Verizon Support Wants You To Know That Twitter Is A Perfectly Secure Way To Send Them Your Social Security Number
from the you-need-better-support-reps dept
Hoping to have an errant charge resolved, O’Reilly Media author Jonathan Zdziarski recently reached out to Verizon Wireless on Twitter. While Twitter support can help put a friendly face to a massive, oftentimes unwieldy conglomerate, anyone who has actually interacted with one of these support agents has likely found the quality of these interactions to be decidedly hit or miss. In Zdziarski’s case, the Verizon Wireless support agent in question thought it would be perfectly acceptable for him to prove his identity over Twitter, since the platform is such a “secure means of communication”:
Seriously. This just happened. pic.twitter.com/odM80wMO4r
— Jonathan Zdziarski (@JZdziarski) July 15, 2015
Verizon defended asking social security numbers over Twitter "because most customers are OK with it": teaching customers to become victims.
— Jonathan Zdziarski (@JZdziarski) July 16, 2015
Filed Under: customer support, jonathan zdziarski, security
Companies: verizon
Comments on “Verizon Support Wants You To Know That Twitter Is A Perfectly Secure Way To Send Them Your Social Security Number”
Another reason not to do business with Verizon…#suckerborn
To be fair, it’s more secure than unencrypted email.
Re: Re:
Would you care to explain how, or was this a joke that I’m not getting?
Re: Re: Re:
Option 3: just plain wrong.
Cue the “we take your security very seriously” response statement.
Well, safe from the NSA anyway.
They already have your SSN, so if the NSA hacks twitter messages, there’s no real risk there…
"because most customers are OK with it"
When I go to buy something, and they hand me a form to sign, I always read it. I usually get a response from the clerk “Just sign it. Everybody else does.” So, because everybody else is a fool, I have to be one too.
Re: "because most customers are OK with it"
Clerks actually say that? I’ve never had that happen, but if it did, I think I would drop the transaction right there on the grounds that if I’m being pressured to sign something without reading it, then it’s clearly a trap.
Re: Re: "because most customers are OK with it"
Ohh it’s a trap whether you take the time to read it or not.
Re: "because most customers are OK with it"
I used to be bothered by various retail clerks insisting that I provide some seemingly random bit of personal information at the conclusion of retail transactions.
I used to refuse to do so, wade through the gaped mouths, the anger and indignation, and the delay while a manager was called over to explain that providing such information isn’t strictly speaking required.
Often I too would hear the refrain;
With the implied, “So why am I being such a pain….”
Nowadays I avoid all of that drama by simply making stuff up.
Teller: "We need your Zip Code"
Me: "Um 23412".
Teller: "Thank you"
Teller: "We need your Phone number"
Me: "Ah 508 990 5678".
Teller: "Thank you"
(shrug…)
Re: Re: "because most customers are OK with it"
When Best Buy started asking for your ZIP code (back when I still shopped at Best Buy occasionally) I would always politely decline, with a “no thanks,” or something like that. Most times the clerk didn’t care, just typed in something and continued. But every now and then there would be confusion, delays, and general annoyance as I waited to pay for my purchase. Even if I was paying with cash.
Then places graduated to asking for phone numbers. When our local Circuit City finally closed I happened to find something I wanted in the last of the clearance pile, a pair of noise cancelling headphones that were super cheap. I don’t know how long I stood there waiting for the guy to figure out how to let me pay without typing in my phone number. (I wanted to tell him to just use his.) I had finally had enough and opened my mouth to tell them to just keep it and walk out when the manager came over, typed the number 5 ten times, and got things rolling again.
To this day I don’t provide personal information to any store that they don’t need to actually process my payment. Sometimes it’s a bit of a pain, but so be it… if they can’t deal with that, then they really don’t need my money.
Re: Re: Re: "because most customers are OK with it"
I do this too. Nobody gets personal info that isn’t actually needed.
But be aware: if you’re paying with a card, many processors randomly require the card holder’s zip code to be entered as a weak anti-fraud measure. If the clerk is asking for a zip code because of this and you refuse to provide it or provide an incorrect one, you won’t be able to pay with the card.
Re: Re: Re:2 "because most customers are OK with it"
True, but so far at least I’ve never had that problem. And if it’s verification (however weak) they ought to be able to explain that to me when I ask, too, and not give me the generic “we need that to add to our database” type of answer I usually get.
When the gas pumps started asking for ZIP codes I went home first and did some reading to find out why.
Re: Re: "because most customers are OK with it"
I make it up too.
Whoever actually has the phone number 867-5309 must really hate me.
Re: Re: Re: "because most customers are OK with it"
Whoever actually has the phone number 867-5309 must really hate me.
Jenny certainly does.
Re: "because most customers are OK with it"
I have the same problem. One time I crossed out a bunch of it before signing it. Turns out they didn’t read it either.
Most people don’t even know what a rootkit is, so why should they care?
Last night
I was twittering Verizon last night to ask when they would support Nomorobo. This is the winner of the FCC Robocall contest.
Well, I looked at some of the twitter responses, “Yes, let’s see what we can do to bring down your bill.”
“With our everything plan, unlimited minutes and texting is included in the plan.”
Dozens of replies like this. It appeared that only the Verizon representative replies were listed, and I don’t remember if the recipient was listed.
If you want to see how the Verizon Customer Service operates, just go to their twitter page for some good reading.
Sigh… The Verizon rep is asking for the last 4 of the customer’s SSN, not the entire thing. That still leaves about 77000 different possibilities for the actual number.
Re: Re:
74,547
Re: Re: Re:
74,547 possibilities for your SSN.
0 other possibilities for your Verizon identity verification.
Re: Re:
However…if the Twitter account can be linked to an actual person, you now know a specific user’s last 4 digits. It’s just a quick Google search to guess locale, what bank they may use, etc.
So while there may be 75,000+ social security number possibilities, using just those last 4 numbers, there are statistically far fewer possibilities of a person named Jane Doe with the last 4 digits being 1234.
Re: Re:
Sigh… The Verizon rep is asking for the last 4 of the customer’s SSN, not the entire thing. That still leaves about 77000 different possibilities for the actual number.
It is far less than you might think; at least until very recently, the first 5 digits were not just random numbers. The first 3 identify the state of issue, and the next 2 are grouping codes that can be roughly corresponded to the year issued. Only the last 4 were an actual serial number. Once you give those last 4 up, that makes for a lot fewer combinations, especially with some basic knowledge of the customer.
Re: Re: Re:
The first 3 identify the state of issue,
The office where the number was issued, not just the state.
Re: Re:
Unless the person is older and you know where they lived when they got their SSN. Then you know the first 3 (or small subset of numbers). That leaves you with only 100 different possibilities.
Re: Re: Re:
http://www.mrfa.org/ssn.html
Re: Re:
The last 4 digits of an SSN are the ones that really matter: they’re the only digits that you cannot figure out through research. Which is why they sorta-work as an identity confirmation.
If you’re speaking in public, those are the most dangerous digits to reveal.
Using a persistent code like a social security number as “proof” of identity is stupid in the first place. Anyone you’ve ever “proven” your identity to in that manner subsequently knows your number and can “prove” to anyone else that they’re you.
Re: Re:
This. Particularly since the SSN is explicitly, specifically, and legally not intended to be a universal ID # and does not do a good job of it even if it remains completely secure.
The only legal uses for an SSN are as a taxpayer ID (and you can use an actual taxpayer ID # instead) and to administer social security.