In yesterday's post, I talked about why you shouldn't share passwords. Today, coincidentally, I had a related frustrating experience with T-Mobile. They insisted they couldn't access my account unless I told them the last 4 digits of my social security number (SSN) to "verify" my account. This being despite the fact that they don't actually know my SSN and therefore telling them the 4 digits would not serve to "verify" anything.
They claim to ask for this in order to protect me. But they don't know what they're doing. The poor understanding of security extends to their web site too. If I forget my t-mobile.com password, I can reset it online by answering a few secret questions. But there are lots of people who aren't me who know where I was born, my mother's maiden name, my dog's name and Paris Hilton's dog's name. And, unfortunately, lots of people have access to my SSN too. So using "secrets" like these to secure my account either online or off makes no sense.
Even better, T-Mobile will send my password to me via text message! Um, they shouldn't store passwords in clear text, and they certainly should never tell anyone (not even me) what my password is.
So their account reps won't talk to me, but their web site will happily send my password to anyone I loan my phone to. Gee, thanks.