Thursday, October 13, 2011

Telstra's Terrible Security

I pre-ordered an iPhone 4S with Telstra in the middle of last night, and got a call from 0883081023 this afternoon to confirm the order. This is when I had such a bad experience that I decided to coin some terms:

telstrible [telstr-uh-buh'l] adjective

shockingly insecure
The person who called me asked for all my details, which is telstrible security.
2011; post-Modern English < Telstra + Terrible

telstribly [telstr-uh-blee] adverb

performed terribly by Telstra
Telstra telstribly connected my phone line, because it took ages and they messed up the account.
2011; post-Modern English < Telstra + Terribly

Firstly, the person on the other end told me they were calling about my iPhone 4S pre-order. He asked me to confirm my name and date of birth. Not thinking particularly securely, I gave him these details. He then asked for my driver's licence number. This is where my skepticism kicked in.

I told the caller that I had no way of validating who he was. He told me that if he weren't from Telstra, he wouldn't know that I'd pre-ordered an iPhone 4S. This is not really true, when looked at in aggregate. By all accounts, the level of pre-orders has broken all records for phone pre-orders, so there is a decent chance that by knowing a bit of demographic information about a sample of people, you could make a feasible number of calls and find someone who has ordered the phone.

The accent was Australian, so I doubted it was an overseas scammer, but I still asked if he could tell me 4 of the digits in my licence number and I would tell him the rest. He said no, and that if I wouldn't give him my licence number, he would cancel my order. I asked whether he could give me the last digit if I gave the other 8 digits. The same response: that if I didn't give him my licence number, he would cancel my order.

I was on a busy train at the time, and had told him of this, so I wasn't particularly comfortable giving out this information in public, with the threat of having my order cancelled, but I managed to delay until I was at least walking along the platform, so I capitulated and told him my licence number.

Then he wanted to verify my delivery address. By this point, I'd decided to just give him the info and write this post to publicly shame Telstra for their telstrible security practices.

For all I know, Telstra is not actually as telstrible as I'm assuming. Maybe I was actually phished.

But I doubt it.


  1. I've had this problem with my bank. "...there's been some suspicious activity on your account we'd like you to verify, if you could first confirm your identity..." by giving away some key information about myself. I told them they're essentially doing by phone what they tell me to ignore by e-mail: phishing. No dice, I'm told; they won't ID themselves to me. So I deliberately give a wrong answer to the next question. "That's not what I've got written here", my bank replies.

  2. See Telstra's iPhone 4S support forum for an update on how the iPhone 4S roll out has been screwed up by Telstra, and how they refuse to communicate effectively, truthfully, or transparently with people.