Challenge Questions … a tale from reality

Last weekend I was in a shop buying a new subscription for my mobile phone. As usual I was hit by an avalanche of questions asking for my name, address, shoe size … One question in particular caught my attention …

The shop attendant asked me “for a password”, a password I could use if I couldn’t go to one of their shops and had to call their call center. By supplying the password to the call center they could verify it was really me.

I don’t know about anyone else but I personally call my mobile subscription provider about once every 5 years. The service they offer just works, rarely needs change and if it does need change, they often have a website to help you out. Chances are high I would have completely forgotten the password by the time I had to call them.

The conversation with the shop attendant went like this:

  • Attendant: “You have to choose a password, a password you can use when calling our call center
  • Me: “Oh … hmm … how many times can I guess when I am calling in?
  • Attendant (realizing I was afraid of forgetting the password): “We will give you hints if you forgot it
  • Attendant (still aiming to give excellent customer service): “People often choose the PIN code of their credit or debit card ...”
  • Attendant (now realizing not everyone liked this idea): “… but of course you don’t have to, you can pick any word

At that moment I tried not to, at least not obviously, show my emotions about this conversation.

This method to verify who is calling is flawed to say the least. Due to the very low frequency people have to call in, most people will have forgotten their password. Unless of course they used their PIN code, which they hopefully still remember. Since call center employees can obviously read the password (they need to verify it) they have clear text, and probably unnoticed, access to a lot of PIN numbers. Do I need to add that call centers employees are not the most loyal employees you can find?

The fact they give hints when you call in, is stupid as well. Not only do they admit their system is flawed by design, they also help in under mining it themselves. Imagine this conversation when a hacker calls in:

  • Hacker: “Hi, I am John and I need to change my subscription plan
  • Call Center: “Hi John, could you give us your password please
  • Hacker: “Oh, I forgot it … could you give a hint?
  • Call Center: “It looks like your birth year or perhaps your PIN code
  • Hacker (after a quick look on Facebook): “My year of birth? That should be 1975.
  • Call Center: “Sorry John, that is not correct, perhaps it’s your PIN code?
  • Hacker: “No, I would never give my PIN code to you, could you give me the first number? Perhaps I recognize it
  • Call Center (re-assured it could not be his PIN code): “It starts with 5 John

I am sure someone much more experienced in social engineering (I have virtually none) can get someone’s PIN code this way.