This week I had emails from two services I use notifying me that they each had suffered some sort of security intrusion, and suggesting I change my password etc etc.
One was Slack — for a technology company currently raising assets at a reported $2.8bn valuation, discovering that hackers have been poking around in the central database for four days must have been something of an embarrassment, but since they don’t have any financial details for me, I’m not overly concerned.
The other was British Airways and in some ways I found this one more interesting. There doesn’t seem to be an official press release from BA on this subject. The email says simply:
This appears to have been the result of a third party using information obtained elsewhere on the internet, via an automated process, to try to gain access to yourExecutive Club account.
We understand this was login information relating to a different online service which you may have also used to access your Executive Club account.”
Coincidentally, this morning BA cancelled my flight from Jersey to London. I received a text notifying me of this and that I had been rebooked on a flight tomorrow afternoon (as though when you’re going to London for the weekend, it’s not going to make a big difference whether you arrive 9am Saturday or 4pm Sunday). I tried to use my Executive Club account to reject the new flight time, but (inevitably) this was not an eventuality that BA’s coders envisaged and so the website rejected my request. Incidentally, the mobile app still thinks I’m on the 7:45 this morning so beware their systems are not joined up.
Consequently, I had to call BA Executive Club to discuss the flight change. When I got through, I gave them my name, the booking reference and explained the situation. Inevitably they wanted me to identify myself, and asked for my full address and date of birth. And this is what I have an issue with. The argument of the customer service person I spoke to (who was polite but probably a bit fed up I was arguing with him) was that they had to identify me somehow, especially given the hack and that these pieces of information would be stuff known only to me. Furthermore UK’s Data Protection Act obliges them to ensure they are speaking to the right person.
With regards Data Protection, my argument was that actually I wasn’t asking him to reveal any information about me — I’d provided everything (surname, booking reference) that would have been required online (had their systems been working) and just wanted to confirm that the replacement flight wasn’t acceptable to me. His systems though required him to go through exactly the same procedure to confirm my identity regardless of the reason for the call. OK, no big deal.
On security I have a number of issues with BA’s process. Firstly, who’s to say that this guy doesn’t have a little notebook on his desk where he’s writing down my name, DOB and address — enough information to sign up for a lot of online services in my name and almost enough to open a bank account. This type of fraud has been occurring at some call centres for years. Many service providers I speak with still demand I give them a lot of personal data (the verbal equivalent of plain-text emailing a password, as far as I’m concerned) before they will speak with me. It’s all very well encrypting passwords for your customers, but if your call centre workers can collect customer data you have a big hole in your security.
I suggested to the BA guy that best practice was probably to request fragments from a long security passphrase. “Ah”, he said. “But if the hackers are in our database, they’ll know your passphrase too”. But at BA would they not then already have my passport details (because those are stored for APIS) and my address (so BA can send me new luggage tags)? “Errrm.”
Come on BA (and everyone else that asks me for my DOB, address or other plain-text personal information). Get a better system for validating caller identity! And fix your websites so they don’t leak!
This article first appeared on LinkedIn 28 March 2015