
“Can I have your account password please?” Only if you answer my security questions…

I have a mobile phone contract with Three. Recently, they’ve called me about my account. Each time they call, they ask for my account password so they can verify that they are talking to the correct person, as per the Data Protection Act. Yay for security!

But how do I know that this person is from Three? I only have their word for that. It could be anyone on the phone.

However, if I try to verify who they are by asking my own security questions, it seems they can’t give the answers.

Each time they call, I will ask that they provide me with the last three digits of my account number in order to prove that they are who they say they are. Not my phone number: they’ve just dialled that, so they already know it. I mean my account number – the one that only Three will have. And each time I ask, they refuse.

The last three digits aren’t personally identifiable but are enough to satisfy my security request. Surely they must understand that security works both ways?

Some of their operators are polite about it, some are downright obnoxious – how dare I question them? They think I’m being arsey for the hell of it.

Sometimes they say that if I give them my password, they can confirm if it’s the correct one. Isn’t that what you asked in the first place? “Ah,” they say. “But if you give a wrong password, we’ll be able to tell you it’s wrong.” Um, no. Not happening.

I will not give out any sensitive information to anybody who has called me until I am satisfied that they are who they claim to be.

It’s in companies’ interest to ensure that their customers’ data is as secure as possible. There are big fines for breaches. And phishing is big business – not just via email. So why can’t large companies with thousands of customers start using two-way authentication?

It’s really quite simple. There are two passwords, one for the company and one for the customer, both set by the customer. The person who makes the call gives their password first, identifying them to the other party. This second party then gives their password, satisfied that the person they’re talking to is legitimate.
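The exchange described above, written out as an added example (not code from the original post): the caller must present the company password before the customer says anything, and a caller who can’t is refused without being handed a password to “check”. The account, the passwords and the storage choices (company password kept readable so agents can present it, customer password kept only as a salted hash) are my assumptions for illustration.

```python
# Two-way (mutual) password check for a phone call. Added example, not from
# the original post; the account and passwords are constructed for illustration.
import hashlib
import hmac
import os

REFUSED = "call cannot continue"

class Account:
    """Company-side record. Agents must be able to read the company password to
    present it; the customer password is only ever verified, so only its salted hash is kept."""
    def __init__(self, company_password: str, customer_password: str):
        self.company_password = company_password
        self.salt = os.urandom(16)
        self.customer_hash = self._hash(customer_password)

    def _hash(self, secret: str) -> bytes:
        return hashlib.pbkdf2_hmac("sha256", secret.encode(), self.salt, 100_000)

    def verify_customer(self, presented: str) -> str:
        """Step 2 of the call: the company checks the customer's password."""
        if hmac.compare_digest(self.customer_hash, self._hash(presented)):
            return "verified"
        return REFUSED

class Customer:
    """The called party: gives nothing away until the caller has proved itself."""
    def __init__(self, company_password: str, customer_password: str):
        self._company_password = company_password
        self._customer_password = customer_password

    def receive_call(self, presented_company_password: str, verify_customer) -> str:
        """The caller speaks first. `verify_customer` is whatever the caller
        would do with the customer's password once it is given."""
        # Step 1: compare against the password only the company should hold. On a
        # mismatch, end the call: no password of our own, no "I'll tell you if it's wrong".
        if not hmac.compare_digest(presented_company_password.encode(),
                                   self._company_password.encode()):
            return REFUSED
        # Step 2: only now does the customer authenticate to the company.
        return verify_customer(self._customer_password)

def genuine_call(account: Account, customer: Customer) -> str:
    """A real agent reads the company password from the record and goes first."""
    return customer.receive_call(account.company_password, account.verify_customer)

def impostor_call(customer: Customer) -> str:
    """Someone who dialled the number but holds no account secrets: they would
    happily 'verify' anything, yet never receive a password to verify."""
    return customer.receive_call("guess", lambda password: "verified")
```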

“But someone could steal the password!” I hear you cry. Yes, they could. But they could do that now. At some point in the past, there will have been a time when a password wasn’t required – people were able to take a caller’s identity at face value because identity theft wasn’t the huge racket it is now. But then came the fraud. And someone said, “Let’s give people a password. One password is better than no password.” Well, two passwords are better than one password.

I will continue to ask for the last three digits of my account number from Three whenever they call me. And if they can’t provide them, then I will continue to tell them that the call cannot continue.