Friday, September 24, 2010

In a Word: Security

With a deep bow to Lore Sjoberg's One Word comics, here's what I hope is a recurring feature on what I hope will be a continuing blog.

Security

Today, I got a call telling me that I needed to pay my car payment.  Money's been tight, so I had been putting it off.  The woman on the phone was sympathetic, even friendly, until the time came to end the call.  "So when will you be making a payment?  Will it be today?  I can take a payment right now, if you'd like . . ."

I declined.  I don't like making payments over the phone.  I told her I could just log in to the website and pay it, like I do every month. 

Would that were the case.

I opened the leaseholder's website and put in my login.  It kicked back an error -- either my login or password was wrong.  Then I remembered that for increased security, they had made me change my login from a gmail address to a unique login name. 

I chose, of course, a login that I use for at least four other sites.  It's just easier to remember that way.

They also insisted I make a new password that would be longer and harder for a bot to brute force.

I chose, of course, a password I use for at least four other sites.  It's just easier to remember that way.

My memory jogged, I put in the correct login and password.  Then, for added security, the site fed me a question I had, apparently, answered at some point:  "what's your favorite TV show?"

What is my favorite TV show?  What was my favorite show a month ago, when I put in the answer?  Was it the X-Files, a rediscovered gem?  Star Trek: The Next Generation?  Buffy the Vampire Slayer?  Did I capitalize, or did I think it'd be easier to remember it was all lower-case?  Why didn't they serve up the question about what model my first car was?  At least I could have looked that up online.

After several attempts to read my own mind, I was locked out of the account.  For my security, I had to re-enter my account number to get back in.  The account number that's on all of the paper bills I don't get since I switched to paperless billing.

So I called the help number again.  After several prompts to enter my account number, I banged on 0 until the computer hung up on me.  I called back and played along until I got a person.

Like the woman who called to urge me to pay the bill, this woman was friendly and sympathetic, until I asked her to give me my account number.

"We cannot give out that information over the phone, for security purposes.  I can mail the number to you."

"Can't you just send it to my email?"

"No. We are unable to send email outside our intranet. Do you have a fax machine?"

"No, I do not, because this is not 1975, it's 2010.  Please transfer me to someone who can help me."

So she kicked me up the call-center ladder one rung.  The next lady was a little less polite to start, and even quicker to shut me down.  She would be happy to mail or fax the number, but absolutely could not give it over the phone or email. 

"Why won't you let me give you money?  I'm trying so hard to give you money.  I really don't care if someone else gets my account number and pays my car payment for me.  Let's do this."

No dice.  I demanded to be kicked up another rung in the responsibility ladder.  She said she'd happily transfer me to someone else who would tell me 'no.'

While I waited on hold, I went to a fax-to-email service online.  I gave them a credit card for a free trial, and they generated a junk phone number that could receive faxes and email them to me.  When I spoke to the next woman, I grumbled about archaic technology, suggested she send it by carrier pigeon, and finally gave her the fax number.

Minutes later, the fax showed up -- as a PDF file in my email.

Here's how tight the car company's security is:  in order to get my super-sekrit account number, I gave them the last four digits of my social security number (easy enough to find online), my home address (ditto), and a random fax number.  Rather than sending an email to the address they had on file that was associated with the account, they sent a fax out blind to a number that, for all they knew, was in Leroy's Den of Money Laundering and Thievery.  It was none of their doing that the fax went where it was supposed to -- my freakin' email.

I've decided that any organization that insists on using a fax machine gets the same double-barreled red-eyed rage usually reserved for companies that don't take credit cards, and people who insist on writing checks for groceries.  This is outdated technology that has been replaced by something easier and better, and was replaced over a decade ago.

For my security, next time just text it to my phone, okay?

2 comments:

abhaille said...

Oh Josh, this does seem to open up an awful lot of mindfucking prank opportunities.

Oh, apparently I have to read the weird word "querict" (which is actually a very nice random word) and type it in so that this website doesn't say I'm a bad thing.

DANG is what this old teacher lady says. DANG.

DV said...

For real security they should just require you to have your phone in the first place and implement a sensible two-factor security solution.

http://techcrunch.com/2010/09/20/google-secure-password