NETELLER does not encrypt passwords

[MrBrightside]

this is really, really, bad. I'm a developer, and as is said by other's in this thread, it's just BAD. Just gives me another reason to hate netteller, aside from there crappy interface. I think firepay is 10x easier to use.

[MrMoo]

Here's the latest. I sent an email to Neteller and their response is below. I don't know who to believe. I respect Kurosh as a poster. On the other hand, I can't imagine any financial company would be this retarded. Ugg.

[ QUOTE ]

Dear Mr. xxxxx,

Customer service representatives do not have access to passwords. If you are
entering the wrong password, we can see that. However, we can not see what
the right password is. Additionally, we can see the answer to your security
question which is not/should not be the same as your password.

Please review the following section of our Terms of Use, which you agreed to
when you signed up your Neteller account:

III. Responsibilities of NETeller plc
12. NETeller is responsible for keeping your records and personal
information secure and confidential. NETeller protects your information from
error, loss, and unauthorized access. Our employees who have access to your
information are made aware of this and each employee must sign an agreement
stating that maintaining confidentiality is a condition of employment with
NETeller.

If you have any questions, please contact our Customer Service Department at
1-888-258-5859 and we will be more than happy to assist you. Please choose
option #0 then select option #1 from the phone menu to be connected directly
to an agent.

The following Countries can dial Toll Free +800-7767-6343:.
Austria, Singapore, China, Hong Kong, Portugal, Japan, Australia, Taiwan,
Israel, UK, France. Germany N, Netherlands, Spain, Denmark, Italy, Norway,
Sweden, Finland, Greece, Poland, Macao, Ireland and Belgium.
Other International locations please contact us at +403-233-9466.

Alternatively you may contact us by email (support@neteller.com) or Live
Help (www.neteller.com).

Thank you,


[/ QUOTE ]

[AliasMrJones]

[ QUOTE ]
[ QUOTE ]
[ QUOTE ]
[ QUOTE ]
This is 100% wrong. In most applications

[/ QUOTE ]
Within your first seven words you contradicted yourself. [img]/images/graemlins/wink.gif[/img]

[/ QUOTE ]

No I didn't.



[/ QUOTE ]

If you feel that strongly about being 100% right, you're 100% right. [img]/images/graemlins/smirk.gif[/img]

[/ QUOTE ]

I didn't say I'm 100% right. I said his statement is 100% wrong. Geez, can anyone actually quote me correctly? Maybe I need to use smaller words.

[PLOlover]

You can verify quite easily that neteller can send your password to your email address any time you request it. It's right on the logon webpage.

They can also send your acct# and secid# to your email address any time you request it.

[kurosh]

Ok, let me clarify. I am not positive that they do not encrypt passwords. It was the logical conclusion from what happened. This is what happened exactly.

I gave the wrong password a few times, which was my real password + 3 extra letters. IE, if my actual password was vaginaf, I was typing in vaginaface. My account was locked. I called the security department. They asked me some questions to confirm my identity, then they unlocked the account and the conversation went as follows.
"Do you know what your password is now? It's very close to what you were typing in, only 3 letters at the end are different."
"Yes, I do. Thanks."

I took this to mean that they could see my password and what my failed attempts were.

[kurosh]

[ QUOTE ]
Here's the latest. I sent an email to Neteller and their response is below. I don't know who to believe. I respect Kurosh as a poster. On the other hand, I can't imagine any financial company would be this retarded. Ugg.

[ QUOTE ]

Dear Mr. xxxxx,

Customer service representatives do not have access to passwords. If you are
entering the wrong password, we can see that. However, we can not see what
the right password is. Additionally, we can see the answer to your security
question which is not/should not be the same as your password.

Please review the following section of our Terms of Use, which you agreed to
when you signed up your Neteller account:

III. Responsibilities of NETeller plc
12. NETeller is responsible for keeping your records and personal
information secure and confidential. NETeller protects your information from
error, loss, and unauthorized access. Our employees who have access to your
information are made aware of this and each employee must sign an agreement
stating that maintaining confidentiality is a condition of employment with
NETeller.

If you have any questions, please contact our Customer Service Department at
1-888-258-5859 and we will be more than happy to assist you. Please choose
option #0 then select option #1 from the phone menu to be connected directly
to an agent.

The following Countries can dial Toll Free +800-7767-6343:.
Austria, Singapore, China, Hong Kong, Portugal, Japan, Australia, Taiwan,
Israel, UK, France. Germany N, Netherlands, Spain, Denmark, Italy, Norway,
Sweden, Finland, Greece, Poland, Macao, Ireland and Belgium.
Other International locations please contact us at +403-233-9466.

Alternatively you may contact us by email (support@neteller.com) or Live
Help (www.neteller.com).

Thank you,


[/ QUOTE ]

[/ QUOTE ]
They mentioned nothing about the security department.

[Non_Comformist]

[ QUOTE ]
Ok, let me clarify. I am not positive that they do not encrypt passwords. It was the logical conclusion from what happened. This is what happened exactly.

I gave the wrong password a few times, which was my real password + 3 extra letters. IE, if my actual password was vaginaf, I was typing in vaginaface. My account was locked. I called the security department. They asked me some questions to confirm my identity, then they unlocked the account and the conversation went as follows.
"Do you know what your password is now? It's very close to what you were typing in, only 3 letters at the end are different."
"Yes, I do. Thanks."

I took this to mean that they could see my password and what my failed attempts were.

[/ QUOTE ]


WTF! my password is vaginaface [img]/images/graemlins/mad.gif[/img]

[Pete H]

[ QUOTE ]
[ QUOTE ]
[ QUOTE ]
This is 100% wrong. In most applications

[/ QUOTE ]
Within your first seven words you contradicted yourself. [img]/images/graemlins/wink.gif[/img]

[/ QUOTE ]

No I didn't. The original quote was:

[ QUOTE ]
Even if Neteller were to take an extra security step and store your password on its servers in encrypted form, staff whose job it is to work with passwords would be able to decrypt and view passwords at will.

[/ QUOTE ]

This IS 100% wrong. If Neteller encrypted the passwords there would be no way to decrypt and view the passwords at will. Apparently Neteller doesn't encrypt their passwords. Ask any Windows, Unix or Linux network admin how to decrypt passwords in any of those systems. Even the system admin. YOU CAN'T.

[/ QUOTE ]

You can't actually decrypt passwords, but if you have access to the password file, you can crack every single password on it.

What all cracking tools do, is they encrypt strings (words from dictionary, words close to it like player1, and finally strings with brute force) and compare the hashes.

Only issue is time.

Most passwords will crack in no time as they are too short and easy words.

[AliasMrJones]

[ QUOTE ]
You can verify quite easily that neteller can send your password to your email address any time you request it. It's right on the logon webpage.

They can also send your acct# and secid# to your email address any time you request it.

[/ QUOTE ]

True enough. If they can email your password to you, then it is not stored encrypted on their system. Incredibly stupid. For a web forum who cares, but for a financial system...

[MarkD]

[ QUOTE ]
[ QUOTE ]
You can verify quite easily that neteller can send your password to your email address any time you request it. It's right on the logon webpage.

They can also send your acct# and secid# to your email address any time you request it.

[/ QUOTE ]

True enough. If they can email your password to you, then it is not stored encrypted on their system. Incredibly stupid. For a web forum who cares, but for a financial system...

[/ QUOTE ]

As a test I just clicked the link and got them to email me my password. Sure enough, they sent it to me. That scares the crap out of me now that I think about it.