Mercury Energy - poor security and user password practices

Forums › Off topic › Mercury Energy - poor security and user password practices

timmmay

14058 posts

Uber Geek
+1 received by user: 2513

Trusted

Subscriber

Topic # 87833 8-Aug-2011 15:18

I just got an email from Mercury Energy telling me my bills were now being sent to me online. They're already told me a couple of weeks back, so the email was pointless.

Of course I changed my password the first time I logged on. In this second welcome email they were kind enough to email me the password I chose. Since they can do this it suggest that either the password is stored in clear text. It's possible that they store it encrypted in the database then email it to you, but both are poor security practice. Storing the password hash is far preferable, if the user forgets their password a new one can be sent.

When I first tried to sign up to get my Mercury bills online on 26 July this year their website security certificate had expired. I think they've fixed it now, but here are the details of that one.

Details:
The certificate is only valid for the following names:
*.24hours.co.nz , 24hours.co.nz
The certificate expired on 14/01/2011 12:59 p.m.. The current time is 26/07/2011 1:55 p.m..

It looks like the certificate was expired for 5 months before I pointed it out and they fixed it. I have no idea what that 24hours domain is, but that's the message I got, I was on mercury.co.nz at the time.

Overall the impression I have of Mercury energy is of incompetence and lack of attention to security. I'll be moving my business away from them.

AWS Certified Solution Architect Professional, Sysop Administrator Associate, and Developer Associate
TOGAF certified enterprise architect
Professional photographer

1 | 2

42 posts

Geek

Trusted

Powershop

Reply # 503383 8-Aug-2011 15:29

Come on over to Powershop. All of our business is done online and we do not store passwords in plain text nor would we email them. Hey, you might even save some money too :)

(disclosure: I am the CEO at Powershop)

deepthought

42 posts

Geek

Trusted

Powershop

Reply # 503385 8-Aug-2011 15:31

Oh, and we don't use dodgy SSL certificates :)

xpd

Chief Trash Bandit
8846 posts

Uber Geek
+1 received by user: 1303

Mod Emeritus

Trusted

Lifetime subscriber

Reply # 503387 8-Aug-2011 15:32

So many companies have poor security, not just online.
When I first moved in with my wife, she was working from home and had a monitored alarm - she was the only name on the account.
We set it off one day by accident and 5 mins later the phone rung, it was the security company (at least they called within minutes). I took the call and explained we had set off the alarm by accident. That was it. No query who I was or if the account holder was even there which they were suppose to do as they required (or so they claimed when she signed up) a secret PIN only the account holder would know.

Complaints to them about this later went unanswered.... pity I cant remember which company it was.

XPD / Gavin / DemiseNZ

For Free Games, Geekiness and Reviews, visit :

Home Of The Overrated Raccoons

Battlenet : XPD#11535 Origin/Steam/Epic/Uplay : xpdnz

Stu

Hammered
5045 posts

Uber Geek
+1 received by user: 1062

Moderator

Trusted

Lifetime subscriber

Reply # 503388 8-Aug-2011 15:32

Unfortunately Mercury offer us the best deal according to the online calculators, so we'll have to put up with the dodgy security. If anyone wants to access my account and pay my bill, who am I to complain?

SandyJ

152 posts

Master Geek

Reply # 503394 8-Aug-2011 15:47

Contact just did the same thing with me. Sent my username and password 'hint'... Im staying with them for the 22% discount with online billing, for the remaining few months Im here in NZ.

Selling up before Christmas, anyone looking for a 5yr old 2 bed Townhouse, warm, dry (dvs), safe and extremely comfortable standalone on a low maint. full sun, full sized section, down Greymouth way.. Yell. Yes I know I have a cheek adding this here but hey, anything goes when it comes to the crunch. :)

timmmay

14058 posts

Uber Geek
+1 received by user: 2513

Trusted

Subscriber

Reply # 503401 8-Aug-2011 15:59

It's not a serious problem in itself, and there aren't really any immediately obvious bad consequences from it, but I just don't like it. It's just bad security. People who reuse passwords should probably be more concerned.

I looked at Powershop, but for me Mercury was cheaper. Meridian was cheaper again, and now I have a reason to move. Powershop might end up cheaper if you actively manage your account and grab specials, but I just can't be bothered doing that sort of thing. It's all the same power, it all comes the same way, I find the idea of competition between retailers about who gets to bill us quite silly. Sure the competition might drive prices down, but the duplicated resources between companies drive the prices up overall.

