Not so long ago, I got a legitimate phone call from my bank's fraud department (HSBC HK) regarding a dispute I had made (someone had used my credit card to book on booking.com).
The bank employee asked me to give him my passport number and acted annoyed when I refused. He couldn't understand why I would not give this kind of private information on a phone call and why it was a breach of security. I then called the bank's customer service hotline and they had no record of the call from the fraud department being made because it's a separate department and they didn't have access to that data. It took 3 days before I got a confirmation from my bank that that call had indeed been legitimate (and that's only because I have a relationship manager)...
So I think Banks are part of the problem, they need to massively step up their training in security so as not to make this kind of demands on phone calls they have themselves initiated.
Funny you should say that, I've had several calls from my bank - HSBC UK - who have then asked me for information to 'prove my identity'. When I've said "you phoned me, you could be anyone, I'm not doing that", they got pretty annoyed, and didn't see why I was saying that I wouldn't give away the information. I phoned them back and then it was OK - when I spoke to the same person (she'd given me an extension to give once I'd phoned the main, publicly verifiable number), she seemed surprised that I'd take such steps.
It's not just banks - I get the same spiel from my insurers, who say they have to check the information "for data protection" - oblivious of the fact that them regularly doing this means that they're setting the scene for people inadvertently leaking the information they take as sacrosanct!
I'm with HSBC too and they seem to be a bit too cautious with their debit card fraud. I get my card blocked a couple times a year.
Whenever they've phoned me and I've told them I don't want to give out my info they just tell me to call the number on the back of my card. Never had anyone act annoyed towards me. Maybe it's because I never act annoyed or accusatory towards them, so they don't act the same towards me. I just tell them that I'd rather not give my info out to someone who's phoned me.
That they do this shows that they have been getting bad publicity by calling the wrong number and giving private information to the wrong person. Now and then you see articles about this or that hospital sending faxes with patient data to some company fax by mistake. I'm sure this also happens with phone calls, so they are just trying to cover their back; it has nothing to do with your security. They get annoyed when it means more work for them.
I regularly make outgoing phone calls where I need to request payment details. Out of all of those calls, only one person expressed concern about providing said information so I provided them with three options: pay in person, pay online, or look up our phone number and call me back. Apparently that was enough verification for them, so they provided the information right after I finished the sentence.
Is it any surprise that institutions would not know how to handle their customers seeking verification when it is rare and at least some of the people who claim to want verification have a very low standard for evidence?
I suspect part of the problem is the minimal effort put into most scams, which is where this story is sobering. The people involved in this scam were clearly willing to lay down the framework to take a smaller scale crime and escalate it into something more profitable. While many of us may seek solace in our own practices being able to filter out the type of scam described in this story, the real question is when (rather than whether) these people will find an approach that exploits our own vulnerabilities.
Exactly. Banks need to be aware that data protection goes both ways, and they should teach their customers to check the identity of any bank employee calling them. Training users to give out personal details to people calling them is exactly the wrong thing.
Indeed. This is far too common in the UK. The banks call people, introduce themselves as being from a $bank, and then start asking security questions. I have had to tell the other side a couple of times that that is not how it goes - they called me, they should first authenticate themselves before starting to ask for details that are part of customer authentication.
The first time I called back through the banking app. (The ability to initiate a call to bank's customer service from a trusted app is a good idea.) It took their end about 40 minutes to sort out who the first caller was. To my bank's credit, at least they didn't make me wait on the line, but sent me a notification SMS once they had the information ready. Then I called back again.
The second time I knew better and asked for a direct reference code that I could use to make the callback verification tango easier on their end.
But at least with the banks they mostly understand that customers may be suspicious about unsolicited calls. The ISPs on the other hand...
My solution with ISPs or similar utilities is to put them in a position where they need you and not the other way around. Blocking their payment magically makes them call you, the call is from someone that at least speaks English properly and is not a monkey, and security questions or other nonsense usually go out the window.
It's not just a social problem, it's also a technical problem, as you can't tell if a number is legit, as they can be spoofed or hijacked. There could be something like SSL for phones where you would get a green lock and the company/person name when someone calls. It wouldn't work with analog phones; it's funny actually, that it's just one small part of the chain that is analog, the rest is digital, we could easily get rid of the analog part, I believe. Still, there is no SSL in popular messenger apps, where you can be any person if you just know their username/password, same for e-mail. We need to have private keys controlled by the users for second factor and end-to-end encryption.
