Shostack + Friends Blog Archive


Call Centers Will Get More Annoying

There’s an article in “destination CRM,” “Who’s Really Calling Your Contact Center?”:

…the identity questions are “based on harder-to-steal information” than public records and credit reports. “This is much closer to the chest than a lot of the public data being used in other authentication systems,” she says, adding that some companies using public data include Acxiom, ChoicePoint, and LexisNexis. Higginson gives the example of asking someone the birth date of an individual who used to share an address with him. “There is no public data source to have a question like that answered,” Higginson says, arguing that it would take multiple documents to try and piece together exactly who the other individual is, where she lives now, verify that she did at one time share an address with the caller — and then still have to verify her birth date.

A couple of comments:

  • This seems tremendously intrusive. I don’t want some random call center drone to think they know “everything” about me, to quiz me about my life, or to tell me that I’m wrong if I disagree with their database.
  • This perpetuates the idea that we are our data shadows. I’m not a line in a database. I am a living, breathing person.
  • Errors in databases, such as those created by ID theft, become more damaging to both the customer and your relationship with them.
  • The data being used is likely something like Choicepoint’s Bridger Insight (PDF; link no longer works). Quoting the press release:

    ProID Quiz lets users authenticate customers’ and prospects’ identities with greater certainty. Prior to servicing an account or conducting a transaction, a customer service representative can generate a “quiz” composed of random, multiple-choice questions. The questions are based on “out of wallet” information such as former roommates or one’s previous home builder.

    So access to the Choicepoint database becomes even more valuable to thieves.

A company which deploys this sort of thing will lose me as a customer. As Debix points out, your real customer knows who they are. Involve them via multi-factor or multi-channel communications.

More generally, this seems like it would be symptomatic of a company that had lost sight of its customers. Who stops and thinks, “What our customers really want is to be interrogated. That will make them feel better”?

4 comments on "Call Centers Will Get More Annoying"

  • Vox Libertas aka Jim Burrows says:

    Umm… But…
    If the call center or a call center employee can verify such a question from the documents in their database, then another call center or call center employee can spoof the subject by answering based on the same body of information.
    This assumes that the bad guys have no computer resources. At the very least it is unwise to either assume that the bot herders have no resources or that no call center can be infiltrated.
    This isn’t just intrusive. It is ill-considered and stupid.

  • David Brodbeck says:

    This also leads to the possibility of inadvertently creating the impression of bias if the questions aren’t chosen carefully. An example would be the TSA employee who asked someone their political affiliation. They were just checking to see if it matched what was in the computer, but the implication was that Democrats and Republicans might be treated differently.

  • albatross says:

    I wonder how hard it would be to automate (or semi-automate) running the grandmaster’s attack on this kind of scheme.
    Alice calls Mallory, Mallory calls Trent, and then each question Trent asks gets reflected back to Alice from Mallory.
    An even easier version would be to reroute the call (how many people are calling over relatively vulnerable VOIP?), play silent man in the middle until the authentication is done, and then “get disconnected” and do whatever bad stuff is to be done.

  • Douglas Rea says:

    MOBILE TREK (Because In Space No One Can Hear You Dial), is a humorous, zany, off-the-wall lampoon of mobile phone call centres and is currently available in e-book form from For anyone who ever worked in a call centre, or had to phone one and thought they were connected to some spacecraft in the distant future. USS Cellforce 1 is an intergalactic mobile phone call centre, in which Captain Pilchard battles other networks for communications supremacy.
    “Anything resembling anything living…..isn’t???
    Kind Regards,
    Douglas Rea.
