---

@malky3200 wrote:

if I was misinformed.... then for the record it was 2 of your agents, several weeks apart.

I know, I'm sorry that you were misinformed. 

So for the record - what was the job that was carried out relating to passwords and encryption on the 17th of April ?  Or did both agents get this wrong also ?

---

It was an improvement to our security practices, that we will not discuss further. Sorry. 

Jono H  Plusnet Community Manager

fair enough

regardless I'm pretty sure I know what it is - As I was told on the phone, more than once
But I guess we'll never know if that is correct.  I'd still change my password for that, for sure.

All I wanted to know at the time was
1 - do you store the passwords as clear text, I was told yes.  (then again I did need to suggest a yes or a no was all that was relevant)
2 - when will you encrypt them in the DB, the answer of the 17th it now appears is the other reason, which I would not be mentioning either, fair enough.

Did I miss something or does plus net have a statement on this on the web ?  I did ask on the calls and I was told no, but worth asking here I guess.

Came here after chatting with the support to start exactly the same topic only to see that someone already did.

Here is what we know:

- Customer support confirmed that they can check if 2 characters in your password are valid.

- Customer support asks different characters randomly

- After changing your password they can still validate characters in your new password.

- it's technically impossible to check separate letters in a secure, hashed and salted password. 

It does not really matter how exactly they store passwords, it might be plaintext or XOR or any other crazy and insecure approach. Regardless, they encryption is reversible and it means that:

- Hundreds pf plusnet employees have access to your password

- Support has access to your passwords indirectly - by asking different letter each time they can eventually 

- Hackers can steal full password database

- People who use the same password for more than one account(I'd estimate this number at up to 90%) can lose 

- Millions, maybe tens of millions users are in a grave danger - they could lose access to everything - their social network accounts, their bank accounts, their email and any service they ever registered with the same account. They are at risk of fraud and identity theft.

It's a MASSIVE, INSANE security issue.

GDPR becomes enforceable on 25 May 2018.

All companies must guarantee the safety of the user data by then or face quite significant fines.

I suggest handing Plusnet GDPR Subject Access Request on that same day and they will have to respond within 30 days.

Moderator's note by Dick (Strat): Post released from Spam Filter.

ConcernedUser , Indeed - I fear you are correct.
Now why would I think that.
A - I came to the same conclusion, years ago.  Frankly in March to learn this was still going on just staggered me.
B - So have others noticed this state of affairs
What are the chances of you, me and others all being bonkers ?  Zero.

The only thing I would point out is the 2 characters are not really that random.
If you call them up a few times in a few days, as I have had to on a separate matter you will notice the 2 characters, or at least one, stay relatively static.  So either I have experienced a few statistically quite unlikely events or more likely this is by design.  Therefore it may take a while to get the whole password.
We can only hope (as plusnet will not talk) that the job on the 17th of April stops ALL employees reading the entire password.  Of course this has never happened cough cough, so why on earth are their reports of CSRs "helping" users with their entire email password (hell I even had this verbally confirmed recently).   And as I am sure you are aware that password for many users IS the same as their PN account password.   Incidentally.... How secure do you think PN email is ?  No reply required, as that's just me joking. 
BTW : recently I was told by PN that PN email is only provided as they have a legal requirement to do so and I was advised to source A N Other email provider.  Interesting advice, however I did this many many years ago. 

All that said a DB that can reveal the password via plain text or by obtaining the key or equivalent is just insane - I could not agree more.

- A horrible consequence......  I have encouraged folks I know on PN to change their password to strong ones.  HOWEVER having to answer the question of what the 2 characters are on the password has the following consequence.....  An old age pensioner I know had to get me to change to something simpler as the new password was "too difficult"  indeed I was told "I just cannot do that", so the consequence is it had to be changed again to a less secure password. Understandable - but helps no one.  Before anyone goes ape on this please note, I am authorised to do this as I am nominated to be a co-user on the account.

So what's the plan ConcernedUser ?   Shall we look into GDPRing PN (you are not the first to suggest) or GCHQing PN ?
Have either of these organisations set any standards on this issue ?  I confess to not having looked it up.

Moderator's note by Mike (Mav): Post released from Spam Filter.

@ConcernedUser @malky3200 Have either of you any proof that PlusNet user accounts have violated in the ways you suggest are possible?

Okay, seeing as neither of these two individuals have come back with any answer to my simple question, I assume they haven't got one.

jab1

Have you not seen the evidence online that demonstrates clearly that in the past PN employees could read the entire password ?
Or maybe you have not asked questions whilst on the phone to PN support where the answers clearly indicate the very same.

