[clug] OT: Passwords to verify identity

Travis Simon tsimon at gmail.com
Wed May 15 22:08:44 MDT 2013


Do you use that password to login to their service? Or is it just a
verification password?

Because if you use it to log in, I would say it's kind of a big deal
because your login becomes vulnerable to social engineering attacks,
employee mistakes and malicious employee activities. I believe those types
of attacks are much more common than serious hacking of vulnerabilities.

For example, the first thing I would do is try to figure out your birthday,
as that's most likely the first piece of information they are going to ask
for - so I might send you an email saying I'm doing a study of Linux use in
Canberra, and I need some demographic information to present to the
government for some open source initiatives. Could you please send me the
distribution you use, the number of installations you have, how long you've
been using Linux, your suburb (for demographic purposes) and your birthday.
I would then call up Pacific Internet (which I got from googling zipworld
ISP, but I could just keep trying until I found it), and explain that I,
Andrew Steele, lost my password, and could they reset it for me?

However, what is the damage done if your login is compromised? I could
screw around with your account, but that's probably not a big deal. The
main thing I would be worried about would be the ISP storing your credit
card in plain text. That said, your bank will hopefully have some
protections on illegal activity, and should insure you against fraudulent
activity. Do they have some sort of web portal for their service? I would
have a look through it from the eyes of an intruder and see if there is any
sensitive information.

In short - yes, it's an obvious attack vector, but it's probably not a huge
risk as the damage from a breach would likely be minimal(?).


On 16 May 2013 13:40, Andrew Steele <fozzy at zipworld.org> wrote:

> This is not strictly Linux related, but I thought this might be a good
> technical forum to initially raise the issue.
>
> I recently had to call up my ISP[1] about a problem with my service.  In
> the course of that conversation they wanted to verify my identity.
>
> So they asked "Can you tell me your password?"
>
> Turns out their passwords are all stored in plain text so they can use them
> to verify identity.  I've suggested this is a bit of a security weakness
> and I was told it wasn't.
>
> I've since had a similar situation where a mobile telco did a similar thing
> but in their case, they could only see the first characters of the
> password.
>
> I can accept an organisation's need to verify my identity, but do people
> think this is an appropriate way to implement it?
>
> Andrew
>
> [1] I've chosen not to name the ISP involved, suffice to say it's a local
> Canberra ISP.
> --
> linux mailing list
> linux at lists.samba.org
> https://lists.samba.org/mailman/listinfo/linux
>
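One way to verify a caller without the ISP holding a recoverable password, as an added example that is not from the thread: the help desk checks a separate support PIN stored only as a salted PBKDF2 hash, so the agent gets a yes/no answer and never sees the secret or any prefix of it (the record layout, iteration count and lockout threshold are assumptions).

```python
import hashlib
import hmac
import os

# Added example: phone identity verification without plaintext storage.
# The login password is never involved; a separate support PIN is stored
# only as salt + PBKDF2 hash, and the agent learns "match"/"no match".
# PBKDF2_ITERATIONS, MAX_ATTEMPTS and the dict layout are assumptions.
PBKDF2_ITERATIONS = 200_000
MAX_ATTEMPTS = 3


def _derive(secret: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", secret.encode("utf-8"), salt,
                               PBKDF2_ITERATIONS)


def enrol_support_pin(account: dict, pin: str) -> None:
    """Keep only a fresh salt and the derived hash; the PIN is discarded."""
    salt = os.urandom(16)
    account["support_salt"] = salt
    account["support_hash"] = _derive(pin, salt)
    account["support_failures"] = 0


def verify_caller(account: dict, claimed_pin: str) -> bool:
    """Called by the help-desk console with what the caller reads out.

    Returns only True/False. The account locks after MAX_ATTEMPTS
    consecutive failures so guessing over the phone does not scale.
    """
    if account.get("support_failures", 0) >= MAX_ATTEMPTS:
        return False
    actual = _derive(claimed_pin, account["support_salt"])
    # Constant-time comparison of the two digests.
    if hmac.compare_digest(account["support_hash"], actual):
        account["support_failures"] = 0
        return True
    account["support_failures"] += 1
    return False


def is_locked(account: dict) -> bool:
    """The only state the console needs to show an agent."""
    return account.get("support_failures", 0) >= MAX_ATTEMPTS
```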

