by cdubzzz 3893 days ago
> After providing the Verizon employee with a fabricated employee Vcode—a unique code that he says Verizon assigns employees—they got the information they were seeking. This included Brennan’s account number, his four-digit PIN, the backup mobile number on the account, Brennan’s AOL email address and the last four digits on his bank card.

There are obviously a _lot_ of wtf moments reading this article, but this one just strikes me as the most egregious - why in the world would a Verizon employee of any kind be able to obtain this information from anyone other than the account holder? The account number, ok maybe, but absolutely none of those other items should be communicated between employees. Absurd.


That information is internally available within Verizon, to its employees, to (presumably) verify ownership of an account when speaking to a customer. None of that is surprising - that information is commonly used as security challenge questions in phone support situations.

Whether it should be, well that is another matter.

It's understandable that the information is there and accessible. But, again, it should never be communicated between employees, only between employee and account holder. Maybe such a policy is not common practice for businesses? It seems like an obvious security measure.

When I worked for Embarq doing DSL support, the procedure for a field technician to obtain customer information was to call into a special phone number and provide a technician code.

There are several problems with this:

1.) The phone number can be found on the internet.

2.) The technician code is just noted down as part of the request. It is not verified.

3.) The support employee's validation process that they are a field technician was that they were calling over the special phone number.

Obviously sensitive information was not supposed to be given out, but they hired anyone that was alive enough to answer a phone and tell people to reset their router.

Well, it seems like employees should be able to verify that the security information matches what's on file without actually seeing it. So, an employee could enter the last four digits of the CC number into a form and then get verification if they're correct, but wouldn't be able to just pull up that info and give it to someone else.

> None of that is surprising - that information is commonly used as security challenge questions in phone support situations.

The PIN at least seems like it should have been hashed, then an employee puts in a form the stated PIN to see if it's correct and the hashes are compared on the backend.

The other info though is needed for initiating contact and to allow customers to perform transactions (verifying card details for example).

Hashing wouldn't help much for a PIN (which is usually just 4 digits). You could get a rainbow table for that in like 5 seconds. Even salting wouldn't help, given how tiny the keyspace is.

The suggestion wasn't about Verizon's database being hacked, but rather that other employees can see this data at all.

That's definitely not how the PIN verification happens, as I got a single digit wrong once and the person on the phone told me that fact.
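The verify-only design proposed in the thread (an agent submits the caller's claimed PIN or card digits and gets back only yes/no, never the stored value), as an added example that is not code from any commenter or from Verizon. It follows the point that hashing a four-digit PIN buys nothing against an attacker who has the database, so the protection comes from access control, a single boolean answer with no "one digit off" feedback, an attempt limit, and an audit trail instead. All account values, the agent view, the field names, and the lockout threshold and duration are constructed assumptions for illustration.

```python
"""Verify-only access to account challenge data (added example, not Verizon's code)."""
import hmac
import time
from dataclasses import dataclass, field
from typing import Dict, List

MAX_FAILED_ATTEMPTS = 3      # assumption: lock the account after 3 wrong answers
LOCKOUT_SECONDS = 15 * 60    # assumption: 15-minute lockout


@dataclass
class Account:
    account_id: str
    pin: str              # stored in the clear; a 4-digit keyspace makes hashing pointless
    card_last4: str
    backup_phone: str
    failed_attempts: int = 0
    locked_until: float = 0.0


# Constructed sample record; every value below is made up.
ACCOUNTS: Dict[str, Account] = {
    "ACCT-0001": Account("ACCT-0001", pin="4821", card_last4="9912", backup_phone="555-0100"),
}

# Every verification attempt is recorded: who asked, which field, and the outcome.
AUDIT_LOG: List[dict] = []

# Fields an agent may ask the backend to check; nothing else is verifiable here.
CHALLENGE_FIELDS = {"pin", "card_last4"}


def verify_challenge(account_id: str, field_name: str, claimed: str,
                     agent_id: str, now: float = None) -> bool:
    """Return True only if `claimed` matches the stored value exactly.

    The stored value never leaves this function. The caller gets a single
    boolean: a wrong digit, an unknown account, and a locked account all look
    the same (False), so the agent cannot narrow the value down by feedback.
    """
    now = time.time() if now is None else now
    if field_name not in CHALLENGE_FIELDS:
        raise ValueError("field is not verifiable")

    acct = ACCOUNTS.get(account_id)
    if acct is None:
        AUDIT_LOG.append({"agent": agent_id, "account": account_id,
                          "field": field_name, "result": "unknown-account"})
        return False

    if now < acct.locked_until:
        AUDIT_LOG.append({"agent": agent_id, "account": account_id,
                          "field": field_name, "result": "locked"})
        return False

    stored = getattr(acct, field_name)
    # Constant-time comparison; different lengths simply compare unequal.
    ok = hmac.compare_digest(stored.encode(), str(claimed).encode())

    if ok:
        acct.failed_attempts = 0
    else:
        acct.failed_attempts += 1
        if acct.failed_attempts >= MAX_FAILED_ATTEMPTS:
            acct.locked_until = now + LOCKOUT_SECONDS
            acct.failed_attempts = 0

    AUDIT_LOG.append({"agent": agent_id, "account": account_id,
                      "field": field_name, "result": "match" if ok else "mismatch"})
    return ok


def agent_view(account_id: str) -> dict:
    """The record an agent is allowed to see: contact data only, secrets masked."""
    acct = ACCOUNTS[account_id]
    return {
        "account_id": acct.account_id,
        "backup_phone": acct.backup_phone,
        "card_last4": "****",   # never shown; only checkable via verify_challenge
    }


if __name__ == "__main__":
    print(agent_view("ACCT-0001"))
    print(verify_challenge("ACCT-0001", "pin", "4821", agent_id="agent-7"))
    print(verify_challenge("ACCT-0001", "pin", "4820", agent_id="agent-7"))
    print(AUDIT_LOG)
```

The two properties the thread asks for are separated on purpose: `agent_view` decides what an employee can read (the PIN and card digits are not in it at all), and `verify_challenge` decides what an employee can confirm, one boolean at a time, with the lockout bounding how many guesses a caller with an insider's phone line can make.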