Geekzone: technology news, blogs, forums
Guest
Welcome Guest.
You haven't logged in yet. If you don't have an account you can register now.




2 posts

Wannabe Geek


Topic # 225754 4-Dec-2017 16:03
Send private message quote this post

I have just had Spark confirm that if someone accesses the Live Chat on their website and has your NAME and DATE OF BIRTH, they can gain full access to your account, including being given new passwords for your email account.

 

I would have thought this is a pretty major flaw in that it seems awfully easy for someone to gain access to someones account. They did confirm if you specifically request it, you can get an additional password enabled in order to access account information. But most people won't have this or even be aware of it.

 

Is this me being paranoid, or is this a bit weak on behalf of SPARK?


Create new topic
212 posts

Master Geek
+1 received by user: 41

Trusted
Emergency Management

  Reply # 1912763 4-Dec-2017 16:22
One person supports this post
Send private message quote this post

Same as if you ring up over the phone.. This is not something that is new in the telco space. 

 

Most Telco's don't have an additional password.


4563 posts

Uber Geek
+1 received by user: 1350


  Reply # 1912769 4-Dec-2017 16:38
2 people support this post
Send private message quote this post

It's not a security flaw in Live Chat - it has little to do with chat at all.

 

Somehow any company needs to authenticate who they are communicating with, whatever the medium. They can only do this via information they hold on the individual, be it name and DOB, or password, or whatever. There's a balance, as people won't hand over too much personal information without good reason.

 

Normally you would expect that the greater the consequences of unauthorised access, the more stringent the security requirements. Banks probably require a higher level of security than a telco for example.

 

Ultimately, just about any system could be open to abuse - that's the basis of phishing attacks after all.


 
 
 
 




2 posts

Wannabe Geek


  Reply # 1912774 4-Dec-2017 16:45
Send private message quote this post

RunningMan:

 

It's not a security flaw in Live Chat - it has little to do with chat at all.

 

Somehow any company needs to authenticate who they are communicating with, whatever the medium. They can only do this via information they hold on the individual, be it name and DOB, or password, or whatever. There's a balance, as people won't hand over too much personal information without good reason.

 

Normally you would expect that the greater the consequences of unauthorised access, the more stringent the security requirements. Banks probably require a higher level of security than a telco for example.

 

Ultimately, just about any system could be open to abuse - that's the basis of phishing attacks after all.

 

 

 

 

I can get access to someone's email this way and from there, I can reset passwords for anywhere that the email address is used as the log-in. I guess I expected a higher level of security around obtaining access to someone's email. Am I better to simply use Gmail moving forward and drop the xtra account?


25830 posts

Uber Geek
+1 received by user: 5555

Moderator
Trusted
Biddle Corp
Lifetime subscriber

  Reply # 1912775 4-Dec-2017 16:47
One person supports this post
Send private message quote this post

CitizenS:

 

I have just had Spark confirm that if someone accesses the Live Chat on their website and has your NAME and DATE OF BIRTH, they can gain full access to your account, including being given new passwords for your email account.

 

 

You've just described 95% of companies out there. The other 4% want really obvious additional things such as your email address. 1% may want something else to authenticate a customer.

 

What do you expect a company to do to authenticate users? it's an incredibly hard balancing act without collecting excessive personal information that people may not want to provide.

 

 


4563 posts

Uber Geek
+1 received by user: 1350


  Reply # 1912777 4-Dec-2017 16:49
Send private message quote this post

There's certainly a big move away from ISP supplied email, be it gmail, or any other solution - even if just for the ability to not be hooked into an ISP for life.

 

EDIT: Oh, and 2FA for all accounts isn't a bad thing either.


7703 posts

Uber Geek
+1 received by user: 748

Subscriber

  Reply # 1913078 5-Dec-2017 09:15
Send private message quote this post

RunningMan:

 

There's certainly a big move away from ISP supplied email, be it gmail, or any other solution - even if just for the ability to not be hooked into an ISP for life.

 

EDIT: Oh, and 2FA for all accounts isn't a bad thing either.

 

 

But for talking  in an online chat to say Spark asking about a product or service?? A bit over the top..   Fine if you doing some for of account change and then I have been asked for account number, full name and  DoB. 





