
Virgin Media stores phone authentication passwords in plaintext

You'd think that after Sony's big security hiccup last year, where most PlayStation 3 owners had their details stolen by hackers, companies would have learned their lesson. Virgin, despite having a founder who I heartily agree with on a few things, seems to be one of the companies that hasn't: according to an admission on its official Twitter account, phone authentication passwords are stored in plaintext.

This all came about because one Twitter user commented that a phone operator at Virgin had just read his password out to him. A Virgin representative quickly responded that not all passwords are stored in plaintext, just the one used for phone authentication. It did admit, however, in a later Tweet that the operator should perhaps have asked for a couple of characters from the password rather than reading out the entire thing.
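The two storage models the article turns on, as an added example rather than anything from the article or Virgin's systems: a one-way salted hash can confirm a whole password but cannot answer a "give me the third and seventh characters" challenge, so a system that offers that challenge must hold the password in a readable form (plaintext or reversibly encrypted). The sample password and class names are constructed for the demonstration.

```python
import hashlib
import hmac
import os
from typing import Optional, Sequence

# Constructed sample credential for the demo, not a real account value.
SAMPLE_PASSWORD = "correct-horse-42"


class HashedStore:
    """One-way storage: keeps only a salt and a PBKDF2 digest, so the
    full password can be verified but never read back, wholly or partly."""

    def __init__(self, password: str, iterations: int = 200_000):
        self.salt = os.urandom(16)
        self.iterations = iterations
        self.digest = hashlib.pbkdf2_hmac(
            "sha256", password.encode(), self.salt, iterations)

    def verify_full(self, attempt: str) -> bool:
        candidate = hashlib.pbkdf2_hmac(
            "sha256", attempt.encode(), self.salt, self.iterations)
        return hmac.compare_digest(candidate, self.digest)

    def reveal(self) -> Optional[str]:
        # Nothing recoverable is held, so an operator cannot read it out.
        return None

    def verify_positions(self, positions: Sequence[int],
                         chars: Sequence[str]) -> Optional[bool]:
        # A digest of the whole string says nothing about individual
        # characters; None makes that limitation explicit to the caller.
        return None


class PlaintextStore:
    """Recoverable storage, as described for the phone authentication
    password: supports the partial-character check, and full disclosure."""

    def __init__(self, password: str):
        self.password = password

    def verify_full(self, attempt: str) -> bool:
        return hmac.compare_digest(attempt.encode(), self.password.encode())

    def reveal(self) -> str:
        return self.password

    def verify_positions(self, positions: Sequence[int],
                         chars: Sequence[str]) -> bool:
        # Positions are 1-based, as a telephone script would phrase them.
        # This only works because the stored secret is readable.
        return all(0 < p <= len(self.password) and self.password[p - 1] == c
                   for p, c in zip(positions, chars))
```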

“Don't worry your details are safe with us.” – Someone is tempting fate…

While this might not seem like a big problem in context, consider the lengths some people go to in order to socially engineer their way into others' identities: it wouldn't be too difficult to talk a Virgin account's details out of an operator over the phone. Once you have those, it's not hard to see how you could fob your way into a Virgin online account, which could hold credit card details, service subscriptions and further personal information that could in turn be used to get into other accounts.

KitGuru Says: Hopefully, after a bit of light is shone on this instance, Virgin will tighten its security policies. In the meantime, make sure your Virgin passwords aren't used anywhere else, or some nefarious individual might find their way into your other accounts.


One comment

  1. How does the ability of a customer service rep to view phone authentication passwords in plain text lead to the conclusion that they are stored in plain text??

    I’ve run an e-commerce business before, and I could get access to a vast amount of personal customer information through my admin account. That didn’t mean that this information was stored in plaintext, just that the admin account had access to unlock this information and view it.

    Customer service at nearly every online business also has access to your address and email. Does that mean it’s stored in plain text? No.

    In short, end user access to data, whether it be customer or customer service, has no bearing on how the data is stored in a system.

    Of course a hacker can socially engineer a customer service, or maybe even developer account access. That’s a risk at any company regardless of how information is stored, and the security protocols for defending against this are entirely different. It’s worth noting that getting access to a customer service account doesn’t mean that you can parse 5 million passwords with said account… that sets off red flags instantly.

    Claiming that customer passwords are stored in plaintext (which is a real threat, because hackers can sneak this information out through any conceivable backdoor server access) is a serious claim, and drawing conclusions from a Twitter post is absolutely mind-numbingly shortsighted and disingenuous.