Thursday, June 25, 2009

No, you can't have my SSN either

In yesterday's post, I talked about why you shouldn't share passwords. Today, coincidentally, I had a related frustrating experience with T-Mobile. They insisted they couldn't access my account unless I told them the last 4 digits of my social security number (SSN) to "verify" my account. This was despite the fact that they don't actually know my SSN, so telling them the 4 digits would not serve to "verify" anything.

They claim to ask for this in order to protect me. But they don't know what they're doing. The poor understanding of security extends to their web site too. If I forget my password, I can reset it online by answering a few secret questions. But there are lots of people who aren't me who know where I was born, my mother's maiden name, my dog's name and Paris Hilton's dog's name. And, unfortunately, lots of people have access to my SSN too. So using "secrets" like these to secure my account either online or off makes no sense.

Even better, T-Mobile will send my password to me via text message! Um, they shouldn't store passwords in clear text, and they certainly should never tell anyone (not even me) what my password is.

So their account reps won't talk to me, but their web site will happily send my password to anyone I loan my phone to. Gee, thanks.
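As an added example (not code from the post or from T-Mobile), here is what "don't store passwords in clear text" looks like in practice: a small Python account store that keeps only a per-user salt and a PBKDF2 digest, so it can check a login but has no password to text to anyone, and handles a forgotten password with a random single-use reset token instead. The dictionaries, round count and function names are constructed for illustration.

```python
import hashlib
import hmac
import os
import secrets
from typing import Optional

# Constructed in-memory "account database": username -> record.
# Only the salt and the PBKDF2 digest are stored; the password itself never is.
ACCOUNTS: dict = {}
RESET_TOKENS: dict = {}
PBKDF2_ROUNDS = 200_000  # illustrative work factor


def _derive(password: str, salt: bytes) -> bytes:
    """Salted, deliberately slow hash; cannot be reversed to the password."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)


def register(username: str, password: str) -> None:
    salt = os.urandom(16)  # fresh random salt per account
    ACCOUNTS[username] = {"salt": salt, "digest": _derive(password, salt)}


def verify(username: str, password: str) -> bool:
    """Check a login attempt without the site ever knowing the password."""
    rec = ACCOUNTS.get(username)
    if rec is None:
        return False
    # Constant-time comparison so timing does not leak how many bytes matched.
    return hmac.compare_digest(rec["digest"], _derive(password, rec["salt"]))


def stored_password(username: str) -> Optional[str]:
    """What a 'text me my password' feature could recover here: nothing."""
    return ACCOUNTS[username].get("password")  # key never exists -> None


def begin_reset(username: str) -> str:
    """Instead of sending the password, issue a random one-time reset token."""
    token = secrets.token_urlsafe(32)
    RESET_TOKENS[username] = token
    return token


def finish_reset(username: str, token: str, new_password: str) -> bool:
    expected = RESET_TOKENS.pop(username, None)  # consumed on first use
    if expected is None or not hmac.compare_digest(expected, token):
        return False
    register(username, new_password)  # new salt and digest; old one is gone
    return True
```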


  1. From your earlier post:
    > Many people use the same password for multiple sites (don't do that!)

    Could you apply the same principle to this "T-Mobile SSN"?

    There might be some value to secondary secret questions because they're less likely to be phished or keylogged.

  2. One of the universities I attended assigned me a substitute number since I objected to using my SSN as my student ID number. (Clearly I wasn't the first one to object.) They then proceeded to use the fake SSN when they reported my earnings to the IRS. That was fun getting fixed.
