Smith & Barney case study: how not to authenticate customers

MSFT uses Smith & Barney’s BenefitsAccess online site for administering some employee benefits. (It used to be Schwab in the distant past.) This choice lead to a series of interesting exchanges over the past couple of days.

  • S&B representative leaves cordial voice mail in response to earlier phone inquiry, providing 888 number to follow-up.
  • Call back at the indicated number. Very first ask after language selection: “Please enter your global ID or social security number”
  • Why SSN? Granted they already have this information (because it also happens to be the “TIN” or tax identification number, used for income tax reporting purposes to IRS) but using it for authentication in a cavalier manner is asking for trouble. SSN is an identifier, not a secret intended for proving one’s identity. Over time it became a credential, as various businesses began to make the convenient assumption that if you know the SSN for a person, you are that person. Financial services sector routinely depends on this dangerous repurposing for verifying customer identity when they are on the phone or online. But in this case global ID– whatever that means– is sufficient, so any number of other factors such as company ID, date of birth etc. could be used to uniquely identify somebody. (For comparison 1st Tech Credit Union asks for last 4 digits of SSN.)
  • S&B continues the authentication process by asking for the online trading PIN.
  • Skip through more options, finally reach a person.
  • After explaining the request, her first question: what is your social security number? Where is the connection between the automated phone system and the support ticket system? Why bother authenticating customers up front if the process is going to be repeated manually? For that matter, why not assign a case number or other temporary identifier to track this ticket (since S&B called the customer in this case) instead of requiring the caller to verify their identity each time?
  • More discussion of the particular problem. Ask S&B about wire transfer. It turns out that setting up wire transfer requires faxing in a form– and a copy of driver’s license.

Sadly the appetite exhibited by S&B for personal information, the assumption that users are willing to provide this at will and cavalier attitude towards data security appears to be the norm in the financial services industry. (Earlier posts on this blog covered an earlier American Express debacle.)


Leave a Reply

Please log in using one of these methods to post your comment: Logo

You are commenting using your account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s