Sunday, October 11, 2009

Does T-Mobile Want To Steal My Identity?

It can be hard to tell real companies from scam artists sometimes. I got a call the other day from T-Mobile about my bill. They had overcharged me by $24 and I was late paying the bill because I wanted it fixed (and, in this economy, they call the day after it's due!). The discussion of why they would possibly think I wanted text messaging turned off on my account when I switched from a BlackBerry to a MyTouch is a topic for another post in the future

The T-Mobile agent who called me asked for part of my social security number to verify that I was who I said I was. I refused. Hey, you called me! How do I know you're not a scam artist? He told me that he was from T-Mobile and I should believe him, that, if I didn't give him my social security number, he couldn't help me. All things a scam artist would say, of course. The fact remains that I had no proof he was who he said he was.

I tried to explain to the guy that T-Mobile should never, ever ask a question like that because, to the extent that people answer it, you're training them that it's OK to give your confidential information to somebody who calls you on the phone. You're enabling scam artists. Unfortunately, he just didn't get it.

The rules are simple. In the world of client-server architecture, it's known as "never trust the client". In the real world, it's "never trust somebody who calls you."
  • Never, ever give confidential information to somebody who calls you, even an innocuous thing like an account number. You don't know that they are who they say they are.
  • If you call somebody, never, ever ask for confidential information when you call somebody. If you need confidential information, ask them to call you back at a number which is posted prominently on your web site or which is well known (like 1-800-T-MOBILE).