[LINK] Telstra calls and asks for my password
Leah Manta
link at fly.to
Wed Aug 19 20:57:15 AEST 2009
At 07:26 19/08/2009, Robin Whittle wrote:
>He informed me that it was not a sales call and then asked me
>for my password!
>
>I became extremely perplexed. It is systematically insane for
>a legitimate company to call people out of the blue (or email
>them) and request that they provide any personal information
>such as a password.
Robin, I find it amazing that it's not just passwords.
I take calls all the time from "Private Number" that ask for US to
identify ourselves: name, date of birth, address, and "security codes".
When asked to give their name, their employee number and their
address so I can verify they are in fact working for XYZ company
(bank, government etc.), I get the same answer all the time: "Sorry,
under the Privacy Act [or similar] I can't give you that information"
or the other one, "It's company policy not to provide the information".
When I ask them how I identify that they are who they claim, they have
no answer, or it's "Well, how do you think we called you and know your
details to confirm them?"
A bank recently called me asking for date of birth. I suggested we do
it one number at a time, me first then them. They refused. I declined
to go further with the call. I got a letter from the bank a week later.
Identity security is only secure if the information isn't common to
all places. I now change my DOB - everyone tells me it's for
security identity and not other purposes - so I figure if it's
security it needs to be unique.
Works for me! If they said it was for proof of identity at an
initial stage of creating a relationship that might be
different. But they don't.
I keep a spreadsheet of everyone we deal with, who has what
information about any of my family members and, most important, what
DOB or unique email address I have given them.
As I give a unique email address to every place I deal with, I always
tell them if they have a legitimate reason to communicate with me,
use the email address I have uniquely provided to them as it proves
their identity to me.
I have *NEVER* received an email from anyone except Police. Go figure.
>It is obvious to me, but apparently not to everyone, that this
>encourages ordinary people to give out personal information to
>whoever calls them.
And then the touting of privacy and data protection, something 99% of
people have no clue about, because when they hear "Act" or "Laws" they
fall into some naive false sense of security.
>I asked for his name, which he gave me. He also gave me a
>reference number (which I later realised was my account number)
>and a number to call: 1800 816 025 which is a Telstra public
>number.
I always ask for department, extension number and location. If they
won't give me an address, then I tell them it's fine, I'll call the
company's registered office and let them know an employee refused to
identify themselves to my satisfaction; could head office transfer me?
If you make it difficult and annoying for the Administration of these
totally stupid rules, then they might actually wake up and change them.
>He said he was unable to pass the call on to his supervisor.
I get that 99% of the time now. I spent 4 hours on the phone to an
Indian call centre for "my bank" two weeks ago. I went through "Four
Supervisors" before one could answer questions with a simple YES or
NO and not a 400 word badly constructed English thesis about why they
might not be able to answer me Yes or No.
After the first two, I specifically asked that the next people NOT be
briefed on the conversation, just transfer me directly. I was
getting tired of the "You called us" situation when THEY CALLED ME.
I have since had contact with the bank's head office, and supplied a
copy of the FOUR recordings on my phone (it limits to 1 hour at a time).
They wrote confirming that it was an "error" by the call centre to
say I had called them, when they had called me and the staff
concerned would be "retrained" *sigh*
Apparently the "calls recorded for management and training purposes"
in this four hour event were "not recorded" - Ahuh.
>I was unable to get him to understand how wrong it was to call
>people out of the blue and ask them to give their password.
>
>His response as: "We need to be sure we are talking to the right
>person."
Comes back to my question - how do I know THEY are the right person?
>Are people in Telstra's management so clueless as to fail to see
>the systematic dangers of a legitimate company expecting its
>customers to provide their password to anyone who calls?
>
>It seems so.
Agreed.
>Does it really need to be explained how this encourages people
>to comply with scammers who may then use their password for
>fraudulent and other criminal purposes?
Nope. Because they don't care about the next business or
company. It's your stupid fault if your name, address, phone number,
date of birth and password are the same with each company. Noting
that most companies do NOT have capacity for a 'password' that is in
fact secure. Plain Text on a screen is NOT secure.
We need to encourage "hand shaking" Identification:
Them "The Bird is on the fence"
Me "The cat ate the bird"
Them "Thank you for identifying"
Time to go back to the grass roots of the old CIA and KGB days. Even
they still work extremely effectively today.
One way passwords, regardless of whether they are telephone, logins
or on paper, are useless.
>The banks are wise to this - they would never email or call
>anyone and ask them to divulge their PIN, account number or
>whatever.
Wanna bet? I can name THREE that call me all the time. What's even
more stupid is they often call about my partner. I identify as my
partner all the time and no one bats an eye.
On the random occasion I get my answer sequence wrong and don't
identify who is calling before identifying who they are speaking to,
I have to get my partner to give the information - on one occasion I
just got a colleague to do it for me whilst I typed the answers on my laptop.
Great system huh!
>I was able to confirm that this call did come from Telstra.
>They had not yet received a BPay payment I made the day before.
Takes 3-4 days all too often.
>This is a perfectly legitimate reason to call, and I understand
>they don't want to disclose anything private about me (such as
>the fact I was late paying my bill) to anyone other than me who
>happens to answer my phone. But asking for my password is crazy.
But this is about your paying them. They could just dispense with the
details and the conversation could go like this:
Telstra: I'm calling about a payment
You: Sure what did you want to know
Telstra: Has one been made recently?
You: Yes it was.
Telstra: Could you tell me, was it the amount paid, or how
much is paid?
You: $10 and fifty cents.
Telstra: and how was that made?
You: Yes/No and by Bpay yesterday
Telstra: And the last three digits of your account?
You: 123
Telstra: Do you have a receipt number
Problem solved. BPAY receipt numbers aren't useful for anything anyway.
You don't need to get any ID from them, they don't need any from
you - the issue is about a payment. They have divulged nothing and
you have only divulged what the Post Office or BPAY has provided and
it's useless to anyone.
>If they don't feel they can divulge anything to whoever answers,
>then they should instruct me to call a number which is publicly
>listed as being a Telstra number (and provide some easy way I
>can verify this) regarding an unspecified matter. But that in
>itself gives something away about me to whoever answers my phone
>and is not me. Also, it would encourage people to comply with
>instructions by anyone who calls them to make a call to someone
>else.
Not all companies have FREECALL numbers that customers can call back
on! And if someone knows they are being debt collected, they aren't
usually going to call back!
>I don't consider whether Telstra thinks I am late paying my bill
>to be such a private matter as to require me to divulge a
>password to whoever calls me with such a pretext.
Exactly.
Just as I don't consider the bank calling me to say that 6
transactions have been stopped as part of their fraud prevention, and
did I authorise them. The transactions were from a Government
Agency. I don't know too many criminals that pay Government
agencies using my name! (Or are we up to the point we no longer care
about the identity of who pays the bills by credit card?)
Lets face it, if someone has my mobile phone and my credit card -
then something is seriously wrong.
I had a child's phone go missing some months ago, called the phone
company, gave them the IMEI and phone number and that was it. SIM is
blocked and the phone will never work on a network again in the world.
Bank won't be calling me on that phone!
>I understand that if a person calls with cellphone number and
>the matching password they can get Telstra to do pretty much
>what they want with the service.
If you call with a phone number and a date of birth you can discuss
anything you want.
You: Hi Telstra, my ex and I are in bad times and the ex is going
around changing my address and stuff or getting my mail, can you
change my details to a friend's place ..
Telstra: Sure, what's your account number or phone number ... DOB, name ...
Telstra: And what's the new details ...
Bang!
And then passwords are all too often shared with partners, so might as
well change that too - right!
I know all my partner's 'security' and 'pins'.
>I understand security will be worse in the new billing system,
>which all services are being moved over to at present. In the
>new system there are no passwords. Date of Birth and a drivers
>licence number together apparently constitute sufficient ID for
Right, so when you hire a car, you give them a photocopy of your
DL. When you apply for a job, or a bank account, or go into a CLUB or
VENUE where they now SCAN your Drivers Licence, your secret is safe?
BTW, on the NSW RTA Drivers Licence, TOP RIGHT HAND CORNER is a card
number. That Number is used by the RTA to allow you to securely
ACCESS the RTA web site and change your personal details.
From cancelling a licence/rego to changing address, to changing your
name, upgrading to a new licence, and more.
How many of you have had your Drivers Licence copied or scanned and
given your SECURITY code to everyone else?
I carry spare copies around with the number blacked out. I also have
the number covered with tape on the card itself. If necessary it can
be removed by police, but as the number is useless to them and anyone
else, other than ME LOGGING INTO THE RTA site, it's of no benefit to anyone.
RTA only uses your licence number, not the card number.
>At least a password can be changed. DoB and licence number can
>be known by other people and can't be changed. DoBs in
>particular can be very widely known.
Many DOBs are published on Myspace, Facebook, personal web sites, in
the media, on ASIC records; in fact it's not hard through an hour's
work to obtain from a range of sources enough ID material to pass
anyone over the counter, so it's even easier over the phone.
Not to mention I have databases that have tens of thousands of names
and DOBs in them. Yes there are a lot of 1 January in there, but not
as many as I had ever expected.
Oh and NSW BDM issues a 1/1/year DOB for anyone, eg. refugee, who is
uncertain of their real DOB.
>So the new system will probably be even less secure.
The more secure it is made the easier it is to get into.
>People are less likely to object to giving out their DoB or
>licence to whoever calls them pretending to be from their phone
>company than they would be, or should be, regarding divulging a
>password.
Well the phone company doesn't have my DL, and as long as I never had
to produce it in person, I'd make up a suitable code and record it.
And I wouldn't even hint I was making one up. It would be unique to
say Telstra: NSW Licence 0820TC (a nice old style one!)
>Another matter is the increasing tendency for automated voice
>systems to be programmed to respond as if they were a person.
I hang up.
>The closer these things come to mimicking a real person, the
>more there will be two corrosive effects at least:
>
> 1 - The caller finds it harder and harder to discover whether
> they are talking to a real person.
But in the case you gave (I cut out) the customer IS CALLING their
billing service. So the customer SHOULD feel pretty safe making the
call and, to be honest, I'd feel a lot better typing numbers and
things into a phone than giving them to a person - today. 10 years
ago maybe not.
One bank has a great PIN system. You have a minimum 8-digit number.
They only EVER ask you for 3 random digits.
Anyone in the bank has to enter the digits to access your account
details. They can't access your records, or even verify your name
till that number is entered.
Another bank uses similar, but it accesses your records and then
enter the random digits to get a "YES" or "NO" popup. Not anywhere
near as secure.
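Added example (editor's code, not part of Leah's post and not the system of Telstra or any bank named above) of the two ideas in the post: a two-way "handshake" where the party who placed the call proves itself before the person answering discloses anything, and the bank's "any 3 digits of an 8-digit PIN" check. It goes one step beyond the fixed bird/cat phrase pair by tying each answer to a random challenge, so an answer recorded on an earlier call is useless on the next one. The shared secret, the 8-digit PIN and the challenge lengths are constructed sample values; everything else is the Python standard library.

```python
import hashlib
import hmac
import secrets

# Constructed sample secret: agreed once when the relationship was set up,
# held by both customer and company, and never read out in full over the phone.
SHARED_SECRET = b"the cat ate the bird"


def respond(secret: bytes, challenge: bytes) -> str:
    """Answer a challenge with a short tag proving knowledge of `secret`
    without disclosing it. A different challenge gives a different tag."""
    return hmac.new(secret, challenge, hashlib.sha256).hexdigest()[:8]


def mutual_handshake(caller_secret: bytes, callee_secret: bytes,
                     rng=secrets.token_bytes) -> tuple[bool, bool]:
    """Two-way handshake. Whoever placed the call proves themselves first,
    so the person answering says nothing until the caller has passed.
    Returns (caller_ok, callee_ok)."""
    c1 = rng(16)                                  # callee: "who are you?"
    caller_ok = hmac.compare_digest(respond(caller_secret, c1),
                                    respond(callee_secret, c1))
    if not caller_ok:
        return False, False                       # hang up here, disclose nothing
    c2 = rng(16)                                  # caller: "and who are you?"
    callee_ok = hmac.compare_digest(respond(callee_secret, c2),
                                    respond(caller_secret, c2))
    return caller_ok, callee_ok


def replay_rejected(secret: bytes) -> bool:
    """An answer recorded on an earlier call does not satisfy a fresh challenge,
    which is what a fixed pass-phrase pair cannot guarantee."""
    old_challenge, new_challenge = secrets.token_bytes(16), secrets.token_bytes(16)
    recorded_answer = respond(secret, old_challenge)
    return not hmac.compare_digest(recorded_answer, respond(secret, new_challenge))


def partial_pin_positions(pin_len: int, k: int = 3) -> list[int]:
    """Choose k distinct 1-based digit positions to ask for, e.g. [2, 5, 7]."""
    chosen: set[int] = set()
    while len(chosen) < k:
        chosen.add(secrets.randbelow(pin_len) + 1)
    return sorted(chosen)


def check_partial_pin(stored_pin: str, positions: list[int], given: str) -> bool:
    """Compare only the requested digits. The full PIN is never spoken, so an
    eavesdropper learns at most k digits per call."""
    expected = "".join(stored_pin[p - 1] for p in positions)
    return hmac.compare_digest(expected.encode(), given.encode())


if __name__ == "__main__":
    print("legitimate caller :", mutual_handshake(SHARED_SECRET, SHARED_SECRET))
    print("scammer calling   :", mutual_handshake(b"guess", SHARED_SECRET))
    print("replay rejected   :", replay_rejected(SHARED_SECRET))
    asked = partial_pin_positions(8)              # bank picks which digits to ask for
    print("bank asks for digits", asked, "of the constructed PIN 48213976")
    print("customer answer ok:", check_partial_pin("48213976", asked,
                                                   "".join("48213976"[p - 1] for p in asked)))
```

The order in mutual_handshake is the point of the post: the caller answers first, and a caller who cannot answer gets nothing, not even a confirmation that the number belongs to the named customer. The partial-PIN check also shows why the first bank's design is the better one: the verifier can be run before any record is opened on screen, whereas a "YES/NO popup" after the record is already up means the operator has seen the details regardless of the outcome.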
More information about the Link
mailing list