[clug] OT: Passwords to verify identity

Andrew Steele fozzy at zipworld.org
Wed May 15 22:31:02 MDT 2013


I'll just clear up a few points and let substantive discussion continue:

1. The ISP uses the same password to access both their online account
management tools and the one my router uses.

2. It's not Pacific Internet (pacnet) - I don't want to be responsible for
giving them a bad name.

There is a connection (and lesson) for anyone who's interested.

I was with "zipworld.com.au" - who were bought out by Pacnet many years
ago.  A number of years ago I decided to set up email on my own domain so I
wasn't tied to an ISP.  That led to the question "What domain do I
choose?".  In my searching I found "zipworld.org" was free.  I thought I'll
get that - stupidly thinking having something similar would make things
easier.

It didn't.

Confusion such as Travis' has abounded ever since - exacerbated because for
many years I used both.

A good lesson to learn, but one I'll never need again now that I've
switched.

I'm not planning on changing again!

Andrew

On Thu, May 16, 2013 at 2:08 PM, Travis Simon <tsimon at gmail.com> wrote:

> Do you use that password to login to their service? Or is it just a
> verification password?
>
> Because if you use it to log in, I would say it's kind of a big deal
> because your login becomes vulnerable to social engineering attacks,
> employee mistakes and malicious employee activities. I believe those types
> of attacks are much more common than serious hacking of vulnerabilities.
>
> For example, the first thing I would do is try to figure out your
> birthday, as that's most likely the first piece of information they are
> going to ask for - so I might send you an email saying I'm doing a study of
> Linux use in Canberra, and I need some demographic information to present
> to the government for some open source initiatives. Could you please send
> me the distribution you use, the number of installations you have, how long
> you've been using Linux, your suburb (for demographic purposes) and your
> birthday. I would then call up Pacific Internet (which I got from googling
> zipworld ISP, but I could just keep trying until I found it), and explain
> that I, Andrew Steele, lost my password, and could they reset it for me?
>
> However, what is the damage done if your login is compromised? I could
> screw around with your account, but that's probably not a big deal. The
> main thing I would be worried about would be the ISP storing your credit
> card in plain text. That said, your bank will hopefully have some
> protections on illegal activity, and should insure you against fraudulent
> activity. Do they have some sort of web portal for their service? I would
> have a look through it from the eyes of an intruder and see if there is any
> sensitive information.
>
> In short - yes, it's an obvious attack vector, but it's probably not a
> huge risk as the damage from a breach would likely be minimal(?).
>
>
> On 16 May 2013 13:40, Andrew Steele <fozzy at zipworld.org> wrote:
>
>> This is not strictly Linux related, but I thought this might be a good
>> technical forum to initially raise the issue.
>>
>> I recently had to call up my ISP[1] about a problem with my service.  In
>> the course of that conversation they wanted to verify my identity.
>>
>> So they asked "Can you tell me your password?"
>>
>> Turns out their passwords are all stored in plain text so they can use
>> them to verify identity.  I've suggested this is a bit of a security
>> weakness and I was told it wasn't.
>>
>> I've since had a similar situation where a mobile telco did a similar
>> thing but in their case, they could only see the first characters of the
>> password.
>>
>> I can accept an organisation's need to verify my identity, but do people
>> think this is an appropriate way to implement it?
>>
>> Andrew
>>
>> [1] I've chosen not to name the ISP involved, suffice to say it's a local
>> Canberra ISP.
>> --
>> linux mailing list
>> linux at lists.samba.org
>> https://lists.samba.org/mailman/listinfo/linux
>>
>
>
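An added example, not code from the thread or from any ISP, of how a helpdesk could verify a caller without any agent ever being able to read the stored secret: only a salted PBKDF2 digest is kept, the agent's tool answers match/no-match, and repeated failures lock the check. The use of a dedicated phone-verification secret (separate from the login password), the three-attempt lockout and the record layout are assumptions made for illustration.

```python
import hashlib
import hmac
import os
from dataclasses import dataclass

# Assumed work factor for the key derivation; tune to your hardware.
ITERATIONS = 200_000


@dataclass
class CustomerRecord:
    """Constructed record layout: what the support database would hold.
    There is no plaintext field, so neither an agent nor someone who
    copies the table can recover the customer's secret from it."""
    salt: bytes
    digest: bytes
    failed_attempts: int = 0


def _derive(secret: str, salt: bytes) -> bytes:
    # Salted, slow hash so equal secrets do not share a digest and
    # offline guessing against a leaked table is expensive.
    return hashlib.pbkdf2_hmac("sha256", secret.encode("utf-8"), salt, ITERATIONS)


def enrol(secret: str) -> CustomerRecord:
    """Called when the customer sets a phone-verification secret
    (assumed to be distinct from the account login password)."""
    salt = os.urandom(16)
    return CustomerRecord(salt=salt, digest=_derive(secret, salt))


def helpdesk_verify(record: CustomerRecord, spoken: str, max_attempts: int = 3) -> bool:
    """The only operation the agent's screen exposes: the agent types what
    the caller says and gets back True/False, never the stored value."""
    if record.failed_attempts >= max_attempts:
        return False  # locked: further guesses over the phone are refused
    ok = hmac.compare_digest(record.digest, _derive(spoken, record.salt))
    if ok:
        record.failed_attempts = 0
    else:
        record.failed_attempts += 1
    return ok


def stored_fields(record: CustomerRecord) -> dict:
    """Everything an agent (or a database dump) could see for this customer."""
    return {"salt": record.salt.hex(), "digest": record.digest.hex(),
            "failed_attempts": record.failed_attempts}
```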