[LINK] Telstra calls and asks for my password

Leah Manta link at fly.to
Wed Aug 19 20:57:15 AEST 2009


At 07:26 19/08/2009, Robin Whittle wrote:
>He informed me that it was not a sales call and then asked me
>for my password!
>
>I became extremely perplexed.  It is systematically insane for
>a legitimate company to call people out of the blue (or email
>them) and request that they provide any personal information
>such as a password.

Robin, I find it amazing that it's not just passwords.

I take calls all the time from "Private Number" that ask for US to 
identify ourselves.  Name, Date of Birth, Address, and "security codes".

When I ask to be given their name, their employee number and their 
address so I can verify they are in fact working for XYZ company 
(bank, government etc.) I get the same answer all the time: "Sorry, 
under the Privacy Act [or similar] I can't give you that information" 
or the other one: "It's company policy not to provide the information".

When I ask them how I can verify they are who they claim to be, they have 
no answer, or it's "Well, how do you think we called you and know your 
details to confirm them?"

A Bank recently called me asking for Date of Birth.  I suggested we do 
it one number at a time, me first then them.  They refused.  I declined 
to go further with the call.  I got a letter from the bank a week later.

Identity Security is only secure if the information isn't common to 
all places.  I now change my DOB - everyone tells me it's for 
security identity and not other purposes - so I figure if it's 
security it needs to be unique.

Works for me!  If they said it was for proof of identity at an 
initial stage of creating a relationship that might be 
different.  But they don't.

I keep a spreadsheet of everyone we deal with, who has what 
information about any of my family members and, most important, what 
DOB or unique email address I have given them.

As I give a unique email address to every place I deal with, I always 
tell them if they have a legitimate reason to communicate with me, 
use the email address I have uniquely provided to them as it proves 
their identity to me.

I have *NEVER* received an email from anyone except Police.  Go figure.

>It is obvious to me, but apparently not to everyone, that this
>encourages ordinary people to give out personal information to
>whoever calls them.

And then the touting of Privacy and data protection, something 99% of 
people have no clue about, because when they hear "Act" or "Laws" they 
fall into some naive false sense of security.

>I asked for his name, which he gave me.  He also gave me a
>reference number (which I later realised was my account number)
>and a number to call: 1800 816 025 which is a Telstra public
>number.

I always ask for department, extension number and location.  If they 
won't give me an address then I tell them it's fine, I'll call the 
company's registered office and let them know an employee refused to 
identify themselves to my satisfaction, and could head office transfer me.

If you make it difficult and annoying for the Administration of these 
totally stupid rules, then they might actually wake up and change them.

>He said he was unable to pass the call on to his supervisor.

I get that 99% of the time now.  I spent 4 hours on the phone to an 
Indian call centre for "my bank" two weeks ago.  I went through "Four 
Supervisors" before one could answer questions with a simple YES or 
NO and not a 400 word badly constructed English thesis about why they 
might not be able to answer me Yes or No.

After the first two, I specifically asked that the next people NOT be 
briefed on the conversation, just transfer me directly.  I was 
getting tired of the "You called us" situation when THEY CALLED ME.

I have since had contact with the Bank's Head Office, and supplied a 
copy of the FOUR recordings on my phone (it limits to 1 hour at a time).

They wrote confirming that it was an "error" by the call centre to 
say I had called them, when they had called me, and the staff 
concerned would be "retrained".  *sigh*

Apparently the "calls recorded for management and training purposes" 
in this four hour event were "not recorded" - Ahuh.

>I was unable to get him to understand how wrong it was to call
>people out of the blue and ask them to give their password.
>
>His response as: "We need to be sure we are talking to the right
>person."

Comes back to my question - how do I know THEY are the right person?

>Are people in Telstra's management so clueless as to fail to see
>the systematic dangers of a legitimate company expecting its
>customers to provide their password to anyone who calls?
>
>It seems so.

Agreed.

>Does it really need to be explained how this encourages people
>to comply with scammers who may then use their password for
>fraudulent and other criminal purposes?

Nope.  Because they don't care about the next business or 
company.  It's your stupid fault if your name, address, phone number, 
date of birth and password are the same with each company.  Noting 
that most companies do NOT have capacity for a 'password' that is in 
fact secure.  Plain Text on a screen is NOT secure.

We need to encourage "hand shaking" Identification:

Them "The Bird is on the fence"

Me "The cat ate the bird"

Them "Thank you for identifying"

Time to go back to the grass roots of the old CIA and KGB days.  Even 
they still work extremely effectively today.

One way passwords, regardless of whether they are telephone, logins 
or on paper, are useless.

>The banks are wise to this - they would never email or call
>anyone and ask them to divulge their PIN, account number or
>whatever.

Wanna bet?  I can name THREE that call me all the time.  What's even 
more stupid is they often call about my partner.  I identify as my 
partner all the time and no one bats an eye.

On the random occasion I get my answer sequence wrong and don't 
identify who is calling before identifying who they are speaking to, 
I have to get my partner to give the information - on one occasion I 
just got a colleague to do it for me whilst I typed the answers on my laptop.

Great system huh!

>I was able to confirm that this call did come from Telstra.
>They had not yet received a BPay payment I made the day before.

Takes 3-4 days all too often.

>This is a perfectly legitimate reason to call, and I understand
>they don't want to disclose anything private about me (such as
>the fact I was late paying my bill) to anyone other than me who
>happens to answer my phone.  But asking for my password is crazy.

But this is about your paying them.  They could just dispense with the 
details and the conversation could go like this:

Telstra:        I'm calling about a payment

You:            Sure what did you want to know

Telstra:        Has one been made recently?

You:            Yes it was.

Telstra:        Could you tell me was it the amount paid or how 
much is paid?

You:            $10 and fifty cents.

Telstra:        and how was that made?

You:            Yes/No and by Bpay yesterday

Telstra:        And the last three digits of your account?

You:            123

Telstra:        Do you have a receipt number

Problem solved.  BPAY receipt numbers aren't useful for anything anyway.

You don't need to get any ID from them, they don't need any from 
you; the issue is about a payment.  They have divulged nothing and 
you have only divulged what the Post Office or BPAY has provided and 
it's useless to anyone.


>If they don't feel they can divulge anything to whoever answers,
>then they should instruct me to call a number which is publicly
>listed as being a Telstra number (and provide some easy way I
>can verify this) regarding an unspecified matter.  But that in
>itself gives something away about me to whoever answers my phone
>and is not me.  Also, it would encourage people to comply with
>instructions by anyone who calls them to make a call to someone
>else.

Not all companies have FREECALL numbers that customers can call back 
on!  And if someone knows they are being debt collected, they aren't 
usually going to call back!

>I don't consider whether Telstra thinks I am late paying my bill
>to be such a private matter as to require me to divulge a
>password to whoever calls me with such a pretext.

Exactly.

Just as I don't consider the bank calling me to say that 6 
transactions have been stopped as part of their fraud prevention, and 
did I authorise them.  The transactions were from a Government 
Agency.  I don't know too many criminals that pay Government 
agencies using my name!  (Or are we up to the point we no longer care 
about the identity of who pays the bills by credit card?)

Let's face it, if someone has my mobile phone and my credit card - 
then something is seriously wrong.

I had a child's phone go missing some months ago, called the phone 
company, gave them the IMEI and phone number and that was it.  SIM is 
blocked and the phone will never work on a network again in the world.

Bank won't be calling me on that phone!


>I understand that if a person calls with cellphone number and
>the matching password they can get Telstra to do pretty much
>what they want with the service.

If you call with a phone number and a date of birth you can discuss 
anything you want.

You:  Hi Telstra, my ex and I are in bad times and the ex is going 
around changing my address and stuff or getting my mail, can you 
change my details to a friend's place ...

Telstra:  Sure, what's your account number or phone number ... DOB, name ...

Telstra: And what's the new details ...

Bang!

And then passwords are all too often shared with partners so might as 
well change that too - right!

I know all my partner's 'security' and 'pins'.

>I understand security will be worse in the new  billing system,
>which all services are being moved over to at present.  In the
>new system there are no passwords.  Date of Birth and a drivers
>licence number together apparently constitute sufficient ID for

Right, so when you hire a car, you give them a photocopy of your 
DL.  When you apply for a job, or a bank account, or go into a CLUB or 
VENUE where they now SCAN your Drivers Licence, your secret is safe?

BTW, on the NSW RTA Drivers Licence, TOP RIGHT HAND CORNER is a card 
number.  That Number is used by the RTA to allow you to securely 
ACCESS the RTA web site and change your personal details.

From cancelling a licence/Rego to changing address, to changing your 
name, upgrading to a new licence, and more.

How many of you have had your Drivers Licence copied or scanned and 
given your SECURITY code to everyone else?

I carry spare copies around with the number blacked out.  I also have 
the number covered with tape on the card itself.  If necessary it can 
be removed by police, but as the number is useless to them and anyone 
else, other than ME LOGGING INTO THE RTA site, it's of no benefit to anyone.

RTA only uses your licence number, not the card number.

>At least a password can be changed.  DoB and licence number can
>be known by other people and can't be changed.  DoBs in
>particular can be very widely known.

Many DOBs are published on Myspace, Facebook, personal web sites, in 
the media, on ASIC records; in fact it's not hard, through an hour's 
work, to obtain from a range of sources enough ID material to pass 
anyone over the counter, so it's even easier over the phone.

Not to mention I have databases that have tens of thousands of names 
and DOBs in them.  Yes there are a lot of 1 January in there, but not 
as many as I had ever expected.

Oh and NSW BDM issues a 1/1/year DOB for anyone, eg. refugee, who is 
uncertain of their real DOB.

>So the new system will probably be even less secure.

The more secure it is made the easier it is to get into.

>People are less likely to object to giving out their DoB or
>licence to whoever calls them pretending to be from their phone
>company than they would be, or should be, regarding divulging a
>password.

Well the phone company doesn't have my DL, and as long as I never had 
to produce it in person, I'd make up a suitable code and record it.

And I wouldn't even hint I was making one up.  It would be unique to 
say Telstra:  NSW Licence 0820TC (a nice old style one!)

>Another matter is the increasing tendency for automated voice
>systems to be programmed to respond as if they were a person.

I hang up.

>The closer these things come to mimicking a real person, the
>more there will be two corrosive effects at least:
>
>   1 - The caller finds it harder and harder to discover whether
>       they are talking to a real person.

But in the case you gave (I cut out) the customer IS CALLING their 
billing service.  So the customer SHOULD feel pretty safe making the 
call and, to be honest, I'd feel a lot better typing numbers and 
things into a phone than giving them to a person - today.  10 years 
ago maybe not.

One bank has a great PIN system.  You have a minimum 8 digit number.

They only EVER ask you for 3 random digits.

Anyone in the bank has to enter the digits to access your account 
details.  They can't access your records, or even verify your name 
till that number is entered.

Another bank uses something similar, but it accesses your records first and 
then you enter the random digits to get a "YES" or "NO" popup.  Not anywhere 
near as secure.
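The partial-PIN scheme described at the end of the post (an 8-digit PIN of which the operator asks for only 3 randomly chosen positions, with no record access until the answer checks out) is easy to get wrong in the ways the two banks illustrate. The code below is an added example written for this archive page; it is not code from the post's author or from any bank. It shows one defensible implementation: each digit is stored as a keyed hash bound to the account and digit position, a challenge always asks for exactly three distinct positions, the comparison runs in constant time, and the customer record is released only after a successful check. The account number, PIN and key are constructed sample values.

```python
import hmac
import hashlib
import secrets
from typing import Dict, List, Optional

# Constructed sample PIN for the demonstration; not a real credential.
SAMPLE_PIN = "83920471"


class PartialPinVerifier:
    """Partial-PIN check: the operator never sees the PIN and never asks for all of it.

    Each digit is stored as HMAC(key, account | position | digit).  A leaked
    table of these tags is useless without the key, which is assumed to live
    outside the customer database (an HSM or separate service), and any three
    positions can be checked without reconstructing the whole PIN.
    """

    MIN_PIN_LEN = 8      # the post's bank uses a minimum 8-digit PIN
    DIGITS_ASKED = 3     # and only ever asks for 3 of them

    def __init__(self, key: bytes) -> None:
        self._key = key
        self._tags: Dict[str, List[bytes]] = {}
        self._records: Dict[str, dict] = {}

    def _tag(self, account: str, position: int, digit: str) -> bytes:
        msg = f"{account}|{position}|{digit}".encode()
        return hmac.new(self._key, msg, hashlib.sha256).digest()

    def enrol(self, account: str, pin: str, record: dict) -> None:
        if len(pin) < self.MIN_PIN_LEN or not pin.isdigit():
            raise ValueError("PIN must be at least 8 digits")
        self._tags[account] = [self._tag(account, i + 1, d) for i, d in enumerate(pin)]
        self._records[account] = record

    def challenge(self, account: str) -> List[int]:
        """Pick three distinct 1-based positions to ask for; a fresh set every call."""
        n = len(self._tags[account])
        return sorted(secrets.SystemRandom().sample(range(1, n + 1), self.DIGITS_ASKED))

    def verify(self, account: str, positions: List[int], answer: str) -> bool:
        tags = self._tags.get(account)
        # Unknown account, or an attempt to collect more (or fewer) than three digits: refuse.
        if tags is None or len(positions) != self.DIGITS_ASKED or len(answer) != self.DIGITS_ASKED:
            return False
        if len(set(positions)) != self.DIGITS_ASKED or any(p < 1 or p > len(tags) for p in positions):
            return False
        ok = True
        for pos, digit in zip(positions, answer):
            # Constant-time compare, and keep going after a mismatch so timing
            # does not reveal which of the three digits was wrong.
            ok &= hmac.compare_digest(tags[pos - 1], self._tag(account, pos, digit))
        return ok

    def lookup(self, account: str, positions: List[int], answer: str) -> Optional[dict]:
        """Gated access as in the first bank: nothing about the customer, not even
        the name, is returned until the challenge has been answered correctly."""
        if not self.verify(account, positions, answer):
            return None
        return self._records[account]

    def lookup_unverified(self, account: str) -> Optional[dict]:
        """The weaker flow the post describes for the second bank: the record is
        opened before any check, and the PIN only produces a yes/no afterwards.
        Included for contrast; a real system should not expose this path."""
        return self._records.get(account)


if __name__ == "__main__":
    verifier = PartialPinVerifier(key=b"constructed-demo-key-not-for-production")
    verifier.enrol("ACC-0001", SAMPLE_PIN, {"name": "Example Customer"})
    positions = verifier.challenge("ACC-0001")
    print("Please give digits", positions, "of your PIN")
    # The genuine customer reads off the requested digits.
    answer = "".join(SAMPLE_PIN[p - 1] for p in positions)
    print("Record released:", verifier.lookup("ACC-0001", positions, answer))
    print("Wrong answer released:", verifier.lookup("ACC-0001", positions, "000"))
```

The contrast between `lookup` and `lookup_unverified` is the whole point of the author's comparison: in the first, an operator who has not yet heard the digits cannot confirm so much as the customer's name; in the second, the record is already on screen and the PIN check merely decorates it with a popup.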