Thursday, September 24, 2015

Identity Theft Made Easy

So, I call $company. The automated system guides me through the hoops, in particular, asking for my "secure credentials", normally "the last four". Then it connects me to a representative.

And the first thing the representative says is: "What are your last four?"

WHAT?

I just identified myself to your automated system.
It authenticated me.
Why do *you* need to hear it again?

If this is part of $company's protocol, it's redundant.
If this is an unscrupulous employee harvesting personally identifiable information, it's a vulnerability.

The problem is, you cannot distinguish between the two. So either way, we're screwed.
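For contrast, here is what the handoff can look like when the representative is simply not in a position to ask. This is an added illustration, not code from the original post or from any company it describes: the IVR checks the verifier, mints a short-lived assertion bound to the call, and the agent desktop only ever receives a verified/not-verified flag derived from that assertion. The account data, the HMAC-signed assertion format, the salt, the key and all names are constructed assumptions for the example.

```python
"""Added example (not from the original post): an IVR-to-agent handoff in
which the representative learns *that* the caller was verified but never
receives the verifier itself ("the last four").  Everything below is
constructed for illustration; the key would live in a secret store or HSM."""
import base64
import hashlib
import hmac
import json
import time
from typing import Optional

# Constructed sample account store.  The verifier is kept only as a salted
# hash, so nothing downstream of the IVR can obtain the plaintext.
_SALT = b"constructed-salt"


def _hash_verifier(verifier: str) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", verifier.encode(), _SALT, 100_000)


ACCOUNTS = {
    "ACCT-1001": {"name": "Caller One", "verifier_hash": _hash_verifier("1234")},
}

# Assumed shared key: the IVR signs assertions, the agent desktop checks them.
HANDOFF_KEY = b"constructed-handoff-key"
ASSERTION_TTL = 300  # seconds an assertion stays valid for the same call


def ivr_verify(call_id: str, account: str, last_four: str, now=None) -> Optional[str]:
    """IVR step: check the verifier; on success return a signed assertion
    bound to this call.  The verifier is never echoed or forwarded."""
    rec = ACCOUNTS.get(account)
    if rec is None:
        return None
    if not hmac.compare_digest(rec["verifier_hash"], _hash_verifier(last_four)):
        return None
    body = {"call_id": call_id, "account": account, "verified_at": int(now or time.time())}
    payload = base64.urlsafe_b64encode(json.dumps(body, sort_keys=True).encode()).decode()
    sig = hmac.new(HANDOFF_KEY, payload.encode(), hashlib.sha256).hexdigest()
    return f"{payload}.{sig}"


def agent_view(call_id: str, assertion: Optional[str], now=None) -> dict:
    """Agent desktop step: what the representative sees for this call.
    The view has no field for the verifier, so there is nothing to re-ask;
    a forged, replayed or stale assertion simply shows as not verified."""
    view = {"call_id": call_id, "verified": False, "account": None}
    if not assertion or "." not in assertion:
        return view
    payload, sig = assertion.rsplit(".", 1)
    expected = hmac.new(HANDOFF_KEY, payload.encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, sig):
        return view  # tampered or forged assertion
    body = json.loads(base64.urlsafe_b64decode(payload))
    if body["call_id"] != call_id:
        return view  # assertion minted for a different call (replay)
    if (now or time.time()) - body["verified_at"] > ASSERTION_TTL:
        return view  # stale assertion
    view["verified"] = True
    view["account"] = body["account"]
    return view


if __name__ == "__main__":
    token = ivr_verify("call-1", "ACCT-1001", "1234")
    print(agent_view("call-1", token))  # verified, but no "last four" anywhere
```

The design point is the one the post is circling: once the automated system has authenticated the caller, the representative should be handed the outcome, not the credential. With a desktop built this way, a rep who asks for "the last four" is not following a redundant protocol, and the request stands out as anomalous instead of ambiguous.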