Security Fail: Why Call Centers Leave Us Hanging

Call centers act too much like they are running phishing scams, and it is hurting customer service and enterprise security.

Everyone has his or her own negative experience with call centers. My recent experience illuminated how we’ve gotten everything backwards with security. Please indulge me while I tell you a quick story so you can see where I’m going with this.

Like many people, my wife and I have all of our bills set to autopay via debit card online. We recently had to switch those cards when our bank swapped our cards because of a breach. No problem, we switched all of the accounts. Except we forgot one.

That service provider called me today and, via an automated voice, told me my account was past due and I was in danger of having my service cut off. No problem, I just needed to switch the card information. I stayed on the line, following the prompts provided by the robo-call, which eventually took me to a nice woman. In no way do I blame this woman for this situation. But here follows a paraphrased version of our passion play:

Me: I'd like to change the card on my autopay and pay my balance.
Her: No problem. I just need your phone number and customer ID.
Me: Here is my phone number, but I don't know my ID.
Her: I need the ID number to verify your account.
Me: But you called me.
Her: Yes sir, but we need to know who you are.
Me: But you called me. You should know who I am.
Her: (Uncomfortably repeating that she needs to verify I'm me.)
Me: But what's the big deal if I decide to pay someone else's account?

Ultimately this ended in my saying rude things and deciding to pay online. I won't get into that particular nightmare (or the fact that we ended up having to call back) because it is not relevant to the story. Again, this is no criticism of the very professional and patient young woman on the phone. She was very well trained, and did only what she was asked to do.

The problem comes from IT. Think about the similarities between what this supplier did and what the "bad guys" do. They essentially called me and then asked me to verify myself, when it should have been the other way around.

If I were a criminal on a phishing expedition, I'd call someone, tell him or her I represent a company, tell him or her there was a problem, and ask him or her for personal information and a credit card. What did this legitimate service provider do? It called me, told me there was a problem, asked me for personal information and a credit card.

The company should actually be demonstrating to me that it knows me, that it is a trusted entity. Instead, the company made it harder for it to get paid, and it put me in an awkward situation in which I could have been forced to give up private information just to pay my bill.

This is not a problem exclusive to this particular provider. I've been called by other companies I was a customer with, and at some point I've been asked to provide information they should already have.

If IT wants to get serious about security, maybe it should start by reviewing company practices in the call center. For starters, call centers should assume that no one is sitting in my house while I'm away at work just hoping a company will call so he or she can pay my bill. Trust me, I wish there was.

Second, call center callers should start by verifying themselves, and showing people how much they know about them, not the other way around. If they must verify the caller (in case they aren't sure if a person moved or whatnot) they should be able to provide information first, before asking the called party to do the same.

Last, they should make it easier for professionals to draw the data they need in order to do their jobs without forcing customers to give this information to them either as verification or for the purposes of changing account information. This merely puts the customer in an awkward situation.

No one likes to hear bad call center experiences. It is like a card player telling you he or she had a full house and got beat by someone with four of a kind. But, this isn't about the call. It is about the security practices of call centers. Professionally run, organized call centers are acting like simple con men. It has to stop. Or else we can never expect customers to take security seriously either. Change your best practices and you'll see happier and safer customers.
