Search this site:


December 27, 2005 12:03 AM

Broken: Orange Mobile customer call

Simon Willison shares a story on his blog about the UK mobile phone company Orange:

I had a call on my mobile phone from a lady claiming to be from Orange, my mobile phone service provider here in the UK, who told me that my contract was about to expire. She then asked me for my password. Alarm bells instantly went off in my head, so I told her (truthfully as it happens) that I didn't know my password. Then, she asked for my postcode instead.

At this point I was pretty sure this was a social engineering attack, so I started to quiz her about why she needed the information. She said it was for a "security check." I told her I was uncomfortable giving out personal information to a cold caller over the phone. Then, she told me that it was nothing to worry about because it was all covered by "the data protection act."

I said that I would rather conduct my business in an Orange shop, and she told me that she would have to put a mark on my record that indicated I had failed a security check. I interpreted this as a threat, which convinced me that the call was an attempted con. I asked for her name and ended the call.

I e-mailed Orange customer support via their website with details of the call and the number it came from. I then received their reply - and it turns out that the call was really from Orange!

Banks and other online services have learned to repeatedly tell their customers that they will never contact them and ask for their account information like a password. Orange are leaving themselves wide open to social engineering attacks. This incredible lack of attention to basic security has given me serious second thoughts about trusting them with my business at all.


That's messed up. Definatly broken.

Posted by: Fayth at December 27, 2005 12:34 AM

Definitely broken. Although, this is probably another tool to get more money.

"You wouldn't give your password to the representative who gave you no conformation of actually working for us. Therefore, you're an insecure customer. Therefore, you just received a 50(U.K. lbs.) fine"

Posted by: OMFG NOT TEH REALZ at December 27, 2005 01:15 AM

If your country has a privacy commissioner contact them, this is a problem waiting to happen.

As well I'd be calling orange regarding the threat she made "I am putting a note on your file that you FAILED your security check". I actually find this insulting as you PASSED every other bank/telco/utility's security check by not giving the information to them. What she should have said is "My name is DUMB CALL CENTER LADY and you can contact oragne using the phone number on your bill and they will verify this call, I will return this call in 24/48/72 hours so we can help keep your service current."

Posted by: Mike at December 27, 2005 01:23 AM

That is bizaar. I would have tore a stip off someone in Orange for this whole process. Especially the 'failed the security' test thing.

Posted by: Eva at December 27, 2005 08:47 AM

Incredibly broken. Terrible. Any reputable company would tell you to call the number on your statement or at least a number to call back. And it sounds like the rep was making a lot of stuff up.

Posted by: JC at December 27, 2005 08:58 AM

That's just stupid. They should never have asked for the password over the phone in the first place.

Posted by: EricJ2190 at December 27, 2005 02:10 PM

Actually this is becoming more of a problem.

The general problem is that although you have ways of authenticating yourself to your service providers, your service providers have no way of authenticating themselves to you. This problem is made worse by call centres: you cannot call them; they can only call you.

I am seeing many legitimate enterprises hung up by this - I have had to refuse both Dun & Bradstreet and Statistics Canada due to their inability to authenticate.

And no, Caller-ID is not sufficient. It can be faked by anyone having an ISDN line, and is done routinely by telemarketers to comply with local laws.


Posted by: David Jones at December 27, 2005 07:35 PM

I've had this with credit card companies - in each case genuinely calling me to ask whether I've made the purchases in question. I simply say I'll call back, hang up and call the number on the back of the card and ask for the security department.

I was very impressed with how good they're getting these days. One day I bought a new suit and then a new camera within an hour about 50 miles apart. They called me before I even got out of the camera shop to double-check I still had my card.

Posted by: Richard at December 28, 2005 08:03 AM

This is incredibly, incredibly... broken.

Posted by: Matej at January 3, 2006 05:36 AM

Seems to be standard practice among mobile telcos. What's even worse is that if they call you on your cellphone the(ir) number is invariably witheld, thus compounding the fear of fraud! What really needs to happen is for the *customer* to allocate *them* a password at the time of registration so that they can quote it back to the customer. Only one more field on a database !

Posted by: peterg22 at January 4, 2006 09:57 AM

Why couldn't this have been handled via postal mail? If your contract is expiring, it's in the best interest of the company to keep your business. A pleasant letter saying they appreciate your business and want it to continue would have been a nice way to handle this. And hey, maybe even a discount offer on a new phone or something would have worked well. No, instead they have to insult their customers and drive them AWAY. Nice job, Orange.

It always amazes me how much effort companies put into acquiring new customers and how little they put into keeping the existing ones.

Posted by: Dawn N at January 4, 2006 01:08 PM

First of all, can you actually FAIL a security check? I don't know how it works in the UK, but if an American Company said that to a customer, the PR disaster to follow would probably be their worst nightmare.

Second, again, a US thing, NOBODY can MAKE you give them your password or security code (if worst comes to worst, you can always say "you're not the boss of me!" which, from what I understand, is valid in all 50 States, Puerto Rico, and the US Virgin Islands).

Finally, if a company with which I had a contract that was due to expire behaved this way with me, I would SO let the contract expire. And then I'd write a SCATHING letter, telling them why.

Warm Regards,


Posted by: Kimo at January 23, 2006 10:02 AM

I would have to say you PASSED the security check

Posted by: caleb at February 26, 2006 11:48 AM

Comments on this entry are closed

Previous Posts: