This topic

'You'll need to answer a few security questions ...'

Firefox1701 — Mon, 25 Apr 2022 14:41:09 GMT

How many times have we all heard that? - When companies ring us and expect us to prove who we are before they'll continue - and I'm not talking about scammers - I'm talking about perfectly legitimate companies ( including BT! ).

This is as much a topic for discussion as it is a question, I guess, but I'm curious to know other people's take on this. At a time when I've literally received more scam calls in the last 48 hours than I have from my family since New Year, my stance, for better or worse, is that the onus isn't on me to prove who I am by providing personal details such as address, e-mail etc.; quite the opposite, in fact. I've heard it argued that you can always ring the company back on a known safe number, and so you can - if you don't mind spending any amount of time going through recorded messages and listening to music, almost certainly not to end up with the person who called you in the first place. This forum alone is replete with adjurations never to give out personal information on the strength of nothing more than who a caller claims to be - in fact, I've never heard of a telephone service provider who would recommend otherwise.

Thoughts and observations, anyone?

Re: 'You'll need to answer a few security questions ...'

-Richie- — Mon, 25 Apr 2022 17:53:28 GMT

It's a fine line to balance security but BT have to take protecting customers data seriously, although in most cases of being called back, it's the result of you calling in so it shouldn't be unexpected to be called and asked to verify.

Re: 'You'll need to answer a few security questions ...'

Anonymous — Mon, 25 Apr 2022 18:07:49 GMT

I never do it, including my bank (Nationwide) who called recently to discuss a complaint. Indeed that pushed me to switch to another bank.

As for BT, they generally have a different take by texting a code that you repeat back. Happy with that as I'm not disclosing anything.

Re: 'You'll need to answer a few security questions ...'

Les-Gibson — Mon, 25 Apr 2022 18:23:20 GMT

I have one golden rule, if an unsolicited caller asks me for personal or financial information or to install software on one of my machines then I hang up and block them, no exceptions and I've yet to find out that I missed an important call.

Re: 'You'll need to answer a few security questions ...'

gg30340 — Mon, 25 Apr 2022 19:20:12 GMT

@Anonymous wrote:

I never do it, including my bank (Nationwide) who called recently to discuss a complaint. Indeed that pushed me to switch to another bank.

As for BT, they generally have a different take by texting a code that you repeat back. Happy with that as I'm not disclosing anything.

BT only use the one time PIN code if you have called them.

If you get an unsolicited call "from BT" and they tell you that they will send you a PIN code and you have to repeat it back to them it means they have probably used the "forgotten password" route which generates a PIN number being sent to you. They will have obtained your email address from any number of places. Once you give them that number they have access to your MyBT or email account depending on which one they used.

See link

BT's One time pin process - BT Community

Re: 'You'll need to answer a few security questions ...'

Firefox1701 — Tue, 26 Apr 2022 05:40:02 GMT

A couple of further observations ...

Firstly, the 'one-time PIN code' thing is fine on the assumption that you have a mobile phone ... which my partner doesn't, and to be honest my one only ever comes out of the drawer once in a blue moon.

Secondly, the fact that the call may be a follow-up to my having called them ( 'them' being any given company, not just BT ) is neither here nor there. As an example, scam calls are easily prolific enough now that a phoney caller ( pardon the pun ) might well happen to call at a time which happens to coincide with my having contacted my bank. But even when it's a genuine call from a company in response to my having contacted them first, the principle still applies: why should I have to prove my identity to someone calling me? In fact, if anything, that's even more applicable in this scenario - if a company is in fact calling me in response to my having contacted them, then they presumably know in advance exactly who I am - that's why they're calling me. Even if you look at the outside chance that someone else is answering my phone - if they're in my house, it's a pretty fair bet that they know my address, so that doesn't prove anything; if they're there with criminal intent ( even disregarding the chances that they would stop to answer the phone ), it's equally possible that they might know my e-mail address. I'd be curious to know from any given company - BT or any other - exactly how many times they've actually caught someone out with the security questions and prevented some kind of fraudulent or criminal activity from taking place.

Re: 'You'll need to answer a few security questions ...'

gg30340 — Tue, 26 Apr 2022 08:14:05 GMT

@Firefox1701 wrote:

A couple of further observations ...

Firstly, the 'one-time PIN code' thing is fine on the assumption that you have a mobile phone ... which my partner doesn't, and to be honest my one only ever comes out of the drawer once in a blue moon. If you do not want texts or have not supplied a mobile number they send the PIN by email to your previously registered email address.

Secondly, the fact that the call may be a follow-up to my having called them ( 'them' being any given company, not just BT ) is neither here nor there. As an example, scam calls are easily prolific enough now that a phoney caller ( pardon the pun ) might well happen to call at a time which happens to coincide with my having contacted my bank. Unlikely and even if it did happen it would be a very lucky scammer to have picked the correct bank name to use and be able to quote the reason for the call as a follow up to trick you into believing that it was genuine. But even when it's a genuine call from a company in response to my having contacted them first, the principle still applies: why should I have to prove my identity to someone calling me? In fact, if anything, that's even more applicable in this scenario - if a company is in fact calling me in response to my having contacted them, then they presumably know in advance exactly who I am - that's why they're calling me. The reason that you are asked is so that your private information is not given just to anybody who happens to answer your phone. If for instance it was your bank, your doctor or some other company that holds information that you would not want somebody else, even a family member to know, how else would you suggest that the company identify that they are speaking to you. Even if you look at the outside chance that someone else is answering my phone - if they're in my house, perhaps that would be the case in your house but not everybody lives in your house or have the same circumstances as you. I'm pretty sure that there will be many house holds who do have more than one person answering the phone such as multi occupancy flats it's a pretty fair bet that they know my address, so that doesn't prove anything; if they're there with criminal intent ( even disregarding the chances that they would stop to answer the phone ), it's equally possible that they might know my e-mail address. It is not always your address, post code or email address that is asked for I'd be curious to know from any given company - BT or any other - exactly how many times they've actually caught someone out with the security questions and prevented some kind of fraudulent or criminal activity from taking place. That is an imponderable question. People, with no criminal intention, can and do forget security questions and as such they do not get access until a further security check has been completed.

In any event the best advice it to be vigilant and if you are in any doubt or you are not wanting to deal with callers on the phone you should ask them what the call is about and that you will call the company back using a phone number that you know is a safe number and not one supplied by the caller.

Re: 'You'll need to answer a few security questions ...'

Firefox1701 — Tue, 26 Apr 2022 09:01:29 GMT

Wow! I feel like that should have concluded with the words: 'the defence rests'!

But if that's what this has turned into - which it wasn't meant to:

'If you do not want texts or have not supplied a mobile number they send the PIN by email to your previously registered email address.' Great. As long as I happen to be in front of my computer at the time, fair enough.

'... it would be a very lucky scammer to have picked the correct bank name to use and be able to quote the reason for the call as a follow up to trick you into believing that it was genuine.' Sorry, but no. First of all, we've had scammers call here claiming to be from four different major banks; by the sheer law of numbers, they will get it right sometimes. Other people on this forum have told that exact story. And the whole point is that they usually don't quote the reason for the call until you've answered their questions. This, not to mention the fact that it is by no means only banks that I'm talking about; energy providers, telephone / internet service providers, the list goes on. If you believe that the coincidence of timing is unlikely, I would suggest that you're luckier than many of the other contributors to this forum - it being the case that scam calls are one of the most frequently-discussed topics on here.

'The reason that you are asked etc.' For a start, if the 'one-time PIN' solution is so effective, then why don't other companies, including banks, use it also? Although I personally tend to eschew mobile phones, I recognise that I'm in the minority, and this presumably works for most people without there being a need to divulge any personal information to what is for all intents and purposes a completely anonymous caller.

'It is not always your address, post code or email address that is asked for ...' No; but if, as you suggest, it was another family member or co-occupant, it's still entirely possible that they may know the answers to the security questions. Not guaranteed, I grant you; but possible - which in itself means that for a company to stand on the principle that it will only continue the conversation if you answer security questions to which other members of your household may know the answer, is meaningless.

'I'd be curious to know from any given company - BT or any other - exactly how many times they've actually caught someone out with the security questions and prevented some kind of fraudulent or criminal activity from taking place.' / That is an imponderable question. People, with no criminal intention, can and do forget security questions and as such they do not get access until a further security check has been completed. Thank you for making my point for me. I suggest that it isn't so much the case that the question is imponderable; rather, that the companies involved would not choose to ponder the inadequacies of a system they've had in place for so long. Instead, precisely because they do not question their own system, people who, as you rightly say, have no criminal intention and are legitimately entitled to be having a conversation with the company in question, are prevented from doing so through no fault of their own.

'In any event the best advice it to be vigilant and if you are in any doubt or you are not wanting to deal with callers on the phone you should ask them what the call is about and that you will call the company back using a phone number that you know is a safe number and not one supplied by the caller.' Refer back to my original post. It is precisely the fact of being vigilant - as everyone rightly should be - that creates the problem. Yes, you can call the company back using a known safe number; it will very likely be an 08 or 03 number or similar, it will almost certainly go through a recorded menu ( or a tree of them in many cases - up to seven is not uncommon ), you may well have to listen to music for an indeterminate period of time, and if you do succeed in getting through to the correct department, the chances of actually speaking to the same human being who called you in the first place are minimal - far more likely, you will speak to someone who has no prior knowledge of you or your circumstances and who will have to look the case up from scratch. Yes, you can take this course of action if you have nothing better to do with your time ... should you have to?

My argument is that in this day and age, when institutionalised scamming has existed for at least the last couple of decades or so and is now more rife than ever, the onus is upon the corporate sector to come up with better alternatives than this, not on the already-beleaguered members of the public who have their hands more than full enough dealing with scammers in the first place - again, as witness countless posts on this very forum.

Re: 'You'll need to answer a few security questions ...'

gg30340 — Tue, 26 Apr 2022 09:20:04 GMT

I thought this was a discussion where you asked for "thoughts and observations, anyone?"

Obviously I was wrong!

I don't have an argument but you obviously do and would appear to only want comments that suit you narrative so I'll leave you to it.

Re: 'You'll need to answer a few security questions ...'

Firefox1701 — Tue, 26 Apr 2022 09:32:05 GMT

I have to say that your blow-by-blow dissection of the previous post did not immediately strike me as having come from someone who 'did not have an argument'. However, contrary to what you suggest, creating or sustaining an argument was never my aim, and I do welcome any and all contributions, whether they subscribe to my point of view or not - in fact I would be very interested to see whether the majority of people do or don't agree with me.

Re: 'You'll need to answer a few security questions ...'

Carlusha — Tue, 26 Apr 2022 09:58:18 GMT

@Firefox1701wrote:
Wow! I feel like that should have concluded with the words: 'the defence rests'!
'... it would be a very lucky scammer to have picked the correct bank name to use and be able to quote the reason for the call as a follow up to trick you into believing that it was genuine.' Sorry, but no. First of all, we've had scammers call here claiming to be from four different major banks; by the sheer law of numbers, they will get it right sometimes. Other people on this forum have told that exact story. And the whole point is that they usually don't quote the reason for the call until you've answered their questions. This, not to mention the fact that it is by no means only banks that I'm talking about; energy providers, telephone / internet service providers, the list goes on. If you believe that the coincidence of timing is unlikely, I would suggest that you're luckier than many of the other contributors to this forum - it being the case that scam calls are one of the most frequently-discussed topics on here.

Ah, I hope the defence had a good rest!

If you are referring to your mobile, then for a 'phone that spends most of its life hiding in a drawer, the number of hits you have had is amazing!

Re: 'You'll need to answer a few security questions ...'

Firefox1701 — Tue, 26 Apr 2022 10:03:35 GMT

I'm assuming that by 'hits' you mean scam calls. I should perhaps clarify that the scam calls to which I'm referring are all on the landline. On the odd occasion that I do check the mobile, there will usually be an assortment of missed calls from anonymous or unknown numbers, but I don't really care about that, because it lives in a drawer ...!

Re: 'You'll need to answer a few security questions ...'

MissBeatty — Sun, 15 May 2022 21:30:26 GMT

What’s your bright idea to solve it?

Re: 'You'll need to answer a few security questions ...'

MissBeatty — Sun, 15 May 2022 21:31:06 GMT

How do you solve it original poster. Send

Re: 'You'll need to answer a few security questions ...'

Andy005 — Mon, 16 May 2022 06:41:41 GMT

BT sent me an 8 digit password, two characters of which I have to quote if either I call them or they call me. The problem is that if we follow the advice of having unique passwords, security questions etc, it's impossible to remember them.

