Can dish network be hacked 2012




















She then moved to another computer and tried from there. She was unable to delete my account and told me that she would have to transfer me to the Fraud department. The supervisor came back and told me that she did not need to transfer me to the fraud department because she was able to get them to delete my online account for me. I confirmed with her that my account was deleted and she said yes. I tested my theory again. I refreshed my browser and I could still see my content.

I hung up the Samsung phone that was still on hold for the supervisor and opened the Dish Anywhere app. It still connected. She had me log out of the browser and delete my cookies.

After doing so, I could not log onto the OnlineID. So I told her that is great that after deleting my cookies I can confirm that my OnlineID is deleted but before I deleted my cookies, I could still log in. That means the hacker only has to not delete his cookies and he could still access my content. She then said it sometimes takes up to 24 hours for the account to fully delete.

She then told me that she wanted me to create a new OnlineID since my old one was deleted. She assured me that only one OnlineID can exist per customer account, so if it let me create a new one it was proof that the old account deletion was working. I was able to create a new OnlineID and log in. I was still concerned that my phone was still able to access my content with the old old old OnlineID and password from a year ago. The OnlineID and password had been changed twice, and now my online account had been deleted and my device still had access to my content.

She assured me the account was deleted but that it takes 24 hours. I agreed to try again 24 hours from the time of this call. I called back the same number. This time I was routed straight to the Fraud department. I spoke to the Fraud rep and recapped the whole transcript of what has transpired. He told me that he had never heard of anyone being hacked at Dish Network. He highly doubted that I was hacked. He said he gets calls from people all the time that THINK they've been hacked and that their financial information has been compromised.

He assured me that my financial data was encrypted on the back end and even access to my online account would not compromise my financial information. I told him that I was comforted to hear that, but that if he had my password to my Dish account, he didn't need my financial info, he could add content, order Pay Per View or anything he wanted because my financial info is already loaded into your system.

Plus I wasn't even broaching the subject of financial security; right now I was just concerned that someone was logged into my account and preventing me from accessing the content that I'm paying for, and you seem to have no means to kick him out.

This rep was no help and, instead of recognizing their system has a security problem and no functionality to protect me from a cyber threat, tried to question me about how I suspected a hacker got my info and why a hacker would go through all that work to get access to my content, asking why I was so important that he would want to go through all that to get to my content. Plus he could sell the information online for many of your customers and make money off it. That makes it VERY worth his time.

He had no response to that and at this point I asked to be transferred to HIS supervisor. The Fraud department supervisor came on and I again relayed all the information about my situation. I was getting hoarse at this point from having to re-explain over and over again. He again assured me that deleting my OnlineID would sever all connectivity to my content.

He told me that it takes 24 hours. I said it had been 24 hours since YOUR department had deleted my online account and it was still working. He said he believed we should not have created a new OnlineID until after the 24-hour period was over to ensure it was purged. I had him delete my OnlineID again. He also had me unplug my Hopper for 20 seconds, saying that it would erase the memory my Hopper had of its connection to my account.

I did so. This time I logged out of the browser, deleted my cookies, and tried to log back in. I told him that this was a good sign that it might be working.

Even though I could not log into my OnlineID, however, my phone could still access my content. I informed the supervisor of this and we discussed for a while. He still seemed to think I had to wait until the 24-hour period. I told the reps, techs, and supervisors several times I believed the way their system worked was that the Authorized devices and information pertaining to my account were linked to my Account Number on file with Dish that was created when I subscribed to Dish, not the OnlineID that was created later to access the Streaming content, and that this was proof in that we keep deleting the Online account and all the Devices still show on my account.

I told them deleting my OnlineID is not removing the Authorized Devices from my account, and thus not preventing those devices from connecting to my account. He kept telling me to wait 24 hours. I then noticed my phone could not access the content. I thought it was fixed. But I also get bad WiFi connectivity sometimes in my house because of my neighbors' routers, so I figured I would try again later to confirm. I told him that I would wait 24 hours and try again.

I asked, if that didn't work, could I have my whole Dish Network account cancelled and reinstated with a new Account Number. I figured if all the information about my account was stored in a database entry tied to my account number, cancelling that account and creating a new one would be SURE to sever all connectivity because now that whole account doesn't exist, not just deleting the OnlineID, which is just a method of logging on to access my account info.

I agreed. He told me that he had never heard of this issue happening before. He said he was going to report it to his superiors. I told him that if he was drafting a report to his superiors about my findings I requested he include the following:

a) One of your sites is vulnerable to the SSLv3 POODLE attack and needs to be reported to your Cyber Security Division to protect your customers. Most customers do not know how to disable SSLv3 in their browsers and it is Dish's responsibility to disable this proactively to protect their customers from Cyber attack.

This should be a simple code fix to add a button to deauthorize the device and do a simple delete of the object in the database of this device.

d) I was told repeatedly, when asked to change my password, to use a "secure" password.

The maximum length requirement on the password field for the MyDish account is 12 characters, which is already not very secure. They also don't allow the use of special characters, which makes it even less secure and easier to crack. The OnlineID field, however, has a character max limit with a small number of special characters allowed. It makes no sense to allow a very complex username, when the username is usually sent clear text and is also visible to the Dish employees, and require a simple password.

This is not secure, and allows a hacker to simply log into my account once with the password they easily gleaned from the POODLE attack then continue to access my content no matter what changes I make on my account. A simple change to generate new session cookies each connection or require some other type of authentication in the app and browser is needed to combat this vulnerability.
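The two fixes requested above (kill existing sessions when credentials change, and a per-device deauthorize action), as an added example that is not part of the original post and is not Dish's code. It is a constructed in-memory model in which every token records the account's credential epoch; the class, method and account names are hypothetical.

```python
import secrets

class AccountStore:
    """Constructed model: sessions and paired devices hang off the account number."""

    def __init__(self):
        self.accounts = {}   # account_no -> {"epoch": int, "devices": set()}
        self.sessions = {}   # token -> (account_no, device_id, epoch at issue)

    def login(self, account_no, device_id):
        acct = self.accounts.setdefault(account_no, {"epoch": 0, "devices": set()})
        acct["devices"].add(device_id)
        token = secrets.token_urlsafe(32)
        self.sessions[token] = (account_no, device_id, acct["epoch"])
        return token

    def is_valid_weak(self, token):
        # Behaviour described in the post: an issued cookie keeps working.
        return token in self.sessions

    def is_valid(self, token):
        # Hardened check: current epoch AND device still authorized.
        entry = self.sessions.get(token)
        if entry is None:
            return False
        account_no, device_id, epoch = entry
        acct = self.accounts.get(account_no)
        return (acct is not None and epoch == acct["epoch"]
                and device_id in acct["devices"])

    def credentials_changed(self, account_no):
        # Call on password change, OnlineID change or OnlineID deletion.
        acct = self.accounts[account_no]
        acct["epoch"] += 1          # every older token is now stale
        acct["devices"].clear()     # devices must pair again

    def deauthorize_device(self, account_no, device_id):
        # The per-device "deauthorize" button the post asks for.
        self.accounts[account_no]["devices"].discard(device_id)

def demo():
    # Constructed scenario: owner's phone plus one unrecognized device.
    store = AccountStore()
    old_phone = store.login("ACCT-EXAMPLE", "phone-1")
    intruder = store.login("ACCT-EXAMPLE", "unknown-device")
    store.deauthorize_device("ACCT-EXAMPLE", "unknown-device")
    after_deauth = store.is_valid(intruder)
    store.credentials_changed("ACCT-EXAMPLE")
    return after_deauth, store.is_valid(old_phone), store.is_valid_weak(old_phone)
```

With the weak check the year-old token on the phone is still accepted after the credential change; with the epoch check it is rejected until the device logs in again.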

At each step of the way as I listed the above suggestions that I wanted reported to his superiors, he kept arguing with me and disputing the facts of my suggestions. I told him that he might have a lot of knowledge about Fraud because he works in Fraud, but I have a lot of knowledge in IT because I work in IT as a System Administrator protecting servers from threats like this.

I told him we could debate and argue all night about my suggestions, but instead I would rather you just forward them on for me. He agreed, but told me that in all honesty I was "Only one voice" in his words and that suggestions come from customers all the time and they may not do anything about it. He said he's sure they'll test my theories and investigate to see if these vulnerabilities exist but that he couldn't guarantee they would do anything about it because they have to also make sure their service is "easy to use".

I said I understand your application has to be easy to use for the general public, but more importantly it needs to be safe and protect their private information. I also urged him and their IT department and developers to test my theory out.

I said it wouldn't be hard for them to connect to a dummy account with a mobile device, then delete the OnlineID and see that the content is still accessible. Plus, the developers that write the app have to know how it works and can look at the code and see that I'm right. He took my notes and told me to call Dish back on Monday if it still wasn't fixed to have my account deleted and recreated.

Later that night I tried the Dish app on my phone again and it was working after a reboot of the Hopper and my WiFi router. I left my OnlineID deleted all weekend long periodically accessing the phone app on my phone to see if I could access my content without even having an Online Account. I didn't have myself routed to the Fraud Department because I wanted instead to go to some other Cancellation or Account Services department to have my account cancelled and reinstated.

They sent me to another department; sorry, I don't remember what that department was called. It was similar to Cancellations.

It was like the Loyalty department or something. They had me troubleshoot again. I told them that I did not have an OnlineID anymore; it was deleted 3 days ago. I proved this by attempting to log in with every OnlineID and password I had created, including the old original one from before all this happened.

None of them let me log on to the Dish Anywhere website. I then opened the Dish app on my phone and played a show for her from my DVR on the phone and turned the volume up loud so she could hear I was watching a show on my phone. I informed her the OnlineID and password loaded into this phone was the one from 1 year ago and has never been updated and that I no longer had an OnlineID. She then told me she believed the hacker had access to my email account and that when I recreated my new OnlineID last time, since I used the same email address, that is why it still works.

She said that all the hacker has to do is go to the site, and do a Forgot Your Password and it would let them log into my account if I changed it.

I said that doesn't make any sense because a) my device with the old information can still log in. If the hacker had changed the info on the account my phone shouldn't connect. If the hacker had created a new OnlineID, my phone still wouldn't work because the info wouldn't be accurate.

She agreed this was true. I said then if the hacker did have access to my email and created a new account after I deleted it then it shouldn't let me create a new OnlineID, right? It would say there is already one in use on this account. She agreed. I went to create a new OnlineID; she told me to assign a different email address for the account. I did one better. I went to Gmail and created a brand new email account.

I then created a new OnlineID on my account using the newly created Gmail address. It let me create it, and I still had access on my phone to my content. All my data was stored under my Account Number on their back end. She told me "No, it's tied to the email address," even though I just proved her wrong. I told them I was done troubleshooting the issue because I didn't believe they had a way to FIX the issue, and that I wanted simply to cancel with no penalties for early cancellation of my contract and have it reinstated as a new account.

I simply wanted my Account Number changed and that I wasn't trying to pull something over on them. They told me that they could not do that. I said, "You're telling me that you cannot delete and recreate my account?" I said and then recreate it?

This is safe and legal for all decoder users.

Jacob is a home remodeling guru having worked over 15 years in construction in Reno, NV, mainly focused on home renovations.

He likes taking ideas from his clients and making them a reality.

Jacob Lindsey May 8,

Download the Dtb firmware on your mobile device like cell phone, tablet, or personal computer.

The firmware will most likely be in a zipped folder. Unzip it by double-clicking on it. Copy the firmware onto a memory card (SD) or a flash disk. Turn on your decoder, then go to settings and select the option to upgrade from USB. A screen will come up, uploading all the necessary data; allow this process to go all the way through. Do not switch off your decoder. When the process is done, your decoder will restart and scan for the new channels.

Once the scan is done, you will get all the channels, and they will work perfectly if you have a good signal. There will be no scrambled channels. Four packages are offered at different prices as follows; 1.

Dish Network Apps

You could want to watch a channel on your TV, but you are traveling, or someone else is using it at the time. Go to the menu and click on the settings button.

In the next window, click on the internet button to see the network on which your hopper is connected. After confirming the network is similar, launch the DISH anywhere app on your device.

Log into your account and select the on-screen pairing option.