boakes.org

Tags: Security

Credit Card Phone Security

November 27th, 2005, by Rich.

Last week I received a replacement credit card. Attached to the card was a sticker, telling me that I had to call the company so that they could register its safe arrival and enable it for my use.

I called them immediately and we went through the usual security shenanigans (inside leg measurement, favourite adverb, etc) and the card was activated.

A couple of minutes after my activation call I received a phone call from a lady who claimed to be from the same credit card company, saying that she had to confirm who she was talking to before she could tell me something very important about my credit card.

She asked me all the security questions, and this time I refused to answer.

I explained to her that she could have been anyone, so I asked her to prove her identity by telling me something that only the two of us could know, something from my account or something about my previous phone call. She said she couldn’t because of the data protection act. So I took her name and extension number, and called her back on the standard company number.

Telephone security in this credit card company is fundamentally flawed. Their policy of calling customers without a means of self-authentication, whilst asking customers to provide personal information as an authentication token, results in an overall reduction in the security of their cardholders.

The recent spate of phishing has led to many banks and credit providers issuing warnings about not giving out your personal details online, yet this is an example of a company that’s normalising the process of giving away your credentials to an unauthenticated party through their own actions.

2 Responses to “Credit Card Phone Security”

  1. themaxx.ca Says:

    Ouch! That’s scary!
    That was quick thinking ;)

  2. Dave Says:

    It’s amazing how often some banks and credit card companies do this. I sometimes give them the details - but actually change them so that they’re incorrect. Like you I then try to find the publicly available telephone number and then inform them of what’s going on. I get even more alarmed about the guys who phone who are obviously speaking from Mumbai or some other distant shores - outsourced by the penny-pinching banks no doubt.

    Yet another problem is that now we all know about phishing email scams, how do you tell when a bank actually sends out a genuine email? Even the telltale spelling errors and poor grammar detectors are starting to fail, as I’ve had some poorly worded messages from banks which I think really were genuine.
