I know they have the information. What they (possibly) have not internalized is the notion that this puts them at risk of being a suspect in some future identity fraud case.

The point is that (honest) CSR’s should not want the amount of access they are given; they should welcome, even request, more stringent access control and/or auditing.

This is true in enterprises as well – think help desk reps with admin accounts or DBAs with complete access to data.

Investigators look for opportunity first, then motive.

CSRs use the data they request over the phone to authenticate you against on-screen data to which they already have access. When you answer these questions (SSN, mother’s maiden name, etc.), you’re just confirming that you are who you say you are, based on the fact that you know these “identifying details” about yourself. When a CSR calls up your account on their computer, they are looking at your SSN and mom’s old name already – they just want you to confirm it for them so that they know they aren’t letting some other yahoo mess with your account.

If you’re that concerned about ABC Company and all of its employees having access to your identity information, then you shouldn’t create an account with them in the first place. Of course, if that’s the stance you take with most companies, then good luck getting a credit card.

Thanks for the thoughtful comment. There is a big difference between credit card fraud and identity fraud. Read here for details: http://spiresecurity.typepad.com/spire_security_viewpoint/2005/06/credit_card_num.html.

Was the goober in your dessert visible or did you have to search for it?

Next time you call customer service to manage one of your accounts and they ask you for pseudo-private information like your SSN or Mother’s maiden name, ask them for their name. When they ask why (feel free to prompt…