by exelius 2960 days ago
This drives me mad. My health insurance company tries to call me on a regular basis, but because they have to verify they’re speaking with me for HIPAA, they ask for the last 4 of my social.

To which I reply “You called me. I don’t know that you are who you say you are. I’m not giving you anything.” And hang up. What moron thought this was a good idea?

The first time my insurance company did this to me, the woman who called me (from a random phone number that didn't belong to the insurance company) sounded confused about why I wasn't going to give some random person my PII. When I called their 800 number, I was on hold for 20 minutes before they finally tracked down the entry in my account explaining why they had called.

Apparently, every time I order medical supplies they call me to tell me that they've sent a Very Important Letter, but they can't say what it is. When it arrives the next day, it informs me that they've approved my request for the supplies, which by this point have already arrived a week and a half ago.

It's gotten to the point where the calls now go like this:

    Them: Hi, this is [insurance company], can I have your date of birth please?
    Me: Is this about the letter you've sent?
    Them: ...Yes?
    Me: OK, I'll keep an eye out.
    Them: Erm... right. Have a nice day!
I have no idea what the moral of this story is.
This is so awful. I once got randomly selected to be a survey participant by a government agency while I was building a path. It was on the effect on my life of an earthquake thousands of kilometres away (there wasn’t any). They claimed I was legally obliged to participate or would be prosecuted. ID was produced etc. He sat and fired random questions at me while I broke concrete with a sledgehammer for an hour. I’d give the shortest possible answer, because I was breathless and the time between swings wasn’t long. Then they did follow up calls once every week for a year at the same time each week. These were never answered and the messages were not returned. I have no idea why your story reminded me of this, but it triggered the same rage centre.
Unless that was the census I would be extremely dubious of "you must take this survey or go to jail, trust me I'm from the government".
It was The Ministry of Statistics census people doing some work post the Christchurch earthquake.
It's because tech has a long tail. You have to remember that there are people who still aren't online, who are technologically illiterate, who don't use email or secure messaging etc. A lot of regulated companies (especially health care entities) are MANDATED to send and receive stuff insecurely so they can make sure that Jane Doe grandma in rural Wyoming actually gets the correspondence.
Just the last four? You're lucky.

One time my own bank scammed me into giving them my full seven digit SSN over the phone when they called me. And all they had to do was ask me for it!

The worst part was that I fell for it. Of course, no harm done, because it really was my bank, but what an idiot I was.

At least I knew better when the Windows Support people started calling me a year later!

I've run into the opposite situation making me hesitant to trust legitimate correspondence with my own banks. The past few times I had to take care of something over the phone, they did not ask for anything that could reasonably confirm my identity or account. One bank only asked for the last four digits of my account number. When I called another bank in response to an email alert about a fraudulent transaction, the representative asked for a phone number to text a verification code that I had to repeat back to them ("You want me to give you a ten-digit number?" "Yes"). Looking back on it, the first bank may have figured that few people will ever have the same account status problem at the same time and would ask for more information in the event of a collision, and the second one may have required me to name one of the phone numbers they already had on file (I'm used to representatives telling me a few digits of the number they're going to text based on what they have on file). But without knowing the entire workflow ahead of time, it seemed just as likely that this was a bunch of meaningless ceremony meant to give the appearance of bank-scale IT infrastructure in action so that I'd feel more comfortable revealing sensitive information later.
7 digits? It’s 3+2+4=9 digits in the US.
Thus proving that I can't count past seven!

You've seen off by one errors, this is twice as bad.

Would have been funnier if you said "thrice"
Which would be three quarters as bad.
My credit union’s fraud department contact information isn’t listed on their website and they called me several times before I finally called the main switchboard and had someone patch me through. No I’m not giving my account information to someone who called me.

You’re the fraud prevention department for chrissakes. Act like you’re preventing fraud, not participating.

That's why I was pleasantly surprised recently when my bank called me about some fraudulent transactions, and the entirety of the conversation was: "Do you recognise this transaction?" "No" "OK, your card has been blocked and a new one is on its way".

Even if it had been a fraudulent call, they weren't asking for anything (so I didn't have to bother verifying it was legitimate), and even if they got the wrong person there is limited damage they could do.

What if they got the person who just redirected your mail to their own address?
I'd notice there was a problem when I stopped receiving mail and my current card stopped working. Even then, even if they DID get the new card, I could report any subsequent transactions as fraudulent (honestly, my mail being redirected would be a much bigger issue to me than someone having access to my card, so that doesn't add much to the attack potential).

Also, at some point, it becomes infeasible enough (that someone would have redirected my mail, hijacked my phone number or managed to change it with the bank, triggered a call from my bank, and managed to line them all up so I hadn't noticed there was a problem) and more trouble than it's worth to be worried about it happening.

You would probably notice when your card suddenly stopped working.
And let's not even get started about using the SSN as a form of ID.
A while back, Anthem Blue Cross' automated phone number was flagged as "Scam Likely" by T-Mobile Scam ID. Can't blame me for ignoring those calls.
I can kind of see how it happened though. People want their data protected so they pass laws that you have to check who it is and not someone else in the building who happened to pick up the phone.