Performative Data Security is Bad Data Security
Most of us have been there. In these days of GDPR and scams, when you call large companies you will usually be told you need to answer some questions to prove who you are before they will discuss your account or case. This makes perfect sense.
Most large companies, on the rare occasion they have to originate a call, will still insist that you, their customer, verify who you are before they explain why they are calling. Even this is understandable: they have to account for the possibility that someone other than you answered your phone.
The problem is that when they call you, they should first prove to your satisfaction that they represent the company, before asking for a single piece of your sensitive information.
The Culprits
For many years now, I have been called by large companies, including banks, who have demanded that I give them sensitive information before they will continue the call, sometimes on totally unsolicited calls.
Five years ago I didn't find this so surprising, but the fact that this is still prevalent practice in 2023 is not just amazing, it's downright dangerous. In the main the banks have got the message, but this year alone both Sky and Amazon have still demanded that the person they called verify themselves before the caller does the same.
When the Script goes wrong
When I refuse to give out information, as I routinely do, the reaction is usually shock and confusion. When I explain that I have no way of knowing whether the call is really from company X, the stock response is rarely better than "but I am calling from company X". I do feel sorry for these callers, who have not been trained to handle this correctly. You are often told, with a hint of threat, that you won't be helped or that they can't tell you why they have called. I tell them that's fine, but I still won't give out my information: after all, it's reasonable that I prove who I am when I call them, so surely they should see the need to do the same when they call me.
On some occasions the matter gets argumentative. One representative told me that their company took the security of my data very seriously and that's why they do it. I explained that, as this article's title says, this is just performative data security, the appearance of data security. What they are actually doing is conditioning their customers to reveal account details to unverified third parties. That's not looking after my data. It's the opposite.
Yes, it's a point of principle, but more seriously, I usually have no way of knowing for sure that the caller is from company X and authorised to call me. And I do receive scam calls, quite frequently in fact, like many of us.
When a call from a company is expected, you might think this is less of an issue, but many scams are predicated on some coincidence lowering your guard. Think, for instance, of the many "you have been in an accident" scams. Perhaps nine times out of ten you haven't been in an accident, so you know immediately that this is a scam, but the scammers are betting that on the tenth occasion the coincidence will itself feel like confirmation that the call is genuine.
These attacker strategies work, which is why they are used. It's vitally important, then, that companies that really want to practise good data security protect their customers from such attack vectors.
The Solution(s)
Perhaps the most frustrating thing is that the solutions to this problem are not complex.
First and foremost, companies should train their staff to understand that it is actually dangerous practice to demand account details before the company has verified itself. Once customers are used to handing over details to anyone claiming to be company X, scammers know they can use exactly the same script. Most banks have got their heads around this and routinely caution customers never to reveal information before such verification.
Companies should supply a call-back number. For instance, they should tell the customer to call in on a number the customer can independently verify on the corporate website (rather than simply trusting the number the caller gives), and to quote a case number to continue the conversation. It is still important for customers on landlines to make sure the original call has actually terminated before dialling, since a caller who stays on the line can keep it open; company representatives should give that advice too.
Another easy solution is a second account password, though this might not suit everyone. For instance, Sky set a password that customers can speak when calling in to verify that they are the account holder. If they allowed it, I would give them a different password that their agent could give me when they call, to prove that they genuinely represent the company and have access to my account details. Note that this second password must be readable by agents, since it has to be spoken back to the customer, so it should be a distinct secret that is not reused anywhere else.
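As an added example, not from the original post, here is a small Python model of the two-password scheme described above, with the call script enforced as a state machine: the customer releases nothing until the caller has spoken the callback phrase, and the company then checks the inbound password. The class and function names, the storage choices and the sample secrets are all constructed for illustration.

```python
"""Model of the two-password scheme (added example, not the post's own code).

Two secrets per account:
  - inbound password: the customer proves who they are to the company;
  - callback phrase: the company proves who it is to the customer.
The customer never reveals the former until the caller has spoken the latter.
"""
import hashlib
import hmac
import os
from typing import Optional


class Account:
    """Company-side record for one customer (constructed for this example).

    The inbound password only ever needs to be checked, so it is stored as a
    salted PBKDF2 hash. The callback phrase has to be read out by an agent,
    so it must be recoverable; a real system would keep it in an encrypted
    column, here it is simply a string.
    """

    def __init__(self, inbound_password: str, callback_phrase: str) -> None:
        self.salt = os.urandom(16)
        self.inbound_hash = self._hash(inbound_password, self.salt)
        self.callback_phrase = callback_phrase

    @staticmethod
    def _hash(password: str, salt: bytes) -> bytes:
        return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 200_000)

    def check_inbound(self, candidate: str) -> bool:
        # Constant-time compare so a wrong guess does not leak via timing.
        return hmac.compare_digest(self._hash(candidate, self.salt), self.inbound_hash)


class Customer:
    """The person answering the phone. Knows both secrets, but only reveals the
    inbound password to a caller who has first spoken the callback phrase."""

    def __init__(self, inbound_password: str, callback_phrase: str) -> None:
        self._inbound_password = inbound_password
        self._callback_phrase = callback_phrase
        self.caller_verified = False

    def hear_callback_phrase(self, spoken: str) -> bool:
        self.caller_verified = hmac.compare_digest(
            spoken.encode(), self._callback_phrase.encode()
        )
        return self.caller_verified

    def asked_for_inbound_password(self) -> Optional[str]:
        # The point of the article: refuse until the caller has proved they
        # are the company. A scammer, or a genuine agent following a script
        # that asks first, gets nothing.
        if not self.caller_verified:
            return None
        return self._inbound_password


def run_call(account: Account, customer: Customer, caller_phrase: Optional[str]) -> bool:
    """Model one outbound call; True only if both sides end up verified.

    caller_phrase is what the caller says to prove they are the company: the
    genuine phrase from the account record, a guess, or None if the caller
    skips that step and asks for the password straight away.
    """
    if caller_phrase is not None:
        customer.hear_callback_phrase(caller_phrase)
    password = customer.asked_for_inbound_password()
    if password is None:
        return False  # customer refused; the call cannot proceed
    return account.check_inbound(password)


# Sample secrets, constructed for the example.
INBOUND = "correct horse battery"
CALLBACK = "blue giraffe 42"


def genuine_call() -> bool:
    """Agent reads the phrase from the account record, then asks the customer."""
    account, customer = Account(INBOUND, CALLBACK), Customer(INBOUND, CALLBACK)
    return run_call(account, customer, account.callback_phrase)


def scam_call() -> bool:
    """Caller claims to be the company and guesses at the phrase."""
    account, customer = Account(INBOUND, CALLBACK), Customer(INBOUND, CALLBACK)
    return run_call(account, customer, "hello from company X")


def wrong_order_call() -> bool:
    """Genuine agent, but the script asks for the password before proving itself."""
    account, customer = Account(INBOUND, CALLBACK), Customer(INBOUND, CALLBACK)
    return run_call(account, customer, None)


if __name__ == "__main__":
    print("genuine:", genuine_call(), "scam:", scam_call(), "wrong order:", wrong_order_call())
```

The asymmetry in storage is the practical point: the inbound password can be hashed like any login credential, but the callback phrase cannot, because an agent has to speak it, which is why it should be a separate secret and protected at rest.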
Data security is indeed a real and serious issue, but it's important that companies have well thought out policies that really protect customer data, rather than performative procedures that look like good practice but are actually the opposite.