net.wars: Never mind who I am, who are you?
by Wendy M Grossman | posted on 18 June 2004
The Vodafone guy who called me the other week (later barring my phone for a couple of weeks in a fit of pique I can only call unprofessional) and asked my birth date was only one example of an important phenomenon: one-way authentication. Everyone from banks, retailers, and insurance companies to online media worries that you (or I) might not be who you say you are. They assume, conversely, that their own identity is not in question.
In the case of a bank or credit card company, the risk is that you might be an imposter committing identity theft for fun and profit. In the case of an online newspaper, the risk is that somewhere a subscriber may have shared his paid-for logon information with a million others, crippling the business. Despite the frequent warnings their security departments send out about never divulging your password and saying that the company will never ask for your information, these are apparently never communicated to the customer service people or translated into company policies, and the broad assumption is that it's always obvious that the company is genuine. They don't seem things from our perspective, which is: someone phones, could be anybody. They seem to think all security breaches come via computer.
This used to be a persistent problem with First Direct, which would ring up out of the blue and say, "This is First Direct. Let me take you through security. Your last name and first initial, please."
If you protested that this could be a scam to obtain your security information, the person on the other end was genuinely surprised.
After a few years, they figured this out a bit, and offered to give you a phone number to ring back. This was, of course, still not quite perfect. You want to call the number you already know and ask for a representative by name. Companies, these days, don't you want to know who anyone is. They want employees to be interchangeable and everything to be in the company database.
What needs to happen is for the procedures for opening an account to become a two-way process instead of the one-way process it is now. For every application form that asks you to state your mother's maiden name, your date of birth, your city of birth, and the name of your first childhood pet, there should be one you get them to fill out that asks them to state the mother's maiden name of their corporate founder, their date of incorporation, the city of their registered office, and the name of the person whose bust stands in the lobby of corporate headquarters. There should also be an agreed upon password they use when they call you to identify themselves.
An ancillary problem is that they won't tell you anything. One reason I got so annoyed with the Vodafone guy is that I said, "Is this a marketing call?" and he said, "I can't tell you that under the terms of the Data Protection Act." Impasse.
The Office of the Information Commissioner says, depressingly, that in fact he was technically right although his citing the Act "isn't best practice". The reasoning is that if he admits the call isn't a marketing call, then that is tantamount to telling whoever answers your phone - you, a colleague, a visiting stranger - that you have an account with that company. Best practice, though, they say, is to say "It's a personal matter."
Am I the only one who thinks that saying "It's a personal matter" makes it sound like he's divulging more, not less, information? Doesn't that sound to you like it's code for, "Actually, yes, your friend is a deadbeat and I'm calling to try to collect his unpaid arrears"? Where saying, "No, it's not a marketing call" sounds like it's probably dishonest, but at least leaves the exact nature of the call wide open. (I should add that given that the Vodafone guy who called me then proceeded to bar my phone in a fit of pique, he effectively conveyed to everybody who called my number for nearly three weeks that I was a deadbeat. Even if I hadn't confessed all to the entire public Web right here.)
A decently constructed two-way authentication scheme ought to be able to fix this problem, too. Why couldn't the caller say something like, "I'm calling from Vodafone's Goldfish department"? If Goldfish were an agreed-upon authentication code between you and the company, its use would tell you that the caller was probably genuine. Under the Data Protection Act, the code would have to be variable enough that it didn't convey any particular information to stray strangers who pick up your phone, but I'm sure this is solvable.
Or we could change the codes of practice so that a company could at least answer the marketing question honestly. Though one has to suspect they rather like it this way. They tell you nothing - and they get to blame the government!
Anyway, the code wouldn't unlock everything, but it would start a two-way authentication process. You then reveal one piece of information and choose which one you want from them - and so on. In other words, several iterations of "I'll show you mine, you show me yours."
It would be nice if the company would also authenticate themselves as: responsible, helpful, pleasant to deal with, and providing good service at fair value. But I suppose that's a bit much to ask.
Technorati tags: identity theft
You can discuss this article on our discussion board.
Wendy M. Grossman’s Web site has an extensive archive of her books, articles, and music, and an archive of all the earlier columns in this series. Readers are welcome to post here, at net.wars home, follow on Twitter or send email to netwars(at) skeptic.demon.co.uk (but please turn off HTML).
net.wars: Never mind who I am, who are you?