By 2019, a lot of the industries running more critical systems like finance have figured out that you should take your tech seriously (and it only took them twenty years to figure it out...), but it's still a pretty good baseline assumption.
Is an ISP not tech first?
Bell Labs is an offshoot of a phone company; early computing was based on the efforts of phone companies. Phone companies, of which ISPs are the modern variant, are the original tech companies.
Edit to add: Virgin maintains a fibre optic network so we aren't just talking about a sales front end to someone else's network.
This is why things like GDPR end up being foisted on us. Corporations have proven themselves capable of simply ignoring legislation designed to protect their customers, and simply paying a fine later. They'll secure when it's convenient to them, and not a minute earlier.
Perhaps more shockingly, they have a maximum password length of 10 characters, and the first character must be a letter.
Great until, like our neighbours, you place the box in your windowsill facing into the room.
If my experience of Virgin Media is anything to go by, they are probably writing them down in crayon on bits of paper that they keep in a very large box, probably outside and open to the weather.
Actually, it wouldn't surprise me if they just didn't store them at all and just accepted any login attempt.
Given the level of incompetence I have experienced from them, I can only assume they are still in business because of a serious accounting error in their favour.
I found my local cabinet with the doors swinging open and a massive tangled bundle of wires inside. I reported it to them, but they haven't done anything about it for more than a year, other than remove the notice asking you to report it to them if you see it open.
Frankly, I suspect I could build a more reliable link from a bit of string and a couple of plastic cups.
Worst ISP ever.
This is where things like https://securitytxt.org/ are important. Being able to go through to the team or person who knows what's going on. But then again, if a company stores plain text passwords they most likely won't have a security.txt.
Then why are they responding to a technical issue? And you may say they will not pass on information, but it is one channel we have of contacting them, possibly the only one.
> There are a number of additional considerations you will need to take account of when designing your password system, such as the use of an appropriate hashing algorithm to store your passwords, protecting the means by which users enter their passwords, defending against common attacks and the use of two-factor authentication. [0]
Well, they're not admitting what they do is in any way unsafe, but it really seems like a cut-and-dried GDPR violation.
They really haven't met even the spirit of:
> Processed in a manner that ensures appropriate security of the personal data, including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage, using appropriate technical or organisational measures.
[0] https://ico.org.uk/for-organisations/guide-to-data-protectio...
They sent me to a debt collector more than a year after I had closed my account, for something I didn't owe them (it was a bill for services after I had closed my account and been physically disconnected). When I tried to talk to them about it, one of their call centre managers eventually admitted to me that there was no public number that could get me through to a call centre that had anyone able to sort it, or anyone they could transfer me to who could sort it, so I might as well stop trying and sue them.
I got it sorted by tracking down one of the company executive's home contact information and calling him about it. I harassed him considerably less than the debt collectors harassed me.
The relevant law is the Postal Services Act 2000, section 84(3).
If the letter has already been delivered, maybe to the wrong address, it's only an offence to open that letter if you have the intent to cause detriment and you don't have an excuse to open it.
"Hey this looks important and I wonder who it's for" is a reasonable excuse to open the letter.
https://www.legislation.gov.uk/ukpga/2000/26/contents
https://www.legislation.gov.uk/ukpga/2000/26/part/V/crosshea...
> (3) A person commits an offence if, intending to act to a person's detriment and without reasonable excuse, he opens a postal packet which he knows or reasonably suspects has been incorrectly delivered to him.
My 93 year old neighbour had had people using her address for insurance fraud - I’d spotted the huge pile of unopened envelopes in her kitchen, all sent to her address but with random fictional names. Asked her if I can open one. “By all means,” she says, “I just use them as kindling anyway.” Car insurance policies. Hundreds of them.
So, I did what I thought was the right thing, contacted the fraud line.
A few days later this cop appears, not to investigate the fraud, not to console my neighbour - but to threaten both of us with prosecution for opening letters addressed to someone else - and that was the end of that. Never mind that they were going to her home - if it’s addressed to Miss Xfrjjtgvyes Bstgbfwss then only she can open it. I don’t care that she sounds made up. You don’t know that. How do I know you aren’t made up? Watch that tongue, son.
I ignored him and phoned dozens of insurers on her behalf, didn’t bother the police again. They take opening someone else’s mail, even a fictional person, far more seriously than, say, £30,000 of fraud.
Not that I expect Virgin Media to change. They are a massive company with probably a million legacy systems from their NTL, Cable&Wireless and 50 other mergers that they will never touch.
Unfortunately, the motto here is 'If it ain't broke, don't fix it,' and these systems don't get updated until it is too late.
> Posting it to you is secure, as it's illegal to open someone else's mail. ^JGS
I can't trust Virgin to mail me anything sensitive then, as the person who sent these details could have just seen it and written it down beforehand. That is too much of a risk to trust anyone and call that secure, even if it is illegal to open someone else's mail.
Well I'll be expecting the GDPR officers to mail you clowns a huge fine then.
Their engineers are good as well when I've had to deal with them professionally for work.
It's so hit and miss with other companies I've dealt with though.
I think this is what is being talked about. Not the actual account 'password'.
https://plaintextoffenders.com/post/4983474119/virginmobilec...
https://mobile.twitter.com/VirginMediaIE/status/116344119354...
Nothing else links the various Virgin companies. By this stage the brand is basically a convenient way for companies to outsource branding while they get on with whatever their business is.
The problem there is that Virgin used to mean something but it's less meaningful now.