Security theatre – Privacy and verifying identity when companies call you

I’ve noticed recently that my health insurance company’s privacy policy has changed so that when they call you, they need to check personal details to verify your identity before discussing your account. Sounds like a good idea – make sure they always verify your details, so they don’t give out personal details which might lead to identity theft.

But hang on, they call you, and ask you to give them your name, date of birth, address, phone number, policy details? Sounds like a great identity theft scam to me.

Now, I do actually know that the times I have been called by my health insurance company it actually has been them. But really, if I wanted to scam some identities, surely it wouldn’t be hard to pick a common company (whether health insurance or some other service provider), blindly ring numbers (without sending your caller ID) and pretend to be checking some account details.

The other side to this is that, often when they do ring, I’m out in a public space. A public place is not somewhere I’d like to recite my personally identifying details for anyone to hear, just like I won’t submit personal info over an unencrypted link, especially not when using a free public wifi access point.

It is reassuring that companies are taking identity theft more seriously, but blindly implementing measures without thinking them through? Seems like security theatre is expanding its audience.