Yeah, a lot of the issues with security on the phone (both spoken and text messages) seem to have to do with backwards compatibility. I mean they add layers on top of the old ones (e.g. to allow higher call quality) but somewhere you can still call someone using just dial tones.
I hope they're working on a new standard for telecom that allows unspoofable caller verification. That, and secure / verified e-mails. But that too is a standard challenged by 60 years of legacy (I had to do a quick wikipedia check).
Unrelated to banks, but more to the point of organizations.
I was reconciling a firm's bank account. I had four transactions from their payroll company, but the last payroll was weeks ago.
I called the payroll company. The first person I spoke to could explain that one charge is a tax reconciliation, but didn't know about the other three. The next human in another division explained a service fee. Because I'm not authorized, I won't be able to get more information about the last two charges.
Each group is compartmentalized and siloed. Each department is focused on administering their part, but no one person can account for the bank activity.
> So I think Banks are part of the problem, they need to massively step up their training in security so as not to make this kind of demands on phone calls they have themselves initiated.
Banks are horrible. Their security measures have been and will continue to be defeated by any targeted attack. Not only that, they act very entitled to people's personal information because they want to protect against fraud. Apparently, that is more important than any other concern.
My bank's authentication system is so convoluted people will just write down the stuff they have to type in. This is so normal, the bank employees print out the passwords and hand them out. This happened to me yesterday: I have two sets of passwords in my wallet. They actually print a message saying they will never ask for this information over the phone but it wouldn't surprise me if they did it anyway. The ATMs ask people trivial stuff like dates of birth as if it was proof of identity. The mobile app wants complete access to my phone, including file system, contacts, camera, microphone and call management. They have a "security" browser plugin that's actually a rootkit: it contains a kernel mode driver module which intercepts all network traffic, reducing performance noticeably. I assume it records the traffic and leaks the information back to the bank. If this thing isn't installed and running, the bank's website won't let users log in.
Interesting story about how this developer got called by the NSA, who instructed him to hang up then call back the publicly listed number for the agency. Exactly the steps that big banks should take. https://medium.com/datadriveninvestor/why-the-nsa-called-me-...
I've had the same thing in the US from Chase bank. They called me about potentially fraudulent charges on a credit card and then proceeded to ask me to verify myself by providing details.
I thought it was fraud, so hung up and called them using the number on the card. Turned out it was a legitimate call. I wrote them a detailed explanation of why their process was indistinguishable from a scam and never got a response. Great.
Same experience trying to open a Checking+Savings account with them online. I got a call supposedly from them asking me to verify myself by telling them the code they had just texted me. I refused, hung up and called back. By then it was past 5 on a Friday and I had to wait till Monday.
The whole thing was BS as it was because they wanted to verify that I owned the external checking account I was using to fund the new accounts -- one that I registered on their portal ~7 years ago and have consistently used since then to pay off my Chase credit cards.
Wow, that's bad. My experience with several UK banks has also been "stuck in the 90s".
I did have a very good experience with American Express when they called me about a fraudulent charge on my card. They solved this identity issue by putting a note in their customer support system and had me call the number on the back of the card. On the callback they did their usual phone identity verification and then transferred me back to the fraud department to solve things. Was very confidence inspiring in their security.
If you need "training" to understand such a basic thing you have no place in a fraud department.
I am skeptical of training because I've seen a lot of people do the training sessions and parrot out the knowledge (thus pass any tests) despite not understanding the underlying reasons, so when faced with a slightly different situation than the one in the training session they will fail spectacularly.
Something similar happened to me. Utility company called me with important news about my account. I called them back later and the other department had no record of this call even though it was correct information. So weird.
I'm glad that as far as I know, a lot of the services I make use of - utilities, phone, bank, etc - rarely if ever need any interaction.
I got a letter the other day (yes, snail mail) from my bank (which is one of the more technologically forward ones out there, I've worked for them (as a developer-for-hire) for a couple of years). They said they were rejigging an investment account product I'm using, but all they mentioned is that I should go to the webapp for it and it'll tell me more.