[plug] Iinet security

ıuoʎ yonjah at gmail.com
Wed Jul 30 01:45:15 UTC 2014


Krystin, what you're saying is very disturbing.
I have the same issue with Vaya. Every time I call customer service
they ask me for details anyone can easily find on Facebook.
So I guess it's not only iiNet that has the issue.

But looking at the Caller ID doesn't make it any better. Caller IDs can be
easily spoofed and faked; it doesn't require any technical knowledge, and
today there are paid apps that will do it from your smartphone. So if
anyone wants to take over your customer account, this will not stop him.

Also, the fact that you frame the problem of asking a client for his password as him
not knowing it or him being annoyed by the question is also a bit
disturbing, since the first security measure every user should take is to
never tell anyone his password, especially not the company service rep.
And if you store your passwords properly, no one in your company will have
any access to these passwords in the clear, neither to validate users by them
nor to give them back to users when they ask for them. Customer
reps should only be able to generate new temporary passwords for accounts,
which the client can use to log in once and change his password.

To identify users you can ask them to have a verbal code word specific for
the customer rep, or to give the last 4 digits of their credit card.


On Tue, Jul 29, 2014 at 6:16 PM, Krystin Dix <krystindix at lothar.id.au>
wrote:

>  The only security questions asked were
> First and last names (This is 1 Point)
> Address (This is 2 Points)
> Date of Birth (This is 3 Points)
>
> The thing to note here, Luke, is that they would have had to verify that the
> Caller Line ID matched the numbers on the account. Generally, if it's the
> DSL number or mobile number, this satisfies 3 points of our ID Check system.
> This check would only complete if our Caller Application detected a CLID
> was present and that it matched the account that the ID check was being
> passed on (it is not something that can be checked or ticked in our widget).
>
> Have a look in the task notes inside toolbox (all customers have access to
> their notes written by Customer Service). The first few Fields that are
> formatted will show things like the Callers Name, and then their ID Check
> Passed / Failed and with which points passed.
>
> Having answered those questions iinet provided the account username and
> password, a list of linked accounts and passwords for all the things.
>
> Does anyone have any suggestions on who to contact to get this fixed?
>
> As I can see, you can ask to have a challenge set or to remove the
> alternate method of passing the ID check, i.e. to ask for the account primary
> password and name of the account holder. This is fine for some clients;
> however, for people that do not know or even want to know their password,
> being asked for it as the primary means of passing the ID check can be
> infuriating. I have found in the calls that I have taken for iiNet that
> clients are happier / more receptive when ID checked using the Name / Address
> / DOB / Caller Number ID.
>
> I work for iiNet in the Hosting department. If you have any questions you
> would like to raise off the list, please email me at kdix at staff.iinet.net.au
>
> Regards,
> Krystin Dix
>
> _______________________________________________
> PLUG discussion list: plug at plug.org.au
> http://lists.plug.org.au/mailman/listinfo/plug
> Committee e-mail: committee at plug.org.au
> PLUG Membership: http://www.plug.org.au/membership
>
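The account-handling model described in the reply above (no clear-text passwords anywhere in the company; support reps can only mint a one-time temporary password that forces a change at next login), as an added illustration in Python. This is example code, not anything from iiNet, Vaya or the thread; the class, method names and the PBKDF2 work factor are assumptions made for the example.

```python
import hashlib
import hmac
import secrets
import time

ITERATIONS = 200_000  # PBKDF2 work factor; a constructed setting for this example


def hash_password(password: str) -> str:
    """Return "salt$digest" (hex); the clear-text password is never stored."""
    salt = secrets.token_bytes(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return f"{salt.hex()}${digest.hex()}"


def verify_password(stored: str, candidate: str) -> bool:
    salt_hex, digest_hex = stored.split("$")
    digest = hashlib.pbkdf2_hmac("sha256", candidate.encode(), bytes.fromhex(salt_hex), ITERATIONS)
    return hmac.compare_digest(digest.hex(), digest_hex)


class AccountStore:
    def __init__(self):
        self.accounts = {}  # username -> password hash (no clear text anywhere)
        self.temp = {}      # username -> (sha256 of temporary password, expiry time)

    def create(self, username: str, password: str) -> None:
        self.accounts[username] = hash_password(password)

    def rep_issue_temporary_password(self, username: str, ttl: int = 900) -> str:
        """The only action a support rep gets: mint a short-lived, one-time password.
        The rep cannot read or confirm the current password because only its hash exists."""
        temp = secrets.token_urlsafe(12)
        self.temp[username] = (hashlib.sha256(temp.encode()).hexdigest(), time.time() + ttl)
        return temp

    def login(self, username: str, password: str, new_password=None) -> bool:
        """Normal login, or a temporary-password login that must set a new password."""
        if username not in self.accounts:
            return False
        pending = self.temp.get(username)
        if pending is not None:
            token_hash, expiry = pending
            presented = hashlib.sha256(password.encode()).hexdigest()
            if hmac.compare_digest(presented, token_hash):
                del self.temp[username]  # single use, whether or not the attempt succeeds
                if time.time() > expiry or new_password is None:
                    return False  # expired, or the caller did not supply a replacement
                self.accounts[username] = hash_password(new_password)
                return True
        return verify_password(self.accounts[username], password)
```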