

14138 posts

Uber Geek
+1 received by user: 2545

Trusted
Subscriber

Topic # 87833 8-Aug-2011 15:18

I just got an email from Mercury Energy telling me my bills were now being sent to me online. They'd already told me a couple of weeks back, so the email was pointless.

Of course I changed my password the first time I logged on. In this second welcome email they were kind enough to email me the password I chose. Since they can do this it suggests that either the password is stored in clear text. It's possible that they store it encrypted in the database then email it to you, but both are poor security practice. Storing the password hash is far preferable; if the user forgets their password a new one can be sent.

When I first tried to sign up to get my Mercury bills online on 26 July this year their website security certificate had expired. I think they've fixed it now, but here are the details of that one.

Details:
The certificate is only valid for the following names:
  *.24hours.co.nz , 24hours.co.nz 
The certificate expired on 14/01/2011 12:59 p.m.. The current time is 26/07/2011 1:55 p.m..


It looks like the certificate was expired for 5 months before I pointed it out and they fixed it. I have no idea what that 24hours domain is, but that's the message I got, I was on mercury.co.nz at the time.


Overall the impression I have of Mercury energy is of incompetence and lack of attention to security. I'll be moving my business away from them.




AWS Certified Solution Architect Professional, Sysop Administrator Associate, and Developer Associate
TOGAF certified enterprise architect
Professional photographer


42 posts

Geek

Trusted
Powershop

  Reply # 503383 8-Aug-2011 15:29

Come on over to Powershop. All of our business is done online and we do not store passwords in plain text nor would we email them. Hey, you might even save some money too :)

(disclosure: I am the CEO at Powershop)

42 posts

Geek

Trusted
Powershop

  Reply # 503385 8-Aug-2011 15:31

Oh, and we don't use dodgy SSL certificates :)

xpd

Chief Trash Bandit
8977 posts

Uber Geek
+1 received by user: 1380

Mod Emeritus
Trusted
Lifetime subscriber

  Reply # 503387 8-Aug-2011 15:32

So many companies have poor security, not just online.
When I first moved in with my wife, she was working from home and had a monitored alarm - she was the only name on the account.
We set it off one day by accident and 5 mins later the phone rang, it was the security company (at least they called within minutes). I took the call and explained we had set off the alarm by accident. That was it. No query who I was or if the account holder was even there, which they were supposed to do as they required (or so they claimed when she signed up) a secret PIN only the account holder would know.

Complaints to them about this later went unanswered.... pity I can't remember which company it was.




XPD / Gavin / DemiseNZ

 

For Free Games, Geekiness and Reviews, visit :

 

Home Of The Overrated Raccoons

 

Battlenet : XPD#11535    Origin/Steam/Epic/Uplay : xpdnz


Stu

Hammered
5066 posts

Uber Geek
+1 received by user: 1067

Moderator
Trusted
Lifetime subscriber

  Reply # 503388 8-Aug-2011 15:32

Unfortunately Mercury offer us the best deal according to the online calculators, so we'll have to put up with the dodgy security. If anyone wants to access my account and pay my bill, who am I to complain?

152 posts

Master Geek


  Reply # 503394 8-Aug-2011 15:47

Contact just did the same thing with me. Sent my username and password 'hint'... I'm staying with them for the 22% discount with online billing, for the remaining few months I'm here in NZ.

Selling up before Christmas, anyone looking for a 5yr old 2 bed Townhouse, warm, dry (dvs), safe and extremely comfortable standalone on a low maint. full sun, full sized section, down Greymouth way.. Yell. Yes I know I have a cheek adding this here but hey, anything goes when it comes to the crunch. :)



14138 posts

Uber Geek
+1 received by user: 2545

Trusted
Subscriber

  Reply # 503401 8-Aug-2011 15:59

It's not a serious problem in itself, and there aren't really any immediately obvious bad consequences from it, but I just don't like it. It's just bad security. People who reuse passwords should probably be more concerned.

I looked at Powershop, but for me Mercury was cheaper. Meridian was cheaper again, and now I have a reason to move. Powershop might end up cheaper if you actively manage your account and grab specials, but I just can't be bothered doing that sort of thing. It's all the same power, it all comes the same way, I find the idea of competition between retailers about who gets to bill us quite silly. Sure the competition might drive prices down, but the duplicated resources between companies drive the prices up overall.






