The time has come, the Walrus said…

‘To talk of many things:
Of shoes – and ships – and sealing-wax –
Of cabbages – and kings –
And why the sea is boiling hot –
And whether pigs have wings.’
As of Friday, I’m no longer working at ThoughtWorks. After two and a half years of working in consulting, I’ve decided that it’s not a career I want to continue with.
ThoughtWorks is a great place, with great people, but basically consulting sucks.
I wish everybody there the best.

Dual Authentication

I had an interesting experience today. I received an SMS message telling me to “Please call Telstra on 1800XXXYYY (this is a local call in Australia) regarding this mobile service”.
I looked at the return number, and it was kinda weird, but I didn’t recognise it (52xxx) as anything from the telco. So, I rang the number and was greeted with the Telstra hold announcement, and then a happy operator: “Hello, this is Telstra, please can I have your phone number and password”.
At this point, I’m guessing the conversation went quite differently from the other calls that person received during the day. My response was “Prove it”. I got an unsolicited SMS from a number I didn’t recognise telling me to call a number that I didn’t know. That has the hallmarks of a classic scam to me.
The poor operator was a little confused, with an “erm, this is really Telstra, you’ll need to give me your details”. I refused (guessing at this point that it probably was Telstra, but I wanted to see where this would go). I said, “You’ll have to prove to me that you’re really Telstra.”
This is the real crux of the problem. There is no way they could do that without leaking information about customers, given the way that most large corporates deal with information. All of it is protected by the business, and nothing is set up so the business can prove itself to the customer, which leaves room for very successful scams. You never know if you’re actually talking to the people that you think you are.
Anyway, I asked what this was about, and they said it was likely I hadn’t paid a bill, which is why I got the SMS. (They were right; I’d forgotten to pay it.) When I got home I paid it, but I still refused to give them any information about me over the phone.
However, companies need to start to investigate dual authentication schemes where they can prove they are the company when on the phone to consumers. It will only be a matter of time before scammers start to use the phone system to do these sorts of “man-in-the-middle” attacks.
Interesting, no?