TalkTalk security flaws or am I being fussy?

power2consumers
power2consumers Posts: 36 Forumite
edited 13 February 2011 at 9:28PM in Broadband & internet access
I wanted to change my email password, could not do so cos was not registered to my account, so called customer service to ask them what was wrong. She asked for my name, address and DOB, hardly the most confidential of information, then proceeded to ask me what address I told her and she said so that's the one with the password sax?x? and told me my whole password. Now it might be just me and maybe I am overreacting but
1) Look how easy it was for her to hand out my password, the only information I gave was my name, address and DOB, and that was enough for her to tell me my entire password. Those 3 things are hardly the most classified of information about someone, I mean family, friends, neighbours, anyone who steals ur mail etc can have that information.
2) Should employees actually be able to see your email passwords, I mean think about how we might get frustrated with talktalk and might get a bit blunt or rude to customer service staff and at the end of the day it's a fact employees do things to get back at customers e.g. spit in the Burger of a rude customer, or some employees are just natural !!!!!!!s, aka maldives wedding fiasco.
When I tried to explain she tried to say "but we did our checks" and she could not comprehend that those 3 things were not checks and information anyone could have and people for 100s of reasons could want it, i.e. suspicious GF could want to access emails or other things,
Does my point make sense, or is it an overreaction?

Comments

  • kwikbreaks
    kwikbreaks Posts: 9,187 Forumite
    I don't think you are being fussy.

    For them to be able to quote your password it must be stored somewhere in plain text and that should never be done. They should be storing an md5 of your password, creating an md5 of what you type in and comparing those. The only disadvantage is that if you forget your password all that can be done is to reset it, notify you what the new password is and require you to change it within a short timescale. Email is not encrypted so sending your new password in plain text isn't secure which is why it should be time limited and you required to change it.

    None of that is radical it's the bare minimum that should be done - it could even be a data protection act requirement but probably isn't.
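Added example, not part of the post above or of any TalkTalk system: a sketch of the store-a-hash, compare-on-login and time-limited-reset scheme the post describes. It uses salted PBKDF2-HMAC-SHA256 from Python's `hashlib` in place of the MD5 named in the post; the function names, record layout, iteration count and 24-hour reset window are assumptions.

```python
import hashlib
import hmac
import secrets
import time

ITERATIONS = 600_000        # assumed work factor; tune for your hardware
RESET_TTL = 24 * 3600       # assumed lifetime of a temporary password, in seconds


def _derive(password, salt):
    # One-way derivation: the stored value cannot be read back to a caller.
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)


def new_record(password, temporary=False, now=None):
    """Build the only thing the account database keeps: salt + derived hash."""
    now = time.time() if now is None else now
    salt = secrets.token_bytes(16)          # per-user salt: equal passwords, different hashes
    return {
        "salt": salt,
        "hash": _derive(password, salt),
        "must_change": temporary,
        "expires": now + RESET_TTL if temporary else None,
    }


def verify(record, attempt, now=None):
    """Hash what was typed and compare; returns ok / denied / expired / change_required."""
    now = time.time() if now is None else now
    candidate = _derive(attempt, record["salt"])
    if not hmac.compare_digest(record["hash"], candidate):   # constant-time compare
        return "denied"
    if record["expires"] is not None and now > record["expires"]:
        return "expired"
    return "change_required" if record["must_change"] else "ok"


def support_reset(now=None):
    """All a support agent can do: issue a random temporary password, never look one up."""
    temp = secrets.token_urlsafe(12)
    return temp, new_record(temp, temporary=True, now=now)
```

With this layout a support screen has nothing to read out: the record holds no recoverable password, and a reset yields a credential that stops working after the window and forces a change on first login.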
  • jayme1
    jayme1 Posts: 2,154 Forumite
    I would ditch the ISP email and just use something like hotmail or gmail, they would be much more secure and if you ever left talktalk you wouldn't lose your email address.
  • TalkTalk
    TalkTalk Posts: 1,948 Organisation Representative
    Hi power2consumers,

    I appreciate where you're coming from however these "Security checks" do adhere to DPA regulations and although I appreciate you don't feel they are sufficient it is an approved process.

    With regards to the email account, almost all accounts have now been migrated into our new myaccount portal which means that we "staff" don't actually have any visibility of your email account password.

    We do have some email accounts that are yet to migrate which I suspect yours is one of them however once fully migrated it is the customer and only the customer who will see the password.

    Also the advice from jayme1 should be considered, using something like yahoo or gmail may be for the best, regardless of what ISP you have you can always keep them unlike your talktalk email which will be deleted when/if you leave talktalk.


    Regards
    Stephen
    Official Company Representative
    I am the official company representative of Talk Talk. MSE has given permission for me to post in response to queries about the company, so that I can help solve issues. You can see my name on the companies with permission to post list. I am not allowed to tout for business at all. If you believe I am please report it to forumteam@moneysavingexpert.com This does NOT imply any form of approval of my company or its products by MSE"
  • stubbyd
    stubbyd Posts: 64 Forumite
    Does my point make sense, or is it an overreaction?

    Your point makes perfect sense and isn't an over-reaction.

    This practice was commonplace amongst ISPs a few years back and I guess they all utilised similar backend systems for managing accounts .... but as noted by the TalkTalk rep above they along with most others have migrated from older systems that did this.

    IMO, they should have done this years ago but still ...

    The other grievance I have regards passwords is websites that want you to be secure but then don't allow punctuation as part of the password - or restrict the length to 8 characters ... grrr!
This discussion has been closed.