Banks using not-so-best-practises…

idiot-pictureOne of the idiosyncrasies today with banks is that they “claim” to be securely holding your funds and are normally very strict on giving out personal information.

If you call a bank up to report a lots credit card, or have any queries at all, you get put through a string of questions, regarding your personal information so that they can verify that you are who you claim to be.

I’m all for that – but what happens when the “bank” calls you up?

Well, before they’ll even entertain the idea of letting you know who they are and where they’re from, they again want to put you through a string of questions, to verify that you are who you claim to be.

Now, am i the only one who’s read countless books on social engineering? or am i the only one getting spam mail sent contain bank detail hoaxes?

Do i then normally reply with all my personal details, banking details (account numbers, pin codes, passwords etc) straight away because they ask for it?

no – that’s the short answer – i don’t – and neither should you.

So what makes a bank think that i’ll simply just take their word for it that they are who they claim to be? And god forbid that i should tell them that i’m NOT going to verify who i am by giving you all my details over the phone before i can verify who you are…

Last time it happened for me was when my banks fraud squad had found some “suspect” transactions against my credit card and called me up…i told them the person on the phone that i had absolutely no intentions of giving him/her my banking details, nor any of my personal details – they should know these already if they’re calling me.

Obviously i must be one of the very few that has any problems with this set of practises – seeing as banks are continuing to use this approach. Oh, it’s great for them as they can verify who i am, but i’ve no way at all to verify who they are.

Either people are too trusting or banks sees this as “the best practise” approach…

Basically, if a bank – or hell, any other organisation or corporation – wants to know who i am, they can give me means to verify who they are. Why don’t they call me up and ask me to call a specific number (which should be preordained via my banking details) together with a RSA SecurityID code? Or, why don’t banks give me details that enables me to verify the caller? such as a password for them to say, or other details they can verify?

I think it’s just about being lazy and i dont’ think i can' count how many bank calls i’ve hung up on because they refused to let me, in any way or form, verify who they are.

Does anybody else have any problems with these practises?

Published Mon, Mar 9 2009 15:45 by Brian Madsen
Filed under: , , ,

Comments

# re: Banks using not-so-best-practises…

Monday, March 09, 2009 6:57 AM by Doug

I've run into this all the time. We need some sort of authentication from the bank. My usual approach is to get a number from them, verify that number and call the bank back.

Unfortunately I've had the problem where I had a voice mail message and a number to call, but no easy way to verify the number belonged to a bank... I ended up going into a branch.

After ranting about it one day to my mum, she then got a similar call the next day and ended up hanging up on them... perhaps they'll work it out in the end.

Or is it a business opportunity for some savy developer ;)

# re: Banks using not-so-best-practises…

Monday, March 09, 2009 7:02 AM by Brian Madsen

What frustrates me the most is the indignation you're faced with from the bank when you tell them you wont be giving them any personal details over the phone.

last time it happened here, we got the reply "you know, these calls wont stop"...

all i can say is, you can lead a horse to water, but you can't make it drink.

# re: Banks using not-so-best-practises…

Monday, March 09, 2009 9:07 PM by Colin Scott

Ah, banks. My problems with my previous bank involved them trying to change my credit card for no reason other than they presumably get a better deal. So I changed banks. Pity there's only so many of them which limits how many times you can do that.

www.abstractcode.com/.../today-in-corporate-fail.aspx

# re: Banks using not-so-best-practises…

Monday, March 09, 2009 9:37 PM by Brian Madsen

LOL@Colin - i can just imagine how pleasant you'd have been when that happened!!

# re: Banks using not-so-best-practises…

Tuesday, March 10, 2009 12:22 AM by Mitch Wheat

Excellent post, Brian.

It's amazing how much info someone will give you over the phone if they only think they know you are who you say you are.

Kevin Mitnick's book "The Art of Deception" describes some classic ploys for obtaining info.

# re: Banks using not-so-best-practises…

Tuesday, March 10, 2009 12:25 AM by Colin Scott

I was polite but firm. I didn't abuse the guy in the callcenter who told me the only change for me was I was getting a new piece of plastic. Not his fault. I didn't abuse the woman in the branch who closed my accounts. And I got to write a post somehow relating it to software development.

www.abstractcode.com/.../the-risks-and-costs-of-making-end-users-pay-for.aspx

# re: Banks using not-so-best-practises…

Tuesday, March 10, 2009 1:09 AM by Brian Madsen

@Mitch,

thanks for the compliment - the art of deception was one of the books i was referring to which speaks almost completely about social engineering.

it's a security aspect that a lot of companies doesn't realise (or care?) is even more dangerous than having incorrectly configured networks.

@Colin,

it's a very serious issue imho - and you can related it completely to software development.

haven't read, or can't recall your blog post, it's amazing how often developers trust external data completely. the saying goes "you ask for it and are the 'only' source that knows about the data, so hence it must be safe" is a fundamental aspect of application architecture that's flawed.

why don't we have security protocols tightened when we're asking for data from a service we built? believe it or not, we actually often do renege on this aspect..

anyways, banks obviously live in the world of "disbelief" since they're trusting that i am who i say i am, just because i've obtained (and provided) them with information.

some of this info could easily have been attained from dumbster/trash searches..how often do we just minimally tear up our credit card statements? how many shred it beyond recognition? how many burn it?

# re: Banks using not-so-best-practises…

Tuesday, March 10, 2009 1:22 AM by Colin Scott

My post was on how passing costs off onto your userbase can incentivise them to become someone else's userbase instead. Your points on security are good, and it is depressing how many people don't care and can't be made to care. I'm not sure where the failure is but it's certainly a problem.

I remember reading somewhere that almost all people in a London tube station could be convinced to hand over their work password in exchange for a small chocolate easter egg. There's not much technology can do to prevent that.

# re: Banks using not-so-best-practises…

Tuesday, March 10, 2009 1:44 AM by Brian Madsen

@Colin,

i recall something similar as well - can't remember where it was at, but the idea behind the "survey" was roughly the same (could have been a mars bar) and the outcome is shocking.

Since we're not the brightest sparks in the world, i'm assuming that others have thought about this as well - it's nearly unimaginable that sercurity experts, within the banking sector, hasn't considered it as well..

maybe it's a case of "don't look, don't care"..

I had a read through your post and i agree 100% with what you're saying...

question really ends with this though - does a bank justify their choices based on rate of retaining customers or by initial increase in profit or a decrease in costs (amounts to the same usually)?

Playing Australian Roulette with my private details is however not something i can put a value to, nor would i want to - so is the cost-gain factor high enough for them to dismiss the legal ramifications from incidents which could happen if a clever, malicious individual got hold of my details and exploited it? Or what about the public ramifications if the media should catch a story like that?

"Bank gives out essential details to social engineering plot"

or

"Bank falls victim to social engineering gang, working underground in your trash cans"

-- i know which story the banks would prefer to see headlined :)