[plug] Iinet security
Krystin Dix
krystindix at lothar.id.au
Wed Jul 30 03:51:12 UTC 2014
anyone can easily find on facebook.
To me as a technical minded person worrying about security I am not sure why you would not have this hidden with Facebooks privacy settings? Yes I understand that a lot of people don’t but it does not stop you from doing so.
Caller IDs can be easily spoofed and faked
Same can be said for any of the other methods for falsifying other points for an ID check. It can be easy if you take someone’s wallet to get their last 4 digits of their credit card as you mentioned. Nor does it take much to overhear a verbal code either.
To identify users you can ask them to have a verbal code word specific for the customer rep or giving the last 4 digits of their credit card
At iiNet we are always working on new ways to both keep security at mind and ease of access for people that are validated on the account. We are currently in the process of finishing off a trial for Voice Biometrics for the purposes of ID checking clients onto their accounts. https://iihelp.iinet.net.au/Auto_ID-check_FAQ
We require a total of 9 points to provide ID and to gain access for billing purposes on the account for inbound calls. The following can be used.
Customer contact name (1 Point)
CLID (3 Points)
Biometrics voiceprint (8 Points)
Password (8 Points)
Billing address (2 points)
Date of Birth (3 Points)
Last payment method and amount paid (2 points)
Last Invoice number and Amount Paid (3 Points)
For outbound calls calling a listed number on the account counts as 3 points of ID.
Passwords stored in the clear?
Passwords are stored in a secure manner – however yes they are retrievable. This is so that we can setup DSL services on clients modems or other devices that require the same username without having to change both the device (mail client) and the modem. Having to change both would be a great hindrance and especially if they got the setup wrong they will be offline until they got the issue sorted. To ID check using the supplied password we have to type the password into a text box and it gets a tick when the password matches the stored one. So we can’t see the password until the ID check has been passed. This has been raised many a time before online. If you want to read more have a look at these Whirlpool threads.
http://forums.whirlpool.net.au/forum-replies.cfm?t=55197
http://forums.whirlpool.net.au/forum-replies.cfm?t=387871
http://forums.whirlpool.net.au/forum-replies.cfm?t=371080
http://forums.whirlpool.net.au/forum-replies.cfm?t=308539
Of particular note is this post by MM: http://forums.whirlpool.net.au/forum-replies.cfm?t=308539&p=3&#r43
The short answer is, it just would not be feasible for the password not be viewable. It would make troubleshooting a connection, or setting up a customer's modem very, very difficult.
For the purposes to see passwords a logged event is lodged on each account of the time and along with the reason for accessing the password.
I work for iiNet in the Hosting department. If you have any questions you would like to raise off the list please email me kdix at staff.iinet.net.au<mailto:kdix at staff.iinet.net.au>
Regards,
Krystin Dix
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.plug.org.au/pipermail/plug/attachments/20140730/aaeb36f6/attachment.html>
More information about the plug
mailing list