Who’s protecting your identity?

By Gerry.
Thursday, October 29, 2009.

So I found myself in the middle of an issue with a company that provides a service for me. This company has all of my important information, including my date of birth and social security number, but the way it interacts with its customers makes it very easy for somebody to hijack its customers' accounts. I am very concerned that this company is exposing its customers to identity theft by forcing them to violate all sorts of common-sense security rules.

First off, they sent me an urgent notice as a PDF attachment. This means that I need to open an attachment with no way to verify the sender. Well, that violates my concept of a first line of defense against malware. I submitted a complaint on the company's website. A couple of days later I got a call from a representative of this same service provider. He said he was calling about my complaint, but that he needed to verify my identity before he could talk to me about it. He asked for my PIN. I advised that security requires that I never give this information to somebody who initiates contact. The caller suggested I could take his employee ID, but he had no way for me to verify the number until after the call. He then asked for my date of birth. I gave the same response. He then asked for the answer to my secret question. Huh?

Now most companies are very explicit and state that they will never contact you and ask you for this type of information. This company, on the other hand, asked for three different pieces of this information. When I would not provide it, the rep said, "So, you're refusing to provide the information I am requesting?" In effect he was trying to convince me that I really should give him all of this information. I advised that he was violating all security rules by calling and asking these questions, and that he was making their customers very susceptible to identity theft by getting them used to answering these questions on the phone.

Imagine what happens when an unsuspecting customer who is used to this behavior gets a similar call from a phisher. The phisher says he is from this company and that there is an issue on the account. He then asks for the same private information. The customer, who has been trained by the company itself to go against common sense with regard to security, ends up giving his PIN, date of birth and the answer to his secret question to an unknown caller. Those three items are exactly what the company's own representatives accept as proof of identity, so the phisher now has everything needed to take over the account.

Companies need to be aware that this kind of behavior encourages sloppy security. Rather than trying to force me to give the information, they should have listened to my response and reconsidered the security hole they are creating for each of their customers. If a company really must reach a customer about an account issue, it should ask the customer to call back on the number printed on their statement or card, where the customer knows who is on the other end; it should never authenticate a customer on a call that the company initiated.

As a consumer, it is critical to stand by the principle of never giving information to somebody who calls you. No matter what the caller ID shows and no matter what the caller says, do not give any information. Caller ID is trivially spoofed, and an employee ID number means nothing when you have no independent way to check it. You are your first line of defense against fraud and identity theft. When asked for this information, tell the caller that giving it out violates standard rules for protecting against identity theft, and request that the caller submit a case for the company to change its policies. If the matter is genuinely important, hang up and call the company yourself using the number from your statement, card or the company's website, not a number the caller gives you. You have no way of being sure the person calling represents a legitimate business, so the best course of action is to always assume the caller is not legitimate. If somebody walked up to you on the street and said he needed your date of birth to verify your identity, you would never give that information. Treat people who call or email with the same level of skepticism.