Geekzone: technology news, blogs, forums
Guest
Welcome Guest.
You haven't logged in yet. If you don't have an account you can register now.
ForumsOff topicMercury Energy - poor security and user password practices


13841 posts

Uber Geek
+1 received by user: 2451

Trusted
Subscriber

Topic # 87833 8-Aug-2011 15:18
Send private message

I just got an email from Mercury Energy telling me my bills were now being sent to me online. They're already told me a couple of weeks back, so the email was pointless.

Of course I changed my password the first time I logged on. In this second welcome email they were kind enough to email me the password I chose. Since they can do this it suggest that either the password is stored in clear text. It's possible that they store it encrypted in the database then email it to you, but both are poor security practice. Storing the password hash is far preferable, if the user forgets their password a new one can be sent.

When I first tried to sign up to get my Mercury bills online on 26 July this year their website security certificate had expired. I think they've fixed it now, but here are the details of that one.

Details:
The certificate is only valid for the following names:
  *.24hours.co.nz , 24hours.co.nz 
The certificate expired on 14/01/2011 12:59 p.m.. The current time is 26/07/2011 1:55 p.m..

It looks like the certificate was expired for 5 months before I pointed it out and they fixed it. I have no idea what that 24hours domain is, but that's the message I got, I was on mercury.co.nz at the time.


Overall the impression I have of Mercury energy is of incompetence and lack of attention to security. I'll be moving my business away from them.




AWS Certified Solution Architect Professional, Sysop Administrator Associate, and Developer Associate
TOGAF certified enterprise architect
Professional photographer

View this topic in a long page with up to 500 replies per page Create new topic
 1 | 2
42 posts

Geek

Trusted
Powershop

  Reply # 503383 8-Aug-2011 15:29
Send private message

Come on over to Powershop. All of our business is done online and we do not store passwords in plain text nor would we email them. Hey, you might even save some money too :)

(disclosure: I am the CEO at Powershop)

42 posts

Geek

Trusted
Powershop

  Reply # 503385 8-Aug-2011 15:31
Send private message

Oh, and we don't use dodgy SSL certificates :)

xpd

The Overrated Raccoons
8747 posts

Uber Geek
+1 received by user: 1275

Mod Emeritus
Trusted
Lifetime subscriber

  Reply # 503387 8-Aug-2011 15:32
Send private message

So many companies have poor security, not just online.
When I first moved in with my wife, she was working from home and had a monitored alarm - she was the only name on the account.
We set it off one day by accident and 5 mins later the phone rung, it was the security company (at least they called within minutes). I took the call and explained we had set off the alarm by accident. That was it. No query who I was or if the account holder was even there which they were suppose to do as they required (or so they claimed when she signed up) a secret PIN only the account holder would know.

Complaints to them about this later went unanswered.... pity I cant remember which company it was.




XPD / Gavin / DemiseNZ

 

For Free Games, Geekiness and Reviews, visit :

 

Home Of The Overrated Raccoons

 

Battlenet : XPD#11535    Origin/Steam/Epic/Uplay : xpdnz

 

Sea of Thieves Down Under

Stu

Hammered
4924 posts

Uber Geek
+1 received by user: 1024

Moderator
Trusted
Lifetime subscriber

  Reply # 503388 8-Aug-2011 15:32
Send private message

Unfortunately Mercury offer us the best deal according to the online calculators, so we'll have to put up with the dodgy security. If anyone wants to access my account and pay my bill, who am I to complain?

152 posts

Master Geek


  Reply # 503394 8-Aug-2011 15:47
Send private message

Contact just did the same thing with me. Sent my username and password 'hint'... Im staying with them for the 22% discount with online billing, for the remaining few months Im here in NZ.

