28 comments

[ 3.4 ms ] story [ 50.2 ms ] thread
At work we had privacy training videos shown one was an employee who spoke about the mobile phone company he has service with, no names but he'll call it "Mogers".

When he signed up for service with "Mogers" they messed up his name on his bill, instead of e.g. "John Smith" they put "J ohnSmith".

Then a week or so later he starts getting junk mail addressed to a "Mr J ohnSmith".

Totally agree that this isn't a great idea on Rogers part. But it strikes me that there is a relatively easy way to detect social engineering in this case. Just give the caller ridiculous answers in response to their first few queries and see if they balk. Only someone who knows the correct answers will challenge you.

It would be really nice if there was a better way to ensure the identity of parties on either end of a phone call. In my case, an inability to remember dates causes a headache every time I try to do telephone banking where it seems to be the only type of security questions they use.

"Just give the caller ridiculous answers in response to their first few queries and see if they balk."

Sure, you me and many others on HN could try this or be defensive when we get asked for our information but the common customer wouldn't balk. They would just rattle off the information and continue the conversation.

The point of the article is that this style of marketing is training customers to feel comfortable with giving out personal information when they're on the receiving end of a call.

Crazy. Are there any news articles where these type of social engineering scams have been successful?
I remember when it was a big deal on AIM and other IM services. You'd get a message from an official sounding screen name asking you to verify your password.

These types of attacks are why you typically see messages like "we will never ask for your personal information" from service providers.

"we will never ask for your personal information"

It's a nice first step, but then they break the security model by sending emails with a link to click on.

Every single service provider, bank, credit card, airline, or utility that sends me email, sends it with embedded links.

Customers have now been trained to click on links and give their passwords to login screens if they look halfway authentic.

At least in this case, I'm calling the bank. Meaning, I'm vising their page and I can confirm that it's actually the bank that I'm communicating with.

Browsers have been getting better about protecting users when it comes to online bank phishing attacks. Secure connections are emphasized more and getting rid of basic auth in the URL helps defend the customer from spoofing tactics.

"Just give the caller ridiculous answers in response to their first few queries and see if they balk."

Except that you know what happens when you give ridiculous answers to (secondary) security questions when signing into a bank account or credit card online? You get locked out of your account.

I don't think that Rogers' telemarketing system would behave the same way, but just be prepared to have to call Rogers back--answering yet more questions--to re-activate access to your account.

Canadian cellphone companies are pretty much a oligopoly with 3 big players, Rogers, Telus, and Bell. All 3 of them are super expensive and locks people in on super long 3 year contracts. These companies are so shady they create multiple "discount brands" to make consumer feels like they have more choices. It's not till recently that Canadian government realized the need to create competition and auctioned off some AWS spectrum to a couple "startups", namely Wind and Mobilicity and couple other ones.
I had to talk to rogers about getting some money back after finally cutting all of my services with them.

Because my old cellphone number was the account number, they started giving me information about the Department of National Defense employee who now owns my old cell phone number.

Hows that for a security failure on Rogers' part?

Would have been interesting if you wrote that persons information down and gave him a call to let him know what just happened. It's make a great story for the press and could pressure Rogers to stop this information leak and otherwise poor security policies.
I experienced another security failure on Rogers' part: Just a few weeks ago I was able to reset the passcode on my Rogers cell phone account by supplying just my cell number and date of birth. This was through an automated system and no other information was requested. I wasn't even phoning from the cell phone; I was phoning from a landline that isn't associated with my Rogers' account in any way.
I had the same thing happen with my bell account, I got a voice mail saying a representative was coming to my house to install a cable box, which I hadn't ordered, the number that was left wasn't the traditional bell 310 number, so I called the bell number on my bill, only to find out that they had not left that actual message - I never called that number because I didn't want to get more spam. These types of calls from tel comm have become so prevalent, once for cable, once for mobile, once for my internet, that I've become numb actually listening to what they are actually saying anymore; I'm sure if my parents were left this message they would have easily given personal information no problem.
Rogers is actually pretty ridiculous. I was about to make a post about this, but:

Rogers also sends text message spam every month. You can't opt out. I have called on 4 separate occasions and spoken to a manager, asking to be opted out of the spam. The first few times, they apologized and told me I'd be taken off the list. After I wasn't, I asked to speak to a manager, who called me back.

He told me, "Sir, that isn't spam. Those are Rogers marketing messages." After I told him that I, the customer, considered it spam and would no longer like to receive them, he told me, "I will forward your request to our marketing department, and they will determine whether it is spam."

