Next time you call customer service to manage one of your accounts and they ask you for pseudo-private information like your SSN or Mother’s maiden name, ask them for their name. When they ask why (feel free to prompt since this probably isn’t completely out of the ordinary) let them know that you are keeping track of people who know your private information, just in case your identity gets stolen. Then explain that you want to keep a list of suspects handy for the police and since s/he had access to your information, they will be high on the list.
Feel free to repeat. If you are really ornery about identity theft (I’m not), make up a reason to call. Maybe you can make all CSRs so jittery that they complain.
Guerrilla Identity Protection
Next time you call customer service to manage one of your accounts and they ask you for pseudo-private information like your SSN or Mother’s maiden name, ask them for their name. When they ask why (feel free to prompt…
Similarly, I’d like to hear from people who try this speech on the next server they hand their credit card to when paying for dinner.
Was the goober in your dessert visible or did you have to search for it?
@PaulM -
Thanks for the thoughtful comment. There is a big difference between credit card fraud and identity fraud. Read here for details: http://spiresecurity.typepad.com/spire_security_viewpoint/2005/06/credit_card_num.html.
The flaw in this idea is that CSRs already have access to your identify information — you aren’t telling them anything they don’t already know.
CSRs use the data they request over the phone to authenticate you against on-screen data to which they already have access. When you answer these questions (SSN, mother’s maiden name, etc.), you’re just confirming that you are who you say you are, based on the fact that you know these “identifying details” about yourself. When a CSR calls up your account on their computer, they are looking at your SSN and mom’s old name already – they just want you to confirm it for them so that they know they aren’t letting some other yahoo mess with your account.
If you’re that concerned about ABC Company and all of its employees having access to your identity information, then you shouldn’t create an account with them in the first place. Of course, if that’s the stance you take with most companies, then good luck getting a credit card.
@Bryce -
I know they have the information. What they (possibly) have not internalized is the notion that this puts them at risk of being a suspect in some future identity fraud case.
The point is that (honest) CSR’s should not want the amount of access they are given; they should welcome, even request, more stringent access control and/or auditing.
This is true in enterprises as well – think help desk reps with admin accounts or DBAs with complete access to data.
Investigators look for opportunity first, then motive.