Geekzone: technology news, blogs, forums
freitasm
  #1306244 16-May-2015 12:00

There is no good excuse for passwords to be visible. Even for support. Worst case, reset password with a notification to owner so even then CSRs don't see them.
ajobbins
  #1306248 16-May-2015 12:38

freitasm: There is no good excuse for passwords to be visible. Even for support. Worst case, reset password with a notification to owner so even then CSRs don't see them.


This x1000. People often reuse passwords all over the place, and this is a huge fraud opportunity for a less than honest CSR.

And the fact that the password is visible to the CSR in the first place indicates it's likely not encrypted. If your database gets hacked and someone makes off with all the email addresses and passwords....




Twitter: ajobbins


quickymart
  #1306250 16-May-2015 12:42

Demeter:
freitasm: Two words: social engineering.



Hmm... I hear what you're saying, but if the person has such a vested interest and knows enough personal details to pass security checks so they can get an email password, for example, I'm sure they can get the info regardless of whether they are speaking to someone on the phone or using an automated system to retrieve it. Not allowing CSRs to see passwords has so many downsides (support-wise) that I don't even know where to begin.

I can't see a user's password in my role. But we have a policy of resetting it and e-mailing it to the registered address, which works quite well. If the address needs updating, they send us an e-mail to let us know what the new one is and we update it (after confirming it's all above board).



BarTender
  #1306252 16-May-2015 12:47

ajobbins:
freitasm: There is no good excuse for passwords to be visible. Even for support. Worst case, reset password with a notification to owner so even then CSRs don't see them.


This x1000. People often reuse passwords all over the place, and this is a huge fraud opportunity for a less than honest CSR.

And the fact that the password is visible to the CSR in the first place indicates it's likely not encrypted. If your database gets hacked and someone makes off with all the email addresses and passwords....


This ×400000 times. Not encrypting your password database is asking for trouble from a less honest CSR or network admin. It's not like there aren't plenty of examples of why non-encrypted passwords are bad. As someone whose day job is protecting exactly these sorts of credentials, I find it yet another reason to never be a Vodafone customer.

I don't really look forward to Vodafone NZ joining the likes of Adobe and LinkedIn but only worse since they aren't even hashed.

Lesigh.

Rikkitic
  #1306284 16-May-2015 13:26

I would not be happy receiving an important password by email, even if it is secure. Forum logins okay, they can be quickly changed, but not anything involving money.





Plesse igmore amd axxept applogies in adbance fir anu typos
BlakJak
  #1306642 17-May-2015 14:36

Receiving a password that has been reset and can rapidly be changed again is different from being emailed your current password. One is OK (but far from perfect); the other is certainly poor practice.




No signature to see here, move along...
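As an added illustration of the two points made in this thread (keep only salted hashes so neither a CSR nor someone who steals the database can read a password, and let support trigger a reset that goes to the owner rather than view anything), here is example Python that is not from any of the posters or from Vodafone; the PBKDF2 iteration count, the in-memory user table and the send_to_owner callback are assumptions.

```python
import hashlib
import hmac
import os
import secrets

# Constructed in-memory user table for the example. Only a salt and a
# PBKDF2 hash are kept per account; the password itself is never stored.
USERS = {}
PBKDF2_ITERATIONS = 200_000  # assumed work factor for this example

def _hash(password, salt):
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERATIONS)

def register(email, password):
    salt = os.urandom(16)
    USERS[email] = {"salt": salt, "hash": _hash(password, salt), "reset": None}

def verify(email, password):
    rec = USERS.get(email)
    if rec is None:
        return False
    # Constant-time comparison of the recomputed hash against the stored one.
    return hmac.compare_digest(_hash(password, rec["salt"]), rec["hash"])

def csr_view(email):
    """Everything a support agent's screen can show: no password field exists."""
    rec = USERS[email]
    return {"email": email, "reset_pending": rec["reset"] is not None}

def csr_initiate_reset(email, send_to_owner):
    """Support can only trigger a reset. The one-time token goes straight to
    the registered address via send_to_owner(email, token); the agent never
    sees it, and only a hash of it is stored."""
    token = secrets.token_urlsafe(32)
    USERS[email]["reset"] = hashlib.sha256(token.encode()).digest()
    send_to_owner(email, token)

def complete_reset(email, token, new_password):
    """Owner redeems the token once and chooses a new password."""
    rec = USERS.get(email)
    if rec is None or rec["reset"] is None:
        return False
    if not hmac.compare_digest(hashlib.sha256(token.encode()).digest(), rec["reset"]):
        return False
    salt = os.urandom(16)  # fresh salt for the new password
    rec.update(salt=salt, hash=_hash(new_password, salt), reset=None)
    return True
```

Because the stored reset value is itself a hash and is cleared on use, a leaked table exposes neither passwords nor a usable reset token.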