An option would be for the customer to give BT for example, a word that they must quote when calling us to prove it's them. The problem is that it's yet even more words to remember.

Where BT is lacking is with the My BT app, there is no calling option as far as I can see from within the app, which would negate the need for security questions. It doesn't get around the problem of them calling us though. When they do call us they could quote what services you have, last payment amount, payment date etc, but the assumption is that we have to take it for granted that they are who they say they are.

Even the 8 character BT supplied password doesn't work because if a spoof caller calls me and asks me for characters 3 and 7 for example, they could just say yes that's correct and move on to discussing bank details etc.

The simple thing to do is ask yourself why they are calling you in the first place, unless you have an ongoing issue they shouldn't be contacting you.

Re: 'You'll need to answer a few security questions ...'

Firefox1701 — Mon, 16 May 2022 06:50:02 GMT

To be clear: I didn't set myself up as having any 'bright ideas to solve it', far less did I expect to be pressed into providing them. As I understand it, the thread was moved from a different forum to this one precisely because it is a subject for discussion. However, this, I feel, throws into still sharper relief a point which I've made elsewhere, which is that we as consumers have been lulled into believing that it it our responsibility to come up with solutions to problems such as this, whereas in fact it isn't.

Back in the day, this was never an issue. If you got a phone call from any major company with whom you were dealing, telephone / utility provider or otherwise, you answered the phone and cracked on with the conversation. If - and I do say 'if' - there is any official record of the extent to which that practice led to detrimental results for the customer, I would very much like to see it. But even then - bearing in mind that this is a telephone provider's forum - does it not seem contradictory that the same company who are asking us for our personal information in order to 'verify who we are' when they called us, are telling us in the next breath never to give out personal information unless we are 100% certain that the caller is legitimate?

I would go further: the reason we are advised to be cautious about giving out personal details, is because of the vast assortment of scam calls that many of us receive on a several-times-daily basis. There are an assortment of methods of addressing that problem, all dealt with in greater depth elsewhere on this forum; but once again, the reality is that it really shouldn't be our problem to address. We as consumers, in general, do not possess the technical nous to be able to truly combat this issue, and why should we?

If, despite the warnings, despite the countless different varieties of scam call, you are quite comfortable giving out your personal details to someone who may or may not be who they claim to be - telephone provider or otherwise - then by all means do just that. I don't have any 'bright ideas' to solve the problem, except to say that if enough people persistently refuse to give out their details in response to 'security questions', the various companies involved will eventually have to do what they should have done in the first place and come up with bright ideas of their own to solve the probem, if indeed there is actually a problem to solve. As regards a practical alternative, the only currently workable one I know of is to obtain the caller's name and extension number and call them back on a known safe number - as long, as I mentioned above, as you don't mind waiting in a queue of indefinite length and even then very possibly not getting through to the right person. Alternatively, let them deal with the issue by e-mail, if that's a viable alternative. Other than that, since I'm not on the payroll of BT or any of the other telephone providers, I'm happy to entertain 'bright ideas' from anyone else who may have any - ideally, those who are on the payroll.

Re: 'You'll need to answer a few security questions ...'

mispeltyuoth — Tue, 17 May 2022 12:37:59 GMT

"Even the 8 character BT supplied password doesn't work because if a spoof caller calls me and asks me for characters 3 and 7 for example, they could just say yes that's correct and move on to discussing bank details etc."

The logical next step should be that the caller then repeats, say, character 4 and 8 back to you. That way both parties, in theory, may be trusted.

Re: 'You'll need to answer a few security questions ...'

Andy005 — Tue, 17 May 2022 14:28:50 GMT

@mispeltyuothwrote:
"Even the 8 character BT supplied password doesn't work because if a spoof caller calls me and asks me for characters 3 and 7 for example, they could just say yes that's correct and move on to discussing bank details etc."
The logical next step should be that the caller then repeats, say, character 4 and 8 back to you. That way both parties, in theory, may be trusted.

I might be wrong here @mispeltyuoth but my understanding is that the caller is only shown 2 out of the 8 characters at random, for security reasons. So they cannot do as you suggest. If the person being called is suspicious they could at first give two incorrect characters to see if the caller can acknowledge the error but then it's starting to get silly.