31 Jan 2009

Security Issue with Lycatalk

Lycatalk is a popular international calling service offering calls to different countries at a competitive rate. I have been a fairly new but happy customer – so far.

But this morning I was on the phone with their customer services and was going through the usual identity checks. I was quite surprised to hear the support person ask me to verify my account password! When I asked him whether he could see my account password, he replied he could (!?!). He was actually able to confirm my correct password for me?

Now, given the fact that most people tend to have the same password for almost all their accounts, it is very disturbing to know that someone can see your account password AND have access to the rest of your personal details such as address, card numbers, etc.

This is also generally against standard security practices. Thinking of the worst, what is to stop a rogue/ex-employee using your details on just about any other popular service like Gmail, Facebook and even your bank? I will leave the possible consequences to your imagination :-(

Here are a few suggestions for fellow Lycatalk customers:

  1. IMMEDIATE: Please change your Lycatalk password to something that is NOT associated with other accounts.
  2. Consider dropping Lycatalk an email complaining about this situation (I am still trying to find an email address to do this; the only one I have at present is info@Lycatel.com)
  3. When asked for the account password, REFUSE to provide this and ask to be authenticated using alternative means (Cardinal rule of phone-based support - NEVER provide your password to anyone else - EVEN the service provider employees).
  4. If none of the above works, consider switching (does anyone have any possible alternatives?)

At the time of writing this post, I have yet to speak to anyone else from Lycatalk or email them about this matter. The last person I have spoken to has been the customer support agent today.

2 comments:

Talkmore said...

This is very unprofessional. If I were you I would request that the account be deleted and open another new account with a new password.

Anonymous said...

They are still insecure. I forgot my password and they emailed it to me in plain text. Completely unacceptable practice in 2009, never mind in 2015 with 6 years of notice.