- Account number
- Username, being the service provider's home-grown email address for the customer
- Customer's personal email address
- Customer's full name and home address
- Last four digits of customer's SSN
- Customer's home phone number
- IP address associated with the account (from which the system was already able to find the username)
It's sort of a division-of-labor anti-pattern: a human and a computer working together end up more obtuse than either alone. Offering the customer a service the customer can't log into, plus chat support that didn't help, is a nice parting touch.
What follows is an anonymized and lightly edited transcript of an actual customer chat sent by one of my "army of stringers, researchers, fact-checkers and miscellaneous hangers-on."
Problem: Trying to sign in; need password
Hello Customer, Thank you for contacting SomeCompany Live Chat Support. My name is Service Rep. Please give me one moment to review your information. I'm ready to assist you today. How are you doing by the way?
Fine, thanks.
Nice to know that you are doing good.
I was trying to log in to your service
As what I have understood, you would like to have your password for you to sign in right?
Yes. I thought I'd already set up an account and your website found a user name from looking at my IP address, but I can't reset the password. Also, I'd rather choose my own user name rather than use the assigned one (wemadethisup@somecompany.com), if possible.
Oh, I see. I understand that it is very important for you to know the password of your account here. I also know that you would like to have your email address personalized and change it. There is no need to worry since as your service representative today, I want you to know I am more than willing to help you today with your issue. I can assure you that we can have a positive resolution since we will be working on this together.
Here's what I can do. Since your password is not allowing you to log in, and since we do not store our customers' passwords, I can give you a randomly system-generated password. Would that be okay?
That would be fine, thanks
Alright. Please allow me to pull up your account information so that we can resolve it in the most efficient way possible. I will be verifying security information to protect your account privacy. May I please have the account number, account holder's full name, home address, and the last 4 digits of your SSN?
<Customer gives the information>
Thank you. May you also verify your phone number and the Email address that you are using?
<Customer gives phone number and personal email address>
Thank you. I am referring to the SomeCompany email address that you would like to reset the password.
I don't use SomeCompany for email, so that address is only useful to me as the login ID. I'm not set up to check that account and I would rather not have to be. But I think you mean wemadethisup@somecompany.com.
Thank you. While waiting, I will share with you a feature of SomeCompany that you can truly benefit from. Are you aware of the customer self-help on SomeCompany.com? SomeCompany.com has an extensive series of Frequently Asked Questions (FAQs) that cover all of our products. Customers do not have to sign in to access the FAQs. Quick steps to do it: open a web browser window and go to http://www.somecompany.com/. On the home page, the navigation menus are on the left side of the window; click on Customers, then Help and Support.
I have already pulled up your account.
I don't think the FAQ will help. Please just reset the password.
Okay. Now, for the password, since we do not keep it for security reasons, I can reset it and provide you with a randomly generated one. Do not worry about changing it because you would be able to change it to your preferred password once you are able to log in. Would that be okay with you?
Yes, please.
Sure, now for me to push through the process and reset your password, may you please give me your security pin?
I don't remember setting a security PIN.
A security pin is like a password to your account. This will be sent via a postal mail to you, a few weeks after your service is started. It is a 4 digit number. May you please try to check your postal mails?
OK. I might have the mail somewhere. I have no idea where. [time passes] Sorry, I can't seem to find anything.
Since you have not provided the Security pin, in order to push through with this process, I would have to call you right now on your phone number to authenticate. Would that be okay with you?
Unfortunately, no. My kids are sleeping. Perhaps I should try again during the day?
Yes, you may always contact us. We are available 24/7, Customer.
So there's nothing else you can do?
Customer I really know how important it is to have your password. I would like to apologize however, we need to call you to authenticate so that we can reset your password.
OK. I'll try again during daytime hours.
Thank you so much for your time, Customer.
[time passes]
Customer, here's what we have done on this chat today: I have assisted you with your SomeCompany inquiry on resetting your password; however, we need to call you to authenticate. Customer, it has been my pleasure serving you today and I truly appreciate your understanding and cooperation. Do you have other concerns for me today? I will be glad to assist you further.
No, that will be all, thank you.
We strive to exceed your expectations and hope that you will take a moment to complete the 3-question survey that will follow our interaction; your feedback will help us to continue improving how we serve you. Do you want to use our service? Go to http://www.somecompany.com. Thank you for choosing SomeCompany as your service provider and have a great day! SomeCompany appreciates your business and values you as a customer. Our goal is to provide you with excellent service. If you need further assistance, you can chat with one of our Customer Support Specialists 24 hours a day, 7 days a week at http://www.SomeCompanySupport.com
* Actually, SomeCompany is probably right to want better authentication. It's quite possible that someone, say, found their neighbor's bill, with the account number, and leeched onto their non-secured WiFi or used other chicanery so as to connect from the right IP address and thence obtain the user name. It's conceivable that such a person also somehow happened to know the customer's personal email address and last four digits of the SSN.
Calling the phone number of record (which the customer was challenged to give and the service rep is able to verify) would raise the bar significantly. Likewise, assuming the snail mail with the PIN didn't also have the account number, the would-be thief would have had to steal two separate pieces of mail, typically delivered on different days.
The annoyance here is that the stronger authentication is strong on its own. That is, "Tell me the PIN we mailed you" is about as secure as "Tell me the PIN we mailed you and several pieces of not-too-hard-to-find information," and "So you want a password reset? Let me call you at the phone number listed on the account" is about as secure as "Tell me several pieces of not-too-hard-to-find information and I'll call you on the phone number listed on the account." The weak factors add almost nothing once the strong one is required, because an attacker who can produce the PIN letter or answer the phone of record has, in most of the plausible scenarios, already got hold of the rest. Unfortunately, Service Reps are generally required to go through the whole account verification cha-cha-cha before doing anything meaningful.
One wonders, though, why this bundle of not-too-hard-to-find information is good enough to let the customer access the account information, but not good enough to let the customer use the service itself.
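The footnote's argument can be reduced to something checkable. The following is an added example, not code from the original post or from SomeCompany: each verification rule is a list of alternative factor bundles, each modeled actor is the set of factors they can produce, and the script asks which actors each rule lets through and which factors in a rule actually change an outcome. The factor names, the three rules, and the four actor profiles are constructed assumptions drawn from the transcript and the footnote's scenarios, not data about any real system.

```python
# Added example (not from the original post): a small threat model of the
# password-reset ceremony in the transcript. Every name below is an assumption
# chosen to mirror the transcript and the footnote, not a real system's schema.
from dataclasses import dataclass
from typing import Dict, FrozenSet, List

# Factors the rep asked for, or the website derived, before touching the account.
ACCOUNT_NUMBER = "account_number"   # printed on the bill
FULL_NAME = "full_name"
HOME_ADDRESS = "home_address"
SSN_LAST4 = "ssn_last4"
PHONE_NUMBER = "phone_number"       # recited by the caller, compared to the record
PERSONAL_EMAIL = "personal_email"
USERNAME = "username"               # the website found it from the IP address
MAILED_PIN = "mailed_pin"           # possession: the 4-digit PIN letter
CALLBACK = "callback"               # possession: answers the phone number of record

# The "not-too-hard-to-find" bundle collected before anything meaningful happens.
WEAK_BUNDLE: FrozenSet[str] = frozenset({
    ACCOUNT_NUMBER, FULL_NAME, HOME_ADDRESS, SSN_LAST4,
    PHONE_NUMBER, PERSONAL_EMAIL, USERNAME,
})

# A rule is a list of alternative bundles; producing any one bundle passes.
RULES: Dict[str, List[FrozenSet[str]]] = {
    # What the rep required before pulling up the account.
    "view_account_info": [WEAK_BUNDLE],
    # The scripted reset: the weak bundle plus either the PIN or a callback.
    "reset_scripted": [WEAK_BUNDLE | {MAILED_PIN}, WEAK_BUNDLE | {CALLBACK}],
    # The post's suggestion: let the strong factor stand on its own.
    "reset_strong_only": [frozenset({MAILED_PIN}), frozenset({CALLBACK})],
}


@dataclass(frozen=True)
class Actor:
    name: str
    can_produce: FrozenSet[str]


# Constructed actor profiles (assumptions) for the footnote's scenarios.
CUSTOMER = Actor("legitimate customer", WEAK_BUNDLE | {MAILED_PIN, CALLBACK})
BILL_THIEF = Actor("neighbor with the bill and the WiFi", WEAK_BUNDLE)
TWO_LETTER_THIEF = Actor("thief with bill and PIN letter", WEAK_BUNDLE | {MAILED_PIN})
PIN_LETTER_ONLY = Actor("thief with only the PIN letter",
                        frozenset({FULL_NAME, HOME_ADDRESS, MAILED_PIN}))  # the envelope
ACTORS = [CUSTOMER, BILL_THIEF, TWO_LETTER_THIEF, PIN_LETTER_ONLY]


def passes(rule: str, actor: Actor, rules=RULES) -> bool:
    """True if the actor can produce every factor of at least one bundle."""
    return any(bundle <= actor.can_produce for bundle in rules[rule])


def who_passes(rule: str, actors=ACTORS, rules=RULES) -> List[str]:
    """Names of the modeled actors the rule lets through, in ACTORS order."""
    return [a.name for a in actors if passes(rule, a, rules)]


def load_bearing_factors(rule: str, actors=ACTORS, rules=RULES) -> FrozenSet[str]:
    """Factors whose removal from their bundle admits an actor who was blocked.
    Anything not returned is ceremony against the modeled actors; a richer
    actor list can promote a factor to load-bearing."""
    blocked = [a for a in actors if not passes(rule, a, rules)]
    result = set()
    for i, bundle in enumerate(rules[rule]):
        for factor in bundle:
            weakened = list(rules[rule])
            weakened[i] = bundle - {factor}
            if any(passes(rule, a, {rule: weakened}) for a in blocked):
                result.add(factor)
    return frozenset(result)


if __name__ == "__main__":
    for rule in RULES:
        print(f"{rule}: lets through {who_passes(rule)}")
        print(f"  load-bearing factors: {sorted(load_bearing_factors(rule))}")
```

Against these four actors, the only factors in either reset rule whose removal changes an outcome are the mailed PIN and the callback; no single item of the weak bundle is load-bearing. The one place the scripted rule and the strong-only rule disagree is the thief who holds nothing but the PIN letter, which is exactly the two-pieces-of-mail point in the footnote. The model is only as good as its actor list: add an actor who has the PIN letter and everything except the last four SSN digits, and those digits become load-bearing.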
2 comments:
The reason the CSR is allowed to access the info and you're not is that he's limited in what he can do and can do this thing only once. If the user gets access to the account, though, she can do pretty much everything.
The everything may be limited in personal accounts but reach millions in commercial ones. Just read Cyber Thieves Steal Nearly $1,000,000 from University of Virginia College
The scripted politeness and verbosity is really annoying. As you say this can all be done by a computer.
Sure, security is important, though my source assures me that the stakes were pretty low in this particular case.
Thing is, it's important enough to require real authentication, not just a bunch of ceremony giving the appearance of real security. I'll probably have more to say on the subject before too long.