Wednesday, May 26, 2010


Yesterday, my mobile phone rang. I answered the call. There was a pause. Clearly some computer somewhere was waiting for me to pick up before connecting me to someone in a call centre.

"Good afternoon. Am I speaking to Dr Jennings?"
"I am calling from that manages your mobile phone contract with O2"

For odd regulatory reasons, when mobile phones were introduced in the UK, the mobile networks - Vodafone and BT Cellnet (now O2) - were not permitted to sell their own services at retail. Instead, other companies were required to do the actual selling of mobile phone contracts, and were required to manage the customer relationships and provide the after sales service. Later entrants - Orange, Mercury One2One (now T-Mobile) and Three - were never subject to this requirement, and the requirement was dropped for the original two operators in the mid 1990s when the third and fourth operators entered the market. However, some of the odd characteristics of the British mobile market that exist to this day are a consequence of this original policy. The independent mobile phone retail business remains unusually large in this country, and although Vodafone long ago bought out all other organisations managing its customer base, O2 did not completely do so. Thus my customer service relationship with O2 is indirect and via another company.

"Dr Jennings, we have noticed that you are near the end of your contract, and we have analysed your usage patterns and we think we may have different tariffs that might be cheaper for you than the one you are on. So I would like to tell you about those and if you like we could also upgrade you to a new phone."

Basically, they wanted me to sign up for another lengthy contract. They may or may not have actually looked at my usage patterns. The deal they gave me last time was actually so good that I doubt they were going to offer me anything better, but I am usually at least interested to see what companies will offer me.

"Dr Jennings, before I can proceed further I need to check your identity. Can you please tell me your date of birth and mother's maiden name".

I pause for a moment.

"Your security system is not acceptable. You cannot simply cold call me and then ask me to give you personal information"
"I have this information in front of me already. I just need to confirm your identity".
"If I were to call you, I would know who you were and that I could likely trust you, because I would have looked up your number somewhere reliable. Therefore it would be reasonable for you to ask me for personal information. When you have called me, the situation is reversed, and it is not reasonable, because I do not know your identity".

Clearly this is not in his script.

"This is standard procedure"
"Then it is a very bad procedure. I actually believe you are who you say you are, but having such a procedure in place encourages bad practices. In fact, it is so incompetent that I am tempted to cancel my phone right now. Good bye".

At that point I hung up the phone. I immediately wished I hadn't been so hard on the guy, as he was just working from a script, and the incompetence of his employer wasn't his fault.

This is absolutely terrible practice, however. One should never give personal information to someone from whom one has received a cold call and whose identity one cannot confirm. Legitimate companies encouraging or requiring customers to do this makes customers used to doing it, and makes it easier for the genuinely dishonest to commit crimes. The fact that large companies with whom you trust your personal information are not able to understand that the situation is different when they call you from the situation when you call them is really quite troubling, too.


Rob Fisher said...

This happens to me all the time with my credit card company. Sometimes they call me to validate a transaction, which I suppose if I have just made a transaction is some clue that the call is for real, but it could also just be luck.

As soon as they ask for personal information I ask if I can call them back. The reaction varies from confusion to amused understanding. Somewhere in the middle are the times when they offer to tell me the number to call, which would obviously defeat the purpose. I explain that I will call the number printed on my card. When I call back they usually seem to understand why.

I do wonder why companies seem to be deliberately training their customers to become ripe targets for phishing.

Jim said...

That is incredibly stupid of them. It would give me pause to think that if they were so ignorant of basic information security practices, how well would they actually protect my personal information.
