Geekzone: technology news, blogs, forums
Guest
Welcome Guest.
You haven't logged in yet. If you don't have an account you can register now.



1568 posts

Uber Geek
+1 received by user: 217


Topic # 114601 25-Feb-2013 12:34 Send private message

My credit card was damaged and received a new one. Phoned all my utilities etc to update my CC number on direct debits.

But not Sky , they want me to 'mail' the new CC number.  I ask why, and the CSR said it was a security risk to update credit card numbers via phone. 

She then asked for my new credit card number to pay for the missed payment during the card number change. 

I wonder why sky have this policy of needing to send it in by mail.  

View this topic in a long page with up to 500 replies per page Create new topic
 1 | 2
296 posts

Ultimate Geek
+1 received by user: 15


  Reply # 768851 25-Feb-2013 12:44 Send private message

What? I don't understand.

First the CSR told you it was a security risk to update the CC information. Then she TOOK the CC number to make a payment? What'd the difference she got the CC details over the phone either way?

In saying that I suppose most company's like to have a paper trail.









1568 posts

Uber Geek
+1 received by user: 217


  Reply # 768861 25-Feb-2013 12:50 Send private message

Yep, thats exactly what happened.  She said it was a security risk to update my direct debit CC details, but , she could take me CC over the phone to make the missed payment. 

Sky were the only utility who would refuse to update via phone. 

2065 posts

Uber Geek
+1 received by user: 118

Trusted

  Reply # 768866 25-Feb-2013 12:54 Send private message

surfisup1000: Yep, thats exactly what happened.  She said it was a security risk to update my direct debit CC details, but , she could take me CC over the phone to make the missed payment. 

Sky were the only utility who would refuse to update via phone. 


Possibly the system that handles the card payment is different from the direct debit one, ie more secure.....but neither prevents the CSR from keeping the card details and using them.  Therefore negating a secure payment system entirely....




Previously known as psycik

NextPVR Based HTPC:

Gigabyte AMD A8 Brix --> Samsung LA46A650D via HDMI, SiliconDust HDHomeRun Dual DVB-T Tuner, NextPVR, Plex Plugin 
Clients:
Popcorn Hour A-100, 1xATV2, 1xATV3, Roku3
Windows 7 Ultimate Host (Plex Server)
3x2TB, 1x3TB, 1x4TB + 1x1.5TB using DriveBender, VMWare Workstation 10 with 1xW7, 2xW2k3 1xUbuntu 11.10 Desktop, 1xWHS2011, Plex, Crashplan, NextPVR channel for Plex

UnblockUS - Unblock your freedom

1476 posts

Uber Geek
+1 received by user: 111

Subscriber

  Reply # 768867 25-Feb-2013 12:54 Send private message

Yes, I've found this to be the case too with Sky.  My CC was compromised over new years with a couple of dodgy purchases.  All companies, EXCEPT SKY, would happily update my payment details either over the phone or via their websites.

Monopolies don't need to provide efficient service.

2065 posts

Uber Geek
+1 received by user: 118

Trusted

  Reply # 768868 25-Feb-2013 12:57 Send private message

Id rather all did via a web site, I don't like passing CC details over the phone.




Previously known as psycik

NextPVR Based HTPC:

Gigabyte AMD A8 Brix --> Samsung LA46A650D via HDMI, SiliconDust HDHomeRun Dual DVB-T Tuner, NextPVR, Plex Plugin 
Clients:
Popcorn Hour A-100, 1xATV2, 1xATV3, Roku3
Windows 7 Ultimate Host (Plex Server)
3x2TB, 1x3TB, 1x4TB + 1x1.5TB using DriveBender, VMWare Workstation 10 with 1xW7, 2xW2k3 1xUbuntu 11.10 Desktop, 1xWHS2011, Plex, Crashplan, NextPVR channel for Plex

UnblockUS - Unblock your freedom

BDFL
49922 posts

Uber Geek
+1 received by user: 4622

Administrator
Trusted
Geekzone
Subscriber

  Reply # 768872 25-Feb-2013 13:12 Send private message

Oriphix: First the CSR told you it was a security risk to update the CC information. Then she TOOK the CC number to make a payment? What'd the difference she got the CC details over the phone either way?


