Thames Water don't get password security


Thames Water seem to love giving me a new account number each month. That would be fine, but each time they do, I have to manually add that number to my online account.

I'm bored of being their data-entry monkey. So, when they rang today, I told them that I expected them to update my account. We had the normal back-and-forth and "let me speak to your manager" that accompanies anything deviating off-script.

A manager called back, we went through account verification, I confirmed I was recording the call, and this is what she said:

We have spoken to our compliance department and if you give us your email address and also your password we can go on and update the new account number for you.

I confirmed - they wanted me to read out my whole password. Not just the 4th and 17th character - the whole thing. I - probably a little too rudely - informed them that wasn't happening and, frankly, I didn't believe that either their data protection team nor their IT security team thought it was a good idea.

To be fair, this isn't the fault of the Customer Service agent. She obviously seems reluctant to ask for the password, but has been given some extremely dodgy advice by someone.

So, we came up with a compromise. They would reset my password, log in to my account, fiddle around with it, and then call me with the new password. And so they did.

Tango hotel alpha mike echo sierra one two three

Foolproof!

Let's count the obvious errors...

  • Don't make your customers do work which you could automate.
  • Don't train your customers to take dangerous risks when it comes to online security.
  • Don't use easily guessable defaults when resetting passwords.
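As an added illustration of that last point (example code, not from the post or from Thames Water), a reset routine that issues a random one-time credential from the CSPRNG and refuses anything built from the organisation's own name; the organisation names and weak-word list are constructed for the example:

```python
import re
import secrets
import string

# Organisation names that must never appear in an issued credential.
# Constructed for this example; a real deployment would load its own list.
ORG_NAMES = ("thames", "thameswater")

# Alphabet without look-alike characters, since the value gets read out over the phone.
ALPHABET = "".join(c for c in string.ascii_letters + string.digits if c not in "Il1O0")

# Constructed list of trivially guessable words.
WEAK_WORDS = ("password", "qwerty", "letmein", "welcome")


def is_guessable_default(candidate: str, org_names=ORG_NAMES) -> bool:
    """True if the candidate is the kind of value a caller could guess:
    the organisation's name, a bare digit run, or a stock weak word,
    with any padding digits or punctuation ignored."""
    stripped = re.sub(r"[^a-z0-9]", "", candidate.lower())
    if any(name in stripped for name in org_names):
        return True
    if re.fullmatch(r"\d+", stripped):
        return True
    # Strip trailing digits so "password123" is caught as well as "password".
    core = re.sub(r"\d+$", "", stripped)
    return core in WEAK_WORDS


def generate_reset_secret(length: int = 16) -> str:
    """Random one-time credential; the caller should store only a hash of it,
    expire it quickly and force a change on first login. The weak-pattern
    check is retried, which is astronomically unlikely to fire but cheap."""
    while True:
        candidate = "".join(secrets.choice(ALPHABET) for _ in range(length))
        if not is_guessable_default(candidate):
            return candidate


if __name__ == "__main__":
    for sample in ("thames123", "Thames-Water-2024", "password1", generate_reset_secret()):
        print(f"{sample!r}: guessable={is_guessable_default(sample)}")
```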

One thought on “Thames Water don't get password security”

  1. Steve says:

    These call centres are the weak link, not just this company but the majority of them. If you ring them and just say you've forgotten all the data, I've been passed through the security check a lot of times with just an address, a name and a DOB, and proceeded to change all the details to new ones. I was legitimate, but if I wasn't, it was super easy to get it changed.