Geekzone: technology news, blogs, forums
Guest
Welcome Guest.
You haven't logged in yet. If you don't have an account you can register now.




2 posts

Wannabe Geek


Topic # 225754 4-Dec-2017 16:03
Send private message

I have just had Spark confirm that if someone accesses the Live Chat on their website and has your NAME and DATE OF BIRTH, they can gain full access to your account, including being given new passwords for your email account.

 

I would have thought this is a pretty major flaw in that it seems awfully easy for someone to gain access to someones account. They did confirm if you specifically request it, you can get an additional password enabled in order to access account information. But most people won't have this or even be aware of it.

 

Is this me being paranoid, or is this a bit weak on behalf of SPARK?


Create new topic
247 posts

Master Geek
+1 received by user: 48

Trusted
Emergency Management

  Reply # 1912763 4-Dec-2017 16:22
One person supports this post
Send private message

Same as if you ring up over the phone.. This is not something that is new in the telco space. 

 

Most Telco's don't have an additional password.


4727 posts

Uber Geek
+1 received by user: 1445


  Reply # 1912769 4-Dec-2017 16:38
2 people support this post
Send private message

It's not a security flaw in Live Chat - it has little to do with chat at all.

 

Somehow any company needs to authenticate who they are communicating with, whatever the medium. They can only do this via information they hold on the individual, be it name and DOB, or password, or whatever. There's a balance, as people won't hand over too much personal information without good reason.

 

Normally you would expect that the greater the consequences of unauthorised access, the more stringent the security requirements. Banks probably require a higher level of security than a telco for example.

 

Ultimately, just about any system could be open to abuse - that's the basis of phishing attacks after all.


 
 
 
 


Try Wrike: fast, easy, and efficient project collaboration software


2 posts

Wannabe Geek


  Reply # 1912774 4-Dec-2017 16:45
Send private message

RunningMan:

 

It's not a security flaw in Live Chat - it has little to do with chat at all.

 

Somehow any company needs to authenticate who they are communicating with, whatever the medium. They can only do this via information they hold on the individual, be it name and DOB, or password, or whatever. There's a balance, as people won't hand over too much personal information without good reason.

 

Normally you would expect that the greater the consequences of unauthorised access, the more stringent the security requirements. Banks probably require a higher level of security than a telco for example.

 

Ultimately, just about any system could be open to abuse - that's the basis of phishing attacks after all.

 

 

 

 

I can get access to someone's email this way and from there, I can reset passwords for anywhere that the email address is used as the log-in. I guess I expected a higher level of security around obtaining access to someone's email. Am I better to simply use Gmail moving forward and drop the xtra account?


26197 posts

Uber Geek
+1 received by user: 5796

Moderator
Trusted
Biddle Corp
Lifetime subscriber

  Reply # 1912775 4-Dec-2017 16:47
One person supports this post
Send private message

CitizenS:

 

I have just had Spark confirm that if someone accesses the Live Chat on their website and has your NAME and DATE OF BIRTH, they can gain full access to your account, including being given new passwords for your email account.

 

 

You've just described 95% of companies out there. The other 4% want really obvious additional things such as your email address. 1% may want something else to authenticate a customer.

 

What do you expect a company to do to authenticate users? it's an incredibly hard balancing act without collecting excessive personal information that people may not want to provide.

 

 


4727 posts

Uber Geek
+1 received by user: 1445


  Reply # 1912777 4-Dec-2017 16:49
Send private message

There's certainly a big move away from ISP supplied email, be it gmail, or any other solution - even if just for the ability to not be hooked into an ISP for life.

 

EDIT: Oh, and 2FA for all accounts isn't a bad thing either.


7759 posts

Uber Geek
+1 received by user: 765

Subscriber

  Reply # 1913078 5-Dec-2017 09:15
Send private message

RunningMan:

 

There's certainly a big move away from ISP supplied email, be it gmail, or any other solution - even if just for the ability to not be hooked into an ISP for life.

 

EDIT: Oh, and 2FA for all accounts isn't a bad thing either.

 

 

But for talking  in an online chat to say Spark asking about a product or service?? A bit over the top..   Fine if you doing some for of account change and then I have been asked for account number, full name and  DoB. 





