Customer passwords should NEVER be accessible to support technicians

pg90
Newbie
Posts: 8
Registered: ‎18-04-2015

Customer passwords should NEVER be accessible to support technicians

I was surprised when I was chatting with a support technician earlier today and they asked to confirm certain characters of my password when they were accessing my account. I cannot stress how shockingly insecure this is.
Firstly, not even considering your support technicians, passwords should always be stored using a one-way hash anyway, which means they are not stored in plain text and the encrypted form cannot be reversed back to their original form.
Secondly, if they are actually stored using two-way encryption (which is bad enough as it is), allowing your employees to access this information is a huge security risk. Not only does it take one rogue employee to ruin everything, it also creates a large number of entry points for a potential external hacker to gain access to everyone's passwords and everyone's accounts.
Where does Plusnet stand on this? I've read the same complaint from at least three years ago and still nothing has been done? Seems like it's only going to be a matter of time before your databases are breached and we have another high-profile breach (c.f. Yahoo, Moonpig, Twitch, amongst others).
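An added example (not Plusnet's code, and not the poster's) of what "stored using a one-way hash" means in practice: a salted PBKDF2 record, a constant-time verifier that can only answer "is this the password?", a work-factor upgrade check, and a sanity check that the stored record contains nothing an agent or a database thief could read back. The function names, the iteration count and the sample password are assumptions of this example.

```python
# Added example, not Plusnet's code: a password store that keeps only a salted
# one-way hash, so the stored record can be checked but never read back.
import hashlib
import hmac
import os
from typing import Optional

ALGORITHM = "pbkdf2_sha256"
ITERATIONS = 600_000  # assumed work factor; raise it as hardware gets faster


def hash_password(password: str, salt: Optional[bytes] = None,
                  iterations: int = ITERATIONS) -> str:
    """Return a self-describing record: algorithm$iterations$salt$digest.

    The salt is random per password, so two customers with the same password
    get different records and a precomputed table is useless against a dump.
    """
    if salt is None:
        salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                                 salt, iterations)
    return f"{ALGORITHM}${iterations}${salt.hex()}${digest.hex()}"


def verify_password(record: str, candidate: str) -> bool:
    """Recompute the digest from the candidate and compare in constant time.

    This is the only question the store can answer: "is this the password?"
    It cannot answer "what are characters 2 and 5?", which is exactly why a
    support tool built on it has no password to show an agent.
    """
    try:
        algorithm, iterations, salt_hex, digest_hex = record.split("$")
    except ValueError:
        return False
    if algorithm != ALGORITHM:
        return False
    digest = hashlib.pbkdf2_hmac("sha256", candidate.encode("utf-8"),
                                 bytes.fromhex(salt_hex), int(iterations))
    return hmac.compare_digest(digest, bytes.fromhex(digest_hex))


def needs_rehash(record: str) -> bool:
    """True if the record was made with a weaker work factor than today's.

    Call this after a successful login and re-hash with the current ITERATIONS;
    the plaintext is only ever in memory for that one request.
    """
    _, iterations, _, _ = record.split("$")
    return int(iterations) < ITERATIONS


def record_reveals(record: str, password: str) -> bool:
    """Sanity check for the point above: neither the password nor its hex
    encoding appears in what gets written to the database."""
    return password in record or password.encode("utf-8").hex() in record


if __name__ == "__main__":
    # Constructed sample value, not a real customer password.
    sample = "correct-horse-battery"
    stored = hash_password(sample)
    print("stored record:", stored)
    print("verify correct:", verify_password(stored, sample))
    print("verify wrong:  ", verify_password(stored, sample + "x"))
    print("readable back: ", record_reveals(stored, sample))
```

The record deliberately carries its own algorithm and iteration count, so the work factor can be raised later without a migration: old records still verify, and `needs_rehash` flags them for re-hashing at the customer's next login.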
25 REPLIES
Gel
Seasoned Pro
Posts: 1,663
Thanks: 168
Fixes: 14
Registered: ‎02-08-2007

Re: Customer passwords should NEVER be accessible to support technicians

Surely you could make the same point about many institutions you deal with; this is a very common method for many companies.
The assistant won't have access to the whole p/word.
gswindale
Grafter
Posts: 942
Registered: ‎05-04-2007

Re: Customer passwords should NEVER be accessible to support technicians

So how exactly would you like your identity to be verified?
Many banks use a similar method when you contact them to verify that you are who you say you are.
pg90
Newbie
Posts: 8
Registered: ‎18-04-2015

Re: Customer passwords should NEVER be accessible to support technicians

I've contacted tens and tens of companies in the past and absolutely none of them have ever asked for my password or part of it. Most places ask for home address, date of birth etc., or the answer to a "secret question" that you set up when you joined.
If you think employees from banks will ever have access to your online password or part of it, you are terribly mistaken.
elkieluca
Grafter
Posts: 204
Registered: ‎21-08-2010

Re: Customer passwords should NEVER be accessible to support technicians

I've just switched to Natwest Bank and they definitely asked for 3 different letters and numbers of my password to log on their website. I've always been asked that by companies. Never had a problem so far.
pg90
Newbie
Posts: 8
Registered: ‎18-04-2015

Re: Customer passwords should NEVER be accessible to support technicians

Asked by who? I'm not talking about logging into the website, I'm talking about support technicians and other employees. No Natwest employee is going to ask for anything from your password.
The difference here is that Plusnet store passwords in (at best) two-way encryption and allow employees access to this information.
Edit: This is a quote from a Plusnet employee in 2007 (yes, 8 years ago) and it seems practices haven't changed since then:
Quote
Customers' passwords are encrypted on our system; in order to pass the data protection checks we need to verify that you are in fact the account holder. So to do this we ask for 2 characters from the password. In order for the CSC agent to see your password they have to click a link, which then leaves an audit trail so we can see who has accessed your password.

elkieluca
Grafter
Posts: 204
Registered: ‎21-08-2010

Re: Customer passwords should NEVER be accessible to support technicians

Good point, I'm thinking of websites.
gswindale
Grafter
Posts: 942
Registered: ‎05-04-2007

Re: Customer passwords should NEVER be accessible to support technicians

They've certainly done it in the past when I've spoken to Lloyds when ringing up to advise I'm going abroad.
I'm reasonably certain other companies have done the same in the past.
pwatson
Rising Star
Posts: 2,468
Thanks: 8
Fixes: 1
Registered: ‎26-11-2012

Re: Customer passwords should NEVER be accessible to support technicians

One Account ask for random letters from your password and passcode for online and phone security.
x47c
Grafter
Posts: 878
Thanks: 1
Registered: ‎14-08-2009

Re: Customer passwords should NEVER be accessible to support technicians

I rang a typical large building society recently. As well as the usual personal/address confirmation info, they wanted:
1. a certain 2 digits from my password
2. the full name/place/thing (whatever) of a particular memorable word.
pg90
Newbie
Posts: 8
Registered: ‎18-04-2015

Re: Customer passwords should NEVER be accessible to support technicians

The difference (in the cases above) is that the people you're talking to on the phone do not have access to your full password. The people at Plusnet do. Are you really comfortable with that? Would you be comfortable if employees at said banks/building societies had access to your full password?
pwatson
Rising Star
Posts: 2,468
Thanks: 8
Fixes: 1
Registered: ‎26-11-2012

Re: Customer passwords should NEVER be accessible to support technicians

You may well be right, or perhaps PN have changed the system since 2007 and the support agent is now only shown the letters that they ask you for?
pg90
Newbie
Posts: 8
Registered: ‎18-04-2015

Re: Customer passwords should NEVER be accessible to support technicians

If Plusnet have changed their system to what you suggest then that would be better, but still not perfect. It would be nice if someone from Plusnet could confirm either way.
pwatson
Rising Star
Posts: 2,468
Thanks: 8
Fixes: 1
Registered: ‎26-11-2012

Re: Customer passwords should NEVER be accessible to support technicians

Indeed, only PlusNet can say, so you may be leaping to erroneous conclusions Wink
Their system may be better still in that the support agent is told which letters to ask for and then told if the answer given was correct? I don't see any difference here to what my bank does...
pg90
Newbie
Posts: 8
Registered: ‎18-04-2015

Re: Customer passwords should NEVER be accessible to support technicians

I accept that I may be jumping to conclusions, however the assumptions are based on:
1. The support agents have in the past been able to see the full password and there's no evidence that this has changed
2. Instead of emailing a password reset email, Plusnet are one of the only remaining companies to actually display my password in plaintext when I use the 'forgotten password' link (and that's bad enough on its own!)
3. Banks have the technology and security to do this properly where Plusnet clearly doesn't (see point 2)
It's 2015 and using reversible encryption is just asking for trouble. It's a shame that Plusnet will only realise this when they get bitten in the bum by a hacker.
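An added example (not Plusnet's code, and not the poster's) of the "forgotten password" flow point 2 contrasts with: instead of showing the password, the site e-mails a link carrying a random single-use token, stores only the token's hash with an expiry, and lets the holder set a new password. With one-way hashing there is no old password to display anyway. The class and function names, the 15-minute lifetime, the example URL and the account ids are assumptions of this example.

```python
# Added example, not Plusnet's code: a 'forgotten password' flow that e-mails
# a single-use, expiring reset token instead of revealing the password.
import hashlib
import secrets
import time
from dataclasses import dataclass
from typing import Callable, Dict

TOKEN_TTL_SECONDS = 15 * 60  # assumed lifetime of a reset link


@dataclass
class ResetRequest:
    token_hash: str   # only the hash is stored; a DB dump yields no usable link
    expires_at: float
    used: bool = False


class ResetStore:
    """Issues and redeems reset tokens. The clock is injectable for testing."""

    def __init__(self, clock: Callable[[], float] = time.time) -> None:
        self._clock = clock
        self._pending: Dict[str, ResetRequest] = {}

    @staticmethod
    def _digest(token: str) -> str:
        return hashlib.sha256(token.encode("utf-8")).hexdigest()

    def issue(self, account_id: str) -> str:
        """Create a token for the account and return it for the e-mailed link.

        Issuing again replaces any earlier token, so only the newest link works.
        """
        token = secrets.token_urlsafe(32)  # 256 bits of randomness
        self._pending[account_id] = ResetRequest(
            token_hash=self._digest(token),
            expires_at=self._clock() + TOKEN_TTL_SECONDS,
        )
        return token

    def redeem(self, account_id: str, token: str) -> bool:
        """Accept the token once, within its lifetime, then burn it.

        Whoever redeems it then sets a brand-new password; the old one is
        never shown to anyone, because under a one-way hash it cannot be.
        """
        request = self._pending.get(account_id)
        if request is None or request.used:
            return False
        if self._clock() > request.expires_at:
            del self._pending[account_id]
            return False
        if not secrets.compare_digest(request.token_hash, self._digest(token)):
            return False
        request.used = True
        return True


def build_reset_link(base_url: str, account_id: str, token: str) -> str:
    """What goes in the e-mail. The password itself never appears."""
    return f"{base_url}/reset?account={account_id}&token={token}"


if __name__ == "__main__":
    store = ResetStore()
    link_token = store.issue("customer-42")  # constructed account id
    print(build_reset_link("https://example.invalid", "customer-42", link_token))
    print("first use:", store.redeem("customer-42", link_token))   # True
    print("second use:", store.redeem("customer-42", link_token))  # False
```

Storing only the hash of the token matters for the same reason as hashing passwords: someone who reads the table cannot reconstruct a working link, and an intercepted link stops working after one use or fifteen minutes, whichever comes first.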