It takes a 10 second google search to find contact numbers.
While that's straightforward for anyone who is reading this, that's actually a show-stopper for a number (a significant number I'd bet) of folks for any number of reasons including:
* no reliable internet connection
* just don't "get" the whole Google/internet search thing
* accidentally installed a trojan that redirects internet searches to scammer site so internet searches are useless
And these aren't random excuses I just made up, each of those are situations I've encountered with otherwise well-educated, upper-middle class to higher income individuals in the last few weeks.
So while I agree a better approach to telephone authentication is needed, a solution really needs to address the needs of 100% of customers, which this doesn't.
It's not only non-tech-savvy customers that are to blame.
There actually seems to be a trend amongst some corporations (for example ISPs/telcos) of a certain size to hide their phone number as well as possible. They'd rather route requests through an online ticketing system that is often of questionable value to the person requiring support. Usually you can find it somewhere in their impressum, but when you click on anything called "contact" or "support" you end up in a maze.
A Google search usually does it, but the phone number really should be easily available from the website.
(typed on my iPhone, where just seeing the whole line at once is often bothersome, and where not only are you likely to make typos but the keyboard takes liberties on massive, illogical corrections: please be kind to what may seem like illiteracy, if it shows up ;P)
Having widely available phone support, even with fancy automation, increases the price of the product you are selling, as even at minimum wage, a user calling in and fumbling their way through a poorly-worded and probably-not-even-legitimate complaint simply costs too much.
A lot of companies, even (if not especially) these very large ones that rely on their serious worldwide volume to turn a profit, are operating on margins lower than the food marts attached to gas stations on sticks of cheap gum, and yet customers often expect the level of service you get from an Apple Store.
As an example of this, I will cite my business: I sell software, mostly for $1, and the margin I keep after transaction fees and sales taxes, is on the order of pennies (not even dimes) per purchase; and in some jurisdictions, due to various pricing/taxation policies I should change, is negative.
If a customer asks me a support question that takes 10 minutes just to listen to (that's $1 right there), it's "game over": unless they go on a massive buying spree to get maybe a hundred programs from my store (unlikely), I have now permanently lost money on their account.
That is what tends to happen over the phone. People don't think of ten minutes as very long. Hell, I know I've done it myself: I call some company, and I end up nervous on the spot telling some rambling five minute-long story that only at the end remembers there was a point, and then have to clarify again.
For a concrete instance, I was recently left a voicemail by someone calling me because they purchased a phone from me off eBay and had some questions about the software on it... I don't sell phones on eBay: someone on eBay simply preinstalled a program of mine (this is quite common, btw). Just that part of the subsequent conversation with her (I decided to call her back, which I rarely do) cost $1.
The companies you then mention are textbook examples of ones whose scope customers don't understand: an ISP gets calls from customers saying that their Internet access is offline when really Facebook login is broken, or asking questions about email scams they received or tech support on their browser.
The result is that yes: a sane company (not mine: my personal cell phone number is on my website, not that it will help you, or even my friends, get through to me any more) will make their phone number difficult to find in a way that only smarter people will be able to find it, as a filter on the kind of calls they get.
You should probably actually consider this a feature, not a bug: this means that you, someone "tech savvy" enough to find the number--or to break out of the automated menu that otherwise does nothing but say "did you turn it on and off again" for a half-hour--has a chance in hell of getting actual service on the other-side.
Otherwise, you end up in situations where, as 99% of issues aren't even related to the product, and where it takes forever to listen to and understand the customer's complaint, the only thing you can probably do is get a refund, as sending a full refund is often cheaper than the time spent listening to the complaint.
That's actually pretty much Amazon's phone service: you can call them, and an automated system tells you how to ship your product back and get a refund. Most of the time, though, a refund is nice, but what you want is help: you want the service or product to work, but to make that happen, you need tons of cheaper hurdles to jump before "person on phone".
(By the way, even if you never offer a person, phones are expensive: a toll-free phone number runs you at least 1c/m, and could run you upwards of 2c/min; a good estimate is $1/hr. This puts a hard cap on how long a phone call can go before you start losing money on that customer: the best hurdles start before the phone call.)
The only way any of this is then workable at all is if no one ever needs support, so the few with issues are subsidized by the many who don't; but if you have things like "I forgot my password or username" on the list of things people might call about, almost everyone will call you eventually: every low-margin product needs these hurdles.
Again, I've even done that: I once called eBay from a party (Google I/O; I'm pretty lame: that's the most happening party I can tolerate, and I sat in the corner wearing earplugs), such that the person couldn't quite hear me, as I had a concern regarding the eBay login system: result being that I never had an account (apparently). (In my defense, it was time sensitive to me as I believe I was investigating a case of "phone bought off eBay" again with someone who was angry.)
> If a customer asks me a support question that takes 10 minutes just to listen to (that's $1 right there), it's "game over": unless they go on a massive buying spree to get maybe a hundred programs from my store (unlikely), I have now permanently lost money on their account.
Support is part of the cost of sales and needs to be factored in. So if you get a lot of support calls, you need to either raise the price to accommodate or you need to eliminate the need for support somehow. Either way, making the support experience worse for the customer is a terrible support cost cutting tactic.
Support is also part of the cost of the product and customers need to take that into account: this is a two-way street, and you can't just blindly assume that support is somehow the most important factor in deciding whether something will be purchased; I will even say it is downright naive (although popular in the entitled Web 2.0 culture) to claim that it is part of the "sales" process: some people just can't afford to pay that much money to get the product with the better support, so it is actually anti-sales.
In fact, it is actually quite often that people don't want to pay that, even if they can: many of my friends do not actually use customer service on their computers and they know enough not to call our ISP about stupid issues that have nothing to do with them. They therefore tend to optimize their purchases of these kinds of products based on other factors, like price, and if someone says "Verizon has terrible customer support" they don't care if it saves them money they can spend on other things.
What you are seriously saying is that the price of gum at the gas station should be higher so that the gas station attendant can have the time to hear every single complaint you might have about it: I'm sorry, but most people just want a cheap pack of gum. It is entirely market-dependent whether people are willing to shell out more money for better support. Would it be cool if everyone everywhere had great support? Maybe, but it certainly wouldn't be efficient, and people would have to buy a lot less.
As a sad logical conclusion of this, my business model simply doesn't work if you have to provide world-class support. You can say it is part of "sales", but honestly, in the end, you paid $1 for something: maybe all you need right now is a refund. People think it could work as a business, though, because they see Apple doing just that, but Apple makes their money on hardware with multi-hundred dollar margins, and then breaks even selling apps for those devices only because it is an interesting way for them to sell more hardware.
Yet, people want businesses like mine to exist. People go to thrift stores, they buy stuff at $1 stores, they purposely get Dell laptops (and wait until they are on sale with a special offer code), and PriceLine.com finally slumped, but it did so slower than the highly price-competitive airline industry that people complain about bitterly. Some people just don't feel that support is something they are willing to pay for: it is a form of insurance against the future that doesn't harm anyone else if you choose not to buy it, and so often you just don't and live with the consequences.
> Having widely available phone support, even with fancy automation, increases the price of the product you are selling, as even at minimum wage, a user calling in and fumbling their way through a poorly-worded and probably-not-even-legitimate complaint simply costs too much.
Here's an idea for a company in this kind of situation: move all call center staff to phone support. And then market the hell out of this fact. Like, "we the company X respect you as a customer, so we moved all our call-center staff to support. We won't call you with useless offers, and you can always call us if you have a problem." It would definitely help getting new customers, as well as keeping the old ones satisfied.
Yes, and some companies do that; this is not, however, a universal aspect of customers: many of them choose on price alone. In fact, there are ISPs who do exactly what you describe: by and large, though, the majority of people (if not always the majority of dollars) just optimize for lower prices, even if the result makes them unhappy due to poor product longevity or crappy customer support. You thereby are choosing your market, which leads to the massive dichotomies that exist between players like Dell and Apple.
You see this in computers (Apple only targets high-end customers for a reason, and you pay for all of those happy people everywhere), you see this in airline tickets (nothing makes me angrier than someone who complains about the food on a flight they optimized down to the penny using a service like PriceLine.com), you see this in food (people get angry that the food they eat is unhealthy, but don't take this into account as part of the price)... you just see this everywhere: people optimize on the one thing that is easy to optimize in the moment, and that is price.
Here's the thing. In the current broken model, there is a bank employee who has the time to call the customer up. When calling back, if the call routing is implemented efficiently, the same employee will answer the call. There will be no need to wait for the usual customer service.
For my bank, my response is always "I'll call you back on the number printed on the back of my bank card. Now, who do I ask for when I call?" So far, they've never expressed surprise and it's always been fairly easy to get back to the right department. So at least some banks seem to understand.
I've had people call me, where I explained all this to them and said I would call them back, only for them to say "do you want me to give you the phone number".
So then I have to explain that if I don't trust them to be who they say they are, then I certainly don't trust them to give me a phone number...
Even if the clue sinks in with the person on the phone, I doubt if it would do any good. That person isn't the one deciding who gets called and what gets asked of them.
FYI, the last four digits of your SSN are the only ones that are difficult to guess. The first five digits can be guessed pretty accurately based on your date and location of birth.
That was a really bad move on your part. Could be social engineering. Collections agencies don't need to confirm your social before making a collections call.
I actually make them tell me my SSN. I took a call like this from a collector once. There is another person with my name who skipped on his Verizon cell bill. I've never had a Verizon cell. I was polite; he was a bit aggressive, but I simply explained the fact that it couldn't have been me. I didn't reveal anything about my info.
I then called Verizon and confirmed with them that they didn't have a record of me (but yes had someone with my name). They confirmed he had a different SSN.
I then wrote a letter to the agency telling them that a 2 minute call to Verizon would confirm that I wasn't their man. I told them that I consider their failure to do so negligent, and I would hold them entirely responsible for any damage to my credit rating.
My credit rating was not affected- but it may have had nothing to do with my letter.
Exactly, what's the point of a security check if they keep asking you until you pass.
I had a similar experience when I tried to redeem some Travelers Cheques.
Clerk claimed signatures would not match, and wanted me to sign again at the back of the Cheques. She handed me a slip of paper and asked me to practice before I tried again.
I was baffled but certainly preferred that over being arrested ;-)
My dad hadn't signed his credit card, so she handed it back to him, told him to sign it, took it back -- and _compared_ the two signatures.
The only reason this kind of behaviour makes any kind of sense is if she (and the clerk in your example) were just going through the motions and didn't actually care about the security.
If a card is invalid (i.e. no signature), the cashier can ask for identification to verify your identity, and watch you sign. If the card is already signed, cashiers may not ask for ID as a condition of the sale, the transaction is considered valid if the signature on the card matches the signature of the receipt.
If your dad had simply signed the card prior to walking up to the counter, that's all the cashier would have been able to verify. So yes, card security is rather lax if it's not signed by the owner of the card immediately upon receipt.
I know this random information because I was a bit miffed that Walmart rejected my girlfriend's transaction because she did not produce ID with a signed card. The above applies to the Visa merchant agreement, I'm not sure about Mastercard or American Express.
Also -- "SEE ID" is not a valid signature, though you can write that over your signature and the card is valid. However, cashiers are not required to honor it.
> the transaction is considered valid if the
> signature on the card matches the signature
> of the receipt
In the example above, both the receipt and the card were signed at the register. It would be extremely odd if they didn't match, even if the person paying was a fraudster, therefore it's odd for her to verify them.
Why did you give out those 4 digits? Really, I would have never ever done that. If they want to confirm and they're calling you then they should authenticate themselves, not you!
When I declined to give them my details as they'd called me they proposed I give my date of birth with one number changed, and they'd tell me which one was changed and what the true value was.
That's obviously not a completely secure system, but validating by birth date isn't very secure anyway.
Figure 1/3rd of people will change the month, then you have 11 possibilities for the true value, so a scammer would be able to get about one correct answer for every 33 people they called... probably enough to make it worthwhile for them.
The best way around this is to end the call and then call the company back at their publicly listed phone number.
I typically do one of two things if I don't feel like calling them back.
1. Give them a wrong piece of contact information, like the wrong house address on the correct street. A scammer without this information would probably accept it; a company that already has this information will point out that it's wrong.
2. Only give them a part of the information, like the last digit of my house number, and ask them to supply the rest - this assures both of us that we're the person we're expecting to talk to.
Neat. Problem is that I would not consider my birthday private data, so I must assume that an aspiring scammer can get hold of it. (If for nothing else, just because I broadcast it on facebook.)
They solved the first half of the puzzle: that is, how to verify the knowledge of a piece of information without any of the parties leaking too much of it. But they did this with a piece of information the knowledge of which is not worth verifying.
The whole verification of somebody over a phone without a previously agreed non-personal identification code has always bemused me.
The difference between "Hello MR X this is your bank, before we talk any further we need to ask you a few security questions about you" and "Hello, what you wearing" are not that far apart.
I recall one long conversation with my mobile telco provider at the time because they called from a number I did not recognise and ended up in a "you move first" in the quest to verify each other. I asked ok so you want my date of birth, tell me the year and I will confirm the rest - you see the stalemate that ensued. For them to prove they were who they said they were, they would have had to divulge private information they can only divulge to me after they have proven that I am me, yet you see the lament of it all.
The focus is all about individuals having the ability to prove who they are to people who do not prove who they are and then cause both stress with fraud and the like wondering how can this happen.
Sure you can use a different email address for every secure contact and even phone numbers and addresses to some level of protection. But you only get one date of birth, one mother's maiden name, one my first pet's name and with that I like to vary the pet and maiden names in that I never divulge the true actual answers. Nothing at all saying your mother's maiden name is "Joan of arc" or other random answers that you will remember.
I do advocate getting a premium number or a number that pays you be it some mobile service that gives you minutes for every minute people call you or some payback premium number. Then let that spam out and enjoy all the cold calling and sales calls you like knowing you gain from it.
But when you get a call from somebody who has to ask you security questions then ask yourself, how do they prove who they are to you before you give them private confidential information.
>Assume everyone asking for such things are scammers.
That's excellent advice, and everyone should follow it. Unfortunately some banks disagree and will cancel your credit cards when you fail one of their fraud check phone calls.
> And guess what, the only way to be sure that it’s your bank you’re talking to, is to call them yourself. Period. Some callers tell you details of your account as a way of identifying themselves.
There's a scam in the UK where they call you, and ask you to call them back. You hang up, then pick up the phone and dial the number. But because they initiated the first call the line doesn't clear until they hang up, and they don't hang up while you're dialling the number. (And they sometimes play recorded ring tones before they "answer").
That seems like an odd way to run a phone system. Couldn't I keep someone from making any outgoing calls just by calling them once, and leaving my phone off the hook?
It varies a lot, or at least it used to. Keeping the phone line open and expecting a callback is a scam so classic it's even in the first edition of "Practical Unix (now "and Internet") Security" in the section on securing your modem pool.
> Call charging ends when the telecoms company disconnects the call. This is usually but not always when the caller hangs up and the call appears to end.
> Voice calls: The caller originating the call must hang up for the call to end. The person receiving the call may hang up, but this will not end the call unless the originating caller also hangs up. Only when the originating caller hangs up then will call charging end. You should always check you've replaced the receiver correctly. If you have any concerns that your call has not ended, you should check that you have a dial tone - this indicates the previous call has ended.
---
Here's a story from the shitty Register about this method of scamming people:
Wow, thanks for the clarification. That's incredibly stupid, I can't see the upside in that, aside from the telecom being able to charge more minutes per call (which is likely why it still functions that way.)
Sure, we just walk to the other extension and pick it up first. The minor amount of time saved sounds like a poor trade-off considering the potential for harassment.
The potential for harassment is greatly ameliorated by the fact it's the caller who pays -- receivers don't pay anything in the UK, ever. And while you're harassing, you can't use your phone.
I don't think I've ever heard of anyone being harassed in this way. A few pranks, maybe.
My credit union does this in the other direction (I have a pre-established secret word that they ask for in order to prove I'm myself; I think there's even another one I'm supposed to use if I'm under duress, but I can't recall).
Possibly overthinking but... Bank calls my phone, someone other than me answers, bank says "plugh", that someone else can then at a later date call me and I will believe they are my bank.
We've created Discourse ( https://www.discoursehq.com ) to let big corpo have a direct link with their customers so they don't have to call them - instead they just send a message and nature of our channel is that customer can engage in a conversation, get more details etc. Would you, dear HNers, use it? We will launch first big brand customer in December.
My bank recently asked for my password on the phone in order to identify me. They literally wanted me to tell them the password I use for my online banking account. I made a scene of course, then we settled for the birthdate.
There's a valid point in this, but the article seems to miss it when he says "In fact, if I hear the caller telling me personal details about myself, I hang up even faster."
On the contrary, that's perfectly valid. They've already partially validated that they're talking to you. The attack scenario of stealing identities by getting banks to call someone while you intercept the phone call isn't plausible.
Back in 2008, Wells Fargo called me up and asked me to verify myself via a similar system. I refused and called the number on the back of my credit card and identified myself to their fraud department that way.
This year, same scenario (suspicious purchases), but this time the fraud department just asks if they are speaking to me and then asks me whether I recently bought two tickets to China and a new car stereo. So learning has occurred.
The reason calling a company back at a listed number doesn't work is that companies very rarely operate their own call centers, and they very often outsource functions to more than one call center at a time, and they very often shift work between these call centers over time.
For example, the call center you reach when you call the number on the back of your credit card is not the same one that calls you when the bank flags a suspicious transaction on the card. The first is an inbound call center hired and trained on service scripts, the second is an outbound call center that only handles the fraud checks and is probably serving multiple banks.
They're possibly not even in the same country. They're possibly not even the same depending on what time you call -- Comcast, for example, has inbound call centers in the US open during business hours, but routes calls to the same number to Indian call centers during late night hours.
Each call center has different training and different access to the customer accounts. The inbound tech support call center doesn't have access to the company's billing systems, while the outbound fraud verification call center doesn't have access to support tickets.
Having everyone a company tries to reach by phone call back at the company's phone number would lead to a phone menu with more options than buttons on your phone.
The way my bank does it is to ask me to confirm details. So they will give me a choice of 3 months, 3 days and 3 years for my date of birth and I have to pick the correct one. They also ask me to confirm recent transactions (though there has never actually been a fake one). It's not perfect and I agree a ticket/reference code I could ring back and give them would be better, but it's better than just flat-out asking for details.
My bank insists on checking personal details when they ring me. My protocol is to answer incorrectly the first time, and if the caller doesn't realise my details are incorrect, they didn't know them in the first place!
When they ask you to identify the correct date, they're validating you. Either way, you're giving them your birthday just the same (a malicious caller could use that technique to confirm a date).
Yeah. These practices are plain stupid and I do the same. YOU tell me who you are and I'll call you. Don't even give me your number because it could still be a trap. For example, if it's a credit card company, if I can't call back at the number on the back of the card to know what's this about, they're doing something wrong.
I agree this is very annoying, as are the conversations with the call-centre staff who can't believe you won't give out this information freely "I'm sorry sir, you have to, it's company policy". I generally challenge them to provide 3 half-pieces of non-critical information to verify who they are, but there must be a better way?
Surely this is ripe for disruption - can't the telcos provide a "Verified Caller" service in the same way as browsers now do to prevent phishing?
So let's say HSBC call me, their name will be in red on my iPhone with "verified caller" listed below, having confirmed their details with the telco beforehand. That would solve the problem, and provide a little extra revenue for telcos...
> Call the customer and give them a reference/ticket number and ask them to call you back quoting that number.
I'm not sure what would that accomplish.
What would prevent someone else than me that they reached by accident from calling them back with the ticket number that they gave him when they assumed it was me?
IMHO everybody should have government issued keypair with public part easily checkable on government site.
When they want to confirm your identity they just ask you to sign something random with your key. "To confirm your identity sir please enter the following into your government issued identity card and read to me back what you see on the display of the card."
The ticket number isn't to confirm your identity -- it's just so that you can pick up whatever message they need to deliver.
Before giving you that message, they might ask you security questions, etc., which you'd be able to answer (because you called them back at their listed phone number and you know it's them).
I'm not sure how it goes in USA but in the countries I know when the child is born his/her name gets registered at government office and when the child reaches 18 he/she gets plastic card that is his/her proof of identity.
I think this id card should contain private key securely embedded and public key easily readable and that government should publish public keys. To avoid leaking of private key this ID card should be able to cryptographically sign given data without revealing private key.
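
The challenge-response idea in the comments above (sign a fresh random value with a key that never leaves the card, check it against the published public key), as an added example that is not part of the original thread. `IDCard`, `Verifier`, `ExampleBank` and `citizen-1` are hypothetical names, Ed25519 is an assumed choice of signature scheme, and the full signature stands in for whatever short code a real card would display.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"errors"
	"fmt"
)

var (
	ErrUnknownID    = errors.New("no published key for this ID")
	ErrNoChallenge  = errors.New("no outstanding challenge (possible replay)")
	ErrBadSignature = errors.New("signature does not verify")
)

// IDCard is the hypothetical identity card: it signs on request but has no
// method that returns the private key.
type IDCard struct {
	priv ed25519.PrivateKey
	Pub  ed25519.PublicKey // the part published on the registry
}

func NewIDCard() (*IDCard, error) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return nil, err
	}
	return &IDCard{priv: priv, Pub: pub}, nil
}

// bindContext ties a challenge to the verifier it was issued by, so a
// signature produced for one verifier does not verify at another.
func bindContext(verifier string, challenge []byte) []byte {
	msg := []byte("phone-id-v1|" + verifier + "|")
	return append(msg, challenge...)
}

// Sign is what the card holder does after typing the challenge into the card.
func (c *IDCard) Sign(verifier string, challenge []byte) []byte {
	return ed25519.Sign(c.priv, bindContext(verifier, challenge))
}

// Verifier is the calling organisation's side. registry stands in for the
// public key list that the comment proposes the government would publish.
type Verifier struct {
	Name     string
	registry map[string]ed25519.PublicKey
	pending  map[string][]byte // one outstanding challenge per ID
}

func NewVerifier(name string) *Verifier {
	return &Verifier{Name: name,
		registry: map[string]ed25519.PublicKey{},
		pending:  map[string][]byte{}}
}

func (v *Verifier) Register(id string, pub ed25519.PublicKey) { v.registry[id] = pub }

// NewChallenge issues a fresh 128-bit random value for one verification.
func (v *Verifier) NewChallenge(id string) ([]byte, error) {
	if _, ok := v.registry[id]; !ok {
		return nil, ErrUnknownID
	}
	nonce := make([]byte, 16)
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	v.pending[id] = nonce
	return nonce, nil
}

// Check consumes the outstanding challenge whether or not the signature is
// valid, so a recorded response is useless on any later call.
func (v *Verifier) Check(id string, sig []byte) error {
	nonce, ok := v.pending[id]
	if !ok {
		return ErrNoChallenge
	}
	delete(v.pending, id)
	if !ed25519.Verify(v.registry[id], bindContext(v.Name, nonce), sig) {
		return ErrBadSignature
	}
	return nil
}

func main() {
	card, err := NewIDCard()
	if err != nil {
		panic(err)
	}
	bank := NewVerifier("ExampleBank")
	bank.Register("citizen-1", card.Pub)
	ch, err := bank.NewChallenge("citizen-1")
	if err != nil {
		panic(err)
	}
	sig := card.Sign("ExampleBank", ch)
	fmt.Println("fresh response:", bank.Check("citizen-1", sig))
	fmt.Println("same response again:", bank.Check("citizen-1", sig))
}
```

This proves the customer to the organisation only; the customer still has no proof of who is on the other end, which is the part calling back on a listed number addresses.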
I needed to reset my Comcast password, the support person asked me "what was your last password?" and he was upset that I didn't tell him/her! Unbelievable.
A - the bank, asking for some details, is trying to confirm the identity of the customer.
B - the proposed protocol - calling back with a ticket number - is trying to confirm the identity of the caller.
both seem to be trying to solve reasonable problems, but they're not equivalent.
maybe the point [aha! - see reply - also, hi leif, i think i knew you on quora] is that you should not give personal details (A) until the company identity is clear (B). that makes sense. but that means that you need both - you call back and then they ask for personal details (B then A).
[and i am not convinced the original author understood all this.]
The problem is that authenticating the customer is harder than authenticating the bank. If I call my bank, I can pretty well trust (within reason) that I've reached my bank. Once that happens they can authenticate me by asking for my private information, which I am not comfortable with unless I authenticate them first. Calling back with a ticket number doesn't solve both auths, but it does order them in a secure way.
Been here, my wife too. I will not respond to calls like this nor phone offers for financial services. Especially not when they say they do not have any info that they can send to me beforehand.
It seems though that the problem is that even if reliable companies discontinued this practice, people truly attempting to scam you could be mistaken for tactless companies.
I had pretty good luck with http://www.trapcall.com/ when I had a phone stolen and the thief called me back. Didn't get the phone back, but the system worked as promised.
If you use an internet phone system, you can easily put the name you want on the caller id. Which makes it a lot easier to fool people. So, just like he said, I think it's better to just say I will call back. ;-)