in the original report.
firstly the OP said no personal information was supplied, then says it was supplied.
Re: Asking for passwords over the phone - really?
06-04-2017 2:33 PM
- Mark as New
- Bookmark
- Subscribe
- Subscribe to RSS Feed
- Highlight
- Report to Moderator
I don't think most of us would be too worried to give name, address and phone number, it was when they started asking for anything from the password that I would be worried. But this is no new problem with Pnet, there is a thread about unsolicited calls asking for personal information. Pnet really do not care that they are copying the techniques of the spammers and encouraging their customers to believe that it is OK to divulge information.
Shame on Pnet for still operating this way. Yes my signature is correct.
.........................proud" say Pnet.
Re: Asking for passwords over the phone - really?
06-04-2017 2:39 PM
- Mark as New
- Bookmark
- Subscribe
- Subscribe to RSS Feed
- Highlight
- Report to Moderator
name, address and phone number clearly isn't sufficient to validate that.
Re: Asking for passwords over the phone - really?
06-04-2017 3:27 PM
- Mark as New
- Bookmark
- Subscribe
- Subscribe to RSS Feed
- Highlight
- Report to Moderator
This is unsolicited, it is up to Pnet to be able to verify themselves FIRST before asking the customer for verification. Send them an email with a code saying they will call later and use the code to identify themselves.
People should be encouraged to give little or no information to unsolicited, unidentified callers. Giving information away is a sure fire way to one day give it to someone who will steal their identity. How much do Pnet care they are encouraging this? NOT A WHIT. They don't care about their customers.
.........................proud" say Pnet.
Re: Asking for passwords over the phone - really?
06-04-2017 3:39 PM - edited 06-04-2017 3:50 PM
- Mark as New
- Bookmark
- Subscribe
- Subscribe to RSS Feed
- Highlight
- Report to Moderator
send who an email? the person making the call send an email to the person they are going to call?
how is that any validation? a scammer could easily send such an email.
that solution of sending an unsolicited email to advise of an unsolicated phone call is quite frankly bizarre!
Re: Asking for passwords over the phone - really?
06-04-2017 3:59 PM
- Mark as New
- Bookmark
- Subscribe
- Subscribe to RSS Feed
- Highlight
- Report to Moderator
Not as bizarre as teaching people to give out any information to unsolicited calls from what could easilly be someone who is seeking to steal their identity.
Best solution....Pnet to NOT make unsolicited calls, and if they want to contact customers they must find a solution that does NOT encourage customers to divulge information to potential scammers. Easy.
.........................proud" say Pnet.
Re: Asking for passwords over the phone - really?
on 06-04-2017 4:17 PM - last edited on 06-04-2017 5:41 PM by Mav
- Mark as New
- Bookmark
- Subscribe
- Subscribe to RSS Feed
- Highlight
- Report to Moderator
you mean like giving your name, address and phone number? just like the OP did?
the simply solution here is to just never answer your phone, or tick the box to opt-out of receiving such calls.
of course, then what will happen is that people will start complaing about why they are not getting offers for being a "loyal" customer.
Moderator's note by Mike (Mav): Full quote of preceding post removed as per Forum rules.
Re: Asking for passwords over the phone - really?
06-04-2017 4:51 PM
- Mark as New
- Bookmark
- Subscribe
- Subscribe to RSS Feed
- Highlight
- Report to Moderator
As I said they are teaching people to give information out, glad you agree.
I have never heard people complain they have not been made offers over the phone, only complaints about unsolicited calls.
As I said, Pnet need to work out how they can safely contact customers, it is not a customer problem it is a Pnet problem but they don't give a single jot about customer safety just making some more ££££££££££££££££££££
Neither have you even bothered to offer any solution, just try and shoot someone else down.
This is my last comment on here say what you like as I am sure you will, judging by your last posts. Bye.
.........................proud" say Pnet.
Re: Asking for passwords over the phone - really?
06-04-2017 4:55 PM
- Mark as New
- Bookmark
- Subscribe
- Subscribe to RSS Feed
- Highlight
- Report to Moderator
I'm afeared that you are tilting at another imaginary windmill @chenks76. The OP raised a very pertinent issue that Plusnet (and most other institutions) strive to ignore. Security / data protection needs a two way verification process to minimise the risk to either party. Various schemes have been proposed and tried but as yet with no consensus for standard land line calls, there are processes in use for mobile phones.
It remains an issue until there is a realisation that "I'm from 'XYZ'' - trust me!, is no longer a workable process in today's scammer paradise.
Pick up on pedantic points of order if you wish, but please accept that there is a fundamental problem to be solved.
Superusers are not staff, but they do have a direct line of communication into the business in order to raise issues, concerns and feedback from the community.
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark
- Subscribe
- Printer Friendly Page
- Plusnet Community
- :
- Forum
- :
- Feedback
- :
- Plusnet Feedback
- :
- Asking for passwords over the phone - really?