You have to bare in mind that the people managing that social media account is probably only a few grades higher than your average call centre puppet who follows a script. While some of VM's responses could have been phrased better (within the confines of Twitters max character count), these people are generally there to answer end user rage about their router crashing and such like rather than this. Sadly information security is quite significantly more advanced - so much so that even IT professionals frequently get it wrong.
What should really be happening here is the discussion being escalated to their systems / security team and an official open letter published.
This is an international thing - I'm with Virgin Mobile in Australia and the "Forgot Password" button sends me my password in plain text (which is, even better, only allowed to be numbers, and only 6 of them! Guessing 10^6 numbers doesn't take long)
I think the pitchforks may have been lit a bit early here. The password all support staff can see is for phone verification, and is completely separate from the online log in password [0]
However, Virgin don't seem to have clarified if and how the online log in password is hashed.
"Only Virgin Media staff are able to view your password in an camera free enviroment. How would you take care of peoples sensitive banking details? MCr"
The password is the one you tell them on initial setup of the account, they'll ask you for a memorable word to verify that it's the account holder they're talking to.
This isn't anything to do with account logins etc. No different than companies asking you to verify your DOB and address to prove who you are.
Memorable word! That's the term I was trying to think of, thank you! If they called it that in the tweets this whole thing probably could have been avoided.
Yeah, for the people confused, "authentication codeword" might be a better way to think of it. This is not the traditional password, this is akin to the phone support version of your mother's maiden name.
If I were to call up Virgin and say, "Hey, this is MattBearman, I want to add a phone to my account and an international calling plan," they need a way to verify that I am MattBearman. Instead of asking for personal information, they ask for an "account password" which is not your online password and is only used for the purpose of identifying the caller.
It has to be plaintext or encrypted; they're not going to give you a hashing algorithm to work out over the phone.
Well, in theory they could just tell the phone rep the unencrypted password and the phone rep could enter it into the system and the system could tell them if the hash matches. That's pretty much how it happens with most websites these days anyway. But I can see there's a big benefit in the rep being able to accept passwords which are obviously (to a human) the same, but would hash differently.
In the US, it's still extremely common for carriers to have a phone PIN number just for the purpose of making changes through a phone call. If the user fails to remember that, they are asked more questions about private personal information to verify the account. Horrible practice, but very standard in the US.
Is this actually a password or something closer to a PIN? I don't know that there's anything wrong with not cryptographically mangling a PIN since there are so few combinations in the first place. I think the SOP in most cases (my bank, for one) is to use multiple forms of ID verification (last 4 of social, birthday, and PIN, e.g.).
Whoever runs their twitter also later claims that this account password is different than their online password, which seems to support that it's more of a PIN than global password. I'm not a Virgin employee or customer though, so I'm not sure if this is the case or not.
Whenever I need to call Virgin to try and get some info, I need to:
- Type in my account number
- Wait for an agent
- Get an agent. Give my name and account number
- Explain my problem
- Get transferred to another agent
- Wait
- Get an agent, give my account number
- Give the third letter of my password (which got me confused, as I thought they were asking for my account password)
- Explain my problem
- Get transferred to another agent
- Wait
- Get an agent, give my account number
In the end, I talked to three persons, in the same company, and gave 4 times my account number, and one time my "password".
Can confirm, does not save time at all!
Note: this is for Virgin Media UK. Did not experience that with Virgin Media in Canada.
"Administrators and/or customer service reps need to be able to see passwords for XYZ purposes" is a relative common requirement even nowadays, especially if those requirements were drawn up by non-technical people.
One part of me wishes that the governments of the world would just outlaw this kind of idiocy. On the other hand, I'm not sure if I'd like that much regulation. I certainly wouldn't want to be a developer in a world where I can get sued for using a non-NIST-approved algorithm or something.
Fortunately, "PCI-DSS" seems to be the magic word that can developers can use to beat sense into people's heads most of the time.
So, it seems this only applies to the phone verification password and not the online account password. Can someone explain to me what the better alternatives are for phone verification? Is punching in a PIN considerably better? Banks ask for last 4 of social, which I don't think is something I would give anyone besides a bank.
Virgin's hardly the only one doing this. ADT reps ask for a password when verifying an alarm. At least its better than just asking for your name and address.
The advantage of punching in four digits is that your phone rep doesn't get to see/hear them. You've identified yourself to the system, not the individual.
DTMF isn't transmitted in secret. Of course they could eavesdrop on what you entered through a keypad. Keying it into a machine listening to an unsecured phone line is the equivalent of sending it in plaintext and just as vulnerable as telling it to an agent on the other end of the call.
I have a Virgin Media account authorisation password to identify myself as an account manager over the phone. Has nothing to do with any online login system.
Seems like we've moved from calling out companies for long standing bad practises to some kind of tribal behaviour where people are almost looking for a reason to call a company out for "bad security."
Let me be clear: Phone passwords are superior to phone pins, phone secret question/answers are superior to both, and the agent needs to be able to verify the secret question/answer set, and also the password. You CAN design it so the agent cannot see the whole password, but that means the agent cannot use common sense to account for differences in spelling, or interpretation e.g. "to" as 2, to, two, and too (plus "the third digit of your password" is hard for humans, we aren't designed that way).
People saying things like: "an agent cannot be trusted!" Are missing the point, that the entire system is built on agent trust. When you call you're purposely giving this agent access to your account, making the password useless, there's no proof they logged off when you hang up, there's also no proof that they aren't writing down your responses and will then relay it to another agent later.
