Monday, 9 May 2011

Banks, phone calls and security

[This was originally posted to my "stuff that doesn't fit anywhere else" blog. Probably actually should have gone here ...]

Now I’m probably turning into an old fart, but I get really annoyed by banks when they phone you up about something trivial:

- Hello this is the XYZ bank. Can I speak with Mr Xyzzyy?

- Speaking

- I want to talk to you about some correspondance. Can you please confirm your date of birth and account number?

- No, I am not assured that you are calling from XYZ bank. You are calling from a call centre on an unlisted number. Can you please confirm the last four digits of any of my bank accounts

- I am sorry I cannot release any information unless you confirm your identity

I’m sure you can see what’s wrong about this dialogue. The bank quite properly wants to confirm my identity. Unfortunately they are asking for a something (my birthday) you can find by googling, and something I’d like to keep secure, an account number. Now while I’d be happy to tell them that, I’m alert to social engineering, after all they keep on sending me emails about being secure online and scammers, so not unreasonably I want them to prove that they’re not some sophisticated scam.

They of course can’t do that as they don’t let the phone bunnies give out any information.

Much better would be something like:

- Hello, I’m from the XYZ bank. I’m calling about some recent correspondance. Would you like me to confirm my identity?

- Yes

- Do you have your credit card handy? If you look at the back of it you will see you customer number. The last three digits are a, b, c.

- They are.

- Can you please now confirm that your identity by telling me the last four digits of your savings account number

- m, n, o, p

Now it could be better, we could have agreed some security questions in advance but this system has the advantage that they tell me something unlikely to be public knowledge, but not all of it, and I tell them something that is unlikely to be public knowledge, but not all of it.

We have then established that we are who we say we are, but no one knows something that can be of use. Also, if I’m working in an open plan office I havn’t divulged anything that I’d be unhappy having overheard, accidentally or not.

Dates of birth, full names don’t work as they are scattered everywhere on social networking sites.

1 comment:

Jonathan Jarrett said...

I've had almost exactly this conversation and had to go into my branch to find out whether someone genuine had called me or not. (They had, in fact, and the news was bad, but this was all many years ago.) I'd be stuck now though as `my branch' is in a different town. It's absurd that they can't think of a way round this, especially as their chosen path leaves well-meaning people so open to scammers.