Geekzone: technology news, blogs, forums
Guest
Welcome Guest.
You haven't logged in yet. If you don't have an account you can register now.


Forums2degrees (including Slingshot, Orcon, Flip, Stuff Fibre, MyRepublic, 2talk and Vocus)[Snap] Snap passwords not encrypted
View this topic in a long page with up to 500 replies per page Create new topic
1 | 2 | 3 
charsleysa
597 posts

Ultimate Geek


  #983238 10-Feb-2014 11:41
Send private message

Yes that is true, but we are also discussing the transit of PPP traffic in which the passwords are not encrypted so they route in which they travel is important as it is much more secure if Snap have a authentication server at the handover point, or securely VPN to the authentication server, before that unencrypted traffic hits the internet accessible network.




Regards
Stefan Andres Charsley



ubergeeknz
3344 posts

Uber Geek

Trusted
Vocus

  #983240 10-Feb-2014 11:49
Send private message

Given in most cases, port authentication is used anyway, what would someone have to gain from stealing your PPP password?  Seems like a lot of effort for very little.

edit: and of course the PPP traffic doesn't traverse the public internet, it's terminated to Snap or whichever ISP, and their auth server handles it.

charsleysa
597 posts

Ultimate Geek


  #983242 10-Feb-2014 11:56
Send private message

ubergeeknz: Given in most cases, port authentication is used anyway, what would someone have to gain from stealing your PPP password?  Seems like a lot of effort for very little.

edit: and of course the PPP traffic doesn't traverse the public internet, it's terminated to Snap or whichever ISP, and their auth server handles it.


And herein lies the answer to why Snap haven't bothered giving you separate passwords for your account and PPP login.




Regards
Stefan Andres Charsley



timmmay

20587 posts

Uber Geek

Trusted
Lifetime subscriber

  #983293 10-Feb-2014 13:22
Send private message

ubergeeknz: Given in most cases, port authentication is used anyway, what would someone have to gain from stealing your PPP password?  Seems like a lot of effort for very little.

edit: and of course the PPP traffic doesn't traverse the public internet, it's terminated to Snap or whichever ISP, and their auth server handles it.


As far as I can tell Snap customers have one password. Interception is far less likely IMHO than it being hacked or used by staff - no matter how well you vet people you can get a bad egg. If people reuse passwords (which is stupid but common) that could lead to bigger issues. It could let someone else use my bandwidth, and if Snap has a good customer portal it could give access to my payment details, home address etc.

So while what you say is true to some extent, think a little wider.

ubergeeknz
3344 posts

Uber Geek

Trusted
Vocus

  #983296 10-Feb-2014 13:29
Send private message

As I see it the problem here is twofold:

1. Users choosing their own PPP password - should be a secure password picked for them and provided to them, IMO
2. Using same password for account access - probably not a good idea, as has been established in this thread, PPP password is only *so* secure, by necessity.

mercutio
1392 posts

Uber Geek


  #983313 10-Feb-2014 13:48
Send private message

timmmay:
ubergeeknz: Given in most cases, port authentication is used anyway, what would someone have to gain from stealing your PPP password?  Seems like a lot of effort for very little.

edit: and of course the PPP traffic doesn't traverse the public internet, it's terminated to Snap or whichever ISP, and their auth server handles it.


As far as I can tell Snap customers have one password. Interception is far less likely IMHO than it being hacked or used by staff - no matter how well you vet people you can get a bad egg. If people reuse passwords (which is stupid but common) that could lead to bigger issues. It could let someone else use my bandwidth, and if Snap has a good customer portal it could give access to my payment details, home address etc.

So while what you say is true to some extent, think a little wider.


i think you'll notice pretty quickly if someone is using your password, as there'll be a simultaneous session limit.

a good customer portal doesn't expose payment details, but may address.  address is public knowledge though.

timmmay

20587 posts

Uber Geek

Trusted
Lifetime subscriber

  #983325 10-Feb-2014 14:15
Send private message

A good portal isn't vulnerable to SQL injection either, but that little trick hacks websites every day. Even if the credit card data isn't exposed in a portal it could still be sitting in the database, and could be discovered using simple SQL injection type techniques.

