At one of my jobs I worked at an internal call center that had somewhat lax security procedures for identifying people. All that changed
when the hacker nation attacked after someone impersonated a worker and accessed private files for an unknown period of time.
We were recently given a written directive from the person in charge of security that the date of birth was the minimum acceptable point of validation and no one could refuse to give that if they wanted service. While a lot of mid-level managers were still somewhat lax on procedures in my view (you could “recognize” people and skip the authentication process), I’m a very by-the-numbers kind of guy and treated everyone evenly, so would ask the challenge question every time. This brought up other fun drama where one of my coworkers tried to report me to my boss for asking a challenge question when she thought I should just have skipped it because she thinks I knew the person “well enough” and thus was a bad person for making them answer the tough, difficult question.
We had other, more secure means of validating someone but they were only to be used if the date of birth was missing for some reason. I’ll point out that I feel like the date of birth as a means of protecting one’s identity is a bit naff considering that Facebook is a thing now, but that’s not my call.
So, I get contacted by this lady, Stacey. To be clear, I had never spoken with her before.
Stacey as born on January 1st, 1847. (Details changed.)
I know this.
She knows this.
She knows I know this.
She won’t tell me the date of birth because “it’s private information.”
Carter: “Well, yes, it is Stacey, but I need to validate who you are.”
Stacey: “I don’t want to say it, because if I say it, then it will be recorded and people will know it and that’s not safe!”
Carter: “Okay, but I have it right in front of me.”
Stacey: “I won’t say it.”
Carter: “Then I can’t proceed with your password reset.”
Stacey: “Just ask me another question.”
Carter: “I need to ask you this one.”
Stacey: “I refuse.”
Carter: “Then I’m afraid that I can’t reset your password.”
Stacey: “Who can I speak to?”
Carter: “You can contact your manager or the person in charge of Security Governance for the company. His extension is xxxx and his e-mail is firstname.lastname@example.org.”
Four. Hours. Later.
Woman: “Hi, I want a password reset please.”
Carter: “Okay, what is your name and date of birth please?”
Stacey: “Stacey, and do I really need to give your date of birth?”
Stacey: “But I didn’t before!”
Carter: “Well, I need it.”
Stacey: “But I don’t want to get recorded saying it, because if you record it and I say it then people will know! And if people know, they might use it!”
Carter: “We don’t do call recordings here.” [We don’t.]
Stacey: “Yes they do, it says it at the beginning of the call, I heard it!” [She didn’t.]
Carter: “I’m sorry, we don’t. And I can’t skip this.”
Stacey: “Well, if you are sure… January 1st, 1847.”
Carter: “Here’s your new password. Have a good day.”