2003年07月01日

Personal Security Online

A colleague of mine told me that Streamyx's authentication server behaves in funny ways. During one downtime period, he tried logging in with his ID and a mock password (he used bulls***) and managed to get through. If true, this means the server fails open: great for availability (users wouldn't even notice the authentication server was down), but terrible for security, since anyone who knows a valid ID can log in during an outage. On another occasion, someone who claimed to be from TMNet called his house and asked for his password. He dodged the question a couple of times and finally told him that it was set to the default. He changed the password shortly after. A third instance of dubious security practice came when his password expired and he called the helpdesk to reset it. The helpdesk staff asked him what password he wanted, saying that it was more convenient for him to tell them than to go to the designated website and set it himself.

I wonder if this is TMNet's standard practice. Technicians and engineers should know better than to ask someone what their password is; a properly run helpdesk cannot see a customer's password at all and can only trigger a reset. Password reset should be an automated task between the customer and a system, especially in this case where the customer is actually paying for access.
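As an added example (not code from the original post, and nothing to do with TMNet's actual systems), here is a minimal self-service reset flow of the kind the paragraph above argues for, together with an authentication check that fails closed during an outage. The helpdesk can only issue a one-time reset token; only a hash of the token is stored, the customer chooses the new password on the self-service site, and staff never learn either value. The class and function names, the in-memory store and the 15-minute token lifetime are assumptions made for this illustration.

```python
"""
Added illustration: helpdesk-triggered, customer-completed password reset,
plus fail-closed authentication. All names and the in-memory store are
assumptions for this example, not any provider's real implementation.
"""
import hashlib
import hmac
import os
import secrets
import time

RESET_TOKEN_TTL = 15 * 60   # assumed policy: reset tokens expire after 15 minutes
PBKDF2_ROUNDS = 100_000     # assumed work factor for stored password hashes


class CredentialStoreDown(Exception):
    """Raised when the credential store cannot be reached."""


class CredentialStore:
    """Toy in-memory store. It holds only password hashes and reset-token
    hashes, so nobody with read access (helpdesk included) can recover a
    usable credential from it."""

    def __init__(self):
        self._passwords = {}   # user -> (salt, pbkdf2 digest)
        self._resets = {}      # user -> (sha256(token), expiry timestamp)
        self.available = True  # set to False to simulate a backend outage

    def _check_up(self):
        if not self.available:
            raise CredentialStoreDown("credential store unreachable")

    def set_password(self, user, password):
        self._check_up()
        salt = os.urandom(16)
        digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)
        self._passwords[user] = (salt, digest)

    def verify_password(self, user, password):
        self._check_up()
        if user not in self._passwords:
            return False
        salt, digest = self._passwords[user]
        candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)
        return hmac.compare_digest(candidate, digest)

    def issue_reset_token(self, user, now=None):
        """Helpdesk action: returns a one-time token to hand to the customer.
        Only the token's hash is stored, so the record is useless to staff."""
        self._check_up()
        now = time.time() if now is None else now
        token = secrets.token_urlsafe(32)
        token_hash = hashlib.sha256(token.encode()).digest()
        self._resets[user] = (token_hash, now + RESET_TOKEN_TTL)
        return token

    def redeem_reset_token(self, user, token, new_password, now=None):
        """Customer action on the self-service site: the token must match,
        be unexpired and unused. The new password is chosen here, by the
        customer, and never passes through a human operator."""
        self._check_up()
        now = time.time() if now is None else now
        entry = self._resets.get(user)
        if entry is None:
            return False
        stored_hash, expiry = entry
        presented = hashlib.sha256(token.encode()).digest()
        if now > expiry or not hmac.compare_digest(presented, stored_hash):
            return False
        del self._resets[user]              # single use
        self.set_password(user, new_password)
        return True


def authenticate(store, user, password):
    """Fail closed: if the credential store is down, the answer is 'no',
    not 'any password will do'."""
    try:
        return store.verify_password(user, password)
    except CredentialStoreDown:
        return False
```

In use, `issue_reset_token` is the only thing a helpdesk operator can call, and the token it returns is what gets handed to the customer; `redeem_reset_token` runs on the self-service website. With `store.available = False`, `authenticate` returns False for every password, which is the behaviour the Streamyx anecdote above describes as missing.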

Related links:
1. Sample Corporate Basic Password Policy
2. What is Social Engineering and how it relates to Computer System Security
3. Of Digital Identities

Posted by Najah Nasseri at 2003年07月01日 14:00



Comments

If this is true, someone should report TMnet. Don't let them get away with this.

Posted by: Aizuddin Danian at 2003年07月01日 14:34


It happened to me once, about the TMNet Customer Support asking for my password. Since I really couldn't log on for God knows what reason, I gave it to them, but changed it immediately once I managed to go online. I just wonder if asking for other people's passwords is their standard practice (which it shouldn't be in the first place).

Posted by: Sue at 2003年07月01日 15:10


As I am in the helpdesk world, this is definitely a very bad practice indeed! In my working environment, we do not even know what a user's password is unless they tell us. We can only reset it to a default password and advise the user to change it immediately after.

And I do agree with Aiz. Somebody should report them!

Posted by: sarini at 2003年07月03日 23:30

