Verizon Support Wants You To Know That Twitter Is A Perfectly Secure Way To Send Them Your Social Security Number

from the you-need-better-support-reps dept

Hoping to have an errant charge resolved, O'Reilly Media author Jonathan Zdziarski recently reached out to Verizon Wireless on Twitter. While Twitter support can help put a friendly face to a massive, often-times unwieldy conglomerate, anyone that has actually interacted with one of these support agents has likely found the quality of these interactions to be decidedly hit or miss. In Zdziarski's case, the Verizon Wireless support agent in question thought it would be perfectly acceptable for him to prove his identity over Twitter, since the platform is such a "secure means of communication":
Except for the fact that's not remotely true. Back in late 2013 in the wake of reports on the NSA's ballooning skulduggery, Twitter claimed they'd start encrypting direct messages, though by 2014 that initiative appears to have been forgotten. As such, what Verizon's calling a "secure means of communication" is about as secure as a safe made out of paper mache and tin foil. When pressed about this lack of secure transit for personal data, Zdziarski was apparently informed that everything was ok, because "most users are ok with it":
Of course "most users" don't know a gigabit from a garrote, so it's not entirely clear that "most people aren't bright enough to know this isn't a good idea" should be used as a security standard moving forward.

Reader Comments

Subscribe: RSS

View by: Time | Thread


  • identicon
    avideogameplayer, 21 Jul 2015 @ 6:28am

    Another reason not to do business with Verizon...#suckerborn

    reply to this | link to this | view in chronology ]

  • identicon
    Anonymous Coward, 21 Jul 2015 @ 6:35am

    To be fair, it's more secure than unencrypted email.

    reply to this | link to this | view in chronology ]

  • identicon
    Anonymous Coward, 21 Jul 2015 @ 6:38am

    Cue the "we take your security very seriously" response statement.

    reply to this | link to this | view in chronology ]

  • identicon
    David, 21 Jul 2015 @ 6:42am

    Well, safe from the NSA anyway.

    They already have your SSN, so if the NSA hacks twitter messages, there's no real risk there...

    reply to this | link to this | view in chronology ]

  • icon
    Miles Barnett (profile), 21 Jul 2015 @ 7:20am

    "because most customers are OK with it"

    When I go to buy something, and they hand me a form to sign, I always read it. I usually get a response from the clerk "Just sign it. Everybody else does." So, because everybody else is a fool, I have to be one too.

    reply to this | link to this | view in chronology ]

    • icon
      John Fenderson (profile), 21 Jul 2015 @ 7:37am

      Re: "because most customers are OK with it"

      Clerks actually say that? I've never had that happen, but if it did, I think I would drop the transaction right there on the grounds that if I'm being pressured to sign something without reading it, then it's clearly a trap.

      reply to this | link to this | view in chronology ]

    • icon
      jilocasin (profile), 21 Jul 2015 @ 8:08am

      Re: "because most customers are OK with it"

      I used to be bothered by various retail clerks insisting that I provide some seemingly random bit of personal information at the conclusion of retail transactions.

      I used to refuse to do so, wade through the gaped mouths, the anger and indignation, and the delay while a manager was called over to explain that providing such information isn't strictly speaking required.

      Often I too would hear the refrain;
      "None of our other customers has a problem providing this information."


      With the implied,
      "So why am I being such a pain...."

      Nowadays I avoid all of that drama by simply
      making stuff up.

      Teller: "We need your Zip Code"
      Me: "Um 23412".
      Teller: "Thank you"

      Teller: "We need your Phone number"
      Me: "Ah 508 990 5678".
      Teller: "Thank you"


      (shrug...)

      reply to this | link to this | view in chronology ]

      • identicon
        Jason, 21 Jul 2015 @ 8:38am

        Re: Re: "because most customers are OK with it"

        When Best Buy started asking for your ZIP code (back when I still shopped at Best Buy occasionally) I would always politely decline, with a "no thanks," or something like that. Most times the clerk didn't care, just typed in something and continued. But every now and then there would be confusion, delays, and general annoyance as I waited to pay for my purchase. Even if I was paying with cash.

        Then places graduated to asking for phone numbers. When our local Circuit City finally closed I happened to find something I wanted in the last of the clearance pile, a pair of noise cancelling headphones that were super cheap. I don't know how long I stood there waiting for the guy to figure out how to let me pay without typing in my phone number. (I wanted to tell him to just use his.) I had finally had enough and opened my mouth to tell them to just keep it and walk out when the manager came over, typed the number 5 ten times, and got things rolling again.

        To this day I don't provide personal information to any store that they don't need to actually process my payment. Sometimes it's a bit of a pain, but so be it... if they can't deal with that, then they really don't need my money.

        reply to this | link to this | view in chronology ]

        • icon
          John Fenderson (profile), 21 Jul 2015 @ 9:41am

          Re: Re: Re: "because most customers are OK with it"

          I do this too. Nobody gets personal info that isn't actually needed.

          But be aware: if you're paying with a card, many processors randomly require the card holder's zip code to be entered as a weak anti-fraud measure. If the clerk is asking for a zip code because of this and you refuse to provide it or provide an incorrect one, you won't be able to pay with the card.

          reply to this | link to this | view in chronology ]

          • identicon
            Jason, 21 Jul 2015 @ 9:56am

            Re: Re: Re: Re: "because most customers are OK with it"

            True, but so far at least I've never had that problem. And if it's verification (however weak) they ought to be able to explain that to me when I ask, too, and not give me the generic "we need that to add to our database" type of answer I usually get.

