Security-minded

Hey there! Long-time reader, first-time submitter. About 4 years of helpdesk experience while doing secondary and now tertiary studies.

I work at a small ISP in Australia. It is SOP to confirm usernames and passwords of end users when they call in. Today’s Saturday though, and I’m trying to get end users fixed and gone so I can catch up on tickets and emails. As a result, I asked a user to confirm their password at the end of a call rather than the beginning.

EU: Hi, I’d like to purchase [x service that we offer]

Me: Certainly, what is your credit card number?

EU: [Provides CC details, name, expiry, and address for good measure].

Me: That’s been purchased on your account now. Could I also confirm your password please?

EU: What? Why would you need to do that?

Me: It’s standard procedure to confirm username and password. You told me your username and other details before, could you confirm your password?

EU: I don’t like giving out my password, for security reasons.

Me: You know that we are who we say we are because you called us.

EU: Yes, but I still don’t like to give it out, for security.

Me: …For security reasons, you don’t want to confirm your internet password to an agent from your internet service provider, even though I am currently looking at your password on your account, and have direct control over your account functions regardless of you confirming that you know it also.

EU: Yes, that’s right.

Me: Even though you had no issue about giving me all of your credit card, personal, and address details.

EU: Yes.

Me: …Have a good day.

  • Someone

    Why would an ISP let their employees see someone’s user name and password? That is a horrible practice. Now the employees can give that info out to other people, or use it themselves, to spoof the person and even get them into legal trouble. Horrible horrible practice.

    • http://thefreewarejunkie.com Rob Dunn

      It’s probably the overall account password – Verizon has something just like it (account PIN), it’s not an uncommon practice at all.

    • http://www.facebook.com/profile.php?id=616222648 Marat Sverdlov

      Not sure if serious or trolling…

  • http://dpmeyer.myopenid.com/ Darren M

    > you don’t want to confirm your internet password to an agent from your internet service provider, even though I am currently looking at your password on your account

    Sorry, but… you fail here. Your caller is right; one should NEVER share their password with anyone, and if your company is storing user passwords in a reversible form (instead of using a salted one-way hash), then they fail security. If employees can see a password, so can an attacker — this practice is what led to last year’s big Gawker breach.

    • CHABI

      Schoooooooled.
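The storage model Darren M's comment points at, as an added example (not part of the original post or any of the comments): the account record keeps only a random salt and a one-way derived key, so an agent-facing tool can answer "confirmed / not confirmed" without anyone being able to read the password off the screen. It uses Python's standard-library `hashlib.pbkdf2_hmac`; the iteration count, salt length and sample password are assumed values.

```python
import hashlib
import hmac
import os

# Assumed parameters: tune the iteration count to your hardware and policy.
ITERATIONS = 600_000
SALT_BYTES = 16


def create_record(password: str) -> dict:
    """Build the stored record: a fresh random salt plus the derived key.
    The plaintext password is never written anywhere."""
    salt = os.urandom(SALT_BYTES)
    key = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)
    return {"salt": salt.hex(), "iterations": ITERATIONS, "hash": key.hex()}


def verify(record: dict, candidate: str) -> bool:
    """What a helpdesk tool would call: re-derive from the stored salt and
    compare in constant time. The agent only ever sees True or False."""
    salt = bytes.fromhex(record["salt"])
    key = hashlib.pbkdf2_hmac("sha256", candidate.encode("utf-8"), salt, record["iterations"])
    return hmac.compare_digest(key, bytes.fromhex(record["hash"]))


def record_reveals_password(record: dict, password: str) -> bool:
    """Demonstration check for the principle in the thread: the plaintext
    must not appear anywhere in what an employee (or an attacker who copies
    the database) can see."""
    return any(password in str(value) for value in record.values())


if __name__ == "__main__":
    # Constructed sample password for the demo.
    record = create_record("correct horse battery staple")
    print("stored record:", record)
    print("right password confirmed:", verify(record, "correct horse battery staple"))
    print("wrong password confirmed:", verify(record, "wrong horse"))
    print("plaintext visible in record:", record_reveals_password(record, "correct horse battery staple"))
```

Because each record gets its own salt, two customers who chose the same password still end up with different stored hashes, so a leaked table cannot be matched up by eye or by a single precomputed lookup.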