Re: CRIME ISP Password Security Practices at Earthlink

From: Kim Schaffer (kimsch@private)
Date: Wed Jun 12 2002 - 13:14:46 PDT


    From the design perspective, I've had clients that demand both (different
    clients.) Since some users see it as a shell game, they don't want you to
    pretend that you can't get to it (sniffers, backup, crack, file access, and
    other ways smart guys can figure it out.)
    
    Some users, however, want the assurance that there are procedures in place
    that don't allow admin and customer service to view the password. These
    service providers tend to focus on more sophisticated users who also realize
    the employees could get the passwords if they had access, (like most of this
    audience.) Since most of the good places have also done background
    investigations on those touching critical information and may even bond
    those employees, some see this as overkill, others as part of the structure
    necessary to deliver a good product.
    
    Either way there's a social engineering aspect that someone can call and
    prevent you from gaining access to your information, if not taking over the
    account. Bottom line is that neither showing nor hiding tells you whether you
    are safe from hackers or rogue employees; they are just trying to give you
    the service you expect.
    
    Kim
    
    I still remember when Unix geeks were offended when there were passwords on
    a system.
    
    ----- Original Message -----
    From: "Lyle Leavitt" <lylel@private>
    To: "CRIME" <crime@private>
    Sent: Tuesday, June 11, 2002 5:13 PM
    Subject: CRIME ISP Password Security Practices at Earthlink
    
    
    >
    > I recently discovered during a tech support call that my ISP
    > (Earthlink - one of the largest in the US), has a practice regarding
    > passwords which I find alarming. The technicians and other service
    > personnel have full visibility to the passwords on my accounts. Is
    > this a common practice among ISPs? My past experience has been that
    > network personnel have the ability to reset passwords but not openly
    > view them. Nowhere in their privacy statements does it explain this
    > practice. Doesn't this leave them open for liability if a disgruntled
    > Earthlink employee should decide to take advantage of this access in
    > order to create problems for a lot of accounts or to profit by
    > selling the passwords to someone else like a competitor?
    >
    > Any comments?
    >
    > Lyle Leavitt
    >
    
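The two storage designs the thread contrasts, the one where support staff can read a customer's password and the one where they can only reset it, as an added example that is not part of any post in the thread. The class names, the PBKDF2 parameters and the sample account are assumptions; the hashed variant addresses only the "view versus reset" point, not the sniffers, backups and offline cracking Kim mentions.

```python
import hashlib
import hmac
import os
import secrets


def _derive(password: str, salt: bytes) -> bytes:
    # Slow, salted key derivation; iteration count is an assumed value.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 200_000)


class PlaintextStore:
    """The practice described in the thread: the record *is* the password."""

    def __init__(self):
        self.accounts = {}

    def set_password(self, user, password):
        self.accounts[user] = password

    def staff_view(self, user):
        # Anyone with support-desk access can read the customer's password.
        return self.accounts[user]


class HashedStore:
    """Staff can verify or reset a password, but the record cannot reveal it."""

    def __init__(self):
        self.accounts = {}  # user -> (salt, derived key)

    def set_password(self, user, password):
        salt = os.urandom(16)
        self.accounts[user] = (salt, _derive(password, salt))

    def verify(self, user, password):
        salt, stored = self.accounts[user]
        return hmac.compare_digest(stored, _derive(password, salt))

    def staff_reset(self, user):
        # The only support-desk operation: issue a fresh temporary password,
        # shown once to the customer and itself kept only as a salted hash.
        temp = secrets.token_urlsafe(12)
        self.set_password(user, temp)
        return temp

    def staff_view(self, user):
        raise PermissionError("passwords are stored only as salted hashes")


def record_contains_password(store, user, password):
    """Does the stored record reveal the password verbatim? (constructed check)"""
    return password in repr(store.accounts[user])
```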



    This archive was generated by hypermail 2b30 : Wed Jun 12 2002 - 14:25:50 PDT