Selling up before Christmas, anyone looking for a 5yr old 2 bed Townhouse, warm, dry (dvs), safe and extremely comfortable standalone on a low maint. full sun, full sized section, down Greymouth way.. Yell. Yes I know I have a cheek adding this here but hey, anything goes when it comes to the crunch. :)



13841 posts

Uber Geek
+1 received by user: 2451

Trusted
Subscriber

  Reply # 503401 8-Aug-2011 15:59
Send private message

It's not a serious problem in itself, and there aren't really any immediately obvious bad consequences from it, but I just don't like it. It's just bad security. People who reuse passwords should probably be more concerned.

I looked at Powershop, but for me Mercury was cheaper. Meridian was cheaper again, and now I have a reason to move. Powershop might end up cheaper if you actively manage your account and grab specials, but I just can't be bothered doing that sort of thing. It's all the same power, it all comes the same way, I find the idea of competition between retailers about who gets to bill us quite silly. Sure the competition might drive prices down, but the duplicated resources between companies drive the prices up overall.




AWS Certified Solution Architect Professional, Sysop Administrator Associate, and Developer Associate
TOGAF certified enterprise architect
Professional photographer

42 posts

Geek

Trusted
Powershop

  Reply # 503416 8-Aug-2011 16:18
Send private message

@Timmmay: we (Powershop) are currently running a $100 savings guarantee that you might like to check out.

6314 posts

Uber Geek
+1 received by user: 380

Moderator
Trusted
Lifetime subscriber

  Reply # 503423 8-Aug-2011 16:25
Send private message

timmmay: Overall the impression I have of Mercury energy is of incompetence and lack of attention to security. I'll be moving my business away from them.


If I may play devil's advocate, what's the worst someone could do if they got into your account - pay your bill for you?



13841 posts

Uber Geek
+1 received by user: 2451

Trusted
Subscriber

  Reply # 503424 8-Aug-2011 16:26
Send private message

deepthought: @Timmmay: we (Powershop) are currently running a $100 savings guarantee that you might like to check out.


Thanks for the tip, i'll have a proper read of that later. The whole active management thing seems annoying, and passively Meridian was cheaper for me last time I looked, but I like the idea so i'll consider it :)




AWS Certified Solution Architect Professional, Sysop Administrator Associate, and Developer Associate
TOGAF certified enterprise architect
Professional photographer



13841 posts

Uber Geek
+1 received by user: 2451

Trusted
Subscriber

  Reply # 503425 8-Aug-2011 16:27
Send private message

nate:
timmmay: Overall the impression I have of Mercury energy is of incompetence and lack of attention to security. I'll be moving my business away from them.


If I may play devil's advocate, what's the worst someone could do if they got into your account - pay your bill for you?


A lot of people use the same password for multiple things. Like I said above there's not much of a problem on this one, maybe people could cut your power off if they have your details, i'm not sure if there's enough information in the online system or not to call up and do that.




AWS Certified Solution Architect Professional, Sysop Administrator Associate, and Developer Associate
TOGAF certified enterprise architect
Professional photographer

42 posts

Geek

Trusted
Powershop

  Reply # 503448 8-Aug-2011 16:56
Send private message

timmmay:
deepthought: @Timmmay: we (Powershop) are currently running a $100 savings guarantee that you might like to check out.


Thanks for the tip, i'll have a proper read of that later. The whole active management thing seems annoying, and passively Meridian was cheaper for me last time I looked, but I like the idea so i'll consider it :)


You don't have to be active at all; you can "set and forget" and everything gets done for you, and we send weekly and monthly emails that contain quite a lot of info so you can get insights into your usage for very little effort. With the saving guarantee there's really not a lot of downside. Don't want this to sound like a hard sell, so I'll leave it to you to from here...



13841 posts

Uber Geek
+1 received by user: 2451

Trusted
Subscriber

  Reply # 503489 8-Aug-2011 18:44
Send private message

Thanks DT. I've been told PowerShop is best value if you actively manage your power, looking for specials, and according to the consumer calculator your estimated default rate isn't as good as Meridian. The $100 guarantee is interesting though.

