Virgin Media's "plain text password" problem



Yeah, no. This is a misunderstanding. They can’t see your password.

If you read the discussion at Hacker News, they’re talking about a different “password.” This is just a code word that you can use over the phone so the reps know it’s you. It’s not the online password.

Unfortunately for phone-based transactions, your options are

  1. Assume the person is whoever they say they are
  2. Assume anyone calling from that phone number is the number’s owner
  3. Ask for a piece of information that the customer knows and the operator can verify

Most places that care about security do #3. In the case of a bank, you sometimes give your SSN, or tell them about recent transactions. In the case of Virgin, there’s a code word.

Until people can perform hashes in their heads, there’s not a great alternative. (I guess punching in a PIN might be better, but most people remember words better than 8-digit PINs.)

Last time I phoned them, the automatic system asked me to press the phone key with the appropriate character from my password 3 times. I was never asked by a human person for any information about my password.

They used to ask, but I haven’t phoned them up in, like, forever, fortunately. They used to have excellent tech support when it was bored-sounding but knowledgeable Scousers, but it’s not so great now it’s been outsourced (the best ISP tech support is, IMO, Be, who use call centres in Eastern Europe, where everyone is super-helpful, well-trained, and sounds like a cold war-era spy 🙂)

This kind of reminds me of when TalkTalk used to cold call me to try and sell me crap, but demand I prove to their satisfaction that I was me, even though they called me. Requests that they prove to me who they were didn’t go over very well.

I just stopped answering the phone.