42 posts

Geek

Trusted
Powershop

  Reply # 503416 8-Aug-2011 16:18

@Timmmay: we (Powershop) are currently running a $100 savings guarantee that you might like to check out.

6328 posts

Uber Geek
+1 received by user: 391

Moderator
Trusted
Lifetime subscriber

  Reply # 503423 8-Aug-2011 16:25

timmmay: Overall the impression I have of Mercury energy is of incompetence and lack of attention to security. I'll be moving my business away from them.


If I may play devil's advocate, what's the worst someone could do if they got into your account - pay your bill for you?



14138 posts

Uber Geek
+1 received by user: 2545

Trusted
Subscriber

  Reply # 503424 8-Aug-2011 16:26

deepthought: @Timmmay: we (Powershop) are currently running a $100 savings guarantee that you might like to check out.


Thanks for the tip, I'll have a proper read of that later. The whole active management thing seems annoying, and passively Meridian was cheaper for me last time I looked, but I like the idea so I'll consider it :)








14138 posts

Uber Geek
+1 received by user: 2545

Trusted
Subscriber

  Reply # 503425 8-Aug-2011 16:27

nate:
timmmay: Overall the impression I have of Mercury energy is of incompetence and lack of attention to security. I'll be moving my business away from them.


If I may play devil's advocate, what's the worst someone could do if they got into your account - pay your bill for you?


A lot of people use the same password for multiple things. Like I said above there's not much of a problem on this one, maybe people could cut your power off if they have your details, I'm not sure if there's enough information in the online system or not to call up and do that.






42 posts

Geek

Trusted
Powershop

  Reply # 503448 8-Aug-2011 16:56

timmmay:
deepthought: @Timmmay: we (Powershop) are currently running a $100 savings guarantee that you might like to check out.


Thanks for the tip, I'll have a proper read of that later. The whole active management thing seems annoying, and passively Meridian was cheaper for me last time I looked, but I like the idea so I'll consider it :)


You don't have to be active at all; you can "set and forget" and everything gets done for you, and we send weekly and monthly emails that contain quite a lot of info so you can get insights into your usage for very little effort. With the saving guarantee there's really not a lot of downside. Don't want this to sound like a hard sell, so I'll leave it to you from here...



14138 posts

Uber Geek
+1 received by user: 2545

Trusted
Subscriber

  Reply # 503489 8-Aug-2011 18:44

Thanks DT. I've been told PowerShop is best value if you actively manage your power, looking for specials, and according to the consumer calculator your estimated default rate isn't as good as Meridian. The $100 guarantee is interesting though.

I was trying to work out what I pay to Mercury today, but I can't find their price plans anywhere on their website, and I'm just coming off a 3 year fixed plan with them so it's not on my bill. If you type in your address they tell you what's available at your address and offer you an "online only" price plan, which is quite good value. Going into my account though you can't switch to that plan, it's only for new customers. Overall, I'm not impressed with Mercury.

Meridian or PowerShop it is!






857 posts

Ultimate Geek
+1 received by user: 131

Trusted

  Reply # 503516 8-Aug-2011 19:42

timmmay: Meridian or PowerShop it is!


Same people, different way of paying!

42 posts

Geek

Trusted
Powershop

  Reply # 503521 8-Aug-2011 19:51

timmmay: Meridian or PowerShop it is!


Spoilt for choice :P 



14138 posts

Uber Geek
+1 received by user: 2545

Trusted
Subscriber

  Reply # 503543 8-Aug-2011 20:26

The Meridian packs are confusing, I have no idea what they're about. They seem to have different payment options, different levels of on time payment discount, some only let you get your bill online, and some mention fixed price periods. I suspect the rates are the same for each pack. I bet the whole pack thing has put plenty of people off joining.

Does anyone know what the packs are for? I just want the standard rates, I pay on time by direct debit, and I don't need a fixed price pack. Their call centre's closed right now. I suspect the Really Simple pack is what I need, but I don't know what the pack concept is about so I'm not sure.





