Leader: We have passwords, so why don't banks?

'Of course I know my mother's maiden name, but do you, really?'

By silicon.com, 11 January 2005 17:35

We've long taken for granted the processes in place when contacting our banks. We hand over account numbers, passwords, postcode, mother's maiden name and any number of other identifiers to prove who we are.

But who is on the other end of the line?

This isn't a diatribe about the integrity of call centre staff; that's a whole other issue. This is more about taking for granted that the person on the other end of the line is from the bank they claim to be.

If we call them, via a number on a bank statement or a number published on their website, then that's all well and good. But increasingly our banks have taken to contacting us, and it's a situation which is causing great concern.

Banks need to be aware of the role they play in providing a consistent voice in the battle against phishing. Of course, they must also contact customers if they see any reason for alarm but this is why we believe they should adopt some of the security measures they have foisted upon us for so long.

With phishing a major worry for bank customers, unsolicited contact from their bank instantly raises suspicion. Egg and LloydsTSB, for example, have taken to contacting customers out of the blue via text or automated voice message, requesting the customer call a given number.

Upon calling, customers will be asked for some degree of personal information - although the banks are quick to point out it is not enough information to complete a phishing scam. But how easy would it be for a scammer to replicate such a strategy, just pushing a little further the kind of information they require? Some companies now favour a method of asking for random characters from a password or log-in. It would only take a couple of calls asking for different 'random' characters before the scammer had pieced it all together.

The security dialogue should be two-way, challenge and response - 'I'll show you mine if you show me yours'.

Before you give them your mother's maiden name you should be able to check they are indeed sitting in front of a screen which has such details on it. Information which only they and you should know is used for such authentication, and they should prove they know it.

Customers should tell banks that if ever they contact them out of the blue they will need to use 'code word X' to confirm they are indeed their bank.
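The two designs the column contrasts, put side by side as an added example (written for this page, not code from silicon.com or any bank): the first part simulates the 'random characters from your password' check and counts how many unsolicited calls it takes before every position of a password has been read out, which is the leakage the text warns about; the second part is a two-way challenge and response in which the bank and the customer each prove knowledge of the pre-agreed 'code word X' without ever speaking it. HMAC-SHA256 over a fresh nonce is my assumed mechanism (the column does not specify one), and the password length, characters per call and the code word are constructed values.

```python
import hashlib
import hmac
import random
import secrets


# --- The weak design: 'random characters from your password' on every call ---

def positions_disclosed(password_len, per_call, calls, seed=0):
    """Simulate a caller who asks for `per_call` distinct random positions of a
    `password_len`-character password on each of `calls` calls.  Returns the
    set of positions the customer has read out so far (seeded for repeatability)."""
    rng = random.Random(seed)
    seen = set()
    for _ in range(calls):
        seen.update(rng.sample(range(password_len), per_call))
    return seen


def calls_until_fully_disclosed(password_len, per_call, seed=0):
    """Number of such calls until every position has been disclosed at least once,
    i.e. until the caller could reconstruct the whole password."""
    rng = random.Random(seed)
    seen, calls = set(), 0
    while len(seen) < password_len:
        seen.update(rng.sample(range(password_len), per_call))
        calls += 1
    return calls


def average_calls_to_disclose(password_len, per_call, trials=2000, seed=0):
    """Average over `trials` seeded runs; the lower bound is ceil(len / per_call)."""
    total = sum(calls_until_fully_disclosed(password_len, per_call, seed + i)
                for i in range(trials))
    return total / trials


# --- The two-way design: both sides prove knowledge of a shared code word ---

def prove(code_word, role, nonce):
    """Keyed response to a fresh challenge (assumed mechanism: HMAC-SHA256).
    The role label stops a reply given in one direction being reflected back
    as proof in the other direction."""
    return hmac.new(code_word, role + nonce, hashlib.sha256).digest()


def mutual_auth(bank_code_word, customer_code_word):
    """Run the challenge-response in both directions and return 'bank failed',
    'customer failed' or 'authenticated'.  Each side holds its own copy of the
    code word; neither copy is ever transmitted, only answers to nonces."""
    # Customer challenges first: the caller must prove itself before it may ask
    # for anything, so a mismatch always surfaces here.
    customer_nonce = secrets.token_bytes(16)
    bank_answer = prove(bank_code_word, b"bank", customer_nonce)
    expected = prove(customer_code_word, b"bank", customer_nonce)
    if not hmac.compare_digest(bank_answer, expected):
        return "bank failed"
    # Only now does the bank challenge the customer.
    bank_nonce = secrets.token_bytes(16)
    customer_answer = prove(customer_code_word, b"customer", bank_nonce)
    expected = prove(bank_code_word, b"customer", bank_nonce)
    if not hmac.compare_digest(customer_answer, expected):
        return "customer failed"
    return "authenticated"


if __name__ == "__main__":
    # Constructed parameters: an 8-character password, three characters per call.
    print("average calls before the whole password has been read out:",
          round(average_calls_to_disclose(8, 3), 1))
    shared = b"code word X"          # constructed secret agreed in advance
    print(mutual_auth(shared, shared))       # authenticated
    print(mutual_auth(b"guess", shared))     # bank failed
```

The simulation only counts positions, so it understates the risk slightly (a caller who already knows some characters can ask for the rest directly); the point it makes is that a handful of calls suffices. In the two-way exchange the customer challenges first, which is the ordering the column argues for: the bank proves itself before the customer is asked for anything.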

It's not a silver bullet to eliminate fraud, but it's an extra level of authentication which has now become necessary. Banks used to be unchallenged and upheld as institutions of authority. The prevalence of phishing scams now means no business, least of all the banks, is free from suspicion.

While banks have previously reimbursed customers stung by phishing attacks, there are murmurings afoot about their intention not to reimburse customers who haven't taken appropriate measures to protect themselves. Essentially, a lack of common sense could cost you dear. So it's only fair that customers be allowed to demand more reciprocity from their bank.

Simply saying 'this is your bank...' isn't even worth the time it takes to say it. Now they must prove it.

Comments

There are 8 comments.

  1. MikeW

    I now ask any "cold calls" from credit or storecards (= GE Capital !) to give me one of the digits of my card number, which they should have in front of them.

    They don't seem very keen, but eventually comply. Perhaps this will filter up the management chain eventually ...

  2. MikeW

    Time for ATMs to use chip readers, too.

    If it's a requirement for retailers, it should be a requirement for bank machines as well.

    As usual, they've had this in Europe for years.

  3. anonymous

    Totally agree. We don't know who is on the other end of the line with banks or whoever.

  4. Graham Shepherd

    If you want to verify that the person you're talking to has the right answer to a security question they ask you, give them a wrong answer and see if they reject it. And the right answer you have already provided should never be the "right" answer - how difficult is it to find out someone's mother's maiden name?

  5. Kevin Inskip

    I am also in total agreement.

    I was contacted by British Gas late last year. They wanted bank account details to start collecting premiums for maintenance, which it seems for months they had been taking from someone else by mistake.

    I caused them great consternation by refusing until they had satisfied me that they were not a phisher. It took 3 or 4 phone calls either way & considerable time on my part to check my bank statements before I was satisfied they were genuine.

    Passwords working both ways would seem to be an easily understood & workable solution.

  6. Martin A

    I will only speak to banks, utilities etc if they give me my password. If they say they can't do this then I won't speak to them and I won't call them back unless I am given a good reason for doing it, not just "we need to talk to you" because often that's just code for a sales call (I don't have the time to play those sorts of games). British Gas like to hide behind the data protection act claiming that I have to identify myself to them even when they call me. They change their tune when I explain that it's the data protection act that prevents me from divulging this personal information because I am not authorised to do so - sounds daft but it works.

  7. anonymous

    A digit from your card? Phishers could easily have got a roll of these from a hundred sources. With no other data, it DOES NOT verify their identity. Only you originating contact does that.

  8. Mark SPLINTER

    People generally behave. It is so easy to break these security arrangements that the only conclusion I can draw is that there aren't many fraudsters around, or there would be a whole lot more fraud.

    Same with terrorists in London - how ineffectual are they!!! They are supposed to attack at any minute with deadly pathogens, but all we get are fancy-dress-for-justice invading parliament.

    So let's face it, humans are generally well behaved. Now relax.
