The Insanity of Phone Authentication “Security Processes”

For the second time in a month, a vendor says to me, on the phone:

I’m sorry, sir, but that account is under your wife’s name, and only she can cancel the account.

What was particularly annoying about this call (with Verizon, oh how much I loathe them), is that my wife had granted me “full access” to the family account we opened in her name. (It was opened in her name because of some odd discount we got in one case but not the other…) Apparently, full access doesn’t quite mean full access: some actions still require the account owner.

So I decided that, since I had a few minutes to kill, I would waste their time and make them pay for their stupidity. After all, I had, in front of me, my wife’s social security number, her actual mobile phone, and any other authenticating information they might have asked for. And she’d granted me full access!

Me: My wife is a medical intern. She is never home, certainly not at times when your customer service desk is open, and if she is home for a few minutes, she’s usually catching up on sleep.

Verizon: Sir, you must understand, we have security processes in place.

Me: Well those security processes are idiotic.

Verizon: We have to protect our account owners, maybe you and your wife are estranged.

Me: Seriously, you think that my wife and I are estranged even though she granted me full access to the account? I think it’s more likely you just want to find some way to make more money by delaying this account closing.

Verizon: Why would I do that? I don’t make more money from this call. In fact, this call is costing my company a lot of money!

Me: I know. That’s why I’m still on the line with you. Hopefully this line item will trickle up and merge with other line items of similarly annoyed customers. If this costs Verizon enough money, maybe you’ll consider changing this idiotic policy.

Verizon: We have to protect our customers.

Me: Do you realize that I have full access, that I have my wife’s SSN, that I even have her phone in front of me? Do you realize that, if I really wanted to “get back at my estranged wife”, I could easily ask a female friend to speak to you on the phone? In other words, do you realize the only thing you’re preventing, really, is an honest attempt at closing an account? A malicious attempt would succeed quite easily given all of the information I have.

Verizon: Well, I don’t know if you want to do that, sir, that would be against the law!

Me: Not for me, it wouldn’t, I have my wife’s permission to do this for her! I’m not dealing with the Federal Government here, I’m talking to a wireless phone company!

Verizon: I’m sorry sir, but there is no way anyone in this chain of command is going to approve an account closing without talking to the account owner.

Me: Ok, but before I go, I would like you to send the following email to your supervisor:

Customer believes security policy is idiotic. Given that you’re already checking all sorts of personal information and that I have “full access”, you’re only placing obstacles in the path of legitimate customers doing legitimate things. You’re not really preventing malicious acts.

That was fun.

In fairness to Verizon, there’s a small reason why their approach might be okay: forcing someone with malicious intent to commit a felony in order to succeed… well that may be a useful thing to do, or at least it’s an interesting theory. I wonder if it really makes a difference, though. I doubt it. An estranged husband with evil intentions likely won’t stop at this small obstacle.

What really gets to me is that none of these places seem to be set up to handle one person handling a couple’s affairs. What does it mean to be granted full access to an account, then? Do I have to put all services in my name, including my wife’s cell phone?

At the end of the day, this is about using “security for the customer” as an excuse. It’s not really security for the customer. It’s Verizon being able to claim they do security, thus covering their own ass. The customer’s true security is hardly affected by this policy.

This is yet more proof that if you want to make things more secure, you have to align corporations’ own interests — financial and legal — with real customer security. Anything else, and security becomes just another excuse for behavior that helps the company but not the customer.






4 responses to “The Insanity of Phone Authentication “Security Processes””

  1. Pierre Adida Avatar
    Pierre Adida

    I am glad to see that you are still able to argue with stupid agents of stupid companies who are not even empowered to make some sensible decision. The system is desastrous, people are acting like robots because the system doesnot allow them to think, and finally, people do not think anymore, and that makes a justification for companies to make people acting like robots. Vicious and dangerous cycle. When the People of America are going to stand up against this destruction of their personality?

  2. Philip Jacob Avatar
    Philip Jacob

    Two possible solutions:

    1) get a female voice

    2) sign up for the service as “Pat Adida” (like the SNL character) or another genderless name and they’ll never know if you’re supposed to be male or female

    In fact, can you simply retry this with a female voice to see if it works?

  3. ben Avatar

    Phil: in fact, I mentioned to them I could try this with a female voice, and they said “that would be illegal!” It’s exactly my point about how there’s no real obstacle for folks who aren’t afraid of a little impersonation, but there are for folks who are upfront and honest….. but I like the “Pat Adida” idea, if only I had a SSN that matched 🙂

  4. jabbett Avatar

    The real lesson: never open any accounts in a physician’s name 😉

%d bloggers like this: