Warning: The following is nothing but a rant—no charts, no photos, nothing but text—about a piece of security absurdity I ran into the other day. I am 100% in favor of strong security in general regarding financial matters, but when it's false security that does nothing more than inconvenience legitimate users, that's when I get mad…and that's exactly what this was: a security absurdity.
————————————————
My daughter Kylie recently got a part-time job; her employer uses ADP to process its payroll. When her first check arrived, it was actually a debit card—which we didn't want to use—so she had to write herself a check (using a blank they provided), which she could then deposit.
Because Kylie had a busy day ahead of her (school then work then a post-work thing), I told her I'd write the check for her, then she'd just have to sign and deposit it. But to make the check usable, I needed a six-digit authentication code that ADP provides via a phone call. And that's when I entered a hellhole of security absurdity thanks to ADP…
I'll skip the details, but I was told when I called them that they could only provide the authentication number after speaking with Kylie. This is after I'd provided her name and the debit card number. But the rep said he had to speak with Kylie to "verify" before we could proceed. I asked what they needed to verify—I am her parent, I know all pertinent details about her, and she's not of legal age to sign any contracts, so I could "verify" whatever they wanted to verify.
The rep wouldn't tell me; he just kept repeating "we need to verify." I owe that rep an apology, because I got very angry, said some rude things, and hung up. I'm sorry, nameless rep; you didn't deserve that.
I gave up and waited for Kylie to get home, and together, we called ADP (using the speakerphone so I could hear the full call). And what was this incredibly secure verification step that required Kylie's presence on the call? They asked for the debit card number, her name, her phone number, and the last four digits of her social security number. That was it. Kylie provided the info, and we got the authorization code.
But this "verification" step is security absurdity at its worst, because…
Nothing that ADP "verified" in any way proved Kylie was Kylie. All they proved was that another voice on the line—it could have been anyone—knew her phone number and the last four digits of her social security number.
If they really wanted to verify that Kylie was Kylie, they would have had to ask her questions that only she could answer—and honestly, I can't think of any such questions that ADP would also know the answers to in order to confirm her identity. That's why it's absurd to have this requirement: It didn't improve security in any way.
"But what if you were a criminal? Asking for part of the social security number would have stopped you!"
Yes, it would have, if I didn't have those digits. But it would have stopped me without asking to speak to Kylie: If I don't have the numbers, I don't have the numbers.
But what if I did have the numbers? As a criminal mastermind, I would have quickly said "Oh, sure, no problem, let me get Kylie to verify." Then I would have asked a female criminal mastermind friend to join me on the call—or maybe I'd just return using a falsetto voice. Either way, my criminal friend or I would then "verify" and we'd be done.
So exactly what purpose does it serve ADP by forcing me, a legitimate user, to wait and get Kylie on the phone with them to provide data that I could have given them? It provides zero additional proof that this was a legitimate transaction, because if a thief had those four social security number digits, they could have easily faked a "Kylie" on the phone call. If they don't have the digits, they're stuck—with or without a fake Kylie.
This security absurdity meant that, after spending over twelve hours out of the house between school, work and her other commitment, my daughter had to then waste some of her limited free time talking to ADP for something that I should have been able to handle while she was out. What a joke.
I go through this hell a few times a year when I have to deal with a medical bill for my wife. Between the insurance and provider, I often need her to get on the line to verify herself. I always ask, what if she just had a deep voice? (I am a man). Or, how do you know it is her and not some random person I pull?
Unfortunately, this kind of "security" is pretty rampant!
In a similar vein, what also drives me nuts is crazy complex security protocols. Enforced password changes, ridiculous requirements, odd things like "choose the image you previously selected" and stuff like that. I use LastPass so it is manageable but still drives me nuts! I can confidently say that it is harder to log into my water bill than my bank accounts!
Just out of curiosity, really I’m not asking this to bash.
I’m actually surprised by something else you mentioned, that actually started all of this.
Why wouldn’t your daughter want to use the debit card?
Here in Europe checks are "so back to the 90s"; companies and people have moved on to using just debit cards. At the end of each month the employer transfers the salary to the employee's bank account and then he/she uses their debit card to pay for everything they buy in a store.
So why use antiquated checks in the first place?
We have nothing against her using a debit card—in fact, she has one already through her bank. What we object to is having to use a second debit card, meaning she'd have to memorize another PIN code, and there would be two cards to keep track of.
We don't use checks on a regular basis, but that was the easiest way to get the money off the payroll-supplied debit card and into her account so she could use it with her debit card. (Going forward, she's signed up for auto-deposit, which will put the money directly into her account; no debit card/check stuff will be required again, though it sometimes takes two payroll cycles to go into effect.)
-rob.
Ahh that makes sense, then I stand corrected, I was wrong in my assumption.
Take care.
You should not use debit cards (associated with a personal bank account) at all. See, for example, https://clark.com/personal-finance-credit/never-use-debit-card-pay or https://www.nj.com/advice/2020/01/pay-at-the-pump-heres-why-you-shouldnt-use-a-debit-card.html. If you like to get money from an ATM, use an ATM card (one that doesn't have a Visa or Mastercard logo on it, i.e., not a debit card).
I don't—I actually mention in the write-up that I'd never used my debit card, which was one of the things that confused me (and should've gotten me to hang up) during the conversation. For the new account, we've ordered ATM-only cards, too.
-rob.
It's not about security. It's about all the people who call and try to do this for their over-18 kids. It's about the fact that they're not going to make an exception to their policies for "a parent" that they don't know about any more than a stranger. It's about the fact that they are, as reps at every other company, trained not to give any information unless the person on the line says they are them.
It's not about security, it's about liability.
Interesting perspective—but I think even from a liability perspective, they didn't do much to protect themselves. All they proved was they spoke to someone who sounds female. I would imagine any decent lawyer could walk all over that one...
-rob.