AWS Certified Solution Architect Professional, Sysop Administrator Associate, and Developer Associate
TOGAF certified enterprise architect
Professional photographer

deepthought

42 posts

Geek

Trusted

Powershop

Reply # 503416 8-Aug-2011 16:18

@Timmmay: we (Powershop) are currently running a $100 savings guarantee that you might like to check out.

nate

6319 posts

Uber Geek
+1 received by user: 382

Moderator

Trusted

Lifetime subscriber

Reply # 503423 8-Aug-2011 16:25

timmmay: Overall the impression I have of Mercury energy is of incompetence and lack of attention to security. I'll be moving my business away from them.

If I may play devil's advocate, what's the worst someone could do if they got into your account - pay your bill for you?

timmmay

14058 posts

Uber Geek
+1 received by user: 2513

Trusted

Subscriber

Reply # 503424 8-Aug-2011 16:26

deepthought: @Timmmay: we (Powershop) are currently running a $100 savings guarantee that you might like to check out.

Thanks for the tip, i'll have a proper read of that later. The whole active management thing seems annoying, and passively Meridian was cheaper for me last time I looked, but I like the idea so i'll consider it :)

AWS Certified Solution Architect Professional, Sysop Administrator Associate, and Developer Associate
TOGAF certified enterprise architect
Professional photographer

timmmay

14058 posts

Uber Geek
+1 received by user: 2513

Trusted

Subscriber

Reply # 503425 8-Aug-2011 16:27

nate:
timmmay: Overall the impression I have of Mercury energy is of incompetence and lack of attention to security. I'll be moving my business away from them.

If I may play devil's advocate, what's the worst someone could do if they got into your account - pay your bill for you?

A lot of people use the same password for multiple things. Like I said above there's not much of a problem on this one, maybe people could cut your power off if they have your details, i'm not sure if there's enough information in the online system or not to call up and do that.

AWS Certified Solution Architect Professional, Sysop Administrator Associate, and Developer Associate
TOGAF certified enterprise architect
Professional photographer

deepthought

42 posts

Geek

Trusted

Powershop

Reply # 503448 8-Aug-2011 16:56

timmmay:
deepthought: @Timmmay: we (Powershop) are currently running a $100 savings guarantee that you might like to check out.

Thanks for the tip, i'll have a proper read of that later. The whole active management thing seems annoying, and passively Meridian was cheaper for me last time I looked, but I like the idea so i'll consider it :)

You don't have to be active at all; you can "set and forget" and everything gets done for you, and we send weekly and monthly emails that contain quite a lot of info so you can get insights into your usage for very little effort. With the saving guarantee there's really not a lot of downside. Don't want this to sound like a hard sell, so I'll leave it to you to from here...

timmmay

14058 posts

Uber Geek
+1 received by user: 2513

Trusted

Subscriber

Reply # 503489 8-Aug-2011 18:44

Thanks DT. I've been told PowerShop is best value if you actively manage your power, looking for specials, and according to the consumer calculator your estimated default rate isn't as good as Meridian. The $100 guarantee is interesting though.

I was trying to work out what I pay to Mercury today, but I can't find their price plans anywhere on their website, and i'm just coming off a 3 year fixed plan with them so it's not on my bill. If you type in your address they tell you what's available at your address and offer you an "online only" price plan, which is quite good value. Going into my account though you can't switch to that plan, it's only for new customers. Overall, i'm not impressed with Mercury.

Meridian or PowerShop it is!

AWS Certified Solution Architect Professional, Sysop Administrator Associate, and Developer Associate
TOGAF certified enterprise architect
Professional photographer

knoydart

852 posts

Ultimate Geek
+1 received by user: 128

Trusted

Reply # 503516 8-Aug-2011 19:42

timmmay: Meridian or PowerShop it is!

Same people, different way of paying!

deepthought

42 posts

Geek

Trusted

Powershop

Reply # 503521 8-Aug-2011 19:51

timmmay: Meridian or PowerShop it is!

Spoilt for choice :P

timmmay

14058 posts

Uber Geek
+1 received by user: 2513

Trusted

Subscriber

Reply # 503543 8-Aug-2011 20:26

The Meridian packs are confusing, I have no idea what they're about. They seem to have different payment options, different levels of on time payment discount, some only let you get your bill online, and some mention fixed price periods. I suspect the rates are the same for each pack. I bet the whole pack thing has put plenty of people off joining.

Does anyone know what the packs are for? I just want the standard rates, I pay on time by direct debit, and I don't need a fix price pack. Their call centre's closed right now. I suspect the Really Simple pack is what I need, but I don't know what the pack concept is about so i'm not sure.

AWS Certified Solution Architect Professional, Sysop Administrator Associate, and Developer Associate
TOGAF certified enterprise architect
Professional photographer

1 | 2