SQL Clone
SQLServerCentral is supported by Redgate
Log in  ::  Register  ::  Not logged in

Re-thinking security for customer service

This morning my son woke up to find his eBook reader frozen. It wouldn't unlock. It was fully charged (the green light even came on). It's not the type of eBook reader where you can pop the battery. Since we had gotten the warranty on it, my wife called it in. She reached a customer service rep, walked through the troubleshooting steps, and the rep confirmed it was a brick. We could take it back into a store and the store would swap it. There's only one problem: we had to receive an email to the account on file and print it off. One big problem: we're not at home and we don't have the capability to do any such thing without going to great effort. Needless to say, my wife asked for an alternative. She received none. But then the customer support rep proposed she go into the store, ask an associate to use one of the computers they have there, log in to her email account, and then print out the email. At this point she came and got me.

I explained to the rep that in IT security, we generally warn our end users against logging on to email, etc., on an untrusted computer. You can never know if there is a keystroke logger, etc. on there. Their customer service procedures was going against that well-known practice. I asked if there was any other way. I proposed a case # or a trouble ticket #, because certainly their system had to log cases using some sort of mechanism. I was told that wasn't the case (really?!?) but that everything was logged against the serial number of the device. Aha! Why can't the store, whom you are notifying that we're coming so they can have a eBook reader of the same model pulled, and who has to verify the serial number, just use that? It would be a violation of procedure. I then asked to speak to the supervisor.

After a long wait, I got the supervisor. I explained the situation. She again recommended the email at the store approach. I once again reminded her that standard policy in a lot of companies is to warn end users from doing this, so I couldn't understand why this company was recommending it for their customers! I then asked about the case #. Same answer. Pleading my case, I asked if it was allowed for her to call the store manager and discuss it. After all, we would be turning in the bad device, so they certainly would be able to confirm the serial #. We wouldn't be walking away with new hardware without turning the old one in. She told me she'd call and she'd see what she could do. After a little wait, she came back on the line and indicated that the manager was fine with checking the device's serial number and doing the exchange. With that finally the approach, we headed to the store.

Asking for the general manager, here's what I noticed off to my left:

I guess that whole print your email at the store wasn't a good idea either.

This is a really simple problem to fix. It shouldn't require an email printed out by the customer. It should require:

  • Picture ID
  • The device with the serial number
  • Possibly the case #

Actually, if you can look up cases by the serial number of the device, you only need the first two. The first one is a theft deterrent. If you rip off the device from someone, and you find it gets hosed, you can't turn it in and get a new one. This doesn't require an email. It doesn't require wasted paper and ink. And it doesn't require an insecure procedure where you're asking a customer to type in a username and password on an untrusted system. This is just plain common sense. It's easier on everybody and it's more secure. So why is this the exception and not the norm?


K. Brian Kelley - Databases, Infrastructure, and Security

IT Security, MySQL, Perl, SQL Server, and Windows technologies.


No comments.

Leave a Comment

Please register or log in to leave a comment.