
Cellphone Company doesn't understand Security basics

I had an interesting experience during the volcano disruptions which showed how Phone Companies aren't doing joined-up thinking on Security.

I was stranded without phone access on my BlackBerry. I emailed Virgin Media from my pre-registered e-mail account to ask them to give me international access for my location. Their response was that for my safety & security they couldn't accept a plain e-mail from me. They said I had to log on to the Virgin Media website, log in to my BlackBerry account, and e-mail them from therein.

Unfortunately I couldn't recall my password to access my Virgin Media account. So I asked them to e-mail me my Password.

They readily e-mailed me my Password in the clear, so it hadn't been stored hashed.

I then logged on, wasn't forced to do a password re-set, and I re-sent my original e-mail request, citing the same e-mail address. They then gave me the international access I needed so that I could make alternative arrangements with family & colleagues in the UK, as I was going to return to UK some 7 days behind schedule. In practice it took 4 days to arrange all of the above.

Given their refusal to accept my initial request from my pre-registered e-mail address, but their willingness to send out my password in the clear, rather than force me to do a password re-set, it would suggest they don't have too much joined-up thinking.


Comments: (1)

John Dring - Intel Network Services - Swindon, 22 June, 2010, 12:19

I was about to assume that you were going to make a technical/picky point about security, but yep, it looks pretty dumb. But wait. Sending a password in the clear is pretty standard for such an account (a reminder might have been marginally better [if there was one]). Or if they didn't trust the integrity of the email sender then they could have generated a new password, which wouldn't expose a potential 'friendly' password and would allow you to set it back to one you prefer.

The obvious thing here, I would think, would have been for them to send you a text with the reminder/password!  Some encryption at least, and they are the phone company.

Keith Appleyard
