Friday 24 August 2012

A word of warning. Virgin DO NOT store your password securely.

Today I'm angry. I should be angry anyway - I have to work from home and my broadband service is down until "at least this afternoon". Worse than that, the customer service rep told me to "think yourself lucky" because some people would be out of service until the end of the month! What a professional way to inspire confidence in your service. Add to this that the Virgin Media Superhub just doesn't work, on so many levels, and you'd probably expect me to be fuming.

All of that pales into insignificance next to the real reason I'm so angry: Virgin's apparent lack of understanding of online security.

I phoned Virgin Media customer service this morning, to try and understand why my broadband was disconnected. The agent proceeded to ask me a series of security questions: my account number; name; first line of address... my password?! I looked around the room, my wife and son were there. Now, I trust my family, but I don't give my passwords to ANYONE. Did I trust this guy on the end of the phone more than my family? "Oh, I'm only going to use it to verify who you are" he said. An argument ensued.

Over the next few minutes, it became apparent that Virgin have no regard whatsoever for online security. From talking to this agent, I was able to determine that he had my password displayed on the screen right in front of him. When I finally told him what my password was, and without telling him the quirky camel-case I used for the password, he was immediately, without pressing a single key, able to verify that it was indeed my password.

This means 2 things:

 1. My password is not stored securely, as a hash. If Virgin try to argue that it is stored securely, they clearly don't know what they are talking about.
 2. Darren, or Bill, or Jen at VM can see my password right there on their screen.

For the uninitiated I'll explain a little about hashing and password security at the bottom of this post. I shouldn't have to explain this stuff to Virgin, but clearly I do.

It gets worse: sometimes the customer service rep will ask you for two or three characters from your password. This gives the illusion of security, as you might get the impression that the rep never gets to find out your FULL PASSWORD. It is just an illusion, and in fact it only confirms further that they do not hash your passwords before storing them. A hash can only be checked against the complete password, so to check "the 2nd and 5th characters" the system must hold the password in the clear, or in a reversibly encrypted form that any agent's screen can decrypt, which is no better against an insider. The only way to do partial checks against hashes is to store a separate hash for every combination of positions that might be asked for, which multiplies the number of stored hashes and makes each of them trivially guessable; nobody should count that as secure either.

Actually, number 2 bothers me a lot more than number 1. Not storing my password as a hash is bad. It's really BAD. But giving the customer service team access to my email and password is just unacceptable. I'd be tempted to say that Virgin should enforce a "two character" system, if it were possible to do that without storing unhashed passwords (it isn't). The approach that Virgin SHOULD take, is to implement a different security policy - one that doesn't require me to give my password over the phone. Maybe ask me a security question, or text a unique number to my mobile phone, or ask me for the MAC address on my router, just don't ask me for my RUDDY PASSWORD!
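To make the "text a unique number to my mobile phone" suggestion concrete, here is an added example of how that verification step can be built so that the agent never sees a secret at all. It is illustrative code written for this post, not Virgin Media's process. It assumes a six-digit code that lives for five minutes and is burned after three wrong guesses, and a server-side key (SERVER_KEY) held in the application rather than the customer database; the sample key and timestamps are constructed for the demo.

```python
import hashlib
import hmac
import secrets
import time
from typing import Optional

# Assumptions for this example: a code is valid for five minutes, three wrong
# guesses burn it, and SERVER_KEY lives in the application (a key store or HSM
# in practice), never in the customer database. A six-digit code has only a
# million possibilities, so a bare hash of it could be brute-forced from a
# stolen record in milliseconds; keying the HMAC with SERVER_KEY means a copy
# of the database alone is not enough to recover the code.
CODE_TTL_SECONDS = 300
MAX_ATTEMPTS = 3
SERVER_KEY = secrets.token_bytes(32)  # constructed for the demo


def _tag(salt: bytes, code: str) -> bytes:
    """Keyed digest of the code; this, not the code, is what gets stored."""
    return hmac.new(SERVER_KEY, salt + code.encode("ascii"), hashlib.sha256).digest()


def issue_code(now: Optional[float] = None) -> tuple:
    """Create a six-digit one-time code. The code is sent to the customer's
    phone (the SMS send is out of scope here); only the record is stored, so
    the agent's screen can show "code sent", never the code itself."""
    now = time.time() if now is None else now
    code = f"{secrets.randbelow(1_000_000):06d}"
    salt = secrets.token_bytes(16)
    record = {
        "salt": salt,
        "tag": _tag(salt, code),
        "expires": now + CODE_TTL_SECONDS,
        "attempts": 0,
        "used": False,
    }
    return code, record


def check_code(record: dict, candidate: str, now: Optional[float] = None) -> bool:
    """Verify the code the customer reads back to the agent. Expired, exhausted
    or already-used codes are rejected before any comparison, the attempt is
    counted before comparing so every bad guess costs a try, and the
    comparison itself is constant-time."""
    now = time.time() if now is None else now
    if record["used"] or record["attempts"] >= MAX_ATTEMPTS or now > record["expires"]:
        return False
    record["attempts"] += 1
    if hmac.compare_digest(_tag(record["salt"], candidate), record["tag"]):
        record["used"] = True  # single use
        return True
    return False


if __name__ == "__main__":
    code, record = issue_code()
    print("sent to phone:", code)  # only the customer should ever see this
    print("agent enters what the customer reads back:", check_code(record, code))
    print("replaying the same code:", check_code(record, code))
```

The agent types in whatever the customer reads back and sees only "accepted" or "rejected". Nothing on their screen, and nothing in the database, would let them verify a customer without the phone in hand.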

Then the rep tried to feed me a line. "This is a legal requirement, for data protection purposes". I'm afraid at this point he got an earful from me. It's true that VM do need to establish the identity of the caller before they can give out any personal information. However:

 1. They weren't about to divulge any personal information
 2. There are other ways of establishing my identity, without asking for my password

My BANK don't ask for my password over the phone. NOBODY DOES. Well, except for Virgin Media, and possibly Tesco too. I went on to explain to Darren or Bill, or whatever his name was, that I'm a software engineer, that I actually know a little bit about password security, and that there was no need for him to know my personal password. After assuring me that he really did need to know it "for legal reasons", he then proceeded to mock me, saying "well, you're the expert!". Actually I told him I was a "security expert", which I'm not, but compared to him I am! Does Virgin even employ a security expert?

I use a different password for every site or service I use. With companies like Virgin Media and Tesco around you really have to, because you have no idea who can see your password. However, passwords are hard to remember, especially if you have to have a different one for every site you visit. If this means that you have to write your passwords down, they are even less secure, because now somebody else could get hold of them. This ultimately means that many people reuse passwords across many sites. It's not recommended practice, but lots of IT professionals do this. This means that companies like Virgin Media have a moral (and probably legal) responsibility to ensure your passwords are stored securely.

Virgin Media engage in so many bad practices regarding security that it has gone beyond the point of negligence. Sadly, these companies don't even seem to be aware of their cavalier attitude to security, usually not until after they have been compromised. Virgin even have a forum dedicated to helping users with internet security. Worst of all is the response when you try to point out that they have a problem. "Look, we know what we're doing", they say. We've seen this attitude from both Tesco and Virgin Media.

Just a look at Virgin's password policy should start to ring alarm bells: "8 - 10 characters long, letters and numbers only, no spaces, first character must be a letter". Why limit password entropy? I like to use punctuation characters in my passwords, as it makes them stronger. Why only 10 characters? Most of my passwords for other services use AT LEAST 12 characters. I'll quote Troy Hunt here: "someone’s got themselves a varchar(10) under there somewhere and it’s all sitting in plain text"

Continued pressure and exposure of Tesco has forced them to review their policies, and start to act. I wonder what it will take for Virgin Media to sit up and start taking online security seriously.

So how should it be done?

A little background about hashing (and salting)

Disclaimer: This is for illustrative purposes and is not intended as security advice. A real system needs the rest too: a deliberately slow, iterated hash such as PBKDF2, protection against XSS attacks, expiring tokens, SSL, and so on.

The problem with storing your password is that someone could get hold of it. That could be a disgruntled employee, or one who is a bit short on cash, or your online service could simply get hacked. The key to password security is being able to validate your password without actually knowing it. Surely that's not possible? Enter the "hash algorithm"!

A hash algorithm is a ONE WAY function. It scrambles your password up into a fixed-length bunch of nonsense in a way that can't be unscrambled (strictly speaking it isn't encryption, because there is no key and nothing to decrypt with). Some hashes are better suited to passwords than others. You want one that is cryptographically sound, so that nobody can work back from the hash to the password or find another input that produces the same hash, and preferably one that is deliberately slow to compute, so that an attacker who steals the database can't just try every possible password (a "brute-force" attack) at billions of guesses per second. General-purpose hashes like SHA-256 are designed to be fast, which is why real password storage wraps them in something like PBKDF2 with many iterations, or uses bcrypt or scrypt. The SHA-256 examples below are just to show the idea.

Example:

Using an SHA-256 hash:

mypass123 -> e6e07510d6531af5f403d1e6d0eb997855b6453488aaee6a9dd10ad5133f936a

Try it yourself. Go to http://www.xorbin.com/tools/sha256-hash-calculator and type in "mypass123" and then compare the results.

When you sign up for a website or service, the provider SHOULD store the HASH of your password, not the password itself. This means that they don't know what your password is. If you lose it, they can provide the means for you to reset it, but they can't tell you what it was, and the customer service department certainly can't see it on their screen!

So, how do they validate your password? You go to the login screen and type in your password, "mypass123", and it gets sent to the server (hopefully over a secure SSL connection). The server then calculates the hash of what you typed and compares it to the hash it has stored in the database. If they match, then you must have typed the password correctly, and typed it exactly: the hash of "MyPass123" bears no resemblance to the hash of "mypass123", which is why a hashed password can never be "verified" from a version read out over the phone with the case glossed over. Nobody can take the data from the database and work backwards to your password. The best they can do is guess passwords, hash each guess and look for a match, which is exactly why the choice of a slow hash matters.

There are still some vulnerabilities in using a hash alone. Users with the same password, or with a commonly used password, will have the same hash stored in the database. An attacker can hash a dictionary of common passwords once (or download precomputed tables of them) and match the results against every account at the same time, so the weakest accounts fall immediately. This is overcome by including some random "salt" in the hash. A random value is generated for each user and appended to the password before it is hashed:

mypass123+187456 -> 921e1d21705b45bd710aecadedb3e748e2ad9f1910e9f4b4a112d03e27857823

This salt is then stored in the database alongside the hash (it doesn't need to be secret; its job is to make every hash unique). When the user types their password, the server appends the stored salt before calculating the hash and comparing it with what is in the database. This means that if two users have the same password, provided they have different salts, the hashes will be different, and an attacker has to attack each account separately:

mypass123+187456 -> 921e1d21705b45bd710aecadedb3e748e2ad9f1910e9f4b4a112d03e27857823
mypass123+223547 -> ecaf0018e016361ac6d48db393489d5abaf8fe3d43ac78e6325c223baa59d202
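Here is the whole scheme in working code, added to this post as an example (it is not Virgin's code, or anyone else's). It uses Python's standard hashlib, with PBKDF2-HMAC-SHA256 standing in for the bare SHA-256 of the examples above, so that each guess is expensive as well as salted. The two sample users, their shared password and the round count are assumptions made up for the demo.

```python
import hashlib
import hmac
import os
from typing import Optional

# Assumption: 100,000 PBKDF2 rounds. Tune this so one hash costs a noticeable
# fraction of a second on the server; the point is to make guessing slow.
PBKDF2_ROUNDS = 100_000

# Constructed sample data, not real accounts: two users who happen to have
# chosen the same password, as in the salted-hash examples above.
SAMPLE_USERS = {"alice": "mypass123", "bob": "mypass123"}


def plain_sha256(password: str) -> str:
    """Unsalted, single-round SHA-256, like the first example in the post.
    Two users with the same password get the same digest, and SHA-256 is fast
    enough that an attacker can test billions of guesses per second."""
    return hashlib.sha256(password.encode("utf-8")).hexdigest()


def make_record(password: str, salt: Optional[bytes] = None) -> dict:
    """Build what the database should hold for one user: a random 16-byte
    salt, the round count and the PBKDF2-HMAC-SHA256 digest. The password
    itself is never written anywhere, so no helpdesk screen can display it."""
    if salt is None:
        salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ROUNDS)
    return {"salt": salt.hex(), "rounds": PBKDF2_ROUNDS, "hash": digest.hex()}


def verify(record: dict, candidate: str) -> bool:
    """Login check: re-derive the digest from the stored salt and round count
    and compare it with the stored digest. compare_digest runs in constant
    time, so the comparison does not leak how many bytes matched."""
    digest = hashlib.pbkdf2_hmac(
        "sha256",
        candidate.encode("utf-8"),
        bytes.fromhex(record["salt"]),
        record["rounds"],
    )
    return hmac.compare_digest(digest.hex(), record["hash"])


def demo() -> dict:
    """Register the sample users and exercise the points made in the post."""
    plain = {name: plain_sha256(pw) for name, pw in SAMPLE_USERS.items()}
    records = {name: make_record(pw) for name, pw in SAMPLE_USERS.items()}
    return {
        # same password -> identical unsalted digests (what a cracker looks for)
        "unsalted_collide": plain["alice"] == plain["bob"],
        # same password, different salts -> different digests
        "salted_differ": records["alice"]["hash"] != records["bob"]["hash"],
        "correct_password_ok": verify(records["alice"], "mypass123"),
        # a hash check is exact: different casing is simply a different password
        "wrong_case_rejected": not verify(records["alice"], "MyPass123"),
        "wrong_password_rejected": not verify(records["alice"], "mypass124"),
    }


if __name__ == "__main__":
    for check, outcome in demo().items():
        print(f"{check}: {outcome}")
```

Note what the stored record contains: a salt, a round count and a digest. Nothing in it can be read back as the password, nothing in it lets an agent confirm "the 2nd and 5th characters", and the only way to check a candidate is to run the full derivation and compare.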

The ICO are investigating Tesco for their lack of security when storing passwords. Virgin Media are not providing online commerce on the scale that Tesco are, however, security of users' passwords needs to be taken seriously.

14 comments:

  1. Whenever I phone up virgin media they ask for my SECURITY password, which is wildly different to my ACCOUNT password, which is the one I use online to get emails, log into my account, etc. I never use my SECURITY password online anywhere. If yours are the same you should probably ask them to change it... The security password is more a passphrase, similar to 'What is your mother's maiden name' questions and answers.
    At least that is my experience with virgin...

    1. Thanks. I just checked in my profile. I have a security question, but no separate "security password". The password that was accepted by the helpdesk was the same randomly generated password I use to login, and not my security question.
    2. FYI I might have ACCOUNT and SECURITY the wrong way around, but the main point is I have 2 passwords, one for online stuff which I have never had to say over the phone, and one for over the phone stuff which I never use online
    3. And you are on fibre right? I'm on national (ADSL), so maybe it is different for us slow people :D
    4. Yeah, I'm on fibre. Definitely only one password. I believe they have different systems and policies depending on whether you were NTL, Tele, ADSL, etc.
    5. Well in that case I am angry with you!
    6. Why? I mean they only let me have 1 password. There is no place anywhere on my profile for a separate password for over the phone. There's just my security question, which is not what they asked me for.
    7. Sorry, I mean I am angry at virgin, along with you, for not storing some customers password securely, not angry at you! I am also angry at virgin for taking 6 weeks to activate my internet, but that is a different matter
    8. I don't think Virgin give a damn, to be honest. If the attitude of the helpdesk is anything to go by.
  2. WRONG. The password on the screen is a security password used to verify your identity and NOT the password you use for your email.

    If you chose to use the same password for BOTH your online account and the telephone verification then you are retarded!

    1. Hi Adam. Thanks for the info. I did, of course, check all of the details before writing the article, and have double checked them since. Also, my account is only a couple of months old, so I remember the sign up process pretty well.

      During the sign up process I was asked for 2 pieces of security info 1) a password and 2) my mother's maiden name.

      ALL of my passwords for all sites I use are different, and are randomly generated strings. No two passwords are the same, so I can be pretty sure that the security hole here isn't a big deal for me personally. The password they asked me for, and that they accepted (the one on the screen) is the same password I use to log into "My Virgin". There is no possibility that I would have used this password twice.

      I don't use Virgin email - I'm not foolish enough to become dependent on a provider specific email address.

      Like I say, this isn't a problem for me. But not everyone uses a password manager, not everyone is able to remember a different password for every site they use, and many people WILL use their paypal or online banking password with Virgin.

      The fact that 2 people have mentioned this same thing suggests that the system is different for different services (possibly different for ASDL/National and Fibre, or maybe different for people who have come in from NTL/Cablewest).
    2. You set up your password when you create your account.

      Your virgin media log in password is created when you activate your broadband

      Here is the link

      http://activation.virginmedia.com/Activation/

      I'm a Virgin Media employee so I know the process rather well too :)
    3. Bah nevermind. The link only works if your broadband is not active otherwise it will just reboot your hub
    4. Yeah, I just discovered that. So, this is all a little bit confusing. Basically a password that I entered on the screen at some point is displayed in the clear on the helpdesk screen.

      I don't remember entering another password when the account was activated. The engineer was on site, and he did most of the setup. I'm guessing I must have thought he wanted my virgin password, so copied it from my password manager.

      There doesn't seem to be a way of changing this password. At what point was I told to use a password that I wouldn't mind telling someone over the phone?