Why making a call-centre worker say “poopsy-poo” will strengthen your security » The Privacy Surgeon # HT @owenblacker

Having become heartily sick of arguing the toss over who should provide information first, I discussed the dilemma with a helpful call centre manager and we figured out a solution.

It turns out that nearly all call centre systems have a “special instructions” field that allows operators to add useful comments about calling times, payment instructions or special customer requirements. Into this field we placed a word. I must say it’s the most hilariously camp and silly word ever to grace an otherwise tedious financial management system, but it is memorable and unique. Now whenever I’m called by T-Mobile I demand that they read out the word before they get any information from me. The mutuality works for both of us, and we all get a giggle.

via Why making a call-centre worker say “poopsy-poo” will strengthen your security » The Privacy Surgeon.

Comments

4 responses to “Why making a call-centre worker say “poopsy-poo” will strengthen your security » The Privacy Surgeon # HT @owenblacker”

  1. Dave Walker

    I’m happy enough to do telephone banking (but not Internet banking), and recognised a hole like this, a few years back. My bank has a big numeric authentication string that they use to authenticate customers, when either party calls the other; the authentication procedure involves a challenge-response where the customer is required to supply two digits from the string, at positions in the string chosen apparently-randomly by the bank.

    This works just fine, if I ring the bank. However, on the rare occasions when the bank rings me, it doesn’t (or, rather, it didn’t); I’d explain carefully that while they had a mechanism to identify who I was, the converse wasn’t true, and therefore I’d ring them right back on the number I had for them.

    Eventually, we got to the point where someone on their security team needed to talk to me (there was a suspicious-looking transaction on one of my cards, which happened in the end to be genuine), and we had a chat about this. We agreed that the big string was a bona fide shared secret, and that it was entirely reasonable for me to require authentication from them, when they called me rather than vice versa – so now it’s all set up such that I can ask them for two digits, by position, and expect correct validating answers. (We actually use a second big numeric string, for reasons which are obvious when you think about it.)

    It’s not as entertaining as “poopsy-poo”, but it works :-).

  2. Humorous passwords^Wphrases can catch the unsuspecting shoulder surfer too. Okay, it’s only worked twice, but that is better than nothing.

  3. Robbie Mackay

    “so now it’s all set up such that I can ask them for two digits, by position, and expect correct validating answers.” ... I’m fairly impressed that a bank could vary their call center procedure enough for that to work.

  4. Brad

    I thought about this recently as well, when my insurance company called to verify information. I insisted on calling back a known number, and the first person I talked to told me that the callback number I had been given was not legit (it turns out it was).

    I wanted the same solution: I want to ask them the equivalent of “what’s your mother’s maiden name?” (yes, I know, strings of numbers are better, but…).

    I hadn’t thought to ask them to put it in the notes field. I’ll try that.
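
The scheme the post and the first comment describe, as an added example that is not code from the original post, its commenters or any bank: a long numeric string per direction, the checking party choosing two positions at random, and a simulation of why the second string (the one the commenter says is there “for reasons which are obvious”) matters. The string length, the function names, the `Account` record and the impostor simulation are illustrative assumptions, not a real bank's procedure.

```python
"""Mutual authentication on a phone call with direction-specific shared secrets.

Added example: not code from the original post, its commenters or any bank.
It models the scheme described in the first comment: each party proves itself
by reading back two digits, at positions chosen by the party doing the
checking, of a long numeric string, with a separate string for each direction.
String length, names and the impostor simulation are illustrative assumptions.
"""
import hmac
import secrets
from dataclasses import dataclass, field

SECRET_LEN = 12           # assumed length of each numeric authentication string
DIGITS_PER_CHALLENGE = 2  # two digits per challenge, as in the comment


def make_secret(length: int = SECRET_LEN) -> str:
    """Generate one random numeric authentication string."""
    return "".join(str(secrets.randbelow(10)) for _ in range(length))


@dataclass
class Account:
    """What the bank holds for one customer. Two strings, one per direction;
    the post's 'special instructions' word is the low-tech form of bank_secret."""
    customer_secret: str = field(default_factory=make_secret)  # customer proves itself to bank
    bank_secret: str = field(default_factory=make_secret)      # bank proves itself to customer
    codeword: str = "poopsy-poo"


def challenge(n: int = DIGITS_PER_CHALLENGE, length: int = SECRET_LEN) -> list[int]:
    """The checking party picks n distinct 1-based positions at random."""
    pool = list(range(1, length + 1))
    picks = []
    for _ in range(n):
        p = secrets.choice(pool)
        pool.remove(p)
        picks.append(p)
    return picks


def respond(secret: str, positions: list[int]) -> str:
    """The party being checked reveals only the digits asked for."""
    return "".join(secret[p - 1] for p in positions)


def verify(secret: str, positions: list[int], answer: str) -> bool:
    """Compare the answer with the expected digits in constant time."""
    return hmac.compare_digest(respond(secret, positions), answer)


def bank_calls_customer(acct: Account, caller_string: str, customer_string: str) -> bool:
    """Outbound call. The customer challenges the caller first and gives nothing
    away until the caller proves it knows bank_secret; only then does the bank
    run its usual challenge on customer_secret. Each side answers from the
    string it actually holds (caller_string, customer_string)."""
    pos = challenge()
    if not verify(acct.bank_secret, pos, respond(caller_string, pos)):
        return False  # hang up and ring the number printed on the card instead
    pos = challenge()
    return verify(acct.customer_secret, pos, respond(customer_string, pos))


def impostor_harvests(acct: Account, one_string_for_both: bool, calls: int) -> dict[int, str]:
    """Why the second string matters. An impostor rings the bank claiming to be
    the customer and, before answering anything, demands that the bank prove
    itself by reading out digits at positions of the impostor's choosing,
    sweeping along the string two positions per call. If the bank proves itself
    from the customer's own string, every call leaks two digits of the secret
    the bank later relies on to check callers."""
    read_from = acct.customer_secret if one_string_for_both else acct.bank_secret
    learned: dict[int, str] = {}
    for i in range(calls):
        pos = [(2 * i) % SECRET_LEN + 1, (2 * i + 1) % SECRET_LEN + 1]
        for p, d in zip(pos, respond(read_from, pos)):
            learned[p] = d
    return learned


def impostor_answers(acct: Account, learned: dict[int, str]) -> bool:
    """The bank now challenges the impostor as the customer; the impostor answers
    from what it harvested and guesses '0' for positions it never saw."""
    pos = challenge()
    return verify(acct.customer_secret, pos, "".join(learned.get(p, "0") for p in pos))


if __name__ == "__main__":
    acct = Account()
    print("genuine bank call:", bank_calls_customer(acct, acct.bank_secret, acct.customer_secret))
    leaked = impostor_harvests(acct, one_string_for_both=True, calls=SECRET_LEN // 2)
    print("one shared string, impostor passes:", impostor_answers(acct, leaked))
    leaked = impostor_harvests(acct, one_string_for_both=False, calls=SECRET_LEN // 2)
    print("separate strings, impostor passes:", impostor_answers(acct, leaked))
```

Two design points the simulation makes concrete. First, the party being checked must never choose the positions; once the bank lets a caller pick which digits it reads out, a single string shared by both directions can be swept in six calls and then replayed against the bank's own challenge, whereas digits of a separate bank-to-customer string say nothing about the customer-to-bank one. Second, the post's codeword is read out in full on every call, so anyone who overhears it once can replay it; the positional scheme discloses only two digits per call, which is the reason to prefer it where the call centre can support it.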
