Pin Hacking: How stupid is Sky!

Discussion in 'Sky Digital TV Forum' started by zappo, Feb 7, 2009.

  1. zappo

    You might have noticed recently that Sky has changed the way the PIN is changed; previously you went to the parental control, entered your existing pin and selected change pin.

    Sky has now removed this and replaced it with a completely insecure method. First you select Interactive, then go to Sky Customer Services, then select PIN reminder; it then asks you to enter the last 6 digits of your credit card or bank account number and then it will remind you of your PIN.

    Can you imagine being reminded what your logon password is at work? It is a fundamental no-no in security; you don't even tell the user whether the login or the password was wrong, as it helps hackers.

    Anyone who has anything to do with security knows you NEVER remind someone of their pin. IF they can provide SECURE information then you make them choose a new one. This way if they are not authorised the legitimate user will find out the next time they try to use the pin.

    Can you imagine using the pin to restrict content to a teenager, do Sky really think that a bank account number or credit card number are beyond their reach?

    If a customer cannot remember a pin then they should be forced to ring Sky, confirm ID with a password and then get their pin changed, the old system was more secure as you had to enter the existing pin. I suspect this change has been implemented to cut down the number of calls and let Sky sack a few more people.

    It is bad enough that there is only one PIN for all services, from ordering a movie to restricting PG. Now Sky makes the PIN worthless, but it gets worse. Not only does it make it ridiculously simple to find out the PIN BUT it actually advertises it too. Yes, it's true: Sky has run adverts telling people how easy it is to get a PIN reminder AND it has explained how to do it on the default channel after rebooting a Sky+ box.

    So what are your options? Well, you could hide all your bank statements in a safe and constantly have to be alert. A determined teenager might just intercept your bank statement and you would be none the wiser. Of course one could say that the little angel would never do such a thing, but in that case why do we need a PIN in the first place?

    Perhaps you could unplug your Sky box from the phone line but then Sky would charge you double if you have Sky multiroom.

    We all have to remember PINs for our debit cards; in my workplace there are seven or eight different door codes I have to remember. Does Sky really think we can't manage a simple 4-digit PIN?

    If you think this is as ridiculous as I do, please call Sky and tell them, or remove your Sky box phone line cable and tell them that you will not put it back until they get serious about security.:nono:

    I have asked Sky if I can opt out of being able to get a PIN reminder, but they said they did not think so.
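The "remind versus reset" distinction the post is arguing for, as an added toy model (not Sky's code, and nothing to do with its real systems): a store that can hand back the PIN to anyone holding the last six account digits, beside one that only issues a fresh PIN so the legitimate holder notices the next time theirs stops working. Names, the 4-digit PIN and the 6-digit account number are constructed.

```python
import hashlib
import hmac
import os
import secrets
from typing import Optional


def _derive(pin: str, salt: bytes) -> bytes:
    # Slow salted hash: the PIN is verifiable but not recoverable.
    return hashlib.pbkdf2_hmac("sha256", pin.encode(), salt, 100_000)


class ReminderStore:
    """The flow the post describes: PIN kept recoverable, and anyone who
    can quote the account digits is simply told it (constructed example)."""

    def __init__(self, pin: str, account_digits: str):
        self._pin = pin  # must stay plaintext for a "reminder" to be possible
        self._account_digits = account_digits

    def verify(self, pin: str) -> bool:
        return hmac.compare_digest(self._pin, pin)

    def remind(self, account_digits: str) -> Optional[str]:
        if hmac.compare_digest(self._account_digits, account_digits):
            return self._pin  # secret disclosed; the owner's PIN still works, so no trace
        return None


class ResetOnlyStore:
    """Reset-only flow: salted hash, so no reminder can exist; a verified
    caller gets a new random PIN and the old one stops working."""

    def __init__(self, pin: str, account_digits: str):
        self._salt = os.urandom(16)
        self._hash = _derive(pin, self._salt)
        self._account_digits = account_digits

    def verify(self, pin: str) -> bool:
        return hmac.compare_digest(self._hash, _derive(pin, self._salt))

    def reset(self, account_digits: str) -> Optional[str]:
        if not hmac.compare_digest(self._account_digits, account_digits):
            return None
        new_pin = f"{secrets.randbelow(10_000):04d}"
        self._salt = os.urandom(16)
        self._hash = _derive(new_pin, self._salt)
        return new_pin


def owner_detects_misuse(store, owner_pin: str, account_digits: str) -> bool:
    """Someone with the account digits uses the recovery feature; afterwards
    the owner tries their own PIN. True only if the owner's PIN now fails."""
    recover = getattr(store, "remind", None) or store.reset
    recovered = recover(account_digits)
    assert recovered is not None and store.verify(recovered)
    return not store.verify(owner_pin)
```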
     
  2. 961

    take your Sky Card to work?:devil:
     
  3. zappo

    Could do that, but then the Sky+ box would not record my programmes during the day.
     
  4. The_1_And_Only

    Take your dish, Sky+ box and tv to work then you will be able to record programmes during the day.
     
  5. zappo

    What, the one in the bedroom too? Bit OTT, methinks.
     
  6. Miss Chief

    First of all, the PIN change is still the same. If you know your existing PIN then it can be changed through Parental Control, although this change is only allowed if the box is calling back regularly and connected to the phone line. If you don't, then surely only yourself or possibly your partner/wife/husband should know or have access to your bank details? Leaving them lying around is asking for trouble.
    Secondly, there is a credit limit, normally £35, that prevents anyone from ordering more than this amount of PPV content without a monthly callback.
    Thirdly, there are ways around this even without the PIN number. A dedicated teenager could easily manufacture a simple fault with their Sky and listen in to the conversation to obtain the password on the Sky account, then phone Sky, claim to be either the account holder or partner/husband, and if they know the password then they'll be able to either change the PIN or be told what it is. Yes, it's not especially secure, but to implement a more secure system would only confuse many people, especially older customers, and result in many more calls to Sky, which Sky are trying to reduce in order to cut back on the number of foreign outsourced staff, which people who phone Sky always complain about! Besides, most people's passwords on their Sky account aren't very secure at all. Children's, partners' and pets' names are far more common and easily guessable than is secure.
     
  7. zappo

    Mine IS connected, I have multiroom and if it were not connected then I would be charged double, so I always keep it connected.

    Well, I have a study and a file with bank statements, credit card statements etc. I don't want to have to get a safe for these. As I said, new ones arrive twice a month and I am not always going to be there when they arrive. It is like companies using your date of birth as secure information. Anyone working in security, as I do, will be able to tell you that there are numerous public sources for this information. This is why the temp workers who work for the Post Office can get money for credit card and bank statements, as they help criminals with identity theft.

    The last time I checked, the setting of this credit limit was done via the same PIN (one of my complaints). I have mine set to £0, but with a PIN reminder this can be changed. By the time you find out, the deed is done and you have to pay. Again, anyone who is involved in security will tell you that you NEVER remind someone of a password/PIN.

    Well, you make my point for me: Sky is lazy and wants to cut staff; sadly they have moved more and more jobs out to India. Your example is easily avoidable, for example by asking customers for the third and sixth characters of their password. I use a password that is not obviously a password and that is easily disguised in conversation, e.g. "I think so". Moreover, I would not set a password or PIN in the presence of another person.

    If someone sets a weak password that is THEIR fault; the issues you raise are not an excuse for Sky to completely undermine the security with the reminder system, and advertising it beggars belief. Implementing this daft reminder system puts the responsibility at Sky's door.
     
  8. Miss Chief

    The credit limit is set at Sky's end, not within Parental Control. I had the same argument when I worked for an agency with British Gas. Their idea of data protection was asking questions that could be answered directly from a gas bill. You could get your hands on one and raise merry hell with them without even being the account holder. When I raised this point I was basically told 'we know'.
     
  9. zappo

    One of the worst cases of security stupidity I have come across is Nationwide Building Society: they print your customer number (which is your login) on direct mail labels. They have additional measures, but how daft is that?

    The other classic website flaw is emailing a password reminder; most sites have stopped this now.

    Getting back to Sky, is the £35 credit limit for a month?

    To me the issue is that there is now no security at all and that the single PIN is the password for everything. I would like to see a matrix of passwords which may default to the same PIN initially (for the confused) but allow some flexibility.

    For example, if I want to give a teenager a PIN for PG or 12 films but restrict them from 15 and above. Right now we lock complete channels like MTV One because of content. We even lock Disney from our younger children, as the programming encourages what I would call bad attitudes.

    Another "bug" in the Sky+ system is the ability to remove a series link on a programme that has KEEP selected. This feature should be protected when a programme has KEEP, in the same way that deletion is protected.
     
  10. Leveller

    I found this post really useful, though not for the OP's intended purpose. I can't find my PIN, as I've not been prompted for it for ages. An update must have blanked my preferences as I now need it to watch anything I had recorded.
    I phoned Sky, but their phone lines are down (a friendly voice assures me they're really, *really* sorry, but I don't believe them).
    I searched high & low, tried the usual defaults (last four digits on the viewing card, or 1234, etc), all to no avail.
    Then I came across this post, highlighting Sky's brilliant PIN-reminder service!
    Just goes to show, one man's poison and all that...
    Anyhow, thanks!
     
