Wednesday, 15 April 2020

Banks, phone calls, and security (again)

Nine years ago, I blogged about the scenario where someone calls you purporting to be from a bank and asks you for some security information before they'll tell you why they are calling.

Well, I had the same scenario again last night.

A very nicely spoken person, probably Indian by his accent, called me and said he was from a bank I no longer have an account with.

My phone did show that he was calling from a Melbourne number, but phone numbers can be spoofed, as we know, and with so many people working from home at the moment, someone isn't necessarily calling from their office.

So when he asked me for the month of my birth to prove I was who I said I was, I asked him to first of all prove that he was from XYZ bank.

(I wasn't particularly concerned about giving out my date of birth - it's out there in the public domain, along with my full name, in fact both are pretty useless as identity verification questions - my driver's licence number, or passport number would be much more secure.)

So I asked him to tell me what the last three digits of my customer number were - this is different to my account number, and is something that only the bank and I should know.

He, of course, said he wasn't allowed to tell me this, but he did offer to send me a text with a number to call him back on.

Well, this didn't really address the security problem: numbers can be spoofed, and nowhere in the process would he have told me a secret that only he and I could know.

So I declined and hung up.

I suspect he was probably genuine, and calling to ask me why I had closed my account, but nowhere did he, or could he, tell me anything to prove he was genuine ...
