Geekzone: technology news, blogs, forums
CitizenS (Wannabe Geek, 2 posts) #225754 4-Dec-2017 16:03

I have just had Spark confirm that if someone accesses the Live Chat on their website and has your NAME and DATE OF BIRTH, they can gain full access to your account, including being given new passwords for your email account.

I would have thought this is a pretty major flaw in that it seems awfully easy for someone to gain access to someone's account. They did confirm if you specifically request it, you can get an additional password enabled in order to access account information. But most people won't have this or even be aware of it.

Is this me being paranoid, or is this a bit weak on behalf of SPARK?

Ultimate Geek (455 posts, Trusted, Emergency Management) #1912763 4-Dec-2017 16:22
One person supports this post

Same as if you ring up over the phone. This is not something that is new in the telco space.

Most telcos don't have an additional password.

RunningMan (Uber Geek, 5766 posts) #1912769 4-Dec-2017 16:38
2 people support this post

It's not a security flaw in Live Chat - it has little to do with chat at all.

Somehow any company needs to authenticate who they are communicating with, whatever the medium. They can only do this via information they hold on the individual, be it name and DOB, or password, or whatever. There's a balance, as people won't hand over too much personal information without good reason.

Normally you would expect that the greater the consequences of unauthorised access, the more stringent the security requirements. Banks probably require a higher level of security than a telco for example.

Ultimately, just about any system could be open to abuse - that's the basis of phishing attacks after all.

CitizenS (Wannabe Geek, 2 posts) #1912774 4-Dec-2017 16:45

RunningMan:
    It's not a security flaw in Live Chat - it has little to do with chat at all.

    Somehow any company needs to authenticate who they are communicating with, whatever the medium. They can only do this via information they hold on the individual, be it name and DOB, or password, or whatever. There's a balance, as people won't hand over too much personal information without good reason.

    Normally you would expect that the greater the consequences of unauthorised access, the more stringent the security requirements. Banks probably require a higher level of security than a telco for example.

    Ultimately, just about any system could be open to abuse - that's the basis of phishing attacks after all.

I can get access to someone's email this way and from there, I can reset passwords for anywhere that the email address is used as the log-in. I guess I expected a higher level of security around obtaining access to someone's email. Am I better to simply use Gmail moving forward and drop the xtra account?

Uber Geek (28793 posts, Moderator, Trusted, Biddle Corp, Lifetime subscriber) #1912775 4-Dec-2017 16:47
One person supports this post

CitizenS:
    I have just had Spark confirm that if someone accesses the Live Chat on their website and has your NAME and DATE OF BIRTH, they can gain full access to your account, including being given new passwords for your email account.

You've just described 95% of companies out there. The other 4% want really obvious additional things such as your email address. 1% may want something else to authenticate a customer.

What do you expect a company to do to authenticate users? It's an incredibly hard balancing act without collecting excessive personal information that people may not want to provide.

RunningMan (Uber Geek, 5766 posts) #1912777 4-Dec-2017 16:49

There's certainly a big move away from ISP-supplied email, be it gmail, or any other solution - even if just for the ability to not be hooked into an ISP for life.

EDIT: Oh, and 2FA for all accounts isn't a bad thing either.

old3eyes (Uber Geek, 8290 posts, Subscriber) #1913078 5-Dec-2017 09:15

RunningMan:
    There's certainly a big move away from ISP-supplied email, be it gmail, or any other solution - even if just for the ability to not be hooked into an ISP for life.

    EDIT: Oh, and 2FA for all accounts isn't a bad thing either.

But for talking in an online chat to, say, Spark, asking about a product or service? A bit over the top. Fine if you're doing some form of account change, and then I have been asked for account number, full name and DoB.

Regards,
Old3eyes

RunningMan (Uber Geek, 5766 posts) #1913400 5-Dec-2017 15:56

old3eyes:
    RunningMan:
        There's certainly a big move away from ISP-supplied email, be it gmail, or any other solution - even if just for the ability to not be hooked into an ISP for life.

        EDIT: Oh, and 2FA for all accounts isn't a bad thing either.

    But for talking in an online chat to, say, Spark, asking about a product or service? A bit over the top. Fine if you're doing some form of account change, and then I have been asked for account number, full name and DoB.

It was a reply to this question, not a suggestion that 2FA be used for chat.

CitizenS: Am I better to simply use Gmail moving forward and drop the xtra account?

'That VDSL Cat' (Uber Geek, 11880 posts, Trusted, Spark, Subscriber) #1913476 5-Dec-2017 18:09
One person supports this post

Okay, so I was a little slow off the mark catching this one.

Authentication of a customer comes in many levels. If you're just contacting us to ask "oh, what is this plan?", we aren't going to nail you to the wall and check every inch of your body.

Any account requiring a change, be it technical or such, goes through a cross section of requiring further details.

I can't really comment on further details of your exact case without reading the transcripts myself.

Please feel free to DM me your account number, and I'll happily look into it. If things don't look like the right process has been followed, I'll certainly be passing that along to ensure it doesn't happen.

End of the day, I'd have to comment from my time previously being on the front lines.

Verification can be a pain. Some customers hate it with a passion, others launch into it and shove it in your face to get it over and done with. Truth be told though, it's a required thing and often is a breeze to get past (as an agent checking these things).

Some customers do prefer to have 2FA via the use of a password or supporting details. That's cool, I welcome it.

The best way I was ever told to handle it is: if the customer doesn't feel right, they probably aren't.

Anyone can steal a bill, look up a birthdate on Facebook and try their best, but chances are they will always show a tell. In all my time, I've had exactly 4 cases of this and all of them were raised as very big red flags straight away.

#include <std_disclaimer>

Any comments made are personal opinion and do not reflect directly on the position my current or past employers may have.

Wannabe Geek (4 posts) #1913595 5-Dec-2017 22:06

The sms-to-your-mobile-with-a-code method of authentication isn't a bad one.

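The SMS code suggested in that last post, combined with the tiered verification 'That VDSL Cat' describes (nothing for a plan question, name and date of birth for account information, more before any change), can be put into working code. What follows is an added example written for this page; it is not Spark's process, nor code from anyone in the thread. The policy table, the `Customer` record, the function names (`verify_kba`, `issue_otp`, `verify_otp`, `authorise`), the five-minute validity, the three-attempt limit and the sample data are all assumptions made for illustration.

```python
"""Tiered customer verification with a one-time-code step-up.

Added example, not Spark's or Geekzone's code. Everything here is
constructed for illustration: read-only questions need nothing, account
lookups need the knowledge-based check (name + date of birth), and any
action that changes the account needs a code delivered to the phone
number already on file.
"""
import hashlib
import hmac
import secrets
import time

# Assurance levels a chat session can reach.
LEVEL_NONE = 0   # anonymous: product or plan questions
LEVEL_KBA = 1    # knowledge-based: name + DOB matched the record
LEVEL_OTP = 2    # possession: one-time code sent to the phone on file

# Constructed policy: the level each support action requires.
ACTION_POLICY = {
    "plan_enquiry": LEVEL_NONE,
    "view_balance": LEVEL_KBA,
    "reset_email_password": LEVEL_OTP,
    "change_contact_number": LEVEL_OTP,
}

OTP_TTL_SECONDS = 300    # assumed: code is valid for five minutes
OTP_MAX_ATTEMPTS = 3     # assumed: then the code is discarded and must be reissued
# Per-process key so a leaked store of code digests cannot be brute-forced
# offline over the million possible six-digit codes.
_OTP_KEY = secrets.token_bytes(32)


class Customer:
    """Constructed account record plus the session's current assurance level."""

    def __init__(self, name, dob, phone):
        self.name = name
        self.dob = dob            # ISO date string, e.g. "1980-01-02"
        self.phone = phone        # where the one-time code would be sent
        self.level = LEVEL_NONE
        self._otp_mac = None      # keyed digest of the outstanding code, if any
        self._otp_expiry = 0.0
        self._otp_attempts = 0


def _norm(text):
    """Case- and whitespace-insensitive form of a name typed into chat."""
    return " ".join(text.lower().split()).encode()


def verify_kba(cust, name, dob):
    """Knowledge-based check. Raises the session to LEVEL_KBA on success."""
    ok = hmac.compare_digest(_norm(cust.name), _norm(name)) and \
        hmac.compare_digest(cust.dob.encode(), dob.encode())
    if ok:
        cust.level = max(cust.level, LEVEL_KBA)
    return ok


def _mac_of(code):
    return hmac.new(_OTP_KEY, code.encode(), hashlib.sha256).digest()


def issue_otp(cust, now=None):
    """Create a fresh six-digit code; returns what the SMS gateway would send.

    Only a session that has already identified the account (LEVEL_KBA) may
    trigger a code, so the number on file is the only place it ever goes.
    """
    if cust.level < LEVEL_KBA:
        raise PermissionError("identify the account before requesting a code")
    now = time.time() if now is None else now
    code = f"{secrets.randbelow(1_000_000):06d}"
    cust._otp_mac = _mac_of(code)
    cust._otp_expiry = now + OTP_TTL_SECONDS
    cust._otp_attempts = 0
    return code


def verify_otp(cust, code, now=None):
    """Single-use, time-limited, attempt-limited check of the delivered code."""
    now = time.time() if now is None else now
    if cust._otp_mac is None or now > cust._otp_expiry:
        return False
    cust._otp_attempts += 1
    ok = hmac.compare_digest(_mac_of(code), cust._otp_mac)
    if ok:
        cust.level = LEVEL_OTP
    if ok or cust._otp_attempts >= OTP_MAX_ATTEMPTS:
        cust._otp_mac = None      # consumed, or burned by guessing
    return ok


def authorise(cust, action):
    """True if the session's assurance level is enough for the action."""
    return cust.level >= ACTION_POLICY[action]
```

Two design points matter more than the code itself. The code is never issued until the account has been identified, so it can only ever go to the phone number already on record, not to one the caller reads out; and a guessed or expired code is discarded rather than left open, so a chat session cannot grind through the six-digit space. The name and date-of-birth step alone, as the thread notes, only gets a session as far as reading account information; the password reset the original post describes sits at the higher level.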