Serious flaw in ATO security protocol

Please be careful...

A few weeks ago I got a call from someone claiming to be from the ATO (Wait, if you've seen the first series of Underbelly, don't get ahead of me just yet).

Now, I'm sure more than 99% of the time a call like that IS actually going to be coming from the ATO and not some fraudster, but I ALWAYS make sure even on my laziest of days.

So after introducing himself, the caller says "Firstly for security purposes, I just need to confirm your name, date of birth and address".

So I say, "Before I can do that, for my own security, I need to confirm your full name, and confirm that you're actually calling me from the ATO. Is there an extension I can reach you on?"

He says "Okay, well I'm calling from a department that can only make outgoing calls, but my name is Patrick and I work in the Melbourne call centre in Team B. If you call the ATO, you can confirm that, then I'll give you a call back in about 15 minutes, okay?"

So I said, "I could call the ATO and ask them, but all that would confirm would be that they have a Patrick working for them in the Melbourne call centre in Team B, but that wouldn't confirm that the person calling me (you) is in fact Patrick from the ATO."

At this point we argued back and forth for ages. One of his arguments being that everyone else he calls accepts that he is from the ATO, so apparently I'm supposed to fall into line.

So finally I say "Look, the only way I'm going to feel confident that I am actually speaking to the ATO is if I call you, through the main ATO phone number, or a phone number that I have confirmed to belong to the ATO."

He says "Well, I work in an area that cannot take incoming calls. If you don't want to continue this conversation, or confirm with the ATO in the manner I have suggested, then I will have to close off this file."

Basically he's said that although I have no guaranteed way of knowing whether he is in fact from the ATO, I have to just trust him or have a potentially important issue completely wiped from their to-do list.

I can tell you despite the fact that I knew of several issues I needed to speak to the ATO about, I wasn't at all tempted to give in and trust an unknown caller. Some people would call that overly paranoid, but I don't think so. You really should make it a point to know for sure who you're giving out personal details to, and my suggested method of confirmation would be perfectly reasonable, aside from the fact that this particular staff member couldn't take incoming calls.

So I said, "Well, since you have given me no sure way to confirm your identity I basically have no choice but to discontinue this conversation altogether".

And he basically said, "Okay then, bye", and that was that.

That's a huge flaw in the ATO procedures. It basically makes me realise that possibly hundreds of people every day are too trusting of people over the phone claiming to be from the ATO (or other organisations).

Now, if you have seen the first series of Underbelly, you'll know how very bad s*** can happen when the 'ATO' calls.

-Ian
 
Some people would call that overly paranoid, but I don't think so.

Not I.

It is difficult to keep one's cool and keep at arm's length sometimes.

My son did a contract with an ATO call centre although that should be called a "call out" centre so I'll ask if this is plausible.
 
I haven't seen underbelly (I know ... I should get out more), but I assume the scenario goes something like this ...

"please give DOB, TFN and a previous assessment number". They already have your name & address from the directory or theft of mail.

THEN they file a fictitious etax return requiring a substantial refund to be credited to a bank account of their choice.

THEN the ATO comes after you for tax fraud !!

It's funny, I can spot email phishing scams a mile away, but a personal phone call where somebody already has some of your information throws me a bit !!

Cheers,

Rob
 
You can never be paranoid enough.

Have you checked to make sure it was from the ATO?

To my knowledge they always have a contact number and reference number.

Had a few call backs from banks and I always ask them for name, contact number, reference number and to confirm last time of contact and why. A common question the bank asks is can you identify regular payments into your account?
 
I had a call from the 'electricity company rep' one arvo.

I'm calling to confirm the size/locations of a current blackout in your area, what is your full address and is your tv, stereo or computer still working?

I say straight up, reflex action, if you called me on my home number from your records then you can tell me my account number and address and I'll tell you if the power is off or not.

I felt sorry for any trusting/unsuspecting elderly people as the question was so leading and was pretty forward. Easy to fall for it and tell them yeah we're watching my big screen right now with the subs crankin' and next day you're robbed...

I got his details and called the company back - yup, he was a phoney.
 
Have you checked to make sure it was from the ATO?

I was never able to confirm the call, and never got around to making a complaint. This is the first time I've put the incident in writing, and the quotes are only approximate.

In the days following that call, I did resolve all outstanding issues I had with the ATO (by calling them myself).

Also, this is going to make me sound even more paranoid, but I have a phone pick-up which I plug into my PC, and occasionally record calls. But it's usually only plugged in if I'm making the call and I know it's going to be important, not if I'm caught off guard by someone calling me.

-Ian
 
I haven't seen underbelly (I know ... I should get out more), but I assume the scenario goes something like this ...

**SPOILER ALERT**

No, from memory I think it went more like this...

Caller: Please tell me your name, date of birth and address.
Victim: ...my address is...
*Caller packs large knife and gun and heads over to victim's house*
 
So after introducing himself, the caller says "Firstly for security purposes, I just need to confirm your name, date of birth and address".

Couldn't you just give fake details?

This would then test whether they are from the ATO or not; a fraudster would accept false details?

:confused:
 
Hi all,

Funnily enough I had a phone call today asking for "bob jones". My reply? Why do you want "Bob"??

Reply: "I need to talk to Bob about a business transaction and I got this phone number from the phone book".

Me: "Sorry, you have not given me enough information to help you".

Bye
 
So I say, "Before I can do that, for my own security, I need to confirm your full name, and confirm that you're actually calling me from the ATO. Is there an extension I can reach you on?"

He says "Okay, well I'm calling from a department that can only make outgoing calls, but my name is Patrick and I work in the Melbourne call centre in Team B. If you call the ATO, you can confirm that, then I'll give you a call back in about 15 minutes, okay?"

I've had a very similar conversation myself. Given that we're encouraged to do exactly what you suggest to protect ourselves from identity theft, it staggers me that call centres haven't figured out a way for you to be able to call them and confirm that they're who they say they are.
 
I've had a very similar conversation myself. Given that we're encouraged to do exactly what you suggest to protect ourselves from identity theft, it staggers me that call centres haven't figured out a way for you to be able to call them and confirm that they're who they say they are.

I work in a large gov. dept & we are often calling people to confirm info. We ask a series of questions (not always the usual full name dob etc) to try & confirm we have the right person but it amazes me how many people give us that info without question.
The ones who do question us then are asked to contact us on the everyday number they already use to contact us & we give them our personal computer log on code to ask for us by.

They call that number, ask for log on xzy & are put thru to us. Simple, isn't it? But it's amazing how many don't question us.

Cheers
Stella
 
The ones who do question us then are asked to contact us on the everyday number they already use to contact us...

The other thing I've heard is when the caller actually gives me the number to call them back on (not the main company phone number), and then expects me to just call them straight back on that without first confirming the owner of that phone number. E.g. this happened with CBA.
 
If I got that phone call a few years ago I probably would have curled up in the corner in the fetal position.

I reckon I'd answer a call from the ATO nowadays.

I challenge the so-called Optus and Telstra call operators who ask if I want some great deal, then ask me for my personal details. I explain to them: you called me, what are my details?

Maybe that's why I pay so much for my phone bills.
 
A colleague and I were talking just the other day about how stupid the ATO system is. We both received calls recently from the ATO saying they had received returned mail and wanted to update the address for our clients. I asked them to tell me what address they had on their system and they said they couldn't tell me due to the privacy rules. WTF? They rang us, and then expect me to take their word for it that they are the ATO and give out someone's address. I don't think so! Surely they have more proof they are talking to someone legitimate when they have rung the phone number of a registered tax agent. How do I know it's really the ATO on the other end though??
 
Had a similar call from Telstra (we have a landline through them).

Caller asked for my name, DOB and address "for verification".

Me: Why, you called me, you know who I am.

Caller: We need it to ensure you are the person we called.

Me: How do I know who you are?

Caller: I can give you your account number (apparently different from phone number) and you can check it on your bill.

Me: Paperwork is in study, why should I go through that hassle?

Caller: I can play you the Telstra "waiting" music?

Me: You could have recorded that anywhere.

Caller: I don't think we are getting anywhere.

Me: Goodbye!!

On the positive side, at least his English was good enough for me to understand!!
Marg
 
Haha, I love it Marg, especially the "Why should I go through that hassle?" part.

It reminds me of a note that was left in my letterbox a few weeks ago saying Energex needed to access my property but we weren't home and that I should call them to arrange a time when I will be home so that they can come back.

That went straight in the bin.
 
They call that number, ask for log on xzy & are put thru to us. Simple, isn't it? But it's amazing how many don't question us.

It's amazing all call centres don't insist on a secure procedure! If every call centre insisted on a call back process through a main telephone number then people would know to look out for it. When someone tried calling without that process, you would then know it's a fake!

Call centres are the ones to blame here for getting people used to being set up! The current process is just an invitation to fraud!

End rant!

:mad:
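The two checks argued over in this thread can be modelled directly: Ian's rejected option ("ring the ATO and ask whether a Patrick works in Team B") only proves such a person exists, while Stella's procedure (agent gives a log-on code, you hang up and ring the number you already hold for the organisation) puts you on the line with whoever that trusted number routes the code to. The following is an added illustration, not code from any of the posts or from the ATO; the organisation, agents, phone numbers, log-on codes and the "fraudster's line" are all constructed for the example.

```python
"""Simulated phone network comparing a name-lookup check with a call-back
through a trusted number. Everything here is constructed for illustration."""
from __future__ import annotations
from dataclasses import dataclass, field
from typing import Optional


@dataclass
class Agent:
    name: str
    team: str
    logon_code: str


@dataclass
class Switchboard:
    """One inbound phone number and who can be reached through it."""
    number: str
    agents: list[Agent] = field(default_factory=list)
    accept_any_code: bool = False  # a fraudster's own line will 'connect' any code

    def has_agent(self, name: str, team: str) -> bool:
        return any(a.name == name and a.team == team for a in self.agents)

    def connect(self, logon_code: str) -> Optional[Agent]:
        for a in self.agents:
            if a.logon_code == logon_code:
                return a
        if self.accept_any_code:
            return Agent("whoever answers", "n/a", logon_code)
        return None


@dataclass
class IncomingCall:
    """Everything the recipient learns from an unsolicited call is only a claim."""
    claimed_name: str
    claimed_team: str
    logon_code: str
    offered_callback: Optional[str] = None  # a number the caller says to ring back on


ORG_NUMBER = "1300 000 000 (constructed)"   # the number printed on the recipient's own bill
SCAM_NUMBER = "0400 000 000 (constructed)"  # a line the fraudster controls


def build_network() -> dict[str, Switchboard]:
    """Simulated phone network: dialled number -> switchboard that answers."""
    return {
        ORG_NUMBER: Switchboard(ORG_NUMBER, [Agent("Patrick", "Team B", "P-4471"),
                                             Agent("Stella", "Team C", "S-9082")]),
        SCAM_NUMBER: Switchboard(SCAM_NUMBER, accept_any_code=True),
    }


def name_lookup_check(call: IncomingCall, network: dict[str, Switchboard]) -> bool:
    """Ring the organisation and ask whether such a person exists there.
    Passes for anyone who has learned a real employee's name and team."""
    return network[ORG_NUMBER].has_agent(call.claimed_name, call.claimed_team)


def callback(call: IncomingCall, dial: str, network: dict[str, Switchboard]) -> Optional[Agent]:
    """Hang up, dial `dial`, and ask for the log-on code. Whoever this returns is
    the only person the recipient now discusses their affairs with."""
    return network[dial].connect(call.logon_code)


def verify_caller(call: IncomingCall, network: dict[str, Switchboard]) -> Optional[Agent]:
    """Stella's procedure done properly: the call-back goes to the number the
    recipient already holds. call.offered_callback is ignored on purpose, since the
    recipient cannot tell who owns a number supplied during the call."""
    return callback(call, ORG_NUMBER, network)


def is_genuine(agent: Optional[Agent], network: dict[str, Switchboard]) -> bool:
    """True only if the person now on the line is reachable via the trusted number."""
    return agent is not None and agent in network[ORG_NUMBER].agents


if __name__ == "__main__":
    net = build_network()
    genuine = IncomingCall("Patrick", "Team B", "P-4471")
    # A caller who has merely found out that a real Patrick works in Team B
    impostor = IncomingCall("Patrick", "Team B", "P-0000", offered_callback=SCAM_NUMBER)

    print("name lookup, genuine :", name_lookup_check(genuine, net))                 # True
    print("name lookup, impostor:", name_lookup_check(impostor, net))                # True, so useless
    print("call-back, genuine   :", is_genuine(verify_caller(genuine, net), net))    # True
    print("call-back, impostor  :", is_genuine(verify_caller(impostor, net), net))   # False
    # Ringing the number the caller offered would have 'connected' regardless:
    print("offered number       :", callback(impostor, SCAM_NUMBER, net))            # fake agent
```

The point the simulation makes is that the call-back does not need the log-on code to be secret: even a caller who quotes a real agent's code only succeeds in connecting you to that real agent through the trusted number, so the original caller is cut out of the conversation either way. What breaks the scheme is dialling a number the caller supplied, which is exactly the CBA case described above.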
 