I was trying to work out what I pay to Mercury today, but I can't find their price plans anywhere on their website, and i'm just coming off a 3 year fixed plan with them so it's not on my bill. If you type in your address they tell you what's available at your address and offer you an "online only" price plan, which is quite good value. Going into my account though you can't switch to that plan, it's only for new customers. Overall, i'm not impressed with Mercury.

Meridian or PowerShop it is!




AWS Certified Solution Architect Professional, Sysop Administrator Associate, and Developer Associate
TOGAF certified enterprise architect
Professional photographer

850 posts

Ultimate Geek
+1 received by user: 125

Trusted

  Reply # 503516 8-Aug-2011 19:42
Send private message

timmmay: Meridian or PowerShop it is!


Same people, different way of paying!

42 posts

Geek

Trusted
Powershop

  Reply # 503521 8-Aug-2011 19:51
Send private message

timmmay: Meridian or PowerShop it is!


Spoilt for choice :P 



13841 posts

Uber Geek
+1 received by user: 2451

Trusted
Subscriber

  Reply # 503543 8-Aug-2011 20:26
Send private message

The Meridian packs are confusing, I have no idea what they're about. They seem to have different payment options, different levels of on time payment discount, some only let you get your bill online, and some mention fixed price periods. I suspect the rates are the same for each pack. I bet the whole pack thing has put plenty of people off joining.

Does anyone know what the packs are for? I just want the standard rates, I pay on time by direct debit, and I don't need a fix price pack. Their call centre's closed right now. I suspect the Really Simple pack is what I need, but I don't know what the pack concept is about so i'm not sure.




AWS Certified Solution Architect Professional, Sysop Administrator Associate, and Developer Associate
TOGAF certified enterprise architect
Professional photographer

 1 | 2
View this topic in a long page with up to 500 replies per page Create new topic

Twitter »

Follow us to receive Twitter updates when new discussions are posted in our forums:



Follow us to receive Twitter updates when news items and blogs are posted in our frontpage:



Follow us to receive Twitter updates when tech item prices are listed in our price comparison site:





News »

IBM leads Call for Code to use cloud, data, AI, blockchain for natural disaster relief
Posted 25-May-2018 14:12

New FUJIFILM X-T100 aims to do better job than smartphones
Posted 24-May-2018 20:17

Stuff takes 100% ownership of Stuff Fibre
Posted 24-May-2018 19:41

Exhibition to showcase digital artwork from across the globe
Posted 23-May-2018 16:44

Auckland tops list of most vulnerable cities in a zombie apocalypse
Posted 23-May-2018 12:52

ASB first bank in New Zealand to step out with Garmin Pay
Posted 23-May-2018 00:10

Umbrellar becomes Microsoft Cloud Solution Provider
Posted 22-May-2018 15:43

Three New Zealand projects shortlisted in IDC Asia Pacific Smart Cities Awards
Posted 22-May-2018 15:14

UpStarters - the New Zealand tech and innovation story
Posted 21-May-2018 09:55

Lightbox updates platform with new streaming options
Posted 17-May-2018 13:09

Norton Core router launches with high-performance, IoT security in New Zealand
Posted 16-May-2018 02:00

D-Link ANZ launches new 4G LTE Dual SIM M2M VPN Router
Posted 15-May-2018 19:30

New Panasonic LUMIX FT7 ideal for outdoor: waterproof, dustproof
Posted 15-May-2018 19:17

Ryanair Goes All-In on AWS
Posted 15-May-2018 19:14

Te Papa and EQC Minecraft Mod shakes up earthquake education
Posted 15-May-2018 19:12


Geekzone Live »

Try automatic live updates from Geekzone directly in your browser, without refreshing the page, with Geekzone Live now.


Updates »

Are you subscribed to our RSS feed? You can download the latest headlines and summaries from our stories directly to your computer or smartphone by using a feed reader.

Alternatively, you can receive a daily email with Geekzone updates.