January 21, 2013

Authentication in the age of the hacker

Remember "I've fallen, and I can't get up"? You may think that was mildly humorous, but when you're infirm it's a serious worry. My lifestyle being what it is, if I have another, more serious, stroke, I might well die, slowly, of thirst. Likewise if I lose my balance and fall and break a bone.

It's not a prospect I really look forward to. So that's why I got the cell phone; and I always keep it within arm's reach. It's my solution to that problem. My normal wireline phone doesn't serve; it's on top of my refrigerator, and if I was hurt there would be no way to reach it.

I wanted to set up my account with Verizon to auto-pay from my checking account, and I figured I could do that online. The question was, would I have to go to the Verizon store to set up a login?

Turns out not. Their authentication isn't foolproof, but it's pretty darned good.

To set up the login, I gave them my phone number. And then they sent a text message to my phone with a temporary password. (It was an 8-digit number, which looked random to me. I don't think it was a hash.) It caught me by surprise; I was sitting at my computer using the web browser, and suddenly my phone chimed.

Using that, effectively it confirmed that I had that phone. It didn't prove I hadn't stolen it, of course, but that can be handled other ways. (Like the owner reports it stolen or lost, and then Verizon shuts down service for it.)

Anyway, using that one-time password I was able to log in and set a permanent password, and tell them my email address (to which, from now on, they will send all bills and communications; I am now "paperless"), and then I gave them all the information they need about my checking account in order to automatically pay my bill each month.
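As an added illustration (not code from the post, and not Verizon's own system) of what the server side of that text-message step looks like: an 8-digit code drawn from a cryptographic random source, sent to the phone on file, accepted once, and thrown away after a short lifetime or a handful of wrong guesses. The expiry, attempt limit, and the `send_sms` hook are assumptions made for the example.

```python
import hmac
import secrets
import time

OTP_DIGITS = 8          # the post describes an 8-digit temporary password
OTP_TTL_SECONDS = 600   # assumption: the code is good for 10 minutes
MAX_ATTEMPTS = 5        # assumption: five wrong guesses burn the code


class OtpEnrollment:
    """Bootstrap a web login from proof of possession of a phone (constructed example)."""

    def __init__(self, send_sms, now=time.time):
        self.send_sms = send_sms      # callable(phone, message) supplied by the caller
        self.now = now                # injectable clock so expiry can be tested
        self.pending = {}             # phone -> [code, issued_at, wrong_attempts]

    def start(self, phone):
        # secrets, not random: the code must be unpredictable rather than derived
        # from account data, which is why it "looks random" to the recipient.
        code = f"{secrets.randbelow(10 ** OTP_DIGITS):0{OTP_DIGITS}d}"
        self.pending[phone] = [code, self.now(), 0]
        self.send_sms(phone, f"Your temporary password is {code}")

    def verify(self, phone, guess):
        entry = self.pending.get(phone)
        if entry is None:
            return False
        code, issued_at, attempts = entry
        # An expired or over-guessed code is discarded outright; the user must
        # request a fresh one, which keeps the 10^8 space from being searched.
        if self.now() - issued_at > OTP_TTL_SECONDS or attempts >= MAX_ATTEMPTS:
            del self.pending[phone]
            return False
        entry[2] += 1
        # Constant-time comparison so a wrong guess leaks nothing about the code.
        if hmac.compare_digest(code, str(guess)):
            del self.pending[phone]   # single use: the code never works twice
            return True
        return False
```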

I had another experience like that a couple of days ago. A couple of my prescriptions ran out and needed refilling, and I decided to see whether I could put in the order using the web.

And it turns out that I could. If you're not from around here, you probably don't know what Fred Meyer is. It belongs to Kroger now, but it's a chain of stores located all over the Northwest and even down into northern California. It's kind of an omnibus store; they sell groceries, but also variety stuff, and electronics, and appliances, and furniture, and there's a home center, and... about the only thing they don't sell is cars. (I think they don't sell beds, either.)

Well, I got my prescriptions from their pharmacy, so I got onto the web site. What they asked for was, first, the prescription numbers I wanted to refill. But was I just entering random numbers to foul them up? How to prove not?

I had to enter the full phone number of the particular pharmacy I was using (which is printed on the label of the bottle), and the last four digits of my own phone number, to prove it was me.

For someone trying to cause grief, that means that even if they got a real prescription number, they'd have to guess right which of the many Fred Meyer pharmacies first issued it (and there are probably fifty of them), and then have one chance in ten thousand of getting the customer phone number right. That's sufficiently daunting that I doubt anyone bothers to try hacking it, which for Fred Meyer is good enough. (But if it becomes a problem, their records also include the name of the customer and they could ask for that, too.)

Both of those I thought were pretty clever. Security is always a tradeoff with convenience, but in these cases I thought they chose a pretty good tradeoff point.

Posted by: Steven Den Beste in Daily Life at 09:39 PM

1 Man, the decline issues are no fun, although I do not want to call it "depressing" (I refuse to give in to that kind of thing). Anyway, my strategy for it is to establish a buddy system for backup by marrying a woman of about the same age. Seems to be working ok thus far.

Posted by: Pete Zaitcev at January 22, 2013 10:03 AM (RqRa5)

2 I would prefer your system, but it isn't given to all of us to have that.

Posted by: Steven Den Beste at January 22, 2013 11:18 AM (+rSRq)
