There is a scene during the underrated '70s conspiracy thriller Three Days of the Condor when Robert Redford's bookish spy is asked to verify his identity when calling into base. He resists, insisting that the person who took his call needs to verify their own identity before he gives anything away. Authentication ought to work …
Always ask for a callback
I always as a matter of policy ask for a callback reference. I then call the public number. If I found a bank not doing this I would close my account immediately. I have had no difficulty with this with HSBC and firstdirect no matter what the call was about.
HSBC also ask a security question that is verifiable but not part of your normal security response for matters that are somewhere in between, eg getting further details for product applications that will later be verified by other means.
E.on also cancelled my online account without telling me and then sent me a snotty reminder saying that if I didn't re-register I would lose the benefits of an online account. It looked just like a phishing email but turned out to be genuine.
Get it wrong
Quite simply - when asked for security verification, get something wrong. If it's your bank they will tell you you have got something wrong, if it's a scammer they won't, but you will also have given them wrong information - a win-win situation.
get it wrong is wrong
What if the scammer is on the phone to your bank and is just passing on the questions and answers between you and the bank?
The scammer will know right away if you give it wrong because the bank will tell him.
It's a classic man-in-the-middle.
The coincidences of timing would be damn-near impossible to get right.
Doesn't work. If there is a man in the middle, there will be a noticeable pause after you give the details. A bank that's asking you the question (that's legitimate, mind you) will be looking at the question and answer at the same time, so the actual delay will be <2 seconds for the person to respond. Every company, be it bank or otherwise, that's asked me to verify details can give answers in a heartbeat or two.
I closed an account with a well-known cooperative banking establishment for just this reason - they used to 'phone me up out of the blue and ask for two characters from the (then) 4-character numeric password. Do that twice and you're in, no messing at all.
They seemed totally nonplussed when I kept refusing, and I don't think they ever did understand why I took my business elsewhere.
firstdirect, on the other hand, is always happy to have you call back in on the public number.
I have had accounts with Coop for fifteen years and they have never called me out of the blue and asked for part of my PIN.
Also, I make a point of telling them that I will call them back, if they do call me out of the blue, and they say, sure the number is on the web site.
I had PC World do this only last week
Oddly enough PC World rang me last week to check an order I had made with them. They wanted more information about the order (an iPad 2).
I challenged the person to confirm who he was, he said that nobody had ever asked to do that, but recognised that it was a valid thing to do. He provided numbers and other information, I rang back and it worked out OK.
Now their subsequent customer service on delivery of the iPad was utter, utter shite and led to me cancelling an order that they had no chance of ever fulfilling (whilst taking my money in advance and taking a week to refund it) is another story altogether...
So 10/10 on security and -10M for subsequent crap customer service
I get this ALL the time, and I always refuse to give details to someone who calls me.
Most annoyingly I recently had this on a SALES CALL from BT! Yes... They wanted to upsell me... And they called me... And they needed to ask me to confirm my details first. Um... YOU CALLED ME!
Yes, I had this exact same nonsense from them. I explained that they had called me using the number they had on file for me. It took a while and I did get quite cross (but polite) but I did manage to get them to confirm some things to me first, before I would confirm anything for them.
same from inland revenue
They got quite shirty when I said I didn't know them from Adam and didn't want to provide DOB etc for them to check my identity - I told them I would call back.
Other half has also had calls claiming to be from NatWest Bank but in this case a clear case of attempted fraud (the phone number used was listed on internet as source of many scams)
I have also had similar issues in the past with a credit card company that always called other half while I was at work. After they called every day for a week and said that they could not accept assurances of what time I would be home from someone else I complained that they were engaged in nothing less than harassment.
Banks are not the only organisation that have forgotten that trust is a two way street I am afraid.
I am not sure that common sense will not prevail on this one though.
"Other half has also had calls claiming to be from NatWest Bank but in this case a clear case of attempted fraud (the phone number used was listed on internet as source of many scams)"
The Internet, in this case, is wrong. That is in fact Nat West. See my other post below.
Aye, got one from them too. Seemed quite put out that I wanted to call them back on a published number.
Eventually found the number they gave me deep inside an internal looking document that was available on their website.
These organisations should implement 2 things - 1stly always print their numbers as a single string, and secondly put up a lookup box on their website to verify numbers that are client facing, or flag numbers that are known tricksters.
They also need to do something sensible with their ATMs... but that is a different subject!
Calling their published number
Wouldn't be too bad if it wasn't a 0845 number. Surprised the banks to try to encourage this as they'll make some money back on a call they initiate.
I have taken this to the logical extreme and ask callers for two characters from their PIN. If they don't hang up instantly I have prepared a 23 page document to request a PIN which I will send if any of these organisations are daft enough to go there. I have caused a credit card company for which I hold a card to abandon their security processes whenever they want to talk to me and we now follow a simplified process which ends with them asking me to phone them.
I fully agree that they should have to follow at least as stringent controls that they force on their customers since they clearly feel these are reasonable.