I admit to typing up a couple of lengthy replies a week or so ago to your question.  I did not post these as I see little merit in debating when you can clearly see there has been an concern.  See the 2015 GCHQ article.  Ask PN what their response to that article is.  I wish you well getting an answer.  So far I have not spotted that and when asked PN was stated "we have published nothing"

Here's what I feel is a more relevant question.
Do you know how in March 2018 many PN customers got phishing emails, very specific PN content ?  3 out of the 5 PN customers I asked all got these emails.  And at least one of the 2 remaining likely had it deleted due to email spam filtering software on their client PC. This of course does not prove the email list was obtained via PN itself, but do you know ? have you asked PN ?  Of course many people's email address are out there in the ether for all to see,  However since I help a plus net customer whose email is very unlikely to on a spammer list and they got the email and not to a default catch all mailbox this interested me.  I did ask PN if they suspected their DB had been compromised and the answer is not helpful - ie they had no idea.   Indeed "wait to see if we are front page news tomorrow" is an understandable response, from a CSR who, I paraphrase, "had been called in like many others to deal with the increased phone calls".  So I guess you can assume all is ok, your choice.   Perhaps a PN moderator is able to add information now as they may have come to a conclusion.  Or perhaps a moderator will for security reasons not feel able to post ?

Another question.... Do we need any evidence of a vulnerability, did Talk Talk (not having a pop at Talk Talk I'm sure this is also true of other companies) customers have this before they became front page news?  I'd bet many if not all of their customers assumed their ISP was following best practices.  Do we just assume all is well or alternatively PN could issue a statement stating you records (yes more than password) are encrypted.  Some of us would also like to see that the password has been hashed and cannot therefore be decrypted, clearly this is not the case.  In the event of no information from PN then I guess the idea assuming all is well, or not, is your only option.

Assume if you wish, but it only takes one PN employee to ruin your day.  And like it or not a system of security is not just about algorithms it is about people and processes.  As many on these forums clearly know if the systems are weak it only makes it easier for the people to exploit the system.  

I took a quick look at the GDPR rules on this and I think ConcernedUser has a good point.  Who audits ISPs to ensure they meet the standards I have no clue.   Perhaps PN can make a statement stating they have met the requirements   Now Moderators that wouldn't be giving too much away to the bad guys would it ?

Of course if PN have not tighted up the process and the information we have seen in the past is disclosed once more then with the GDPR in place that will help any concerns users may have.

Sorry for the long reply - essentially I don't see how any prior knowledge does anything more than give false peace of mind since we do we know the process/system changed very recently.

Thanks for the reply, @malky3200.

What evidence online has shown that PN employees could see the entire password? I admit I have not asked the question' as I have had no reason so to do.

I would imagine a 2015 report, by anyone, would have much relevance to 2018 - organisations revise and update their security protocols 'behind closed doors' - for obvious reasons.

If the March 2018 incident is the the one I think you are referring to, I got a relatively small number of 'spam' - NOT phishing - emails, but on examining the full headers and the other 'recipients' listed therein, concluded that it was the result of a 'dictionary attack' and a temporary failure of the PN spam filter - for whatever reason. If you ask front-line staff that kind of question, that is the response I  would expect - they are call-centre operatives, not fully-cleared Plusnet security staff. Plusnet moderators would not be able to add any further information - just like me and you, they are customers with no special access to the inner workings.

We need evidence of a vulnerability, in the same way as you are asking for evidence to the contradictory. As you specifically reference TalkTalk in your reply, my understanding of that debacle is that is was due to the outsourcing, by TT, of all their customer support and accounting functions to entities on the Asian sub-continent, who had not been properly verified or monitored.

Has there been any evidence that the data held by PN has been improperly used by a 'rogue' PN employee - if so please point me in the direction of that evidence,otherwise I shall conclude that none exists.

Obviously, Plusnet (or any ISP for that matter), will not divulge security procedures on an open forum, and, as I said above, moderators are NOT PN staff, and cannot speak for PN.

My comments are based on currently observable information, and experience over the 6+ years I have been on this forum, also backed up by 20+ years working closely with IT professionals in an industry which had to manage the security of its' data to a much higher level than an ISP - what are you qualifications for such a task?

Interesting - @malky3200 seems reluctant to answer, and his/her only real supporter was a one-shot wonder.

Whoa. This is actually rude. Sorry, not everyone has time hanging around on random forums.

Honestly, I don't think that you deserve a reply. You add nothing to the conversation and you clearly have no clue about anything related to encryption, security and bad practices. But for the sake of people who might be reading this thread in the future I will reply to questions that at least somewhat make sense.

>Have either of you any proof that PlusNet user accounts have violated in the ways you suggest are possible?

No, and this is irrelevant. You don't need to wait for bad things to happen. IT security is preventive, not reactive. And GDPR clearly states "pseudonymisation and encryption of personal data" is a must.

>What evidence online has shown that PN employees could see the entire password?

I can confirm that after just 2 talks to support that they know 4 letters (half) of my password. They also confirmed that character numbers are generated randomly.