Last year there was a high profile case where a guy in the USA had his iPhone, Macbook, iPad all wiped out through iCloud through a bit of social engineering.

The person doing it couldn't directly change the password on iCloud, he needed the last four digits of a credit card number stored with Apple - he used Amazon to get that information:


Getting a credit card number is tricker, but it also relies on taking advantage of a company’s back-end systems. Phobia says that a partner performed this part of the hack, but described the technique to us, which we were able to verify via our own tech support phone calls. It’s remarkably easy — so easy that Wired was able to duplicate the exploit twice in minutes.First you call Amazon and tell them you are the account holder, and want to add a credit card number to the account. All you need is the name on the account, an associated e-mail address, and the billing address. Amazon then allows you to input a new credit card. (Wired used a bogus credit card number from a website that generates fake card numbers that conform with the industry’s published self-check algorithm.) Then you hang up.

Next you call back, and tell Amazon that you’ve lost access to your account. Upon providing a name, billing address, and the new credit card number you gave the company on the prior call, Amazon will allow you to add a new e-mail address to the account. From here, you go to the Amazon website, and send a password reset to the new e-mail account. This allows you to see all the credit cards on file for the account — not the complete numbers, just the last four digits. But, as we know, Apple only needs those last four digits. We asked Amazon to comment on its security policy, but didn’t have anything to share by press time.

Each company has different "security" and sometime they overlap, sometimes don't. When these don't overlap you can exploit it. What one company deems "private information" other companies don't. And that's when things can happen. Read the long version here.

Satch: Monopolies don't need to provide efficient service.


In this case they are probably right in doing the way they are doing. Asking for the credit card information for payment is different than recording a credit card against an account, which can then be used for reset, etc.





1476 posts

Uber Geek
+1 received by user: 111

Subscriber

  Reply # 768876 25-Feb-2013 13:20 Send private message

freitasm: Asking for the credit card information for payment is different than recording a credit card against an account, which can then be used for reset, etc.



I think I've missed the point of this last sentence.  The OP said "...the CSR said it was a security risk to update credit card numbers via phone."  This was to set up a new credit card reoccurring payment on his account, but then the CSR used the exact same means (phone call) to take down his credit card number to make a one off payment.

BDFL
49922 posts

Uber Geek
+1 received by user: 4622

Administrator
Trusted
Geekzone
Subscriber

  Reply # 768881 25-Feb-2013 13:23 Send private message

Correct. A one off payment means that credit card is not associated with your account. A recurring payment means the credit card is recorded against your account, which also means someone could use the same trick used on Amazon to get to reset your account password, change details, etc by claiming "I know my credit card number in the account."

In another side of this there are some security obssessed companies such as Trade Me. It seems they (or their credit card processor) record the credit card information EVEN IF YOU UNCHECK the option to store the number. I know because I once tried to use my Amex to pay my Trade Me balance and their processor compained that I had already used two different credit cards in my account, even though I NEVER check the option to store that data.






1476 posts

Uber Geek
+1 received by user: 111

Subscriber

  Reply # 768892 25-Feb-2013 13:29 Send private message

But Sky do allow recurring payments to be set up against a credit card. They won't take the details over the phone due to security reasons, instead require a direct debit authority to be completed by hand and mailed to them. Yet they happily take the same credit card number over the phone for a one off payment.

The issue here isn't about the storage of those details. It is about how you get those details to Sky in the first place. If Sky deem a phone call to be insecure, why do they still allow your number via phone for a one off payment?

BDFL
49922 posts

Uber Geek
+1 received by user: 4622

Administrator
Trusted
Geekzone
Subscriber

  Reply # 768893 25-Feb-2013 13:31 Send private message

The issue is the storage. If you send a mail in with your signature they have something to start working on if there's a breach. There's a signature and they will be responsible.

Read my post again, the one off and recurring are very different operations.





