Asking for passwords over the phone - really?
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark
- Subscribe
- Printer Friendly Page
- Plusnet Community
- :
- Forum
- :
- Feedback
- :
- Plusnet Feedback
- :
- Asking for passwords over the phone - really?
- « Previous
-
- 1
- 2
- Next »
Re: Asking for passwords over the phone - really?
06-04-2017 5:27 PM
- Mark as New
- Bookmark
- Subscribe
- Subscribe to RSS Feed
- Highlight
- Report to Moderator
however, the original point stands in that the caller DID NOT ask for the password.
they asked for a select number of characters to authenticate access to the account, which is standard practice.
i'm sure i've said this before but it would be quite easy to have a security "word or phrase" on your account that the caller had to give you, in the same way that you have to give them a validated response. the person making the call has this "word or phrase" available to them when making the call. of course, this relies on the account holder remembering such a "word or phrase", which is where the process will fall down.
Re: Asking for passwords over the phone - really?
06-04-2017 5:49 PM
- Mark as New
- Bookmark
- Subscribe
- Subscribe to RSS Feed
- Highlight
- Report to Moderator
In similar situations I tend to take the name and department of the caller then say I will call back shortly.
Then I obtain the relevant number from the company website or use an already-known-to-me number.
I then ring a different number (usually my own mobile or landline) to verify that my line hasn't been hacked as in being kept open with the scammers sending the relevant tone(s) before ringing back happy to go through any DP necessary.
A bit of a hassle but feel it is the best option to maintain security integrity.
Forum Moderator and Customer
Courage is resistance to fear, mastery of fear, not absence of fear - Mark Twain
He who feared he would not succeed sat still
Re: Asking for passwords over the phone - really?
06-04-2017 5:58 PM
- Mark as New
- Bookmark
- Subscribe
- Subscribe to RSS Feed
- Highlight
- Report to Moderator
Can you imagine trying to phone Plusnet?
"In The Beginning Was The Word, And The Word Was Aardvark."
Re: Asking for passwords over the phone - really?
06-04-2017 11:32 PM
- Mark as New
- Bookmark
- Subscribe
- Subscribe to RSS Feed
- Highlight
- Report to Moderator
OK, for those people who asked. Here's a more detailed time line.
- Plusnet called me.
- Plusnet asked for personal information to identify myself.
- I refused, since I didn't know who the caller was.
- The caller opened a ticket on Plusnet's system about the call.
- An email arrived from Plusnet about the ticket.
- I checked that the links in the email really went to Plusnet's web site, then clicked on the link.
- The link went to the ticket about the call.
- The caller asked for my name, address and phone number which I gave.
- The caller asked for characters from my password.
- I hung up on the caller.
- I used the ticket that had just been opened to make a complaint about the call.
Re: Asking for passwords over the phone - really?
07-04-2017 8:50 AM - edited 07-04-2017 8:50 AM
- Mark as New
- Bookmark
- Subscribe
- Subscribe to RSS Feed
- Highlight
- Report to Moderator
so we now have some honestly about what was actually asked from you.
you originally claimed they asked for your "password", which clearly didn't happen.
you have clarified that you received validation that you were actually speaking to plusnet, so where is the issue with them wanting "select" characters from your password so that they can confirm they are talking to YOU?
Re: Asking for passwords over the phone - really?
07-04-2017 4:30 PM
- Mark as New
- Bookmark
- Subscribe
- Subscribe to RSS Feed
- Highlight
- Report to Moderator
@chenks76 wrote:
so we now have some honestly about what was actually asked from you.
you originally claimed they asked for your "password", which clearly didn't happen.
you have clarified that you received validation that you were actually speaking to plusnet, so where is the issue with them wanting "select" characters from your password so that they can confirm they are talking to YOU?
First issue - you just don't do that. There are so many scammers around trying steal personal details. The last thing any company should do is to train its customers that it is appropriate to give account information like that to someone who calls out of the blue.
Second - it tells me that Plusnet are not storing my password securely. My main account password should be stored in such a way that it is impossible to retrieve my password from the system - only to verify the next time I log in that I have typed in the same password as I did when I opened the account. That is the only way to keep my password secure from hackers or malicious insiders. If it is possible to verify that two characters are from my password, then they cannot have done that. If Plusnet want some kind of phone verification word, then that should be totally separate from the account password. But they would have to deal with customers forgetting it, because they will if they don't phone regularly.
Re: Asking for passwords over the phone - really?
