Recently I had to contact my mobile provider to help reset my account password. Although the live chat went smoothly, it made me think about how safe it was. I had no way of knowing if the person I was chatting with was a robot or an employee of the company. How could I tell if my personal information was being properly safeguarded? And at the end of the call my password was not reset.
This is what the chat host asked me:
1) What is your mobile number?
2) What is your email address?
3) What are the x and y numbers of your password?
This is of course no different from what I might be asked during a phone call; however, given that the live chat host was not verified, this seems like a risky way to reset a user account. As it happened, the password reset did not work, and the chat host then asked me if I had a separate email account to try, which seemed very odd. At this stage I became concerned that the mobile operator's security policies had not been properly thought through.
Why should I worry about whether or not the live chat is a safe way to discuss personal information? Imagine that the mobile operator's web site had been hacked and the live chat was actually being hosted by a hacker. This would be a relatively easy way to glean a lot of personal information, which could then be used to communicate with the real live chat system and exploit other weaknesses in the company's processes. Social engineering would also come into play, although I am not going to offer any tips to potential hackers.
Live chat usage continues to grow rapidly, since it helps to lower support costs, and eventually hackers will look for ways to exploit this communication channel. My recommendation is to be very wary about providing personal information through live chat sessions. There are numerous ways a chat operator could verify their sessions to the customer; however, I have not yet seen any in use.