How safe is your password with Verizon? (pranaya.co)
Fulfillment companies are the companies that magazine publishers hire to handle customer service, charge and ship magazines to you at the right time.
Problem is, when it was time to put these magazines online, magazine companies looked to fulfillment companies to handle billing and customer service for them. These fulfillment companies had worked in 30/60 day cycles and were running software that was created in 1985.
So when the Internet came knocking, they just rigged up some stuff to kinda sorta do it the same way.
Before someone writes the obligatory "someone should create some software to make digital fulfillment for old-school publishing better", you should understand that these fulfillment companies own the customer/user data.
To migrate from one fulfillment company to another, you'd have to re-collect billing information for the entire subscription file, which would require the publisher to contact Grandma Barbara and ask her to send in another check or get on AOL to add her credit card. Which just isn't going to happen.
I don't buy it. This was asking for a login password.
For example Netflix does this for support where you get the token from the web page (as a number) and enter it when you make the support call. Google business support has it too although it is valid for longer where the admins can get a token that is entered with support requests.
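The support-token pattern described in the comment above, as an added illustration (not code from Netflix, Google or the original post): a short numeric code is issued on the logged-in web page, kept server-side with an expiry, and checked once when the customer reads it to the rep. The backend table and the ten-minute lifetime are assumptions.

```python
import secrets
import time

TOKEN_TTL = 600  # seconds a web-issued support code stays valid; assumed value

class SupportTokens:
    """Constructed stand-in for a support backend's token table.

    The rep never sees or asks for the account password; the only
    secret exchanged over the support channel is a short-lived code.
    """

    def __init__(self):
        self._tokens = {}  # account_id -> (code, expiry_timestamp)

    def issue(self, account_id, now=None):
        """Issue a 6-digit code for an already-authenticated web session."""
        now = time.time() if now is None else now
        code = f"{secrets.randbelow(10**6):06d}"
        self._tokens[account_id] = (code, now + TOKEN_TTL)
        return code

    def verify(self, account_id, presented, now=None):
        """Return True once for a valid, unexpired code; consume it either way."""
        now = time.time() if now is None else now
        entry = self._tokens.get(account_id)
        if entry is None:
            return False
        code, expiry = entry
        if now > expiry:
            del self._tokens[account_id]  # expired codes are discarded
            return False
        # constant-time comparison; a mismatch does not leak which digits matched
        if not secrets.compare_digest(code, presented):
            return False
        del self._tokens[account_id]  # single use: replay over the same call fails
        return True
```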
Calm Down.
Someone who is serious about security would never do this. The rest of the article falls on its face at this point.
http://vzwtipsandtricks.blogspot.com/2010/11/i-forgot-my-vzw...
http://support.verizonwireless.com/faqs/My%20Verizon/billing...
Reading the chat log, I failed to pick up the problem, and I am a Verizon customer. A few times talking to a Verizon rep, I've been asked for the last four of my SSN. I have to remember to give 0000. That's because, when I first signed up, I didn't want them storing my SSN post credit-check, and they complied.
However, I don't ever recall being asked for a "billing password". Maybe that's because mine is still the numeric 0000. Perhaps Pranaya set up an alpha one at some point and forgot, then got confused by the word "password".
As an AT&T customer, I know having one of these "passwords" is optional. If you choose to have one as an added level of security (in addition to the last 4 of the account holder's social), you can add it to the account. Again, it can be completely different from your online login password and is usually something simple that can be said/understood over the phone.
I found this whole article kind of funny. The rep must have been so confused as to why this customer was getting so hysterical over such a common thing.
After pressing the issue and refusing to provide it, she walked me through the steps needed to resolve my issue. My feeling was, esp after reading this, that they are probably using the same or a similar 3rd party to provide their live support and those 3rd parties are now finding that it's easier to log in as users and fix their issues vs trying to walk users through the various steps to fix it themselves. It probably brings their support times down - I seriously doubt they care about user security.
Or heck, maybe it's a malicious attempt to get passwords... heck if I know, just a theory. Seems like the easiest explanation. Still, unacceptable.
While I agree, that is more easily said than done for most folks. Looking through my Keychain file, I have almost 850 internet password items. Assuming that about a third are duplicates (www.site.com vs site.com for example) that's still well over 500 different sites I have passwords for. Because I'm comfortable with Keychain, I let it generate strong passwords for me (I frequently associate custom email addresses with those passwords as well since I own a bunch of domains). Whenever I try to get others to use various password managers, they get confused and eventually fall back to writing passwords down or using the same password across sites.
Someone needs to get us away from passwords fast.
At most, a paranoid system might be designed to require a second login before a sensitive change, on the theory that a screen might have gone unattended. The outcome of that second logon (success or failure) is all that should be shown to a service rep. The system should immediately destroy the password after hashing it for comparison to the value stored in the database. This technique is decades old.
However, I know of vendors who do store raw passwords. This is because I have been asked to change passwords of long standing that do not stand up to silly new rules about variety of character classes, etc. If they were one-way hashing, they could not have known my old password didn't pass muster.
Someone might have lifted his account password and logged into the website with it impersonating him on the chat, and so it only makes sense to then confirm identity by challenging for that password over the same chat where he is being impersonated... hey wait a second!
I'm not entirely convinced that this customer service agent could see his password. She said she had to enter it in to verify it. She may have been confused about his questions, or just flustered by his attitude.
He is right that it's not secure at all, I forget the sequence of numbers I use every other time I've called them, and they've always let me have a few tries at it...
However, the insecurity of the Billing Code is actually worse than his website account password, as anyone could call up, figure out the 5-digit code (they've given me hints before), and change his service, request billing info mailed, etc. And good luck getting any service changed with the (more secure? Who knows...) site account password (although you do have access to billing records, which could be more valuable).
An end to passwords would be awesome. But, I haven't seen a compelling solution to the problem.
It is absolutely worth the time to set up and start using.
Oh, and now the CSR knows his banking password too. Handy.
I personally would never use a banking, brokerage, or charge card [edit: or email] password for any other purpose. But, for other sites, I'm as lazy as he is...
Failing that, customer has to give CSR the password, CSR enters it, it is checked against hashed password (CSR sees plaintext but it could be arranged that it is never stored, which is better than storing all plaintext in a database).
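The verify-and-discard design argued for in the two comments above (a rep screen that receives only success or failure, a plaintext that is hashed for comparison and then dropped), as an added example that is not code from the original thread or from any carrier's system. It also shows why a store built this way cannot grade an old password against new complexity rules after the fact: the policy check only works while the plaintext is transiently in hand. The in-memory record and PBKDF2 parameters are assumptions.

```python
import hashlib
import hmac
import os

ITERATIONS = 200_000  # PBKDF2 work factor; assumed value
MIN_LEN = 12          # stand-in for a "new rules" policy; assumed value

def make_record(password: str) -> dict:
    """Hash a new password with a fresh random salt and return only the record.
    The record holds no plaintext, so nothing here can later be shown to a rep."""
    salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return {"salt": salt, "hash": digest}

def meets_policy(password: str) -> bool:
    """Character-class rule of the kind the comment mentions, constructed here."""
    has_letter = any(c.isalpha() for c in password)
    has_digit = any(c.isdigit() for c in password)
    return len(password) >= MIN_LEN and has_letter and has_digit

def verify_for_rep(record: dict, presented: str) -> dict:
    """Everything the rep screen is allowed to learn from one attempt.

    The presented plaintext is hashed, compared in constant time, checked
    against policy while it is still available, then goes out of scope.
    Only the two booleans leave this function.
    """
    candidate = hashlib.pbkdf2_hmac("sha256", presented.encode(), record["salt"], ITERATIONS)
    ok = hmac.compare_digest(candidate, record["hash"])
    # policy can only be evaluated now; the stored record cannot answer this later
    needs_reset = ok and not meets_policy(presented)
    return {"authenticated": ok, "needs_reset": needs_reset}

def policy_from_record(record: dict):
    """Demonstrates the comment's inference: a hash-only store cannot say
    whether the existing password meets the rules, so it returns None."""
    return None if "password" not in record else meets_policy(record["password"])
```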
If I have my super-secure password that I generated in my browser, Chrome will sync it and let me log in on my browser too. Great! Now how do I get that into my phone when the APP requests me to log in?
Answer: Some password system needs to tie into the IME of computers and phones in order to be effective and secure wherever your passwords need to go.
OpenID / OAuth seems like the general answer, but it's not easy to use, and it's not practical unless I can get my bank, Facebook, some mom-and-pop website and HN to all use the same system. IME integration would bypass all of these, and would be so much simpler than getting everyone to learn the OAuth dance.
As someone who recently factory reset their tablet and phone, boy was that painful. The password generator passwords are long and use a wide variety of characters, numbers and punctuation. Entering them is really tedious and time consuming. Usually you can't see the entered password so a single error means you have to keep trying again.
What disturbs me about this, why I feel it's relevant, is that these are people with the technical ability to configure their own minecraft servers and run jailbreak/root(?) hacks on consoles. Almost all of them have at least taken 1 or 2 C++ college courses or Codecademy courses. These people aren't technically challenged, nor are they Luddites. They should be aware of how insecure most passwords are, but they feel it's not relevant to their life.
Any suggestions on how to deal with that problem -- people calling you paranoid because you don't use an easy to remember password on all sites?
They think you are paranoid because they think that you are worried about Mark Zuckerberg logging in to your Google account or something along those lines. Explain that websites get compromised all the time - you could bring up the LinkedIn (http://lifehacker.com/5916177/65-million-linkedin-accounts-m...) or the Gawker (https://gawker.com/5712615/commenting-accounts-compromised-+...) compromise if they use one of those sites, and that when criminals get things like your Google passwords, they will often delete your data and try to scam your friends out of money - there are many stories, here is one about it: http://bits.blogs.nytimes.com/2007/11/09/e-mail-scammers-ask...