I just got off the phone with AT&T wireless. for some reason, i cant pay my bill online. i think its cause i signed up when they were just getting their "next generation" thing going. basically, my account has been hosed in the past and has never been right since.
aaaanyways. the point to this post (besides me liking this blog thing) is that when i told the customer service woman about my problem, she asked me for my userid and my password.
...
now think of back in 6th grade when AOL first came out and it was cool and you actually used it. do you remember the email / message you got weekly saying "AOL employees will never ask you for your password under any circumstance" ?
well, i do.
basically, asking a user to divulge his/her password is horrible computer security. i like to think i know a little about computer security, but who knows. anyways, the service agent was actually quite open about how this is the only way she has to look at my account when it comes to the website. apparently this is the same with some internal duties she does as well. when someone inside at&t calls her about something, often she has to ask for their password. this is just bad. i suppose i should quote bruce schneier or something, but nothing comes to mind.
anyways, i thought that was totally lame.