1476 posts

Uber Geek
+1 received by user: 111

Subscriber

  Reply # 768899 25-Feb-2013 13:40 Send private message

I'm sorry frietasm, but you still seem to be talking at cross purposes (to me at least).

The OP never mentioned that Sky refused to set up regular payments via phone due to storage security issues. What do you think they do with your number when you post it in? Store it against your account...

You then seem to justify the storage issue with the fact they get your signature which pins liability on them if there is a breach. I don't get the relation between this and storage of your CC details against your Sky account.

Anyway, none of this is helping the OP's question why they selectively take CC details via phone. I guess we will just have to agree to disagree ;-)

BDFL
49922 posts

Uber Geek
+1 received by user: 4622

Administrator
Trusted
Geekzone
Subscriber

  Reply # 768904 25-Feb-2013 13:42 Send private message

Satch: The OP never mentioned that Sky refused to set up regular payments via phone due to storage security issues. What do you think they do with your number when you post it in? Store it against your account...


And the CSR at the bottom of the food chain wouldn't even know why the company's policy is like this or that. S/he would just follow it and would just tell the OP "I can't do that". Whoever created the policy is being very good at security.






3bit.com
5886 posts

Uber Geek
+1 received by user: 193

Moderator
Trusted
Subscriber

  Reply # 768909 25-Feb-2013 13:44 Send private message

Just as bad, WorldxChange make you post/fax your credit card number to them if you want it saved.

No idea why.




2893 posts

Uber Geek
+1 received by user: 33

Trusted

  Reply # 768977 25-Feb-2013 15:51 Send private message

A month ago our bank made a mistake and accidentally cancelled our CC instead of just requesting a replacement for the worn out card. So we updated about 5 or 6 utilities etc. with the new number. Most do it in their on-line account portal, but ditto, Sky and WxC (XNet) wants it in writing and it takes a while. Sky acknowledged the change after about 3 weeks.




You can never have enough Volvos!


841 posts

Ultimate Geek
+1 received by user: 36


  Reply # 768984 25-Feb-2013 15:58 Send private message

Add southern cross healthcare to the list. They would take cc over the phone if you want to make a payment but not if you just want to change your card number

 1 | 2
View this topic in a long page with up to 500 replies per page Create new topic




Twitter »
Follow us to receive Twitter updates when new discussions are posted in our forums:



Follow us to receive Twitter updates when news items and blogs are posted in our frontpage:



Follow us to receive Twitter updates when tech item prices are listed in our price comparison site:





Trending now »

Hot discussions in our forums right now:

How stable are snap IP addresses?
Created by Physn, last reply by Oriphix on 23-Oct-2014 18:09 (20 replies)
Pages... 2


Spark Socialiser
Created by freitasm, last reply by freitasm on 22-Oct-2014 18:39 (34 replies)
Pages... 2 3


$39 iPhone plan goneburger
Created by MadEngineer, last reply by Demeter on 23-Oct-2014 16:09 (16 replies)
Pages... 2


American legal jurisdiction in New Zealand
Created by ajobbins, last reply by gzt on 21-Oct-2014 14:58 (30 replies)
Pages... 2


iPad Air 2 and iPad Mini 3. Gonna get one?
Created by Dingbatt, last reply by dickytim on 23-Oct-2014 21:35 (100 replies)
Pages... 5 6 7


Snap have failed our company!
Created by dafman, last reply by kornflake on 23-Oct-2014 17:41 (37 replies)
Pages... 2 3


Thief taunts 12 year old via stolen laptop
Created by macuser, last reply by charsleysa on 22-Oct-2014 23:49 (12 replies)

Another Trade Me competitor: SellShed
Created by freitasm, last reply by freitasm on 23-Oct-2014 19:00 (44 replies)
Pages... 2 3



Geekzone Live »

Try automatic live updates from Geekzone directly in your browser, without refreshing the page, with Geekzone Live now.

Are you subscribed to our RSS feed? You can download the latest headlines and summaries from our stories directly to your computer or smartphone by using a feed reader.

Alternatively, you can receive a daily email with Geekzone updates.