Security-minded

Hey there; Long-time reader, first-time submitter. About 4 years of helpdesk experience while doing secondary and now tertiary studies.

I work at a small ISP in Australia. It is SOP to confirm usernames and passwords of end users when they call in. Today’s Saturday though, and I’m trying to get end users fixed and gone so I can catch up on tickets and emails. As a result, I asked a user to confirm their password at the end of a call rather than the beginning.

EU: Hi, I’d like to purchase [x service that we offer]

Me: Certainly, what is your credit card number?

EU: [Provides CC details, name, expiry, and address for good measure].

Me: That’s been purchased on your account now. Could I also confirm your password please?

EU: What? Why would you need to do that?

Me: It’s standard procedure to confirm username and password. You told me your username and other details before, could you confirm your password?

EU: I don’t like giving out my password, for security reasons.

Me: You know that we are who we say we are because you called us.

EU: Yes, but I still don’t like to give it out, for security.

Me: …For security reasons, you don’t want to confirm your internet password to an agent from your internet service provider, even though I am currently looking at your password on your account, and have direct control over your account functions regardless of you confirming that you know it also.

EU: Yes, that’s right.

Me: Even though you had no issue about giving me all of your credit card, personal, and address details.

EU: Yes.

Me: …Have a good day.