Thames Water seem to love giving me a new account number each month. That would be fine, but each time they do, I have to manually add that number to my online account.
I'm bored of being their data-entry monkey. So, when they rang today, I told them that I expected them to update my account. We had the normal back-and-forth and "let me speak to your manager" that accompanies anything deviating off-script.
A manager called back, we went though account verification, I confirmed I was recording the call, and this is what she said:
We have spoken to our compliance department and if you give us your email address and also your password we can go on and update the new account number for you.
I confirmed - they wanted me to read out my whole password. Not just the 4th and 17th character - the whole thing. I - probably a little too rudely - informed them that wasn't happening and, frankly, I didn't believe that either their data protection team nor their IT security team thought it was a good idea.
To be fair, this isn't the fault of the Customer Service agent. She obviously seems reluctant to ask for the password, but has been given some extremely dodgy advice by someone.
So, we came up with a compromise. They would reset my password, log in to my account, fiddle around with it, and then call me with the new password. And so they did.
Tango hotel alpha mike echo sierra one two three
Let's count the obvious errors....
- Don't make your customers do work which you could automate.
- Don't train your customers to take dangerous risks when it comes to online security.
- Don't use easily guessable defaults when resetting passwords.