Phone company security



  • Working at home today. The phone rings.

    "Hello, can I speak to Mr Ibix please?"

    "Speaking."

    "Mr Ibix, this is [some bloke] from Virgin Media. We've been reviewing your phone usage and we think we can make one simple change to save you money and improve your service."

    "Right..."

    "So, before I can give you this information, can I just ask you for the first two characters of your password?"

    "Um... You are calling me on the phone line that Virgin provides. Shouldn't you be authenticating yourself to me?"

    "Yes, I can give you all of that information as soon as you give me the first two characters of your password."

    "Do you mean to sound like a phishing scam?"

    "..."

    I hung up. The sad thing is, from previous experience with futility companies, it will have been a genuine call. I don't object to them trying to confirm that they are talking to me and not a mischievous housemate, but I do think that they ought to convince me that they are who they say they are before asking for my security credentials.



  •  For a starter, there should be no way for them to know the first two characters of your password.


  • 

    @Malenfant said:

     For a starter, there should be no way for them to know the first two characters of your password.

    1) Some companies have a "phone password" which is distinct from any online account passwords for precisely this purpose



    2) There's no presumption that the person asking does actually know them. They could just have a form on their computer that says "Input the two characters the customer gives you" and it replies yay or nay.



    Somewhat akin to banking logins where they ask you for a whole password and then 2 letters from a second password.
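As an added illustration (not code from the thread or from any real operator), this is one way the "phone password" back end described above can be built so that the agent's screen only asks "Input the two characters the customer gives you" and answers yay or nay: the password is stored as one keyed hash per character position, and a per-call session picks two random positions and locks after a few failures. The names `enroll`, `check_positions` and `VerificationSession` are assumptions for the example; note the caveat in the comments that per-character tags only hide the password from the agent and the phone line, not from someone who steals the stored record.

```python
import hashlib
import hmac
import secrets

# Constructed example of a partial "phone password" check: the back end holds one
# keyed hash per (position, character) pair, so any two positions can be verified
# without the agent or the verifier ever seeing the full plaintext password.
# Caveat: each tag guards a single character (roughly 100 candidates), so a leaked
# record is reversible offline; this protects against the agent, not a DB breach.


def _tag(salt: bytes, pos: int, ch: str) -> bytes:
    return hmac.new(salt, f"{pos}:{ch}".encode(), hashlib.sha256).digest()


def enroll(phone_password: str) -> dict:
    """Store a customer's phone password as per-position tags plus a random salt."""
    salt = secrets.token_bytes(16)
    return {"salt": salt,
            "tags": [_tag(salt, i, ch) for i, ch in enumerate(phone_password)]}


def check_positions(record: dict, answers: dict) -> bool:
    """Back-end yay/nay. answers maps 0-based position -> character the customer gave."""
    ok = bool(answers)                      # an empty answer set is never a pass
    for pos, ch in answers.items():
        if not 0 <= pos < len(record["tags"]):
            ok = False                      # out-of-range position never matches
            continue
        # compare_digest keeps each character check constant-time
        if not hmac.compare_digest(record["tags"][pos], _tag(record["salt"], pos, ch)):
            ok = False
    return ok


class VerificationSession:
    """One inbound call: pick two random positions, allow a few tries, then lock."""
    MAX_ATTEMPTS = 3

    def __init__(self, record: dict, rng=secrets.SystemRandom()):
        self.record = record
        self.failures = 0
        self.positions = sorted(rng.sample(range(len(record["tags"])), 2))

    def prompt(self) -> str:
        # What the agent reads out; 1-based so it matches "character 3 and character 7".
        a, b = (p + 1 for p in self.positions)
        return f"Please give me character {a} and character {b} of your phone password."

    def submit(self, chars: str) -> str:
        """Agent types what the customer said; returns 'yay', 'nay' or 'locked'."""
        if self.failures >= self.MAX_ATTEMPTS:
            return "locked"
        answers = dict(zip(self.positions, chars))
        if len(chars) == len(self.positions) and check_positions(self.record, answers):
            return "yay"
        self.failures += 1
        return "locked" if self.failures >= self.MAX_ATTEMPTS else "nay"
```

The same structure also covers the bank-style "two letters from a second password" check mentioned above; only the prompt text changes.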



  • I had a similar issue with a bank a few years back. They called me, and started trying to get me to validate my identity, and I explained- "No, that isn't how this is going to work." I explained to the poor lady why I wasn't going to authenticate myself, and I'm sure she didn't care but she was very surprised.

    I dialed the official number for the bank and got things taken care of that way. Here's the thing that annoys me, though: just because I get the number off their website doesn't mean it's accurate. You start thinking about how incredibly insecure doing business by phone truly is.


  • 

    @Remy Porter said:

    Here's the thing that annoys me, though: just because I get the number off their website doesn't mean it's accurate. You start thinking about how incredibly insecure doing business by phone truly is.
    Presuming you have some sort of debit/credit card, does the institution not print the contact numbers on the back?



  • Why don't you look that number up in the official telephone book? That is not so easily scammed.



  • @TheRider said:

    official telephone book
    Interesting - I get them every year, but haven't opened one in about a decade.

    Personally, I use the number on the back of the credit/debit card.

    And for those (non-financial) institutions that don't issue them, there's always a contact number on each bill or statement.

     



  •  I had the similar thing with the Three mobile network in the UK, but they managed to go that extra step to make it a true WTF:

    •  They phoned and immediately said they were from Three G. Now, there's a signal type called 3G, or their parent company called Hutchinson 3G, but no company called Three G, which I pointed out to them. They said they'd put a note on my account so that future callers would refer to the company correctly next time they called me. - WTF #1, they didn't even know the name of their own company, WTF #2 they didn't care about referring to themselves by the wrong name to other customers 
    • Having got that bit wrong, they then asked me to verify who I was with the usual "security" questions, the usual useless trinity of DOB, address and postcode. WTF #3 they called me on my mobile, on a number that they provided me
    • After I refused to co-operate with the dipshit buffoon at the call centre, I told them I'd call them back, so I did, on the number they called from, which turned out not to be in service - WTF #4 this is a fucking phone company, a company whose main business is to handle phone calls, and they can't even get their own outbound number correct?
    • Googling that number turned up dozens of forums all with the same question "who does this number belong to?". Turns out it was a legitimate number for Three, but one that was discontinued last year. WTF #5 I could maybe understand if it was a recent development and the various departments hadn't quite caught up, it can happen in any large business, but it can't take a year for a phone company to sort out their own damned phone numbers.

    As added fun, despite their careful "note" on my account, they still managed to refer to themselves by the wrong company name continually in later conversations, so that note effectively did sod all.


  • @ASheridan said:

    As added fun, despite their careful "note" on my account, they still managed to refer to themselves by the wrong company name continually in later conversations, so that note effectively did sod all.

    I used to work for support team where all the notes (from all the different departments added over the years) would pop up with essentially a "next" button, like those ones you just keep clicking on during installations when you can't be bothered reading the EULA...



  • This happened to me when I was with Virgin. The guy was calling from an Indian call centre, and (sorry to tar them all with the same brush) I thought it might be a scam, so said I'd call back on the sales number listed on their website.



    Caller: "But sir, you can only take this wonderful offer if you sign up right now. Please can you give me the two characters from your password?"



    Me: Got suspicious, hung up, called BT, got a much better deal than Virgin had me on already (and probably better than they were offering).



  • @TheRider said:

    Why don't you look that number up in the official telephone book? That is not so easily scammed.



    I had to think back to the last time I saw one. I think there's one in my garage holding up one end of a shelving unit...



  • @Remy Porter said:

    I had a similar issue with a bank a few years back. They called me, and started trying to get me to validate my identity, and I explained- "No, that isn't how this is going to work." I explained to the poor lady why I wasn't going to authenticate myself, and I'm sure she didn't care but she was very surprised.

    I dialed the official number for the bank and got things taken care of that way.

    My bank called me to ask about some suspicious activity on my account (all legit, I'd transferred out all but $2). She was not surprised I didn't want to authenticate myself to a caller, and just said "call us back, using the number on the website and ask for [name]" - I did and the guy who answered could handle the query. Nice to see such a good system for a small bank.

    @Remy Porter said:

    Here's the thing that annoys me, though: just because I get the number off their website doesn't mean it's accurate. You start thinking about how incredibly insecure doing business by phone truly is.

    I didn't think about that. Imagine intercepting a website to change the phone number (to another special six-digit 13xxxx number which are not cheap) just to scam me out of my last $2? :) But then so much stuff relies on my DOB (I just say 1/1/year to things that don't matter) it's scary what someone can do to you with a small amount of information.



  • @ASheridan said:

    I had the similar thing with the Three mobile network in the UK, but they managed to go that extra step to make it a true WTF:
    Tweet tweet.



  • @TwelveBaud said:

    @ASheridan said:
    I had the similar thing with the Three mobile network in the UK, but they managed to go that extra step to make it a true WTF:
    Tweet tweet.
     

    Oh believe me, I'm well aware of their Twitter account, and their Facebook one. I've used them both a lot to contact them when their call centres were being their typical useless selves. Oddly enough, Twitter gets a better response than Facebook, despite Three telling me that it's the same team who deals with both. Something gives me the impression they're telling porkies...



  • The phone book, if you have one, is the best choice. The number on the back of your card is okay, but it depends on how old your card is. Theoretically, the phone company doesn't recycle numbers very quickly, but mistakes have been made. Further, it's not implausible that a malicious user might try and camp out on a commonly misdialed number- if your bank is 1-888-555-4656, they might grab 1-888-555-4566, or something similar- something easily mistyped on a keypad.

    Now, realistically, I just use the number on my card, and don't worry about it too much. But phone numbers are an incredibly exploitable addressing system.



  • @ASheridan said:

     They phoned and immediately said they were from Three G. Now, there's a signal type called 3G, or their parent company called Hutchinson 3G, but no company called Three G, which I pointed out to them. They said they'd put a note on my account so that future callers would refer to the company correctly next time they called me. - WTF #1, they didn't even know the name of their own company, WTF #2 they didn't care about referring to themselves by the wrong name to other customers 
    I once had the opposite problem back when I was going through a spell of being late on credit card payments.  Would come home to find a message on the answering machine from "CitiBank" telling me to call them regarding my card, account number or other information not specified.  First time I tried to call, I was told to enter some portion of the account number on the touch-tone pad to route the call to the appropriate desk.  Problem is that I didn't have an account at CitiBank.  I did have a gas card from Citgo, and a Sam's Club credit card, both of which were issued by CitiBank, but I had been given no information about which card they were calling about.  Eventually it turned out it was some other random department store card that was also issued by CitiBank, and the problem was on their end because they had credited some payments to the wrong account.



  • Had a similar issue with British Telecon: they rang me and asked if it was okay to verify my identity, so I asked them outright what the last 2 digits of my registered bank account number was (for providing payments). They responded they couldn't give out that information over the phone, due to security reasons.

    So then they asked me a similar question... and got their response right back. It took a bit for the penny to drop.

    The missus has taken to asking cold-calling ISP sales-droids if they can provide us with a static IP.  One actually asked what that meant (impressed with the product knowledge there, lass), others have said they can for a business account, which is 2-3 times the price for what I'm paying currently for a domestic account. Ultimately, many of the ISPs tell me about these wonderful deals they can offer but once I specify my requirements they can't price-match what I'm currently receiving.

    One ISP told me about new kit they're installing into exchanges that is supposed to give the fastest speed possible, and when asked what speed I'd receive quoted a lower figure than I'm currently getting. So then he changes his tune to say it was possibly faster than what I'm getting, but couldn't guarantee it. For some reason he couldn't understand why I wasn't willing to commit to a 12-month contract on something that he thought they could possibly deliver.

    Other rants can keep until later.



  • @Cassidy said:

    once I specify my requirements they can't price-match what I'm currently receiving.
     

    Most ISP reps (IME) know their basic competitors. Once I mention the name of my current ISP they immediately say "we can't match them" and leave. Except the biggest one, they can't match price or features (static IP, free uploads) but they provide much better speed (100Mbps cable vs ~6.5Mbps ADSL2+). Speed that is a little out of my current budget.

    @Cassidy said:

    One ISP told me about new kit they're installing into exchanges that is supposed to give the fastest speed possible

    There's a lot of confusion around our NBN salespeople tricking people into signing up now - since the big two get paid when they transfer customers from legacy systems to FTTP so they are grabbing as much as possible now.

    @Cassidy said:

    Other rants can keep until later.

    Vodafone keep asking me to move to them. No.



  • @ASheridan said:

    WTF #3 they called me on my mobile, on a number that they provided me

    I still don't understand why that's a WTF - is it some security issue I'm missing? Or just that it's incredibly rude of them to rack up your airtime charges with phone company business? You'd think they could easily add their own number to their list of "don't charge for calls" numbers, sort of like Verizon's "friends & family" plans...



  • @ekolis said:

    @ASheridan said:
    WTF #3 they called me on my mobile, on a number that they provided me

    I still don't understand why that's a WTF - is it some security issue I'm missing? Or just that it's incredibly rude of them to rack up your airtime charges with phone company business? You'd think they could easily add their own number to their list of "don't charge for calls" numbers, sort of like Verizon's "friends & family" plans...


    The WTF was that they called him on that number and then asked him for his phone number. Context. :)



  • @Zemm said:

    Most ISP reps (IME of living in NZ) know their basic competitors.
    FTFY - it seems your ISP's sales droids are better-trained than the script-reading twunts in UK:

    @actual call said:

    Them: Hello. This is $ISP. Is Mr or Mrs Cassidy there?

    Wife: Yes.

    Them: Great news, Mr or Mrs Cassidy! We have a very special offer exclusively for you!

    @Zemm said:

    Once I mention the name of my current ISP they immediately say "we can't match them" and leave.
    TL;DR version: our ISP's reps aren't just unaware of their competitors' offerings, they're not even too clued-up with their own products.

    • I left an ISP (PlusNet) at a previous address when they began traffic shaping in the evenings and it affected traffic on non-standard ports (I bind SSH to a higher port number, and also experienced plenty of packet loss during evening online gaming). When giving my reasons for leaving, they asked "can't you game at different times?" Oh, yes, I'll take the day off to game when traffic shaping isn't on then expect my clients to return to their workplace in the evening for my consultancy, shall I?
    • Eventually said ISP became absorbed by BT. And a few months later - at my new address - I began to get calls from BT trying to flog me PlusNet. When explaining my traffic shaping experiences, one droid was unaware what the term meant, and after conferring with their colleague confirmed that they don't perform throttling or shaping of ANY kind. I just told them to try a web search involving the terms "Plusnet traffic shaping".
    • Also had Sky try to poach me - after the ACS:Law fracas I asked for a good reason I should entrust my business in their hands. The droid wasn't even aware it had occurred, but then again Sky were one of the few news outlets that kept silent when the ACS story broke, so their staff were probably in denial.
    • TalkTalk have also tried to poach me. The poor girl making the sales pitch wasn't aware that they've had the biggest number of complaints three years running. To be fair, of those I know currently with TalkTalk, when it works it works well. Those I know who have had problems have reported botched installs, delayed migrations to them, continuous billing by them after migrating from them, etc. Once the pipe is in and working, there's no issues - it's the peripheral stuff that has given headaches.

    @Zemm said:

    Vodafone keep asking me to move to them

    Ask if you can have your service tax-free.



  • @ASheridan said:

     I had the similar thing with the Three mobile network in the UK, but they managed to go that extra step to make it a true WTF:

    •  They phoned and immediately said they were from Three G. Now, there's a signal type called 3G, or their parent company called Hutchinson 3G, but no company called Three G, which I pointed out to them.

    Over here, they call themselves "3", but the company name is actually Hi3G. Maybe that causes confusion?



  • @boh said:

    @ASheridan said:

     I had the similar thing with the Three mobile network in the UK, but they managed to go that extra step to make it a true WTF:

    •  They phoned and immediately said they were from Three G. Now, there's a signal type called 3G, or their parent company called Hutchinson 3G, but no company called Three G, which I pointed out to them.

    Over here, they call themselves "3", but the company name is actually Hi3G. Maybe that causes confusion?

    Quite possibly, but the very fact that they could get so confused over their own company name does not do anything to inspire confidence that they had the competence to get other, more technical, things correct. This was reinforced by them then continually referring to my phone losing signal as it going into airplane mode (it wasn't, and I did patiently explain to them that I still had a wifi connection, so airplane mode wasn't it). This was one of the many WTFs I endured whilst I was a customer for them, I'm just glad now I no longer have to deal with such a useless company.

     



  • @ASheridan said:

    This was reinforced by them then continually referring to my phone losing signal as it going into airplane mode
     

    Only one cure for association fallacy: ClueBat.

    This goes double for computer store droids that keep "correcting" me: the "system" disk? We call that the "C: drive". And those who refer to PC power cables (terminating in IEC connectors) as "kettle leads".



  • @ekolis said:

    Or just that it's incredibly rude of them to rack up your airtime charges with phone company business?
     

    All but a few countries have incoming free on mobile phones. So they are just wasting battery.

    @Cassidy said:

    @Zemm said:
    Most ISP reps (IME of living in NZ) know their basic competitors.
    FTFY

    NZ? I've never even visited New Zealand!

    @boh said:

    @ASheridan said:
    They phoned and immediately said they were from Three G. Now, there's a signal type called 3G, or their parent company called Hutchinson 3G, but no company called Three G, which I pointed out to them.
    Over here, they call themselves "3", but the company name is actually Hi3G
     

    And here Vodafone and Hutchison have merged and they are phasing out the "3" brand. Still a lot of Vodafail around though, even though they seem to have the most amount of spectrum of all the carriers. Vodafone is the worst of the three mobile phone companies in Australia, in all respects: coverage, call dropouts, data speed, customer service and even price these days! They don't even have an LTE network yet, while the other two do (albeit limited).




  • @Zemm said:

    NZ? I've never even visited New Zealand!
     

    Bollocks, I thought you were NZ rather than AU for some reason. My bad.

    (I even thought "don't get them mixed up, it's quite insulting to many of the natives there". Doh with a capital "F".)


  • Trolleybus Mechanic

    @Ibix said:

    Virgin Media
     

    Oh, you mean the same Virgin where you can log into an account (http://www.virginmobile.ca/en/members-lounge/index.html?itcid=NAV:31) using a subscriber's phone number (known, public information) as the username, and a forced 4-digit PIN as the password?

    I haven't tried it, but I would hazard a guess that their anti-brute force technology is a cookie.  It might even be an HTTP cookie.

     

