you called me - and asked for security details - this is NOT secure

snozboz
Rising Star
Posts: 408
Thanks: 14
Fixes: 1
Registered: ‎27-07-2007

A customer service agent rang me (after I had started a ticket through the "Help Assistant").  My ticket (ID 29387510) was me asking to change my account to the new "Unlimited" package on the 12 month contract (because I am an existing user).  Because the agent had rung ME, I objected to answering the security question of giving two characters of my password.  (So the agent continued in writing on the ticket.)
In my next written response, I explained why and said:
Quote
When you rang me, I didn't want to continue on the phone because you had no way of proving that you were who you said you were - and you were asking for some parts of my password. What would stop someone engaged in criminal activity from ringing thousands of people, pretending to be from PlusNet, and asking for private details? For instance, if they only got part of a password, they could get an accomplice to repeat the call at a later date and get the rest of the password.
Please pass this feedback on to your superiors.

The response I got to this point was unsatisfactory:
Quote
We have acknowledged your statement and we are fully aware that security information cannot be confirmed over the phone. When you do contact us, we only require the first 2 characters of the password. We use this method to determine that you are the account holder.

This response did not address my point that it was PlusNet who had rung me - I had not contacted them by phone.  Also, the fact that only 2 characters was asked for does not totally remove the security risk - as I had explained in my original message.
It is not only PlusNet who do this; I've even had my bank ring me up and ask me to answer security questions.  I get annoyed by this - I'm doing my best to help prevent identity theft and fraud, and organisations continue to have procedures that leave security holes wide open.  If a legitimate organisation normally rings their customers and gets answers to security questions, then customers will learn to expect this as normal behaviour.  So if/when a criminal organisation decides to ring lots of random people, and pretend to be legitimate, some of these people will happily give their answers away.
When I've questioned this procedure, with my bank and now with PlusNet, the response has not engaged with my point and hasn't tried to understand the issue - they've merely stated what their policy and procedure is and why it exists.
Please, PlusNet, you're better than this!
Be3G
Grafter
Posts: 6,111
Thanks: 1
Registered: ‎05-04-2007

Re: you called me - and asked for security details - this is NOT secure

Did the agent not state that he/she was phoning in response to your request to change your package? If the agent did, then I don't see what the problem is - it would be clear that they really are phoning from Plusnet because that's the only way they could be privy to your ticket details.
James
Grafter
Posts: 21,036
Thanks: 5
Registered: ‎04-04-2007

Re: you called me - and asked for security details - this is NOT secure

Hiya,
Understand your concerns.  I'll try and find out what our policy is on calling you and asking for security details.
If we're calling you on your CLI (Broadband Telephone Number) and then ask you to confirm a couple of letters of your password I'm not certain if that's overkill, but ultimately, you're not giving out any personal information - what's someone going to do with 2 letters of a password that has to be at least 8 characters long?
jelv
Seasoned Hero
Posts: 26,785
Thanks: 971
Fixes: 10
Registered: ‎10-04-2007

Re: you called me - and asked for security details - this is NOT secure

What is needed is for users to be able to add a codeword to their profile on the portal. The agents ringing out should tell the end user what the codeword is to verify that they are calling from Plusnet.
jelv (a.k.a Spoon Whittler)
   Why I have left Plusnet (warning: long post!)   
Broadband: Andrews & Arnold Home::1 (FTTC 80/20)
Line rental: Pulse 8 Home Line Rental (£14.40/month)
Mobile: iD mobile (£4/month)
Spider
Grafter
Posts: 1,100
Registered: ‎05-04-2007

Re: you called me - and asked for security details - this is NOT secure

This is something that has always concerned me as well, and I used to be the one making the calls for a bank I worked for. As soon as a customer was worried about the call or asked me how I could prove I was calling from the bank, I just gave them my name and extension and then asked them to call back on the usual contact number. Some customers then decided that they wanted to proceed with the call, but I always declined and asked them to call us. The other piece of advice is never to call back on a number supplied by the original caller, as it could be false.
xpcomputers
Grafter
Posts: 461
Thanks: 1
Registered: ‎13-04-2007

Re: you called me - and asked for security details - this is NOT secure

I think the OP has the right to be concerned. But Plusnet also have a duty of care to make sure they are speaking to the account holder, not just anyone who answers the phone on that number.
There has to be an exchange of credentials to prove who you are, but Plusnet have to make the first move if they are doing the phoning, as they are the more "unknown" party in that case.
I think the best way to handle this is for Plusnet to make clear that they are phoning in response to a ticket (and the nature of that ticket), and by doing so give away a snippet that could only be known to them (not someone outside Plusnet). However, the tricky bit is what info they should give out. It has to be something non-confidential, in case the person on the receiving end isn't really the customer either. Having established that the caller really was from Plusnet on official business, I'd then be happy to give out my two characters as normal.
In the case of an upgrade they can say "I'm phoning in response to your ticket from yesterday about upgrading from PAYG to an Unlimited account".
Like the OP, I have had a cold call from my "mobile phone company" (can't be sure if it really was them), offering me a free upgrade phone, and asking me to confirm all my confidential data. The operator was bemused that I wouldn't give him anything! He couldn't see that he hadn't proved who he was, and that I would be silly to give him my details. He was saying things like "but don't you want the free upgrade phone? It is free. I can send it as soon as we've proved you are the owner of the phone account". I never got him to prove he was who he said he was, and instead I hung up and phoned the company direct and dealt with them there. Of course, they knew nothing of the other call, but often the "sales" teams are outsourced to a third party call centre anyway, so that proves nothing.
The two characters of the password are enough to verify you to Plusnet, so if a "fake Plusnet employee" got them, they could access the account by phone in the same way I could by phone call. Say the fake person then phoned Plusnet and said the password wasn't working on email and asked them to reset the main password (having proved they knew the first 2 digits asked for).
Plusnet, need to take security seriously, and so do customers. I would refuse to answer security questions until I was sure of the identity of the caller, but giving me trust in their identity should be easy enough in most cases without revealing anything confidential, and therefore betraying the customers security.
Maybe there should be a challenge question asked in the ticket, that the Plusnet staff member can repeat to the customer if challenged about being from Plusnet. Like I could have my authentication word as "banana" for a current ticket, so if Plusnet needed to phone me about a ticket, they would say "banana" so I knew I could trust them. But it is meaningless other than for that ticket, so no-one else could use the info. It would always have to be different from the password, and nothing confidential, and that would have to be stressed. It would be optional for customers to give a secret authentication word if they wanted that feature.
Just an idea....
Of course, as already said, most tickets have enough non-confidential info in them that can be repeated without harm anyway, like the time & day when the ticket was logged, and the reason for the ticket. That would be enough for me.... did the OP confirm if that info was provided by the Plusnet staff on the phone call? If it was, then I don't see there was much more the Plusnet staff could do, without my authentication word idea... I'd have been happy without it in this case.
Mike
edited: Cross posted with jelv... my own fault for writing an essay!!! code word is the same idea as mine, but seems jelv got there first! Great minds and all that....
snozboz
Rising Star
Posts: 408
Thanks: 14
Fixes: 1
Registered: ‎27-07-2007

Re: you called me - and asked for security details - this is NOT secure

@Be3G No, I think I remember rightly that the agent didn't say what they were phoning in response to, they just said they were phoning in response to a question I'd raised.
@Jameseh Yes, they called on my CLI and asked for two characters of my password.  On its own, this wouldn't give a criminal anything.  But if it was repeated over time by a different voice, and each time they asked for a different 2 characters, a whole password could be gained.  A criminal wouldn't make just one random call to try this - they'd call many thousands of people and repeat it over time, and even if it only works on a small percentage of people, this could be enough to make it worthwhile.
@jelv, spider and xpcomputers: I agree with y'all - thanks for the backup to my rant Smiley
I can see that some PlusNet passwords wouldn't give big gains to criminals.  So maybe the risk is justifiable, though I do think it is still a risk.  But more broadly my rant is about the normal behaviour of PlusNet and other organisations: if it is normal for members of the public to be phoned and asked for answers to security questions and the public gets used to giving these answers, then the opportunity for criminals to get answers to security questions increases.
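The repeated-call harvesting that the original poster describes (a different caller each time asking for a different pair of password characters, with the answers merged), modelled as an added Python example. This is not code from the thread or from Plusnet; the password, the two customer policies and the attacker's choice of positions are all constructed assumptions for illustration.

```python
"""Model of partial-password harvesting by repeated phone calls.

Two customer behaviours are compared:
  'any'            - answers whichever character positions the caller asks for
                     (the habit the thread worries callers are trained into)
  'first_two_only' - only ever discloses characters 1 and 2, refusing anything else
                     (the policy the thread says the real process uses)
"""
import random

# Constructed sample credential for the simulation; not a real password.
PASSWORD = "s3cretPa55"


def answer_request(password, positions, policy="any"):
    """Characters a customer reveals when a caller asks for `positions` (0-based).

    Returns a dict {position: character}, or None if the customer refuses.
    """
    if policy == "first_two_only" and any(p > 1 for p in positions):
        return None  # customer refuses: only the first two are ever given out
    return {p: password[p] for p in positions if p < len(password)}


def harvest(password, policy, max_calls, rng):
    """Attacker 'rings' repeatedly, asking for two random positions each time,
    and merges every answer into one view of the password.

    Returns (known_chars, calls_made); known_chars maps position -> character.
    """
    known = {}
    n = len(password)
    for call in range(1, max_calls + 1):
        asked = rng.sample(range(n), 2)           # a fresh pair each call
        reply = answer_request(password, asked, policy)
        if reply:
            known.update(reply)
        if len(known) == n:                       # whole password recovered
            return known, call
    return known, max_calls


def reconstruct(known, length):
    """Render what the attacker holds, '?' for positions still unknown."""
    return "".join(known.get(i, "?") for i in range(length))


if __name__ == "__main__":
    for policy in ("any", "first_two_only"):
        known, calls = harvest(PASSWORD, policy, max_calls=500, rng=random.Random(7))
        print(f"{policy:15s} after {calls:3d} calls: {reconstruct(known, len(PASSWORD))}")
```

Under the 'any' policy the attacker reaches the full password well within the call budget; under 'first_two_only' the leakage is capped at the same two characters no matter how many calls are made, which is the point made later in the thread about always asking for the same two positions. The model ignores that the fixed two characters are themselves enough to pass Plusnet's own phone check, which the thread raises separately.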
Be3G
Grafter
Posts: 6,111
Thanks: 1
Registered: ‎05-04-2007

Re: you called me - and asked for security details - this is NOT secure

I'm not a security expert so perhaps there's an implication I haven't considered if this were to be done but... why not do a two-way password-character swap? Say, PN tell you the last two digits of the password, then you tell them the first two? That way there's still enough unknown information to not give anything away, but it proves both that the PN caller really is from PN (as s/he has your account details) and that you really are the account holder.
xpcomputers
Grafter
Posts: 461
Thanks: 1
Registered: ‎13-04-2007

Re: you called me - and asked for security details - this is NOT secure

Quote from: Be3G
why not do a two-way password-character swap? Say, PN tell you the last two digits of the password, then you tell them the first two?

I wouldn't want Plusnet giving out two characters of my password to someone who answered my phone. I wouldn't consider that to be good practice at all.
I think a date & time of the ticket and a vague subject matter would be enough in most cases to elicit the required trust to give the two characters back to Plusnet. I might want more if it was to reveal my inside leg measurement, my mother-in-law's birth date and my full password!
It is about appropriate security for the need, and about worst case scenarios. You don't want to be sailing close to the line though.... on one hand, two letters isn't MUCH of the password... especially where the same two are always used, so other parts could never be gleaned. However, whilst at first glance you might think the password couldn't do much to my Plusnet Account directly (like see my usage on the portal!), very importantly, it could allow them to change email passwords... gain access to my emails... and from there my full digital life... including requesting password changes on any internet account... there is a LOT of damage that can be done with a compromised email address!!!
Protecting the Plusnet Account Password is a very important matter. And the procedures surrounding disclosure of any of it, should be water tight...
Mike
snozboz
Rising Star
Posts: 408
Thanks: 14
Fixes: 1
Registered: ‎27-07-2007

Re: you called me - and asked for security details - this is NOT secure

Quote from: xpcomputers
on one hand, two letters isn't MUCH of of the password... especially where the same two are always used, so other parts could never be gleaned

As long as all customers know and remember all the time that Plusnet will only ever ask for the first 2 characters...
Even if Plusnet only ever ask for the first 2 characters, customers won't necessarily remember this, particularly if they become accustomed to giving answers to security questions when someone phones them.  If someone rang saying they were from Plusnet, and asked for the last 2 characters, I'd imagine that most people would give them what they had been asked for.
Even if the security question Plusnet asks is safe (which, as other posters have explained, it isn't), the fact that they ask one without proving (and saying they are proving) that they are who they say they are, means members of the public get used to answering security questions when they have been phoned.
And I don't think it's quite enough to mention the ticket date (for example) - Plusnet would have to give the ticket date AND say they are doing this to prove that they are who they say they are.  This "trains" the customer to expect this proof from all callers; otherwise, merely mentioning the date is only of use to a customer who is actively trying to be secure.
Lurker
Grafter
Posts: 1,867
Registered: ‎23-10-2008

Re: you called me - and asked for security details - this is NOT secure

MY GOD THIS IS TERRIBLE.
Somebody could steal my internetz.
Call the police and the Daily Mail - I am outraged.
Seriously, it would be so much effort for somebody to get my details, and with no real guarantee of any reward for them that I can't see anybody trying to do this other than to test or prove the theory.
Yes, it can be made more robust, but I don't think any of us need to lose any sleep over it.
PS @Jameseh my password is not 8 chars long. Smiley
mal0z
Grafter
Posts: 3,486
Registered: ‎02-10-2008

Re: you called me - and asked for security details - this is NOT secure

I share the OP concerns in general, especially regarding banks.
In this case I think XPComputers is spot on.
PN agent specifies ticket number and asks for first two characters of password.
One's password should be at least 8 characters and preferably more - mine most certainly are and changed regularly.
In fact why not force people to change passwords regularly - say every six months ?
Lurker
Grafter
Posts: 1,867
Registered: ‎23-10-2008

Re: you called me - and asked for security details - this is NOT secure

Because not everybody wants to or needs to.
It's a password to access an internet account for Pete's sake.
I work in IT, and I recognise the need for secure passwords, things that are deserving of decent security get it by way of a proper length password.
Some things just don't need that level of security though - there is nothing there worth trying to pinch.
mal0z
Grafter
Posts: 3,486
Registered: ‎02-10-2008

Re: you called me - and asked for security details - this is NOT secure

Fair point - but it's also the main email access password ?
[edit]
Plusnet do recommend changing password every six months -
http://www.plus.net/support/security/usernames_and_passwords/username_and_password_security.shtml
[/edit]
xpcomputers
Grafter
Posts: 461
Thanks: 1
Registered: ‎13-04-2007

Re: you called me - and asked for security details - this is NOT secure

James,
I thought the same at first. But even with just those two characters, someone could contact Plusnet, answer the two characters asked for, say that the email program was not accepting their password anymore, and get Plusnet to change the email password.
Suddenly the thief has access to all your email and through that, any digital account on the internet authenticated on that email address (using the forgotten password link of those sites, they can reset those passwords too).
Likely to happen? Not very.
Possible to do relatively easily? Yes scarily so!
This is about much more than borrowing your bandwidth or viewing your usage stats... it could very easily be full identity & financial theft for the determined with motivation.
Mike