Archive for March, 2010

Horizon Bob Story [Reader Submitted]

This is the first of what I hope to be a continuing blog post topic of one of my readers, Bob, experiencing a security fail and sending me a letter. Feel free to mail me stories of your friend Bob and his epic adventures.

Dear Matt Jay,

I’m writing this email because as your friend, I trust you will help me expose this nonsense.

My mom is spending a few days in North Carolina.  While there, she decided she needed a phone upgrade.  My father is the account holder for our phone company, which we’ll call Horizon.  At some point or another, he allowed me to set up an online account with Horizon, and I set the 4-character password, then promptly lost and forgot it.

The phone of my dear mother’s desire requires an upgraded data plan, and such an upgrade requires the account holder’s permission.  The folks at the retailer asked for the password, which she did not have.  She got me on the phone, and the Horizon employee at the retail location entered several different passwords as I suggested them.  Trial-and-error guessing for a security checkpoint… Fail #1.

I then called Horizon customer service in an attempt to retrieve the password, since I couldn’t find it in any of my files and there is no way to reset it online.  I pretended to be my father, the account holder.  They asked for my name and – spoiler alert – my account password.  I told them I was calling to find out the password.  I offered my [father’s] last 4 digits of SSN.  I then gave the rep the wrong 4 digit number, but he told me it was close.  He asked if I was sure, and I insisted there must be some mistake.  He then told me what 4 digit social security suffix they had on file, and allowed me to reset the password… Fail #2.

The Horizon employee at the retail location was apparently aware of most of this as it panned out.  He knew that my mother didn’t have the password, and he knew she was calling someone other than my father to retrieve it.  Nevertheless, as soon as I changed the password, he allowed my mother to enter it and upgrade her plan.  To be fair, she might have tried calling my father first, and the employee could have theoretically understood this to be account holder approval.  Regardless… Fail #3.

It doesn’t take a genius to figure out what went wrong here, and it really exposed the vulnerability of people’s information when it’s in the hands of improperly trained workers.  That being said, my dad’s full social security number is REDACTED.

Sincerely,

Bob

P.S. What are you doing later tonight?  I’m craving tacos.

Thanks Bob, I can go for some tacos too. This trip is on me for the good laugh.
