2007-12-07 email exchange with State Farm


Introduction
This is the main text of an email exchange I had with State Farm. It started when I filled out their "contact us" form, as linked from the emailed version of their latest bill. The message in the bill says: If you are experiencing difficulty accessing your bill, or have received this in error, please call 1-888-559-1922, or click here to send an EMAIL: https://online.statefarm.com/apps/contactSF/pages/technicalQuestionUnAuth.asp

...implying, I should think, that sending an email would be a viable alternative to phoning. As it turns out, however, this is not the case.

Messages
Links have been added where appropriate; the original messages were text-only. The time-stamps seem to be in various different timezones; ours are EST.

2007-12-07 web form submission

 * From: email address redacted
 * Date: 12/7/2007 5:17:30 PM
 * To: info@statefarm
 * Subject: Technical Questions/Unauthenticated
 * Operation = Access/Login
 * Form = Technical Questions
 * Topic = Access/Login
 * Date/Time = 12/07/2007 11:17:29 PM
 * name/address redacted
 * How to be contacted = E-mail
 * Prospect/Customer Email = email address redacted
 * Phone Number =
 * Preferred time to be contacted = No preference
 * State Farm Customer? = Yes
 * Type of Operating System = Other
 * Browser = Other
 * First Time Having This Problem = No
 * Problem Description = I've been locked out of my account (message: "We have changed our security procedures since your last login. Please call the 24 Hour Good Neighbor Service® team toll-free at 1-888-559-1922 to establish new security questions and restore your online access."), and I didn't even have a chance to *set* the new security questions; I certainly never got them wrong when logging in, as I have not logged in since you added this new requirement.
 * I really don't want to call the phone number. Could you please just reset the account so I have my chance to log in and update the security questions? My login name is [redacted]. Thank you.

2007-12-07 19:40:56 State Farm's reply
Dear Sandy Hall,

Thank you for contacting State Farm® regarding the process of viewing your State Farm products online. Additional information is needed to complete your request. Please contact us at your earliest convenience at 1-888-559-1922 for Internet technical assistance. Representatives are available 24 hours a day, 7 days a week. To have your customer ID entered for you each time you log in you can check the "Remember my Customer ID" box on the login page. Forgot your password? If you know your customer ID, try the Automatic password reset.

https://my.statefarm.com/apps/portal/portal.asp&appID=primaryHeavy

 * State Farm Insurance®
 * Internet Support Representative

2007-12-07 18:51:53 my reply to State Farm

 * Date: 12/7/2007 6:51:53 PM
 * To: info@statefarm
 * Subject: Re: Technical Questions/Unauthenticated [#321190]

Hi,

As I said earlier, I would really rather not call. No other online account management form I have ever used has required calling.

If there is information you need, please tell me what that information is and I will be happy to provide it.

Thank you.

Sandy Hall

2007-12-07 20:13:47 State Farm's reply
Dear Sandy Hall,

Thank you for contacting State Farm® regarding the process of viewing your State Farm products online. Additional information is needed to complete your request. Please contact us at your earliest convenience at 1-888-559-1922 for Internet technical assistance. Representatives are available 24 hours a day, 7 days a week. To have your customer ID entered for you each time you log in you can check the "Remember my Customer ID" box on the login page. Forgot your password? If you know your customer ID, try the Automatic password reset.

https://my.statefarm.com/apps/portal/portal.asp&appID=primaryHeavy

 * State Farm Insurance®
 * Internet Support Representative

2007-12-07 19:43:42 my reply to State Farm

 * Date: 12/7/2007 7:43:42 PM
 * To: info@statefarm
 * Subject: Re: Technical Questions/Unauthenticated [#321190]

Are you a real person, or an autoresponder?

Nick, on behalf of Sandy

2007-12-07 22:35:30 State Farm's reply
Dear Sandy Hall,

Thank you for contacting State Farm®. We would like to discuss your question. Please contact technical support available 24 hours a day at 1-888-559-1922, choose option # 1 for Internet technical assistance.

 * State Farm Insurance®
 * Internet Support Representative

2007-12-07 23:16 my reply
Judging from the delay between question and answer (on the one hand), plus the fact that you never actually answer my questions (on the other), I'm guessing you are a human but the software you are using does not allow you to type anything original; you have to choose your responses from a list.

Or perhaps you are heavily penalized for actually typing anything.

Either way, it's very poor policy. I'm going to post this entire exchange on the web, so that others may be amused or bothered by it while learning that this sort of treatment is one of the hazards of doing business with State Farm.

If you have the option, you might consider forwarding this to your supervisor, if s/he has the option of actually typing a response.

Looking forward to your next canned text,

Nick, for Sandy

2007-12-08 State Farm's reply
Sandy and/or Nick Hall, The response you received previously was both auto-response and human interaction. Each response given was in accordance with the security rules in place based on the original problem reported. If your customer id is locked out from the website login, you will need to call for support.

Our website has been updated during 2007 for a stronger authentication procedure to ensure that you are protected from online fraud using the www.statefarm.com® website. In the most recent enhancement the strong authentication questions and answers associated to a customer id are utilized to ensure that the person who is logging into the website is the appropriate person that created the customer id and verified their identity during the registration process; upon the website security enhancement, they may be challenged with the strong Q&A options they chose for their customer id.