            When the gas pumps started asking for ZIP codes I went home first and did some reading to find out why.

            reply to this | link to this | view in chronology ]

      • identicon
        Michael, 21 Jul 2015 @ 10:17am

        Re: Re: "because most customers are OK with it"

        I make it up too.

        Whoever actually has the phone number 867-5309 must really hate me.

        reply to this | link to this | view in chronology ]

    • identicon
      PRMan, 21 Jul 2015 @ 12:26pm

      Re: "because most customers are OK with it"

      I have the same problem. One time I crossed out a bunch of it before signing it. Turns out they didn't read it either.

      reply to this | link to this | view in chronology ]

  • icon
    Namel3ss (profile), 21 Jul 2015 @ 7:22am

    Most people don't even know what a rootkit is, so why should they care?

    reply to this | link to this | view in chronology ]

  • identicon
    Anonymous Coward, 21 Jul 2015 @ 7:38am

    Last night

    I was twittering Verizon last night to ask when they would support Nomorobo. This is the winner of the FCC Robocall contest.

    Well, I looked at some of the twitter responses, "Yes, let's see what we can do to bring down your bill."

    "With our everything plan, unlimited minutes and texting is included in the plan."

    Dozens of replies like this. It appeared that only the Verizon representative replies were listed, and I don't remember if the recipient was listed.

    If you want to see how the Verizon Customer Service operates, just go to their twitter page for some good reading.




     

    reply to this | link to this | view in chronology ]

  • identicon
    Anonymous Coward, 21 Jul 2015 @ 7:57am

    Sigh... The Verizon rep is asking for the last 4 of the customers SSN, not the entire thing. That still leaves about 77000 different possibilities for the actual number.

    reply to this | link to this | view in chronology ]

    • icon
      Nurlip (profile), 21 Jul 2015 @ 8:16am

      Re:

      74,547

      reply to this | link to this | view in chronology ]

    • identicon
      Anonymous Coward, 21 Jul 2015 @ 10:28am

      Re:

      However...if the Twitter account can be linked to an actual person, you now know a specific user's last 4 digits. It's just a quick Google search to guess locale, what bank they may use, etc.

      So while there *may* be 75,000+ social security number possibilities, using just those last 4 numbers, there's statistically far less possibilities of a person named Jane Doe with the last 4 digits being 1234.

      reply to this | link to this | view in chronology ]

    • identicon
      Anonymous Coward, 21 Jul 2015 @ 10:46am

      Re:

      Sigh... The Verizon rep is asking for the last 4 of the customers SSN, not the entire thing. That still leaves about 77000 different possibilities for the actual number.

      It is far less than you might think, at least until very recently the first 5 digits are not just random numbers. The first 3 identify the state of issue, and the next 2 are grouping codes that can be roughly corresponded to the year issued. Only the last 4 were an actual serial number. Once you give those last 4 up that makes for a lot less combinations especially with some basic knowledge of the customer.

      reply to this | link to this | view in chronology ]

    • identicon
      David, 21 Jul 2015 @ 10:51am

      Re:

      Unless the person is older and you know where they lived when they got their SSN. Then you know the first 3 (or small subset of numbers). That leaves you with only 100 different possibilities.

      reply to this | link to this | view in chronology ]

    • icon
      John Fenderson (profile), 23 Jul 2015 @ 10:27am

      Re:

      The last 4 digits of a SSN are the ones that really matter: they're the only digits that you cannot figure out through research. Which is why they sorta-work as an identity confirmation.

      If you're speaking in public, those are the most dangerous digits to reveal.

      reply to this | link to this | view in chronology ]

  • identicon
    Anonymous Cowherd, 21 Jul 2015 @ 8:10am

    Using a persistent code like a social security number as "proof" of identity is stupid in the first place. Anyone you've ever "proven" your identity to in that manner subsequently knows your number and can "prove" to anyone else that they're you.

    reply to this | link to this | view in chronology ]

    • icon
      John Fenderson (profile), 21 Jul 2015 @ 9:45am

      Re:

      This. Particularly since the SSN is explicitly, specifically, and legally not intended to be a universal ID # and does not do a good job of it even if it remains completely secure.

      The only legal uses for an SSN is as a taxpayer ID (and you can use an actual taxpayer ID # instead) and to administer social security.

      reply to this | link to this | view in chronology ]


Add Your Comment

Have a Techdirt Account? Sign in now. Want one? Register here
Get Techdirt’s Daily Email
Use markdown for basic formatting. HTML is no longer supported.
  Save me a cookie
Follow Techdirt
Special Affiliate Offer
Anonymous number for texting and calling from Hushed. $25 lifetime membership, use code TECHDIRT25
Report this ad  |  Hide Techdirt ads
Advertisement
Report this ad  |  Hide Techdirt ads
Essential Reading
Techdirt Deals
Report this ad  |  Hide Techdirt ads
Techdirt Insider Chat
Advertisement
Report this ad  |  Hide Techdirt ads
Recent Stories
Advertisement
Report this ad  |  Hide Techdirt ads

Close

Email This

This feature is only available to registered users. Register or sign in to use it.