I just received this email from a senior executive working in the mobile industry. Have a read. It is pretty shocking:
I just called 3UK *Business support* from a random landline and got the PIN on my voicemail changed, using just the info on my business card.
All they asked for was my mobile number and address/postcode. And what I’d like the PIN reset to, of course. How kind of them.
So anyone finding my business card, or a colleague’s phone, or a vendor/customer’s phone – with my name, my number and my place of work/address, CAN ACCESS MY VM.
And because the PIN is not needed when checking the VM from my mobile, I’d have no idea the PIN had changed until I tried to remotely access it. Which is never, so far.
My name is out there. I am ‘public’, I have a profile on social networks. Who I work for and the address/postcode is 15 seconds on Google away.
Fisher-Price security? More like zero security.
I then called O2 business. I have another phone with them, again on a business account. Completely, utterly different experience.
They insisted on the company details as well, but crucially, they required me to pass through a security procedure involving knowing the business account password, or detailed info like the last billing amount etc.
No matter how much I pleaded, making up a story about urgently needing access to just one VM, etc – no dice. They were adamant. No security, no PIN reset.
3UK, in topical parlance you come a News Of The World last to O2’s shining Guardian. Their CEO should be getting this process changed TODAY.
This comes from a highly technically savvy mobile industry executive known to me personally.
What were 3UK Business Support thinking? I trust this is an isolated example and not par for the course?
Update: I wrote some more on the wider issues.