Geekzone: technology news, blogs, forums


2 posts

Wannabe Geek


Topic # 225754 4-Dec-2017 16:03

I have just had Spark confirm that if someone accesses the Live Chat on their website and has your NAME and DATE OF BIRTH, they can gain full access to your account, including being given new passwords for your email account.

 

I would have thought this is a pretty major flaw, in that it seems awfully easy for someone to gain access to someone's account. They did confirm that if you specifically request it, you can get an additional password enabled in order to access account information. But most people won't have this or even be aware of it.

 

Is this me being paranoid, or is this a bit weak on behalf of SPARK?


311 posts

Ultimate Geek
+1 received by user: 85

Trusted
Emergency Management

  Reply # 1912763 4-Dec-2017 16:22
One person supports this post

Same as if you ring up over the phone. This is not something that is new in the telco space.

Most telcos don't have an additional password.


5117 posts

Uber Geek
+1 received by user: 1644


  Reply # 1912769 4-Dec-2017 16:38
2 people support this post

It's not a security flaw in Live Chat - it has little to do with chat at all.

 

Somehow any company needs to authenticate who they are communicating with, whatever the medium. They can only do this via information they hold on the individual, be it name and DOB, or password, or whatever. There's a balance, as people won't hand over too much personal information without good reason.

 

Normally you would expect that the greater the consequences of unauthorised access, the more stringent the security requirements. Banks probably require a higher level of security than a telco for example.

 

Ultimately, just about any system could be open to abuse - that's the basis of phishing attacks after all.




2 posts

Wannabe Geek


  Reply # 1912774 4-Dec-2017 16:45

RunningMan:

It's not a security flaw in Live Chat - it has little to do with chat at all.

Somehow any company needs to authenticate who they are communicating with, whatever the medium. They can only do this via information they hold on the individual, be it name and DOB, or password, or whatever. There's a balance, as people won't hand over too much personal information without good reason.

Normally you would expect that the greater the consequences of unauthorised access, the more stringent the security requirements. Banks probably require a higher level of security than a telco for example.

Ultimately, just about any system could be open to abuse - that's the basis of phishing attacks after all.

I can get access to someone's email this way and from there, I can reset passwords for anywhere that the email address is used as the log-in. I guess I expected a higher level of security around obtaining access to someone's email. Am I better to simply use Gmail moving forward and drop the Xtra account?


27065 posts

Uber Geek
+1 received by user: 6509

Moderator
Trusted
Biddle Corp
Lifetime subscriber

  Reply # 1912775 4-Dec-2017 16:47
One person supports this post

CitizenS:

I have just had Spark confirm that if someone accesses the Live Chat on their website and has your NAME and DATE OF BIRTH, they can gain full access to your account, including being given new passwords for your email account.

You've just described 95% of companies out there. The other 4% want really obvious additional things such as your email address. 1% may want something else to authenticate a customer.

What do you expect a company to do to authenticate users? It's an incredibly hard balancing act without collecting excessive personal information that people may not want to provide.

 

 


5117 posts

Uber Geek
+1 received by user: 1644


  Reply # 1912777 4-Dec-2017 16:49

There's certainly a big move away from ISP supplied email, be it gmail, or any other solution - even if just for the ability to not be hooked into an ISP for life.

 

EDIT: Oh, and 2FA for all accounts isn't a bad thing either.


7875 posts

Uber Geek
+1 received by user: 790

Subscriber

  Reply # 1913078 5-Dec-2017 09:15

RunningMan:

There's certainly a big move away from ISP supplied email, be it gmail, or any other solution - even if just for the ability to not be hooked into an ISP for life.

EDIT: Oh, and 2FA for all accounts isn't a bad thing either.

But for talking in an online chat to, say, Spark asking about a product or service? A bit over the top. Fine if you're doing some form of account change, and then I have been asked for account number, full name and DoB.

Regards,

Old3eyes


5117 posts

Uber Geek
+1 received by user: 1644


  Reply # 1913400 5-Dec-2017 15:56

old3eyes:

RunningMan:

There's certainly a big move away from ISP supplied email, be it gmail, or any other solution - even if just for the ability to not be hooked into an ISP for life.

EDIT: Oh, and 2FA for all accounts isn't a bad thing either.

But for talking in an online chat to, say, Spark asking about a product or service? A bit over the top. Fine if you're doing some form of account change, and then I have been asked for account number, full name and DoB.

It was a reply to this question, not a suggestion that 2FA be used for chat.

 

CitizenS: Am I better to simply use Gmail moving forward and drop the xtra account?


'That VDSL Cat'
8692 posts

Uber Geek
+1 received by user: 1879

Trusted
Spark
Subscriber

  Reply # 1913476 5-Dec-2017 18:09
One person supports this post

Okay, so I was a little slow off the mark catching this one.

Authentication of a customer comes in many levels. If you're just contacting us to ask "oh, what is this plan?", we aren't going to nail you to the wall and check every inch of your body.

Any account requiring a change, be it technical or such, goes through a cross section of requiring further details.

I can't really comment on further details of your exact case without reading the transcripts myself.

Please feel free to DM me your account number, and I'll happily look into it. If things don't look like the right process has been followed, I'll certainly be passing that along to ensure it doesn't happen.

End of the day, I'd have to comment from my time previously being on the front lines.

Verification can be a pain. Some customers hate it with a passion; others launch into it and shove it in your face to get it over and done with. Truth be told though, it's a required thing and often is a breeze to get past (as an agent checking these things).

Some customers do prefer to have 2FA via the use of a password or supporting details. That's cool, I welcome it.

The best way I was ever told to handle it is: if the customer doesn't feel right, they probably aren't.

Anyone can steal a bill, look up a birthdate on Facebook and try their best, but chances are they will always show a tell. In all my time, I've had exactly 4 cases of this and all of them were raised as very big red flags straight away.





#include <std_disclaimer>

 

Any comments made are personal opinion and do not reflect directly on the position my current or past employers may have.


4 posts

Wannabe Geek


  Reply # 1913595 5-Dec-2017 22:06

The sms-to-your-mobile-with-a-code method of authentication isn't a bad one.
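
The thread above circles one design question: how much proof of identity a support channel should demand before each kind of request, and what a stronger step (an opt-in account password, or a code texted to the mobile on file) adds over name and date of birth. The following is an added example, not code from this thread and not Spark's process, showing one way to model that as a tiered policy. The actions, the levels assigned to them, the PIN hashing, the one-time-code handling and every account detail and phone number are assumptions constructed for the illustration.

```python
"""Tiered (step-up) verification for a support chat: constructed example.

Not Spark's process and not from this thread. A plan query needs nothing;
viewing personal data needs name + DOB; a password reset on the email account
needs something a stolen bill or a Facebook birthday does not give an attacker
(an opt-in PIN, or a one-time code sent to the mobile on file). All names,
numbers and thresholds below are made up.
"""
import hashlib
import hmac
import secrets
import time
from dataclasses import dataclass, field
from enum import Enum
from typing import Callable, Dict, List, Optional


class Action(Enum):
    PLAN_QUERY = "plan_query"                      # public product info
    VIEW_BILL = "view_bill"                        # discloses personal data
    RESET_EMAIL_PASSWORD = "reset_email_password"  # enables account takeover


# Hypothetical policy: 0 = nothing, 1 = name + DOB, 2 = PIN or SMS code.
REQUIRED_LEVEL = {Action.PLAN_QUERY: 0, Action.VIEW_BILL: 1,
                  Action.RESET_EMAIL_PASSWORD: 2}


def hash_pin(pin: str, salt: bytes) -> bytes:
    """Slow salted hash so a leaked customer table does not leak PINs."""
    return hashlib.pbkdf2_hmac("sha256", pin.encode(), salt, 200_000)


@dataclass
class Account:
    name: str
    dob: str          # "YYYY-MM-DD"
    mobile: str
    pin_salt: bytes = field(default_factory=lambda: secrets.token_bytes(16))
    pin_hash: Optional[bytes] = None   # the optional extra password the thread mentions

    def set_pin(self, pin: str) -> None:
        self.pin_hash = hash_pin(pin, self.pin_salt)


class OtpStore:
    """SMS one-time codes: short lived, hashed at rest, few attempts, single use."""
    TTL_SECONDS = 300
    MAX_ATTEMPTS = 3

    def __init__(self, now: Callable[[], float] = time.time) -> None:
        self._now = now
        self._pending: Dict[str, List] = {}   # mobile -> [code_hash, expires_at, attempts]

    def issue(self, mobile: str) -> str:
        code = f"{secrets.randbelow(10 ** 6):06d}"
        self._pending[mobile] = [hashlib.sha256(code.encode()).digest(),
                                 self._now() + self.TTL_SECONDS, 0]
        return code   # would go to an SMS gateway; returned so the demo can "receive" it

    def verify(self, mobile: str, code: str) -> bool:
        entry = self._pending.get(mobile)
        if entry is None:
            return False
        code_hash, expires_at, attempts = entry
        if self._now() > expires_at or attempts >= self.MAX_ATTEMPTS:
            del self._pending[mobile]      # expired or exhausted: a fresh code is required
            return False
        entry[2] = attempts + 1
        ok = hmac.compare_digest(code_hash, hashlib.sha256(code.encode()).digest())
        if ok:
            del self._pending[mobile]      # single use
        return ok


class ChatSession:
    """Tracks how strongly the person in the chat has been verified so far."""

    def __init__(self, account: Account, otp: OtpStore) -> None:
        self.account, self.otp, self.level = account, otp, 0

    def verify_name_dob(self, name: str, dob: str) -> int:
        if name.strip().casefold() == self.account.name.casefold() and dob == self.account.dob:
            self.level = max(self.level, 1)
        return self.level

    def verify_pin(self, pin: str) -> int:
        if self.account.pin_hash is not None and hmac.compare_digest(
                hash_pin(pin, self.account.pin_salt), self.account.pin_hash):
            self.level = max(self.level, 2)
        return self.level

    def verify_sms_code(self, code: str) -> int:
        if self.otp.verify(self.account.mobile, code):
            self.level = max(self.level, 2)
        return self.level

    def allowed(self, action: Action) -> bool:
        return self.level >= REQUIRED_LEVEL[action]


def demo() -> Dict[str, bool]:
    """Walk one constructed chat through the levels and report what each unlocks."""
    acct = Account("Jane Example", "1980-01-02", "+64 21 000 0000")   # made-up customer
    otp = OtpStore()
    chat = ChatSession(acct, otp)
    out = {"plan_unverified": chat.allowed(Action.PLAN_QUERY),
           "reset_unverified": chat.allowed(Action.RESET_EMAIL_PASSWORD)}
    chat.verify_name_dob("jane example", "1980-01-02")
    out["bill_after_dob"] = chat.allowed(Action.VIEW_BILL)
    out["reset_after_dob"] = chat.allowed(Action.RESET_EMAIL_PASSWORD)
    chat.verify_sms_code(otp.issue(acct.mobile))   # code "arrives" on the customer's phone
    out["reset_after_sms"] = chat.allowed(Action.RESET_EMAIL_PASSWORD)
    return out


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The point of the structure is that name and date of birth only ever reach level 1, so an agent following the policy cannot hand out a new email password on that alone, whichever channel the request comes in on; the step-up is bound to something the attacker in the original post would not have. The code store hashes the code, expires it after five minutes, allows three guesses and deletes it on success, which is what keeps a six-digit SMS code from being brute-forced through the same chat window.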

 

 

