Verizon Support Wants You To Know That Twitter Is A Perfectly Secure Way To Send Them Your Social Security Number

from the you-need-better-support-reps dept

Hoping to have an errant charge resolved, O'Reilly Media author Jonathan Zdziarski recently reached out to Verizon Wireless on Twitter. While Twitter support can help put a friendly face to a massive, often-times unwieldy conglomerate, anyone that has actually interacted with one of these support agents has likely found the quality of these interactions to be decidedly hit or miss. In Zdziarski's case, the Verizon Wireless support agent in question thought it would be perfectly acceptable for him to prove his identity over Twitter, since the platform is such a "secure means of communication":
Except for the fact that's not remotely true. Back in late 2013 in the wake of reports on the NSA's ballooning skulduggery, Twitter claimed they'd start encrypting direct messages, though by 2014 that initiative appears to have been forgotten. As such, what Verizon's calling a "secure means of communication" is about as secure as a safe made out of paper mache and tin foil. When pressed about this lack of secure transit for personal data, Zdziarski was apparently informed that everything was ok, because "most users are ok with it":
Of course "most users" don't know a gigabit from a garrote, so it's not entirely clear that "most people aren't bright enough to know this isn't a good idea" should be used as a security standard moving forward.
Hide this

Thank you for reading this Techdirt post. With so many things competing for everyone’s attention these days, we really appreciate you giving us your time. We work hard every day to put quality content out there for our community.

Techdirt is one of the few remaining truly independent media outlets. We do not have a giant corporation behind us, and we rely heavily on our community to support us, in an age when advertisers are increasingly uninterested in sponsoring small, independent sites — especially a site like ours that is unwilling to pull punches in its reporting and analysis.

While other websites have resorted to paywalls, registration requirements, and increasingly annoying/intrusive advertising, we have always kept Techdirt open and available to anyone. But in order to continue doing so, we need your support. We offer a variety of ways for our readers to support us, from direct donations to special subscriptions and cool merchandise — and every little bit helps. Thank you.

–The Techdirt Team

Filed Under: customer support, jonathan zdziarski, security
Companies: verizon


Reader Comments

Subscribe: RSS

View by: Time | Thread


  • identicon
    avideogameplayer, 21 Jul 2015 @ 6:28am

    Another reason not to do business with Verizon...#suckerborn

    link to this | view in chronology ]

  • identicon
    Anonymous Coward, 21 Jul 2015 @ 6:35am

    To be fair, it's more secure than unencrypted email.

    link to this | view in chronology ]

  • identicon
    Anonymous Coward, 21 Jul 2015 @ 6:38am

    Cue the "we take your security very seriously" response statement.

    link to this | view in chronology ]

  • identicon
    David, 21 Jul 2015 @ 6:42am

    Well, safe from the NSA anyway.

    They already have your SSN, so if the NSA hacks twitter messages, there's no real risk there...

    link to this | view in chronology ]

  • icon
    Miles Barnett (profile), 21 Jul 2015 @ 7:20am

    "because most customers are OK with it"

    When I go to buy something, and they hand me a form to sign, I always read it. I usually get a response from the clerk "Just sign it. Everybody else does." So, because everybody else is a fool, I have to be one too.

    link to this | view in chronology ]

    • icon
      John Fenderson (profile), 21 Jul 2015 @ 7:37am

      Re: "because most customers are OK with it"

      Clerks actually say that? I've never had that happen, but if it did, I think I would drop the transaction right there on the grounds that if I'm being pressured to sign something without reading it, then it's clearly a trap.

      link to this | view in chronology ]

      • identicon
        Anonymous Coward, 21 Jul 2015 @ 11:45am

        Re: Re: "because most customers are OK with it"

        Ohh it's a trap whether you take the time to read it or not.

        link to this | view in chronology ]

    • icon
      jilocasin (profile), 21 Jul 2015 @ 8:08am

      Re: "because most customers are OK with it"

      I used to be bothered by various retail clerks insisting that I provide some seemingly random bit of personal information at the conclusion of retail transactions.