07-04-2017 6:33 PM
- Mark as New
- Bookmark
- Subscribe
- Subscribe to RSS Feed
- Highlight
- Report to Moderator
First I don't see what your problem is here ok calls out of the blue and giving info out i can kind of understand but you then went and found it to actually be Plusnet you were dealing with but still had a problem because they wanted to verify it was YOU by requesting a couple of characters from your password which is standard practice for the majority of companies.
Secondly when it comes to password verification where I Work uses the same process as do many other companies, the staff DO NOT see the password nor can they retrieve or request it, two or three characters appear on the screen as it is with online shopping where the last 3 or 4 digits of a credit / debit card can be seen at checkout the rest is fully encrypted, the staff ask the customer to confirm the characters they see, they have no idea what the password is, it's length or anything else related to it its not their concern.
Re: Asking for passwords over the phone - really?
07-04-2017 7:56 PM - edited 07-04-2017 7:58 PM
- Mark as New
- Bookmark
- Subscribe
- Subscribe to RSS Feed
- Highlight
- Report to Moderator
But if Plusnet ask for a different pair of characters each time, they must store the password in both a plain text and an encrypted form.
When I make a connection with my router is my password sent in an encrypted form?
"In The Beginning Was The Word, And The Word Was Aardvark."
Re: Asking for passwords over the phone - really?
07-04-2017 8:23 PM
- Mark as New
- Bookmark
- Subscribe
- Subscribe to RSS Feed
- Highlight
- Report to Moderator
https://en.wikipedia.org/wiki/Challenge-Handshake_Authentication_Protocol
CHAP requires that both the client and server know the plaintext of the secret, although it is never sent over the network.
Re: Asking for passwords over the phone - really?
13-11-2017 5:37 PM
- Mark as New
- Bookmark
- Subscribe
- Subscribe to RSS Feed
- Highlight
- Report to Moderator
Winds me up this - I'm not a Plusnet customer because of this reason.
I got asked for "select characters" of my password twice, each person asked for different parts of the password.
If that's the case, how long until someone is able to piece together my password?
That's not really my main concern though - my main concern is that companies of this size are a target for attacks and data theft. Since Plusnet do not store the passwords in a hashed form, it makes it a million times easier for someone to steal the password data for the whole user-base.
We aren't talking address/mail details here, we are talking passwords which people may not realise are not stored securely that people may have used elsewhere (yes it's not good practice to use the same password for multiple sites but people do it).
It's Plusnet's responsibility to adopt industry best practices. I've heard that the same password is used for your online account, CHAPS authentication, phone verification...
Plusnet, all you need to do is introduce a couple of separate passwords for these mechanisms or you are introducing a massive weakness into your systems and putting thousands of customer's privacy at risk.
Stop trying to defend Plusnet - it's an easily remedied issue.
Here's a short story - when I was a lot younger, messing about with PHP websites, I wrote one for my friends online gaming clan. At that time I didn't know much about password hashing or best-practice, and I stored passwords in plain-text at the back end.
Since a friend of mine used the same password on the site as his machine administrator password, I managed to remotely use his c$ share and log-in as the administrator on his machine. This gave me access to his whole file system. I left a few troll text files around here and there.
Now some of this isn't as easy anymore, but I was a 14/15 year old kid who managed to compromise someone's personal machine on a whim, what if I'd been a malicious person intent on stealing data?
Re: Asking for passwords over the phone - really?
13-11-2017 7:21 PM
- Mark as New
- Bookmark
- Subscribe
- Subscribe to RSS Feed
- Highlight
- Report to Moderator
You forgot that Plusnet now also issue router admin passwords and wifi passwords (which I guess few people change).
"In The Beginning Was The Word, And The Word Was Aardvark."
Re: Asking for passwords over the phone - really?
04-05-2018 10:57 AM - edited 04-05-2018 11:09 AM
- Mark as New
- Bookmark
- Subscribe
- Subscribe to RSS Feed
- Highlight
- Report to Moderator
have a look at this post I just made regarding Plusnet passwords being stored as cleartext....
the have recently improved matters
admittedly not everyone will be 100% chuffed but it is an improvement, (IF YOU KNOW ABOUT IT AND TAKE ACTION)
Re: Asking for passwords over the phone - really?
04-05-2018 9:26 PM
- Mark as New
- Bookmark
- Subscribe
- Subscribe to RSS Feed
- Highlight
- Report to Moderator
Thread locked in favour of linked topic.
If it helped click the thumb
If it fixed it click 'This fixed my problem'
- « Previous
-
- 1
- 2
- Next »
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark
- Subscribe
- Printer Friendly Page
- Plusnet Community
- :
- Forum
- :
- Feedback
- :
- Plusnet Feedback
- :
- Asking for passwords over the phone - really?