A friend recently had her laptop infected by Malware. Asking "had she used her credit card online", she told me she'd used it on the phone.
Obviously not what I was looking for, but curiosity got the better of me, and it transpires that her catalogue company uses an automated system to collect her payment. Their system phones her, tells her her payment is due, and asks her to key in her card details to pay it. No, not just an autodialer - a fully automated IVR to collect payments.
(she doesn't use it any more)
What chance have the public got of not being scammed when companies use things like this?
Depends how it's implemented
If you buy a kettle from Kay's catalogue, one would assume that a callback service would provide you with enough context to recognize it was asking for payment. I suppose it could go further by quoting a reference back to you that you filled in your order in the first place.
I've had companies phone me up out of the blue looking for money and couldn't understand why I wouldn't hand over my card number to them then and there.
Meter readers also seem to think that some crappy ID card and a hand held computer are enough to prove who they are.
As an ex-meter reader
On the back of the crappy ID card is contact details for the operator you are working for, who will then verify your identity for the old biddy who thinks you want to open up her gas meter for some nefarious reason. Being a temp, I didn't have a uniform at all, but got almost zero grief regardless - only 1 in 50 would ask to verify identity.
That was a pretty sweet summer job actually, meter reading is piss easy, you got paid decent mileage allowance to drive to work, all work routes automatically added to your computer overnight, with all collected data transferred at the same time. Never had to talk to a boss, and was finished by 3pm every day.
As Dodgy Meter Reader
I'd put a number on the back of the card that calls a colleague who would of course verify me.
Is you don't want to take the contact number from the back of the "meter reader's" ID card. That is always going to be an accomplice. The number should be printed on the back of the bill and on the energy co's website.
"On the back of the crappy ID card is contact details for the operator you are working for, who will then verify your identity for the old biddy who thinks you want to open up her gas meter for some nefarious reason"
Or, the number of your mate Bob who will pretend to be British Gas and say you're legit?
"The number should be printed on the back of the bill and on the energy co's website."
Which brings you neatly onto the next issue which is that nowadays companies tend to farm out their meter reading to 3rd parties and so wouldn't be able to confirm anything. I doubt they'd even have the competence to be able to give you the number of the 3rd party.
HSBC did it to me
HSBC rang me up and insisted I answer their security questions.
I told them there was no way I was going to do that.
Matey then proceeded to tell me that he couldn't speak to me unless I did.
So I told him that was his problem.
It all smelt like a phishing scam, but it actually did turn out to be HSBC. And I no longer have an account with them.
Not just banks
"RevK" of AAISP had a very similar issue with Sky earlier this week - the mp3 recording of it is quite funny: http://revk.www.me.uk/2011/05/sky-being-pain.html . Sky called him up, asked for him by name and then asked him to confirm his name and his phone number(!) It went downhill rapidly from there...
Sounds like a knob to me.
Lloyds TSB called me a few times, and mostly their staff argue, insisting I prove who I am, but I refuse until they've proved who they are. Occasionally they say well you can ring us on xxxx number and talk about it, but they never give a reference number or any way for me to tie their call into anything when I call them.
Personally I think everyone should just refuse to play their game until they wake up to the fact that as you say, trust is a two way street.
They often think that handing out a phone number so that you can call them back proves their identity, which it doesn't. I've had many an argument with them, saying that I've got no way of verifying the number they're asking me to call back on is actually a genuine number belonging to the company. Often it's a private (ish) number that isn't mentioned as a customer facing number.
I worked for a bank, and it was my job, in part, to ring customers to tell them that their equity release loans, or remortgages, had completed. Meaning they may have thousands of pounds in the bank, to buy an extension or a nice holiday, for example.
One thing I was told, was that I was not allowed to make it clear that there was even a relationship between the bank and the person I was talking to until I could confirm their identity, as this would fall foul of data protection laws.
I couldn't say "I'm calling from the HSBC Mortgage centre", which would have tipped them off, and I couldn't say "I have your postcode" or "Can you tell me details of a recent transaction".
HSBC do use the last question when they ring me as a customer. I don't think the Data Protection laws have changed, but perhaps this demonstrates some of the complexities involved.
This sounds barking mad
But oh so plausible.
I've had experience of organisations having silly implementations of data protection, typically involving a form arriving by which they got permission to tell anyone at all everything they had on record about you, with no clue what the original purpose was. Clearly they can't give every possible future necessity in their DPA registration.
The trouble is, not even being allowed to say who you are (in your example) makes you sound rather like one of those pestilential nuisance call centres. Yet who would expect the DPA to prevent a business clearly identifying themselves when calling a customer?
As far as I can tell, the DPA doesn't stop anyone from identifying themselves. It's the possible inferences made by whoever answers the 'phone, if they're not the customer.
I think I was about eight years old the first time I answered a business phone call. I'm told I was very clear, did a good job, but I suspect that if I'd had a call like that, you would never have spoken to my father at all.
