Dennis Hackethal’s Blog

My blog about philosophy, coding, and anything else that interests me.

Quick Security Tip

Published · revised · 1-minute read · 2 revisions

Follow this tip at your own risk.

When you call a company's customer service, the rep usually needs to verify that you are indeed the customer you claim to be. To do so, they may ask you for certain pieces of sensitive information that you have previously provided and that only you should know.

The only problem is that you also need to verify that they should have access to that information. Otherwise, a disgruntled customer representative may gather (and potentially share) information about you that you did not need to provide. Do you remember if you ever gave your dental insurance your social-security number? Maybe you never did. But would you even remember which kinds of sensitive information you have shared with which businesses?

Say they ask for the last four of your social – 1234. If they have this number on file, they will notice when you make a mistake.

I recommend that you purposefully make a mistake that's small enough that even someone authorized to have it – you – could make it. It needs to be the kind of mistake that you could make because you were momentarily distracted or absent-minded, say. For example, you could simply swap two numbers – 1324 – or increase one of the numbers by one – 1235 – or swap a 1 for a 7 and vice versa since they're fairly easy to confuse.

Now, does the rep complain? If they do, say, 'my bad' or, 'did I say 1324? It's 1234'. If they do not complain, they had no way of verifying this information in the first place, and luckily you didn't just leak the correct number. You should hang up.

Although you have divulged some information, the attacker won't know how to fix the mistake. Even if they suspect you made a mistake on purpose, they won't know which digit(s) you changed by how much.

Keep in mind however, that the mistake has to be small enough to seem innocent. If the rep suspects you're a hacker, they may (and should) take appropriate action. For example, if you call your bank and make a big enough mistake, they may lock you out of your online banking.

And to be clear, this tip is for when you call them. Never divulge any information when somebody calls you and claims to represent some company. In that case, hang up and call the company's official number from their website, then ask for confirmation that they just called you. If they did not, report a phishing attempt.


What people are saying

What are your thoughts?

You are responding to comment #. Clear

Preview

Markdown supported. cmd + enter to comment. Your comment will appear upon approval. You are responsible for what you write. Terms, privacy policy
This small puzzle helps protect the blog against automated spam.

Preview