ISP wants my wifi password?!?

[Achlucious]

Hello! Long time watcher of the show, first time forum poster.

 

 

I'm just wondering if anyone has ran into something like this with their ISP before. I live in the middle of nowhere so my options are limited. I have the "unlimited" account plan. My account was recently flagged for unusual activity because of how much data I had used, which auto-generated a ticket on my account (screenshots included). I was on vacation the previous month and had the house to myself. It was a stay-cation so I streamed and had downloads going pretty much all day, every day, trying to catch up on some games while I was off. I received notification that my account was flagged on Feb. 4th and that I needed to call to complete a security assessment due to the "unusual activity". I called the following morning and spoke to one of their 'security compliance team' members.

 

 

The questions for the most part were par for the course: How many devices do you have connected to your network? Do you share your password? What model is your router? Do you use your network for online banking? Do you know what may have caused this increased data usage? Which I did explain was because I Was on vacation. Towards the middle of the call I was asked if I have a password set up on my wireless network to which I answered yes. The next question was, 'What is your password?'. To which I replied, 'I will not be giving out any passwords.'.

 

At first I thought maybe they were just testing me to see if I would actually give out my password. As the conversation continued however, things started to get more ridiculous unrolled something like the following:

 

Them: "What are some of the regular things you use your internet for?"
Me: "Normal web browsing, streaming youtube, gaming, downloading video games..."
Them (half interrupting me): "Downloading large files?'
Me: "Video games are large files..."

 

 

And then we came to the most interesting part at the end of the exchange:

 

Them: "Ok, that's all the questions I have. In order to complete the security assessment and close the case we need you to change your wifi password and take a screenshot of the old password and new password and attach them to the ticket for our records."
Me (half flabbergasted): "As I stated previously, I will not be giving out any of my passwords."
Them: "Sir we require this to complete our assessment to close the case."
Me: *reiterates that I will not be giving out any passwords*
Them: "The screenshots are just for our records and are completely confidential."
Me: "Any password that has been shared with anyone has lost any and all confidentiallity associated with it just by that very act and I will NOT be giving out any passwords."
Them: "Ok, I will get this ticket updated and forward it up to the chain and go from there."

 

 

Directly after the call they updated the ticket and had the gall to state that I was the one that did not see the importance of maintaining a secured network to protect my personal and family's sensitive information. I'll let my screenshots and replies there speak for themselves. That was nearly TWO WEEKS ago. They just today finally updated the ticket, again stating that the assessment requires pictures of my current and new password. This time I just made up something bogus to appease them.

 

To top it all off, their site states .png is a valid format but I could not get the uploads to work when my screenshots were .pngs's. I had to convert them to .jpg before their ticketing system would accept them. Luckily I am tech savvy and know how to do this. So would they have terminated my service if I had not supplied them because I could not figure out how to make their system work had I not been?

 

 

The whole exchange leaves a bad taste in my mouth and wanting to find a new carrier, in a rural area where I've already tried or had pretty much all that is available.

 

 

 

 

 

[Gokul_P]

Isnt it scam  to call a plan unlimited and flag you if you use too much. 

[Achlucious]

1 minute ago, Gokul_P said:

Isnt it scam  to call a plan unlimited and flag you if you use too much. 

Every 'unlimited' plan I have had has been this way. They are 'unlimited' with fine print stating either 'your speeds will be slowed once you surpass x GB/MB in x time period' or 'account subject to termination if we deem you are abusing data use'. My previous ISP actually did terminate my account without warning because they deemed I was abusing data use. (without warning in the sense that I was not given a strike or warning that my use was too high, I just received an email one day stating my account was being terminated and I had until X when my service would be cut off and until X date to mail my equipment back).

[Bitter]

Old password "your service sucks"

New password "eat shit"

[Achlucious]

Just now, Bitter said:

Old password "your service sucks"

New password "eat shit"

I can't say I didn't think about doing that.

[TetraSky]

That... Is certainly ridiculous. Huge security issue for sure.

Not only is there no reason to change the wifi password just because you consume a lot of data during your time off, but asking for the NEW password as well? Come on! It's as if they got a bunch of boomers who know nothing about cyber security who made these dumb rules.

