Re: CRIME ISP Password Security Practices at Earthlink

From: Kim Schaffer (kimsch@private)
Date: Wed Jun 12 2002 - 13:14:46 PDT

Next message: Zot O'Connor: "CRIME [Fwd: [Biztech-hillsboro] Re: [C.r.i.m.e.-announce] ATM SCAM]"

Previous message: Todd Ellner: "CRIME Amusing sting reported in the Register"
In reply to: Lyle Leavitt: "CRIME ISP Password Security Practices at Earthlink"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

From the design perspective, I've had clients that demand both (different
clients.) Since some users see it as a shell game, they don't want you to
pretend that you can't get to it (sniffers, backup, crack, file access, and
other ways smart guys can figure it out.)

Some however users want the assurance that there are procedures in place
that don't allow admin and customer service to view the password. These
service providers tend to focus on more sophisticated users who also realize
the employees could get the passwords if they had access, (like most of this
audience.) Since most of the good places have also done background
investigations on those touching critical information and may even bond
those employees, some see this as overkill, others as part of the structure
necessary to deliver a good product.

Either way there's a social engineering aspect that someone can call and
prevent you from gaining access to your information, if not taking over the
account. Bottom line is that neither showing or hiding tells you whether you
are safe from hackers or rogue employees, they are just trying to give you
the service you expect.

Kim

I still remember when Unix geeks were offended when there were passwords on
a system.

----- Original Message -----
From: "Lyle Leavitt" <lylel@private>
To: "CRIME" <crime@private>
Sent: Tuesday, June 11, 2002 5:13 PM
Subject: CRIME ISP Password Security Practices at Earthlink


>
> I recently discovered during a tech support call that my ISP
> (Earthlink - one of the largest in the US), has a practice regarding
> passwords which I find alarming. The technicians and other service
> personnel have full visibility to the passwords on my accounts. Is
> this a common practice among ISPs? My past experience has been that
> network personnel have the ability to reset passwords but not openly
> view them. Nowhere in their privacy statements does it explain this
> practice. Doesn't this leave them open for liability if a disgruntled
> Earthlink employee should decide to take advantage of this access in
> order to created problems for a lot of accounts or to profit buy
> selling the passwords to someone else like a competitor?
>
> Any comments?
>
> Lyle Leavitt
>

Next message: Zot O'Connor: "CRIME [Fwd: [Biztech-hillsboro] Re: [C.r.i.m.e.-announce] ATM SCAM]"
Previous message: Todd Ellner: "CRIME Amusing sting reported in the Register"
In reply to: Lyle Leavitt: "CRIME ISP Password Security Practices at Earthlink"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

This archive was generated by hypermail 2b30 : Wed Jun 12 2002 - 14:25:50 PDT