Sympatico Account Privacy Update
May 20 1999

On April 20 1999 we posted a security alert concerning your privacy as a user of Sympatico services. We will leave the text of the alert below should you wish to read it. Sympatico had initiated an online method of retreiving your account usage, trouble was everyone else could read your account usage quite easily as Sympatico required only your account id number and not your password.

We, at LaurentianWeb brought this to Bell's attention. It took ten days but Bell pulled the online retrieval and has now replaced it with the previous method of mailing an account usage statement to you after you provide your id and password. This corrects the privacy issue but from a user point of view online access is convenient and we hope they will go back to an online system. All that is required is that they request a password in addition to the id number in their cgi routine.

Hopefully they will get around to it!

We have been informed this afternoon (Friday, April 30) that Sympatico has pulled the page described below to correct this security leak.

In a conversation with a Christian Brum of Sympatico he informed us that they implemented this to make it "customer friendly". I'm not really sure of Mr. Brum's official capacity but it was pretty clear this one flew right over their heads. I suggested they use the password and not user id to correct the problem as passwords are not disclosed anywhere. In addition Mr. Brum assured me that they were going to go through training the staff to respond to security inquiries. Let's see if they post anything to their customers about this!

Morover he thought the suggestion of a simple note on the credit card form for online registration about entering card numbers without spaces was a good idea. Yes it is...surprising it took 2 months to get someone to sit up and take notice!

Warning! If you are a Sympatico customer you should be aware that there is a security loophole through which anyone can access your account usage statement.

Up until about a couple of weeks ago if you checked your account usage you provided your userid and your email address and the account usage statement was emailed to your address. No one could really re-direct that email and read it.

Recently the system has been modified where this information is displayed to you online. In fact, the system goes into a secure socket which gives you the impression that it is secure.

It isn't. In fact anyone can access and map your account use easily. All they need is your user id and your email address at Sympatico. Most people using Netscape communicator or Microsoft Outlook express read their email and may not even be aware that the complete routing information of the message is available. If while reading your message you click on File in the toolbar and then on Properties, you will bring up the details of the message. If you click on the details flyout you can read the origin and routing of the message. All Sympatico messages will show the user id before the message as well as the email address of the individual at Sympatico.

This user id along with the email address can then be used to check the individual's account activity on his/her Sympatico account.

While you might not think this information is important to keep private, anyone could determine your pattern of internet usage with this information over a period of time. You are essentially leaving a trail of each connect to the net for anyone to see. This information could be used by someone to map your daily routine. In a sense it is like a stranger can read your habits. Are you a heavy surfer or just an emailer? (long connects/short connects) Do you suffer from insomnia? ( 3am logins) Do your kids play a lot of games? ( 4pm logins 'till supper).

So you should be aware until Bell modifies it's system to remove this loophole that people you have sent messages to can access your account usage statement. Moreover if you have posted messages to newsgroups, anyone can get your user id.

Trying to get it resolved.

I discovered this loophole this morning April 27 when I logged on to have a statement mailed to me as I had done in the past. I placed a call to Sympatico at 9:45am. I was put on hold. I then called Bell Advantage (1-800-785-6547) which is the "business" side of the internet connectivity of Bell. The representative in Ottawa could not direct me to anyone who could "deal with" a security issue. He was a cretin! He didn't even ask for my name or offer to have someone call me. Since it was a Sympatico issue he couldn't have cared less.

This really goes to show how well employees are trained today! All Bell employees dealing with the internet should have a number to call for ANY SECURITY ISSUE.

I then called Bell in Montreal. I asked for Bell Emergis which is the new division that handles internet products and services in an attempt to contact a responsible party. The operator at 1-800-361-0759 had no idea who or what Bell Emergis is. I then asked for Mr. Jean Monty's secretary (Mr. Monty is the top telephone at Bell). This line was answered by voicemail indicating that Sharon Quinn was out on "emergency services" (read replacing operators or otherwise) and I left a message at 10:03am for her to call me.

Not one to give up I called Sympatico again at 310-7873 and managed to get through to a customer service agent who identified herself as Natalie. I asked her if there was someone she could refer me to in security. She didn't know. However upon my insistence she put a Mr. Serge Roberge on the line. He is a supervisor in the call center. He didn't have a number for anyone either. He took my name and number at 10:13 and said he would try and find someone and have them call me.

Interesting.... This really goes to show that if there were indeed a very SERIOUS security breach, none of the employees of Bell know how to deal with it.

Mr. Monty should start earning some of that salary of his as he has 500,000 Sympatico customers across Canada today who can all have their account use statements read by anyone curious.

Fortunately Sympatico requires you to provide your password as well as your user id to access and change your credit card and billing information. Otherwise I suppose I'd be really REALLY steamed!

Bell Emergis isn't all that its cracked up to be. It's attention to detail is lousy. The online registration process has a problem with the credit card numbers as I have previously pointed out.

I'm still waiting for the call at 12:00pm. April 27 1999.

As I have said to everyone who uses the internet either for surfing or email - assume that nothing is private on the net unless you know yourself about network security and how it is set-up.

Back to LaurentianWeb