Mobile Phone Provider Breaking The Law?
Comments
Is it easier to leave a company that you object to, or to try to get them to change their ways?
It depends on the many other reasons that one remains a customer, for example minimum contract period, price, coverage in particular locations (e.g. home, work etc). You have applied a very simplistic approach to this, ignoring the other factors. As I said, it is easier said than done.
You're ignoring an even simpler fact: what value personal security?
You're also ignoring the fact that we don't know what sort of deal the OP is on, so your very simplistic approach of "it's not easy to switch/leave" is just perpetuating a myth based on not having enough facts to justify your blanket statement.
...again, another great example of misguided misinformation, deliberate or not, on MSE.
1. Have you tried to Google the answer?
2. If you were in the other person's shoes, how would you react?
3. Do you want a quick answer or better understanding?
Whilst the act of asking for a customer's password is not necessarily illegal, wouldn't the fact that this probably means that passwords are not encrypted properly go against the Data Protection Act, which requires companies to keep personal information safe and secure?
Because most consumers have a reasonable expectation that authentication data will be kept confidential and not unnecessarily divulged to employees.
The DPA does not require data and passwords to be encrypted, only safe and secure. My scenario of a password in a book where only one can be seen at once is fine, just unworkable in real life, and remember authorised employees need access to at least some of the data to authenticate you. Be that a clear password, a part of a password or something else from your account.
Adobe lost 38 million encrypted passwords, and Cupid Media (Oz dating site) was in the media as they recently lost 42 million passwords. Adobe's data WAS encrypted, just not very securely, and could be recovered; Cupid's was apparently in plain text.
Encrypting and hashing passwords alone is not the answer. If someone can get to the data it can be stolen. Hashing makes it harder to get the password back, but the company always needs to do something to get the plain unencrypted password back to do the verification; if the encryption is so strong the password can't be verified, it's useless to use.
Hashing means you need to work harder to get a password back, but it's not impossible, and given the top passwords in the Adobe breach were things like password, 123456, 12345678 and adobe, then it would not be hard to try and brute force the hash and get access to a good proportion of accounts, and have something to work from to de-hash other passwords.
Let's also remember the systems that companies use may be years old, and not easily replaced. A mobile network has millions of customer accounts; they can't simply port everything to the latest and greatest at a whim. IT system moves take years of planning and execution, and even then the new system may be outdated by the time it gets in place. That's not meant to be an excuse, just reality.
... Hashing makes it harder to get the password back but the company always needs to so something to get the plain unencrypted password back to do the verification, if the encryption is so strong the password can't be verified its useless to use.
No, companies never need to get the plain unencrypted password back to validate your login attempt. Adding a unique salt to a user's password, then applying a one-way cryptographic hash to that and storing the resulting hash is all they need to do. Per my previous comment, a login attempt involves comparing the salted hash in the db with the salted hash generated from the entered password at login time, so no need to actually know what the plaintext password is.
Someone gains access to the db and gets all the usernames & passwords? Much more secure in this scenario as they don't get the user's actual password, they just get the hash which they then can't use to try logging in to the site (or other sites for the same user) as it won't work.
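The salted, one-way hashing described in the post above, as an added example that is not code from the thread: the server stores only a per-user random salt and a PBKDF2 hash, verifies a login by recomputing and comparing in constant time, and never needs (or can recover) the plaintext. The sample users and passwords are constructed, and the iteration count is illustrative.

```python
import hashlib
import hmac
import os
from typing import Optional

ITERATIONS = 100_000   # illustrative PBKDF2 work factor; tune to current guidance
SALT_BYTES = 16


def hash_password(password: str, salt: Optional[bytes] = None) -> tuple:
    """Return (salt, hash). A fresh random salt is generated for each new user."""
    if salt is None:
        salt = os.urandom(SALT_BYTES)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)
    return salt, digest


def verify_password(password: str, salt: bytes, stored_hash: bytes) -> bool:
    """Recompute the hash from the entered password and compare in constant time.
    The stored plaintext is never needed: only the hash of the attempt is compared."""
    _, candidate = hash_password(password, salt)
    return hmac.compare_digest(candidate, stored_hash)


def build_sample_db() -> dict:
    """Constructed user table: the server keeps salt + hash, nothing else."""
    db = {}
    for username, pw in [("alice", "correct horse battery staple"),
                         ("bob", "123456"), ("carol", "123456")]:
        salt, digest = hash_password(pw)
        db[username] = {"salt": salt, "hash": digest}
    return db


def login(db: dict, username: str, password: str) -> bool:
    rec = db.get(username)
    if rec is None:
        hash_password(password)   # same work for unknown users, so timing leaks nothing
        return False
    return verify_password(password, rec["salt"], rec["hash"])


def demo() -> dict:
    """Show the properties the post claims: a dumped hash is not a usable credential,
    and the same weak password yields different hashes because the salts differ."""
    db = build_sample_db()
    leaked = db["bob"]["hash"].hex()   # what a database dump would expose
    return {
        "good_login": login(db, "alice", "correct horse battery staple"),
        "bad_login": login(db, "alice", "wrong"),
        "unknown_user": login(db, "dave", "anything"),
        "hash_as_password": login(db, "bob", leaked),
        "same_pw_same_hash": db["bob"]["hash"] == db["carol"]["hash"],
    }
```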
Someone gains access to the db and gets all the usernames & passwords? Much more secure in this scenario as they don't get the user's actual password, they just get the hash which they then can't use to try logging in to the site (or other sites for the same user) as it won't work.
You're right, I corrected myself in the first line, but not later on. It's also a case of just because you can do it, it doesn't mean company ABC can do it on their systems without major changes.
The problem is hashing and salting is fine IF done correctly, and people use unique passwords. Sites and people don't; it tends to be a simple hash, or the site is subject to "pass the hash" type attacks.
Security is not just about the company holding your data, it's also you taking responsibility. If you look at the top 20 passwords from the Adobe release (http://mashable.com/2013/11/05/20-most-popular-passwords-adobe/), password reuse is usually so simplistic you don't need to break a hash, just get the data.
XKCD did a good cartoon - http://www.xkcd.com/792/ The easiest way to get passwords is to get the user to give them to you on a fake site (and this is how much phishing works), which you harvest and use elsewhere.
I wish companies who do store passwords in plain text would tell you what they are after you have satisfied other security checks...
The best account password is "errrmmm"
It's probably more important that mobile providers use good encryption, since any potential hacker doesn't have to guess the username as well as the password. Your username is very likely to be your mobile phone number. This means a hacker would only need to brute force your password, and that won't be difficult. In fact you could probably buy a database of mobile number allocations per provider, then just set your computer to try each one in a brute force attack. I reckon you could probably pull at least one valid account per day. The fact that this and other (mobile provider) forums are littered with posts about accounts being hijacked and upgrades ordered suggests this already happens.
I used to work at a large telecommunications company (not mobile) and we had access to all customers' passwords. That wasn't an issue; the information that we could access through a customer's online account was exactly the same as the information we could view as part of our job in billing. However, we were NEVER allowed to give out the password over the phone; it was a sackable offence, instant dismissal. We could change the password if the customer could clear security, but if they couldn't, the only way for the customer to access their account was if we sent a password reminder through the post.
I'll hazard a bet that the rep you spoke to should have followed a similar process but was too lazy/uninformed to do their job correctly.
Have I helped? Feel free to click the 'Thanks' button. I like to feel useful (and smug).