By Will Sturgeon, 12 January 2005 15:15
With phishing attacks on the increase, there has been growing support for the introduction of 'verbal signatures' for two-way authentication between banks and their customers, as suggested by silicon.com.
A number of banking customers have become concerned about the apparently random methods used by some banks to contact them, with unsolicited calls singled out as a source of confusion in these days of phishing, where criminals, typically posing as banks, attempt to trick users into divulging details such as passwords and log-ins.
Banks appear to be increasingly contacting customers by SMS or by automated phone call, often asking them to dial back on a given number where they are asked for varying levels of personal information. Similarly, cold calls are made to customers where they are again asked to prove they are the named customer on the account - with no similar level of authentication coming the other way.
The institutions involved have included banks such as Egg and LloydsTSB. One silicon.com reader contacted us with the following example.
"Someone phoned me claiming to be from the Co-Op Bank and immediately asked for answers to security questions. I complained to the Co-Op Bank, pointing out the phishing risk and the need to educate customers not to reveal their security information to cold callers, but the Co-op Bank could see nothing wrong with their phone call."
Richard Allan, Lib Dem MP for Sheffield Hallam and member of the All Party Internet Group, agrees that more needs to be done and supports silicon.com's calls for greater authentication.
"We need to keep ahead of the fraudsters and this issue of calls appearing requesting personal identification details is a potentially serious security hole the fraudsters are likely to exploit. Banks should act now before we see a wave of phishing calls that lead to customers rejecting all calls from their bank."
Allan agrees that requiring banks to use 'verbal signatures', in the same way customers already must, would ensure two-way authentication. It is no 'silver bullet' to combat fraud, but it is certainly an improvement on the current system.
"The use of passwords would certainly provide an immediate improvement in the level of security," said Allan. "This should be a specific password for the bank to use when calling you and not part of your normal secure personal identifiers."
silicon.com readers have also written in expressing support for the scheme, saying customers of many businesses, not just banks, are commonly expected simply to believe the person on the other end of the phone.
silicon.com reader Kevin Inskip said: "I am in total agreement. I was contacted by British Gas late last year. They wanted bank account details to start collecting premiums for maintenance. I caused them great consternation by refusing until they had satisfied me that they were not a phisher. It took three or four phone calls either way and considerable time on my part before I was satisfied they were genuine."
"Passwords working both ways would seem to be an easily understood and workable solution," he added.
Independent computer crime expert Neil Barrett sympathises with the banks to an extent, saying "their hands are tied by money-laundering laws", which mean they have to check all anomalous transactions with customers, and this requires some element of cold calling.
However, Barrett agrees there needs to be more two-way dialogue in ensuring the authenticity of both parties taking part in such calls and believes a three-fold "password, counter-password, counter-counter-password" system would prove most effective.

Comments
1. David Barker
At least Egg and LloydsTSB call to check out-of-the-ordinary transactions. Bank of Scotland doesn't, and instead just freezes customers' accounts until the customer can call during business hours to confirm the transactions were legit. I found this out after buying a laptop then going for a pizza that evening - my card was denied at the pizza place and I had to have a friend come drop off cash so I could pay for it!
The bank said it was an anti-fraud measure and that it was in my best interest.
2. nick coster
Although I agree that this is a good step it makes the believability of a potential con stronger.
Let's say my bank password is "rabbit" and the bank calls me or I call the bank.
First the bank needs to ensure that they have the right customer, at least to a first level of authentication, so I provide them with my username or account number.
Now they tell me my secret password - "rabbit". So far, so good...
Except I am actually a fraudster phishing the bank. Now I have the customer's secret bank password. I can hang up and proceed with cold calling this unlucky customer and use the "secret" bank password to gain the customer's trust. Now I just ask for all of the answers to all of the other identification questions that will allow me to steal the identity of the customer. <Dr Evil laughter>
The point here really is that a static password can be defeated quite easily in this manner. What is really needed is some way of sharing a pass code that is available and useful only to the bank and the customer and cannot be replayed more than once. This is a harder problem to solve.
I am a big supporter of adding simple methods of raising the security bar, however customers must understand that it is only an incremental increase and should remain on their guard.
--nick c
3. Misha
Nick I think you missed the point in the article. The static password suggested would be used only when the bank calls the customer.
What are the odds that the bank calls your phone number and instead of getting you, they get a fraudster on the line. This fraudster then luckily guesses your account number and then also knows your real phone number to call you back on. Yes, someone specifically targeting you, could hijack your phone line and wait for the bank to call but how many times does your bank call in a year?
4. Rob
I think Nick still has a relevant point: static security in an age of so many dynamic digital devices seems daft. I read of a bank (I think it was in Holland) whereby they use your mobile to send you a 4-digit PIN (via SMS). This means the code can be changed on a daily basis and the customer still has their own set of credentials for further verification. These sorts of systems appear to be more foolproof and robust than a static password.
It only takes some lazy individual in an organisation somewhere to issue the same password for all customers (Ed note, the article clearly states the customer provides the password) and then the static password system is useless. Circumvent humans in this case and let a computer issue a random 4 digit code.
5. --nick c
Misha I didn't miss the point but my second line did confuse my argument.
A personalised pass code that the customer gives to the bank, to be used to confirm that it is really the bank calling in the future, is a really good idea. It will make it harder for a fraudster to set up shop and cold call customers phishing for customer details.
It won't however stop a more targeted identity theft attack where the fraudster has your initial details already but is hunting for more. In this case the FRAUDSTER calls the bank, gives them enough information to allow them to respond with your passcode. Now the fraudster has it.
The next call comes from the fraudster to you, and they are able to "validate" themselves to you because they have your passcode.
Before you know it, you have provided them with more trusted information than they originally had, and they head off and set up a new credit card in your name. Your identity has just been stolen.
Static passwords are better than nothing, but to beat phishing a one-time password from both the bank and the customer will be required.
--nick coster
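To put comments 2 and 5 side by side in code, here is an added Python model (not from the article or any commenter) of the article's static verbal signature next to the one-time variant the thread proposes; the SMS channel and the customer's code list are simulated as in-memory sets, which is an assumption of the model.

```python
import hmac
import secrets

class StaticVerbalSignature:
    """Article's scheme: one fixed word the bank speaks on every call."""
    def __init__(self, registered_word):
        self.registered_word = registered_word

    def bank_prepares_call(self):
        return self.registered_word   # same word, every call

    def customer_accepts(self, spoken_word):
        return hmac.compare_digest(spoken_word, self.registered_word)

class OneTimeVerbalSignature:
    """Comment 4/5 variant: a fresh code is pushed to the customer's phone
    before each call and honoured once. Assumption for this model: the SMS
    channel is an in-memory set the customer checks against."""
    def __init__(self):
        self.pending_codes = set()   # delivered, not yet heard on a call
        self.spent_codes = set()     # already honoured once

    def bank_prepares_call(self):
        # Four-digit code as in comment 4; the loop only avoids reissuing a
        # value that is still live, it does not make four digits strong.
        while True:
            code = f"{secrets.randbelow(10_000):04d}"
            if code not in self.pending_codes | self.spent_codes:
                break
        self.pending_codes.add(code)   # modelled SMS to the customer
        return code

    def customer_accepts(self, spoken_code):
        if spoken_code in self.pending_codes:
            self.pending_codes.discard(spoken_code)
            self.spent_codes.add(spoken_code)
            return True
        return False

def replayed_code_accepted(scheme):
    """Comment 5's scenario: a caller who learned what the bank said on an
    earlier call repeats it word for word on a later one."""
    overheard = scheme.bank_prepares_call()
    scheme.customer_accepts(overheard)   # the genuine call goes through
    scheme.bank_prepares_call()          # bank readies its next real call
    return scheme.customer_accepts(overheard)
```

With the static word the repeated credential is accepted; with the one-time code it is rejected, which is the whole difference the thread is arguing about.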
6. Kevin Inskip
I hope the banks are monitoring all of this, because pooling all these ideas should give their security experts the way forward to reduced catches for the phishers.
Nick, your second comment successfully clears up one confusion from your first comment. However the professional phisher should not be able to get the password that the bank uses to prove its identity, as this is only necessary when the bank initiates the call. The onus to prove identity should always be on the calling party.
7. nick coster
The future of online authentication will have to be two-way, i.e. the onus will be on BOTH parties to prove their identity, on every occasion.
There will always be new ways to trick customers into calling a scammer number or visiting a faked website. Two-way identification will need to become a consistent standard with every type of communication before the level of trust can reverse its decline.
Thanks for the support Kevin.
--nick coster