I wanted to make people fully aware of a problem I encountered today with Time Warner Telecom because it flies in the face of good privacy and security practices.
So here’s the background. I paid my cable bill online through Time Warner the other day. I typically pay through their web interface rather than use ebills like I do for everyone else. However, something happened this time, evidently, and my payment didn’t get processed.
Because my bill was now late, Time Warner gave me a “courtesy call” to tell me. Here’s how the conversation went (not exact, obviously, but this is the gist):
Me: "Hello, this is Tobin." Time Warner: "Yes, is Mr Titus in?" Me: "That's me, how can I help you?" Time Warner: "We were calling to tell you that you are now past due on your cable bill." Me: "Really? I paid you the other day online." Time Warner: "On our website?" Me: "Yes, ma'am. Let me check my bank account to see if it processed." ::I then checked online :: Me: "You are absolutely right, it didn't get processed. I'll go ahead and try to pay it online again." Time Warner: "Sir, you don't have to do that. We can accept your credit card payment over the phone right now." Me: "I don't make a habit of giving my credit cards over the phone, particularly when someone calls me."
The fact that these guys offered to take my payment over the phone is bad enough. It should be the policy of every company to NOT accept payments when THEY call YOU because that opens up the door to fraud. If everyone knew that a company would not call you to ask you for your credit card information, there would be less Phishing attacks. This is why AOL specifically puts notices in their IM and Mail windows that says they will NEVER ask for your credit card information through those means.
So offering to take my payment right then and there is a huge problem already, but
here is where it get’s more interesting.
Time Warner: "Sir, we can prove we are who we say we are. We have your last four digits of your social, your address, your phone number, etc"
!?!?!?!?!?!! WTF !!??!?!?!!!?
Me: "So do all of my creditors. With all of the recent ID theft lately, my informaiton is all over the place. Anyone could have that. But do you mean to tell me that you would give me the last four digits of my social and my address to verify that you are who you say you are? How do you know that I'm really Tobin and you wouldn't be giving that information out to just anyone??"
I could hear this representatives wheels turning in her head. She finally tried to back track.
Time Warner: "No, uhh, I , umm, I meant that you could give me your social and we could tell you if that's right or not." Me: "How would that prove anything to me. You'd say 'ok, what's your social?', I'd say '1234' and you'd say 'yep, that's it, now give me your credit card number!'?" Time Warner: "No sir, that's not what I meant." Me: "You were going to read my social to me--a guy who you can't prove is Tobin Titus." Time Warner: "No sir, we didn't read your social security number." Me: "But you were going to!" Time Warner: "No sir." Me: "Either you were going to read my social or I was going to blindly give it to you which would have proved nothing to me. Which is it?"
At this point, I finally told the lady “nevermind”and asked for her supervisor’s name. This was unreal. I can’t believe in this day and age people non-challantly ask for or provide information like this over the phone with untrusted and unverified individuals. It affects anyone that uses Time Warner and I feel if they don’t see the problems associated with this practice, then their customers need to know that their personal data is in the hands of bumbling idiots.
So how can companies solve this problem? Its fairly simple and I have some rules I think should be implemented by every company that keeps private data. They are as follows.
- Never ask for data when you contact a customer – This is just common sense. Hundreds of thousands of people have been suckered into giving up personal information in so-called phishing scams. If companies, as a general rule don’t ask for information when they contact you, people would be more sensative to thistype of attack.
- Never display sensative personal information to CSRs. – 80% of all “hacks” come from inside a company according to the 2003 CSI/FBI Computer Security Survey. If the CSR is to validate information, it should be typed in. For instance, instead of seeing the full address on the screen, a CSR should be prompted to type in the street number for the address. If the data matches that stored in the database, then and only then should the CSR get to read any of the account information.
- Never use a social security number as an identifier! – This is a pie-in-the-sky sort of request, but it is ultimately necessary if we are ever going to fix identity theft. Anyone who’s been alive since the original Andy Griffeth was on the air should know that Social Security numbers were never meant to be used as identifiers for ANYTHING other than for the social security program. The problem is that this has now become the closest thing to a federal ID we have. Sure its convenient, but this is the direct cause of so much identity theft. I have an entire post dedicated to how we can fix this later, but its out of place here. More to come…
- Hire competent people – Information is only as secure as the people who have access to it. If you are hiring the cheapest labor you can find (and that includes outsourcing your records off-shore — YIKES!), you are sure to have chinks in your armor. Case and point. if Time Warner had competent employees, they would think to themselves “Hmm, maybe I shouldn’t offer to give out this man’s personal data so he knows who we are.” In retrospect, I wonder what this employee would have done had I asked her to prove they were Time Warner by giving me her social security number.
Again, I have more to come, but this should cover the basics. Keep your data on a short leash. If someone asks for data you don’t think is appropriate to give out (particularly on applications), then don’t give it out. Verify the need for the data as well as the intent of use of the data before giving it out to anyone.