Someone who is serious about security would never do this. The rest of the article falls on its face at this point.
An end to passwords would be awesome. But, I haven't seen a compelling solution to the problem.
It is absolutely worth the time to set up and start using.
Oh, and now the CSR knows his banking password too. Handy.
I personally would never use a banking, brokerage, or charge card [edit: or email] password for any other purpose. But, for other sites, I'm as lazy as he is...
Fulfillment companies are the companies that magazine publishers hire to handle customer service, charge and ship magazines to you at the right time.
Problem is, when it was time to put these magazines online, magazine companies looked to fulfillment companies to handle billing and customer service for them. These fulfillment companies had worked in 30/60 day cycles and were running software that was created in 1985.
So when the Internet came knocking, they just rigged up some stuff to kinda sorta do it the same way.
Before someone writes the obligatory "someone should create some software to make digital fulfillment for old-school publishing better", you should understand that these fulfillment companies own the customer/user data.
To migrate from one fulfillment company to another, you'd have to re-collect billing information for the entire subscription file, which would require the publisher to contact Grandma Barbara and ask her to send in another check or get on AOL to add her credit card. Which just isn't going to happen.
I don't buy it. This was asking for a login password.
For example, Netflix does this for support where you get the token from the web page (as a number) and enter it when you make the support call. Google business support has it too, although it is valid for longer, where the admins can get a token that is entered with support requests.
Calm Down.
At most, a paranoid system might be designed to require a second login before a sensitive change, on the theory that a screen might have gone unattended. The outcome of that second logon (success or failure) is all that should be shown to a service rep. The system should immediately destroy the password after hashing it for comparison to the value stored in the database. This technique is decades old.
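As an added example (not code from anyone in this thread), here is the flow the comment above describes, combined with the short-lived support token from the Netflix comment earlier: the password is hashed and compared, only the outcome is exposed to a service rep, and the support PIN is a separate single-use value generated on the logged-in web page. The in-memory store, function names and PBKDF2 parameters are assumptions for illustration.

```python
import hashlib
import hmac
import os
import secrets
import time

# Constructed in-memory "database": salted verifiers only, never raw passwords.
_users = {}
_support_tokens = {}


def _hash(password: str, salt: bytes) -> bytes:
    # Iteration count is illustrative; the point is a one-way, salted verifier.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000, dklen=32)


def register(username: str, password: str) -> None:
    salt = os.urandom(16)
    _users[username] = (salt, _hash(password, salt))
    # The plaintext goes out of scope here; nothing retains it.


def verify_password(username: str, password: str) -> bool:
    rec = _users.get(username)
    if rec is None:
        return False
    salt, stored = rec
    return hmac.compare_digest(_hash(password, salt), stored)


def rep_view(username: str, candidate: str) -> str:
    # All a service rep is allowed to see: the outcome of the second logon.
    return "verified" if verify_password(username, candidate) else "failed"


def issue_support_token(username: str, ttl_seconds: int = 600, now=None) -> str:
    # Generated on the already-authenticated web page; unrelated to the login password.
    now = time.time() if now is None else now
    token = f"{secrets.randbelow(10**6):06d}"
    _support_tokens[username] = (token, now + ttl_seconds)
    return token


def redeem_support_token(username: str, token: str, now=None) -> bool:
    now = time.time() if now is None else now
    rec = _support_tokens.pop(username, None)  # single use: removed on first attempt
    if rec is None:
        return False
    expected, expires = rec
    return now <= expires and hmac.compare_digest(expected, token)
```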
However, I know of vendors who do store raw passwords. This is because I have been asked to change passwords of long standing that do not stand up to silly new rules about variety of character classes, etc. If they were one-way hashing, they could not have known my old password didn't pass muster.
Someone might have lifted his account password and logged into the website with it impersonating him on the chat, and so it only makes sense to then confirm identity by challenging for that password over the same chat where he is being impersonated... hey wait a second!
I'm not entirely convinced that this customer service agent could see his password. She said she had to enter it in to verify it. She may have been confused about his questions, or just flustered by his attitude.
He is right that it's not secure at all, I forget the sequence of numbers I use every other time I've called them, and they've always let me have a few tries at it...
However, the insecurity of the Billing Code is actually worse than his website account password, as anyone could call up, figure out the 5-digit code (they've given me hints before), and change his service, request billing info mailed, etc. And good luck getting any service changed with the (more secure? Who knows...) site account password (although you do have access to billing records, which could be more valuable).
http://vzwtipsandtricks.blogspot.com/2010/11/i-forgot-my-vzw...
http://support.verizonwireless.com/faqs/My%20Verizon/billing...
Reading the chat log, I failed to pick up the problem, and I am a Verizon customer. A few times talking to a Verizon rep, I've been asked for the last four of my SSN. I have to remember to give 0000. That's because, when I first signed up, I didn't want them storing my SSN post credit-check, and they complied.
However, I don't ever recall being asked for a "billing password". Maybe that's because mine is still the numeric 0000. Perhaps Pranaya set up an alpha one at some point and forgot, then got confused by the word "password".
While I agree, that is more easily said than done for most folks. Looking through my Keychain file, I have almost 850 internet password items. Assuming that about a third are duplicates (www.site.com vs site.com for example) that's still well over 500 different sites I have passwords for. Because I'm comfortable with Keychain, I let it generate strong passwords for me (I frequently associate custom email addresses with those passwords as well since I own a bunch of domains). Whenever I try to get others to use various password managers, they get confused and eventually fall back to writing passwords down or using the same password across sites.
Someone needs to get us away from passwords fast.
As an AT&T customer, I know having one of these "passwords" is optional. If you choose to have one as an added level of security (in addition to the last 4 of the account holder's social), you can add it to the account. Again, it can be completely different from your online login password and is usually something simple that can be said/understood over the phone.
I found this whole article kind of funny. The rep must have been so confused as to why this customer was getting so hysterical over such a common thing.
After pressing the issue and refusing to provide it, she walked me through the steps needed to resolve my issue. My feeling was, especially after reading this, that they are probably using the same or a similar 3rd party to provide their live support, and those 3rd parties are now finding that it's easier to log in as users and fix their issues vs. trying to walk users through the various steps to fix it themselves. It probably brings their support times down - I seriously doubt they care about user security.
Or heck, maybe it's a malicious attempt to get passwords... heck if I know, just a theory. Seems like the easiest explanation. Still, unacceptable.