cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

Customer passwords should NEVER be accessible to support technicians

pg90
Newbie
Posts: 8
Registered: ‎18-04-2015

Customer passwords should NEVER be accessible to support technicians

‎18-04-2015 3:39 PM

I was surprised when I was chatting with a support technician earlier today and they asked to confirm certain characters of my password when they were accessing my account. I cannot stress how shockingly insecure this is.
Firstly, not even considering your support technicians, passwords should always be stored using a one-way hash anyway, which means they are not stored in plain text and the encrypted form cannot be reversed back to their original form.
Secondly, if they are actually stored using two-way encryption (which is bad enough as it is), allowing your employees to access this information is a huge security risk. Not only does it take one rogue employee to ruin everything, it also creates a large number of entry points for a potential external hacker to gain access to everyone's passwords and everyone's accounts.
Where does Plusnet stand on this? I've read the same complaint from at least three years ago and still nothing has been done? Seems like it's only going to be a matter of time before your databases are breached and we have another high-profile breach (c.f. Yahoo, Moonpig, Twitch, amongst others).
Message 1 of 26
(3,708 Views)
Reply
0 Thanks
25 REPLIES 25
Gel
Aspiring Champion
Posts: 2,366
Thanks: 296
Fixes: 29
Registered: ‎02-08-2007

Re: Customer passwords should NEVER be accessible to support technicians

‎18-04-2015 4:17 PM

Surely you could make same point about many institutions you deal with; this is a very common method for many companies.
The assistant won't have access to the whole p/word.
Broadband Connection Troubleshooter

Contact/Chat : CHAT service often suspended though!
BT Wholesale Speed Test:
PN Network Status:
Land Line Connection_Troubleshooter:
Message 2 of 26
(2,011 Views)
Reply
0 Thanks
gswindale
Grafter
Posts: 942
Registered: ‎05-04-2007

Re: Customer passwords should NEVER be accessible to support technicians

‎18-04-2015 7:21 PM

So how exactly would you like your identity to be verified?
Many banks use a similar method when you contact them to verify that you are who you say you are.
Message 3 of 26
(2,011 Views)
Reply
0 Thanks
pg90
Newbie
Posts: 8
Registered: ‎18-04-2015

Re: Customer passwords should NEVER be accessible to support technicians

‎18-04-2015 7:25 PM

I've contacted tens and tens of companies in the past and absolutely none of them have ever asked for my password or part of it. Most places ask for home address, date of birth etc., or the answer to a "secret question" that you set up when you joined.
If you think employees from banks will ever have access to your online password or part of it, you are terribly mistaken.
adie:quote
Message 4 of 26
(2,011 Views)
Reply
0 Thanks
elkieluca
Grafter
Posts: 225
Thanks: 7
Registered: ‎21-08-2010

Re: Customer passwords should NEVER be accessible to support technicians

‎18-04-2015 8:12 PM

I've just switched to Natwest Bank and they definitely asked for 3 different letters and numbers of my password to log on their website.  I've always been asked that by companies.  Never had a problem so far. 
Message 5 of 26
(2,011 Views)
Reply
0 Thanks
pg90
Newbie
Posts: 8
Registered: ‎18-04-2015

Re: Customer passwords should NEVER be accessible to support technicians

‎18-04-2015 8:14 PM

Asked by who? I'm not talking about logging into the website, I'm talking about support technicians and other employees. No Natwest employee is going to ask for anything from your password.
The difference here is that Plusnet store passwords in (at best) two-way encryption and allow employees access to this information.
Edit: This is a quote from a Plusnet employee in 2007 (yes, 8 years ago) and it seems practices haven't changed since then:
Quote
Customers password are encrypted on our system, in order to pass the data protection checks we need to verify that you are in fact the account holder. So to do this we ask for 2 characters from the password, in order for the CSC agent to see your password they have to click a link which then leaves an audit trail so we can see who has accessed your password.

adie:quote
Message 6 of 26
(2,011 Views)
Reply
0 Thanks
elkieluca
Grafter
Posts: 225
Thanks: 7
Registered: ‎21-08-2010