[Donut417]

 

 

17 minutes ago, Achlucious said:

he whole exchange leaves a bad taste in my mouth and wanting to find a new carrier, in a rural area where I've already tried or had pretty much all that is available.

After researching this ISP. They are an MVNO. Meaning they are leasing network from one of the major cell carriers. According to the communication they are using AT&T. Last I seen AT&T doesnt offer "Home Internet" like T Mobile and Verizon, so that could be the reason. Looking at the plans it looks like they offer 40 Gigs of High Speed data. So Id expect they dont expect lots of data usage. How much data did you use? 

 

T Mobile and Verizon both offer home internet via their cellular networks. Im not sure about Verizon but T Mobile basically has its home internet on the lowest priority on their network, meaning phone subs, MVNO's and such have higher priority data wise on the network. BUT the service is be advertised as home Internet and they intend to compete with wired broadband providers where they can. So higher data usage shouldn't be an issue. 

 

17 minutes ago, Gokul_P said:

snt it scam  to call a plan unlimited and flag you if you use too much. 

You ever heard of an acceptable usage policy? If you are impacting other customers ability to use the network then you are the problem. Even Comcast who charges $25 to $30 a month for unlimited data has its limits. While they dont give a number, I've heard its around 10 TB if the local network is being impacted. With cellular networks they have less ability to handle heavy users. Which is why they clear state in the plans they offer 40 Gigs of high speed data. Plus as stated in the communication they are using AT&T's network and are required to follow AT&T's policies. 

[Poinkachu]

15 minutes ago, Achlucious said:

I can't say I didn't think about doing that.

Sooo did you go to their office and asks about this behavior ? In case it's just a single employee being stupid / planning to be bad actor.

Because it sounds stupid that you have to give wifi password in order to complete security assessment, even if it's just old password.

Or atleast do it by phone with someone higher up the chain or something.

 

Some people still uses same password for various things. If the case is like so, giving the old password may as well mean giving password for other services that person uses.

 

And the same peoples are usually not aware enough that they don't make up something for the old & new password. Nor the risk that may entail by giving old password that are used for some other services as well..

[Spotty]

"Dear Customer [...] Thanking you for being our valued customer"

Not valued enough to bother writing your name, it seems. I'd be pretty suspicious of any "Dear Customer" emails being scams/phishing.

 

 

There may be legitimate reasons an ISP would contact you for this. If you normally download 50GB per month then suddenly download 5TB in a month that might get flagged. Imagine the scenario where you weren't the one using the extra data and unbeknownst to you somebody else had access to your wifi and was using your network; you would want the ISP to inform you and have you secure your network.

I'm guessing the idea behind having you show that you've changed your password is that they can be confident that you actually changed your password (and if you try to later claim you weren't the one using the data they can dismiss it). I'm sure their concern is they'll tell people they need to change their password and people just simply won't do it and lie and say they did it. Regardless it's pretty stupid they would make you show them the password to prove that you changed it though, and you were right to object to showing it.

 

13 minutes ago, Gokul_P said:

Isnt it scam  to call a plan unlimited and flag you if you use too much. 

Even if it's unlimited that doesn't mean you can share your wifi with your neighbours or resell the service. Assuming this is a residential plan there will also be restrictions on using it for business or providing server hosting and so on. There's always limitations with "unlimited" internet plans.

[Achlucious]

3 minutes ago, Poinkachu said:

Sooo did you go to their office and asks about this behavior ? In case it's just a single employee being stupid / wanting to be bad actor.

Because it sounds stupid that you have to give wifi password in order to complete security assessment, even if it's just old password.

Some people still uses same password for various things, and giving the old password may as well mean giving password for other services.

 

 

The service does not have a true 'home office'. Just a web front for ordering the equipment and services. That being said, I censored the customer service names but failed to mention that those replies are actually from two different customer service reps. The initial ticket memo and the most recent are the same rep, the first reply is a different rep, and the one I talked to on the phone.

[Poinkachu]

8 minutes ago, Achlucious said:

The service does not have a true 'home office'. Just a web front for ordering the equipment and services. That being said, I censored the customer service names but failed to mention that those replies are actually from two different customer service reps. The initial ticket memo and the most recent are the same rep, the first reply is a different rep, and the one I talked to on the phone.

I see.

