cancel
Showing results for 
Search instead for 
Did you mean: 

Asking for passwords over the phone - really?

Tagger
Grafter
Posts: 28
Thanks: 16
Registered: ‎28-02-2017

Asking for passwords over the phone - really?

I've been with Plusnet a few weeks now.

 

I just got a call, apparently from a Plusnet customer service person to ask how my service was (or more likely to try and sell me upgrades).  The call didn't start well with the person asking for personal details - which I refused.  After all, I have no idea who the caller really is.

 

So they sent me a survey email, which arrived at my Plusnet email address, and appears to be genuine.

 

Given that, I gave the caller my name, address and phone number.  They then asked for characters from my Plusnet password.  At that point, I felt obliged to hang up on them.

 

Do Plusnet really phone people out of the blue and then ask for their passwords?  Given the number of hacks and frauds that are going around these days, how can Plusnet possibly do such a stupid thing?

27 REPLIES
VileReynard
Seasoned Pro
Posts: 11,066
Thanks: 276
Fixes: 11
Registered: ‎01-09-2007

Re: Asking for passwords over the phone - really?

If you ask for support, they will ask for a specified couple of characters of your password (usually the same ones) plus your user name.

They've always done this - it probably dates back to the time when they were an ISP who didn't try to flog all sorts of extra services that they are ill-equipped to support.

If you get calls asking for personal stuff, just hang up.

Community Veteran
Posts: 3,274
Thanks: 339
Fixes: 12
Registered: ‎24-10-2013

Re: Asking for passwords over the phone - really?


Tagger wrote:

Do Plusnet really phone people out of the blue and then ask for their passwords?  Given the number of hacks and frauds that are going around these days, how can Plusnet possibly do such a stupid thing?


they never asked for your password though (by your own admission).
they asked for selected characters from your password so that they could bring up your account on the system.

Tagger
Grafter
Posts: 28
Thanks: 16
Registered: ‎28-02-2017

Re: Asking for passwords over the phone - really?

They already knew who I am - they phoned me.  I was a BT customer for many years.  All they ever asked me for was stuff like my name, address or account number.  Never my password.  Nobody ever asks for my password over the phone - banks don't do it, energy companies don't do it.

 

But it's worse than that.  Industry standard practice for decades has been that passwords are always stored using a secure one-way hash.  Once the password has been hashed, there is no known way to recover it again other than by brute force - keep guessing passwords until you get lucky.

 

You can still tell if the genuine user is logging on again - just pass the password they type in through the same secure hash and see if it gives the same result.

 

If Plusnet can verify a password given just a few characters, then it says that they are totally ignoring industry best practice.  They must be using some form of reversible encryption.  But the software to decrypt the password again and they key to do that must be stored on their system somewhere.  If Plusnet gets hacked in the way that TalkTalk did, then the hackers could get everything they need to decrypt all Plusnet customer's passwords.  That would give total access to everybody's accounts, even once they have logged out of whatever server they hacked into.

 

I have just written a complaint to Plusnet's Data Controller (the person responsible for complying with the Data Protection Act).  I will see what response I get.

Community Veteran
Posts: 3,274
Thanks: 339
Fixes: 12
Registered: ‎24-10-2013

Re: Asking for passwords over the phone - really?

they don't know it is the account holder they are speaking to though, anyone could answer your phone.

and again, they DID NOT ask for your password, they asked for select characters from it.


and have you seriously never came across anyone asking for select characters from your password? you must live in a bubble if you haven't. either that you are just spouting nonsense to get a reaction.

any time i log into online banking or call them they DO ask for select characters from the password or passcode.
good luck with your complaint to the data controller. i hope you get the response you deserve.

Anon
Pro
Posts: 413
Thanks: 128
Registered: ‎16-04-2007

Re: Asking for passwords over the phone - really?

Hang on a minute chenks76, this was an unsolicited call, I would expect if I contacted my bank or whatever that they take me through security, but for an unsolicited call, that is typical Pnet with no thought for customers or their security.

Whatever happens always remember "We will do you
.........................proud" say Pnet.
Community Veteran
Posts: 3,274
Thanks: 339
Fixes: 12
Registered: ‎24-10-2013

Re: Asking for passwords over the phone - really?

so if it was unsolicated why did the OP give the following information to the caller.
"name, address and phone number".

if security was the primary concern then why even give that info?
those 3 pieces of information are much more valuable then 2 or 3 random characters in a password.

however, there appears to be some inconsistencies in the original report.
firstly the OP said no personal information was supplied, then says it was supplied.
Anon
Pro
Posts: 413
Thanks: 128
Registered: ‎16-04-2007

Re: Asking for passwords over the phone - really?

