[plug] Iinet security
Marcus Holmes
mh at marcusholmes.biz
Wed Jul 30 04:06:56 UTC 2014
I had a slightly unnerving conversation with a customer service rep at an
HBF office a couple of years ago over this.
She asked me for my address and date of birth to prove my identity. I said
I could do better and produced my driver's licence, which has my address
and date of birth on it, together with a photograph. She refused to accept
that and insisted that I verbally confirm my address and date of birth. I
tried to explain that those pieces of information are public knowledge and
that checking my driver's licence was more secure, but she got very short
with me and insisted that HBF's privacy procedures meant that she could
only accept verbal confirmation of my address and date of birth. So I read
my date of birth and address from my driver's licence to her, and she
refused to check the photograph, and we talked about my insurance.
It's a problem not just limited to phone calls, but to idiots designing
business processes.
Marcus
On 30 July 2014 09:45, ıuoʎ <yonjah at gmail.com> wrote:
> Krystin what your saying is very disturbing.
> I have the same issue with Vaya. every time I call the customer service
> they ask me for details anyone can easily find on facebook.
> So I guess its not only IINET who have the issue.
>
> But looking at the Caller ID doesn't make it any better. Caller IDs can be
> easily spoofed and faked it doesn't require any technical knowledge and
> today you have some paid apps that will do it from your smartphone. so if
> anyone will want to take over your customer account this will not stop him.
>
> Also the fact that you find the problem of asking a client password as him
> not knowing it or him being annoyed from the question is also a bit
> disturbing since the fist security measure every user should take is to
> never tell anyone his password especially not to the company service rep.
> and if you save your passwords properly no one in your company will have
> any access to this passwords in the clear not to validate the users by them
> and not to give them back to the users when they are asking them. customer
> reps should only be able to generate new temporary passwords for accounts
> which the client can use to login once to change his password.
>
> To identify users you can ask them to have a verbal code word specific for
> the customer rep or giving the last 4 digits of their credit card
>
>
> On Tue, Jul 29, 2014 at 6:16 PM, Krystin Dix <krystindix at lothar.id.au>
> wrote:
>
>> The only security questions asked were
>> First and last names (This is 1 Point)
>> Address (This is 2 Points)
>> Date of Birth (This is 3 Points)
>>
>> The thing to note here Luke is that they would have had to verify that
>> the Caller Lind ID matched the numbers on the account – Generally if it’s
>> the DSL number or mobile number this satisfy 3 points of our ID Check
>> system. This check would only complete if our Caller Application detected a
>> CLID was present and that it matched the account that the ID check was been
>> passed on (it is not something that can be checked or ticked in our widget).
>>
>> Have a look in the task notes inside toolbox (all customers have access
>> to their notes written by Customer Service). The first few Fields that are
>> formatted will show things like the Callers Name, and then their ID Check
>> Passed / Failed and with which points passed.
>>
>> Having answered those questions iinet provided the account username and
>> password, a list of linked accounts and passwords for all the things.
>>
>> Does anyone have any suggestions on who to contact to get this fixed?
>>
>> As I can see you can ask to have a challenge set or to remove the
>> alternate method of passing the ID check. IE to ask for the account primary
>> password and name of the account holder. This is fine for some clients
>> however for people that do not know or even want to know their password
>> been asked for it as the primary means of passing the ID check can be
>> infuriating. I have found in my calls that I have taken for iiNet that
>> clients are more happy / receptive when ID checked using the Name / Address
>> / DOB / Caller Number ID.
>>
>> I work for iiNet in the Hosting department. If you have any questions
>> you would like to raise off the list please email me
>> kdix at staff.iinet.net.au
>>
>> Regards,
>> Krystin Dix
>>
>> _______________________________________________
>> PLUG discussion list: plug at plug.org.au
>> http://lists.plug.org.au/mailman/listinfo/plug
>> Committee e-mail: committee at plug.org.au
>> PLUG Membership: http://www.plug.org.au/membership
>>
>
>
> _______________________________________________
> PLUG discussion list: plug at plug.org.au
> http://lists.plug.org.au/mailman/listinfo/plug
> Committee e-mail: committee at plug.org.au
> PLUG Membership: http://www.plug.org.au/membership
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.plug.org.au/pipermail/plug/attachments/20140730/065dace8/attachment.html>
More information about the plug
mailing list