Need help for argument with Comcast

JasGot

We have a customer that had Comcast VoIP phone service installed a couple of months ago.

Yesterday they received a bill that shows $600 in voice charges to Taiwan. When they called Comcast to ask what that was all about; Comcast told them Ext #XXX was hacked and they are responsible for the charges because they did not use a strong enough password for their SIP accounts.

Now, there isn't anyone at this office that even knows what SIP or VoIP stand for, and they do not know how the phones are even working with the big 'ol PBX gone from the back room.

So I think it's safe to say, these are lay people who have no idea about VoIP.

Comcast provided the phones, the VoiceEdge Router, and the service.

The people know how to answer calls, dial out, and listen to their Voicemail.

I can see how it is the end user's error that allowed someone access to a SIP account.

I am looking for $500,000 for a 5% stake in my company, Oh wait, that's Shark Tank!

I am looking for the right words, in the right order to tell comcast to shove it and eat the charges. And make them do it.

Thanks.

JaredBusch

@JasGot said in Need help for argument with Comcast:

Comcast provided the phones, the VoiceEdge Router, and the service.

Do you have access to change anything?

JaredBusch

@JasGot said in Need help for argument with Comcast:

So I think it's safe to say, these are lay people who have no idea about VoIP.

While true, and we all know that it is almost certainly not your customer's fault, this is completely irrelevant.

JaredBusch

@JasGot said in Need help for argument with Comcast:

Comcast VoIP

Which service? That will likely matter a lot.

https://business.comcast.com/learn/phone

Dashrender

Who set this up? I mean I can't imagine that the customer set this up - if Comcast set default passwords that were weak, I would say that's on them.

scottalanmiller

@JasGot said in Need help for argument with Comcast:

Yesterday they received a bill that shows $600 in voice charges to Taiwan. When they called Comcast to ask what that was all about; Comcast told them Ext #XXX was hacked and they are responsible for the charges because they did not use a strong enough password for their SIP accounts.

That's kind of how it works. Comcast makes money putting their customers at risk. They are a bad company with bad service and have no business offerings (their phones are a consumer service sold to businesses that don't look into things), I know of no situation where it would be okay to use at home or at work. The cost is astronomic and they make all IT side issues fall on the client, they don't provide support. So it is up to every Comcast user (home or business) to hire and IT department to manage the phones and phone processes and be aware of VoIP.

Sadly, the customer opted to be their own IT department when choosing Comcast and essentially accepted responsibility for these kinds of issues. This is why something like phones should never, ever be handled without IT overseeing it. Trying to bypass IT and get a "free pass" to not pay for that security and knowledge will always result in companies like Comcast taking advantage and hackers targeting them.

In a system like the one that you offer, there are four critical ways that they would have been protected:

1. Good passwords, not easy ones.
2. Firewall and Intrusion Detection mechanisms.
3. Abuse limiting on the phone account.
4. International calling off by default.

That's a LOT of things to have been skipped or to have gone wrong here for this to have happened in this day and age.

scottalanmiller

@JasGot said in Need help for argument with Comcast:

So I think it's safe to say, these are lay people who have no idea about VoIP.

But they opted to be their own IT. What they know or understand doesn't matter because they decided to be their own IT.

It's like going to the pharmacy and just taking medication then finding out it hurts you or doesn't do what you thought - if you don't know your ailment and medications you are supposed to talk to a doctor and a pharmacist. There's nothing wrong with not being your own doctor, and there's no expectation of you being one, but if you opt to take things into your own hands, that's your decision but you are accountable for that decision.

scottalanmiller

@JasGot said in Need help for argument with Comcast:

Comcast provided the phones, the VoiceEdge Router, and the service.

Right, but not the IT, security, consulting, oversight, or knowledge. None of the pieces that provide protection.

scottalanmiller

@JasGot said in Need help for argument with Comcast:

I am looking for the right words, in the right order to tell comcast to shove it and eat the charges. And make them do it.

There really aren't any. They can try, but this truly is 100% on the customer. Why did they choose such a costly, risky service if they weren't looking to take the responsibility that goes with it?

scottalanmiller

@JaredBusch said in Need help for argument with Comcast:

@JasGot said in Need help for argument with Comcast:

So I think it's safe to say, these are lay people who have no idea about VoIP.

While true, and we all know that it is almost certainly not your customer's fault, this is completely irrelevant.

Well, at some point, they opted to not hire someone to oversee this and/or to not learn about it themselves.

Unless they put some security in place that was bypassed, it certainly sounds like their fault. Did they request that International calling be turned off? Did they manage their passwords well?

