Freeserve does a RedHotAnt

21st century parlour game: Pass the Password

Happily, handing passwords out over the phone is not exclusive to RedHotAnt. On at least one occasion, Freeserve's tech support department was equally content to hand out a user's password without any confirmation of identity.

This is a rather more serious problem for Freeserve than RHA. RedHotAnt usernames are long numeric codes, prefaced by the letters RHA, and are not usually accessible to the public, so some knowledge of computer systems would be required to do any damage with the password. At Freeserve, however, the username and the email address are usually the same, and the email address is in the public domain.

According to Freeserve's tech support, to retrieve a lost password, a caller must provide a username, surname, date of birth and the phone number the account is usually accessed from.

A reader tells a different story.

A couple of years back, a firm of surveyors dipped its toes into the waters of the Wibbly Wobbly Web with Freeserve. The person who signed them up left the company without telling anyone else the password, and rather unfortunately, no one thought to ask him what it was as he left.

Then one day the computer forgot the mailbox password and no one could connect to access their emails. A call was made to tech support, our reader tells us, and the ensuing conversation was along these lines:

Me: We've lost our password. What is the procedure?
Op: Can you give me your username?
Me: Yeah, it's (username)
Op: Can you tell me the name of the person who set up the account?
Me: No, but I guess the name you might have could be (I take a stab at the name of the founding partner of the firm).
Op: No sir, that's not the name I've got here.
Me: Oh, hang on a minute, I'll have a word with someone and find out the guy's name.
Op: No, that's okay. It would appear that your account has been suspended, as you haven't logged on to it for 90 days.
Me: Okay, fair enough. What can we do about that?
Op: Er, I need to get you to the Freeserve website.
Me: That's okay, it's open in front of me ATM.
Op: How?
Me: I'm logged on via another ISP.

At this point the operator proceeded to talk me through retrieving the account, to complete which he read me the password over the phone. I said thank you and goodbye.

The partners of this firm were far from happy once I'd explained exactly what had taken place. At no point was my name or any proof of my identity requested, nor was any proof sought that I was a legit user of the account in question.

When asked to comment on the security lapse, a Freeserve spokesman said: "It would be irregular for a password to be given out without three identifying details being requested. Freeserve takes this report very seriously and further details will enable us to investigate further." ®
