RCN, one of many largest web and cable service suppliers within the US, admitted at the moment on Twitter that it shops customers’ passwords in cleartext, passwords to which its buyer help staff have entry at any time throughout technical help requests.
An RCN spokesperson said that “[customer support] brokers must see this password to confirm account possession when sure adjustments are requested.”
This revelation got here to be after a person who goes on Twitter as Lomgrim known as RCN help over the weekend. Previous to calling, Lomgrim says he used KeePass –a password supervisor application– to generate a random 26-character-long password for his RCN account.
He claims that the RCN worker dealing with his name was capable of view after which learn this password again to him with out verifying that he was talking to the precise account proprietor.
Chatting with ZDNet, Lomgrim pointed this reporter to a Reddit thread he opened over the weekend, the place he vented on the matter.
“Their rep with none validation was capable of see my password that I had simply set on-line, 5 minutes earlier, in plaintext after which straight up READ IT BACK TO ME, OVER THE PHONE asking ‘the password seems very lengthy and odd, are you certain that is what you need?’,” Lomgrim mentioned.
However whereas Lomgrim confirmed this was the primary time it occurred to him, different customers commenting on the identical Reddit menace claimed to have skilled the identical subject previously.
“I simply talked to a customer support rep and so they instructed me the identical factor. They did not appear to grasp why it is likely to be an issue,” a Reddit person said.
The issue that RCN staff did not seem to grasp, because the person put it, is that by not verifying the identification of callers earlier than giving out a password this could result in severe privateness breaches.
For instance, stalkers may discover a new technique to intrude on the privateness of their victims, whereas scammers and fraudsters can exploit this subject to achieve entry to a treasure trove of personally identifiable and monetary info.
TechRepublic: Why 31% of data breaches lead to employees getting fired
In response to Lomgrim, this could result in some severe points, because the RCN account, similar to another account at most US-based ISPS, shops fairly a wealth of private info.
“MyRCN net portal incorporates entry to the billing portal, in addition to to autopay setup,” Lomgrim instructed ZDNet. “Invoice cost historical past is on the market for obtain to your total tenure.
“It’s also possible to modify your safety questions within the portal and the account password itself. Moreover, MyRCN portal means that you can change your RCN Webmail password outright with out having to supply the previous password first.
“It’s also possible to replace your billing tackle. In my opinion, if an attacker has entry to this account, they will pull down all my statements, reset my RCN E-mail password (if I used to be utilizing one), and set my billing tackle to one thing else, and disable paperless billing, to allow them to route my payments to their tackle,” Lomgrim added.
ZDNet reached out to RCN earlier at the moment with a number of questions in regards to the firm’s follow. In an electronic mail, the corporate replied that’s investigating the difficulty.
“RCN takes all our buyer inquiries, considerations and suggestions very significantly. We’re trying into this matter; we’re in touch with the client and are gathering all of the pertinent info,” Invoice Sievers, Senior Vice President of Buyer Service, RCN, instructed ZDNet through electronic mail. “We are going to present updates as they turn into obtainable.”
A fast Twitter search additionally reveals this has been occurring for at the very least 4 years. The corporate has been fairly upfront on this coverage since 2014, based on an older tweet.
“RCN reps have entry to your webmail password and MyRCN password in case you have been to ever overlook them,” an RCN consultant wrote on the official Twitter account in 2014 answering to a person complaining about the identical factor –an RCN name heart worker studying out the person’s password over the cellphone.
And there’s additionally this four-year-old Reddit thread with the identical criticism about RCN staff getting access to clients’ passwords in cleartext.
However RCN is not the primary or the final firm to by accident reveal on Twitter that it shops buyer passwords in cleartext. Just some months earlier than, T-Mobile Austria admitted to the same practice.
Following a number of subsequent person complaints and an extended stream of on-line ridicule and criticism, the corporate finally carried out password-hashing as a technique to cease staff or hackers from viewing the passwords in cleartext.
As for Lomgrim, the person hopes the ISP improves its safety posture with reference to its password dealing with, considerably regretting the media storm he could have precipitated.
“RCN has usually been my ISP of selection,” he instructed ZDNet. “Their customer support is frequently very accountable, and uncommon points that do come up are typically resolved rapidly and effectively. They supply sooner and higher service, together with gigabit, for costs which might be a lot better than Comcast, with none contractual service obligations.”
The difficulty with storing passwords in cleartext shouldn’t be as dangerous as different issues an organization like RCN may face and is definitely one thing that the corporate may repair in a heartbeat if it ever reached the proper determination. There are a lot of different methods of verifying a buyer’s identification or fixing technical issues with out studying again the person’s password and asking if “is that is yours?”.