I don't think most of us would be too worried to give name, address and phone number, it was when they started asking for anything from the password that I would be worried. But this is no new problem with Pnet, there is a thread about unsolicited calls asking for personal information. Pnet really do not care that they are copying the techniques of the spammers and encouraging their customers to believe that it is OK to divulge information.

Shame on Pnet for still operating this way. Yes my signature is correct.

Whatever happens always remember "We will do you
.........................proud" say Pnet.
Community Veteran
Posts: 3,274
Thanks: 339
Fixes: 12
Registered: ‎24-10-2013

Re: Asking for passwords over the phone - really?

the question would be then, if they shouldn't be doing this (and i'm not convinced they shouldn't), how do they validate that they are speaking to the account holder?

name, address and phone number clearly isn't sufficient to validate that.
Anon
Pro
Posts: 413
Thanks: 128
Registered: ‎16-04-2007

Re: Asking for passwords over the phone - really?

This is unsolicited, it is up to Pnet to be able to verify themselves FIRST before asking the customer for verification. Send them an email with a code saying they will call later and use the code to identify themselves.

People should be encouraged to give little or no information to unsolicited, unidentified callers. Giving information away is a sure fire way to one day give it to someone who will steal their identity. How much do Pnet care they are encouraging this? NOT A WHIT. They don't care about their customers.

Whatever happens always remember "We will do you
.........................proud" say Pnet.
Community Veteran
Posts: 3,274
Thanks: 339
Fixes: 12
Registered: ‎24-10-2013

Re: Asking for passwords over the phone - really?

send who an email? the person making the call send an email to the person they are going to call?
how is that any validation? a scammer could easily send such an email.

that solution of sending an unsolicited email to advise of an unsolicated phone call is quite frankly bizarre!

Anon
Pro
Posts: 413
Thanks: 128
Registered: ‎16-04-2007

Re: Asking for passwords over the phone - really?

Not as bizarre as teaching people to give out any information to unsolicited calls from what could easilly be someone who is seeking to steal their identity.

 

Best solution....Pnet to NOT make unsolicited calls, and if they want to contact customers they must find a solution that does NOT encourage customers to divulge information to potential scammers. Easy.

Whatever happens always remember "We will do you
.........................proud" say Pnet.
Community Veteran
Posts: 3,274
Thanks: 339
Fixes: 12
Registered: ‎24-10-2013

Re: Asking for passwords over the phone - really?

you mean like giving your name, address and phone number? just like the OP did?


the simply solution here is to just never answer your phone, or tick the box to opt-out of receiving such calls.

of course, then what will happen is that people will start complaing about why they are not getting offers for being a "loyal" customer.

Moderator's note by Mike (Mav): Full quote of preceding post removed as per Forum rules.

Anon
Pro
Posts: 413
Thanks: 128
Registered: ‎16-04-2007

Re: Asking for passwords over the phone - really?

As I said they are teaching people to give information out, glad you agree.

I have never heard people complain they have not been made offers over the phone, only complaints about unsolicited calls.

As I said, Pnet need to work out how they can safely contact customers, it is not a customer problem it is a Pnet problem but they don't give a single jot about customer safety just making some more ££££££££££££££££££££

Neither have you even bothered to offer any solution, just try and shoot someone else down.

This is my last comment on here say what you like as I am sure you will, judging by your last posts. Bye.

Whatever happens always remember "We will do you
.........................proud" say Pnet.
Superuser
Superuser
Posts: 3,353
Thanks: 1,779
Fixes: 12
Registered: ‎10-04-2007

Re: Asking for passwords over the phone - really?

I'm afeared that you are tilting at another imaginary windmill @chenks76.  The OP raised a very pertinent issue that Plusnet (and most other institutions) strive to ignore.  Security / data protection needs a two way verification process to minimise the risk to either party.  Various schemes have been proposed and tried but as yet with no consensus for standard land line calls, there are processes in use for mobile phones.

It remains an issue until there is a realisation that "I'm from 'XYZ'' - trust me!, is no longer a workable process in today's scammer paradise.

Pick up on pedantic points of order if you wish, but please accept that there is a fundamental problem to be solved.