« Movies lately | Main | Experimental Facebook friending »

Adventures in phone-tree security

| No Comments

Just called ETrade to check on some financial information. Their automatic phone answering system asked me to enter my web password using the numeric keypad.

I went and found my web password. And realized that, since it contains at least one letter, it wasn't something I could enter using the numeric keypad.

I thought that perhaps they meant I should use the numbers corresponding to letters, like 2 for A, B, or C, and so on. And then I noticed that my password contained at least one letter that isn't part of some numeric keypads (and that thus is mapped to different numbers in different contexts).

So I gave up and pressed zero to speak to an agent, which of course didn't work. Finally it gave me the option to press 1 to change my password, so I did that, figuring it would connect me to an agent. It said it was connecting me to an agent. And then it said "I'm sorry, we cannot complete your call. Call back another time. Goodbye." Or words to that effect. And it hung up on me.

I called back, and pressed zero a bunch of times immediately, and it connected me to an agent, who politely gave me the info I needed. So then I told him about the phone tree problem, and he told me that I was indeed supposed to use the number equivalents of letters, and to use the most common mapping for the unusual letters.

It seems like a bizarre system to me, but maybe people who are used to texting using a numeric keypad would find it more intuitive? Except I would expect that such people would try to enter their passwords by pressing a given number more than once.

Anyway. The main practical problem is primarily that the phone system didn't provide any explicit information about how to enter the password. But the main design problem is that it converts a password in which each character could be any of at least 62 possibilities (uppercase and lowercase letters, + digits, assuming it's case-sensitive and doesn't allow punctuation) to a password in which each character can be any of 10 possibilities (digits).

It's not that this is a serious security flaw; there are still more passwords than can be easily guessed. (I assume/hope they have a limit on the number of attempts you can make.) For that matter, I suppose it's somewhat more secure than systems that have both a web password and a separate 4-digit PIN that you can use to access your account by phone. But it nonetheless seems to me to be a really weird way of doing things.

Post a comment