List: full-disclosure
Subject: [FD] CompTIA Security+ and its insecure support system
From: <user09990 () tuta ! io>
Date: 2016-09-30 17:02:20
Message-ID: KSw1yeM--3-0 () tuta ! io
I signed up for a CompTIA account with a fake name for privacy reasons. Later on, I wanted to
update my name in my CompTIA account because I was planning to take their Security+ certificate.
The problem is I cannot update my name directly from the profile menu; it told me to create a
support ticket (this is a good idea, I guess). However, the support guy asked me to upload a
copy of a legal ID (driver's license or passport) to the support ticket system.

The really bad thing is that CompTIA's support ticket system can be logged into using just an
"email address". If you know the email of someone who holds a CompTIA certificate, you can freely
access his/her support tickets at:
http://newsupport.comptia.org/ics/support/mylogin.asp

You can fill in anything in the 'first name' field. Only a valid email address is required to access
anybody's support ticket.

So I tried to explain to them that it is not a good security practice to ask me to upload my
passport to such an insecure system, but the support guy cannot do anything about it.

I think the Security+ certificate creators need to learn how to secure a system containing
sensitive information like copies of customers' passports with at least a pair of username
and password.

rgds,
CISSP wannabe
_______________________________________________
Sent through the Full Disclosure mailing list
https://nmap.org/mailman/listinfo/fulldisclosure
Web Archives & RSS: http://seclists.org/fulldisclosure/
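
The identifier-only login described in the message, next to the username-and-password check it asks for, as an added Python example that is not part of the original message or CompTIA's code. The ticket store, addresses, function names and iteration count are hypothetical.

```python
import hashlib
import hmac
import os

# Constructed sample data: the address and ticket text are invented.
TICKETS = {"alice@example.org": ["Name change request (ID scan attached)"]}
ITERATIONS = 200_000              # assumed work factor for this sketch
_DUMMY_SALT = os.urandom(16)      # used when the address is unknown


def weak_login(email, first_name):
    """Behaviour described in the message: first_name is never checked,
    so knowing the address is enough to read the tickets."""
    return TICKETS.get(email.lower())


def _derive(password, salt):
    # Salted, slow hash so a leaked credential table is costly to crack.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)


class Portal:
    """Hardened variant: tickets are released only after a secret is verified."""

    def __init__(self):
        self._creds = {}  # email -> (salt, derived key)

    def register(self, email, password):
        salt = os.urandom(16)
        self._creds[email.lower()] = (salt, _derive(password, salt))

    def login(self, email, password):
        record = self._creds.get(email.lower())
        # Unknown addresses still cost one derivation, so response time
        # does not reveal which addresses have accounts.
        salt, expected = record if record else (_DUMMY_SALT, b"\x00" * 32)
        supplied = _derive(password, salt)
        # Constant-time comparison avoids leaking how many bytes matched.
        if record is None or not hmac.compare_digest(supplied, expected):
            return None
        return TICKETS.get(email.lower(), [])
```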