Best company.

It's pretty amazing when you think about it. Not only do they already have you on the hook for at least 50 bucks a month (on the low end for most people) but they are also pushing you advertising to make even more.

You are completely just the commodity to them since they've had such a huge opportunity to control the market in Canada. They know it's hard for you to go somewhere else, so they have zero incentive to offer a quality user experience.

I've passed up the 4S, the 5, and the S3 just so I can let my contract run out in December and not have to deal with them anymore. What I wouldn't give for some real competition in the mobile provider space.
If only there were something even resembling competition in the Canadian mobile space. I'm not sure if Rogers is better or worse than Bell or Telus, because to me they're all pretty bad.

Recently, Bell customer service called my other out of the blue and talked her into getting a new package for her long distance on her land line. She's a senior citizen on a fixed income and she was under the impression that this was a cheaper plan. It turns out this wasn't a better plan at all. When she tried to cancel the plan she was told that she was on a contract and would have to pay an early termination fee.

The really great part is that she was never told that she was under contract and she never signed anything. There was apparently something in the fine print of the paperwork they sent her after the phone solicitation that said "we sent you this, so consider yourself as having agreed to a contract".

I couldn't believe it, so I called Bell customer service myself and I got the same response. She switched providers and refused to pay the fee (over $100), but Bell debited her bank account anyway, since she had set up pre-authorized billing. Nice way of doing business.

You have up to 60 days to dispute anything taken out of your bank account via ACH. If I were you, I would pursue that route.
You can also file a complaint with the CCTS: http://www.ccts-cprst.ca/

They've helped me in the past with stupid things Rogers and Bell have done, but they don't have any legitimate power. I'm usually for deregulation, but this market is too highly monopolized. What I'd give for a FCC

I once lived in an apartment building that had a special deal going with Rogers. Although the building had no soliciting in general, Rogers was the exception. I learned from the management that they kept a list of tenants who were not customers and their goal was to convert every single one.

Monthly flyers under my apartment door were annoying. Visits from actual Rogers reps to my door were also annoying. But once they even resorted to having a crude printout shoved under my door with "NOTICE FROM MANAGEMENT" on it. Sure looked like a notice from the landlord, but turned out to be another Rogers ad.

They also once tried to call me. I asked to be taken off their list and the guy actually had the audacity to argue with me about why I would want that and why I don't want their service. The only way out was for me to resort to repeating "Take me off your list" over and over until he finally did.

It's really an awful company.

Haha I remember getting my first spam text message from them, and wondering to myself, "What is this garbage? Why am I paying over $65 a month, only to be sent more messages about how I can give them more money?"

This year however, Rogers got a student internet plan which is almost equivalent to TekSavvy (~$5 more expensive, but it's 300GB of bandwidth). At least they're getting the message, albeit very slowly.

The same thing happened to me, but in the US. I think it was one of my credit card companies calling me, and they started asking me to identify myself. I refused, and I asked them for a number I could call in to. They gave me a number, I googled it to ensure that it was legitimately them, and then called the number.
Full disclosure: I work for the aforementioned. Much of this stuff doesn't appear to make any sense from the outside, and sometimes puzzles those on the inside. I'm not company PR nor am I trying to be. Actually, to be honest as I'm disgusted by the company for how they are handling things. Morale is in a slump and pressure from above to cut costs and increase profit is insane.

But to get back on topic: The policy this blogger has encountered deals with how a dealer must authenticate a customer before making any financially-impacting decisions or contractual obligations. As far as the lawyers are concerned this is to protect the company. If we mail out a new iPhone 5 and charge an account $100, then when it turns out you are not who you said that's simply too bad for us. We just lost an expensive phone. Arguably, it appears to make no sense in some scenarios like the one mentioned (where one could reasonably assume they are speaking to the correct person) but the reality is the person calling you has no bloody clue who you are. The account likely came up on their screen and the system dialed your number. You could be the account holder or a kid holding the phone.

The poor sucker calling you is likely sitting in a mile-long row of phones tethered to the desk by cords forced to listen to people complain all day long. Really, that's no different than just about every call centre. You asked for a manager... now guess what? You (if you're lucky) just got transferred to another call centre. Go figure.

Sales and service isn't all about money but that's all these big blind companies are able to see. You can complain about it all day long and it doesn't change a thing. Call up and cancel your service, perhaps then one of the dolts overseeing operations will see the light.

(comment deleted)
Just redirect calls from Rogers and other toll-free numbers to your voice mail