Data Protection - Biz ... Talk to .. forums

enigmatical

I am just a little concerned about the potential for a data protection breech on the Talk to ... forums.

I was looking for technical support on the Three forum and they asked me to PM them including my :

Phone number, full home address and DOB. This seems to be their standard way of verifying a customer account.

It's not just Three, but other users of that service are requesting similar information by PM.

I am just a little concerned as there's no guarantee of total security of communications on any bulletin board and if PM mailboxes are full of interesting data like that, it could encourage someone to attempt a hack.

Is there no way that you could come up with some kind of a registration system for the Talk to.. forums to allow people to verify their ID safely without all that private information?

All they would need to do is allow users to create a password that's stored on their systems, rather than asking for very personal information like DOBs and home addresses.

Myrddin

enigmatical wrote: »

Is there no way that you could come up with some kind of a registration system for the Talk to.. forums to allow people to verify their ID safely without all that private information?

All they would need to do is allow users to create a password that's stored on their systems, rather than asking for very personal information like DOBs and home addresses.

Would that too, not encourage someone to attempt a hack?

enigmatical

EnterNow wrote: »

Would that too, not encourage someone to attempt a hack?

Not if there wasn't a constant ad hoc request for personal information via PM.
You should be able to register a password with their help-desk or via their own websites first.
I just find the whole thing of "oh just send us a PM with all this private info" a bit much.

Three asked for:

• Full name
• Phone no
• DOB
• Full home address

to be PM'd to them.
That just seems to be asking for trouble to me.

I'm just raising it as feedback. Take it on board or don't take it on board, it's entirely up to you.
Personally, I'm just not comfortable with that kind of data being PM'd around a forum. Maybe that's just me.

Dav

Our PM system (and indeed the rest of the security of the site) has been vetted by the Data Commissioners office as being safe and secure.

The legal and security teams of our various Talk To clients have all taken a close look at how we operate and are happy with how it works - the only company that doesn't use our PM system for account verification is Bank of Ireland as the laws and regulations surrounding financial services are different and they only ever deal with customers' account queries over the phone.

I like your suggestion, but implementing something like that is a big job for any company to take on and when it's in may ways not strictly necessary, it's hard to justify the time, effort and cost of such a project. I'll have a think about it though, there might be ways and means for us to to incorporate something like that, but I can't make any guarantees. The knock on effect of us controlling something like that means we're potentially making ourselves responsible for data beyond our remit as operators of this website, so that's a legal can of worms that may need to be kept firmly closed.

Myrddin

Nothing is up to me, I'm just making the point that you are asked for all that information whether you ring them, email them, or use their help-desk. You will always need to verify your identity in some form, & using a master-password is far from secure/good practice.

I would ask though, when a case is closed when dealing through Talk-To, are all relevant pm's deleted by the reps?

enigmatical

EnterNow wrote: »

Nothing is up to me, I'm just making the point that you are asked for all that information whether you ring them, email them, or use their help-desk. You will always need to verify your identity in some form, & using a master-password is far from secure/good practice.

I would ask though, when a case is closed when dealing through Talk-To, are all relevant pm's deleted by the reps?

That's a good question, and also deleted from sent items.

Well, it's still common practise in Ireland to use personal information (which isn't always difficult for someone else to have access to) to verify ID which isn't really much use either.

The problem is that the information being used to verify security is a security risk in itself as it's usable for far more than just entering someone's online account for a utility company. It's actual personal information.

A master password for a utility company would at worst let someone look up your phone records or pay your bill or something.

Perhaps, something like a password + a random character from your account number would make sense.

The_Morrigan

It is more than just those details being requested & not everyone is going to be on the ball to refuse to hand over information at times.
I recall being asked for my password to the log-in system (02) before, I refused to give it as the reps should not need my password to find my account on their system - but that is not to say that any other members wouldn't fall foul of that request.

Myrddin

enigmatical wrote: »

The problem is that the information being used to verify security is a security risk in itself as it's usable for far more than just entering someone's online account for a utility company. It's actual personal information.

A master password for a utility company would at worst let someone look up your phone records or pay your bill or something.

Perhaps, something like a password + a random character from your account number would make sense.

Yeah I see your point. However, that'd need to be done on the company's end would it not? Ie:

UPC would need to generate a password that corresponded with all my account details. Then when asked by a UPC Rep for my credentials, I would simply pm them the password they generated for me, plus a letter/number from my account too. It would be a good system actually, & something like that would keep Boards out of harms way. But as Dav said, it'd be something the company themselves would have to do & could be costly...

enigmatical

I just think that there should be some kind of minimum code of practise for handling that kind of information through this kind of medium.

