ISP Can’t Figure Out How To Automate A Password Reset, But Is Happy To E-mail Your Password In Plain Text

As we’ve noted, AT&T and Verizon are working hard to dump all of the DSL customers they’re too cheap to upgrade to fiber, so they can focus on much more profitable (read: capped) wireless broadband service. A company by the name of Frontier Communications is doing the lion’s share of the acquisitions, recently acquiring all of AT&T’s customers in Connecticut, as well as all of Verizon’s fixed-line broadband customers in California, Texas, and Florida. Unfortunately for these acquired users, Frontier is exhibiting the kind of steep, sustained incompetence that should probably be making these customers very nervous.

As we noted back in May, Frontier recently had to stop selling broadband service via the company’s website — because it apparently couldn’t figure out how to get the technology to work. If that didn’t make new Frontier customers nervous, last week the company made headlines again after it was discovered the company apparently has no idea how to automatically reset user e-mail passwords or what cryptography is. Apparently, the only way for Frontier users to have their e-mail passwords reset is to e-chat with a support rep named Shawn, who is happy to share your password with you in plain text:

“Silverman had forgotten the password to this little-used account but found that the Frontier e-mail website provides no self-service method for resetting the password. The only option was to chat with a Frontier employee. And that employee, Shawn from tech support, had access to Andrew’s password in plain text and was ready and willing to share it.”

That the company isn’t salting and hashing stored passwords is obviously a red flag, but it gets worse:

“I’m not comfortable giving out passwords. Is there a password reset page?” Silverman asked.

“I’m sorry there isn’t,” Shawn replied. “Are you OK with me posting the password in chat? It is a secure network and I have the password in front of me.”

Silverman pointed out how ridiculous this system is but accepted Shawn’s offer and received the password. Before ending the chat, Shawn tried to sell Silverman antivirus software, computer tech support, or “identity protection.” Silverman declined. The Frontier system then e-mailed Silverman a full transcript of the chat, including the password in plain text. The only information Frontier obscured was his account number.”

So to recap: Frontier isn’t capable of building a website that can sell broadband service, or one that allows for automatic e-mail password resets. It also apparently stores the password in plain text making it easy for any Frontier employee to see, and is happy to both post said password into an e-chat platform (which at least uses HTTPS) and over unencrypted e-mail. For good measure, the company will then upsell you on security and “identity protection” services and software. Amusingly, Frontier still insists that its systems are secure:

“Frontier insisted that its password practices are secure but was stingy with details…Frontier also said that it only provided Silverman a password after “we verified identity first through security questions.” But as Silverman told Ars, “the only security challenges they posed were to provide the account number OR the landline service number in combination with the last 4 of the social security number.”

Of course these kinds of security questions aren’t remotely secure either. Earlier this month “The Martian” author Andy Weir noted on Facebook that it was incredibly trivial for his Comcast e-mail account to be hacked after the ISP gave up his password after simply being given the last four numbers of his social security number and his street address. Regardless, the Frontier user proceeds to wonder just how secure Frontier’s billing systems are. It also obviously raises questions about the quality of the company’s quickly-expanding broadband empire.

So yeah, pro tip: if you’re one of the six people still using your ISP’s e-mail services, it might be time to stop, since security is pretty clearly a distant afterthought. And if you’re one of the millions of monopoly victims customers getting gobbled up by Frontier as AT&T and Verizon sever their ties to unwanted DSL customers, you may want to think about either moving, or building your own broadband ISP with at least a rudimentary understanding of cryptography.

Permalink | Comments | Email This Story


Leave a Reply

Fill in your details below or click an icon to log in: Logo

You are commenting using your account. Log Out /  Change )

Google+ photo

You are commenting using your Google+ account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )


Connecting to %s