Plusnet password visible to call centre staff

Anonymous · ‎10-09-2013

@'Tulner' - So if I understand you correctly, what you are saying is -

VileReynard · ‎01-09-2007

Everyone who speaks to Plusnet does not have connectivity problems.
Why not just ask for their ~~account number~~ user name?
You could obtain their IP address from this, if you need to carry out a connection test.

"In The Beginning Was The Word, And The Word Was Aardvark."

jelv · ‎10-04-2007

You obviously don't understand what a connection test is!
It is where, on a test telephone line, Plusnet connect using the users credentials in the router. To do this they need the users ADSL login name and password. They'd do a test link this when the user is reporting their traffic isn't being shaped correctly (e.g. they'd gone over their allowance and paid for the extra but were still having their speeds restricted).

jelv (a.k.a Spoon Whittler)
Why I have left Plusnet (warning: long post!)
Broadband: Andrews & Arnold Home::1 (FTTC 80/20)
Line rental: Pulse 8 Home Line Rental (£14.40/month)
Mobile: iD mobile (£4/month)

VileReynard · ‎01-09-2007

Quote from: jelv
You obviously don't understand what a connection test is!

And if a connection test is not needed?

"In The Beginning Was The Word, And The Word Was Aardvark."

Luzern · ‎31-07-2007

Though I can see that the OP believes he is justified in his opinion, I also believe that fears like his are unjustified. The near paranoia about security breaches has built up through the sensationalism of our national press.
Think about how much is known of a person like a doctor, revenue official etc. All such are under a duty of confidentiality and so would be the Plusnet staff.
Not to accept that one needs some trust in persons under such duty, leaves the ultra untrusting person in a sad position. We have to take some risks.
As to the OP's particular point. he/she could just change the password after the conversation,

No one has to agree with my opinion, but in the time I have left a miracle would be nice.

Chris · ‎05-04-2007

Quote from: avatastic
Every access to your password is logged by the system, so there is always a record of when a CSC Agent has had to look at it.
Additionally the passwords are probably stored encrypted but in a way that can be decrypted (rather than being stored as a one-way hash).
I believe it has also been said in the past the the systems used to store the passwords/retreive them are only accessible from an internal VPN and aren't directly connected to the internet.
This pops up from time to time, so I hope I've remembered everything!
Cheers,
A.

Pretty much nail on head there.
I understand peoples concerns with this, but we do monitor who is looking at passwords (the CSC actually should only ask for 2 random characters that are decrypted and displayed to them).

Former Plusnet Staff member. Posts after 31st Jan 2020 are not on behalf of Plusnet.

Mayfly · ‎04-06-2009

That's what I was told when I spoke to customers services some time ago - I was asked for 2 characters and I asked if he could see my password, he said no only the 2 characters he asked for.

RobPN · ‎17-05-2013

I might be wide of the mark here, but someone earlier in the thread asked what a malicious member of staff could do it they knew the complete password. Well I can think of several things, some of which could actually cause the account holder to be accused of acts which they hadn't done, and maybe even be convicted and sentenced for such acts.
One possibility I'm particularly thinking of above is what if a staff member logged on as the unfortunate account holder from another plusdsl realm account (which as you know is quite possible)? Surely the IP address for that connection (static or dynamic) would be logged against the account in question, and any dodgy online activity would then be traceable back to the account holder. I'll leave it to your imagination as to what activities could be carried out.

Wulfy · ‎01-08-2013

Rob in that instance mac address's shouldn't match

bobpullen · ‎04-04-2007

Quote from: RobPN
One possibility I'm particularly thinking of above is what if a staff member logged on as the unfortunate account holder from another plusdsl realm account (which as you know is quite possible)? Surely the IP address for that connection (static or dynamic) would be logged against the account in question, and any dodgy online activity would then be traceable back to the account holder.

Yes, however the RADIUS session would be associated with the perpetrator's circuit ID and not that of the actual account holder. In short, we'd know which line the account was being used from.

Bob Pullen
Plusnet Product Team
If I've been helpful then please give thanks ⤵

RobPN · ‎17-05-2013

Quote from: Wulfy
Rob in that instance mac address's shouldn't match

I believe MAC Addresses can be spoofed easily enough.

Quote from: Bob
Quote from: RobPN
Surely the IP address for that connection (static or dynamic) would be logged against the account in question, and any dodgy online activity would then be traceable back to the account holder.

Yes, however the RADIUS session would be associated with the perpetrator's circuit ID and not that of the actual account holder. In short, we'd know which line the account was being used from.

OK, fair enough Bob. As I said above, I thought I was probably wide of the mark.

Wulfy · ‎01-08-2013

The way i look at it is this (and as a customer)
Your always recommended to use a different password for everything... why should your isp be any different? Use a random password for each account and all is well in the world job jobbed.
I knew my password was visible to the staff and quiet frankly working in a call centre the last thing i would be worried about would be taking a customers password..... Your closing cases to quickly to actually take these details down and ask yourself... what could they use it for if they did? effort v reward comes into play and to spoof a mac address is fine, to spoof it to the correct one would be the cleaver trick

VileReynard · ‎01-09-2007

Of course, it is absolutely impossible for these plain text passwords to be harvested by someone with external "evil" intentions.
They are not even stored as a secure one-way hash.
Sooner or later...

"In The Beginning Was The Word, And The Word Was Aardvark."

RobPN · ‎17-05-2013

Quote from: vilefoxdemonofdoom
They are not even stored as a secure one-way hash.
Sooner or later...

..... which brings back memories of the PlusNet email-hack fiasco of a few years ago .....

Anonymous · ‎11-09-2013

This one - http://community.plus.net/blog/2007/05/23/webmail-incident-report-2/