Security Fail: Why Call Centers Leave Us Hanging - InformationWeek

InformationWeek is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

IT Life
05:16 PM
David Wagner
David Wagner
Connect Directly

Security Fail: Why Call Centers Leave Us Hanging

Call centers act too much like they are running phishing scams, and it is hurting customer service and enterprise security.

7 Dirty IT Words: Don't Say These In The C-Suite
7 Dirty IT Words: Don't Say These In The C-Suite
(Click image for larger view and slideshow.)

Everyone has his or her own negative experience with call centers. My recent experience illuminated how we’ve gotten everything backwards with security. Please indulge me while I tell you a quick story so you can see where I’m going with this.

Like many people, my wife and I have all of our bills set to autopay via debit card online. We recently had to switch those cards when our bank swapped our cards because of a breach. No problem, we switched all of the accounts. Except we forgot one.

That service provider called me today and, via an automated voice, and told me my account was past due and I was in danger of having my service cut off. No problem, I just needed to switch the card information. I stayed on the line, following the prompts provided by the robo-call, which eventually took me to a nice woman. In no way do I blame this woman for this situation. But here follows a paraphrased version of our passion play:

Me: I'd like to change the card on my autopay and pay my balance.
Her: No problem. I just need your phone number and customer ID.
Me: Here is my phone number, but I don't know my ID.
Her: I need the ID number to verify your account.
Me: But you called me.
Her: Yes sir, but we need to know who you are.
Me: But you called me. You should know who I am.
Her: (Uncomfortably repeating that she needs to verify I'm me.)
Me: But what's the big deal if I decide to pay someone else's account?

Ultimately this ended in my saying rude things and deciding to pay online. I won't get into that particular nightmare (or the fact that we ended up having to call back) because it is not relevant to the story. Again, this is no criticism of the very professional and patient young woman on the phone. She was very well trained, and did only what she was asked to do.

[ What did the Anthem breach teach us? Read Anthem Hack: Lessons For IT Leaders. ]

The problem comes from IT. Think about the similarities between what this supplier did and what the "bad guys" do. They essentially called me and then asked me to verify myself, when it should have been the other way around.

If I were a criminal on a phishing expedition, I'd call someone, tell him or her I represent a company, tell him or her there was a problem, and  ask him or her for personal information and a credit card. What did this legitimate service provider do? It called me, told me there was a problem, asked me for personal information and a credit card.

The company should actually be demonstrating to me that it knows me, that it is a trusted entity. Instead, the company made it harder for it to get paid, and it put me in an awkward situation in which I could have been forced to give up private information just to pay my bill.

(Source: PublicDomainPictures via Pixabay)

(Source: PublicDomainPictures via Pixabay)

This is not a problem exclusive to this particular provider. I've been called by other companies I was a customer with, and at some point I've been asked to provide information they should already have.

If IT wants to get serious about security, maybe it should start by reviewing company practices in the call center. For starters, call centers should assume that no one is sitting in my house while I'm away at work just hoping a company will call so he or she can pay my bill. Trust me, I wish there was.

Second, call center callers should start by verifying themselves, and showing people how much they know about them, not the other way around. If they must verify the caller (in case they aren't sure if a person moved or whatnot) they should be able to provide information first, before asking the called to do the same.

Last, they should make it easier for professionals to draw the data they need in order to do their jobs without forcing customers to give this information to them either as verification or for the purposes of changing account information. This merely puts the customer in an awkward situation.

No one likes to hear bad call center experiences. It is like a card player telling you he or she had a full house and got beat by someone with four of a kind. But, this isn't about the call. It is about the security practices of call centers. Professionally run, organized call centers are acting like simple con men. It has to stop. Or else we can never expect customers to take security seriously either. Change your best practices and you'll see happier and safer customers.

Attend Interop Las Vegas, the leading independent technology conference and expo series designed to inspire, inform, and connect the world's IT community. In 2015, look for all new programs, networking opportunities, and classes that will help you set your organization’s IT action plan. It happens April 27 to May 1. Register with Discount Code MPOIWK for $200 off Total Access & Conference Passes.

