topic Re: Security Stupidity in Get Support

Security Stupidity

jlangdale — Wed, 05 Jan 2022 09:36:14 GMT

I just want to say I think it's highly stupid of Public Mobile to have customers giving their information to "Moderators" on a forum system to address issues, where by identity/authentication information will be kept in PM messages that could be hacked one day.

This is a good way to screw over your company if you're hacked.

Re: Security Stupidity

Luddite — Fri, 13 Apr 2018 00:19:32 GMT

If you have security concerns just pay for service with vouchers. Except for whatever you entered when activating, Public Mobile then has no info about you at all.

Re: Security Stupidity

jp2 — Fri, 13 Apr 2018 00:30:14 GMT

Is it really that much different than having personal information on any other site such as Google, Bell, etc. If the company gets hacked your info is out at risk. FYI Bell has been hacked twice recently

Re: Security Stupidity

srlawren — Fri, 13 Apr 2018 00:39:44 GMT

@jlangdale you're welcome to voice your opionions, as you have been doing. I'm going to go ahead and voice mine and say that I think you might want to look around for another provider. It doesn't seem you're happy with much/anything about how PM operates. This is the support model they've gone with. You don't really get a vote, sorry. If you don't like it, vote with your wallet, and move on.

That said, do you think that online chat offered by some wireless brands, or Facebook messenger offered by some, or Twitter DMs, are any better off than the public messaging system here in terms of security? PM didn't roll their own community software, they're using the Lithium system, which is a fairly mature online community system. I'm not saying it's impervious to attack--there's no system on the planet that is. But this is the model being used here. If you're not comfortable with it, look at other carriers where you can call them up and give them your personal info by phone instead when you need support.

Re: Security Stupidity

jlangdale — Fri, 13 Apr 2018 00:48:14 GMT

After reading the comments, I have to say I disagree with them. I think the point I raised is still a very good one. I think having "moderators" pass on user information raises issues that would be best avoided.

Just my two cents for what it's worth. I'm just a customer giving feedback. But I get the sense that your online group is some sort of clique fan club of "power customers."

Re: Security Stupidity

srlawren — Fri, 13 Apr 2018 00:50:38 GMT

@jlangdale are you aware that they are PMs official support staff?

Re: Security Stupidity

jlangdale — Fri, 13 Apr 2018 00:59:57 GMT

I wasn't sure. Are Moderators on this service official salaried employees of Public Mobile? Or are they something else?

Regardless, it's not a good idea to keep copies of this authentication information in the PM messages. It cannot be deleted.

Re: Security Stupidity

srlawren — Fri, 13 Apr 2018 01:04:45 GMT

@jlangdale here's what we know: http://productioncommunity.publicmobile.ca/t5/Knowledge-Base/All-you-need-to-know-about-our-Community-Moderators/ta-p/76452

Regarding your concerns about lingering private messages, I would again say it's no less secure than old Facebook Messenger, Twitter DM, or proprietary live chat history used by other providers. The main difference is at least with those providers, you do have other avenues such as a call centre.

Re: Security Stupidity

jlangdale — Fri, 13 Apr 2018 01:07:35 GMT

Right, I typically use the online chat for basic things and questions. But if they want to verify my identity, I tyipically call in so the information is given verbally and not stored.

Re: Security Stupidity

srlawren — Fri, 13 Apr 2018 01:13:29 GMT

@jlangdale seems a sensible precaution. However, not an option given PM's support model. There is a reason the plans are more affordable, and it's not the network quality. Something has to give.

Re: Security Stupidity

jp2 — Fri, 13 Apr 2018 01:28:07 GMT

@jlangdale wrote:
Right, I typically use the online chat for basic things and questions. But if they want to verify my identity, I tyipically call in so the information is given verbally and not stored.

If u think about it when u call a call centre, who knows where in the world, the only way they can confirm your ID is by comparing the info you give them over the phone to what they already have on their computer/network.

It is definitely good to be cautious online though.

