Poor password security from TAB

Forums › Off topic › Poor password security from TAB

samsam

167 posts

Master Geek

#133830 4-Nov-2013 13:55

Just, gave the TAB a call, so I could place a bet on tonight a-league game. Lady on the phone asks me some questions then reads out my password over the phone.

Is this normal practice for a company to be able to access your password? I was under the impression that there was some sort of one-way process... I'm not sure if I want to give TAB my credit card details anymore

sidefx

3711 posts

Uber Geek

Trusted

#927015 4-Nov-2013 14:10

That's extremely bad practice (ideally it should be a one way hash of some kind, properly salted, etc,etc) but probably not as uncommon as you might hope...

Credit cards should, in theory, be a different kettle of fish, with PCI compliance requirements and so on.

"I was born not knowing and have had only a little time to change that here and there." | Octopus Energy | Sharesies
- Richard Feynman

reven

3743 posts

Uber Geek

Trusted

#927044 4-Nov-2013 15:14

you would be surprised how many forums/sites don't 1 way hash/protect passwords. personally i have a bunch of passwords I use depending on the level I care for the site, if its something stupid like pizza hut (who dont have my CC details), ill just use my generic "stupidpassword" (well not that, but a stupid password).

even with md5/sha1 etc you can reverse them some what easily and quickly thanks to cloud computing, bcrypt is a lot safer to use.

samsam

167 posts

Master Geek

#927046 4-Nov-2013 15:17

Wouldn't my account need to have some information to access the cc details that I keep on there. So in theory if someone was able to access my password then they could use my cc, at least on that site.

If this is common practice, is there any information on what sites do one way hashing

sidefx

3711 posts

Uber Geek

Trusted

#927116 4-Nov-2013 17:00

I'm not sure how TAB is setup. They may use a 3rd party payment gateway and store a token on their system from the payment gateway, where the token allows them to reuse your CC via the payment gateway without storing the CC details on their system.

But as you say it's possible, depending on how their process works, that someone might be able to use your CC details through the TAB system (if it remembers your CC details for subsequent bets?) but I'd say it's very unlikely. And if they did it's fairly likely they'd be caught depending on what options TAB offers to withdraw your winnings.

I generally deselect options to "store my credit card details for use later" when making payments online though... I'm fine with just re-entering it each time.

I doubt there's a list of sites that don't one-way hash passwords. In many cases you as the user won't know they're doing this unless said site does something like email you the password. As a user, you should probably try use different passwords for different sites. Maybe use something like keepass to manage them. And use 2-factor authentication where available, especially on your email which can be used to reset all your passwords ;-)

"I was born not knowing and have had only a little time to change that here and there." | Octopus Energy | Sharesies
- Richard Feynman