 
 
 
 

Move to New Zealand's best fibre broadband service (affiliate link). Free setup code: R587125ERQ6VE. Note that to use Quic Broadband you must be comfortable with configuring your own router.
eXDee
4032 posts

Uber Geek

Trusted

  #983433 10-Feb-2014 16:30
Send private message

mercutio:
timmmay:
ubergeeknz: Given in most cases, port authentication is used anyway, what would someone have to gain from stealing your PPP password?  Seems like a lot of effort for very little.

edit: and of course the PPP traffic doesn't traverse the public internet, it's terminated to Snap or whichever ISP, and their auth server handles it.


As far as I can tell Snap customers have one password. Interception is far less likely IMHO than it being hacked or used by staff - no matter how well you vet people you can get a bad egg. If people reuse passwords (which is stupid but common) that could lead to bigger issues. It could let someone else use my bandwidth, and if Snap has a good customer portal it could give access to my payment details, home address etc.

So while what you say is true to some extent, think a little wider.


i think you'll notice pretty quickly if someone is using your password, as there'll be a simultaneous session limit.

a good customer portal doesn't expose payment details, but may address.  address is public knowledge though.


Careful with dismissing data like address and other details as 'public'. While these can be very easy to get ahold of, if you gained several accounts worth of data with names, addresses, phone numbers, dates of birth, it allows a very easy starting base for fraud and social engineering attacks.
Just look at any of the high profile chained social engineering attacks where one company deems something 'public' and others consider it information to verify identity.

Snap's account portal shows account name, phone number, account number, billing email, direct debit info and account. You can obviously also access the primary email address attached to the account, and all the internet/voip self management tools too.

Not that I'm jumping into this debate, just adding a comment in regarding the value of such information.

timmmay

20587 posts

Uber Geek

Trusted
Lifetime subscriber

  #983504 10-Feb-2014 17:40
Send private message

A one or two character twitter handle was recently lost due to social engineering, paypal gave out the last four digits of a credit card and that was used to do all sorts of things.

1 | 2 | 3 
View this topic in a long page with up to 500 replies per page Create new topic





News and reviews »

Air New Zealand Starts AI adoption with OpenAI
Posted 24-Jul-2025 16:00

eero Pro 7 Review
Posted 23-Jul-2025 12:07

BeeStation Plus Review
Posted 21-Jul-2025 14:21

eero Unveils New Wi-Fi 7 Products in New Zealand
Posted 21-Jul-2025 00:01

WiZ Introduces HDMI Sync Box and other Light Devices
Posted 20-Jul-2025 17:32

RedShield Enhances DDoS and Bot Attack Protection
Posted 20-Jul-2025 17:26

Seagate Ships 30TB Drives
Posted 17-Jul-2025 11:24

Oclean AirPump A10 Water Flosser Review
Posted 13-Jul-2025 11:05

Samsung Galaxy Z Fold7: Raising the Bar for Smartphones
Posted 10-Jul-2025 02:01

Samsung Galaxy Z Flip7 Brings New Edge-To-Edge FlexWindow
Posted 10-Jul-2025 02:01

Epson Launches New AM-C550Z WorkForce Enterprise printer
Posted 9-Jul-2025 18:22

Samsung Releases Smart Monitor M9
Posted 9-Jul-2025 17:46

Nearly Half of Older Kiwis Still Write their Passwords on Paper
Posted 9-Jul-2025 08:42

D-Link 4G+ Cat6 Wi-Fi 6 DWR-933M Mobile Hotspot Review
Posted 1-Jul-2025 11:34

Oppo A5 Series Launches With New Levels of Durability
Posted 30-Jun-2025 10:15








Geekzone Live »

Try automatic live updates from Geekzone directly in your browser, without refreshing the page, with Geekzone Live now.


Updates »

Are you subscribed to our RSS feed? You can download the latest headlines and summaries from our stories directly to your computer or smartphone by using a feed reader.







RSS feeds
Main feed
Forums feed
Copyright
©2002-2025 Geekzone®
Site features
Geekzone BI dashboard
Geekzone Badges
Geekzone Status Page

 

Affiliate links
Samsung
AliExpress
Wise
Sharesies
GoodSync
Site Information
Subscribe to Geekzone
Privacy Statement
Forum Usage Guidelines (FUG)
Advertising
Trademark and copyright