      I used to refuse to do so, wade through the gaped mouths, the anger and indignation, and the delay while a manager was called over to explain that providing such information isn't strictly speaking required.

      Often I too would hear the refrain;
      "None of our other customers has a problem providing this information."


      With the implied,
      "So why am I being such a pain...."

      Nowadays I avoid all of that drama by simply
      making stuff up.

      Teller: "We need your Zip Code"
      Me: "Um 23412".
      Teller: "Thank you"

      Teller: "We need your Phone number"
      Me: "Ah 508 990 5678".
      Teller: "Thank you"


      (shrug...)

      link to this | view in chronology ]

      • identicon
        Jason, 21 Jul 2015 @ 8:38am

        Re: Re: "because most customers are OK with it"

        When Best Buy started asking for your ZIP code (back when I still shopped at Best Buy occasionally) I would always politely decline, with a "no thanks," or something like that. Most times the clerk didn't care, just typed in something and continued. But every now and then there would be confusion, delays, and general annoyance as I waited to pay for my purchase. Even if I was paying with cash.

        Then places graduated to asking for phone numbers. When our local Circuit City finally closed I happened to find something I wanted in the last of the clearance pile, a pair of noise cancelling headphones that were super cheap. I don't know how long I stood there waiting for the guy to figure out how to let me pay without typing in my phone number. (I wanted to tell him to just use his.) I had finally had enough and opened my mouth to tell them to just keep it and walk out when the manager came over, typed the number 5 ten times, and got things rolling again.

        To this day I don't provide personal information to any store that they don't need to actually process my payment. Sometimes it's a bit of a pain, but so be it... if they can't deal with that, then they really don't need my money.

        link to this | view in chronology ]

        • icon
          John Fenderson (profile), 21 Jul 2015 @ 9:41am

          Re: Re: Re: "because most customers are OK with it"

          I do this too. Nobody gets personal info that isn't actually needed.

          But be aware: if you're paying with a card, many processors randomly require the card holder's zip code to be entered as a weak anti-fraud measure. If the clerk is asking for a zip code because of this and you refuse to provide it or provide an incorrect one, you won't be able to pay with the card.

          link to this | view in chronology ]

          • identicon
            Jason, 21 Jul 2015 @ 9:56am

            Re: Re: Re: Re: "because most customers are OK with it"

            True, but so far at least I've never had that problem. And if it's verification (however weak) they ought to be able to explain that to me when I ask, too, and not give me the generic "we need that to add to our database" type of answer I usually get.

            When the gas pumps started asking for ZIP codes I went home first and did some reading to find out why.

            link to this | view in chronology ]

      • identicon
        Michael, 21 Jul 2015 @ 10:17am

        Re: Re: "because most customers are OK with it"

        I make it up too.

        Whoever actually has the phone number 867-5309 must really hate me.

        link to this | view in chronology ]

        • icon
          ltlw0lf (profile), 21 Jul 2015 @ 7:47pm

          Re: Re: Re: "because most customers are OK with it"

          Whoever actually has the phone number 867-5309 must really hate me.

          Jenny certainly does.

          link to this | view in chronology ]

    • identicon
      PRMan, 21 Jul 2015 @ 12:26pm

      Re: "because most customers are OK with it"

      I have the same problem. One time I crossed out a bunch of it before signing it. Turns out they didn't read it either.

      link to this | view in chronology ]

  • icon
    Namel3ss (profile), 21 Jul 2015 @ 7:22am

    Most people don't even know what a rootkit is, so why should they care?

    link to this | view in chronology ]

  • identicon
    Anonymous Coward, 21 Jul 2015 @ 7:38am

    Last night

    I was twittering Verizon last night to ask when they would support Nomorobo. This is the winner of the FCC Robocall contest.

    Well, I looked at some of the twitter responses, "Yes, let's see what we can do to bring down your bill."