It's up to the companies themselves how they decide to implement their own security.

However, I just think asking for loads of personal information by PM is sloppy practise from a security point of view.

...

A lot of them already have such systems in place and don't seem to use them.

E.g. Three has a pair of passwords for each customer which you set through their website.
They don't seem to be using them on here though.

Anyway, it's just something I thought I'd raise as feedback.

Lovely Bloke

enigmatical wrote: »

I just think that there should be some kind of minimum code of practise for handling that kind of information through this kind of medium.

There is, and the Data Protection people have told Boards.ie that they meet it.

Did you not read Dav's post?

enigmatical

I don't necessarily mean boards.ie code of practice, just generally.

Anyway, just thought I'd raise it.

However, I suppose the bigger concern really is that many companies still rely on asking people for loads of personal information to confirm security over the phone and other media too.

I can see why boards.ie would want to avoid being anything other than the neutral carrier in this situation though. Makes sense.

I suppose the use of DOBs, addresses etc is more of an industry-wide problem for the companies actually storing the data rather than boards.

Thanks for the info / feedback too.

returnNull

enigmatical wrote: »

many companies still rely on asking people for loads of personal information to confirm security over the phone and other media too.

and what would you have them do?insist they call into the office in person?

enigmatical

returnNull wrote: »

and what would you have them do?insist they call into the office in person?

They should set up a password of some sort.

it's ridiculous asking people for information like their DOB.
We are going off topic though as that's more of a general data protection issue than a boards one.

Femme_Fatale

They have to, due to data protection legislation (as in, ensuring they are speaking with the right person) which is pretty strict in this country.

I wouldn't say they're fans of having to do it either.

enigmatical

Femme_Fatale wrote: »

They have to, due to data protection legislation (as in, ensuring they are speaking with the right person) which is pretty strict in this country.

I wouldn't say they're fans of having to do it either.

They have to ensure they're speaking to the right person. They don't have to do that using their DOB etc. Data protection requirements to confirm identity are completely satisfied using a password.

hullaballoo

I'm really confused by the title of this thread. There's no compliance issue with regard to the DPAs and boards.ie. The Commissioner has advised boards.ie Ltd. that they have certain obligations and they have complied with those. The reality is that the Commissioner is overstepping the provisions of the Acts, but I suppose it's in the interests of privacy, so I'm not complaining.

So, the DPAs aren't an issue; then what's this thread about?

Are you afraid boards.ie will be haxX0red? Is that it? Because, you know, it may be hacked. That's the risk you run when putting your personal information on the Internet. Boards.ie can only protect its users to a certain extent and I believe that the security is quite strong on this site. In its entire history, it's only been successfully compromised once. It was spotted very quickly and dealt with appropriately.

Am I missing something else?

enigmatical

Well, sorry for raising an issue that genuinely concerned me as I was asked for a lot of personal details via PM by a company rep using this system.

I won't bother raising any in future as I'll just be shot down.

All the best!

Dav

I'm disappointed that you've closed your account - I think you've raised a very interesting discussion and you're right, it doesn't just relate to Boards, it relates to how your privacy is protected by everyone you do business with (and I was about to move this to a more appropriate forum to continue the discussion with you and anyone else who was interested).

I'm a Bank of Ireland customer, I have an online banking account number (that's separate to my actual bank accounts), it has verification by means of either my DOB or the last 4 digits of my phone number and then it has a 6 digit pin, of which I'm only ever asked to input 3 at a time. I like this system, it means key loggers on a computer or an interception of the dataz in transit are not going to give away full access to my pin over the tubes. Similarly when I call them, I go through the same process. I'd love to see more companies adopt a similar approach to interacting with them for anything.

I am also a Meteor customer, whenever I have to call them, they ask for the PIN on my phone as a means of verifying who I am and this is a pretty reasonable and safe means of managing security I think.

Asking for a DOB and phone number (for example) for someone and using it as a means of "securely" identifying them, is not exactly safe I think, so I think to be fair, the OP has a point in that it's not the best means of doing business. I'd much prefer the idea of a customer service password myself.

The_Morrigan

Dav is there a 'how to/best practice guide' from Boards given to the Reps on here as to how they should be requesting personal information to identify customers and accounts or do Boards just let them follow their own company procedures?