David has been writing on business and technology for over 10 years and was most recently Managing Editor at Before that he was an Assistant Editor at MIT Sloan Management Review, where he covered a wide range of business topics including IT, ... View Full Bio
We welcome your comments on this topic on our social media channels, or [contact us directly] with questions about the site.
Comment  | 
Print  | 
More Insights
Newest First  |  Oldest First  |  Threaded View
User Rank: Ninja
3/5/2015 | 7:56:14 PM
Re: Call Center Hell
The one thing about call centers that drives me absolutely crazy is when they ask for all my contact info multiple times. Most caller profiles, as Dave explained, are totally idenfiable simply by phone number. But you talk to the intro person first who then sends you to the specialist and if the issue is not resolved you go to a manager. All ask for verification of phone and mailing address. So annoying.
Thomas Claburn
Thomas Claburn,
User Rank: Author
3/5/2015 | 3:59:10 PM
Re: Call Center Hell
I find that you can pretty much hang up on any company that calls you without any repercussions. The exceptions are so rare as to be not worth mentioning.
User Rank: Ninja
3/5/2015 | 1:51:36 PM
Re: Similar problem when my credit card company calls to say there is fraudulent charges
I agree, it's bad enough that many consumers deal with a huge influx of robo dials about free trips, but if you call me about my account, from a random 1-800 number, ofcourse I will be suspicious.  The last thing I am going to do is answer security questions unless I can prove that you are calling from the company you claim to be.  It's amazing that many companies haven't thought about these risks and made changes to better improve how they communicate with customers to ensure that customers especially, are satisfied the right security controls are in place.
User Rank: Apprentice
3/5/2015 | 9:18:25 AM
Similar problem when my credit card company calls to say there is fraudulent charges
My credit card company has called to ask me about suspicious charges. I never answer calls from random toll-free numbers, as nothing good can come from most of them. What irks me is that they leave a message saying to call back on a number other than the one on my card. I won't do that, as I don't know their fraud number by heart, so I call the number on the card, just a few more steps. But why, when they transfer me around do they have to ask the same account verification information.

I'm not looking forward to when all calls go via VOIP, and even our outgoing calls can't be trusted to go to who we called.
User Rank: Apprentice
3/5/2015 | 1:34:34 AM
Companies and their policies
Today we can see every other company with its own unique policies going on asking information after information from clients although they have got them all in their systems. I have gone through long conversations from bank customer centres keep enquiring the same things they have already got. At online help service | i have found many such pieces of information facing the same problem from some customer centres. On the other hand there are call centre agents who at least once or twice a week calls and sell their items, irrespective of the fact that one is getting disturbed. These things should get stopped some how.
User Rank: Ninja
3/4/2015 | 7:33:19 PM
Call Center Hell
I get called CONSTANTLY by call centers trying to get me the change my electricity provider. Judging by the accents, the calls originate in Pakistan or India. The faked caller ID suggestes they are calling from a local area code. The ask for my account ID from my current supplier, so they can "check my rate." What I learned from the real electric company is that once they have that number, they can assign my electric bill to their company, at whatever rate they choose, for any number of years.

Unless it's a reverse 911 from local authorities about a local emergency, I always assume anyone calling on an automatic dialer is up to NO GOOD.
2021 Outlook: Tackling Cloud Transformation Choices
Joao-Pierre S. Ruth, Senior Writer,  1/4/2021
Enterprise IT Leaders Face Two Paths to AI
Jessica Davis, Senior Editor, Enterprise Apps,  12/23/2020
10 IT Trends to Watch for in 2021
Cynthia Harvey, Freelance Journalist, InformationWeek,  12/22/2020
White Papers
Register for InformationWeek Newsletters
The State of Cloud Computing - Fall 2020
The State of Cloud Computing - Fall 2020
Download this report to compare how cloud usage and spending patterns have changed in 2020, and how respondents think they'll evolve over the next two years.
Current Issue
2021 Top Enterprise IT Trends
We've identified the key trends that are poised to impact the IT landscape in 2021. Find out why they're important and how they will affect you.
Flash Poll