A recent call to a client’s managed services provider was a refreshingly pleasant experience. The agent was polite, helpful, and knowledgeable.
After explaining the reason for my call and identifying the client company, the agent greeted me by name and asked me to confirm if that’s who he was speaking with. Once he had confirmation, the agent gave me the setup details, logon credentials, server addresses, and passwords to be able to connect to the client network, and then patiently waited while I tested the connect to make sure the settings I entered worked.
Dealing with a new teller at the bank branch I’ve been going to for more than 10 years was equally swift and painless. As was calling my favorite airline to modify a booking.
All of these organizations assure the public that they ‘take our customers’ privacy seriously’.
But do they?
Each of these cases revealed a simple and fundamental flaw in their process — that reflected a gap in training and understanding: I was asked to confirm my name and other personal information. In each case, enough information was provided that someone with malicious intent (or a warped sense of humor) could simply agree to whatever details they’re asked to confirm — and then have enough information to impersonate me and be able to compromise my bank balance and my client’s systems.
The much safer way to confirm someone’s identity is to ask them to provide the relevant details, and compare that with information you already have.
Doing it the right way takes no longer than doing it the risky way — and it only takes a few phone calls to find out what ‘taking privacy seriously’ means to the organizations you deal with.