 

Me personally, I'd probably file a complaint or something regarding this. Stating the reason of why I'm calling it a stupid SOP.

While hoping that it's just their "assessment" officers being stupid, and not the whole company being a jerk.

[Somerandomtechyboi]

How about  taking a pic of your old password, the "new" password and then immedeatly after that changing the password again? They wont know your actual password aside from the previous passwords you took a picture of

[Poinkachu]

4 minutes ago, Somerandomtechyboi said:

How about  taking a pic of your old password, the "new" password and then immedeatly after that changing the password again? They wont know your actual password aside from the previous passwords you took a picture of

Yea what he did was just giving them fake old & new password.

 

I'm more concerned about peoples who doesn't have the mind to do it this way.

Old non techy peoples especially, in which they use their password for various things. So an SS of the old password may as well be giving their netflix or whatever's password.

[sof006]

I'd have point blank just refused and then said i'd take matters higher if they threatened me with any further action

[kb5zue]

Easy Peasy.....

 

Old Password:   #oldpassword@1234

New Password:  #newpassword@5678

[aledsav1]

no ones asks for passwords so its just pathetic, its like your bank asking for your card pin number, only time that ever happens is when being scammed.

[Poinkachu]

Thinking VERY positively : It could be that they want to check whether the password is too simple or good enough.

 

But yeah, even basing on that, IMHO, asking for a screen capture of them is not the way to do it.

They can just give hints & idea, like "Changing some letters into numbers is a good idea" or "Make it a minimum X letters / number"

[Gokul_P]

21 minutes ago, Donut417 said:

You ever heard of an acceptable usage policy? If you are impacting other customers ability to use the network then you are the problem. Even Comcast who charges $25 to $30 a month for unlimited data has its limits. While they dont give a number, I've heard its around 10 TB if the local network is being impacted. With cellular networks they have less ability to handle heavy users. Which is why they clear state in the plans they offer 40 Gigs of high speed data. Plus as stated in the communication they are using AT&T's network and are required to follow AT&T's policies. 

 

18 minutes ago, Spotty said:

Even if it's unlimited that doesn't mean you can share your wifi with your neighbours or resell the service. Assuming this is a residential plan there will also be restrictions on using it for business or providing server hosting and so on. There's always limitations with "unlimited" internet plans.

At that point why they cant say 1TB is the Limit. And Knowing the limit users will only use what they have (Or they could buy extensions) . It is not even misleading Advertisement to call it that it is weird. If the data cap is >10TB (at that point 99% wouldn't reach it so it is Kinda unlimited). My ISP has a data cap (Advertised as it is) 6TB for 60Mb up/down The only thing from them "Unlimited" is the gigabit plan.  

[Donut417]

46 minutes ago, Gokul_P said:

t that point why they cant say 1TB is the Limit. And Knowing the limit users will only use what they have (Or they could buy extensions) . I

If you actually read the website they say 40 Gigs of high speed data. So they do set a limit at least for speed. You have to understand a AUP is not a data cap. The AUP is to protect the network from someone causing quality issues for other customers. The fact is some parts of the network might be more robust to handle larger amounts of data being used. Also ISP's look at what an average household uses and decides if the customer in question falls in line. Bear in mind we are talking about LTE/5G networks, they are not like Fiber and Coax based networks where heavy data usage is the norm. On top of that the OP's service is on the AT&T network who last I checked doesnt offer Cellular based home internet like T Mobile and Verizon, so its just a "hotspot", which is meant for more limited use. Where as T Mobile and Verizon home internet is designed for "HOME INTERNET". T Mobile for example has their home internet data set to the lowest priority across their network, meaning that all other traffic gets priority first, so others using the service wont be effected by someone downloading the internet each month and saturating the connection. 

[Achlucious]

21 minutes ago, Donut417 said:

If you actually read the website they say 40 Gigs of high speed data. So they do set a limit at least for speed. You have to understand a AUP is not a data cap. The AUP is to protect the network from someone causing quality issues for other customers. The fact is some parts of the network might be more robust to handle larger amounts of data being used. Also ISP's look at what an average household uses and decides if the customer in question falls in line. Bear in mind we are talking about LTE/5G networks, they are not like Fiber and Coax based networks where heavy data usage is the norm. On top of that the OP's service is on the AT&T network who last I checked doesnt offer Cellular based home internet like T Mobile and Verizon, so its just a "hotspot", which is meant for more limited use. Where as T Mobile and Verizon home internet is designed for "HOME INTERNET". T Mobile for example has their home internet data set to the lowest priority across their network, meaning that all other traffic gets priority first, so others using the service wont be effected by someone downloading the internet each month and saturating the connection. 

