Geekzone: technology news, blogs, forums


CitizenS

2 posts

Wannabe Geek


#225754 4-Dec-2017 16:03

I have just had Spark confirm that if someone accesses the Live Chat on their website and has your NAME and DATE OF BIRTH, they can gain full access to your account, including being given new passwords for your email account.

 

I would have thought this is a pretty major flaw in that it seems awfully easy for someone to gain access to someone's account. They did confirm if you specifically request it, you can get an additional password enabled in order to access account information. But most people won't have this or even be aware of it.

 

Is this me being paranoid, or is this a bit weak on behalf of SPARK?


ResponseMediaNZ
518 posts

Ultimate Geek

ID Verified
Trusted

  #1912763 4-Dec-2017 16:22

Same as if you ring up over the phone.. This is not something that is new in the telco space. 

 

Most telcos don't have an additional password.




RunningMan
8955 posts

Uber Geek


  #1912769 4-Dec-2017 16:38

It's not a security flaw in Live Chat - it has little to do with chat at all.

 

Somehow any company needs to authenticate who they are communicating with, whatever the medium. They can only do this via information they hold on the individual, be it name and DOB, or password, or whatever. There's a balance, as people won't hand over too much personal information without good reason.

 

Normally you would expect that the greater the consequences of unauthorised access, the more stringent the security requirements. Banks probably require a higher level of security than a telco for example.

 

Ultimately, just about any system could be open to abuse - that's the basis of phishing attacks after all.


CitizenS

2 posts

Wannabe Geek


  #1912774 4-Dec-2017 16:45

RunningMan:

 

It's not a security flaw in Live Chat - it has little to do with chat at all.

 

Somehow any company needs to authenticate who they are communicating with, whatever the medium. They can only do this via information they hold on the individual, be it name and DOB, or password, or whatever. There's a balance, as people won't hand over too much personal information without good reason.

 

Normally you would expect that the greater the consequences of unauthorised access, the more stringent the security requirements. Banks probably require a higher level of security than a telco for example.

 

Ultimately, just about any system could be open to abuse - that's the basis of phishing attacks after all.

 

 

 

 

I can get access to someone's email this way and from there, I can reset passwords for anywhere that the email address is used as the log-in. I guess I expected a higher level of security around obtaining access to someone's email. Am I better to simply use Gmail moving forward and drop the xtra account?




sbiddle
30853 posts

Uber Geek

Retired Mod
Trusted
Biddle Corp
Lifetime subscriber

  #1912775 4-Dec-2017 16:47

CitizenS:

 

I have just had Spark confirm that if someone accesses the Live Chat on their website and has your NAME and DATE OF BIRTH, they can gain full access to your account, including being given new passwords for your email account.

 

 

You've just described 95% of companies out there. The other 4% want really obvious additional things such as your email address. 1% may want something else to authenticate a customer.

 

What do you expect a company to do to authenticate users? It's an incredibly hard balancing act without collecting excessive personal information that people may not want to provide.

 

 


RunningMan
8955 posts

Uber Geek


  #1912777 4-Dec-2017 16:49

There's certainly a big move away from ISP supplied email, be it gmail, or any other solution - even if just for the ability to not be hooked into an ISP for life.

 

EDIT: Oh, and 2FA for all accounts isn't a bad thing either.


old3eyes
9119 posts

Uber Geek

Subscriber

  #1913078 5-Dec-2017 09:15

RunningMan:

 

There's certainly a big move away from ISP supplied email, be it gmail, or any other solution - even if just for the ability to not be hooked into an ISP for life.

 

EDIT: Oh, and 2FA for all accounts isn't a bad thing either.

 

 

But for talking in an online chat to, say, Spark asking about a product or service?? A bit over the top.. Fine if you're doing some form of account change, and then I have been asked for account number, full name and DoB.





Regards,

Old3eyes


RunningMan
8955 posts

Uber Geek


  #1913400 5-Dec-2017 15:56

old3eyes:

 

RunningMan:

 

There's certainly a big move away from ISP supplied email, be it gmail, or any other solution - even if just for the ability to not be hooked into an ISP for life.

 

EDIT: Oh, and 2FA for all accounts isn't a bad thing either.

 

 

But for talking in an online chat to, say, Spark asking about a product or service?? A bit over the top.. Fine if you're doing some form of account change, and then I have been asked for account number, full name and DoB.

 

 

It was a reply to this question, not a suggestion that 2FA be used for chat.

 

CitizenS: Am I better to simply use Gmail moving forward and drop the xtra account?


 
 
 

hio77
12999 posts

Uber Geek

ID Verified
Trusted
Lizard Networks

  #1913476 5-Dec-2017 18:09

Okay, so I was a little slow off the mark catching this one.

 

 

 

Authentication of a customer comes in many levels. If you're just contacting to ask, oh, what is this plan, we aren't going to nail you to the wall and check every inch of your body..

 

Any account requiring a change, be it technical or such goes through a cross section of requiring further details.

 

 

 

I can't really comment on further details of your exact case without reading the transcripts myself.

Please feel free to DM me your account number, and I'll happily look into it. If things don't look like the right process has been followed, I'll certainly be passing that along to ensure it doesn't happen.

 

 

 

 

 

 

 

End of the day, I'd have to comment from my time previously being on the front lines.

Verification can be a pain. Some customers hate it with a passion; others launch into it and shove it in your face to get it over and done with. Truth be told though, it's a required thing and often is a breeze to get past (as an agent checking these things).

Some customers do prefer to have 2FA via the use of a password or supporting details. That's cool, I welcome it.

The best way I was ever told to handle it is: if the customer doesn't feel right, they probably aren't.

Anyone can steal a bill, look up a birthdate on Facebook and try their best, but chances are they will always show a tell. In all my time, I've had exactly 4 cases of this and all of them were raised as very big red flags straight away.





#include <std_disclaimer>

 

Any comments made are personal opinion and do not reflect directly on the position my current or past employers may have.

 

 


cunningdavid
76 posts

Master Geek


  #1913595 5-Dec-2017 22:06

The sms-to-your-mobile-with-a-code method of authentication isn't a bad one.

 

 

