The phone port scam saga continues

So this AM I called my mobile carrier, the one implicated in the breach I talked about yesterday. I decided to try and authenticate to an agent w/ just the data that was breached.

So the call goes like this… step 1, you get an auto-attendant. Based solely on your caller ID (which is easily spoofed as anyone who has received a CRA-scam type call knows), it reads you out your last account balance, payment, etc.

I then tab through to the agent. The agent asks me for my PIN. I say I don’t want to give a password to a person.

So they ask me… phone #, billing address, postal code. Done. I can now set a new PIN and security question. So the info that was in the breach is sufficient to undo the new port-protection.

So, uh, the moral of this is… I dunno, buy some sort of tin-foil-chapeau?

I’ve updated my security question and PIN, but it’s all they have.

Now, question, what sort of 2-factor authentication would we use? The agent for the phone co doesn’t know me personally, so that is not a method. It would be nice to have like a lottery-card of scratch-off-numbers or something. We need a one-time-password that is consumer-simple I think.

Either that, or I need to start lying about my billing address to these folks.

Comments

2 Responses to “The phone port scam saga continues”

  1. Alex Leyn

    Awesome. Trivial human-engineering and it doesn’t sound like you even really need extensive “compromised” personal data at all: name, phone #, billing address/postal code are readily available for almost everyone. They didn’t even ask you Mother’s maiden name? Or even favourite colour (it’s blue: 42% males, 30% females)? Sheesh.

    I’ve personally been lying about my residential address (as a billing address) for years. I literally have a UPS store mailbox account for the specific purpose of being able to lie about it. It’s not as crazy as it sounds and has proven valuable quite a few times already. Next time you move, never ever enter your actual residential address into any machine form, no matter what the form asks or demands, governments and statutes be damned; until the move, it’s too late.

    You don’t think authenticator apps are sufficiently consumer friendly? I guess I don’t either as I haven’t taught their use to family yet, but it really isn’t bad. The use is not hard, the hard parts are a) initial seed setup, and b) secure backup of that seed in case the phone dies.

    1. db

      So `authy` is pretty good. But, if you ran a call centre dealing with people who bought a SIM card from a kiosk in a mall, would you want to support that?

      The problem w/ lying about your address is it can cause issues w/ the Visa-based billing. Also, believe it or not, on my credit record there is exactly one ongoing credit query… from this very same mobile co. That would fail it.
