So this AM I called my mobile carrier, the one implicated in the breach I talked about yesterday. I decided to try and authenticate to an agent w/ just the data that was breached.
So the call goes like this… step 1, you get an auto-attendant. Based solely on your caller ID (which is easily spoofed as anyone who has received a CRA-scam type call knows), it reads you out your last account balance, payment, etc.
I then tab through to the agent. The agent asks me for my PIN. I say I don’t want to give a password to a person.
So they ask me… phone #, billing address, postal code. Done. I can now set a new PIN and security question. So the info that was in the breach is sufficient to undo the new port-protection.
So, uh, the moral of this is… I dunno, buy some sort of tin-foil-chapeau?
I’ve updated my security question and PIN, but it’s all they have.
Now, question, what sort of 2-factor authentication would we use? The agent for the phone co doesn’t know me personally, so that is not a method. It would be nice to have like a lottery-card of scratch-off-numbers or something. We need a one-time-password that is consumer-simple I think.
Either that, or I need to start lying about my billing address to these folks.
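As an added illustration (not code from the original post or from any carrier) of the scratch-card one-time-password idea above, here is a small Python sketch: the carrier stores only salted hashes of the card's codes, each code is accepted once, and the phone number and postal code identify the account but never authorize a PIN reset on their own. The card size, code length and account fields are assumptions.

```python
import hashlib
import hmac
import os
import secrets
from dataclasses import dataclass, field

# Alphabet without 0/O/1/I so a code read over the phone is not misheard.
CODE_ALPHABET = "ABCDEFGHJKLMNPQRSTUVWXYZ23456789"


def _hash_code(salt: bytes, code: str) -> bytes:
    # Slow salted hash: a breach of this table does not yield usable codes.
    return hashlib.pbkdf2_hmac("sha256", code.encode(), salt, 100_000)


@dataclass
class ScratchCard:
    salt: bytes
    hashes: list            # one digest per scratch-off cell
    used: set = field(default_factory=set)


def issue_card(n_codes: int = 10, code_len: int = 8):
    """Return (codes printed on the customer's card, server-side record)."""
    salt = os.urandom(16)
    codes = ["".join(secrets.choice(CODE_ALPHABET) for _ in range(code_len))
             for _ in range(n_codes)]
    return codes, ScratchCard(salt, [_hash_code(salt, c) for c in codes])


def redeem(record: ScratchCard, presented: str) -> bool:
    """Accept a code exactly once; reject reuse and unknown codes."""
    digest = _hash_code(record.salt, presented.strip().upper())
    for idx, stored in enumerate(record.hashes):
        if idx not in record.used and hmac.compare_digest(stored, digest):
            record.used.add(idx)   # scratch it off server-side too
            return True
    return False


def authorize_pin_reset(account: dict, record: ScratchCard,
                        phone: str, postal: str, otp: str) -> bool:
    # Phone number and postal code are exactly what a breach leaks, so they
    # only locate the account; the one-time code is what proves possession.
    if (phone, postal) != (account["phone"], account["postal"]):
        return False
    return redeem(record, otp)
```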