Virgin Media (UK) stores passwords in plain text, sends them through the mail
I learned a long time ago that the default assumption for non-tech-first companies should be deep, deep incompetence, below the level of an undergrad with a decent CS degree, when it comes to basic security practice. Even having your system be Incredibly Important isn't enough to force basic competence: there were plenty of government and bank systems through the 2000s that were apparently designed and maintained by high school kids (looking at you Citibank).
By 2019, a lot of the industries running more critical systems like finance have figured out that you should take your tech seriously (and it only took them twenty years to figure it out...), but it's still a pretty good baseline assumption.
"non-tech-first companies"
Is an ISP not tech first?
Bell Labs is an offshoot of a phone company; early computing was based on the efforts of phone companies. Phone companies, of which ISPs are the modern variant, are the original tech companies.
Edit to add: Virgin maintains a fibre optic network so we aren't just talking about a sales front end to someone else's network.
Despite this, they are completely clueless when it comes to technology. I think only a tiny minority of their staff know that they maintain a fiber network, let alone what that means.
Yea I know, I considered that someone would raise the fact that they're a telco. It's difficult to articulate what I mean by tech-first, and I don't want to lean on "I know it when I see it", but I'm describing a cluster in thingspace that I think is clear to pretty much everyone here.
I’d say that at heart they’re a utility company rather than a tech company.
Is We a tech-first company?
I don't know enough about We. Aren't they a real estate company?
In their S1 they claim they’re SAAS (“space-as-a-service”).
eyeroll emoji
Virgin Media is profit-first, above all else. It's an error to assume that the part of the company that builds out infrastructure is in any way joined up with the part of the company that keeps customers secure (if indeed, they even have people responsible for that, which they apparently don't).
This is why things like GDPR end up being foisted on us. Corporations have proven themselves capable of simply ignoring legislation designed to protect their customers, and simply paying a fine later. They'll secure when it's convenient to them, and not a minute earlier.
This model wouldn't seem to explain why eg Google and Facebook have world-class security. You can think whatever you want about the stuff they do intentionally, but I don't think leaving yourself open to hacking is that sound a business strategy for anyone, and I don't think it's a coincidence that more technically-competent companies also tend to be more secure.
Google and Facebook both started life as tech companies.
Virgin started life as a one-man job hawking records out of a wheelbarrow.
Virgin is not a tech company. Their model is not centered around technology, but content.
Virgin Media is an ISP, for those who don't know.
Perhaps more shockingly, they have a maximum password length of 10 characters, and the first character must be a letter.
Fun fact: you can actually set a good password when you create a virgin media account but then you won't actually be able to login as the password is rejected by their front-end for being too long. And just in case you thought you could do a password reset, their password reset page doesn't work.
I encountered that problem with the payment system for my city water bill a few years ago, I always hoped it would be a problem restricted to small town stuff with no budget for security.
Last time I checked, the default WPA passphrase for Virgin Media routers was always set to eight capital letters, making it trivially crackable with a reasonable amount of GPU compute.
Talktalk's boxes have the WPA passcode on a removable plastic fob attached to the back of the box.
Great until, like our neighbours, you place the box on your windowsill facing into the room.
My current default Virgin WPA password is roughly of the form lLlllNllllll (l - lowercase letter, L - uppercase letter, N - number), installed about a year ago, and I know from seeing another one that the position and quantity of the uppercase letters and numbers aren't fixed.
For the benefit of people whose fonts render "l" to look like "|", that's:
L U L L L N L L L L L L
(L - lowercase letter, U - uppercase letter, N - number)
Must be a while ago then - it's 12 characters upper, lower and digits. Pretty reasonable.
first character has to be a letter... are they storing them unquoted in yaml files?
Files?
If my experience of Virgin Media is anything to go by, they are probably writing them down in crayon on bits of paper that they keep in a very large box, probably outside and open to the weather.
Actually, it wouldn't surprise me if they just didn't store them at all and just accepted any login attempt.
Given the level of incompetence I have experienced from them, I can only assume they are still in business because of a serious accounting error in their favour.
I found my local cabinet with the doors swinging open and a massive tangled bundle of wires inside. I reported it to them, but they haven't done anything about it for more than a year, other than remove the notice asking you to report it to them if you see it open.
Frankly, I suspect I could build a more reliable link from a bit of string and a couple of plastic cups.
Worst ISP ever.
The actual level of service, speed and response to faults I get from them is pretty good.
The password policy though?
Probably to save money on ink for those envelopes with printed passwords!
Must be a letter and password cannot contain spaces or most punctuation.
I get everyone replying to Virgin's Twitter account in disgust, but let’s be honest, the person on the other end of that most likely won’t be technical, nor will there be much chance of them relaying it on. They will reply then go home for the day.
This is where things like https://securitytxt.org/ are important. Being able to go through to the team or person who knows what’s going on. But then again, if a company stores plain text passwords they most likely won’t have security.txt
> I get everyone replying to Virgin's Twitter account in disgust, but let’s be honest, the person on the other end of that most likely won’t be technical, nor will there be much chance of them relaying it on. They will reply then go home for the day.
Then why are they responding to a technical issue? And you may say they will not pass on information, but it is one channel we have of contacting them, possibly the only one.
The person they hired (in all likelihood many people) represents Virgin Mobile in an official capacity. The people in that thread are primarily talking to their followers (because it's Twitter and not a BBS) and are secondarily addressing Virgin Mobile UK. They are not responding to the person you imagine/are assuming must have come up with the Tweet on their own free accord.
If you are incompetent enough to store passwords in plaintext in your database, the chances that you will be capable of fixing that situation once you find out that's a terrible idea are vanishingly small.
Or even a general security page like https://kloudtrader.com/security
> Posting it to you is secure, as it's illegal to open someone else's mail. ^JGS (@virginmedia)
> There are a number of additional considerations you will need to take account of when designing your password system, such as the use of an appropriate hashing algorithm to store your passwords, protecting the means by which users enter their passwords, defending against common attacks and the use of two-factor authentication. [0]
Well, they're not admitting what they do is in any way unsafe, but it really seems like a cut-and-dried GDPR violation.
They really haven't met even the spirit of:
> Processed in a manner that ensures appropriate security of the personal data, including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage, using appropriate technical or organisational measures.
[0] https://ico.org.uk/for-organisations/guide-to-data-protectio...
Perhaps users can pay their bills by leaving a bag of cash in the park with "Virgin Media" written on it, as it would be illegal for anyone else to take it.
In my experience it doesn't make much difference whether you pay the bills or not.
They sent me to a debt collector more than a year after I had closed my account, for something I didn't owe them (it was a bill for services after I had closed my account and been physically disconnected). When I tried to talk to them about it, one of their call centre managers eventually admitted to me that there was no public number that could get me through to a call centre that had anyone able to sort it, or anyone they could transfer me to who could sort it, so I might as well stop trying and sue them.
I got it sorted by tracking down one of the company executives' home contact information and calling him about it. I harassed him considerably less than the debt collectors harassed me.
VM even got the mail law a bit wrong.
The relevant law is the Postal Services Act 2000, section 84(3)
If the letter has already been delivered, maybe to the wrong address, it's only an offence to open that letter if you have the intent to cause detriment and you don't have an excuse to open it.
"Hey this looks important and I wonder who it's for" is a reasonable excuse to open the letter.
https://www.legislation.gov.uk/ukpga/2000/26/contents
https://www.legislation.gov.uk/ukpga/2000/26/part/V/crosshea...
> (3) A person commits an offence if, intending to act to a person’s detriment and without reasonable excuse, he opens a postal packet which he knows or reasonably suspects has been incorrectly delivered to him.
Try telling this to a cop who’s itching to arrest you - back-chat and “being clever” is never appreciated.
My 93 year old neighbour had had people using her address for insurance fraud - I’d spotted the huge pile of unopened envelopes in her kitchen, all sent to her address but with random fictional names. Asked her if I can open one. “By all means,” she says, “I just use them as kindling anyway.” Car insurance policies. Hundreds of them.
So, I did what I thought was the right thing, contacted the fraud line.
A few days later this cop appears, not to investigate the fraud, not to console my neighbour - but to threaten both of us with prosecution for opening letters addressed to someone else - and that was the end of that. Never mind that they were going to her home - if it’s addressed to Miss Xfrjjtgvyes Bstgbfwss then only she can open it. I don’t care that she sounds made up. You don’t know that. How do I know you aren’t made up? Watch that tongue, son.
I ignored him and phoned dozens of insurers on her behalf, didn’t bother the police again. They take opening someone else’s mail, even a fictional person, far more seriously than, say, £30,000 of fraud.
From 2015: "Virgin Media stores user passwords in plaintext?" https://news.ycombinator.com/item?id=9492006
Except now post GDPR implementation it is now illegal to be that incompetent.
Not that I expect Virgin Media to change. They are a massive company with probably a million legacy systems from their NTL, Cable&Wireless and 50 other merges that they will never touch.
This is the same bunch of clowns who MITM you even after disabling their porn-filter, and the "fix" is to install their root cert.
Right now in 2019, companies in the UK who somehow now think that they are 'tech companies' have this attitude when it comes to security. I met one company that recently got funding in the UK that deals with personal insurance and asked them if they write tests and they responded that they don't have tests, because they have no time to write any. In this case, that is like not having a security audit because we don't want anyone knowing the secret sauce.
Unfortunately, the motto here is 'If it ain't broke, don't fix it', and these systems don't get updated for a long while, until it is too late.
> Posting it to you is secure, as it's illegal to open someone else's mail. ^JGS
I can't trust Virgin to mail me anything sensitive then, as the person who sent these details could have just seen them and written them down beforehand. That is too much of a risk to trust anyone and call that secure, even if it is illegal to open someone else's mail.
Well I'll be expecting the GDPR officers to mail you clowns a huge fine then.
How is it that ISPs are always such awful organisations? I understand that their user base isn’t particularly technical, but there’s no excuse for this sort of public stupidity.
Because the vast majority of them did not start as ISPs. They started as media distribution companies and built an empire based on the value of doing media distribution. Then the Internet came along and made distribution worthless, and the ISP gig was taken up with infinite reluctance.
When you have a problem and call support, they do the "please enter the 4th digit of your account password" thing to verify you (further evidence that they store it in plaintext). This is particularly fun since my password is only in a password manager, which, if my service is offline, I can't access. So whenever my internet goes out, calling VM support to get them to fix it involves an extra 15 minutes of me arguing with them.
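The ICO guidance quoted earlier asks for an appropriate hashing algorithm, and the "4th digit of your password" check above is a tell that none is in use. This added example (not Virgin Media's code; the user names, passwords and scrypt parameters are constructed) shows a salted scrypt record, constant-time verification, and a migration of a legacy plaintext table into records that can no longer answer a per-character question:

```python
import hashlib
import hmac
import os
from typing import Dict, Optional

# Constructed example, not Virgin Media's code. A password record holds a
# random salt and a scrypt digest; the password itself is never stored.
SCRYPT_N, SCRYPT_R, SCRYPT_P, DKLEN = 2 ** 14, 8, 1, 32


def hash_password(password: str, salt: Optional[bytes] = None) -> Dict[str, str]:
    """Return a storable record {salt, digest} for the given password."""
    salt = salt if salt is not None else os.urandom(16)
    digest = hashlib.scrypt(password.encode("utf-8"), salt=salt,
                            n=SCRYPT_N, r=SCRYPT_R, p=SCRYPT_P, dklen=DKLEN)
    return {"salt": salt.hex(), "digest": digest.hex()}


def verify_password(record: Dict[str, str], candidate: str) -> bool:
    """Recompute the digest for the candidate and compare in constant time."""
    digest = hashlib.scrypt(candidate.encode("utf-8"),
                            salt=bytes.fromhex(record["salt"]),
                            n=SCRYPT_N, r=SCRYPT_R, p=SCRYPT_P, dklen=DKLEN)
    return hmac.compare_digest(digest, bytes.fromhex(record["digest"]))


def migrate_plaintext_store(legacy: Dict[str, str]) -> Dict[str, Dict[str, str]]:
    """Convert a legacy {username: plaintext} table into hashed records.

    After this runs, nothing in the store can answer "what is the 4th
    character of the password": the digest reveals no individual characters,
    which is why such a phone check implies plaintext storage.
    """
    return {user: hash_password(pw) for user, pw in legacy.items()}


if __name__ == "__main__":
    # Constructed sample data for a stand-alone run.
    legacy_table = {"alice": "correct horse battery staple", "bob": "Hunter2abc"}
    hashed = migrate_plaintext_store(legacy_table)
    assert verify_password(hashed["alice"], "correct horse battery staple")
    assert not verify_password(hashed["bob"], "hunter2abc")
    print("plaintext left in store:",
          any("password" in rec for rec in hashed.values()))
```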
I’d say that a password manager with no offline caching capability is also a problem, but yeah, Virgin Media (and Virgin Mobile) are complete monkeys. I’ve ended up leaving them for a commercial-grade connection costing almost 10x more just so I don’t have to deal with this bullshit anymore.
Also in the UK, my local ISP is an offshoot of the local telco (the only one that didn't merge with BT back when); they are on the pricey end of normal but the service is fabulous and I've had maybe an hour's disruption in 4 years on their fibre.
Their engineers are good as well when I've had to deal with them professionally for work.
It's so hit and miss with other companies I've dealt with though.
I’m a bit rusty and could be wrong but doesn’t MSCHAPv2/CHAP require knowledge of the plaintext password on the server side? I think that makes it required to be stored plaintext for any PPP connection and thus most if not all ISPs would be storing plaintext passwords
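For the CHAP question raised above: in plain CHAP (RFC 1994) the response is MD5(Identifier || secret || Challenge), so the authenticator must hold the very secret the peer uses and cannot check a response against a salted one-way digest. This added example (not any ISP's code; peer names and secrets are constructed) walks both sides of one exchange:

```python
import hashlib
import hmac
import os
from typing import Dict, Tuple

# Constructed example, not any ISP's code: a minimal CHAP (RFC 1994) exchange.
# Both sides compute MD5(Identifier || secret || Challenge), so the server's
# table must contain the shared secret itself, not a salted hash of it.


def chap_response(ident: int, secret: bytes, challenge: bytes) -> bytes:
    """Compute the CHAP Response value for one challenge (RFC 1994, section 2)."""
    return hashlib.md5(bytes([ident & 0xFF]) + secret + challenge).digest()


class ChapAuthenticator:
    """Server side: issues challenges and checks responses against its secret table."""

    def __init__(self, secrets: Dict[str, bytes]):
        self._secrets = dict(secrets)   # peer name -> shared secret
        self._ident = 0

    def challenge(self) -> Tuple[int, bytes]:
        self._ident = (self._ident + 1) & 0xFF   # one-octet Identifier field
        return self._ident, os.urandom(16)

    def verify(self, ident: int, challenge: bytes, name: str, response: bytes) -> bool:
        secret = self._secrets.get(name)
        if secret is None:
            return False
        expected = chap_response(ident, secret, challenge)
        return hmac.compare_digest(expected, response)


class ChapPeer:
    """Client side: answers a challenge with the secret it shares with the server."""

    def __init__(self, name: str, secret: bytes):
        self.name, self._secret = name, secret

    def respond(self, ident: int, challenge: bytes) -> Tuple[str, bytes]:
        return self.name, chap_response(ident, self._secret, challenge)


def run_exchange(server: ChapAuthenticator, peer: ChapPeer) -> bool:
    """One Challenge -> Response -> Success/Failure round trip."""
    ident, challenge = server.challenge()
    name, response = peer.respond(ident, challenge)
    return server.verify(ident, challenge, name, response)
```

An authenticator seeded with a digest of the secret instead of the secret fails every exchange, which is the constraint the comment describes. MS-CHAPv2 differs in that the server can work from the NT hash of the password rather than the password itself (not shown here).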
UCAS used to do a similar thing. I really hope they have fixed this since. https://i.imgur.com/H2gADSX.png
The difference here is that OP is referring to postal mail, not email.
Virgin Media have a 'memorable word' that you quote to the phone agents as proof that it's you talking to them. It's not the password to the online account, and it's only one of a few bits of info you get asked for to prove you are the account holder.
I think this is what is being talked about. Not the actual account 'password'.
I wouldn't be so sure:
https://plaintextoffenders.com/post/4983474119/virginmobilec...
Don't think this was posted yet, they doubled down on this:
https://mobile.twitter.com/VirginMediaIE/status/116344119354...
Unfortunately Plusnet does the same
Does anyone else think the Virgin group companies are really bad and are simply based on good marketing? My read on Branson himself is that he's DT with actual billions.
The Virgin brand means two things: the company is paying 1% of annual turnover to Virgin Group and Branson himself is happy for the company to carry the brand.
Nothing else links the various Virgin companies. By this stage the brand is basically a convenient way for companies to outsource branding while they get on with whatever their business is.
The problem there is that Virgin used to mean something but it's less meaningful now.
Virgin Media has been owned by Liberty Global since 2013
And Branson only owned 3% before that