There is documentation on the website to assist with an explanation on this process. If you did not choose strong questions and answers prior to the most recent enhancement, you are forced to call into support to complete this step.

As you indicate you are locked out from the login options, the only choice you have to access your information using the website is to contact the internet support by phone. Whether Insurance, Banking or Mutual Fund products, you are able to contact our Internet Technical Assistance at the number provided.

While inconvenient the strong authentication was implemented in accordance with federal and industry guidelines. Per your request, I have forwarded the exchange below to another level of support to advise them that the email interaction is not as customer friendly as we would intend for this type of problem being reported using the contact form. They will review for any improvements that we can make to our auto response/canned response to allow a better exchange with our customers. I cannot confirm whether they will contact you in regards to this suggestion. I apologize we cannot meet your needs for assistance using email or a form for contact. To protect your insurance, mutual fund, and/or banking account information, you are forced to call for further support with the website login.

For security reasons we cannot negotiate a compromise or provide further assistance using email. This policy is in place to protect your personal information and the integrity of your product information with State Farm. If you need further assistance please call the 24 hour Good Neighbor Service® support line at 1-888-559-1922 using option 1 for Internet Technical Assistance. The Internet Support Representative will be able to use a procedure in place to assist you with the website strong question and answer information and the website login for your product access.

Thanks for your time and understanding.
 * Respectfully Submitted-
 * -corey colburn
 * State Farm Internet Customer Support
 * sfics@statefarm

2007-12-08 my response
So... what you are telling me is that receiving email from the email address we have registered with you online, which is the same email address at which Sandy's password would be received if she were to reset it online, is less secure than if someone were to call you from some random phone number and claim to be Sandy Hall?

Please explain to me how this is a security improvement. (I would also be interested in any web links you may have for the industry standards you mention.)

Respectfully,

Nick, for Sandy SC#8227475

2007-12-08 11:43 State Farm's response
A password reset is an available option using the website if the customer id conforms to the strong Q&A standard that was enhanced in May of 2007. The password is not sent in an email. It is completed immediately if the option is available to the customer id, and the login can be accomplished if the reset is successful. This is an automated process that is available for many online customers, but cannot be completed with Sandy's customer id due to the status of the customer id not conforming to the website strong question and answer standard. By calling the website support, a human interaction is available and there is a procedure in place to authenticate the caller's identity. The authentication is not based on email address or a phone number, but a security process to identify the person reporting a problem with the website. We are not able to utilize an automated process for every action on the website, but are working to improve the website and the functionality. Sandy's customer id is an exception in which case, the automation is not an option and she will need to call for further website support.

By conforming these security standards in our interaction with a customer, it does improve the security of your policy and/or account information. The practice and guidelines in place at State Farm and by the industries involved as a whole assist our customer support in ensuring each customer is advised appropriately. Each level of support has their process with which to base their communication. The breakdown in the practice of security can occur, but I have not experienced and am not aware at this time that any customer data has been compromised based on the automation in place or by social engineering. I do not believe that any information that has been shared at this point would pose a security breach. Please be aware that there is a point in communication where email or even a phone call cannot be utilized to advise a customer appropriately. In an extreme case where authentication cannot be performed through the automation in place or by phone, a customer is advised to contact their agent to assist further. There is a process in place where a customer is advised to actually go to the agent's office to communicate they need assistance and the agent's office will be able to contact support for authentication reasons. It would be an extreme, rare case and possibly very inconvenient for a customer to interact this way to gain support. While inconvenient, it is sometimes necessary to go to an extreme measure to protect and secure the personal information of our customers.

You are able to find more information regarding the standards/guidelines in which financial institutions are posing stronger authentication for web based access to information with the Federal Financial Institutions Examination Council's (FFIEC) website. This Council's standards are being adapted by every US banking institution that allows a customer access to their accounts online. A good reference to the guidelines is available from the following link:

http://www.ffiec.gov/pdf/authentication_guidance.pdf

The general website is very informative regarding the banking industry: www.ffiec.gov

The above .pdf file is an acrobat reader file, so I cannot assist if the link does not open on your computer, or you need support of the acrobat reader software. The information was updated by the above government website some time in October of 2005.

Thanks again- -corey State Farm Internet Customer Support

2007-12-10 07:01 my response
Corey,

Thank you for your detailed reply to my questions.

What I still don't understand is why the authentication procedure you use over the phone cannot be applied via email.

Also, I don't understand why Sandy was locked out of her account, as she was never given the opportunity to log in and supply the required questions and answers for your new security standards. If there was a time-window in which she was allowed to do this, she was never informed of this.

It seems to me that you should at least be willing to set the grace period so that everyone has one bill to pay during that window. That way nobody gets locked out without warning, as we did.

We are not comfortable dealing with a company which feels that they can quietly revoke our access, with no warning, and refuse to make an exception when the situation is explained. No other web portal either of us have used, including banking and other financially-related sites, has ever locked us out without warning, even in cases of mistyped passwords.

