I want to thank everyone for your insightful comments. I think we may have hit a vulnerable spot on the security landscape. Now I need your help with some follow-up.

Brian McWilliams, a reporter with SecurityFocus Online, has picked up on this story and is trying to run with it. Here is what he gathered from Earthlink's PR spokesperson.

A. She confirmed that they do store customer passwords and that reps have access to the passwords.
B. She claimed there is no security or privacy threat because reps' access to customers' accounts would be logged.
C. She acted surprised to hear that other major ISPs don't follow this same practice, or that security experts think it's dangerous.

Brian is trying to contact other top ISPs (see list below) to confirm their practices regarding password security. If you can speak officially or can put him in contact with someone, please contact him off list. His email is on the CC line in this post.

Top U.S. ISPs by Subscriber: Q1 2002 [Updated May 29, 2002]
http://www.isp-planet.com/research/rankings/usa.html

1. America Online (Dial-Up)
2. MSN (Dial-Up)
3. United Online (Dial-Up) [NetZero + Juno Online]
4. EarthLink (Dial-Up)
5. SBC/Prodigy (SBC & Prodigy DSL & Dial-Up)
6. CompuServe (Dial-Up) [AOL Owned]
7. Road Runner (Cable) [AOL Owned]
8. AT&T Broadband (DSL)
9. AT&T WorldNet (Dial-Up)
10. Verizon (DSL)

I'll keep this group posted as the story develops. Your comments are always welcome.

-Lyle
This archive was generated by hypermail 2b30 : Thu Jun 13 2002 - 11:39:41 PDT