Warning: The following is nothing but a rant—no charts, no photos, nothing but text—about a piece of security absurdity I ran into the other day. I am 100% in favor of strong security in general regarding financial matters, but when it's false security that does nothing more than inconvenience legitimate users, that's when I get mad…and that's exactly what this was: a security absurdity.
My daughter Kylie recently got a part-time job; her employer uses ADP to process its payroll. When her first check arrived, it was actually a debit card—which we didn't want to use—so she had to write herself a check (using a blank they provided), which she could then deposit.
Because Kylie had a busy day ahead of her (school then work then a post-work thing), I told her I'd write the check for her, then she'd just have to sign and deposit it. But to make the check usable, I needed a six-digit authentication code that ADP provides via a phone call. And that's when I entered a hellhole of security absurdity thanks to ADP…
I'll skip the details, but I was told when I called them that they could only provide the authentication number after speaking with Kylie. This is after I'd provided her name and the debit card number. But the rep said he had to speak with Kylie to "verify" before we could proceed. I asked what they needed to verify—I am her parent, I know all pertinent details about her, and she's not of legal age to sign any contracts, so I could "verify" whatever they wanted to verify.
The rep wouldn't tell me; he just kept repeating "we need to verify." I owe that rep an apology, because I got very angry, said some rude things, and hung up. I'm sorry, nameless rep; you didn't deserve that.
I gave up and waited for Kylie to get home, and together, we called ADP (using the speakerphone so I could hear the full call). And what was this incredibly secure verification step that required Kylie's presence on the call? They asked for the debit card number, her name, her phone number, and the last four digits of her social security number. That was it. Kylie provided the info, and we got the authorization code.
But this "verification" step is security absurdity at its worst, because…
If they really wanted to verify that Kylie was Kylie, they would have had to ask her questions that only she could answer—and honestly, I can't think of any such questions that ADP would also know the answers to in order to confirm her identity. That's why its absurd to have this requirement: It didn't improve security in any way.
"But what if you were a criminal? Asking for part of the social security number would have stopped you!"
Yes, it would have, if I didn't have those digits. But it would have stopped me without asking to speak to Kylie: If I don't have the numbers, I don't have the numbers.
But what if I did have the numbers? As a criminal mastermind, I would have quickly said "Oh, sure, no problem, let me get Kylie to verify." Then I would have asked a female criminal mastermind friend to join me on the call—or maybe I'd just return using a falsetto voice. Either way, me or my criminal friend would then "verify" and we'd be done.
So exactly what purpose does it serve ADP by forcing me, a legitimate user, to wait and get Kylie on the phone with them to provide data that I could have given them? It provides zero additional proof that this was a legitimate transaction, because if a thief had those four social security number digits, they could have easily faked a "Kylie" on the phone call. If they don't have the digits, they're stuck—with or without a fake Kylie.
This security absurdity meant that, after spending over twelve hours out of the house between school, work and her other commitment, my daughter had to then waste some of her limited free time talking to ADP for something that I should have been able to handle while she was out. What a joke.