
[Kitguru] - Virgin Media stores phone authentication passwords in plaintext

post #1 of 6
Thread Starter 
Quote:
You’d think with Sony’s big security hiccup last year, where most PlayStation 3 owners had their details stolen by hackers, that companies would have learned their lesson. Virgin, despite having a founder who I heartily agree with on a few things, seems to be one of those companies, as according to an admission on its official Twitter account, phone authentication passwords are stored in plaintext.
This all came about because one Twitter user commented that a phone operator at Virgin had just read his password out to him. A Virgin representative quickly responded that not all passwords are stored in plaintext, just the one for phone authentication. It did admit, however, in a later Tweet that perhaps the operator should have asked for a couple of characters from the password and not given out the entire thing.



Source
post #2 of 6
How does the ability of a customer service rep to view phone authentication passwords in plain text lead to the conclusion that they are stored in plain text??

I've run an ecommerce business before, and I could get access to a vast amount of personal customer information through my admin account. That didn't mean that this information was stored in plaintext, just that the admin account had access to unlock this information and view it.

Customer service at nearly every online business also has access to your address and email. Does that mean it's stored in plain text? No.

Dumb article.
post #3 of 6
Quote:
Originally Posted by mechtech View Post

How does the ability of a customer service rep to view phone authentication passwords in plain text lead to the conclusion that they are stored in plain text??

I've run an ecommerce business before, and I could get access to a vast amount of personal customer information through my admin account. That didn't mean that this information was stored in plaintext, just that the admin account had access to unlock this information and view it.

Customer service at nearly every online business also has access to your address and email. Does that mean it's stored in plain text? No.

Dumb article.

The CSRs should not be able to see your password. I mean, what for?
post #4 of 6
Quote:
Originally Posted by ghostrider85 View Post

The CSRs should not be able to see your password. I mean, what for?

I agree, but that's an entirely different issue than the false statement of "Virgin Media stores phone authentication passwords in plaintext".

CSRs being able to see a password has no relation to how the passwords are stored.

And I hate to tell you, but more often than not CSRs have access to passwords and vast amounts of customer service related information (maybe not bottom level CSRs). It's an unfortunate fact that customers call in and demand help with systems that they entirely set up themselves, and no amount of explaining will calm them down.
Edited by mechtech - 7/29/13 at 11:59am
post #5 of 6
Quote:
Originally Posted by mechtech View Post

CSRs being able to see a password has no relation to how the passwords are stored.

It has absolutely everything to do with how it's stored. Either the password is stored in cleartext, in a poorly obfuscated manner that is easily reversible (no, storing it as binary does not count as security), or it is encrypted with a key that they hold. What we do know is that the passwords are definitely not stored using cryptographic hashes, which is the standard format in which to store them securely.

Certain information should be accessible to customer service staff. Email addresses and phone numbers are needed to contact customers. Staff should never have access to basic authentication information like passwords! If they have access to it then anyone who gains access to the network has access to it, whether this be via exploiting network vulnerabilities or calling up these same staff and asking for it...
Edited by randomizer - 7/29/13 at 6:06pm
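The distinction argued in post #5, as an added example that is not part of the original thread: a record encrypted with a key the operator holds can be read back by anyone with that key, while a salted hash only supports a yes/no check. The function names, the PBKDF2 work factor, the sample password and the toy keystream cipher (a stand-in for real encryption) are all assumptions made for illustration.

```python
import hashlib
import hmac
import os

ITERATIONS = 600_000  # assumed PBKDF2 work factor for this example

def _kdf(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)

def store_hashed(password: str) -> dict:
    """Keep only a random salt and the derived digest."""
    salt = os.urandom(16)
    return {"scheme": "hashed", "salt": salt, "digest": _kdf(password, salt)}

def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    # Toy stream cipher standing in for "encrypted with a key that they hold".
    out, counter = b"", 0
    while len(out) < length:
        out += hashlib.sha256(key + nonce + counter.to_bytes(4, "big")).digest()
        counter += 1
    return out[:length]

def store_reversible(password: str, key: bytes) -> dict:
    """Encrypt the password under a key the operator keeps."""
    nonce, data = os.urandom(16), password.encode()
    ct = bytes(a ^ b for a, b in zip(data, _keystream(key, nonce, len(data))))
    return {"scheme": "reversible", "nonce": nonce, "ct": ct}

def read_back(record: dict, key: bytes):
    """What anyone holding the record (and the key, if any) can display."""
    if record["scheme"] != "reversible":
        return None  # no key recovers a digest; it can only be checked against guesses
    ks = _keystream(key, record["nonce"], len(record["ct"]))
    pt = bytes(a ^ b for a, b in zip(record["ct"], ks))
    return pt.decode(errors="replace")

def verify(record: dict, attempt: str, key: bytes = b"") -> bool:
    """Yes/no check: the only answer a support console needs."""
    if record["scheme"] == "hashed":
        return hmac.compare_digest(_kdf(attempt, record["salt"]), record["digest"])
    return hmac.compare_digest(read_back(record, key).encode(), attempt.encode())

if __name__ == "__main__":
    key = os.urandom(32)            # constructed operator key
    pw = "tangerine-42"             # constructed sample password
    hashed, rev = store_hashed(pw), store_reversible(pw, key)
    print("hashed read-back:    ", read_back(hashed, key))
    print("reversible read-back:", read_back(rev, key))
    print("hashed verify:       ", verify(hashed, pw))
```
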
    
CPUMotherboardGraphicsRAM
i7 920 D0 MSI X58 Pro-E GTX 560 Ti 448 3x2GB G.Skill DDR3-1333 9-9-9-24 
Hard DriveHard DriveOptical DriveOS
840 Pro Caviar Black LG BD-ROM Windows 8.1 Pro x64 
MonitorMonitorKeyboardPower
Dell U2713HM Dell U2311H Turbo-Trak (Google it :D) Corsair HX-520 
CaseMouseMouse PadAudio
CM690 Mionix Avior 7000 Everglide Titan AKG K 242 HD 
  hide details  
Reply
    
CPUMotherboardGraphicsRAM
i7 920 D0 MSI X58 Pro-E GTX 560 Ti 448 3x2GB G.Skill DDR3-1333 9-9-9-24 
Hard DriveHard DriveOptical DriveOS
840 Pro Caviar Black LG BD-ROM Windows 8.1 Pro x64 
MonitorMonitorKeyboardPower
Dell U2713HM Dell U2311H Turbo-Trak (Google it :D) Corsair HX-520 
CaseMouseMouse PadAudio
CM690 Mionix Avior 7000 Everglide Titan AKG K 242 HD 
  hide details  
Reply
post #6 of 6
The same way you are admin, you need to create and give a sub-user "some" privilege to see and use some actions. For example, like the mods on this thread: not every mod can edit or lock this thread; here they do have permission where they are granted, not just hand over your admin access to the entire crew. LOL, that's 5ucks.