A lot of people who whine about plain text in particular don't really seem to understand what it is that hashing even does. They seem to think things like: "if you get hacked, someone cannot steal passwords" (nope) or "then someone cannot sniff your password over free wifi" (nope). All hashing does is add time between the hack, and when the hacker can start using the stolen credentials, that's it. It is there to give the company time to detect the leak and to notify/reset, if the company fails to detect then it has done absolutely nothing of worth.
To be honest I find "HTTP offenders" (e.g. HTTP web-sites that redirect to HTTPS login forms, essentially breaking HTTPS's MitM protections) far worse than "plain text offenders." But none of this has anything to do with calling out security issues at this point. A bunch of people who don't seem to understand the technicals here feel like they're doing "good" by calling out companies for things that don't even make sense.
Incidentally, I just found out yesterday that Straight Talk (AT&T MVNO) keeps their online passwords in plaintext. Restoring your password actually sends you the password by email.
- They're doing things correctly
- They ask for a code over the phone to verify your account
- Their Twitter guy refers to this as a "password"
- Nobody reads anything on the internet, therefore everybody is concerned and fighty.
There's no indication of how passwords are actually stored. This is all about the passphrase you tell the guy on the phone so that he can verify your account. It seems reasonable that that guy would need to be able to see that word on a screen so that he can compare it to what you say.
Still, it's good that people are still really angry about this, 23 hours after their support guy explained what's going on.
If the operator is only one that checks credential, it is still huge security risk IMHO. He/she can reuse this information to imitates one of the customers he got the credentials.
Here, the operator forwards you to a machine and you input your phone password, so the operator does not know your whole credentials.
31 comments
[ 3.1 ms ] story [ 29.9 ms ] threadWhat should really be happening here is the discussion being escalated to their systems / security team and an official open letter published.
This is known since at least 2013: http://www.kitguru.net/gaming/security-software/jon-martinda...
Edit: Others are saying this is for the "phone verification password", but my password is to log into the online account to pay my phone bill.
And that one's from 2011!!
However, Virgin don't seem to have clarified if and how the online log in password is hashed.
[0] -https://virginmedia.response.lithium.com/portal/conversation...
"Only Virgin Media staff are able to view your password in an camera free enviroment. How would you take care of peoples sensitive banking details? MCr"
https://virginmedia.response.lithium.com/portal/conversation...
This isn't anything to do with account logins etc. No different than companies asking you to verify your DOB and address to prove who you are.
If I were to call up Virgin and say, "Hey, this is MattBearman, I want to add a phone to my account and an international calling plan," they need a way to verify that I am MattBearman. Instead of asking for personal information, they ask for an "account password" which is not your online password and is only used for the purpose of identifying the caller.
It has to be plaintext or encrypted; they're not going to give you a hashing algorithm to work out over the phone.
http://plaintextoffenders.com/post/4983474119/virginmobile-c...
I'm with virgin mobile australia and I get the same mail when I click on "Forgotten Password" when I try to log into my online account to pay my bill.
Whoever runs their twitter also later claims that this account password is different than their online password, which seems to support that it's more of a PIN than global password. I'm not a Virgin employee or customer though, so I'm not sure if this is the case or not.
Can confirm, does not save time at all!
Note: this is for Virgin Media UK. Did not experience that with Virgin Media in Canada.
One part of me wishes that the governments of the world would just outlaw this kind of idiocy. On the other hand, I'm not sure if I'd like that much regulation. I certainly wouldn't want to be a developer in a world where I can get sued for using a non-NIST-approved algorithm or something.
Fortunately, "PCI-DSS" seems to be the magic word that can developers can use to beat sense into people's heads most of the time.
Virgin's hardly the only one doing this. ADT reps ask for a password when verifying an alarm. At least its better than just asking for your name and address.
Let me be clear: Phone passwords are superior to phone pins, phone secret question/answers are superior to both, and the agent needs to be able to verify the secret question/answer set, and also the password. You CAN design it so the agent cannot see the whole password, but that means the agent cannot use common sense to account for differences in spelling, or interpretation e.g. "to" as 2, to, two, and too (plus "the third digit of your password" is hard for humans, we aren't designed that way).
People saying things like: "an agent cannot be trusted!" Are missing the point, that the entire system is built on agent trust. When you call you're purposely giving this agent access to your account, making the password useless, there's no proof they logged off when you hang up, there's also no proof that they aren't writing down your responses and will then relay it to another agent later.
A lot of people who whine about plain text in particular don't really seem to understand what it is that hashing even does. They seem to think things like: "if you get hacked, someone cannot steal passwords" (nope) or "then someone cannot sniff your password over free wifi" (nope). All hashing does is add time between the hack, and when the hacker can start using the stolen credentials, that's it. It is there to give the company time to detect the leak and to notify/reset, if the company fails to detect then it has done absolutely nothing of worth.
To be honest I find "HTTP offenders" (e.g. HTTP web-sites that redirect to HTTPS login forms, essentially breaking HTTPS's MitM protections) far worse than "plain text offenders." But none of this has anything to do with calling out security issues at this point. A bunch of people who don't seem to understand the technicals here feel like they're doing "good" by calling out companies for things that don't even make sense.
I'm glad I never reuse a password.
Still, it's good that people are still really angry about this, 23 hours after their support guy explained what's going on.
Here, the operator forwards you to a machine and you input your phone password, so the operator does not know your whole credentials.