[LINK] Telstra calls and asks for my password

Robin Whittle rw at firstpr.com.au
Wed Aug 19 16:26:11 AEST 2009


I received a call on my cell-phone this morning from someone who
claimed to be from Telstra.  The display on the phone at the
time of the call was "Private Number".  He addressed me by my
name, and since my cellphone number is known to very few people,
I figured it probably was a Telstra person, or someone working
for a company doing outbound calls for Telstra.

I said I don't want any sales calls like this - and I don't
think I have had any for a long time from Telstra on my cell-
phone.  (This number is on the Do Not Call list, as is my
landline's.)

He informed me that it was not a sales call and then asked me
for my password!

I became extremely perplexed.  It is systematically insane for
a legitimate company to call people out of the blue (or email
them) and request that they provide any personal information
such as a password.

It is obvious to me, but apparently not to everyone, that this
encourages ordinary people to give out personal information to
whoever calls them.

I asked for his name, which he gave me.  He also gave me a
reference number (which I later realised was my account number)
and a number to call: 1800 816 025 which is a Telstra public
number.

He said he was unable to pass the call on to his supervisor.  I
was unable to get him to understand how wrong it was to call
people out of the blue and ask them to give their password.

His response was: "We need to be sure we are talking to the right
person."


Are people in Telstra's management so clueless as to fail to see
the systematic dangers of a legitimate company expecting its
customers to provide their password to anyone who calls?

It seems so.

Does it really need to be explained how this encourages people
to comply with scammers who may then use their password for
fraudulent and other criminal purposes?

The banks are wise to this - they would never email or call
anyone and ask them to divulge their PIN, account number or
whatever.


I was able to confirm that this call did come from Telstra.
They had not yet received a BPay payment I made the day before.

This is a perfectly legitimate reason to call, and I understand
they don't want to disclose anything private about me (such as
the fact I was late paying my bill) to anyone other than me who
happens to answer my phone.  But asking for my password is crazy.

If they don't feel they can divulge anything to whoever answers,
then they should instruct me to call a number which is publicly
listed as being a Telstra number (and provide some easy way I
can verify this) regarding an unspecified matter.  But that in
itself gives something away about me to whoever answers my phone
and is not me.  Also, it would encourage people to comply with
instructions by anyone who calls them to make a call to someone
else.

I don't consider whether Telstra thinks I am late paying my bill
to be such a private matter as to require me to divulge a
password to whoever calls me with such a pretext.


It turns out that only mobile services on the "old" billing
system have passwords.

I understand that if a person calls with a cellphone number and
the matching password they can get Telstra to do pretty much
what they want with the service.  I think that various things
can be done with just the person's name and the password which
in certain settings amount to extreme and dangerous breaches of
security and privacy.


I understand security will be worse in the new billing system,
which all services are being moved over to at present.  In the
new system there are no passwords.  Date of Birth and a driver's
licence number together apparently constitute sufficient ID for
Telstra to do all sorts of things regarding a phone account,
mobile, landline or I guess Internet.

At least a password can be changed.  DoB and licence number can
be known by other people and can't be changed.  DoBs in
particular can be very widely known.

So the new system will probably be even less secure.

People are less likely to object to giving out their DoB or
licence to whoever calls them pretending to be from their phone
company than they would be, or should be, regarding divulging a
password.


Another matter is the increasing tendency for automated voice
systems to be programmed to respond as if they were a person.

Telstra's IVR at, for instance, 125 111 (billing enquiry number
printed on the bill) has a recorded voice of a woman referring
to itself as "I", asking me questions, saying thanks in a caring
voice, apologising for not understanding something I said etc.

The closer these things come to mimicking a real person, the
more there will be two corrosive effects at least:

  1 - The caller finds it harder and harder to discover whether
      they are talking to a real person.

  2 - The caller is more likely to ignore the fact they might be
      talking to a real person and respond with the frustration
      and contempt which many people have for these smarty-pants
      IVR systems.


   - Robin
