cancel
Showing results for 
Search instead for 
Did you mean: 

Asking for passwords over the phone - really?

chenks76
All Star
Posts: 3,274
Thanks: 336
Fixes: 12
Registered: ‎24-10-2013

Re: Asking for passwords over the phone - really?

any pedantic points were merely in response to equally pedantic (and in some cases bizarre) replies.

however, the original point stands in that the caller DID NOT ask for the password.
they asked for a select number of characters to authenticate access to the account, which is standard practice.

i'm sure i've said this before but it would be quite easy to have a security "word or phrase" on your account that the caller had to give you, in the same way that you have to give them a validated response. the person making the call has this "word or phrase" available to them when making the call. of course, this relies on the account holder remembering such a "word or phrase", which is where the process will fall down.
Mav
Moderator
Moderator
Posts: 22,668
Thanks: 4,844
Fixes: 517
Registered: ‎06-04-2007

Re: Asking for passwords over the phone - really?

In similar situations I tend to take the name and department of the caller then say I will call back shortly.

 

Then I obtain the relevant number from the company website or use an already-known-to-me number.

 

I then ring a different number (usually my own mobile or landline) to verify that my line hasn't been hacked as in being kept open with the scammers sending the relevant tone(s) before ringing back happy to go through any DP necessary.

 

A bit of a hassle but feel it is the best option to maintain security integrity.

Forum Moderator and Customer
Courage is resistance to fear, mastery of fear, not absence of fear - Mark Twain
He who feared he would not succeed sat still

VileReynard
Hero
Posts: 12,616
Thanks: 579
Fixes: 20
Registered: ‎01-09-2007

Re: Asking for passwords over the phone - really?

Can you imagine trying to phone Plusnet?

"In The Beginning Was The Word, And The Word Was Aardvark."

Tagger
Grafter
Posts: 28
Thanks: 17
Registered: ‎28-02-2017

Re: Asking for passwords over the phone - really?

OK, for those people who asked.  Here's a more detailed time line.

  1. Plusnet called me.
  2. Plusnet asked for personal information to identify myself.
  3. I refused, since I didn't know who the caller was.
  4. The caller opened a ticket on Plusnet's system about the call.
  5. An email arrived from Plusnet about the ticket.
  6. I checked that the links in the email really went to Plusnet's web site, then clicked on the link.
  7. The link went to the ticket about the call.
  8. The caller asked for my name, address and phone number which I gave.
  9. The caller asked for characters from my password.
  10. I hung up on the caller.
  11. I used the ticket that had just been opened to make a complaint about the call.
chenks76
All Star
Posts: 3,274
Thanks: 336
Fixes: 12
Registered: ‎24-10-2013

Re: Asking for passwords over the phone - really?

so we now have some honestly about what was actually asked from you.
you originally claimed they asked for your "password", which clearly didn't happen.

you have clarified that you received validation that you were actually speaking to plusnet, so where is the issue with them wanting "select" characters from your password so that they can confirm they are talking to YOU?

Tagger
Grafter
Posts: 28
Thanks: 17
Registered: ‎28-02-2017

Re: Asking for passwords over the phone - really?


@chenks76 wrote:

so we now have some honestly about what was actually asked from you.
you originally claimed they asked for your "password", which clearly didn't happen.

you have clarified that you received validation that you were actually speaking to plusnet, so where is the issue with them wanting "select" characters from your password so that they can confirm they are talking to YOU?


First issue - you just don't do that.  There are so many scammers around trying steal personal details.  The last thing any company should do is to train its customers that it is appropriate to give account information like that to someone who calls out of the blue.

 

Second - it tells me that Plusnet are not storing my password securely.  My main account password should be stored in such a way that it is impossible to retrieve my password from the system - only to verify the next time I log in that I have typed in the same password as I did when I opened the account.  That is the only way to keep my password secure from hackers or malicious insiders.  If it is possible to verify that two characters are from my password, then they cannot have done that.  If Plusnet want some kind of phone verification word, then that should be totally separate from the account password.  But they would have to deal with customers forgetting it, because they will if they don't phone regularly.

Terranova667
Pro
Posts: 1,514
Thanks: 125
Fixes: 5
Registered: ‎19-02-2014

Re: Asking for passwords over the phone - really?

