“Could you give me the answer to your secret question?”

In the past couple of weeks I have been contacted by companies I do business with.  The first was 24 Hour Fitness.  The second was Sprint.  In both cases, I could not really tell if they were legit telephone calls.  I’m pretty sure they were, but in both cases there were concerns raised that I think we should all be well aware of.

Let me start with the call from Sprint today.  I was already on a phone call when the call waiting beeps.  I look at the caller ID and it says TOLL FREE CALL and the telephone number.  I am wrapping my call so I click over to see who the latest “DO NOT CALL LIST” lawbreaker is.  The nice lady on the other end says something like, “Is this the Sprint/Nextel business customer?”  Odd I thought.  I replied we have three Sprint accounts and who is she looking for?  She then says my first name.  Not my full name.  Not my middle name which is the one I go by.  I reply, “Speaking.”  She then informs me she would like to ask me some questions.  I informed her I didn’t know if I would answer any.

The next question was, “Could you give me the answer to your secret question?”  I just about fell out of my chair.  I told her I am definitely not answering that.  I informed her I didn’t know her from Adam and that I am not about to answer any more questions along these lines.  She tells me I can contact her at a telephone number.  I inform her that proves nothing.  I then inform her my account is fine and billing me correctly, my Sprint website ID works fine, and my Sprint phone works to my satisfaction.  She responds that is all she really is calling about so we conclude the call. 

Legit or not?

The 24 Hour Fitness call wasn’t much different.  They start off the call asking me questions to try and figure out if they have the right person.  The problem is that right away in that call they indicate my credit card isn’t working and want to know if I would like them to renew my membership with a different credit card number.  Ha!  Yea, I’ll be happy to give an unknown person in some part of the world my credit card and authorize a charge.

Not happening.  I simply couldn’t believe in this day and age companies are outsourcing their customer service operations and allowing questions like this to take place without proper security measures.  But what is the proper way to handle this?  I’m inclined to think that most customers are pretty aware of their account status and renewal periods and will take measures to fix things.  I certainly did.

Social Engineering

This is exactly the type of social engineering that real criminals use.  In both cases there is no way for me to know for sure the person on the other end is legitimately working for the company they claim to work for. Reminder: don’t give out your personal information. 

Even if you think the call is legit, what purpose does it serve?  Let’s recap.  In both cases my account is in good standing and I am satisfied with the services I am purchasing.  So the phone calls are interrupting a current customer to what, offer me a discount?  Why is it we never get those calls?

Ok, off my soapbox.  I just wanted to remind everyone to please teach your family and friends what to look for and what not to say.  I know you folks are probably already the CTOs of your family, your friends’ families, and whole neighborhoods or regions.  Security is still important.  Keep reminding the people you care about.

Comments (3)

  1. Daz says:

    I had the same strange calls supposedly from a large Telco in Australia. "Hello, it’s XYZ from (large telco). Can I start with you providing me with your date of birth"… "Ummm, No. I don’t know you from a bar of soap".  (large Telco) "But, we need you to answer this question before we can proceed"  (my response) "Oh, well. This will be a short conversation then" (grin)


  2. Brian says:

    Had the same thing happen to me about 6 months ago.  AT&T called asking me to create a password/pin for my U-verse account.  My response was to the point, "Isn’t going to happen.  I didn’t initiate this call so I’m not giving you any personal information."  Their response was classic, "Well until you do then you can’t get technical support."  My response, "Well I don’t need technical support right now so I guess when I do we can set it up then."  Their response, "Oh, I guess you could do that!"  

    In this day and age you just can’t be too careful.  When I have technicians from the phone or cable company come by to check on something in the backyard and I didn’t initiate a service call I get their badge number and then call to confirm they legitimately should be there.  The techs hate it and their frustration is shown clearly in their faces, but you just can’t be too careful anymore.

  3. Kai Axford says:

    Great catch Keith…or whatever you call yourself.

    I’d also add it’s probably a good idea to notify your local law enforcement officer and telco. Even if you think it’s no big deal, the aggregate total of all these activities is easily compiled by those agencies and they can take action.

    Security. It still matters.
