Security in the Real World

One of the things that I often advise my clients on is computer and network security – after all, no-one wants unauthorised people to be able to access their data. But the interesting thing about security is that when we are “offline” in the real world, we are often less careful than when we are online.

This was really highlighted by a phone call this week from Talk Talk, who provide my broadband and phones at home. The phone call went something like this:

HER: “Can I speak to Mr Seaton please”
ME: “Speaking”
HER: “Hi, this is Claire calling from Talk Talk, I am calling to talk to you about renewing your contract with us, but before I do can I please ask you some Data Protection questions – firstly your address”
ME: “Erm … OK … my address is (I gave her my address)”
HER: “And next can I ask you to confirm your date of birth, and the bank account that is set up to pay this account”
ME: “Hold on, I am not prepared to divulge that information over the phone – can I ask you how I know that you are from Talk Talk?”
HER: “{Pause} … well I can assure you that I am”
ME: “Ok … can you confirm back to me some details on my account”
HER: “Yes, once you have passed the Data Protection questions …. so can you please confirm your date of birth, and the bank account that is set up to pay this account”
ME: “But you could be anyone …. ringing up from anywhere asking me to verify my details”
HER: “If you could just please confirm your date of birth, and the bank account that is set up to pay this account so I can verify your details ….”

At this point I told her that I wanted her full name and direct telephone number (neither of which she was prepared to give!) … and after a long conversation with her supervisor everything got sorted.

The strange thing was that no-one seemed to see that what they were asking was a strange request – that it was normal for them to ask customers to verify who they were. I then asked them what the system was for customers to verify who they were; no-one seemed to know.

If I was a criminal, then imagine the conversation: “Hi, this is Claire calling from Lloyds TSB, I am calling to talk to you about your bank account, but before I do can I please ask you some Data Protection questions – firstly your address” … and so on….

The point?

Firstly, companies need to think of a good system for customers to verify who they are, and secondly, “offline” security is as important as “online” security.