Sure, Comcast could have done these things, but Comcast's whole selling point is that they are high cost and don't look after you at all. That's their service offering. If customers opt for that and there isn't any false claims, it really would be their fault.

scottalanmiller

@Dashrender said in Need help for argument with Comcast:

Who set this up? I mean I can't imagine that the customer set this up - if Comcast set default passwords that were weak, I would say that's on them.

Maybe. And one can hope. BUT, any system with passwords it is up to the end IT department to not accept default passwords. It's never the hardware vendor's job to do that. Comcast doesn't do the end point support, that's past their demarc. So unless Comcast doesn't allow them to set passwords, then it's not Comcast's job to secure the passwords because that's not on their portion of the support.

We deal with Comcast every day. Customers choose them primarily because they think that they'll get some magic deal without having to learn anything, pay anyone for advice, and without shopping around and doing their due diligence. None of those things are things that make it Comcast's fault. Is Comcast's service bad? Yeah, it's the worst. The absolute worsts. High cost, no support, no features, not even a business class product. Just consumer lines sold to businesses. It's a bare bones service that isn't good for anyone. But customers flock to it. So really, Comcast is delivering the service that their customers demand. They are voting with their wallets. Why? No idea, but they do.

So unless Comcast has somehow not provided what they said that they would do, and I've never had them claim that they provided security, support, IT, etc. to date, then no, it's not Comcast's problem.

JasGot

@JaredBusch said in Need help for argument with Comcast:

o you have access to change anything?

Only their VM password.

JasGot

@JaredBusch said in Need help for argument with Comcast:

While true, and we all know that it is almost certainly not your customer's fault, this is completely irrelevant.

It's not irrelevant from the stand point I said this so you would understand they have no knowledge. That statement was for your benefit in this discussion.

scottalanmiller

@JasGot said in Need help for argument with Comcast:

@JaredBusch said in Need help for argument with Comcast:

o you have access to change anything?

Only their VM password.

If you can't change the extension passwords, then everything changes. If Comcast demands that the customer handle IT and truly doesn't allow them to, then you are all set.

Then the conversation goes like this "I'm sorry Comcast, but you and only you control the IP, firewall, IDS, passwords, and other security mechanisms. Your allowance of third parties to use my phone system without my consent is a violation of my contract and of the law and now only can you not charge me for this, but we need to immediately discuss my compensation for your security breach of the system I paid you to provide."

scottalanmiller

@JasGot said in Need help for argument with Comcast:

@JaredBusch said in Need help for argument with Comcast:

While true, and we all know that it is almost certainly not your customer's fault, this is completely irrelevant.

It's not irrelevant from the stand point I said this so you would understand they have no knowledge. That statement was for your benefit in this discussion.

Yes, definitely we'd expect no end user to have knowledge of these things. But the only piece that really would matter is if they understand passwords. And, of course, if they were given the ability to change/set those passwords.

JasGot

@JaredBusch said in Need help for argument with Comcast:

Which service? That will likely matter a lot.

I'm not sure. I won;t see the bill until morning. Most likely it is: Comcast Business VoiceEdge. An I see the "Self Managed" part

JasGot

@Dashrender said in Need help for argument with Comcast:

Who set this up? I mean I can't imagine that the customer set this up - if Comcast set default passwords that were weak, I would say that's on them.

Comcast did everything from porting, to providing the hardware, to installing the service and the hardware and providing training.

JasGot

@scottalanmiller said in Need help for argument with Comcast:

But they opted to be their own IT. What they know or understand doesn't matter because they decided to be their own IT.

I would have to side with the customer here. Their expectations were that since Comcast was the provider for each and every aspect of the phone system, with a three year contract that includes support; that the IT side of it was Comcast's job.

I'm not saying they weren't mislead, I'm saying, based on their expectations from the rep, this should be Comcast's problem.

scottalanmiller

@JasGot said in Need help for argument with Comcast:

@Dashrender said in Need help for argument with Comcast:

Who set this up? I mean I can't imagine that the customer set this up - if Comcast set default passwords that were weak, I would say that's on them.

Comcast did everything from porting, to providing the hardware, to installing the service and the hardware and providing training.

Well they have to do the porting, there's no way around that for them

What kind of training? End user training, or IT training, though?

JasGot

@scottalanmiller said in Need help for argument with Comcast:

Right, but not the IT, security, consulting, oversight, or knowledge. None of the pieces that provide protection

I would say this is not what Comcast led them to believe.