# XM is violating their privacy policy



## Combat Medic (Jul 27, 2007)

So, I'm having a problem with my XM account. I called and the representative wanted to verify that I was using the correct account information. I verified the username and then she wanted me to tell her my password. Since I'm a computer security professional I refused to do so. She then read off my password. I cannot believe that they store the passwords unhashed.

The reason why I say this is a violation of their privacy policy is that policy states "Our security measures for your personally identifiable information, and for the data about your online activities, are at least as secure as the security we use to protect our own information." I guarantee that all of the passwords for their computers are hashed since that is the default of every operating system made in the past two decades.

Then when I asked to speak with a manager she hung up on me. So, now I've been lied to and hung up on. I've still got my original problem and have to sit on hold for another seventeen minutes.

This is great.


----------



## brant (Jul 6, 2008)

oh yeah, same thing happened with me.

i was having trouble logging in to my BB online app after dropping one of my radios (sold the vehicle).


guy i was talking to not only knew my password, but then proceeded to change it.


----------



## xzi (Sep 18, 2007)

You consider your password "personally identifiable information"?


----------



## djlong (Jul 8, 2002)

Passwords are the KEY to "PII". They are NOT supposed to be something you can read and, supposedly, an XM representative should NEVER ask you for your password.


----------



## harsh (Jun 15, 2003)

djlong said:


> Passwords are the KEY to "PII". They are NOT supposed to be something you can read and, supposedly, an XM representative should NEVER ask you for your password.


I've visited a number of support sites where the technician could see all or part of my password. I occasionally include expletives to see if I can trick them into asking me to say the password.

Just because they can see it on the computer screen doesn't mean that it isn't stored long-term in a secure manner.


----------



## Combat Medic (Jul 27, 2007)

harsh said:


> I've visited a number of support sites where the technician could see all or part of my password. I occasionally include expletives to see if I can trick them into asking me to say the password.
> 
> Just because they can see it on the computer screen doesn't mean that it isn't stored long-term in a secure manner.


The only secure way is a one way hash and even that isn't 100%. If they can read it then it isn't secure. Do you think your bank teller can see your ATM pin?


----------



## xzi (Sep 18, 2007)

Hashing a password is irreversible, encrypting the storage it is on is not. The storage may very well be encrypted and hidden behind an authentication mechanism to prevent theft while still being available to authorized personnel.

I wouldn't worry too much about it.


----------



## Jeremy W (Jun 19, 2006)

I was floored a few years ago when I called Sirius support, and when the call was over, the agent said "By the way, your username is xxx and your password is yyy, you can manage your account online!"

I can't believe they're still doing this. Hashing a password is Security 101. There is simply no excuse for not doing it aside from sheer incompetence.


----------



## Jeremy W (Jun 19, 2006)

xzi said:


> The storage may very well be encrypted and hidden behind an authentication mechanism to prevent theft while still being available to authorized personnel.


It's displayed on their screen. All they need is a pen and paper, or even just a good memory, and whatever methods SiriusXM is using to "secure" this information have been defeated. I don't know how anyone with any background in computer security can even begin to defend this brain dead design.


----------



## runner861 (Mar 20, 2010)

Many people will use the same password everywhere. So even though it may not matter much if someone gets into your Sirius/XM account, it will matter a lot if someone uses that same password to get into your bank account. That can be a huge problem.


----------



## xzi (Sep 18, 2007)

Jeremy W said:


> It's displayed on their screen. All they need is a pen and paper, or even just a good memory, and whatever methods SiriusXM is using to "secure" this information have been defeated. I don't know how anyone with any background in computer security can even begin to defend this brain dead design.


Right, but hashing a password is irreversible--meaning they cannot use it to "share" with say the SIRIUS login system if you were an XM subscriber back to 2004 so they may have a reason for not hashing it.

It doesn't mean it's not encrypted though, which is a whole different animal. If the CSR's systems have the private key, they can "see" the password; that doesn't mean it's stored insecurely. It's the basis for all bank transactions in a browser (TLS/SSL for example).

The IT folks at companies know more than you wish they did, that's just the way it goes. As long as they don't share it outside of their own systems and approved partnerships, they probably are not violating their privacy policy either which is what the OP implied.

I agree it's not a great idea and insecure--but it doesn't mean it doesn't happen and it doesn't mean they are doing anything "wrong" either.


----------



## xzi (Sep 18, 2007)

Hell, think about it: any website that can email you your password after answering your security questions is clearly not hashing it. Hopefully they are encrypting it though in case of database theft. Ask SONY if they had encrypted credit card numbers on the Playstation Network.


----------



## Jeremy W (Jun 19, 2006)

xzi said:


> Right, but hashing a password is irreversible--meaning they cannot use it to "share" with say the SIRIUS login system if you were an XM subscriber back to 2004 so they may have a reason for not hashing it.


Do you have any sort of programming and/or security background? Or are you just computer savvy, and assume that you know what you're talking about because of that? You are making some absurd statements.


----------



## Jeremy W (Jun 19, 2006)

xzi said:


> Ask SONY if they had encrypted credit card numbers on the Playstation Network.


What does that have to do with anything? Hashing is meant for passwords, and that's it. You can't hash a credit card number.

I deal with much more sensitive information than satellite radio account passwords on a daily basis, so I am *very* well-versed on technical security measures. You're not going to win this argument.


----------



## RasputinAXP (Jan 23, 2008)

Jeremy W said:


> Do you have any sort of programming and/or security background? Or are you just computer savvy, and assume that you know what you're talking about because of that? You are making some absurd statements.


Gotta agree with that. In my line of work I hash and unhash passwords all the time.


----------



## Jeremy W (Jun 19, 2006)

RasputinAXP said:


> Gotta agree with that. In my line of work I hash and unhash passwords all the time.


You can't unhash a hashed password, that's the point.


----------



## xzi (Sep 18, 2007)

Encrypting and hashing are NOT THE SAME THING. "Unhashing" is hacking, whereas decrypting is a process.

That was my point. You don't have to hash something to make it secure. Encryption is different and can be reversed by an authorized user (the CSR) after they have authenticated, while still adhering to any privacy and security policies. This means they would be able to "see" your password if this is what they choose to do with it. No reason you can't do that with a credit card either, but just because a CSR can see your password doesn't mean it isn't securely stored and protected from unauthorized use. It certainly doesn't mean they are sharing it with third parties, which is what a privacy policy is for--and has nothing to do with encryption or hashing at all, which makes all this VERY off topic from the OP.

It's simple--"hashing" (with or without a salt) is used to COMPARE an input with a stored version of a password for authentication (a login typically).

Encryption uses a key that authorized users can use to decrypt the contents BACK to its original state, for security from unauthorized users (people who don't have the key).

And yes, I am a Sr. Systems Architect so I know what I'm talking about. Nothing absurd about what I'm saying I promise you.
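
The hash-versus-encrypt distinction xzi draws above, as an added example that is not code from any poster or from SiriusXM: a salted one-way PBKDF2 record can only be verified against a guess, while a key-wrapped record can be handed back to whoever holds the server key, which is exactly what the CSRs in this thread could do. The function names, the choice of PBKDF2-HMAC-SHA256 and the toy HMAC-keystream cipher (standing in for a real AEAD such as AES-GCM) are my assumptions for illustration.

```python
import hashlib
import hmac
import os
from typing import Optional

PBKDF2_ITERATIONS = 600_000  # work factor for PBKDF2-HMAC-SHA256 (OWASP-level)


def hash_password(password: str, salt: Optional[bytes] = None) -> dict:
    """One-way storage: keep only a per-user salt and the derived digest; the
    password is discarded, so a CSR screen or a stolen dump has nothing to read back."""
    salt = os.urandom(16) if salt is None else salt
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERATIONS)
    return {"kind": "hash", "salt": salt, "digest": digest}

def verify_password(record: dict, candidate: str) -> bool:
    """Login re-derives the digest from the candidate and compares in constant time."""
    derived = hashlib.pbkdf2_hmac("sha256", candidate.encode(), record["salt"], PBKDF2_ITERATIONS)
    return hmac.compare_digest(derived, record["digest"])

def _keystream(key: bytes, nonce: bytes) -> bytes:
    # Toy stream cipher (HMAC-SHA256 keystream XOR) standing in for AES-GCM, which the
    # stdlib lacks; the property being shown is reversibility, not cipher strength.
    return hmac.new(key, nonce, "sha256").digest()

def encrypt_password(password: str, key: bytes) -> dict:
    """Reversible storage: a server-held key wraps the password, so any component
    holding `key` (CSR tooling included) can display the plaintext again."""
    data = password.encode()
    nonce = os.urandom(16)
    stream = _keystream(key, nonce)
    if len(data) > len(stream):
        raise ValueError("toy cipher handles at most 32 bytes")
    return {"kind": "encrypted", "nonce": nonce, "ct": bytes(a ^ b for a, b in zip(data, stream))}

def decrypt_password(record: dict, key: bytes) -> str:
    stream = _keystream(key, record["nonce"])
    return bytes(a ^ b for a, b in zip(record["ct"], stream)).decode()

def support_can_read_back(record: dict, key: Optional[bytes]) -> Optional[str]:
    """The thread's litmus test: if a support or 'email me my password' flow can hand
    the password back, storage is reversible. Returns it when recoverable, else None."""
    if record["kind"] == "encrypted" and key is not None:
        return decrypt_password(record, key)
    return None  # a hashed record can only be checked against a guess, never read

if __name__ == "__main__":
    pw, key = "correct horse battery", os.urandom(32)  # constructed sample, not a real credential
    hashed, wrapped = hash_password(pw), encrypt_password(pw, key)
    print(verify_password(hashed, pw), support_can_read_back(hashed, key))  # True None
    print(support_can_read_back(wrapped, key))  # correct horse battery
```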


----------



## xzi (Sep 18, 2007)

Jeremy W said:


> What does that have to do with anything? Hashing is meant for passwords, and that's it. You can't hash a credit card number.
> 
> I deal with much more sensitive information than satellite radio account passwords on a daily basis, so I am *very* well-versed on technical security measures. You're not going to win this argument.


I didn't say hashing of credit cards, I said encryption of credit cards. If you're going to hash a credit card, why save it? It's useless.


----------



## xzi (Sep 18, 2007)

Jeremy W said:


> Do you have any sort of programming and/or security background? Or are you just computer savvy, and assume that you know what you're talking about because of that? You are making some absurd statements.


My point was if SIRIUS decided to hash everyone's passwords, but then needed to "pass" it along to the XM system to login to their systems for any reason after the merger for example, maybe they decided it would be "easier" to just not hash them.

I was most CERTAINLY not implying that would be a good idea! But it doesn't mean it doesn't happen.


----------



## Jeremy W (Jun 19, 2006)

xzi said:


> My point was if SIRIUS decided to hash everyone's passwords, but then needed to "pass" it along to the XM system to login to their systems for any reason after the merger for example, maybe they decided it would be "easier" to just not hash them.
> 
> I was most CERTAINLY not implying that would be a good idea! But it doesn't mean it doesn't happen.


Sirius hasn't hashed passwords since well before the merger.


----------

