Dave wrote on Nov 29th, 2010 at 7:15pm:
These organisations are quick to follow Data Protection rules, but they only operate effectively where those receiving calls are happy to divulge sensitive information.
They only follow "rules" to protect themselves.
The rules are designed for their protection, so they can avoid taking serious responsibility. This also enables them to assign important tasks to incompetent staff.
My personal reaction to the electricity supplier scenario would have been quite different. A telephone call can be a more useful way of making contact than an email - it depends on the nature of the transaction.
On being asked a "security question", I would have returned the question - "do you suggest that I answer that?". This could have led to an interesting discussion about the security policy of the company. If they invite customers to give certain information to telephone callers then clearly it cannot be considered as "secure".
We must always be careful to distinguish between "identity" and that which is considered by some to represent adequate "proof of identity" for particular purposes.
If any set of items of information that could be considered to be proof of "identity" are made available to agents of an electricity company then that "identity" has already been stolen by the electricity company. Obviously agents have to handle information that is itself confidential, but they should never have access to a complete set of information that is considered sufficient to prove identity. If this were so, then every past and current agent would have to come under suspicion in the event of any case of fraud - it is quite unacceptable to place employees in such a position.
The other point is to question what information provides an effective assurance of the identity of a person able to provide it. My date of birth (age and birthday), my mother's maiden name, my bankers and my preference for Direct Debit are all items of information that are in the public domain in one way or another. I would certainly expect anyone who is able to answer my home or mobile telephone to be well aware of them from memory. This data may be adequate for the purpose of distinguishing me from someone else with a similar, or identical, name and as such it provides a means of establishing an identity - i.e. which person with a certain name one is talking about. It cannot however offer proof of the status of any person who knows this information, nor any protection against deliberate deceit.
The apparent belief that I am the only person able to present a printed copy of an electricity bill bearing my name and address is quite absurd. If asked to show such a document, it is most unlikely that I would accidentally present that of someone else, so it would provide a useful and convenient means of seeing a printed version of someone's name and address. It is however no protection against fraud.
No company can arbitrarily declare what it believes to be adequate "proof of identity" and expect this to be accepted by the world. It can only do its best to avoid being deceived and then suffer the consequences for any failure. I simply cannot understand how we have allowed ourselves to get into this position where citizens are expected to take action to prevent our identity being stolen by some financial institution to be applied to transactions that we have not personally authorised. It is the same, or similar, financial institutions that try to take money from us to provide protection against this danger. The explanation is perhaps there for all to see; it is simply a protection racket.
The issue of withheld CLI is raised. CLI is perversely and wrongly seen as being relevant to the issue of Silent Calls, so I will address this briefly, in the context of the case that is being discussed, by posing two questions:
- If the well known customer service telephone number of the electricity company in question had been presented as CLI would this have provided proof of the identity of the caller?
- If invited to call back to the number given as CLI, should that have left one content to go through the normal "security" procedure, when the call was answered?
I must urge everyone to answer "NO" to both of these questions. CLI proves nothing. It has its uses, but they are far more limited than is widely assumed, and are in fact quite different.
Please nobody suggest that scammers should be put under a regulatory requirement not to use fake CLI - they are already. Alternatively, it could be suggested that honest callers be compelled to give CLI and scammers compelled to withhold it. This might seem to be a brilliant idea, because then everyone could be sold caller display devices for each telephone handset and the associated service for the line, so that they would be able to detect scammers without even having to answer their calls.
I am sorry to say that any regulation that has the purpose of forcing those intent on deceit to declare themselves requires a little more thinking through.
Returning to the topic, more directly.
Ofcom provides "rules" so that companies can hang up in silence, whilst being able to say that they are compliant with the "Ofcom persistent misuse policy". This enables them to evade their responsibility to use the telephone properly.
There are some similarities with the data security issue.