Sun, 09 Nov 2008

Network operators and security theatre

I initially failed the security test of a network operator because I don't know my age!

I just called my mobile network operator to order a Porting Authorisation Code (PAC) from a phone registered with this account, with the SIM I wanted the PAC for. I have been with this network operator since it started operating. After being asked, and successfully answering, questions such as two letters of the security password, my name, my date of birth (that, I remember by heart), and the name of the family member using this SIM, the customer service representative then proceeded to ask for my age. I explained I needed to calculate it as it changes every year and I don't do birthdays, and after some rapid mental arithmetic gave her the requested number. This however didn't satisfy her, as she considered that everyone must know their own age. She went on to volunteer that she does know her age, of course - though she didn't reveal it to me! That meant she had to ask me further security questions. It took a little while for her to figure out what other 'security' questions she could ask: how do I pay our bill, what's my sort code, what's the bank's name... I answered these as fast as she fired them.

Eventually she was satisfied enough to agree to send me a PAC to the registered address for the account (SMS to the phone was not possible). A PAC has a lifetime of 30 days starting from the request time, not from when it is received by the customer. If it is not used during this short window, nothing happens; the account remains with the original network as if nothing had ever been requested. I.e., the risk of sending a PAC to an address registered with the account is nil.

When/if the National Identity Register becomes a reality I expect all network operators to interface to it so their customer representatives can ask ever more detailed and intrusive questions.
