T-Mobile
No really, my SSN really does belong to me

T-Mobile's service itself is fine. I have had nearly flawless service, with only a few dropped calls, and those are either while travelling in the middle of nowhere, or out in remote training locations. The customer service is fine so long as your problem is easily defined and fits into their standard procedures. However, if your problem is not standard, the weakness of the customer service section rapidly becomes apparent.

This all started about two months ago when I signed up for T-Mobile and before I came down on orders for Iraq. Unfortunately, T-Mobile botched the initial bank draft that I had set up to pay the bill. When I attempted to call them and fix the issue, T-Mobile's system literally hung up on me. It took them three weeks to acknowledge that I had been hung up on, and then was told, "We shut down from 10:00PM to 3:00AM." No apology, and after more than a month still no explanation for being hung up on 9:00AM.

This inability to admit fault should have been a strong indicator of the lack of professionalism that was to follow.

With access by phone inexplicably blocked, I decided to send an email to T-Mobile through its password protected My T-Mobile site. After providing the password, phone number, billing address, etc, the customer service section refused to do anything unless I verified my identity. Unfortunately, the information they wanted was my Social Security Number (SSN), and they wanted me to send it over an unsecure email.

Hold on a second here, the SSN that provided for a credit check somehow became the default password for my account? It somehow became the default password for the account without my knowledge or permission?

When I objected to using my SSN as a password, T-Mobile responded with, "When contacting customer care via e-mail you are required to provide your full billing name 10 digit mobile number and SSN... We are unable to make any exceptions to this as this is an FCC mandated policy" (Alana L, T-Mobile CS Supervisor)

Unfortunately for T-Mobile, I was not unaware of actual FCC requirements about the safeguarding of information.

1. The FCC requirement involved is that a company take 'reasonable' steps to avoid pretexting, or having someone call up and pretend to be you so they can get your phone records.

2. The FCC actually has a specific admonishment to avoid using SSN as a password in any circumstance.

3. The FCC lists several approved methods for ID verification to avoid pretexting, and none of these approved methods involve the electronic or public transmission of sensitive information.

Please bear in mind that a phished email containing the 'required' information listed by Alana not only easily allows pretexting at will; it will also make stealing your ID extremely easy.

After almost a month of fruitlessly pointing this out, I finally reached George, the CS manager. His first response was, "Gee, I'd love to help you, but you haven't given us your SSN so I really have no idea if it is you or not." Please remember, this is the manager, the guy that sets the tone, and after a month this was the level of professionalism and maturity that any customer will face.in route to him, there were several CS Reps who were so rude and combative that I literally had to ask that they not be allowed to communicate with me ever again.

George's final response to my concerns before disappearing was, "Well, you'll just have to trust us then, as we have your best interests in mind."

Exposing yourself to ID theft just before deploying into a war zone is a good idea? Allowing a corporation to set sensitive information without a customers knowledge or permission as a public password is a good idea? Ignoring FCC approved ID verification methods in order to force me to use an unapproved method is somehow in my best interests?

After George disappeared, a complaint to the Better Business Bureau brought me in contact with Mrs. Masters for the Executive Customer Service Section. Mrs. Masters attempted to explain that verifying my ID was important, and even went so far as to acknowledge that sending information via an unencrypted email was a bad idea. Nevertheless, she wanted to me to go to a T-Mobile store with a valid photo ID, no problem so far, but would then have to whisper my SSN in order to prove I really was the person in the government issued photo ID.

After attempting to point out that the FCC explicitly states that photo ID is the sole means for ID verification in person, Mrs. Masters also simply shut down. Not only was their no explanation as to why my SSN had become my password without my permission or knowledge, but access to my password protected account was blocked, preventing me from even being able to pay my bills. That a password met the requirement for ID verification was ignored. T-Mobile refused repeated requests to restore my access until I gave them my SSN again (apparently by shouting it in public).
All the offers to verify my ID through several different FCC ID approved methods were ignored. The BBB unfortunately cannot bind anyone to agreement, and complaints to the FCC were literally ignored.

When I tried to have a military attorney explain the situation, T-Mobile literally imploded. The CS department completely shut down. As my normal billing method was now blocked, several inquiries about alternate methods were met with demands that I write their legal department by mail for a response. I literally had to call with a lawyer present before they would discuss alternate billing methods. Even when I secured an alternate method for payment, when I attempted to use that method I was met with yet another diatribe demanding that I give them my SSN. Only threats from a lawyer finally allowed me to pay my bill and prevent T-Mobile from using my credit rating as a weapon against me.

Again, the methods T-Mobile uses to verify ID are not supported by the FCC. There is a lack of regulatory understanding and enforcement, as well as a complete lack of understanding and acknowledgement about very real threats from phishing and other ID scams. Under these circumstances, can a customer refuse to use their SSN as a password? Wouldn't it seem reasonable to just use an alternate method that does not expose consumers to ID theft and is approved by the FCC? One would think so, but clearly not T-Mobile.

The only progress I have made in this endeavor is that the CS department no longer claims that sending SSN information is an FCC requirement. I just have to do it. A worse example of corporate incompetence and abuse I cannot find.

Company: T-Mobile
Country: USA

  <     >