Mobile Phone Provider Breaking The Law?
Hi All,
This isn't really a money saving question but since a lot of people on here seem to be really knowledgeable on many things, I thought I'd ask.
I called my mobile provider last night because I needed to amend my Direct Debit details and I couldn't remember my username and password for logging in online to change it myself.
What shocked me was that the customer service rep on the phone gave me my username and password!!!
He knew my password.
My question is, is this illegal?
I work in web development and all our passwords for customers to log in to their websites are encrypted and even we can't see what they are. If customers lose their passwords, we can give them their username and a link to reset their password. But we cannot see their actual passwords.
I look forward to replies.
Please god, if you can't make me buff then make all my friends fat.
0
Comments
-
My question is, is this illegal?
I work in web development and all our passwords for customers to log in to their websites are encrypted and even we can't see what they are. If customers lose their passwords, we can give them their username and a link to reset their password. But we cannot see their actual passwords.
Bad practice yes, Illegal no.
Why should it be illegal? Data should be kept securely and that usually means encrypted, but a written big book of passwords chained to a desk that is in a locked room with limited access to it could be considered as safe (and potentially safer given the number of password losses that occur of late)
0
-
Why should it be illegal?
0
-
Vodafone. Right?
0
-
Whilst the act of asking for a customer's password is not necessarily illegal, wouldn't the fact that this probably means that passwords are not encrypted properly go against the Data Protection Act which requires companies to keep personal information safe and secure?
0
-
Thanks for the replies. I agree with NFH totally and this was my main concern.
@ZhugeEX, not Vodafone. It's EE.
Can we, as consumers, do much to encourage these companies to change the way they store and share such private data?
Please god, if you can't make me buff then make all my friends fat.
0
-
Not illegal but the fact they could do this proves that they are not using best practice for storing your data. Your password should be encrypted. Best practice would be to do something to your password (like add your username to it) then hash it (a one way process) then encrypt it. This means that your actual password is NEVER recoverable in plain form. This is why most websites don't tell you your password but they allow you to change it. It's not so much that they don't want to tell you but more that it's not technically possible to tell you what your password actually is.
0
-
Can we, as consumers, do much to encourage these companies to change the way they store and share such private data?
Yes, you leave that company and join one that has a better policy, it's really that simple.
1. Have you tried to Google the answer?
2. If you were in the other person's shoes, how would you react?
3. Do you want a quick answer or better understanding?
0
-
You know very well that this is a lot easier said than done.
Is it easier to leave a company who you object to, or to try to get them to change their ways?
You know very well which is easier said than done!
1. Have you tried to Google the answer?
2. If you were in the other person's shoes, how would you react?
3. Do you want a quick answer or better understanding?
0
-
As covered already, no it's not illegal but yes it is very bad form. Passwords should never be recoverable.
Ideally, every customer would have a unique, long, random "salt" value associated with their account - when you set up an account, the salt should be added to your password and then cryptographically hashed (one way). It's the unique salt value and the hash that should be stored with your account details - and from this, you can't reverse the process to get back to the original password. When you try logging in, it should apply your unique salt value to what password you enter, apply the same hash function and then it's the hashed value that you compare against your account to determine a match or not.
Unfortunately, there's what companies/developers *should* do, and what they do actually end up doing.
So, what can you do?
1) move to another provider (ok, easier said than done)
2) flag the issue up with them/request an explanation and hope they do something about it (a lot of companies get pulled up on this kind of thing on Twitter etc)
3) make sure you use a unique, secure password - this ideally should be what you try and do anyway - never duplicate passwords between different sites. Try a password manager like LastPass or KeePass - they will help generate you random/unique passwords. The best password is the one you can't remember!
0
This discussion has been closed.
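The salted-hash storage scheme described in the replies above, as an added example that is not part of the original thread or any provider's code. It uses PBKDF2-HMAC-SHA256 from Python's standard library (a deliberately slow hash, used here in place of a single hash pass); the record format, the `AccountStore` class and the iteration count are assumptions for illustration.

```python
import hashlib
import hmac
import secrets

ITERATIONS = 600_000  # assumed PBKDF2 work factor; tune for your hardware
SALT_BYTES = 16


def hash_password(password: str, iterations: int = ITERATIONS) -> str:
    """Build the record to store: algorithm, work factor, salt, hash. Never the password."""
    salt = secrets.token_bytes(SALT_BYTES)  # unique random salt per account
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return f"pbkdf2_sha256${iterations}${salt.hex()}${digest.hex()}"


def verify_password(candidate: str, stored: str) -> bool:
    """Re-derive the hash from the candidate and the stored salt, then compare."""
    try:
        algorithm, iterations, salt_hex, digest_hex = stored.split("$")
        if algorithm != "pbkdf2_sha256":
            return False
        salt = bytes.fromhex(salt_hex)
        expected = bytes.fromhex(digest_hex)
        actual = hashlib.pbkdf2_hmac("sha256", candidate.encode("utf-8"), salt, int(iterations))
    except ValueError:
        return False  # malformed record: fail closed
    return hmac.compare_digest(actual, expected)  # constant-time comparison


class AccountStore:
    """Constructed in-memory stand-in for a customer database."""

    def __init__(self):
        self._records = {}

    def register(self, username: str, password: str) -> None:
        self._records[username] = hash_password(password)

    def login(self, username: str, password: str) -> bool:
        stored = self._records.get(username)
        return stored is not None and verify_password(password, stored)

    def support_view(self, username: str):
        """Everything a support agent could read out: the salt and hash record only."""
        return self._records.get(username)
```

With this layout, two customers who pick the same password get different stored records, and a forgotten password can only be reset, not read back.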