Even if they don't have access to any other letters (and there is no reason to assume that they don't), bruteforce of the remaining 4 letters would take less a second if you have access to the password hash or a system that does not throttle password requests. Internal systems usually don't throttle requests.

So they DO know my(and anyone elses) password. Even first level helpdesk employees.

>Has there been any evidence that the data held by PN has been improperly used by a 'rogue' PN employe

I don't know and this is irrelevant. GDPR specifically says that personal data must be encrypted.

There is nothing more personal than a password. Most people use the same password on many online services - from Facebook to Online banking. Even if currently Plusnet employees are the most loyal and honest people in the world, there is no guarantee that this will be like that forever.

You only need ONE employee with financial difficulties who will decide to sell the email/password database on darknet for $2 per pair. Even if just 30% of users use the same password on Plusnet and their other accounts, it's 30% from £20 million.

>Plusnet (or any ISP for that matter), will not divulge security procedures on an open forum

Security through obscurity is not security. Disclosing security procedures will make their systems more secure because people will be able to point out potential security issues in their systems. Such as keeping passwords in plain text or using reversible encryption.

Plusnet might not be required to disclose their security procedures to their clients by law. But they must disclose them to ICO under GDPR. And if ICO finds that Plusnet does not encrypt their users passwords they'll get a significant fine. Regardless of if there was a breach or not.

Anyway, I am writing an official GDPR "Information rights concern". So maybe after "spending 6 years on this forum" you might know an official email address I can send a copy to.

Hopefully this will be enough.

The next step would be to report the misconduct to the Information Commissioner’s Office.

Moderator's note by Adie (Dvorak): Full quote of preceding post removed as per the forum rules

I think encryption is, by definition, always reversible. The passwords are encrypted, as I'm sure everything else is, such as your name and address.

How do you think they are going to send your password to your router automatically without knowing what the password is?

Now I'm not faced with a wall of text that gave me a headache just looking at it, @ConcernedUser, I will respond, in the order in which you have selectively answered my post.

(1) I don't think I was being rude - if I  had posted to a topic which I thought of as being worthy of such a long reply, it would be one I would keep my eye on and surely if you are a Plusnet customer, then this forum is not 'random'.

(2) If I add nothing to the conversation, you are replying to nothing. As I said previously, but you seem to have ignored, I had 20+ years experience in IT in an industry where data security was paramount, so I had a reasonable knowledge of encryption, data security and best practice.

(3) You think that Plusnet 'wait for bad things to happen'? The fact that they have been in business for as long as they have, with only one major breach kind of points in a different direction. GDPR is a recent, well-intentioned - I hope - bit of legislation, and a company such as an ISP will, for its' own protection ensure that it complies.

(4) So you spoke to the same agent on both occasions? And she/he recorded the characters from your password both times? I think you will find they DON'T have access to any other than the two characters they ask for -it is fairly simple for the company to use software to ensure only those characters are displayed on the agents screen.  Brute force discovery of the other 4 characters as you rightly say, would require access to the password hash, or a system that does not throttle requests, I cannot believe that an internal system today would not have that facility - it was certainly active on the system at my employers, and that was on a network that was inward-facing only. So the agent will only know the two characters displayed to them.

(5) Again, I would suggest that passwords are encrypted, but can't prove it. Nor can you disprove it'

     If people do use the same password on different sites, then that is their own stupidity - there are myriad warnings online, and on many password-creation pages against such a practice.

You assume that other than a very select few have access to the database, which I think is disingenuous,to say the least.

(6) The most ridiculous statement you could make - disclosing security procedures means that anyone with a mind to do so could compromise the whole system in minutes.

Have you proof that Plusnet have NOT had their procedures cleared by the ICO? I think the legislation which the GDPR replaces already requires this.

(7) Please be sure to report back when you get a response to your "information rights concern" - I would be interested to learn the reply.

There is no email address for this purpose so far as I know but I would suggest that it would be safer to send this to the Data Controller at Plusnets head office by recorded and signed for mail.

---

@ConcernedUser wrote:

> Interesting - @malky3200 seems reluctant to answer, and his/her only real supporter was a one-shot wonder.

Whoa. This is actually rude. Sorry, not everyone has time hanging around on random forums.

Honestly, I don't think that you deserve a reply. You add nothing to the conversation and you clearly have no clue about anything related to encryption, security and bad practices. But for the sake of people who might be reading this thread in the future I will reply to questions that at least somewhat make sense.

---

@ConcernedUser Yes you are correct on all counts.  In addition as recently advised by a PN level one I have for years never bothered to trust PN email, so imagine by delight today when I had a peek and saw the post notifications.  But hell if someone wants to assume then that's up to them.

I quite liked your post.  Back in the Usenet 80s pre-web days, when I did have loads of time to hang around, I did notice forums have "features" that are good idea to ignore.  So much and yet so little has changed.

@ConcernedUser PM me if you need a hand with any of your actions.