First I don't see what your problem is here ok calls out of the blue and giving info out i can kind of understand but you then went and found it to actually be Plusnet you were dealing with but still had a problem because they wanted to verify it was YOU by requesting a couple of characters from your password which is standard practice for the majority of companies.

 

Secondly when it comes to password verification where I Work uses the same process as do many other companies, the staff DO NOT see the password nor can they retrieve or request it, two or three characters appear on the screen as it is with online shopping where the last 3 or 4 digits of a credit / debit card can be seen at checkout the rest is fully encrypted, the staff ask the customer to confirm the characters they see, they have no idea what the password is, it's length or anything else related to it its not their concern.

 

 

 

VileReynard
Hero
Posts: 12,616
Thanks: 579
Fixes: 20
Registered: ‎01-09-2007

Re: Asking for passwords over the phone - really?

But if Plusnet ask for a different pair of characters each time, they must store the password in both a plain text and an encrypted form.

When I make a connection with my router is my password sent in an encrypted form?

"In The Beginning Was The Word, And The Word Was Aardvark."

ejs
Aspiring Hero
Posts: 5,442
Thanks: 631
Fixes: 25
Registered: ‎10-06-2010

Re: Asking for passwords over the phone - really?

https://en.wikipedia.org/wiki/Challenge-Handshake_Authentication_Protocol

CHAP requires that both the client and server know the plaintext of the secret, although it is never sent over the network.

Charleh
Newbie
Posts: 1
Registered: ‎13-11-2017

Re: Asking for passwords over the phone - really?

Winds me up this - I'm not a Plusnet customer because of this reason.

 

 

I got asked for "select characters" of my password twice, each person asked for different parts of the password.

 

If that's the case, how long until someone is able to piece together my password? 

 

That's not really my main concern though - my main concern is that companies of this size are a target for attacks and data theft. Since Plusnet do not store the passwords in a hashed form, it makes it a million times easier for someone to steal the password data for the whole user-base. 

 

We aren't talking address/mail details here, we are talking passwords which people may not realise are not stored securely that people may have used elsewhere (yes it's not good practice to use the same password for multiple sites but people do it).

 

It's Plusnet's responsibility to adopt industry best practices. I've heard that the same password is used for your online account, CHAPS authentication, phone verification...

 

Plusnet, all you need to do is introduce a couple of separate passwords for these mechanisms or you are introducing a massive weakness into your systems and putting thousands of customer's privacy at risk.

 

 

Stop trying to defend Plusnet - it's an easily remedied issue.

 

 

Here's a short story - when I was a lot younger, messing about with PHP websites, I wrote one for my friends online gaming clan. At that time I didn't know much about password hashing or best-practice, and I stored passwords in plain-text at the back end.

 

Since a friend of mine used the same password on the site as his machine administrator password, I managed to remotely use his c$ share and log-in as the administrator on his machine. This gave me access to his whole file system. I left a few troll text files around here and there. 

 

Now some of this isn't as easy anymore, but I was a 14/15 year old kid who managed to compromise someone's personal machine on a whim, what if I'd been a malicious person intent on stealing data?

VileReynard
Hero
Posts: 12,616
Thanks: 579
Fixes: 20
Registered: ‎01-09-2007

Re: Asking for passwords over the phone - really?

You forgot that Plusnet now also issue router admin passwords and wifi passwords (which I guess few people change).

"In The Beginning Was The Word, And The Word Was Aardvark."

malky3200
Dabbler
Posts: 17
Thanks: 2
Registered: ‎04-05-2018

Re: Asking for passwords over the phone - really?

have a look at this post I just made regarding Plusnet passwords being stored as cleartext....

the have recently improved matters
admittedly not everyone will be 100% chuffed but it is an improvement, (IF YOU KNOW ABOUT IT AND TAKE ACTION)

dvorak
Moderator
Moderator
Posts: 29,716
Thanks: 6,593
Fixes: 1,485
Registered: ‎11-01-2008

Re: Asking for passwords over the phone - really?

Moderators Note.
Thread locked in favour of linked topic.
Customer / Moderator
If it helped click the thumb
If it fixed it click 'This fixed my problem'