Security consultant Paul Moore, who only last year did a good job of exposing a number of lax security standards at major UK broadband ISPs (here), has caused Virgin Media to retrain some of their outsourced workers after the agents gave fundamentally poor advice.
Moore, an active customer of Virgin’s, was contacted by the provider after it detected that his connection was vulnerable to the POODLE (Padding Oracle On Downgraded Legacy Encryption) exploit, which is a man-in-the-middle attack that can force your browser to downgrade its security to SSL (instead of the more secure TLS) and then hijack your browser sessions.
The vulnerability is more of a risk to those who use public WiFi than home networks, but it’s still a threat. In any case, VM’s agents informed Moore that his setup was vulnerable and recommended a £20 “premium technical support” (Gadget Rescue) service to get the issue fixed.
According to The Register, Moore then contacted Virgin’s outsourced (India) Gadget Rescue service on six occasions (each with a different agent), but not once were they able to explain what the problem was (somewhat of a basic requirement).
The agent(s) then tried, and repeatedly failed, to resolve the vulnerability by remotely installing Java, Adblock+, Silverlight, Flash and various other software onto Moore’s computer. At one point an agent even decided to disable his F-Secure anti-virus software.
A Virgin Media spokesman said:
“We strive to maintain high levels of customer satisfaction with our Gadget Rescue service and ensure that agents are able to handle all enquiries. In this case, we apologise that a Gadget Rescue agent did not meet our usual high standards. We have ensured that all agents are fully equipped to offer advice on the Poodle vulnerability.”
Virgin’s statement ignores that several different agents all demonstrated an inability to understand or fix the problem, although Moore has at least been promised a refund.
However, there are also other concerns with this approach, particularly in light of the recent TalkTalk situation where people claiming to be support agents for the ISP were able to trick customers into installing malware on their computers (here). Suffice to say that ISP customers are now a lot less trusting of such requests, no matter how official they might seem.