[IP] Connected: Verizon puts your privacy in precarious position

To: Ip ip <ip@xxxxxxxxxxxxxx>
Subject: [IP] Connected: Verizon puts your privacy in precarious position
From: David Farber <dave@xxxxxxxxxx>
Date: Sat, 16 Jul 2005 19:14:18 -0400
List-help: <http://v2.listbox.com/doc/help_sub?list_name=ip@v2.listbox.com>
List-id: <ip@xxxxxxxxxxxxxx>
List-software: listbox.com v2.0
List-subscribe: <mailto:subscribe-ip@v2.listbox.com>, <http://v2.listbox.com/subscribe/?listname=ip@v2.listbox.com>
List-unsubscribe: <mailto:unsubscribe-ip@v2.listbox.com>, <http://v2.listbox.com/member/unsubscribe/?listname=ip@v2.listbox.com>
Reply-to: dave@xxxxxxxxxx
Sender: owner-ip@xxxxxxxxxxxxxx

http://www.post-gazette.com/pg/05197/538849.stm



Connected: Verizon puts your privacy in precarious position

Saturday, July 16, 2005

By David Radin

Would you give your credit card number to a company if you knew itwas to be used for anything else besides taking your payment? That isexactly what is happening for thousands of people nationwide who havesigned up for Verizon's VoiceWing Voice over IP telephone service.



-------------------------------------
You are subscribed as roessler@xxxxxxxxxxxxxxxxxx
To manage your subscription, go to
 http://v2.listbox.com/member/?listname=ip

Archives at: http://www.interesting-people.org/archives/interesting-people/

VoiceWing is different from Verizon's traditional telephone servicein several ways, one of which is that the company only accepts creditcards as payment. It will not direct bill you. So you must provideyour card to get the service. Once you have the service, Verizondebits your card monthly -- and also uses the last four digits ofyour card number to verify who you are when you call for support.

According to Margo Hammar, chief privacy officer at Verizon, usingyour credit card digits this way is just like paying for your gas atthe pump, then crumbling the receipt and throwing it away.

But it's not the same. At the pump, the credit card is inserted for aone-time transaction and not saved by the gas station. It is you whomakes the decision on the spot to provide the card data; and it isyou who decides whether to print the receipt and crumble it (or keepit). In the VoiceWing scenario, your credit card information isplaced into a database at Verizon -- and then the last four digitsare shown to any customer support rep who pulls up your record --even if no transaction is taking place.

Hammar told me that "Verizon takes the safeguarding of clientinformation very seriously" and that the company has created a methodand procedure to be used by employees with a need to know. As the keyprivacy person, she has pushed the company to move away from usingSocial Security numbers for customer authentication, but has not yetprovoked the company to stop using this credit card data for the sametask.

According to Dean Ocampo, product marketing manager for securitysoftware developer Check Point Software Technologies, using only thelast four digits minimizes risk compared to using the entire number,"but ideally you don't want to use any of it." He says the issue goesdeeper than whether the company is using the digits. It involves theprocesses they employ and the depth of security.

In the Verizon situation, your credit card digits are displayed tofirst-tier customer support reps -- people who are not in a "need toknow" position regarding your credit card. In one call that I made toVoiceWing support, I refused to give the CSR my digits, which madehim exclaim that the digits are right in front of him already; it'snot like I'm revealing anything new to him.

That, in fact, is the problem. The digits should not be in front ofhim. He has no reason to see a customer's credit card data, no matterhow ethical he is. Check Point's Ocampo agrees: "The more you putprivate data through the company, the more likely it can be hackedand stolen." He cites instances in which companies have not properlysecured the data at every juncture, even though it thinks it has.Recent news items about security problems at Citibank, ChoicePointand CVS provide examples. Ocampo's examples include points of attachwithin the company, including PCs living around the perimeter of thenetwork that have not been completely secure.

Since businesses make decisions over time, other factors may latercreate security risks. For instance, a move to outsourcing customersupport offshore would put your credit card data in a rep's hands inanother country -- perhaps a country that doesn't have the sameprotection laws that are in force in the United States. Securingcustomer privacy is not a science. What's good for the business isnot always good for privacy, and vice versa. Companies are alwaysdealing with the trade-offs when making business decisions.

Verizon's published privacy policy promises that the company will useSSL (a security mechanism) whenever it transmits your credit card,but it doesn't promise to use your card number only for yourtransactions. As long as Verizon continues to use customer creditcard numbers as authentication, in whole or in part, it is puttingthe customer at risk, no matter how slight.

(David Radin is a Pittsburgh-based consultant whose daily nationallysyndicated radio show can be heard locally on XM and Sirius. You cansign up for his tip letter, contact him and find an archive of hisprevious columns at www.MegabyteMinute.com.)


-------------------------------------
You are subscribed as roessler@xxxxxxxxxxxxxxxxxx
To manage your subscription, go to
 http://v2.listbox.com/member/?listname=ip

Archives at: http://www.interesting-people.org/archives/interesting-people/

Prev by Date: [IP] WSJ and political retaliation from the White House
Next by Date: [IP] Victory in Lafayette!
Previous by thread: [IP] WSJ and political retaliation from the White House
Next by thread: [IP] Victory in Lafayette!
Index(es):
- Date
- Thread