• Changing details by email.

    From Sylvia Else@21:1/5 to All on Thu May 9 18:46:37 2024
    "For the security and protection of your details we are unable to deal
    with your change of address by e-mail. You can provide the information
    either by contacting us on [....] or you can write to us at [...]"

    Because phoning and writing are so much more secure.

    Am I missing something here, or is this just standard bureaucratic
    nonsense that is perpetuated because no one with the power to change
    things looks at the rationale behind these decisions?

    Sylvia.

    --- SoupGate-Win32 v1.05
    * Origin: fsxNet Usenet Gateway (21:1/5)
  • From Anton Shepelev@21:1/5 to All on Thu May 9 14:46:40 2024
    Sylvia Else:

    "For the security and protection of your details we are
    unable to deal with your change of address by e-mail. You
    can provide the information either by contacting us on
    [....] or you can write to us at [...]"

    Because phoning and writing are so much more secure.

    Perhaps they are, considering how careless the majority of
    people are with their e-mail accounts. I wish, however,
    businesses continued to use this very convenient means of
    communication and let clueless users deal with the
    consequences. Large internet shops (such as Amazon) used to
    provide tolerable to good technical support over e-mail back
    when I started using them, but then dropped it one by one
    in favour of phone calls and chat, which (being
    synchronous) are colossally inconvenient, making the client
    wait for an answer on the phone or in a browser window.

    Am I missing something here, or is this just standard
    bureaucratic nonsense that is perpetuated because no one
    with the power to change things looks at the rationale
    behind these decisions?

    E-mail may be the next clean and free protocol to die out of
    general use after Usenet. I for one am positively outraged
    when modern e-mail providers become unusable unless you give
    them your mobile number and (or) use some new-fangled client
    with 2FA.

    --
    () ascii ribbon campaign -- against html e-mail
    /\ www.asciiribbon.org -- against proprietary attachments

  • From candycanearter07@21:1/5 to Anton Shepelev on Thu May 9 15:00:10 2024
    Anton Shepelev <anton.txt@gmail.moc> wrote at 11:46 this Thursday (GMT):
    Sylvia Else:

    "For the security and protection of your details we are
    unable to deal with your change of address by e-mail. You
    can provide the information either by contacting us on
    [....] or you can write to us at [...]"

    Because phoning and writing are so much more secure.

    Perhaps they are, considering how careless the majority of
    people are with their e-mail accounts. I wish, however,
    businesses continued to use this very convenient means of
    communication and let clueless users deal with the
    consequences. Large internet shops (such as Amazon) used to
    provide tolerable to good technical support over e-mail back
    when I started using them, but then dropped it one by one
    in favour of phone calls and chat, which (being
    synchronous) are colossally inconvenient, making the client
    wait for an answer on the phone or in a browser window.

    My guess is that they can use more tricks to market to you on a phone
    call.

    Am I missing something here, or is this just standard
    bureaucratic nonsense that is perpetuated because no one
    with the power to change things looks at the rationale
    behind these decisions?

    E-mail may be the next clean and free protocol to die out of
    general use after Usenet. I for one am positively outraged
    when modern e-mail providers become unusable unless you give
    them your mobile number and (or) use some new-fangled client
    with 2FA.


    At least you can still use IMAP.. for now..
    --
    user <candycane> is generated from /dev/urandom

  • From Rich@21:1/5 to Sylvia Else on Thu May 9 16:21:20 2024
    Sylvia Else <sylvia@email.invalid> wrote:
    "For the security and protection of your details we are unable to
    deal with your change of address by e-mail. You can provide the
    information either by contacting us on [....] or you can write to us
    at [...]"

    Because phoning and writing are so much more secure.

    Small correction, at least for the phone: it /was/ previously more
    secure.

    Am I missing something here, or is this just standard bureaucratic
    nonsense that is perpetuated because no one with the power to change
    things looks at the rationale behind these decisions?

    It's one part of each.

    For a good long time, email was trivial to forge, and expecting a lowly minimum-wage boiler room worker to know how to read email headers with sufficient detail to detect a forged email was a no-go.

    This was the original source of the "don't do X via email" rules. And,
    much like the use of Fax in the medical environment (at least in the
    US) once something like "email is too easy to forge, don't use email
    for account changes" filters into the bureaucracy such that it makes a
    rule, then the rule remains stuck long past the time when the rule no
    longer applies (email with DMARC, DKIM, and SPF is reasonably
    authenticated, in fact likely a better authentication than the usual
    "who are you, where do you live" questions used to authenticate over
    a phone call).

    As to "phone" -- a similar issue applies, only the reverse situation.
    In days long ago, when phone service was from one very regulated
    monopoly (in the US, AT&T), the "phone" was very secure (ignoring the
    issue of "how do I make sure the voice I'm hearing belongs to person
    X"). At that time the phone network was both closed, quite proprietary,
    and due to the high regulation, also quite secure (to an extent).
    Enough such that the various bureaucracies formulated their rules that
    "phone calls are secure -- so making this change over the phone is ok".

    However, today, the phone network is effectively as "open" as the
    Internet, and no more secure than any other very "open" system. But,
    because the bureaucracies long ago set in stone their rule of "phone is
    secure" they continue to operate as if it is just as secure as it once
    was, even though for mere pennies one can obtain phone numbers at will
    and forge just about everything related to a phone call.
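
An added example, not part of any post in this thread: the header reading Rich says staff could not be expected to do can be reduced to one verdict by checking the Authentication-Results header that the receiving mail server stamps after evaluating SPF, DKIM and DMARC. The authserv-id `mx.bank.example`, the sample domains and the three messages are constructed assumptions.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Assumption: the authserv-id stamped by the organisation's own border MTA,
# which also strips inbound headers that already carry this id.
TRUSTED_AUTHSERV_ID = "mx.bank.example"

def auth_verdict(raw: str) -> str:
    """Return 'authenticated', 'unauthenticated' or 'no-trusted-results'."""
    msg = message_from_string(raw)
    from_domain = parseaddr(msg.get("From", ""))[1].rpartition("@")[2].lower()
    seen_trusted = False
    for header in msg.get_all("Authentication-Results", []):
        # Unfold the header, then split the authserv-id from the result clauses.
        authserv, _, results = " ".join(str(header).split()).partition(";")
        if authserv.lower().split()[:1] != [TRUSTED_AUTHSERV_ID]:
            continue  # anyone can write a header under another id; ignore it
        seen_trusted = True
        for clause in results.split(";"):
            dmarc = re.match(r"\s*dmarc=(\w+)", clause, re.I)
            hfrom = re.search(r"\bheader\.from=([\w.-]+)", clause, re.I)
            if (dmarc and dmarc.group(1).lower() == "pass"
                    and hfrom and hfrom.group(1).lower() == from_domain):
                return "authenticated"
    return "unauthenticated" if seen_trusted else "no-trusted-results"

def sample(*auth_results: str) -> str:
    """Build a constructed test message carrying the given header values."""
    headers = [f"Authentication-Results: {v}" for v in auth_results]
    headers += ["From: Customer <customer@customer.example>",
                "Subject: Change of address"]
    return "\n".join(headers) + "\n\nPlease update my postal address.\n"

OURS_PASS = ("mx.bank.example;\n spf=pass smtp.mailfrom=customer.example;\n"
             " dkim=pass header.d=customer.example;\n"
             " dmarc=pass (p=reject) header.from=customer.example")
OURS_FAIL = ("mx.bank.example; spf=fail smtp.mailfrom=bulk.example;"
             " dmarc=fail header.from=customer.example")
FOREIGN = "mx.other.example; dmarc=pass header.from=customer.example"

GENUINE = sample(OURS_PASS)
SPOOFED = sample(FOREIGN, OURS_FAIL)   # sender-supplied header plus our stamp
UNSTAMPED = sample(FOREIGN)            # never passed through our border MTA

if __name__ == "__main__":
    for name, raw in (("genuine", GENUINE), ("spoofed", SPOOFED),
                      ("unstamped", UNSTAMPED)):
        print(f"{name:10s} -> {auth_verdict(raw)}")
```

A result of `authenticated` says the message was sent through infrastructure authorised for the From domain; it says nothing about which person at that domain wrote it.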

  • From Theo@21:1/5 to Rich on Thu May 9 22:19:01 2024
    Rich <rich@example.invalid> wrote:
    For a good long time, email was trivial to forge, and expecting a lowly minimum-wage boiler room worker to know how to read email headers with sufficient detail to detect a forged email was a no-go.

    This was the original source of the "don't do X via email" rules. And,
    much like the use of Fax in the medical environment (at least in the
    US) once something like "email is too easy to forge, don't use email
    for account changes" filters into the bureaucracy such that it makes a
    rule, then the rule remains stuck long past the time when the rule no
    longer applies (email with DMARC, DKIM, and SPF is reasonably
    authenticated, in fact likely a better authentication than the usual
    "who are you, where do you live" questions used to authenticate over
    a phone call).

    One key thing here is that the bank/etc doesn't have any insight into your email system. It might say that you truly sent the message, but maybe your sysadmin forged it?

    Also, email generates a record. If they ask you for your security passcode, that will be recorded in your 'Sent Mail' folder. Any attacker just needs
    to look in there and they have enough to impersonate you. The bank might record phone calls, but they can store the recordings securely and may
    disable the recording for the security information.

    Finally, email is asynchronous, which makes it slow to deal with. Some companies like it for long-running issues since the agent can go back and
    read the history, but for simple one-off transactional things having to go back and forth to establish identity makes it slower than a phone call.

    As to "phone" -- a similar issue applies, only the reverse situation.
    In days long ago, when phone service was from one very regulated
    monopoly (in the US, AT&T), the "phone" was very secure (ignoring the
    issue of "how do I make sure the voice I'm hearing belongs to person
    X"). At that time the phone network was both closed, quite proprietary,
    and due to the high regulation, also quite secure (to an extent).
    Enough such that the various bureaucracies formulated their rules that
    "phone calls are secure -- so making this change over the phone is ok".

    In general, banks often don't pay a lot of credence to the phone metadata -
    the number you're calling from, etc, they only look at the content of the
    call. When they ask for security information it's often of the nature of 'please tell us the 5th digit of your security number' which means anyone intercepting the call (or looking at your phone screen) doesn't get your
    full credentials. They would have to record you making several calls, which implies a (virtual) wiretap rather than just something transient like overhearing a call.

    In other words the process is designed on the basis that phone *isn't*
    secure, and can cope with limited levels of leakiness.

    However, today, the phone network is effectively as "open" as the
    Internet, and no more secure than any other very "open" system. But,
    because the bureaucracies long ago set in stone their rule of "phone is secure" they continue to operate as if it is just as secure as it once
    was, even though for mere pennies one can obtain phone numbers at will
    and forge just about everything related to a phone call.

    Web and email are also easier to do in bulk (see Nigerian Princes passim), while phone is typically harder to fake at scale and easier to spot trouble. Generative AI may change the game on that one, alas.

    Theo
