Geekzone: technology news, blogs, forums
Guest
Welcome Guest.
You haven't logged in yet. If you don't have an account you can register now.


3832 posts

Uber Geek
+1 received by user: 234

Trusted

Topic # 96914 7-Feb-2012 14:05
Send private message



Rang subway , because I accidentally logged out of their windows phone version of the app and my subcard would not register inside the main subway app after logging in. I logged in via the subway website and it would not accept my subcard number and the 4 digit access code that is printed on the card. The app told me to ring an 0800 SUBCRD number to troubleshoot the subcard regisitration for the app and on the main subway website itself.


CSR picked up, asked me to spell out my full name and date of birth. Puts me on hold for a few minutes, comes back to me and said that the password I set for my subcard registration was xxxxxxxx. It then came to my mind that I must have changed by subcard password from their standard 4 digit access code to something different. I told the lady that this is very poor security from subway's end that you can see a user's password instead of only having the option to just reset it. She said this is normal.

I am sure this is not normal. Have my full name, DOB, password and my registered email address. Go for gold subway staff. Go for gold. 

     

ps - Luckily 90+% of my sites are controlled via lastpass with a random password. However for certain sites that I consider to be low risk, I go for a common password that I remember which in this case was the subcard password. My main subway account password was totally random and maybe subway staff can prob see that too but I am not sure about that one.    





Do whatever you want to do man.

  

Create new topic
Phil Gale
1107 posts

Uber Geek
+1 received by user: 44

Trusted
Red Jungle
Subscriber

  Reply # 578208 7-Feb-2012 14:14
Send private message

You're right. It's no longer 'normal' practice to store passwords in plain text. Its a sign of a very poor security infrastructure / culture.

But sadly it still happens all to often.




Red Jungle: we make fantastic software

RSS  Twitter  Facebook  Skype

1710 posts

Uber Geek
+1 received by user: 169

Trusted

  Reply # 578209 7-Feb-2012 14:14
Send private message

That's shocking! Someone needs to educate Subway.

Phil Gale
1107 posts

Uber Geek
+1 received by user: 44

Trusted
Red Jungle
Subscriber

  Reply # 578218 7-Feb-2012 14:26
Send private message

defnz: I'd understand the rant if it were for something like a credit card, not a worthless subcard


Yes and no. The issue is larger than it appears. Users re-use passwords all the time (they shouldn't but the brutal reality is that they do, consistently). So if subway has a breach of their database at some point, and all those users details and passwords are compromised, there's a very high probability that you could take those details and start logging into other services such as facebook, gmail etc. and then gleam all sorts of other interesting details about other services of greater value for example.

[Edit: Oh, post I quoted got removed :(]




Red Jungle: we make fantastic software

RSS  Twitter  Facebook  Skype

956 posts

Ultimate Geek
+1 received by user: 346
Inactive user


  Reply # 578220 7-Feb-2012 14:33
Send private message

I reread his rant and realised what you've just pointed out

Create new topic

Twitter »

Follow us to receive Twitter updates when new discussions are posted in our forums:



Follow us to receive Twitter updates when news items and blogs are posted in our frontpage:



Follow us to receive Twitter updates when tech item prices are listed in our price comparison site:



Geekzone Live »

Try automatic live updates from Geekzone directly in your browser, without refreshing the page, with Geekzone Live now.



Are you subscribed to our RSS feed? You can download the latest headlines and summaries from our stories directly to your computer or smartphone by using a feed reader.

Alternatively, you can receive a daily email with Geekzone updates.