Wednesday, November 12, 2014

Dish Network's Failure in Security

Outline of events that took place.
 
1. My wife and I noticed that we would try to watch content on our laptop mostly in the evenings. We would start a show and the dishanywhere.com site would indicate to us that someone was already using the remote viewer to stream content. It would ask us if we wished to take control of the session. We would select Yes, we wish to take control, and the show would start. It would only run for a second before it would say that a remote viewer took control of our session. We would attempt to connect again and be prompted again to take control. This "tug of war" continued typically for 10 to 20 minutes until either we gave up or it would finally stop.
 
2. I attempted to reboot the Hopper and the Joey thinking there was something wrong with it. This did not help. I also thought maybe too many tuners were in use since the Joey takes up a tuner and we were recording some shows on Prime Time as well. This also did not seem to help as we still had to play tug of war.
 
3. This got us thinking that maybe someone had gotten into our Dish Network account or into our WiFi in our home. Since we couldn't figure out any way to stream Dish content just from WiFi without logging into the Dish account, we assumed it was not a hacker logged into our WiFi. I also checked the DHCP reservation list in my router to ensure no one had logged into my WiFi network besides the devices I own.
 
4. Upon investigation of this issue, I browsed around in my Dish Anywhere account settings. Inside I saw a section called Recent. This section indicates shows that have recently been viewed through the Dish Anywhere service. This list was populated with shows that we don't watch. We disregarded this again, thinking there couldn't be a hacker in our account, and that maybe just opening the web page, with an advertisement or something coming up, was why they were listed in Recent.
 
5. Researching further I discovered a section called Account and Devices. I clicked on this link and this section shows all the devices that are authorized devices. Authorized devices are devices that have logged into your account using the Dish Anywhere application on mobile devices. These devices are allowed to connect to and stream content using the Dish Anywhere service. Dish allows their customers to have a maximum of 5 authorized devices to be connected to their account.
 
6. While looking at this section I saw a device I believed to be my Samsung Galaxy S4 device. I have seen before that the name of my device was SCH-I545, and that is how it was listed in this device list. This seemed normal. It also showed a device called "Troy Osteraa's iPad", which is what I named my iPad. This also appeared normal. There were two other devices, however, called "XT907" and "Windows" respectively. The Windows device had a Windows logo next to it which made me believe this device was a Windows mobile phone or Windows Surface tablet. I don't own either of these devices. I looked for an area to "Deauthorize" these devices and there was no such area. There was a note at the bottom of the Device list saying "*Devices in this Authorized Devices list become authorized automatically when Premium Content is viewed. Devices in this list can only be deauthorized by being inactive for 30 days."
 
7. Since I was now more convinced someone had accessed my account and I wanted to find a way to deauthorize these 2 extra devices, I decided to change my password. I logged into the Dish Anywhere website and saw a link called Edit Account. Figuring this was where I could change my password and possibly also deauthorize the devices I clicked it. This link opened a new tab in my browser, but the page was blank. The page would not load.
 
8. At this point, I decided to contact Dish to resolve this issue. The date was 11/5/14. From the Dish Anywhere website the only Contact Us option was the online chat support. I opened a session with Dish chat support. They came online quickly and I began to describe the situation to them. The rep online told me that if I believed my password was compromised I should change my password. I told the rep that I was unable to change it because the Edit Account link would not work. I spent a while troubleshooting the link failure which they were not able to resolve. The rep told me that the Dish Anywhere account and the My Dish account were the same. They sent me a link to www.mydish.com. Here they asked me to perform a Forgot Your Password. I clicked the Forgot My Password link. I put in my phone number (the one on file with Dish) and my security code (a PIN number they have you create when you sign up for their service). This allowed me to change my password.
 
9. After changing my password I thought I would immediately test this. I went back to the tab on my browser that was logged into Dish Anywhere. I assumed that since the password was changed the logged-in session would immediately fail when attempting to access content. I hit the Refresh button on my browser and it was still logged into Dish Anywhere. I thought maybe this page was cached so I clicked the DVR link and saw my DVR content. I clicked on a show in my DVR list and was able to stream a show. I told the rep that it still works. I then accessed the Dish Anywhere app on my phone and it was also still able to access my content. I hadn't put the new password into my browser or my phone at this point.
 
10. I then clicked Log Out on the Dish Anywhere site. This took me back to the Dish Anywhere home page without being logged in. I clicked Login and it took me straight into my account. I was never prompted to put my new password in. I told the rep I didn't have to put my new password. The rep didn't have anything helpful to say. I told the rep that most likely my browser has a cookie stored that allows me to access my account without my OnlineID and password. I proved this by going into my browser and deleting all cookies then accessed the Dish Anywhere site. When clicking Login, it prompted me for a password. I used the new password and it let me in. I told the rep that this is a problem because this means that if my account was compromised by a hacker, changing my password wouldn't stop them because they simply have to NOT delete their cookies and they will continue to access my content regardless of me changing my password.
 
11. At this time, my home suffered a Comcast internet outage. It was about 10:00 at night and the outage was going to last until 2:00 am. I decided to resume my troubleshooting the next day when my internet was fixed.
 
12. On 11/6/14, I decided to talk to a person rather than chat online. I couldn't find a number on the Dish Anywhere website. I went to www.MyDish.com and found a number there. Hoping that I would have an option to go to Tech support from there I called (800) 894-9131. This is the number listed on the My Dish account for Customer Service. I called this number and navigated through the automated phone system to get to Tech Support. After getting on the line with a Customer Service Rep I explained the situation that was happening and explained what transpired on the chat support the night before. This first rep was nice. She tried to help me. She had me reset my Hopper device. This did nothing.
 
13. The Customer Service rep told me that she had Tier II tech on her chat window and they assured me that changing my OnlineID as well as my password would solve my problem and sever any connection to my content. I walked through with her logging onto my MyDish account and changed my OnlineID and password.
 
14. After changing these I performed the same test. I went to my browser, hit Refresh, accessed my Device list, and DVR content. I was still able to watch shows on the browser. I was unable to test connectivity on my phone as I had called the tech support on my smartphone to which the Dish Anywhere app was installed. I informed the Rep of this. She then told me I had to delete my cookies on my browser and log out of the app on my phone in order to sever the connection to my account. I told her that that wasn't the point. I shouldn't have to log out of the app on my phone because if a hacker had compromised my account he wasn't going to log out of his app. I said there has to be a way to sever the connection rendering the cookies on the browsers and devices useless without having to ask the hacker nicely to please log out of his Dish Anywhere app, providing I could even find out who hacked my account.
 
15. The rep told me that she wasn't a technical IT person and was going to transfer me to "Advanced Tech Support". While waiting on hold to be transferred to Tech Support, I decided to download the Dish Anywhere app on my wife's iPhone so that I could test in case they were able to fix the issue. I downloaded the app and logged in with my new OnlineID and password (since this was the first time I had accessed Dish Anywhere on this device the cookie didn't exist, so I had to log in).
 
16. I was transferred to Advanced Tech Support. The rep came on with the impression that my issue was that I was having trouble logging onto my Dish Network account. I told them "No, that isn't my issue. My issue is that it is apparently far too easy to log into my Dish Account because a hacker managed to get in without anyone knowing".
 
17. The Advanced Tech Rep assured me that changing my OnlineID and Password severs all connectivity to my Dish account and my content. At this point I started getting quite frustrated so I informed the tech support rep that I worked professionally in IT Tech support and I understand (better than he did) how their system worked. I informed him that it appears their software uses some type of cookie or token authentication to authorize devices and computer browsers. These tokens did not rely on OnlineIDs or passwords to provide authentication. I informed him that after one successful login to the app some negotiation is happening between the device and the Dish Anywhere servers that remembers and authorizes the device. I told him that my devices are trusted now regardless of whether they have the right OnlineID and password plugged in anymore. That the app was no longer using the OnlineID and password since it was an authorized device. He told me the software doesn't work like that. I proved it to him.
 
18. I told him that while I was on hold waiting for him I downloaded the Dish App and plugged in my new Online ID and password. I told him that I would change the OnlineID and password with him on the phone and show him that the iPhone would still connect. I did so and it did. He again told me that I had to log out of the Dish App and log back in. I explained to him that I was aware that doing so would require me to log in again with the new information, but the fact that it didn't sever my connectivity on my device meant that a hacker would still be able to continue accessing my content until they chose to log out.
 
19. The Tech Rep asked me why I believed I had been hacked. I explained to him about the unknown devices, and the strange content history. He said he had never heard of anyone reporting that their Dish account had been hacked. He then asked me how a hacker could have hacked my account. I said I wasn't sure how he hacked me, but I was fairly confident someone had. I said it didn't matter right now how he got in, I just wanted the devices authorized on my account to be deauthorized.
 
20. At this point I was put on hold while he "researched" the issue. While on hold, I had an epiphany. I remembered that at work we were scrambling to assess our computer systems to discover if we were vulnerable to a Cyber attack called POODLE. This Cyber Vulnerability is a vulnerability in the SSL protocol. SSL protocol is a computer language that secures communication between clients and servers. This attack compromises that secure communication allowing the hacker to become a "man in the middle" and extract secure login information out of SSL traffic. There is a website that performs scans on WebServers to detect their vulnerabilities. I knew that this site could tell me if Dish Network was safe. I went to https://www.ssllabs.com/ssltest/index.html while on hold and plugged in www.mydish.com and it came back clean. I thought maybe that isn't the problem. Then I plugged in www.dishanywhere.com since this is the site I'm using to stream content on my laptop and on the phone most likely too. The results showed two IP addresses hosting DishAnywhere.com. Both sites came back with a C in Red and Orange color. The results of this scan are attached to this letter.
 
21. Upon investigating the results of the C rating, it indicated that one site was NOT vulnerable to the POODLE attack, but that it was using weak cipher suites, and that it was not using Forward Secrecy with its session tokens. This means that if a hacker compromises one session token, they can keep using that session token to access future communications. The site indicates that using forward secrecy would create new session tokens upon each visit to the site preventing a compromise of a single token to allow unlimited future compromises. This makes sense considering that I was able to keep logging into the site after password changes without having to update my login info.
 
22. The other site's results were far more erroneous. It indicated that not only was it not using Forward Secrecy and using weak cipher suites, that it was also vulnerable to the POODLE attack. This means, anyone accessing the site using SSLv2 or SSLv3 from their browser or mobile device is subject to a "man in the middle" attack from the internet and having their private information stolen during the session. The only two remedies for this are to disable SSLv3 from the browser so that your browser MUST use TLS1.0, 1.1, and/or 1.2 instead. These protocols are safe and not vulnerable to the POODLE attack. I didn't have SSLv3 disabled in my browser so I assumed this might be why my password was compromised. I disabled SSLv3 on my browser to protect my future password changes and traffic, but I was concerned that I had no control of which protocol the Dish Anywhere app uses to connect. This would mean that even if my browser was safe, the connection of my phone to their site was going to be subject to being hacked again.
 
23. When the technician came back on the phone, I informed him of my discovery and that I believe I had an answer to his question about "how I was hacked". After telling him this, he seemed uninterested. He simply kept telling me that he had the "Engineers" online and they assured him that changing my OnlineID and password would prevent access to my content. I told him that was not true because I had repeatedly proved them wrong. I said that is only true if they log out of the app, delete their cookies, or their device becomes deauthorized. As long as they have an authorized device, changing this has no effect.
 
24. I came up with another idea. I asked them to delete my whole Online Account. I figured deleting my whole account and creating a new one would be a fresh new account with no authorized devices on it. He attempted to delete my account and told me that he needed my Dish password to perform that function. I told him that I had called Dish believing my password had been compromised and that I felt funny about having to tell someone I don't know my password to resolve my issue. I told him that you always hear from insurance companies and banks and the like that they will never ask you for your password. That is how you can be sure that your information is safe and that you're really talking to the company and not some hacker. I told him they HAVE to have a way to delete my account without asking me for my password and that I would not give him my password. I asked for a supervisor.
 
25. I was put on mute for the supervisor for about 15 or 20 minutes then heard hold music, then the hold music stopped. I waited another 20 minutes with no indication of being still on the phone other than the fact that my phone was still counting up that I was on a call. I left that phone on hold, and called back in from my wife's iPhone. They set me up to go right back to the last rep on their system in the back end. When I called in from the iPhone, I was sent straight back to the same department. I told them I was on hold for the supervisor. They sent me straight to the supervisor. She had me explain the whole situation again including all that had transpired. After this I asked to have my online account deleted and that her rep asked for my password. I told her I was not going to give out my password on the phone, and that they MUST have another way of deleting my account without asking me for my password. She attempted to delete my account, but her computer froze and could not access my account. She then moved to another computer and tried from there. She was unable to delete my account and told me that she would have to transfer me to the Fraud department.
 
26. The supervisor came back and told me that she did not need to transfer me to the fraud department because she was able to get them to delete my online account for me. I confirmed with her that my account was deleted and she said yes. I tested my theory again. I refreshed my browser and I could still see my content. I hung up the Samsung phone (that was still on hold for the supervisor) and opened the Dish Anywhere app. It still connected. She had me log out of the browser and delete my cookies. After doing so, I could not log onto the OnlineID. So I told her that is great that after deleting my cookies I can confirm that my OnlineID is deleted but before I deleted my cookies, I could still log in. That means the hacker only has to not delete his cookies and he could still access my content. She then said it sometimes takes up to 24 hours for the account to fully delete.
 
27. She then told me that she wanted me to create a new OnlineID since my old one was deleted. She assured me that only one OnlineID can exist per customer account so if it let me create a new one it was proof that the old account deletion was working. I was able to create a new OnlineID and login. I was still concerned that my phone was still able to access my content with the old old old OnlineID and password from a year ago. The OnlineID and password had been changed twice, and now my online account had been deleted and my device still had access to my content.
 
28. She assured me the account was deleted but that it takes 24 hours. I agreed to try again 24 hours from the time of this call. I waited until the next day (11/8) and my device was still able to stream my content. I called back the same number. This time I was routed straight to the Fraud department. I spoke to the Fraud rep and recapped the whole transcript of what has transpired. He told me that he had never heard of anyone being hacked at Dish Network. He highly doubted that I was hacked. He said he gets calls from people all the time that THINK they've been hacked and that their financial information has been compromised. He assured me that my financial data was encrypted on the back end and even access to my online account would not compromise my financial information. I told him that I was comforted to hear that, but that if he had my password to my Dish account, he didn't need my financial info, he could add content, order Pay Per View or anything he wanted because my financial info is already loaded into your system. Plus I wasn't even broaching the subject of financial security, right now I was just concerned that someone was logged into my account and preventing me from accessing the content that I'm paying for and you seem to have no means to kick him out.
 
29. This rep was no help and instead of recognizing their system has a security problem and no functionality to protect me from a cyber threat tried to question me about how I suspected a hacker got my info and why a hacker would go through all that work to get access to my content. Asking why I was so important that he would want to go through all that to get to my content. I explained to him that it wasn't that much work and that the hacker would do it because I pay over $100 a month for access to this content and that the hacker is doing it so that he doesn't have to pay the $100 a month to you if he steals it from me. Plus he could sell the information online for many of your customers and make money off it. That makes it VERY worth his time. He had no response to that and at this point I asked to be transferred to HIS supervisor.
 
30. The Fraud department supervisor came on and I again relayed all the information about my situation. (I was getting hoarse at this point from having to re-explain over and over again.) He again assured me that deleting my OnlineID would sever all connectivity to my content. He told me that it takes 24 hours. I said it had been 24 hours since YOUR department had deleted my online account and it was still working. He said he believed we should not have created a new OnlineID until after the 24 hour period was over to ensure it was purged. I had him delete my OnlineID again. He also had me unplug my Hopper for 20 seconds saying that it would erase the memory my Hopper had of its connection to my account. I did so. He then told me that I had NO OnlineID. This time I logged out of the browser, deleted my cookies, and tried to log back in. I told him that this was a good sign that it might be working.
 
31. Even though I could not log into my OnlineID, however, my phone could still access my content. I informed the supervisor of this and we discussed for a while. He still seemed to think I had to wait until the 24 hour period. I told the reps, techs, and supervisors several times I believed the way their system worked was that the Authorized devices and information pertaining to my account was linked to my Account Number on file with Dish that was created when I subscribed to Dish, not the OnlineID that was created later to access the Streaming content and that this was proof in that we keep deleting the Online account and all the Devices still show on my account. I told them Deleting my OnlineID is not removing the Authorized Devices from my account, and thus not preventing those devices from connecting to my account.
 
32. He kept telling me to wait 24 hours. I then noticed my phone could not access the content. I thought it was fixed. But I also get bad WiFi connectivity sometimes in my house because of my neighbors' routers so I figured I would try again later to confirm. I told him that I would wait 24 hours and try again. I asked if that didn't work could I have my whole Dish Network account cancelled and reinstated with a new Account Number. I figured if all the information about my account was stored in a database entry tied to my account number, cancelling that account and creating a new one would be SURE to sever all connectivity because now that whole account doesn't exist (not just deleting the OnlineID which is just a method of logging on to access my account info). He told me I should contact Dish on Monday if I wanted to do that (this was late Friday night). I agreed.
 
33. He told me that he had never heard of this issue happening before. I told him the POODLE vulnerability was only released into the wild on 10/14 so was relatively new and that maybe I'm just the first to notice it. He said he was going to report it to his superiors. I told him that if he was drafting a report to his superiors about my findings I requested he include the following:
a) One of your sites is vulnerable to the SSLv3 POODLE attack and needs to be reported to your Cyber Security Division to protect your customers. (Most customers do not know how to disable SSLv3 in their browsers and it is Dish's responsibility to disable this proactively to protect their customers from Cyber attack.)
b) Both sites are allowing weak ciphers that can be easily cracked and not using Forward Secrecy allowing a hacker to compromise a secure session and continually compromise that session despite any changes on the customer's account.
c) There is no method to deauthorize a device on your web page or for your Support Personnel. This should be a simple code fix to add a button to deauthorize the device and do a simple delete of the object in the database of this device.
d) I was told repeatedly when asked to change my password to use a "secure" password. The maximum length requirement on the password field for the MyDish account is 12 characters which is already not very secure. They also don't allow the use of special characters, which makes it even less secure and easier to crack. The OnlineID field, however, has a 100 character max limit with small number of special characters allowed. It makes no sense to allow a very complex username (when the username is usually sent clear text, and is also visible to the Dish employees) and require a simple password.
e) The way that their system works it allows session cookies on browsers and some kind of token on the mobile phones that bypasses the OnlineID and password once authenticated once. This is not secure, and allows a hacker to simply log into my account once (with the password they easily gleaned from the POODLE attack) then continue to access my content no matter what changes I make on my account. A simple change to generate new session cookies each connection or require some other type of authentication in the app and browser is needed to combat this vulnerability.
 
34. As I listed each of the above suggestions that I wanted reported to his superiors he kept arguing with me and disputing the facts of my suggestions. I told him that he might have a lot of knowledge about Fraud because he works in Fraud, but I have a lot of knowledge in IT because I work in IT as a System Administrator protecting servers from threats like this. I told him we could debate and argue all night about my suggestions, but instead I would rather you just forward them on for me. He agreed, but told me that in all honesty I was "Only one voice" in his words and that suggestions come from customers all the time and they may not do anything about it. He said he's sure they'll test my theories and investigate to see if these vulnerabilities exist but that he couldn't guarantee they would do anything about it because they have to also make sure their service is "easy to use". I said I understand your application has to be easy to use for the general public, but more importantly it needs to be safe and protect their private information. I also urged him and their IT department and developers to test my theory out. I said it wouldn't be hard for them to connect to a dummy account with a mobile device, then delete the OnlineID and see that the content is still accessible. Plus, the developers that write the app have to know how it works and can look at the code and see that I'm right. He took my notes and told me to call Dish back on Monday if it still wasn't fixed to have my account deleted and recreated. Later that night I tried the Dish app on my phone again and it was working after a reboot of the Hopper and my WiFi router.
 
35. I left my OnlineID deleted all weekend long periodically accessing the phone app on my phone to see if I could access my content (without even having an Online Account). I could still access the content even though I could not log on with ANY of my OnlineIDs.
 
36. On Monday evening (11/10/14) I could still access the content on my phone so I called Dish again. I didn't have myself routed to the Fraud Department because I wanted instead to go to some other Cancellation or Account Services department to have my account cancelled and reinstated. They sent me to another department (sorry, I don't remember what that department was called. It was similar to Cancellations. It was like the Loyalty department or something). They had me troubleshoot again. I told them that I did not have an OnlineID anymore; it was deleted 3 days ago. I proved this by attempting to login with every OnlineID and password I had created including the old original one from before all this happened. None of them let me log on on the Dish Anywhere website. I then opened the Dish app on my phone and played a show for her from my DVR on the phone and turned the volume up loud so she could hear I was watching a show on my phone. I informed her the OnlineID and password loaded into this phone was the one from 1 year ago and has never been updated and that I no longer had an OnlineID.
 
37. She then told me she believed the hacker had access to my email account and that when I recreated my new OnlineID last time that since I used the same email address, that is why it still works. She said that all the hacker has to do is go to the site, and do a Forgot Your Password and it would let them log into my account if I changed it. I said that doesn't make any sense because a) my device with the old information can still log in (if the hacker had changed the info on the account my phone shouldn't connect; if the hacker had created a new OnlineID, my phone still wouldn't work because the info wouldn't be accurate), and b) I had deleted my account; you should be able to look on your system and see that my Dish account has no OnlineID created (she never confirmed for me that she couldn't see any online account associated with my Dish account).
 
38. I then proved that theory wrong by telling her that I was told by Dish employees that only ONE OnlineID can exist per customer account. She agreed this was true. I said then if the hacker did have access to my email and created a new account after I deleted it then it shouldn't let me create a new OnlineID, right? It would say there is already one in use on this account. She agreed. When I went to create a new OnlineID she told me to assign a different email address for the account. I did one better. I went to Gmail and created a brand new email account. I then created a new OnlineID on my account using the newly created Gmail address. It let me create it, and I still had access on my phone to my content.
 
39. I tried to tell her that it had NOTHING to do with my OnlineID, but my Account Number. All my data was stored under my Account Number on their back end. She told me "No, it's tied to the email address," even though I had just proved her wrong.
 
40. I told them I was done troubleshooting the issue because I didn't believe they had a way to FIX the issue, and that I wanted to simply to cancel with no penalties for early cancellation of my contract and have it reinstated as a new account. I simply wanted my Account Number changed and that I wasn't trying to pull something over on them. They told me that they could not do that. I said "You're telling me that you cannot delete and recreate my account?" She said I can cancel your account for you. I said and then recreate it? She said no, I can't do that. I said that's fine, if you're just the cancellation person and you can't create accounts. You can either find me somebody who can do both, or you can get some supervisor to approve the cancellation with no penalties and I'll call in and recreate my account with the right department. She said we couldn't do that. I said "You're a multi-billion dollar company. Somebody there can delete and recreate my account!" She said "No, there isn't." I said "Let me make sure I heard you right, there is no one in all of Dish Network that can delete my account and create a new one?" To which she said "No sir, there isn't." I asked for a supervisor.
 
41. The supervisor came on. He asked me to explain the situation again. I did so including the entire conversation I had with the rep that transferred me to him. He told me that the only thing he could do would be to delete my Online account. I informed him that we had already done that on Friday. He then said well, then the hacker can't access your content. I proved to him that he would be able to by opening the app on my phone and streaming a show for him. I played the show loud enough for him to hear over the phone. He only rebuffed that by saying he had no way of being sure I was accessing the content I was talking about and that I was even accessing DVR content from my account. I told him unless you give me your address or the address of a Dish office I can drive down and show you, how am I supposed to prove it to you? I played the show for you. What would I gain by lying to you about the fact that I'm accessing my own content on my own device on my own account? I was simply trying to prove to you that changing your OnlineID doesn't prevent access.
 
33. He told me again that it takes 24 hours to delete an account, and that he could delete my account for me (the account that I created with his rep on the phone with the new email address) and I could try back the next day. I told him that doesn't work, and that the Fraud department had already deleted my account on Friday and I had left it deleted for 3 days before trying my content again.
 
34. He then accused me of lying to him again by recapping the story of the weekend, saying that I told him I did not create any new accounts after the deletion on Friday but that I had him delete an account today, so I wasn't being truthful. I was furious! I told him I had just relayed to him that I had left my account deleted all weekend long and didn't create it back again until instructed to do so by his employee on the phone shortly before being transferred to him.
 
35. I explained that I wanted my account cancelled and recreated under a new number because it seemed to be the only way to kick the hacker out of my account. He said he could not do that. He said they could cancel my account if I wished to do that. I said I don't want to cancel my account, I want to deauthorize the devices on my account, but you guys say you can't do that. All I want to do is prevent a hacker from continually accessing my content. You've left me no choice but to cancel my account and recreate it. He told me that I could cancel but would lose the promotion I was qualified for, would have to sign up fresh again with whatever promotions were running now, and would have to wait 60 days for my account to be reinstated. I said then maybe I should just cancel my service and go back to DirectTV. He told me that was an option.
 
36. I then asked whether, if I cancelled my service now, it would be without any early cancellation penalties. He told me no, I would be subject to any and all early cancellation penalties. I told him there was no way I would pay early cancellation penalties when I am only cancelling because a) Dish allowed my account to be hacked by using weak ciphers and outdated SSL protocols on their external facing web servers, b) has no way of deauthorizing devices on people's accounts, c) has no way to delete someone's account to prevent access to a customer's account, and d) requires no further authentication on websites or mobile devices after the first authentication, even after deletion of one's account and password changes.
 
37. I told him that I wasn't cancelling my account because I couldn't afford it, had changed my mind about the service, or any other reason the contract exists for. I was cancelling it because they were in breach of basic measures to protect my identity and my content. I tried every method possible to stay with them and use their service, even though I was calling into question their security practices and customer service knowledge (or lack thereof), but the only option left to me to protect my identity was to cancel my service. And I told him that I would not pay an early cancellation fee simply because this basic security was not in place and no measure was put in place to rectify it. I also originally suggested that the cancellation of my account not be a permanent one, but a temporary cancellation simply to create a new account number for me, not to leave my contract. The only reason I suggested permanent cancellation was because I began losing even more faith in them to protect my identity and content.
 
38. I asked to speak to his supervisor and he said that his supervisor does not talk to consumers. I was led to believe this was as high as I could go up the chain. This was my last step to escalate to get my identity protected, and no one at Dish was capable of solving my problem other than to have me cancel my account and pay the penalties, or just allow a hacker to access my content unchecked.
 
39. He kept saying I needed to check back in 24 hours after HIS account deletion. I said the fraud department did it on Friday and it didn't work. To which he said he had no proof that it was doing what I said it was doing. I said then what would waiting 24 hours do? First of all, you're saying you have no faith in your own Fraud department and their ability to delete an account, and second, if you don't believe me now that I'm accessing my content with a deleted account, why would you believe me tomorrow? He said again, "Sir, you need to wait 24 hours."
 
40. I came up with a solution. I said to him, "You say that you have no way to prove that I'm actually accessing my content without the existence of an OnlineID because I'm on the phone and you can't see what I'm doing, right? I have a way to prove it to you. I will create a new OnlineID right now with a new email address. I will give you my password to this new OnlineID. You can log onto a browser or mobile device of your choice with my OnlineID. You can confirm that you can see MY content and stream something from my DVR. Then you can delete the OnlineID. I will hang up with you and call back in 24 hours. You can then try and access the content again and I will prove to you that YOU, not I, can still access my content 24 hours after the account deletion. That way you will know I'm not lying." (While trying to get this proposal out, I was interrupted several times by him trying to shut me down by just repeating over and over again that he had already told me what to do. His suggestion was simply to delete my account and have me try again 24 hours later, even though he had already said he didn't believe me when I said I could still access my content.) To this proposal he said, "But then I'd have to wait 24 hours to see the results of this test," to which I said, "I've had to wait 24 hours, then 72 hours, now 24 hours again; the least you can do to help me prove I'm right is wait 24 hours for me and see if it works." He would not agree to do this.
 
41. I ended this conversation by telling him that since he obviously doesn't trust his fellow Dish employees' ability to delete an account, I would allow him to delete this latest account and call him back exactly 24 hours later (even though that is going to be at 10:24 PM on Veterans Day) and prove to him that I can still access my content on my phone (even though he had already indicated once that he didn't believe me even when I gave him audible proof). I then indicated that after I hang up with him I am going to draft a letter to Dish Network's Corporate office complaining of this issue and their staff's treatment of me, and one letter to my local news affiliates about Dish's a) grave misconduct in protecting their customers' accounts, b) ineptitude in managing their software, c) breach of contract and regulatory requirements to protect consumer PII (Personally Identifiable Information), and d) attempts to force me to stay in a contract even though my PII is not safe, or risk paying early cancellation fees.
 
42. I'm sure if a lawyer were to look at this case, they could prove that Dish is in breach of contract in providing me my content (since I sometimes cannot access my content because the hacker steals the stream away from me), and that I have a justifiable reason to cancel my account, since I am choosing to leave because their cyber security measures are lacking, I don't feel my information is safe, and they are refusing to eject an attack that is happening on my account right now.
 
43. Appendix: The only other solution besides cancelling my service and paying the fee is to disable the network interface on my Hopper (the WiFi adapter that is responsible for streaming the data up to the internet) for 31 days, since the only way to deauthorize a device is to have it not connect for 30 days. This would deauthorize all devices because it would sever the connection to my Hopper, but I would be without this service for 31 days. I am still paying full price to have access to this feature, and I'm being told the only way to avoid cancellation fees is to choose to forgo that feature without being compensated for the fact that a feature (one of the main features that led me to leave DirectTV and come to Dish, by the way) is being taken away from me for a whole month.
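The four gaps listed in item 36 (no device deauthorization, no revocation on account deletion, no re-authentication after a password change, and the 30-day inactivity rule being the only way out) are all fixable with one server-side design: bind every device token to the account's current credential generation and check every revocation condition on each request. The store below is an added example, not Dish's code or anything taken from their system; the 5-device limit and the 30-day idle window mirror the post, and all class and method names are assumptions.

```python
# Added example, not Dish's code. Every device token carries the account's
# credential generation at issue time, so a password change or account deletion
# revokes all device sessions at once; the owner can revoke a single device,
# and a device that stays idle for 30 days lapses on its own.
from dataclasses import dataclass
from datetime import datetime, timedelta
import secrets

MAX_DEVICES = 5                        # limit mentioned in the post
INACTIVITY_LIMIT = timedelta(days=30)  # idle window mentioned in the post

@dataclass
class Account:
    account_id: str
    password_hash: str
    cred_generation: int = 0   # incremented on every password change
    deleted: bool = False

@dataclass
class DeviceSession:
    token: str
    account_id: str
    device_name: str
    generation: int            # cred_generation at the time of issue
    last_seen: datetime
    revoked: bool = False

class DeviceAuthStore:
    def __init__(self):
        self.accounts, self.sessions = {}, {}

    def create_account(self, account_id, password_hash):
        self.accounts[account_id] = Account(account_id, password_hash)

    def active_devices(self, account_id, now):
        return [s for s in self.sessions.values() if s.account_id == account_id
                and self.validate(s.token, now, touch=False)]

    def authorize_device(self, account_id, device_name, now):
        acct = self.accounts.get(account_id)
        if acct is None or acct.deleted:
            raise PermissionError("unknown or deleted account")
        if len(self.active_devices(account_id, now)) >= MAX_DEVICES:
            raise PermissionError("device limit reached; deauthorize one first")
        token = secrets.token_urlsafe(32)
        self.sessions[token] = DeviceSession(
            token, account_id, device_name, acct.cred_generation, now)
        return token

    def validate(self, token, now, touch=True):
        s = self.sessions.get(token)
        if s is None or s.revoked:
            return False                       # explicitly deauthorized
        acct = self.accounts.get(s.account_id)
        if acct is None or acct.deleted:
            return False                       # account deletion kicks devices
        if s.generation != acct.cred_generation:
            return False                       # issued before a password change
        if now - s.last_seen > INACTIVITY_LIMIT:
            return False                       # idle for more than 30 days
        if touch:
            s.last_seen = now
        return True

    def change_password(self, account_id, new_hash):
        self.accounts[account_id].password_hash = new_hash
        self.accounts[account_id].cred_generation += 1   # revokes all devices

    def deauthorize_device(self, account_id, token):
        s = self.sessions.get(token)
        if s is not None and s.account_id == account_id:
            s.revoked = True

    def delete_account(self, account_id):
        self.accounts[account_id].deleted = True
```

Because `validate` re-checks the account on every request, the user's own recovery steps (password change, account deletion, removing one device) take effect immediately instead of after a 24-hour or 30-day wait.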

11/11: Called HQ and was about to be transferred back to the Fraud dept. I told them I did not want to go back to the same people. They then told me they could not guarantee I wouldn't go.

Christina Operator ID F1S 18662402347 x72124
I spoke with Christina in the Office of the President, explaining the whole situation and that I either wanted the problem fixed or my account cancelled and the penalties waived. She told me she was going to transfer me back to the Fraud dept. I told her I would not talk to them again, as they were unable to help me, unless it was the Head of the Fraud Dept and not the Customer Service level; they already had no way to help me. She placed me on hold, came back, and told me the only thing they could do for me was cancel my service and waive the penalties. I asked if I could then call back and open a new account. She said that I could after waiting a 60-day reinstatement period. I said, "The only reason I'm forced to close my account at all is because you provide no option for me to eject a hacker logged into my account and protect my private information, and you're not going to let me reopen my account for 60 days?!" I had her process the cancellation and informed her that I would be speaking to my local news broadcasters about this issue and consulting with a lawyer for advice about how to proceed, because just because I'm out of your system now doesn't mean the rest of your customers are safe, and this needs to go public. I also informed her that every time I come up with a solution, they shoot it down. I think the reason they shoot it all down is because then someone would have to admit that I'm right and their cyber security and application design were to blame, and they don't want to accept the blame. I feel I'm the first of many to be attacked until Dish takes my requests seriously and locks down the security of their system.

16 Comments:

At October 20, 2015 at 5:46 PM , Blogger Justme said...

Damn. Did you go back to them? I know little about all this IT stuff. It scares the bejeebers out of me because I just want to watch TV. I have to pay to do so and don't want to get hacked. If someone as IT savvy as you can get that deeply mired in it, what chance do we that are not IT savvy stand?

 
At November 4, 2015 at 1:13 AM , Blogger Unknown said...

This is the same problem I'm having. I just haven't cancelled with them yet because I'm on the two-year lock down and I would have to pay the early fee for the penalties, but I'm not willing to do that because they are going to put that on my record.

 
At November 4, 2015 at 6:02 AM , Blogger Unknown said...

I haven't checked recently to see if they have the same vulnerabilities since I cancelled my account, but I would imagine they haven't overhauled their back end so it probably has some of the same issues. Unfortunately there's nothing anyone except Dish can do about it and it sounds like they're not interested!

 
At November 4, 2015 at 6:10 AM , Blogger Unknown said...

They wanted to charge me for cancelling as well. I kept fighting. I told them I wasn't leaving just to get out of my contract, I said I was leaving because they were compromising my private data and if they wanted me to contact my local newspaper and go to court over it I would be more than willing to tell the whole world that Dish doesn't care about the privacy of its customers or the security of its systems. Eventually I had to have myself transferred to the Office of the President where even there I was told they cannot let anyone out of their contract without a fee. When I threatened the rep at the president's office with litigation and public broadcast via my local newspaper they finally came back on the phone and told me they would waive my early termination fee. I told them it was ridiculous that I had to spend about 30 hours on the phone over the course of 2 weeks to get my account cancelled. I said that any contract has terms, and as far as I was concerned if Dish is allowing my account to be stolen by someone else, allowing them to commit identity fraud using my info, then they, not I, were in breach of contract. It should not have been as difficult as it was to convince them of their blatant problem and do something to rectify it.

 
At March 7, 2016 at 4:00 PM , Blogger Unknown said...

If someone you know is using your account, is there a way to stop them, or is it just like your situation?

 
At April 4, 2016 at 6:28 AM , Blogger BARBARITA said...

My criminal minded neighbors are stealing my Dish Network services VIA ONLINE AND THROUGH A DISH WIRELESS JOEY AND A DVR THAT THEY PURCHASED ONLINE AT AMAZON.COM I BETWEEN. WE PAY OVER $130.00 FOR OUR FAMILY TO HAVE DISH SERVICE AND THIS FAT SLOBBY CRIMINAL STEALS FROM OUR DISH PAID SERVICES AND THE DISH NETWORK COMPANY. I HAVE BEEN COCK BLOCKING HIS TOTAL THEFT PLAN. I REMOVE MY HOPPER'S SMART CARD WHEN I'M NOT USING MY DISH HOPPER SLING TO PISS HIM OFF LOL, AND TO TAKE MY STAND AGAINST CRIMINAL HACKERS. HACKING (IS ROBBERY) AND THOSE WHO DO THIS ARE PRISON BAIT. SLAP THEM IN PRISON IS WHERE HACKERS BELONG.

 
At June 19, 2016 at 8:20 PM , Blogger Unknown said...

Bad faith breach of contract.
Breach of the Covenant of Good Faith and Fair Dealing.
A jury of citizens, your peers, dish subscribers, would not be happy with Dish.
Dish will try to remove it to Federal Court, won't work.
State law, wiretapping act, requires permission of both parties to the contract to communicate with your Dish receiver.
Get a good shark lawyer and go after Dish.

 
At August 4, 2016 at 1:22 AM , Blogger Unknown said...

I am having this same problem, thank you for doing the due diligence on this. I also work in IT and I believe I will have to switch carriers as well. It's outrageous. I had my Wi-Fi data being stolen as well, which they charged $100 at install to secure the connection, and then a 14 year old broke into it from his phone, changed the name of it and started streaming my data. I was furious. This was a few years back and they had hard limits on data usage. With Verizon I have had similar problems. They once tried to convince me that I used over 3G of data in the span of watching a 21 min episode of American Dad and were charging large overage fees. I explained on an SD stream this was impossible; then they tried to tell me I probably buffered 2G of data while I explained that was impossible for the file size alone and laughable. I ended up at the top "diamond" tier support where they told me they have three systems (the one on your phone on the Verizon app, which they say does not necessarily guarantee to be accurate- which is ridiculous) and two separate NON-MATCHING systems on their end, one of which said I used over 20G of data and the other said I had used 12G. I had another number closer to the 9-12G range. The overage charges were enormous and could blow through 10G of data sometimes watching only, say, three episodes of Sons of Anarchy (not ever HD!!! SD) while other times I could watch day and night and maybe rack up 10G. I said my data had to be being stolen or hacked, or their dual computer systems that didn't match anyway were obviously wildly inaccurate. I have never seen any company be able to run like these guys do and I am so tired of their lies, nonsense and unfairness. It was frustrating to have premium cable that other people get to use for free- not only is it a breach of my security, privacy, etc, it actually discriminates against their own loyal paying customers whose ignorance they obviously try to take advantage of.
It's a million times worse than going to a mechanic and having him charge you to take out working parts or charge fees that are predatory. Why does it take time and a lawyer and class action suit plus YEARS for these companies to be held accountable for these outrageously unfair consumer policies? Just the time spent alone on the phone plus the frustration is grossly unfair, we don't pay these companies to lie to us and abuse our contracts with them. None of us can live happily in a society where we have to sue to be treated decently or fairly- no one likes that reality except the lawyers.

 
At March 23, 2017 at 5:52 AM , Blogger blautens said...

Wow...I had similar experiences at Comcast, which is why I changed to Dish. I've noted that while the Dish people try to be helpful, they aren't the sharpest tools in the drawer (at least not the ones I speak with). Having worked in the global critical situation escalation team of a multi-billion dollar software company, I sort of expect that, though (sadly, I have seen a few cases of this in our first 3 tiers of support, too). Back when I was still in regular escalation (but not on crit-sit) the average case took 21 days to escalate. I felt badly for the customers, and had an even mix of enraged customers when I took their case to grateful/relieved ones.

I do know of many of our frontline guys who were smart enough to take cases like yours (especially security) to their team leads who could literally walk to escalation and backdoor them right away, but for the customer not paying for a dedicated technical account manager, in theory they had to go through the first 3 tiers, even when someone as smart as you can offer the source (and possible resolution) to the problems.

That being said I did a project with a contractor about a year ago who did a 12 month stint for Echostar - he was a Unix expert who worked on the systems they sent local TV stations to upload their feeds to Dish, and he said it was a very bizarrely organized company.

** This is strictly my opinion and not the opinion of my employer(s) **

 
At April 1, 2017 at 11:47 PM , Blogger Dmjedi said...

I am having same problem with Dish. Wasted so much time with a bunch of complete idiots. I have actually done a lot of work implementing their uplink center and tried to explain the same issues to the so called tech staff. I am amazed at their incompetence.


Has anyone figured out a way to kick the hacker off?

 
At April 2, 2017 at 8:15 AM , Blogger Unknown said...

You would have to disconnect your Hopper from your WiFi for 31 days, since "inactive devices" get dropped off after 30 days of inactivity.

 
At October 11, 2018 at 11:32 AM , Blogger mandie said...

I am having a similar experience with Dish. Someone is accessing my receiver, directly, and purchasing sporting events, in excess of $130 so far (which are not refundable, per a Dish rep). I have proof that no one was in my house when these purchases were made; I have a security system with cameras at all entry points. They are telling me that hacking is virtually impossible, and that I'm (basically) lying.

 
At July 28, 2019 at 11:12 AM , Blogger Unknown said...

Pretty much the same thing happened to us. But we no longer have Dish. I'm having to hire a cyber detective now because they have all our info and were able to get into my Verizon account, and using a Note 9 I felt pretty safe, but I pretty much told Verizon for 4 months my account was hacked through Dish and Verizon. That was 7 months ago. Now they have hacked into my vehicle, and even though my OnStar isn't hooked up, when I try to make a call they ask for the name of the person I'm calling. It just goes on and on. I have called and gone to many police stations but they are at a loss. Can anyone give me some info that would actually help?

 
At July 28, 2019 at 11:15 AM , Blogger Unknown said...

Exactly !!!!!

 
