Author Topic: Rogers Telecom (formerly Sprint Canada) jeopardizing customers' security.  (Read 2321 times)

Offline Dr. Craven Moorehead

It's the quest of many corporations to cut costs and one way of doing that is by using automated systems. While I'm not a fan of them, I see automated systems as a necessary evil. However, when my privacy and maybe even my finances are at stake because of a corporation's overuse of automated systems, I feel that the line has been crossed.

Rogers Communications and more particularly their Rogers Telecom unit has crossed that line and this article shows how they have done that.

If you are a customer of Rogers Telecom, you should at least set up your Universal Personal Access Number and at best, you should choose another carrier. The fact that I discovered that identity thieves and other criminals could snoop around in my account if they wanted to was enough of an incentive for me to make the change.

Before you think that I'm being some paranoid weirdo geek, consider this.

Suppose a criminal wanted to snoop around in one's life, say by finding out who one has been calling, finding their account number and doing other damaging things to an account. I found evidence that Rogers Telecom is making it way too easy for criminals to really do damage to a victim's account.

First, a criminal would need his victim's phone number and would call Rogers' toll free customer service number (1-800-980-5464). At that point, he would only need to follow a few prompts before being asked to enter his telephone number. This is when a criminal would enter his victim's phone number to access the account. At that moment, he would have the option to hear some bill payment details giving him information on how much was spent in the past month and when the last payment was made and for how much.

A criminal's work would start when he would try to follow a prompt like ordering a copy of last month's phone bill or access other more private information.

Rogers Telecom has a security feature to prevent criminals and lowlifes from intruding. The prompt demands that a Universal Personal Access Number (UPAN) be entered.

A UPAN is the basis for nearly everything with Rogers Telecom. It's being used as a PIN in the same way debit cards are. It's being used as the PIN for calling cards (the first part being the phone number). It gives access to a customer's private information at rogers.com/care where changes can be made to an account and copies of telephone bills can be seen.

However, there is a problem when a customer hasn't set up their UPAN. Rogers Telecom, in their infinite wisdom, decided that their automated system was up for the job of setting that up. The reality of it is that the UPAN setup should only be done by a human customer service representative. The reason why is really simple. When the UPAN isn't already set up, the automated system offers to let you set one up and the only proof of identity that the automated system requires is a portion of the postal code linked to the phone number.

So in theory, a criminal equipped with nothing more than an online reverse directory and an online postal code map could set up a UPAN on a Rogers Telecom account that's not even his.

Another major problem is that a victim would have no recourse for recovering his UPAN, because it can only be changed by the person knowing it and the customer service reps cannot reset it or divulge that information.

So there we have it. Potential for a criminal to view someone's phone bill, obtain information for all sorts of purposes including identity theft. Potential to notify of a change of address and potential to make unauthorized long distance calls.
meatphone jerky

Offline afreak

Makes me glad that I am on TELUS as they require you to make the PIN as soon as the account is created.

z09

  • Guest
Are humans really much better than automated systems? Haven't you listened to episode 2?