Dav

It's a mixture of both. We provide training for the reps and work with their team to form a plan that works within their own organisation's structure and policies as well as our own. Often times this is after several meetings with their legal, technical, security, marketing, customer service, customer retention and social media teams The process of setting a Talk To forum up takes a minimum of 3 months, but it usually closer to 6.

The_Morrigan

Dav wrote: »

It's a mixture of both. We provide training for the reps and work with their team to form a plan that works within their own organisation's structure and policies as well as our own. Often times this is after several meetings with their legal, technical, security, marketing, customer service, customer retention and social media teams The process of setting a Talk To forum up takes a minimum of 3 months, but it usually closer to 6.

Thanks for that Dav.
On the few occasions I've used the forums I've always been surprised when I'm asked for my full log in details, as in username & password (and always refused to give them). To me that just seemed odd so I was curious as to whether Boards.ie had an influence on the system & processes used.

Cody Pomeray

*in theory*, and I know it's been emphasized before that privacy is well respected on this site (clearly it is), how difficult would it be for a boards.ie employee to access user PMs?

Not talking about mods here, but actual staff.

hullaballoo

Cody Pomeray wrote: »

*in theory*, and I know it's been emphasized before that privacy is well respected on this site (clearly it is), how difficult would it be for a boards.ie employee to access user PMs?

Not talking about mods here, but actual staff.

Admins don't have access. That goes for staff too: staff are in the Admin usergroup with different coloured stars. There are 2 exceptions:

1. Only people with access to the database could theoretically view PMs - I'm not a techie, but I think that would involve querying the db for a users PMs. Unless there is a lawful reason for doing that, it would be a breach of the DPAs for someone to do this;

2. Admins can see reported PMs. Obviously, PMs are only reported where there is something that requires Admin attention, usually harassment or spam.

That's my understanding of the situation but I'm sure a CM can give an official response.

Dav

That's pretty much on the money. Unless you have direct access to our database, you don't have access to the PM's, so only our tech team can get at them.

There is obviously a record of all activity on the database and this includes who has accessed the PM table. Unless one of the tech team has a specific reason for looking at it, they don't upon pain of disciplinary action being taken by the company.

keith16

Dav wrote: »

Asking for a DOB and phone number (for example) for someone and using it as a means of "securely" identifying them, is not exactly safe I think, so I think to be fair, the OP has a point in that it's not the best means of doing business. I'd much prefer the idea of a customer service password myself.

Dav, you have witnessed first hand a number of O2 reps requesting my web login details (including password).

Are boards.ie really comfortable with these types of requests? It would seem not, so it would be good if something could be done.

EDIT: I'm not sure what could be done, but perhaps it could be better defined (maybe it is) what the purpose of the "talk to" forums is? Is it technical support? Is it signposting? Is it information only?

whitebriar

I gave my dob and home address yesterday to the O2 reps and don't see a problem.
I did not give them my mothers maiden name (though some digging might bring it up...)
What use or abuse is that info going to cause these days anyhow?

They won't access my bank a/c with it or open one either even if they walked into a branch to open a new one with a fake id.

Banking is too detailed a process now.
Also my wallets been stolen many times containing all that info and more somewhere in it and by people obviously a lot dodgier than O2 reps

Also,if one doesn't trust talk to reps here,how are you ever going to ring a customer care line for anything? What's the difference?

Skid X

Could the reps be asked to delete the personal information (Date of Birth, Mother's Maiden name etc) from their Boards Private Messages once they have established the identity of the Boards Member they are dealing with?

It's not an elegant solution but if the Reps cleared their inbox regularly it would at least reduce the amount of personal information which could potentially be hacked into.

Drift

Skid X wrote: »

Could the reps be asked to delete the personal information (Date of Birth, Mother's Maiden name etc) from their Boards Private Messages once they have established the identity of the Boards Member they are dealing with?

It's not an elegant solution but if the Reps cleared their inbox regularly it would at least reduce the amount of personal information which could potentially be hacked into.

Could a system be set up where Inbox PMs for company reps automatically delete after a certain amount of time?

MadsL

Dav wrote: »

Our PM system (and indeed the rest of the security of the site) has been vetted by the Data Commissioners office as being safe and secure.

Dav, could you expand on this a little? My understanding is the the DPC may audit the Data Protection practices of an organisation and the Data Protection Acts require personal information to be kept securely. However, whilst the DPC recommend IT Security standards it is my understanding that they do not audit against such standards, nor are they qualified to do so.

Now my info may be out of date, and I would be delighted if the DPC has started hiring IT Security auditors to do more robust audits, but I'm undr the impression that they do not delve too deep on the IT side of things.