ISP Can't Figure Out How To Automate A Password Reset, But Is Happy To E-mail Your Password In Plain Text

from the cryptography-schmiptography dept

As we've noted, AT&T and Verizon are working hard to dump all of the DSL customers they're too cheap to upgrade to fiber, so they can focus on much more profitable (read: capped) wireless broadband service. A company by the name of Frontier Communications is doing the lion's share of the acquisitions, recently acquiring all of AT&T's customers in Connecticut, as well as all of Verizon's fixed-line broadband customers in California, Texas, and Florida. Unfortunately for these acquired users, Frontier is exhibiting the kind of steep, sustained incompetence that should probably be making these customers very nervous.

As we noted back in May, Frontier recently had to stop selling broadband service via the company's website -- because it apparently couldn't figure out how to get the technology to work. If that didn't make new Frontier customers nervous, last week the company made headlines again after it was discovered the company apparently has no idea how to automatically reset user e-mail passwords or what cryptography is. Apparently, the only way for Frontier users to have their e-mail passwords reset is to e-chat with a support rep named Shawn, who is happy to share your password with you in plain text:
"Silverman had forgotten the password to this little-used account but found that the Frontier e-mail website provides no self-service method for resetting the password. The only option was to chat with a Frontier employee. And that employee, Shawn from tech support, had access to Andrew's password in plain text and was ready and willing to share it."
That the company isn't salting and hashing stored passwords is obviously a red flag, but it gets worse:
"I'm not comfortable giving out passwords. Is there a password reset page?" Silverman asked.

"I'm sorry there isn't," Shawn replied. "Are you OK with me posting the password in chat? It is a secure network and I have the password in front of me."

Silverman pointed out how ridiculous this system is but accepted Shawn's offer and received the password. Before ending the chat, Shawn tried to sell Silverman antivirus software, computer tech support, or "identity protection." Silverman declined. The Frontier system then e-mailed Silverman a full transcript of the chat, including the password in plain text. The only information Frontier obscured was his account number."
So to recap: Frontier isn't capable of building a website that can sell broadband service, or one that allows for automatic e-mail password resets. It also apparently stores the password in plain text making it easy for any Frontier employee to see, and is happy to both post said password into an e-chat platform (which at least uses HTTPS) and over unencrypted e-mail. For good measure, the company will then upsell you on security and "identity protection" services and software. Amusingly, Frontier still insists that its systems are secure:
"Frontier insisted that its password practices are secure but was stingy with details...Frontier also said that it only provided Silverman a password after "we verified identity first through security questions." But as Silverman told Ars, "the only security challenges they posed were to provide the account number OR the landline service number in combination with the last 4 of the social security number."
Of course these kinds of security questions aren't remotely secure either. Earlier this month "The Martian" author Andy Weir noted on Facebook that it was incredibly trivial for his Comcast e-mail account to be hacked after the ISP gave up his password after simply being given the last four numbers of his social security number and his street address. Regardless, the Frontier user proceeds to wonder just how secure Frontier's billing systems are. It also obviously raises questions about the quality of the company's quickly-expanding broadband empire.

So yeah, pro tip: if you're one of the six people still using your ISP's e-mail services, it might be time to stop, since security is pretty clearly a distant afterthought. And if you're one of the millions of monopoly victims customers getting gobbled up by Frontier as AT&T and Verizon sever their ties to unwanted DSL customers, you may want to think about either moving, or building your own broadband ISP with at least a rudimentary understanding of cryptography.
Hide this

Thank you for reading this Techdirt post. With so many things competing for everyone’s attention these days, we really appreciate you giving us your time. We work hard every day to put quality content out there for our community.

Techdirt is one of the few remaining truly independent media outlets. We do not have a giant corporation behind us, and we rely heavily on our community to support us, in an age when advertisers are increasingly uninterested in sponsoring small, independent sites — especially a site like ours that is unwilling to pull punches in its reporting and analysis.

While other websites have resorted to paywalls, registration requirements, and increasingly annoying/intrusive advertising, we have always kept Techdirt open and available to anyone. But in order to continue doing so, we need your support. We offer a variety of ways for our readers to support us, from direct donations to special subscriptions and cool merchandise — and every little bit helps. Thank you.

–The Techdirt Team

Filed Under: broadband, customer support, passwords, plaintext
Companies: frontier, frontier communications


Reader Comments

Subscribe: RSS

View by: Time | Thread


  • This comment has been flagged by the community. Click here to show it
    identicon
    Anonymous Coward, 19 Aug 2015 @ 11:04am

    Step right up to Gmail, so you can be SPIED ON.

    You're worried about the password to ONE email account when Microsoft and Google and Apple all claim to literally OWN everything you do while using their systems?

    ...
    Picture this scene in Jurassic Park:
    (hiding from three-ton raptor when) LOOK OUT, THERE'S AN ANT! RUN FOR YOUR LIVES!

    link to this | view in chronology ]

    • identicon
      That One Other Not So Random Guy, 19 Aug 2015 @ 11:23am

      Re: Step right up to Gmail, so you can be SPIED ON.

      Don't you have to go yell at cars on the highway now?

      link to this | view in chronology ]

    • identicon
      Anonymous Coward, 19 Aug 2015 @ 11:30am

      Re: Step right up to Gmail, so you can be SPIED ON.

      Yawn.

      link to this | view in chronology ]

      • identicon
        That One Other Not So Random Guy, 19 Aug 2015 @ 11:37am

        Re: Re: Step right up to Gmail, so you can be SPIED ON.