Actually it's an AX4 Netgear Nighthawk. AT&T does offer fixed wireless internet for rural households now.

[Donut417]

7 minutes ago, Achlucious said:

Actually it's an AX4 Netgear Nighthawk. AT&T does offer fixed wireless internet for rural households now.

Yeah with a 350 Gigs data cap. Which is the only plan listed. T Mobile and Verizon offer "Unlimited" with the asterisk that your data could and probably will be deprioritized but they dont charge you more. Also unlike AT&T the two others offer services in more than "Rural" areas. I live in Metro Detroit and I can get T Mobile home internet if I choose. Which is nice if Comcast decides to piss us off. 

 

Quote

W/qualifying AT&T wireless svc . Incl 350GB data/mo., overage chrgs apply.  Ltd. avail/areas in U.S. See offer details

 

 

You also dont have service with AT&T you have service from a company who leases network resources from AT&T. Which is why your ISP is bitching, because AT&T doesnt like your data usage. They are required to rein you in or have their costs hiked or their service interupted. 

[ApolloX75]

Oooh ISP story time!

 

We used to be with a cable internet provider in our area. Let's just say they are called the opposite of WestLink. For about 10 years or more we were on an unlimited 40U/40D plan started in 2002ish. And from about 2006-2012ish (they were called Persona during that time), maybe a little into 2013, we never tracked our monthly usage but it always jumped year to year of course as Steam gained momentum and more games became download intensive. All of a sudden we get a bill in the mail from CrapLink (Persona had been retired) stating we owe $1000 in data overages for one month, and it states our agreed upon cap is 40 GB. I think we were averaging 400-500GB per month for the two or three years previous, mostly since my brother had moved back home and was lounging in the house downloading anything and everything. 

 

That was an absolute fight and a half. We had just bought the house outright and now had a massive out-of-the-blue internet bill to tackle? We ate a lot of ramen after that to pay that shit off and we cut bEastLink off right quick, they told us we were notified several months before by mail which was bullshit, as I keep track of these things.... but anyways. We switched to Teksavvy DSL for a couple years, it was slow since our small town just had basic old lines, but they were unlimited and they're a damn good company to deal with. 

 

I think about December of 2016 or maybe 2017 Bell trucks were rolling through our sleepy little town like crazy. They laid a gigantic fiber network and we've been rocking 1GB/1GB unlimited ever since, and I think we average more than 2TB a month now with all the streaming and constant Steam updates. That's what happens when you pile four adults who hate going out into a house with fiber.

 

Moral of the story is... even if it's in your agreement ISPs can change or do whatever the hell they want, whenever they want as long as they can provide "proof" of a letter they "sent" you "notifying" you of the change, they don't even require proof that you received such letter. There's really no repercussions when you've got a limited choice for what really is an essential service in a rural area. It sucks, I know.

 

Plus here in Canada, any internet provider charges through the nose. Bell doesn't complain, but they also make a pretty penny from us. We are paying about the same per month that we paid for EastLink's shit service though, so that's something at least. And they keep bumping my speeds up.

[Erioch]

That would've just been a flat out "no" from me.  No way, no how.

[Mark Kaine]

This sounds like a scam. you never fact checked with your isp either ? 

[Needfuldoer]

7 hours ago, Poinkachu said:

In case it's just a single employee being stupid / planning to be bad actor.

They probably hit a step in their flowchart that tells them to recommend the customer change their passwords, but either misinterpreted it or it was poorly written, and they weren't allowed to go off-script or skip that step. Call centers are... interesting, and they're not going to get any better once AI language models and machine learning voice synthesis are sufficiently developed to take over that space. (Maybe someone will sneak a cheat code in somewhere...)

 

You did exactly what I would have done to work around that bug in the system; change to a burner password, then a new burner password, then to a new "real" password once the call is over.