Educause Security Discussion mailing list archives
Re: Telephone Verification of Identity
From: "Tonkin, Derek K." <Derek_Tonkin () BAYLOR EDU>
Date: Fri, 20 Mar 2009 10:05:01 -0500
I don't have any answers but I would be very interested in this as well. I believe that our helpdesk has some policies in place for this and will see what they are but I doubt that they would meet our needs in the security group. Presently we use a combination of phone numbers on file and caller ID but I would be interested in a better practice. -------------Baylor University------------- Derek Tonkin Information Security Analyst Information Technology Services - Security derek_tonkin () baylor edu 254-710-7061 ---------------Sic 'em Bears--------------- -----Original Message----- From: The EDUCAUSE Security Constituent Group Listserv [mailto:SECURITY () LISTSERV EDUCAUSE EDU] On Behalf Of Kenneth Arnold Sent: Thursday, March 19, 2009 8:59 PM To: SECURITY () LISTSERV EDUCAUSE EDU Subject: [SECURITY] Telephone Verification of Identity We are dealing with the problem of how you verify the identity of a person over the telephone sufficiently to discuss non-directory/confidential information with them. Do you require the person to supply specific data about themselves? If so, what data? Do you have challenge questions/responses on file that you use to verify identity? How are other schools dealing with the problem? We currently don't have a standard method to verify identity. We have tossed around some ideas like: 1. Is the student ID sufficient? Is the student ID similar to the SSN in that we can't use it for identification either because of FERPA? 2. Is the birthdate sufficient? Facebook makes this information readily available. A doctor's office tends to use this to verify identity over the phone. 3. Is the student ID and the birthdate sufficient? 4. It is our impression that we can't use the social security number or even part of it because of FERPA. 5. Do you call the person back at a telephone number recorded for that person in our administrative database? 6. Do you use caller ID to verify that the person is calling from a number recorded for that person in the administrative database? Caller ID can be forged. 7. Do you generate a random number, display it to the person answering the phone, send the random number to the person through email and then require the person to give you the random number? -- Brother Kenneth Arnold Director of Network Systems Christian Brothers University Memphis, TN (901) 321-4333
Current thread:
- Telephone Verification of Identity Kenneth Arnold (Mar 19)
- <Possible follow-ups>
- Re: Telephone Verification of Identity Tonkin, Derek K. (Mar 20)
- Re: Telephone Verification of Identity Irish, Adrian L (Mar 20)
- Re: Telephone Verification of Identity Matthew Giannetto (Mar 20)