Regards,

Old3eyes


4727 posts

Uber Geek
+1 received by user: 1445


  Reply # 1913400 5-Dec-2017 15:56
Send private message

old3eyes:

 

RunningMan:

 

There's certainly a big move away from ISP supplied email, be it gmail, or any other solution - even if just for the ability to not be hooked into an ISP for life.

 

EDIT: Oh, and 2FA for all accounts isn't a bad thing either.

 

 

But for talking  in an online chat to say Spark asking about a product or service?? A bit over the top..   Fine if you doing some for of account change and then I have been asked for account number, full name and  DoB. 

 

 

It was a reply this question, not a suggestion that 2FA be used for chat.

 

CitizenS: Am I better to simply use Gmail moving forward and drop the xtra account?


'That VDSL Cat'
7502 posts

Uber Geek
+1 received by user: 1489

Trusted
Spark
Subscriber

  Reply # 1913476 5-Dec-2017 18:09
One person supports this post
Send private message

Okay so  i was a little slow off the mark catching this one.

 

 

 

Authentication of a customer comes in many levels, if your just contacting to ask oh what is this plan; We arent going to nail you to the wall and check every inch of your body..

 

Any account requiring a change, be it technical or such goes through a cross section of requiring further details.

 

 

 

I can't really common on further details of your exact case, without reading the transcripts myself.

 

Please feel free to DM me your account number, and i'll happily look into it. If things don't look like the right process has been followed, I'll certainly be passing that along to ensure it doesn't happen.

 

 

 

 

 

 

 

End of the day, i'd have to comment from my time previously being on the front lines.

 

Verification is can be a pain, Some customers hate it with a passion, others launch into it and shove it in your face to get it over and done with. Truth be told though, It's a required thing and often is a breeze to get past (as an agent checking these things).

 

Some customers do prefer to have 2FA via the use of a password or supporting details, That's cool i welcome it.

 

 

 

The best way i was ever told to handle it is, if the customer doesn't feel right; They probably aren't.

 

Anyone can steal a bill; Look up a birthdate on facebook and try there best, but chances are they will always show a tell. In all my time, I've had exactly 4 cases of this and all of them were raised as very big red flags straight way.





#include <std_disclaimer>

 

Any comments made are personal opinion and do not reflect directly on the position my current or past employers may have.


4 posts

Wannabe Geek


  Reply # 1913595 5-Dec-2017 22:06
Send private message

The sms-to-your-mobile-with-a-code method of authentication isn't a bad one.

 

 


Create new topic



Twitter »

Follow us to receive Twitter updates when new discussions are posted in our forums:



Follow us to receive Twitter updates when news items and blogs are posted in our frontpage:



Follow us to receive Twitter updates when tech item prices are listed in our price comparison site:





News »

Amazon launches the International Shopping Experience in the Amazon Shopping App
Posted 19-Apr-2018 08:38


Spark New Zealand and TVNZ to bring coverage of Rugby World Cup 2019
Posted 16-Apr-2018 06:55


How Google can seize Microsoft Office crown
Posted 14-Apr-2018 11:08


How back office transformation drives IRD efficiency
Posted 12-Apr-2018 21:15


iPod laws in a smartphone world: will we ever get copyright right?
Posted 12-Apr-2018 21:13


Lightbox service using big data and analytics to learn more about customers
Posted 9-Apr-2018 12:11


111 mobile caller location extended to iOS
Posted 6-Apr-2018 13:50


Huawei announces the HUAWEI P20 series
Posted 29-Mar-2018 11:41


Symantec Internet Security Threat Report shows increased endpoint technology risks
Posted 26-Mar-2018 18:29


Spark switches on long-range IoT network across New Zealand
Posted 26-Mar-2018 18:22


Stuff Pix enters streaming video market
Posted 21-Mar-2018 09:18


Windows no longer Microsoft’s main focus
Posted 13-Mar-2018 07:47


Why phone makers are obsessed with cameras
Posted 11-Mar-2018 12:25


New Zealand Adopts International Open Data Charter
Posted 3-Mar-2018 12:48


Shipments tumble as NZ phone upgrades slow
Posted 2-Mar-2018 11:48



Geekzone Live »

Try automatic live updates from Geekzone directly in your browser, without refreshing the page, with Geekzone Live now.



Are you subscribed to our RSS feed? You can download the latest headlines and summaries from our stories directly to your computer or smartphone by using a feed reader.

Alternatively, you can receive a daily email with Geekzone updates.