In my case we had a security code on an internal system that was updated in real-time. So the protocol was:

"Hi I'm an employee calling from [X]"
"OK, can I get the security code?"
(caller gives security code)

Any employee in the company could also request a no-questions-asked reset at any time. I actually had cause to hit the big red button once when the call went:

"Hi, this is [employee] calling from [branch]"
"All right, can I get the security code?"
"Oh, (mutters "security code"), it's $foo"

See, that counted as a compromise because someone in the lobby may have overheard her.

A couple other fun stories:

- Once I called a branch and got transferred to someone else. The conversation at the other end:
  Him: "Did you give the code already?"
  Me: "...are you seriously going to believe me if I say 'Yes'?"
- Apparently there was a phishing attempt where people would call our center opening with: "Hi this is [person] from the fraud department, before we begin can I get the security code?" I don't know if it ever worked, but we got several memos warning us not to fall for it.