Banks (still) don't get it...

Posted by andrew Thu, 22 May 2008 08:53:00 GMT

So fixated are the media by the technical side of security (chip-and-pin, secure websites, CDs in the post), it’s easy to forget that most fraud is carried out using social engineering techniques. Both parties need to be able to trust that they are talking to who they think they are. With that in mind, someone called me on the telephone last night purporting to be from my bank:

  • Bank: Hello, this is yyyy from xxxx bank. Before we continue this conversation I need to confirm that I’m speaking to Mr Larcombe. To confirm this, please could you tell me the first and third numbers of your security code.
  • Me: I’m sorry, I can’t do that until you can confirm that you’re from xxxx bank.
  • Bank: Sorry?
  • Me: You want me to tell you some of my security details – how do I know you’re calling from xxxx bank and not a fraudster?
  • Bank: (Getting increasingly perplexed) Well, my name is yyyy and I’m from team 302 in building 1234, and xxxx bank will only ever ask for two digits of your security code, so could I have the first and third numbers of your security code please?
  • Me: Not until you prove you’re from the bank. Whatever this call is concerning, could you send me a message about it using the bank’s on-line messaging facility?
  • Bank: Errr, no, I can’t do that as I’m not calling from Customer Services.
  • Me: Ok, thanks for your call. Goodbye. Bzzzzzzzzt.

Chances are the caller was genuine, but they just couldn’t understand that if they initiate a conversation the onus is on them to prove that they are a genuine caller before asking me for sensitive information. No doubt, though, if this had been an elaborate attempt at fraud I’d have been financially liable…

Comments


  1. Jocke about 1 hour later:

    This has always perplexed me a bit. They seem to think it’s acceptable to dial people, and that the people hand out their security details without the bank seeming worried. My mobile phone operator rang me one day asking me to pay my outstanding balance (yay for changing direct debits just before traveling abroad!). Luckily I knew enough about my outstanding balance etc. to “trust” (used loosely) them to hand over my CC details over the phone. Should it have been a fraud, I would have pleaded “stupid-consumer”. Still quite amazing that they can dial you up without any sort of security on their behalf. Next time I’ll give your method a go. :)

  2. Yegor about 1 hour later:

    Brilliant! I’ll definitely give it a go, as these morons are calling me fairly regularly trying to “discuss cheap insurance options” or some other crap with me. They always require me to authenticate without authenticating themselves indeed. And they are usually quite difficult to get rid of, even when I am explaining directly that I am abroad, and am not inclined to talk with you wasting my money on roaming charges.

  3. Rob 25 days later:

    I had a similar situation with Natwest. Now, I know that caller ID can be spoofed, but in this case, the phone number they were calling from wasn’t even listed on the bank’s website. I wrote to them numerous times to try to explain why this was foolish, and suggested that even if they didn’t want to put all their numbers online, they could have a phone number checker… Into this box, you’d enter the phone number, and the website could reply with one of three options:

    1) This is a Natwest phone number.
    2) This phone number is for a Natwest partner, such as card protection insurance or breakdown cover.
    3) This number is not associated with Natwest. Exercise extreme caution.

    Similarly, when applying for life insurance, I was phoned up and asked to confirm my details. I offered to tell them any medical information from my application form, but not my date of birth, address, etc. The person at the other end was enormously supportive, and said they’d suggested to their management that they add a “Password” box on the application form. Their idea was that if they needed to call applicants, then they’d say “Hi, we’re calling from XXX regarding your application. You know it’s us, because we’ll quote the password you put on your application form – it’s YYY. Now, can you confirm you’re Mr Bloggs?”. However, their management didn’t like the idea.

    One day….
