
Thames Water don't get password security - edent
https://shkspr.mobi/blog/2019/12/thames-water-dont-get-password-security/
======
isostatic
"Not just the 4th and 17th character - the whole thing"

If any company asks for the 4th character of your password, that means they
are storing your password in a reversible fashion, and they should be dumped.

The online account should never be logged in by anyone other than the owner.
The person on the phone, if their job requires it, should have read/write
access to your account, but that should be audited as "Joe Bloggs" accessing
the account.

~~~
mstade
First Direct (a UK bank, subsidiary of HSBC I believe) also does this, and it
drives me nuts. Terrible bank, never get an account with them.

~~~
CM30
Natwest also does this with its login system (the whole 'enter the X, X and
Xth characters from your password' thing).

Seems like it may be an unfortunate 'trend' for banking services in this
country.

------
mstade
Thames Water is a joke, and a bad one at that. When I first moved to London
they didn’t send me a bill until the end of the year, for the full year. Then
they sent another – same exact amount, same address, different reference
number. I called them to say the bill was already paid and they confirmed over
the phone that they could see the payment for the other bill, but they
couldn’t trash the new one for some reason and to avoid any extra charges I
had to pay it and then ask for a refund. I remarked how dumb that was, but
acquiesced and paid the thing only to then ask for a refund. They said it’d be
processed within a couple of weeks, but of course it never was, so I called
again. And again. And again. About six months later I just gave up, and
accepted that Thames Water will forever owe me some £500 or so, and I’ll never
get it back.

I’m so glad I don’t live in the UK anymore.

~~~
yrro
Paying money you don't owe them is definitely the wrong move. I'd have written
them a letter providing them with proof that the first bill had been paid and
stating that I will not enter into any further correspondence. It would be up
to them to sort their shit out.

Anyone else in a similar situation should be able to resolve the matter by
complaining to the Consumer Council for Water. In the staggeringly unlikely
event that this did not resolve the situation then taking Thames Water to
small claims court would be the next step.

~~~
mstade
For sure, and it felt wrong at the time but I took their reassurances at face
value. While I'm sure there was some process by which I could reclaim the
money, in the end I just gave up and wrote it off.

~~~
yrro
Perfectly understandable. Having re-read what I wrote, I apologise if I came
off as criticizing your past lack of action! I wrote more from the position of
wanting to provide advice for anyone else who finds themselves in a similar
situation and isn't sure if they can do anything about it.

~~~
mstade
Nothing to apologize for buddy, I read it exactly as you intended – advice,
not critique! Appreciate the concern and civility though, have a great day!
:o)

------
pbhjpbhj
So many companies in the UK don't seem to get it (or are purposefully doing
bad security), we need regulation .. or perhaps just application of current
legislation (I don't know) ..

There needs to be someone saying "you restricted your passwords to 8
alphabetic characters, your C-grade in charge of security can no longer hold a
position that involves security, and your company must pay 50% of profits
(subject to a minimum of 5% of revenue) as a fine."

With a very clear, basic, definition of minimum security levels for companies
(above a certain size) to comply with.

We can't leave security to the market as the information isn't public and the
market on the whole can't comprehend it.

~~~
pjc50
Careful; this is things like FIPS, and it's likely to include things you don't
like such as "ban the use of password managers and take technical measures to
prevent pasting in passwords".

~~~
pingyong
What are you referring to? The only FIPS I know are crypto standards from
NIST, and they seem pretty reasonable. (Except for the EC RNG of course lol.)
Even the NIST password recommendations are pretty reasonable IIRC, they
recommend having no upper limit (or like 60+ characters) and not enforcing any
kind of "you need at least 1 special sign and 2 numbers", except for a lower
limit (at least 8 characters).
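
Added example (mine, not code from the post, the thread or any of the companies named): a validator implementing the NIST SP 800-63B rules pingyong paraphrases above (minimum 8 characters, a generous upper bound, no composition rules, a check against known-bad and context-specific values, Unicode normalisation before counting), beside the "8 alphabetic characters" policy pbhjpbhj complains about. The blocklist, the 128-character ceiling and the context words are assumptions for the demo.

```python
import unicodedata

# NIST SP 800-63B section 5.1.1.2: a user-chosen memorized secret must be at
# least 8 characters, verifiers must accept at least 64, and no composition
# rules (mandatory digits, symbols, mixed case) may be imposed. The ceiling
# of 128 here is an assumption; anything >= 64 is compliant.
MIN_LENGTH = 8
MAX_LENGTH = 128

# Constructed stand-in for a breached/common-password corpus. A real
# deployment loads a large list or queries a k-anonymity range API.
BLOCKLIST = {"password", "12345678", "qwertyui", "letmein1", "thameswater"}


def normalize(password: str) -> str:
    # NFKC so the same visible string is counted once regardless of how it
    # was typed: "e" + combining acute and the precomposed "é" become equal.
    # 800-63B says to normalise (NFKC or NFKD) before hashing.
    return unicodedata.normalize("NFKC", password)


def check_nist(password: str, context_words=()) -> list[str]:
    """Return the reasons a password is rejected; an empty list means accepted."""
    pw = normalize(password)
    reasons = []
    if len(pw) < MIN_LENGTH:
        reasons.append("too_short")
    if len(pw) > MAX_LENGTH:
        reasons.append("too_long")
    folded = pw.casefold()
    if folded in BLOCKLIST:                      # case-insensitive match is a choice, not a NIST rule
        reasons.append("blocklisted")
    if any(w.casefold() in folded for w in context_words):
        reasons.append("contains_context_word")  # e.g. the service name or the username
    return reasons


def check_legacy(password: str) -> list[str]:
    """The 'at most 8 alphabetic characters' policy the thread complains about."""
    reasons = []
    if len(password) > 8:
        reasons.append("too_long")
    if not password.isalpha():
        reasons.append("non_alphabetic")
    return reasons
```

The passphrase "correct horse battery staple" passes the NIST checks (no digit or symbol required, spaces allowed) and fails the legacy one twice over, while "Password" is exactly what the legacy policy accepts and the blocklist rejects.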

------
OJFord
Heh, I had some 'fun' with that too...

"Your new account number is <big string of digits>, you must go to the
website and enter it there to re-register."

Uh.. ok? (Leaving aside that this reads like phishing, I go to the website.)

`input_mode="numeric"` prevents me pasting the <big string of digits>, so I
get rid of that, paste it, feel briefly sorry for customers that won't know to
do that, and then it errors anyway.

------
DannyB2
So much fail.

They shouldn't even be able to know what your password is. They shouldn't have
a copy of it anywhere. Only a hash function (or several) of it.

It should be impossible for any of their staff to ever obtain your password,
or tell it back to you, or verify that you're reading it to them correctly --
BECAUSE they don't have a copy of your password ANYWHERE.
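
Added example (mine, not code from the post, the thread or any company named in it) of the point isostatic and DannyB2 make above: a service that keeps one salted hash of the whole password can only ever check the whole password, whereas a "tell me characters 4 and 8" login needs per-position storage, and per-position storage is recoverable in a single pass even when each character is hashed. The sample password, the record layout and the reduced scrypt cost are assumptions for the demo.

```python
import hashlib
import hmac
import os
import string

# The alphabet an attacker enumerates per position: 95 printable ASCII characters.
PRINTABLE = string.ascii_letters + string.digits + string.punctuation


def _kdf(secret: str, salt: bytes) -> bytes:
    # scrypt with a deliberately small cost (n=2**10) so the demo runs in
    # seconds; production would use n=2**14 or more. Raising the cost does not
    # rescue the per-position scheme below, it only slows the recovery loop.
    return hashlib.scrypt(secret.encode("utf-8"), salt=salt, n=2**10, r=8, p=1, dklen=32)


# --- What a service should store: one salted hash of the whole password ---

def store_hashed(password: str) -> dict:
    salt = os.urandom(16)
    return {"salt": salt, "hash": _kdf(password, salt)}


def verify_full(record: dict, candidate: str) -> bool:
    # Only the complete password can be checked. Nothing in this record can
    # answer "is the 4th character an 'r'?", so no call-centre script can ask.
    return hmac.compare_digest(record["hash"], _kdf(candidate, record["salt"]))


# --- What a partial-character prompt needs: one hash per character position ---

def store_per_position(password: str) -> dict:
    # Hypothetical record behind an "enter characters 4 and 8" login. Each
    # digest covers a single character, which is the whole problem.
    salt = os.urandom(16)
    return {"salt": salt, "positions": [_kdf(ch, salt) for ch in password]}


def verify_positions(record: dict, answers: dict) -> bool:
    # answers maps a 1-based position to the character the caller supplied.
    ok = True
    for pos, ch in answers.items():
        if not 1 <= pos <= len(record["positions"]):
            return False
        ok = ok and hmac.compare_digest(record["positions"][pos - 1], _kdf(ch, record["salt"]))
    return ok


def recover_from_positions(record: dict) -> str:
    # Anyone holding the record recovers the whole password with at most
    # len(PRINTABLE) KDF calls per position: effectively reversible storage.
    recovered = []
    for digest in record["positions"]:
        for ch in PRINTABLE:
            if digest == _kdf(ch, record["salt"]):
                recovered.append(ch)
                break
        else:
            recovered.append("?")  # character outside the enumerated alphabet
    return "".join(recovered)
```

A database dump of the first record gives an attacker a full-password guessing problem; a dump of the second gives back the password outright, which is why asking for individual characters and storing passwords irreversibly amount to the same thing.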

~~~
Majromax
From the resolution:

> So, we came up with a compromise. They would reset my password, log in to my
> account, fiddle around with it, and then call me with the new password. And
> so they did.

I'm not sure that the staff did in fact have access to the password. It sounds
as if they needed to _log in as the customer_ to make necessary changes, so
the password request was in the context of a login attempt.

Of course, this just raises further questions about how they manage their
systems, if they cannot administratively perform any action required without
acting as the customer.

~~~
DannyB2
Yes. I got that out of the article as well, but didn't bring it up.

In many applications it is important for support staff to be able to access
your account in certain ways, but not other ways.

------
DoubleGlazing
I don't think I have ever used or developed a system with a login function
that did not have the means to allow admins, or someone with appropriate
privileges, to reset a password. I would regard that as a basic standard
feature.
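
Added example (mine, not code from the post or the thread) of the access model isostatic, Majromax, DannyB2 and DoubleGlazing are circling above: support staff get a scoped set of actions on a customer account, every action is recorded against the staff member's own identity rather than the customer's, and a password reset is a single-use token that never shows the agent a password, unlike the "call me with the new password" resolution in the article. Role names, account IDs, the delivery channel for the token and the hashing cost are assumptions.

```python
from __future__ import annotations
import hashlib
import hmac
import os
import secrets
from dataclasses import dataclass
from datetime import datetime, timezone

# Constructed role -> permitted-action table. Note what is absent: there is
# no "read_password" and no "login_as_customer" action for anyone.
ROLE_PERMISSIONS = {
    "customer": {"view_billing", "update_address", "submit_meter_reading"},
    "support_agent": {"view_billing", "update_address", "issue_password_reset"},
}


class PermissionDenied(Exception):
    pass


def _hash(secret: str, salt: bytes) -> bytes:
    # Used for passwords and reset tokens alike; low iteration count for the demo only.
    return hashlib.pbkdf2_hmac("sha256", secret.encode("utf-8"), salt, 50_000)


@dataclass
class Account:
    account_id: str
    address: str
    salt: bytes
    password_hash: bytes
    reset_token_hash: bytes | None = None
    last_reading: int | None = None


@dataclass
class AuditEntry:
    when: str
    actor: str     # the staff member or customer who acted
    role: str
    action: str
    subject: str   # the customer account that was touched
    outcome: str


class AccountService:
    def __init__(self) -> None:
        self.accounts: dict[str, Account] = {}
        self.audit: list[AuditEntry] = []

    def _log(self, actor, role, action, subject, outcome) -> None:
        self.audit.append(AuditEntry(datetime.now(timezone.utc).isoformat(), actor, role, action, subject, outcome))

    def _authorize(self, actor, role, action, subject) -> None:
        # Customers act only on their own account; staff act on any account but
        # only within their role. Every decision is logged under the actor's
        # identity, so "Joe Bloggs changed the address" is what the audit says.
        allowed = action in ROLE_PERMISSIONS.get(role, set()) and (role != "customer" or actor == subject)
        self._log(actor, role, action, subject, "allowed" if allowed else "denied")
        if not allowed:
            raise PermissionDenied(f"{actor} ({role}) may not {action} on {subject}")

    def register(self, account_id, address, password) -> None:
        salt = os.urandom(16)
        self.accounts[account_id] = Account(account_id, address, salt, _hash(password, salt))

    def update_address(self, actor, role, subject, new_address) -> None:
        self._authorize(actor, role, "update_address", subject)
        self.accounts[subject].address = new_address

    def submit_meter_reading(self, actor, role, subject, reading: int) -> None:
        self._authorize(actor, role, "submit_meter_reading", subject)
        self.accounts[subject].last_reading = reading

    def issue_password_reset(self, actor, role, subject) -> str:
        # The agent triggers a single-use token. Assumption: it is delivered to
        # the customer by a channel the agent cannot read (post, SMS, e-mail),
        # so nobody but the customer ever learns the new password.
        self._authorize(actor, role, "issue_password_reset", subject)
        acct = self.accounts[subject]
        token = secrets.token_urlsafe(24)
        acct.reset_token_hash = _hash(token, acct.salt)
        return token

    def redeem_password_reset(self, subject, token, new_password) -> bool:
        acct = self.accounts[subject]
        valid = acct.reset_token_hash is not None and hmac.compare_digest(
            acct.reset_token_hash, _hash(token, acct.salt))
        self._log(subject, "customer", "redeem_password_reset", subject, "allowed" if valid else "denied")
        if not valid:
            return False
        acct.salt = os.urandom(16)                       # fresh salt with the new password
        acct.password_hash = _hash(new_password, acct.salt)
        acct.reset_token_hash = None                     # single use
        return True

    def login(self, account_id, password) -> bool:
        acct = self.accounts.get(account_id)
        ok = acct is not None and hmac.compare_digest(acct.password_hash, _hash(password, acct.salt))
        self._log(account_id, "customer", "login", account_id, "allowed" if ok else "denied")
        return ok
```

The agent can fix the address and start a reset but cannot submit a meter reading or log in as the customer, and the audit trail for each attempt, allowed or denied, names the agent rather than the account holder.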

------
tialaramex
What is the password even for?

UK Residential water customers fall into basically two categories. Older
residences that haven't converted are billed based on "rates" - a guess of
what a residence like that uses on average. Newer ones, or if you opt in to
have a meter fitted are billed for metered water usage plus (unless
exceptionally they have water but no sewage provision) a proportional amount
for sewage. There's a discount if you've at least set things up so that rain
water doesn't get dumped into the sewer.

But none of this is controllable, so for anyone with financial stability the
obvious thing to do is set up Direct Debit (in the UK the law lets you give
your bank account details to approved businesses like the water utilities and
then the bank just gives them whatever they ask for, the law includes a
safeguard so you can retrospectively unwind this with no questions asked) and
then forget about it.

If you're too poor for Direct Debit to be wise (residential water can't be
shut off for non-payment since courts consider it essential, so if you've got
£10 left in the account until the end of the month you don't want the water
company taking that money which could otherwise buy food) you still can't do
anything about that by having an account.

So I've never had such an account and can't imagine how I'd use it. When I
have had a dispute with the water company in the past an account wouldn't have
helped, I needed to argue with actual humans about why they were wrong.

~~~
edent
I log into my online account so that I can submit meter readings and download
monthly bills. I find that useful.

~~~
larnmar
Why not just email me my water bill?

Am I so worried about the security of my water bill that it needs to exist
behind a password? I’m perfectly happy if anyone who wants to put my address
into the website can see exactly how much I currently owe. They can even pay
it for me if they really want to.

But if you need to put in your own meter readings I get that that’s different.
I’m really complaining more about my own local utilities and other companies
that have totally pointless passwords that make paying bills extra difficult.

~~~
yrro
As we all know, email isn't secure!!1

------
aerojoe23
I wonder how hard it would be to fix their systems...

Why are you getting a new account number every month?

Why can't they add it to your online account automatically?

Why can't they access settings in your account without logging in as you?

------
gberger
And the _compliance_ department approved this? Wow.

~~~
TallGuyShort
The compliance is with regulation, which is not the same thing as, often the
complete opposite of, common sense.

