
Virgin Media stores user passwords in plaintext? - atoponce
https://twitter.com/virginmedia/status/595135419152474112
======
MattBearman
I think the pitchforks may have been lit a bit early here. The password all
support staff can see is for phone verification, and is completely separate
from the online log in password [0]

However, Virgin don't seem to have clarified if and how the online log in
password is hashed.

[0] [https://virginmedia.response.lithium.com/portal/conversation...](https://virginmedia.response.lithium.com/portal/conversation/3957067)

~~~
pflats
Yeah, for the people confused, "authentication codeword" might be a better way
to think of it. This is not the traditional password, this is akin to the
phone support version of your mother's maiden name.

If I were to call up Virgin and say, "Hey, this is MattBearman, I want to add
a phone to my account and an international calling plan," they need a way to
verify that I am MattBearman. Instead of asking for personal information, they
ask for an "account password" _which is not your online password and is only
used for the purpose of identifying the caller_.

It has to be plaintext or encrypted; they're not going to give you a hashing
algorithm to work out over the phone.

~~~
itsybitsycoder
Well, in theory they could just tell the phone rep the unencrypted password
and the phone rep could enter it into the system and the system could tell
them if the hash matches. That's pretty much how it happens with most websites
these days anyway. But I can see there's a big benefit in the rep being able
to accept passwords which are obviously (to a human) the same, but would hash
differently.

------
jasonkester
So in short:

  - They're doing things correctly
  - They ask for a code over the phone to verify your account
  - Their Twitter guy refers to this as a "password"
  - Nobody reads anything on the internet, therefore everybody is concerned and fighty.

There's no indication of how _passwords_ are actually stored. This is all
about the passphrase you tell the guy on the phone so that he can verify your
account. It seems reasonable that that guy would need to be able to see that
word on a screen so that he can compare it to what you say.

Still, it's good that people are still really angry about this, 23 hours after
their support guy explained what's going on.

~~~
shultays
If the operator is the only one that checks the credential, it is still a huge
security risk IMHO. He/she can reuse this information to imitate one of the
customers whose credentials he got.

Here, the operator forwards you to a machine and you input your phone
password, so the operator does not know your whole credentials.

------
Someone1234
Seems like we've moved from calling out companies for long standing bad
practices to some kind of tribal behaviour where people are almost looking for
a reason to call a company out for "bad security."

Let me be clear: Phone passwords are superior to phone pins, phone secret
question/answers are superior to both, and the agent needs to be able to
verify the secret question/answer set, and also the password. You CAN design
it so the agent cannot see the whole password, but that means the agent cannot
use common sense to account for differences in spelling, or interpretation
e.g. "to" as 2, to, two, and too (plus "the third digit of your password" is
hard for humans, we aren't designed that way).

People saying things like "an agent cannot be trusted!" are missing the
point, that the entire system is built on agent trust. When you call you're
purposely giving this agent access to your account, making the password
useless, there's no proof they logged off when you hang up, there's also no
proof that they aren't writing down your responses and will then relay it to
another agent later.

A lot of people who whine about plain text in particular don't really seem to
understand what it is that hashing even does. They seem to think things like:
"if you get hacked, someone cannot steal passwords" (nope) or "then someone
cannot sniff your password over free wifi" (nope). All hashing does is add
time between the hack, and when the hacker can start using the stolen
credentials, that's it. It is there to give the company time to detect the
leak and to notify/reset, if the company fails to detect then it has done
absolutely nothing of worth.

To be honest I find "HTTP offenders" (e.g. HTTP web-sites that redirect to
HTTPS login forms, essentially breaking HTTPS's MitM protections) far worse
than "plain text offenders." But none of this has anything to do with calling
out security issues at this point. A bunch of people who don't seem to
understand the technicals here feel like they're doing "good" by calling out
companies for things that don't even make sense.

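Added example (not Virgin Media's code, and not from any commenter): the design itsybitsycoder sketches, where the agent types what the caller says and only the server holds a salted, slow hash of the phone codeword, combined with the canonicalisation step Someone1234 says such a design loses (case, spelling and "two"/"to"/"2" variants). Everything here is hypothetical: the `CodewordStore` class, the `SPOKEN_FORMS` table, the lockout threshold and the sample account are assumptions, and the table is a policy choice, not something the thread specifies.

```python
"""Phone-verification codeword: hashed at rest, canonicalised before hashing.

Hypothetical design (added example, not any provider's code). The agent never
sees the stored codeword; they type the caller's answer and get a yes/no.
"""
import hashlib
import hmac
import os
import re
import unicodedata

# Constructed spoken-form table (an assumption): folds common ways a caller
# might say a digit so that "Password Two", "password-to" and "PASSWORD2"
# all canonicalise to the same string. Extend or shrink per policy.
SPOKEN_FORMS = {
    "zero": "0", "oh": "0", "one": "1", "two": "2", "to": "2", "too": "2",
    "three": "3", "four": "4", "for": "4", "five": "5", "six": "6",
    "seven": "7", "eight": "8", "nine": "9",
}

SCRYPT_PARAMS = dict(n=2**14, r=8, p=1)  # memory-hard; ~16 MiB per hash
MAX_FAILURES = 3                         # assumed lockout threshold


def canonicalise(codeword: str) -> str:
    """Lower-case, strip accents/punctuation/whitespace, fold number words."""
    text = unicodedata.normalize("NFKD", codeword).casefold()
    text = "".join(ch for ch in text if not unicodedata.combining(ch))
    tokens = re.findall(r"[a-z]+|\d+", text)
    return "".join(SPOKEN_FORMS.get(tok, tok) for tok in tokens)


def _digest(codeword: str, salt: bytes) -> bytes:
    return hashlib.scrypt(canonicalise(codeword).encode(), salt=salt, **SCRYPT_PARAMS)


class CodewordStore:
    """Per-account salted scrypt hashes plus a failure counter for lockout."""

    def __init__(self) -> None:
        self._records = {}  # account id -> {"salt": bytes, "hash": bytes, "failures": int}
        self._dummy_salt = os.urandom(16)  # used so unknown accounts cost the same time

    def enroll(self, account: str, codeword: str) -> None:
        salt = os.urandom(16)
        self._records[account] = {"salt": salt, "hash": _digest(codeword, salt), "failures": 0}

    def is_locked(self, account: str) -> bool:
        rec = self._records.get(account)
        return rec is not None and rec["failures"] >= MAX_FAILURES

    def verify(self, account: str, spoken: str) -> bool:
        """What the agent's screen calls: the caller's answer in, True/False out."""
        rec = self._records.get(account)
        if rec is None:
            _digest(spoken, self._dummy_salt)  # burn the same time, then refuse
            return False
        if rec["failures"] >= MAX_FAILURES:
            return False  # locked; needs an out-of-band reset, not more guesses
        ok = hmac.compare_digest(_digest(spoken, rec["salt"]), rec["hash"])
        rec["failures"] = 0 if ok else rec["failures"] + 1
        return ok


if __name__ == "__main__":
    store = CodewordStore()
    store.enroll("acct-0001", "Password Two")          # constructed sample account
    print(store.verify("acct-0001", "password-to"))    # True: same canonical form
    print(store.verify("acct-0001", "password three"))  # False
```

The store never needs the codeword back, which is the whole point: a screen that can show the agent the word implies recoverable storage, whereas this design gives the agent only a match result and a lockout after repeated failures. The canonicalisation table is where the "common sense" the thread worries about lives; it is deliberately small and explicit so its tolerance can be reviewed.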
------
andrewstuart2
Is this actually a password or something closer to a PIN? I don't know that
there's anything wrong with not cryptographically mangling a PIN since there
are so few combinations in the first place. I think the SOP in most cases (my
bank, for one) is to use multiple forms of ID verification (last 4 of social,
birthday, and PIN, e.g.).

Whoever runs their Twitter also later claims that this account password is
different than their online password, which seems to support that it's more of
a PIN than a global password. I'm not a Virgin employee or customer though, so
I'm not sure if this is the case or not.

~~~
lcmatt
Correct, it's just a simple way to verify you're the account holder. Saves
asking for DOB, address, account number which are more accessible.

~~~
m_t
Whenever I need to call Virgin to try and get some info, I need to:

  - Type in my account number
  - Wait for an agent
  - Get an agent. Give my name and account number
  - Explain my problem
  - Get transferred to another agent
  - Wait
  - Get an agent, give my account number
  - Give the third letter of my password (which got me confused, as I thought they were asking for my account password)
  - Explain my problem
  - Get transferred to another agent
  - Wait
  - Get an agent, give my account number

In the end, I talked to three people at the same company, gave my account
number 4 times, and gave my "password" once.

Can confirm, does not save time at all!

Note: this is for Virgin Media UK. Did not experience that with Virgin Media
in Canada.

------
mattybrennan
So, it seems this only applies to the phone verification password and not the
online account password. Can someone explain to me what the better
alternatives are for phone verification? Is punching in a PIN considerably
better? Banks ask for last 4 of social, which I don't think is something I
would give anyone besides a bank.

Virgin's hardly the only one doing this. ADT reps ask for a password when
verifying an alarm. At least it's better than just asking for your name and
address.

~~~
preinheimer
The advantage of punching in four digits is that your phone rep doesn't get to
see/hear them. You've identified yourself to the system, not the individual.

~~~
chinpokomon
DTMF isn't transmitted in secret. Of course they _could_ eavesdrop on what you
entered through a keypad. Keying it into a machine listening to an unsecured
phone line is the equivalent of sending it in plaintext and just as vulnerable
as telling it to an agent on the other end of the call.

------
a_bonobo
This is an international thing - I'm with Virgin Mobile in Australia and the
"Forgot Password" button sends me my password in plain text (which is, even
better, only allowed to be numbers, and only 6 of them! Guessing 10^6 numbers
doesn't take long)

This is known since at least 2013: [http://www.kitguru.net/gaming/security-software/jon-martinda...](http://www.kitguru.net/gaming/security-software/jon-martindale/virgin-media-stores-phone-authentication-passwords-in-plaintext/)

Edit: Others are saying this is for the "phone verification password", but my
password is to log into the online account to pay my phone bill.

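Added example (not Virgin Mobile's code, and not from any commenter): a "Forgot Password" flow that can only work if the site never stored the password recoverably, as a contrast with the e-mail a_bonobo describes. The password is kept as a salted scrypt hash; a reset issues a random single-use token with a short lifetime, stores only the token's hash, and the e-mailed link would carry the token itself. The `Accounts` class, `TOKEN_TTL`, the injected clock and the sample user are all assumptions made for the example.

```python
"""Password reset by single-use token instead of mailing the password back.

Hypothetical design (added example, not any provider's code). A site that
can e-mail your password has it in recoverable form; this one cannot.
"""
import hashlib
import hmac
import os
import secrets
import time
from typing import Optional

SCRYPT_PARAMS = dict(n=2**14, r=8, p=1)
TOKEN_TTL = 15 * 60  # assumed: reset links expire after 15 minutes


def _password_hash(password: str, salt: bytes) -> bytes:
    return hashlib.scrypt(password.encode(), salt=salt, **SCRYPT_PARAMS)


def _token_key(token: str) -> bytes:
    # Tokens are high-entropy random strings, so a plain SHA-256 is enough
    # to keep the database copy useless to anyone who reads it.
    return hashlib.sha256(token.encode()).digest()


class Accounts:
    def __init__(self, clock=time.time) -> None:
        self._clock = clock            # injectable for testing expiry
        self._users = {}               # email -> {"salt": bytes, "hash": bytes}
        self._resets = {}              # sha256(token) -> (email, expires_at)

    def _set_password(self, email: str, password: str) -> None:
        salt = os.urandom(16)
        self._users[email] = {"salt": salt, "hash": _password_hash(password, salt)}

    def register(self, email: str, password: str) -> None:
        self._set_password(email, password)

    def login(self, email: str, password: str) -> bool:
        rec = self._users.get(email)
        if rec is None:
            return False
        return hmac.compare_digest(_password_hash(password, rec["salt"]), rec["hash"])

    def request_reset(self, email: str) -> Optional[str]:
        """Return the token that would go in the e-mailed link, or None.

        The server keeps only sha256(token). The web layer should show the
        same "check your inbox" message either way to avoid account enumeration.
        """
        if email not in self._users:
            return None
        token = secrets.token_urlsafe(32)
        self._resets[_token_key(token)] = (email, self._clock() + TOKEN_TTL)
        return token

    def complete_reset(self, token: str, new_password: str) -> bool:
        entry = self._resets.pop(_token_key(token), None)  # pop: single use
        if entry is None:
            return False
        email, expires_at = entry
        if self._clock() > expires_at:
            return False
        self._set_password(email, new_password)
        return True


if __name__ == "__main__":
    acc = Accounts()
    acc.register("user@example.com", "old-secret")       # constructed sample user
    token = acc.request_reset("user@example.com")
    print("link would contain:", token)                   # this is all the e-mail carries
    print(acc.complete_reset(token, "new-secret"))        # True
    print(acc.login("user@example.com", "new-secret"))    # True
```

Two details carry the security weight: the stored copy of the token is a hash, so a database read does not yield usable reset links, and the token is popped on first use and checked against an expiry, so a leaked or forwarded e-mail has a narrow window. Nothing in the flow ever needs the old password, which is exactly why a provider that mails it back has told you something about its storage.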
~~~
atoponce
Upload a screenshot to
[http://plaintextoffenders.com/](http://plaintextoffenders.com/)

~~~
a_bonobo
I had thought of that - my mail (even though from virginmobile.com.au) is
identical to the UK one:
[http://plaintextoffenders.com/post/4983474119/virginmobile-c...](http://plaintextoffenders.com/post/4983474119/virginmobile-co-uk-virgin-mobile)

And that one's from 2011!!

------
kijin
"Administrators and/or customer service reps need to be able to see passwords
for XYZ purposes" is a relatively common requirement even nowadays, especially
if those requirements were drawn up by non-technical people.

One part of me wishes that the governments of the world would just outlaw this
kind of idiocy. On the other hand, I'm not sure if I'd like that much
regulation. I certainly wouldn't want to be a developer in a world where I can
get sued for using a non-NIST-approved algorithm or something.

Fortunately, "PCI-DSS" seems to be the magic word that developers can use to
beat sense into people's heads most of the time.

------
keeran
I have a Virgin Media account authorisation password to identify myself as an
account manager over the phone. Has nothing to do with any online login
system.

------
szx
Incidentally, I just found out yesterday that Straight Talk (AT&T MVNO) keeps
their _online_ passwords in plaintext. Restoring your password actually sends
you the password by email.

I'm glad I never reuse a password.

------
JacobEdelman
The end result of this is that I'm impressed with Virgin Media's quick
responses on twitter.

------
DyslexicAtheist
and they don't seem to get it even after people have explained it to them

~~~
atoponce
Even better, it appears that it will require legal motivation for them to
change their behavior:
[https://twitter.com/virginmedia/status/595241181065383936](https://twitter.com/virginmedia/status/595241181065383936)

~~~
laumars
You have to bear in mind that the people managing that social media account are
probably only a few grades higher than your average call centre puppet who
follows a script. While some of VM's responses could have been phrased better
(within the confines of Twitter's max character count), these people are
generally there to answer end user rage about their router crashing and such
like rather than this. Sadly information security is quite significantly more
advanced - so much so that even IT professionals frequently get it wrong.

What should really be happening here is the discussion being escalated to
their systems / security team and an official open letter published.

------
chris_wot
So... this password... this is a password for what?

------
hitlin37
Nothing new here.