Re: Customer passwords should NEVER be accessible to support technicians

‎18-04-2015 8:41 PM

Good point I'm thinking of websites.
Message 7 of 26
(2,011 Views)
Reply
0 Thanks
gswindale
Grafter
Posts: 942
Registered: ‎05-04-2007

Re: Customer passwords should NEVER be accessible to support technicians

‎18-04-2015 9:21 PM

They've certainly done it in the past when I've spoken to Lloyds when ringing up to advise I'm going abroad.
I'm reasonably certain other companies have done the same in the past.
Message 8 of 26
(2,011 Views)
Reply
0 Thanks
pwatson
Rising Star
Posts: 2,470
Thanks: 8
Fixes: 1
Registered: ‎26-11-2012

Re: Customer passwords should NEVER be accessible to support technicians

‎18-04-2015 10:34 PM

One Account ask for random letters from your password and passcode for online and phone security. 
Message 9 of 26
(2,011 Views)
Reply
0 Thanks
x47c
Grafter
Posts: 881
Thanks: 3
Registered: ‎14-08-2009

Re: Customer passwords should NEVER be accessible to support technicians

‎18-04-2015 10:39 PM

I rang a typical large building society recently:
as well as the usual personal/address confirmation info, they wanted
1. a certain 2 digits from my password
2 The full name/place/thing whatever of a particular memorable word.
Message 10 of 26
(2,011 Views)
Reply
0 Thanks
pg90
Newbie
Posts: 8
Registered: ‎18-04-2015

Re: Customer passwords should NEVER be accessible to support technicians

‎18-04-2015 10:45 PM

The difference (in the cases above) is that the people you're talking to on the phone do not have access to your full password. The people at Plusnet do. Are you really comfortable with that? Would you be comfortable if employees at said banks/building societies had access to your full password?
Message 11 of 26
(2,011 Views)
Reply
0 Thanks
pwatson
Rising Star
Posts: 2,470
Thanks: 8
Fixes: 1
Registered: ‎26-11-2012

Re: Customer passwords should NEVER be accessible to support technicians

‎18-04-2015 10:59 PM

You may well be right, or perhaps PN have changed the system since 2007 and the support agent is now only shown the letters that they ask you for?
Message 12 of 26
(2,011 Views)
Reply
0 Thanks
pg90
Newbie
Posts: 8
Registered: ‎18-04-2015

Re: Customer passwords should NEVER be accessible to support technicians

‎18-04-2015 11:00 PM

If Plusnet have changed their system to what you suggest then that would be better, but still not perfect. It would be nice if someone from Plusnet could confirm either way.
Message 13 of 26
(2,011 Views)
Reply
0 Thanks
pwatson
Rising Star
Posts: 2,470
Thanks: 8
Fixes: 1
Registered: ‎26-11-2012

Re: Customer passwords should NEVER be accessible to support technicians

‎18-04-2015 11:05 PM

Indeed, only PlusNet can say, so you may be leaping to erroneous conclusions Wink
Their system may be better still in that the support agent is told which letters to ask for and then told if the answer given was correct?  I don't see any difference here to what my bank does...
Message 14 of 26
(2,011 Views)
Reply
0 Thanks
pg90
Newbie
Posts: 8
Registered: ‎18-04-2015

Re: Customer passwords should NEVER be accessible to support technicians

‎18-04-2015 11:51 PM

I accept that I may be jumping to conclusions, however the assumptions are based on:
1. The support agents have in the past been able to see the full password and there's no evidence that this has changed
2. Instead of emailing a password reset email, Plusnet are one of the only remaining companies to actually display my password in plaintext when I use the 'forgotten password' link (and that's bad enough on its own!)
3. Banks have the technology and security to do this properly where Plusnet clearly doesn't (see point 2)
It's 2015 and using reversible encryption is just asking for trouble. It's a shame that Plusnet will only realise this when they get bitten in the bum by a hacker.
Message 15 of 26
(2,011 Views)
Reply
0 Thanks