    "With our everything plan, unlimited minutes and texting is included in the plan."

    Dozens of replies like this. It appeared that only the Verizon representative replies were listed, and I don't remember if the recipient was listed.

    If you want to see how the Verizon Customer Service operates, just go to their twitter page for some good reading.




     

    link to this | view in chronology ]

  • identicon
    Anonymous Coward, 21 Jul 2015 @ 7:57am

    Sigh... The Verizon rep is asking for the last 4 of the customers SSN, not the entire thing. That still leaves about 77000 different possibilities for the actual number.

    link to this | view in chronology ]

    • icon
      Nurlip (profile), 21 Jul 2015 @ 8:16am

      Re:

      74,547

      link to this | view in chronology ]

      • identicon
        Anonymous Coward, 21 Jul 2015 @ 8:26am

        Re: Re:

        74,547 possibilities for your SSN.

        0 other possibilities for your Verizon identity verification.

        link to this | view in chronology ]

    • identicon
      Anonymous Coward, 21 Jul 2015 @ 10:28am

      Re:

      However...if the Twitter account can be linked to an actual person, you now know a specific user's last 4 digits. It's just a quick Google search to guess locale, what bank they may use, etc.

      So while there *may* be 75,000+ social security number possibilities, using just those last 4 numbers, there's statistically far less possibilities of a person named Jane Doe with the last 4 digits being 1234.

      link to this | view in chronology ]

    • identicon
      Anonymous Coward, 21 Jul 2015 @ 10:46am

      Re:

      Sigh... The Verizon rep is asking for the last 4 of the customers SSN, not the entire thing. That still leaves about 77000 different possibilities for the actual number.

      It is far less than you might think, at least until very recently the first 5 digits are not just random numbers. The first 3 identify the state of issue, and the next 2 are grouping codes that can be roughly corresponded to the year issued. Only the last 4 were an actual serial number. Once you give those last 4 up that makes for a lot less combinations especially with some basic knowledge of the customer.

      link to this | view in chronology ]

      • icon
        nasch (profile), 21 Jul 2015 @ 2:48pm

        Re: Re:

        The first 3 identify the state of issue,

        The office where the number was issued, not just the state.

        link to this | view in chronology ]

    • identicon
      David, 21 Jul 2015 @ 10:51am

      Re:

      Unless the person is older and you know where they lived when they got their SSN. Then you know the first 3 (or small subset of numbers). That leaves you with only 100 different possibilities.

      link to this | view in chronology ]

    • icon
      John Fenderson (profile), 23 Jul 2015 @ 10:27am

      Re:

      The last 4 digits of a SSN are the ones that really matter: they're the only digits that you cannot figure out through research. Which is why they sorta-work as an identity confirmation.

      If you're speaking in public, those are the most dangerous digits to reveal.

      link to this | view in chronology ]

  • identicon
    Anonymous Cowherd, 21 Jul 2015 @ 8:10am

    Using a persistent code like a social security number as "proof" of identity is stupid in the first place. Anyone you've ever "proven" your identity to in that manner subsequently knows your number and can "prove" to anyone else that they're you.

    link to this | view in chronology ]

    • icon
      John Fenderson (profile), 21 Jul 2015 @ 9:45am

      Re:

      This. Particularly since the SSN is explicitly, specifically, and legally not intended to be a universal ID # and does not do a good job of it even if it remains completely secure.

      The only legal uses for an SSN is as a taxpayer ID (and you can use an actual taxpayer ID # instead) and to administer social security.

      link to this | view in chronology ]


Follow Techdirt
Essential Reading
Techdirt Deals
Report this ad  |  Hide Techdirt ads
Techdirt Insider Discord

The latest chatter on the Techdirt Insider Discord channel...

Loading...
Recent Stories

This site, like most other sites on the web, uses cookies. For more information, see our privacy policy. Got it
Close

Email This

This feature is only available to registered users. Register or sign in to use it.