Trust, But Verify

I’m revealing my computer techie roots.

In computer security, there is a saying: Trust, but Verify. In very basic terms, it means: go ahead and trust the user, but before letting the user do something, verify that the user is who they say they are. That’s what the whole userid/password combination is for: you’re claiming to be the person “userid”, and the password is the verification that you are. Some setups take it a step further, and ask a verification question.

Trust me, folks. This is NOT meant to annoy you. It is meant to PROTECT you, and to protect the rest of US. If you don’t like having to type in a password, either change the attitude or return the computer to the store. If you are one of “those”, then it’s only a matter of time before your computer starts spewing viruses and malware all over the internet… and spattering the reasonable and sane people with the mess.

But back to my topic.

Trust, but Verify also works in other parts of life. Take this real life example of a phone call I received (details changed to protect the obvious):

Me: “Hello?”

Caller: “Hi! This is your water utility company. There’s a mixup in your billing. We want to verify your credit card number.”

Me: “That’s nice. What is my account number at the utility company?” While I waited for an answer, I fired up ye olde computer to pull up the account information.

Caller: “Pardon me?”

Me: “I said, ‘What is my account number at the utility company?’”

Caller: “I just need your credit card account number to verify the automated billing.” Whups. Clue #1 That All Is Not Well.

Me: “That’s nice. I just need you to recite my account number at the utility company – y’know, the one that is associated with the mixed-up credit card information – so that I can verify that your request is legitimate and not a scam.”

Caller: “Well, I don’t have that information. If you do not provide your credit card information, your payments won’t be processed correctly and your water WILL be shut off. Do you really want to pay a $120 re-connect fee?” Whups. Clue #2 That All Is Not Well.

Me: “Well, I can’t give you that information. If you don’t have my water utility account number, then there’s no way you could legitimately know if my credit card information is correct. Besides, according to the laws of this part of the primordial scrub, you guys can’t cut off my utilities without at least a 30 day WRITTEN notice. So, unless you can provide proof that you really are from the utility company, don’t ever call me again.” And I hung up.

Then I pulled the contact number for my water utility from my House Manual (conveniently placed next to the phone) and called them. After giving them my name and account number, followed by the nice lady responding with the correct billing address, I told her what had just happened. Funny, they had no record of any problems with my auto-billing to my credit card. In fact, they’d just processed a payment earlier that week. Clue #3 That All Is Not Well.

The utility thanked me for letting them know that the bad guys were scamming their customers. I pulled up my credit card info on the computer, and let the credit card company know about the scam going on, and requested that they keep an eye on my account. (I set up only one credit card to handle utility payments, so it’s pretty easy to spot anything out of the ordinary.) I logged both calls, noting down the date, time, person talked to, and summary of discussion. Then I put all that info in the computer for easier reference.

I initially trusted the caller. But as soon as I requested verification that the caller was who she said she was, she refused to provide verification. Then the caller made threats – disconnecting my utility – but I was already prepared: I knew what the requirements were for getting a utility cut off in this region. The caller’s information didn’t match – another failed verification. The first one was more than enough reason for me to hang up. The follow-up call to the utility company, using previously vetted contact information, merely confirmed what I already knew (the utility company requested my name and account number – to verify that I was who I said I was – and gave me the billing address when I requested counter-verification). The follow-up call also served as a stop-gap, just in case I’d gotten a legitimate call from a poorly-trained or incompetent out-sourced agency. Calling the credit card company and logging the call, person I talked to, and subject matter was just a precaution on my part, so that if my account was illegally billed, I had more protection for myself.