        Exactly what I thought when I read your childish tirade.

        link to this | view in chronology ]

        • identicon
          Rich, 19 Aug 2015 @ 12:19pm

          Re: Re: Re: Step right up to Gmail, so you can be SPIED ON.

          I don't think he was replying to you, but to the other Anonymous Coward above you.

          link to this | view in chronology ]

          • identicon
            That One Other Not So Random Guy, 19 Aug 2015 @ 12:40pm

            Re: Re: Re: Re: Step right up to Gmail, so you can be SPIED ON.

            My bad.

            link to this | view in chronology ]

  • identicon
    Anonymous Coward, 19 Aug 2015 @ 11:05am

    Huh???

    So you get a password reset.

    Can't you log in now and change the password again?

    If that answer is no: NOW we have a problem!

    link to this | view in chronology ]

    • identicon
      Anonymous Coward, 19 Aug 2015 @ 11:32am

      Re: Huh???

      Can't you log in now and change the password again?


      You can change it again, and it'll be stored in plaintext again, and anybody who knows your phone number + last 4 digits of SSN can just call Frontier and retrieve it again. Not rocket science!

      link to this | view in chronology ]

    • identicon
      A Non-Mouse, 19 Aug 2015 @ 11:49am

      Re: Huh???

      So you get a password reset."

      He didn't get a password reset, he retrieved his EXISTING password. That's a huge difference, and a huge no-no. If someone can retrieve your existing password, then they can log in to & monitor your account without you knowing. Which opens the door to all of your other accounts.

      link to this | view in chronology ]

    • identicon
      Anonymous Coward, 19 Aug 2015 @ 12:25pm

      Re: Huh???


      Huh???

      So you get a password reset.

      Can't you log in now and change the password again?

      If that answer is no: NOW we have a problem!



      They store your password in plainterxt.

      That means anyone that can hack their system can get it.

      Anyone that has access to the system (maybe that isn't just "Shawn") can also get it - maybe one of them (including possibly Shawn - can he be ruled out? how?) is a bad actor and they can easily "steal" it.

      A good password storage system will not store your password so that anyone can get it. That's what those password reset webpages do - you have to "reset" because no one can read or see your existing password - because they aren't usually stored in plaintext.

      link to this | view in chronology ]

  • icon
    Sheogorath (profile), 19 Aug 2015 @ 11:26am

    But don't you see? Frontier does know about basic security practices, it simply doesn't use them because it wants to give governments easier access to the accounts of terrorists (read 'ordinary citizens') using their service.

    link to this | view in chronology ]

  • identicon
    Jason, 19 Aug 2015 @ 12:13pm

    Sadly Frontier isn't alone in this. I still have my first email account from way back, though the corporate owners of the domain have shuffled around a few times since then. I keep it around only because it's an address I've had for so long and the only one certain long-lost contacts may know of. I don't know how the passwords are stored, but the only way to change it is to call customer service and tell them what I want the new one to be. (Not even their online web mail interface includes a way to change the password.)

    Needless to say, I haven't done that. What I have done, long ago, was transition all of my online accounts to other email addresses.

    link to this | view in chronology ]

  • icon
    Lord_Unseen (profile), 19 Aug 2015 @ 12:18pm

    Are they secure on anything?

    That's... terrifying. What really scares me though, if they can't be bothered to even hash these passwords, what else are they not securing properly. Is credit card information stored in plain text? How about SSNs? If they really are getting this big, this is a news story waiting to happen.

    Watch.

    link to this | view in chronology ]

  • identicon
    Anonymous Coward, 19 Aug 2015 @ 1:17pm

    Frontier Communications is a wholly owned shell corporation of AT&T.

    basic plan (as grabbed from their internal records):

    1. Irritate customers so the move to a different ISP comes as a relief
    2. Ensure the 'replacement' ISP appears incompetent. This can be established by accidental security breaches, low quality of cust.service
    3. Allow replacement ISP [Frontier] to financially collapse, forcing customers BACK to AT&T as the sole option, but this time on OUR terms.

    link to this | view in chronology ]

    • icon
      Sheogorath (profile), 19 Aug 2015 @ 1:48pm

      Re:

      4. Pitch a fit when former customers say they'd rather do without Internet than be held under AT&T's terms.

      link to this | view in chronology ]

      • icon
        Sheogorath (profile), 20 Aug 2015 @ 12:33am

        Re: Re:

        5. Sue former customers for piracy when they use the internet at the library and over open Wi-Fi connections rather than bend over at AT&T's behest.

        link to this | view in chronology ]

  • icon
    Aquifel (profile), 20 Aug 2015 @ 7:07am

    The worst part about this is that its common. Go to your bank, if its any major bank, they can pull up your online banking password in plain text and the teller can just give it to you.

    link to this | view in chronology ]

  • icon
    nasch (profile), 21 Aug 2015 @ 7:07am

    Hashing

    For any less techy types wondering about hash and salt and if you stumbled on a cooking blog:

    https://en.wikipedia.org/wiki/Cryptographic_hash_function#Password_verification

    link to this | view in chronology ]


Follow Techdirt
Essential Reading
Techdirt Deals
Report this ad  |  Hide Techdirt ads
Techdirt Insider Discord

The latest chatter on the Techdirt Insider Discord channel...

Loading...
Recent Stories

This site, like most other sites on the web, uses cookies. For more information, see our privacy policy. Got it
Close

Email This

This feature is only available to registered users. Register or sign in to use it.