Regards,

Old3eyes


4563 posts

Uber Geek
+1 received by user: 1350


  Reply # 1913400 5-Dec-2017 15:56
Send private message quote this post

old3eyes:

 

RunningMan:

 

There's certainly a big move away from ISP supplied email, be it gmail, or any other solution - even if just for the ability to not be hooked into an ISP for life.

 

EDIT: Oh, and 2FA for all accounts isn't a bad thing either.

 

 

But for talking  in an online chat to say Spark asking about a product or service?? A bit over the top..   Fine if you doing some for of account change and then I have been asked for account number, full name and  DoB. 

 

 

It was a reply this question, not a suggestion that 2FA be used for chat.

 

CitizenS: Am I better to simply use Gmail moving forward and drop the xtra account?


'That VDSL Cat'
6983 posts

Uber Geek
+1 received by user: 1359

Trusted
Spark
Subscriber

  Reply # 1913476 5-Dec-2017 18:09
One person supports this post
Send private message quote this post

Okay so  i was a little slow off the mark catching this one.

 

 

 

Authentication of a customer comes in many levels, if your just contacting to ask oh what is this plan; We arent going to nail you to the wall and check every inch of your body..

 

Any account requiring a change, be it technical or such goes through a cross section of requiring further details.

 

 

 

I can't really common on further details of your exact case, without reading the transcripts myself.

 

Please feel free to DM me your account number, and i'll happily look into it. If things don't look like the right process has been followed, I'll certainly be passing that along to ensure it doesn't happen.

 

 

 

 

 

 

 

End of the day, i'd have to comment from my time previously being on the front lines.

 

Verification is can be a pain, Some customers hate it with a passion, others launch into it and shove it in your face to get it over and done with. Truth be told though, It's a required thing and often is a breeze to get past (as an agent checking these things).

 

Some customers do prefer to have 2FA via the use of a password or supporting details, That's cool i welcome it.

 

 

 

The best way i was ever told to handle it is, if the customer doesn't feel right; They probably aren't.

 

Anyone can steal a bill; Look up a birthdate on facebook and try there best, but chances are they will always show a tell. In all my time, I've had exactly 4 cases of this and all of them were raised as very big red flags straight way.





#include <std_disclaimer>

 

Any comments made are personal opinion and do not reflect directly on the position my current or past employers may have.


4 posts

Wannabe Geek


  Reply # 1913595 5-Dec-2017 22:06
Send private message quote this post

The sms-to-your-mobile-with-a-code method of authentication isn't a bad one.

 

 


Create new topic



Twitter »

Follow us to receive Twitter updates when new discussions are posted in our forums:



Follow us to receive Twitter updates when news items and blogs are posted in our frontpage:



Follow us to receive Twitter updates when tech item prices are listed in our price comparison site:





News »

New Zealand's IT industry in 2018 and beyond
Posted 22-Jan-2018 12:50


Introducing your new workplace headache: Gen Z
Posted 22-Jan-2018 12:45


Jucy set to introduce electric campervan fleet
Posted 22-Jan-2018 12:41


Hawaiki cable system will be ready for service in June 2018
Posted 22-Jan-2018 12:32


New Zealand hits peak broadband data
Posted 18-Jan-2018 12:21


Amazon Echo devices coming to New Zealand early February 2018
Posted 18-Jan-2018 10:53


$3.74 million for new electric vehicles in New Zealand
Posted 17-Jan-2018 11:27


Nova 2i: Value, not excitement from Huawei
Posted 17-Jan-2018 09:02


Less news in Facebook News Feed revamp
Posted 15-Jan-2018 13:15


Australian Government contract awarded to Datacom Connect
Posted 11-Jan-2018 08:37


Why New Zealand needs a chief technology officer
Posted 6-Jan-2018 13:59


Amazon release Silk Browser and Firefox for Fire TV
Posted 21-Dec-2017 13:42


New Chief Technology Officer role created
Posted 19-Dec-2017 22:18


All I want for Christmas is a new EV
Posted 19-Dec-2017 19:54


How clever is this: AI will create 2.3 million jobs by 2020
Posted 19-Dec-2017 19:52



Geekzone Live »

Try automatic live updates from Geekzone directly in your browser, without refreshing the page, with Geekzone Live now.



Are you subscribed to our RSS feed? You can download the latest headlines and summaries from our stories directly to your computer or smartphone by using a feed reader.

Alternatively, you can receive a daily email with Geekzone updates.