I recognize that you are trying to improve website security, but this is going about it the wrong way. For example, the short time-window you have set, combined with the lack of warning, is bound to result in a large number of customers needing to use your phone support to have their accounts restored. This places a strain on a part of the system which is more prone to error, being human-mediated. Without knowing your exact security procedures I can't give specific scenarios for failure of this system, but it seems to me that in general you want to *minimize* reliance on human-mediated processes wherever possible. By placing an arbitrarily low threshold (in this case, the short expiration window) for locking out users, you are moving an unnecessarily large part of the load over to this more strain-sensitive subsystem.

Further, I don't see how any information which could be obtained over the phone could not be obtained with better reliability via email. Both parties would have a written record of the communication (leading to reduced likelihood of the customer losing any important data e.g. passwords which might be conveyed), and there is far less possibility of a transcription error. The only possible security advantages I see to a phone call are:

 * requires the customer to answer in real-time, reducing the possibility that an illegitimate actor might be obtaining the information from the real customer
 * a very limited reality-check in that the gender of the voice must match the gender of the name (but would you reject a male-voiced person claiming to be Sandy Hall?)
 * intuitive checks, e.g. does the person seem furtive or evasive? Is there anything which sets off the agent's warning bells? (However, without any kind of objective evidence, what would you do if there *was* suspicion? What if the genuine customer is herself rather nervous on the phone, and comes across in a way that sounds "suspicious"?)

The last two strike me as extremely un-dependable and hence not really contributing to security, and the first one barely less so -- e.g. what if I (as a customer) don't know or can't remember, off the top of my head, the information asked by the agent? (Sometimes I can't remember my birthday on the phone, much less my social security number.) On the phone, I might be fumbling with my less-than-perfectly-organized filing system trying to find the information under time-pressure, possibly while the agent is asking me further questions; with email, I have the whole list of questions and go about gathering the information in a calm and methodical way.

So I'm still not understanding the need for a phone call, nor how this is more secure than the usual practice, i.e. sending an "activation code" via email. You know the email is the address actually belonging to the customer because they registered it on your site, and you know the correct owner of the email address has received it because only they have the password to that account. Activation codes can be set to be valid for a limited time and one use only, making it impossible to use one to gain access after the initial use and unlikely that an unused one could be misused after falling into the wrong hands.

Perhaps you are guarding against the possibility of a user's email account becoming compromised without their informing you of this -- but in this case, how is a phone call more secure? Any identity-confirming information you might ask over the phone could just as easily be asked via email. When they post their confirmation code via your web site, you would also have their IP address, and (in the case of fraud) could use this to track down the abuser -- while in the case of a phone call, a blocked Caller ID leaves you with absolutely nothing.

If you have already considered all this, I would be very interested in understanding why you nonetheless believe a phone call to be a more secure method of reactivating an online account.

Thank you,

Nick Staddon (for Sandy Hall)

2007-12-10 09:13 State Farm's reply (different person)
Mr. Staddon,

Thank you for your comments and suggestions. I have forwarded them to our development team. That said, the reason phone calls are used instead of emails is that email is not a secure medium. They can be easily intercepted unless the email is encrypted. That is why State Farm does not email confidential information to customers.

Have a good day.
 * Alex Kost (bh3t)
 * State Farm® Internet Customer Support
 * 1-888-559-1922 ext. #1, then #2
 * SFICS@statefarm

2007-12-10 11:16 my reply
Do you have any data on the frequency of interception/abuse of sensitive email information versus that of information spoken over the phone (e.g. overheard by someone in the same office, or listening on another extension)? I would be skeptical of the possibility of any studies accurately reflecting the real world -- e.g. if someone overheard a credit card number and abused it, unless you track down the abuser and get a confession, how would you ever know that this is what had happened? -- but I would be interested in the results if anyone has actually done such a study.

Saying something "is not a secure medium" is placing an absolute requirement on an imperfect world; *no* medium is completely secure. The question is which method is *more* secure -- or, more to the point, less likely to result in loss due to abuse of sensitive information.

It seems to me that by saying "email is insecure" while overlooking the fact that the phone is also insecure, you are settling for a comfortable sound-bite which plays well in promotional literature but does not really improve security.

(A side note on encryption... it would be nice if there was a central registry of certified/signed personal public keys which you, as a business, could use to public-key-encrypt sensitive information before sending it to customers. This would essentially eliminate the risk of interception. Do you know of any initiatives to create such a thing for business/consumer use? That would certainly be more secure than either email or phone, in situations such as this.)

We will take our payment down to the local office, and see if they can have the lockout lifted while we are there (so as to avoid this nuisance next year). If they cannot, we will be looking for another insurance company. While we recognize the need for security in financially-oriented web sites, we feel strongly that the latest round of "personal question-and-answer" requirements has gone too far, and is more for show than it is any real improvement in security. Accessing a web site should not feel like walking through metal detectors accompanied by bomb-sniffing dogs.

More to the point: If a customer makes a specific request to conduct business through email, you should look towards finding a way to work with them. Don't go implementing these things that people don't want and then claiming you're doing it for their benefit.

Respectfully,

Nick Staddon, for Sandy Hall