Monday, January 5, 2009

Are you with Rogers? Insecure place...

Today I gave a call to Rogers, my cellphone company. I had to call them to get my password: as usual, with all the passwords around, I forgot the one for my online billing account, so I gave them a call to see if they could help me out.

After waiting for 30 minutes, a rep picked up the call and asked me how he could help me. So I told him that I don't remember my password and asked if he could help me. He was like "ya why not", so I thought maybe they would go through some verifications to make sure I am who I say I am, but here is how it went, and I was surprised.

=====================================================================
Rep - Sir, can I have your cell number please?

Me - Yes >> "I gave him the number"

Rep - Can I have your postal code as well please?

Me - Yes >> "I gave him the postal code"

Rep - Can I have your date of birth?

Me - Yes >> "I gave him that"

Rep - Thank you sir, due to security reasons I will give you a temporary password; you will have to log in and change it afterwards...

Me - OK, thanks

Rep - Your temporary pass is - "gives me the temp pass"

===================================================================

I was amazed that they only asked me general questions, which many people can find out with little research. Not that they can do much with my account, but still: for some people their accounts might be full of information, like where they made calls, their incoming calls and so on, and their privacy is at risk.

It means that if an attacker gives a call to Rogers pretending to be me, all he has to do is provide my cell number, which can be found on all of my domains. Next is my date of birth; what a big deal, most of our online profiles have a date of birth on them. That's it: the rep will give him the new temporary password.

My question is, why so easy? I was expecting the rep to ask me why I didn't try to get the password through the lost password feature by answering the secret question, but no such thing.

I think Rogers should impose a new rule where anyone who forgets their password has to identify themselves with some proof, maybe a scan of their ID or something else. I do not care about my profile at Rogers because there is nothing in it, but for some this could be a big issue.

I have heard of cases where you could actually get months of free PayPerView from Rogers by doing stuff like this; once you are inside someone's account you can basically see all their info and stuff.

Overall I was not happy. They should bring in smart people who can actually ask questions. It could be tiresome for the caller, but that's how you keep a secure environment.

Say someone knows a person who works at Rogers, along with their cellphone number and all the info about them. They can easily get in and find all the info about them, and then try to get into the Rogers private VPN with that user id and username and damage the system.

The uses are wide; they had better make changes before it is too late. It is funny that people take some information for granted.

P.S. - That is why I always give a fake birth date and other fake information. And I keep different passwords for each website...

1 comment:

  1. That's why the smart people never use such a shitty service like Rogers! ;-)