Re: Security Stupidity

koimr1 — Fri, 13 Apr 2018 01:35:40 GMT

@jlangdale wrote:
Right, I typically use the online chat for basic things and questions. But if they want to verify my identity, I tyipically call in so the information is given verbally and not stored.

I get the concern as well but given that for most people there's no number to call what would be a good alternative?

I think if it were up to me I'd have all requests that require moderator intervention be done via Self-Serve and leave the forums for more general questions. Not 100% secure (nothing is as @srlawren rightfully says) but might be a bit better security-wise.

Re: Security Stupidity

jlangdale — Fri, 13 Apr 2018 01:37:25 GMT

Oh wow, I must have maybe pissed off someone or something. Because now I no longer see an "Amount due," nor do I see the ability to change my plan. I think one of these moderators may have ended my service or something.

Or this is an error with the site.

Re: Security Stupidity

kav2001c — Fri, 13 Apr 2018 04:39:21 GMT

@jlangdale maybe I am misreading this but... your concern is that someone would waste their time to hack into each users private mailboxes on the hope they might have sent personal info (name / date of birth / address ... nothing else is important on Public system)

Its totally not worth it

Far easier (and more lucrative) to hack the carriers servers themselves (eg look at the Bell data breach that effected 1.6 million customers or the Freedom data breach that effected 800,000 customers in past year)

By hacking the system itself you not only get the basic stuff (name / dob / addy) but also access to the good stuff (credit card numbers, SIN numbers, other credit identifiable sources)

*edit as I tagged wrong poster lol

Re: Security Stupidity

jp2 — Fri, 13 Apr 2018 01:43:13 GMT

@jlangdale I really don't think they would do that or can do that. They are very good to deal with from my experience

Re: Security Stupidity

jlangdale — Fri, 13 Apr 2018 01:45:27 GMT

Ah maybe it's just Firefox. I had to use Firefox because they said that different browsers may work better with the payment form.

What a hassle!

Re: Security Stupidity

kav2001c — Fri, 13 Apr 2018 04:40:11 GMT

@jlangdale who is "they"?

All 4 of the major carriers have had breaches over the years exposing MILLIONS of Canadians credit information, credit cards, passwords (you know lazy/old people re-use same password everywhere, even banks) etc

That's why I am puzzled by your assertion against Public

The odds that any 1 given username has requested support are low (at best 10% of users) and even then to hack it nets no really usable info

If you want to be a script kiddie to steal info for mailing lists the website for Freedom Mobile is FAR easier to hack and will net you thousands of IDs in the time it takes you to break a single Public account (there is an entire debate raging over Freedom's lack of concern with privacy and security, at least here we REQUIRE an email / password for log in. Freedom forces all subscribers to use phone number + 4 digit pin which is easy to brute force crack)

*edit as I tagged wrong poster in error

Re: Security Stupidity

srlawren — Fri, 13 Apr 2018 01:46:44 GMT

@jlangdale is your plan renewing tonight? That's probably why

Re: Security Stupidity

jp2 — Fri, 13 Apr 2018 01:47:43 GMT

@kav2001c wrote:
@jp2 maybe I am misreading this but... your concern is that someone would waste their time to hack into each users private mailboxes on the hope they might have sent personal info (name / date of birth / address ... nothing else is important on Public system)

Its totally not worth it

Far easier (and more lucrative) to hack the carriers servers themselves (eg look at the Bell data breach that effected 1.6 million customers or the Freedom data breach that effected 800,000 customers in past year)

By hacking the system itself you not only get the basic stuff (name / dob / addy) but also access to the good stuff (credit card numbers, SIN numbers, other credit identifiable sources)

@kav2001c Are you meaning to ask this to me?

I'm trying to make the point that it doesn't matter which company you are with or how you contact them they all store your info online so it is vulnerable to hackers. I also mentioned the Bell hacks further up in this thread.

Re: Security Stupidity

jlangdale — Fri, 13 Apr 2018 01:48:38 GMT

No, not for a couple days. I've always tried to pay ahead of time and keep some money on the account. Looks like Firefox totally doesn't work with the plans page, but Chrome works.