davep@u.washington.edu (David Ptasnik) (03/03/91)
Some weeks ago I found the US Sprint 800 number that gives the balance of any Sprint customer's bill to any caller with an interest. I whined to Sprint that I thought this was insecure and a violation of my privacy. They sent the following reply:

**********************************

Dear Mr. Ptasnik:

I appreciate the time you took to express concerns about the access method we use in our automated response system. I have forwarded your complaint to our Corporate office for review and consideration.

The information that can be accessed with the area code and phone number is balance and payment history. To add a FONCARD to an account, it is necessary to provide the account number.

The convenience of accessing information with the telephone number is offered to customers only on non-service affecting transactions. Besides informational announcements, all other contacts are handled by customer service representatives. Screening techniques are in place to ensure that only account holders have access to the most sensitive information.

I agree with you that the methods we use do not provide "absolute" security. Unfortunately, even the most elaborate security system can be penetrated given the right amount of determination and skill. Please be assured that most local telephone companies and other long distance carriers utilizing this technology are employing the same access method.

We value you as a customer and appreciate your business. Your comments and concerns will be given serious consideration by our Corporate office. Again, I thank you for taking the time to provide us with your opinions.

Sincerely,

Kathleen Mc Mahon
Customer Service Manager

********************************

Any typos in the above were my fault.

While I appreciate the response to my complaints, I intend to pursue it further. I don't want "absolute" security, just some. I really doubt the idea of AT&T using so insecure a method. It is my general understanding that AT&T has a call back system, requiring you to be at a predetermined phone number, ready to enter a security code. I'm not sure if this is for long distance balances, or just equipment purchase balances to larger users, but it is more secure than Sprint.

The suggestion that "screening techniques are in place to ensure that only account holders have access to the most sensitive information" implies that my account balance is not sensitive. It is to me. I'm going to write them again, and keep you all informed of the continuing saga.

davep@u.washington.edu
peterm@sumax.seattleu.edu (Peter Marshall) (03/04/91)
It's well that Mr. Ptasnik intends to pursue this matter further, and it's also reasonable to do so with Sprint, as he plans; and it will be interesting to see the results posted here.

On the other hand, it's interesting that the choice so far is confined to communicating with Sprint. Might this reflect an assumption that this is the only appropriate way to pursue these questions? Are there others? To what extent does Mr. Ptasnik's approach here resemble that of those who earlier communicated with Lotus, etc. over Marketplace? Is there any similarity between the problems identified by Mr. Ptasnik here and those suggested by this same company's "900 Neighbors" service, for example?

Peter Marshall
halcyon!peterm@sumax.seattleu.edu
The 23:00 News and Mail Service - +1 206 292 9048 - Seattle, WA USA