Actually yes, that's true and often overlooked. I'd completely forgotten, but had to do the same rigmarole when I worked in a branch many years ago. I could only say "I'm calling from his/her bank".
"Data Protection Laws"
I always assumed that was a euphemism for "I'm going to dick you around (for fun and profit)"
Every time I get "Because of Data Protection Laws" as an answer, I respond "I think that's a lie" or "I don't believe that to be true". Never had anyone deny it.
Fact is, if you are conducting legitimate business with me, you would be able to tell me some basic details about our supposed business, rather than quoting the DPA at me chapter and verse as if I give a damn. If you genuinely can't answer my questions because of "Data Protection" then you are obviously not worth talking to in the first place and I resent the fact that you thought I would entertain your nuisance calls.
I know NatWest, VirginMedia, VirginCC (MBNA Backed), and RBS do these type of calls.
They usually get quite irritated when I ask them how I can trust someone who has called me. I am fairly sure that NatWest moved to a system to STOP doing this nationally, but because of harsh sales requirements on branches they sometimes call up.
If you ever get a call like this, then ask them what it's for (99% of the time it's a sales call), and if they tell you it's something important then you can phone back via published numbers.
it gets worse . . .
I had one of these calls a while ago - think it was a credit card company. We reached an impasse where I refused to accept he was who he said he was until he proved it.
So, in a fit of inventiveness I'm sure he was proud of, he proved it by telling me my last transaction details and current balance. I was so shocked I carried on with the call!
Recently bought a new car and when somebody called me claiming to be from the company I'd just bought it from I asked them to verify themselves. They proceeded to tell me plenty of information about the car I had just bought from them. Reassuring!
Once I pointed out that anybody who had walked past the house recently could give me the same information she became frustrated and said she would send me the information through the post and hung up.
I feel safer.
@Kevin Johnston: You have a lot of time on your hands don't you.
Sky are as bad
As a ftm transsexual (yup I lead a fun life) I was told point blank on the phone with HSBC that I was not the person who owned the account (obviously I am) due to my voice. I had to do extra security stuff and they put a 'note' on my account.
Can't help but think I just made my account less secure
You don't need to be
transsexual to be on the receiving end of that confusion. Actually, it's quite common for those born female to have voice pitch within the male range which has interesting results in telephone conversations. Females so equipped can have endless fun with cold-callers.
Paris, because she's unambiguously female.
Almost on the same topic
Local councils are introducing pay-by-phone parking where you have to either telephone or sms your cc details, registration and some other information such as a location code from the sign by the bay to a non-geographic number with an automated response system. As there's no way to do "SSL over GSM" this is ripe for fraud, after all what visitor will know if a well crafted sign is authentic or not? All you need is a couple of pre-set replies on the mobile phone set to harvest these and the money will come rolling in.
Leaving aside the issue of having to read out your CC details in a public place (you can't exactly make a private call from inside a motorcycle, for whom the scheme also applies) if someone sniffs all the SMS from prominent parking locations now that GSM encryption is apparently cracked, they'll gather a good haul of CC numbers, expiry and the "last three digits from the back of the card".
There's absolutely no security possible in either transmission mechanism but it will be treated by the banks as the customer's liability if the details are misused as there will be no evidence of any "hack" of the system.
I was impressed by my mum who, when answering the phone to a machine claiming to be my bank and asking for my date of birth, deliberately put in the wrong date to see if it was a scam.
Nat West don't get it either. I recently asked an operator who had phoned me to provide me with a couple of specific characters from my security string to prove his identity and he promptly hung up. I phoned Nat West to tell them of a potential phishing scam and they told me that their credit department had been trying to contact me. Bloody amateurs.
I also had some debt collection agency contact me by letter asking me to phone them which I did. The operator then asked me to confirm my name and address which I did because it was already on the letter they had sent me. They then asked for my date of birth and couldn't understand why I refused to give it to them. They refused to talk to me which, to be honest, is absolutely the best result I could have asked for. We are now at an impasse. If they can't prove to me who they are (considering it is a company who I have never had any dealings with so they can't) and I won't prove to them who I am (because I think they are phishing) and they won't talk to me unless I do then there's sod all they can do to recover any money that they feel I may owe them except take me to court for it and I've already explained to them that this is what I would prefer them to do (they seem hesitant to do this for some reason as did the three other debt collection agencies that tried to recover this alleged debt).
For the record, I don't owe them anything, it relates to a situation with 3 and their absolutely godawful "customer services" that they should have rectified 5 years ago but didn't, but it's a novel situation and one which I'm more than happy to experiment with.
3 calling in the repo men?
My wife has had fun with 3 and repo men. We ended up getting ofcom involved and sorting it all out. Then six months later another debt collector sent her a letter... Be prepared for at least another year of crap.
Interesting solution found by one bank
Having challenged my bank in the past, and refused to give them any info until they can authenticate I note they now have found an interesting solution by offering 3 values and asking you to pick the correct one. This serves as a lightweight arbitration protocol for their internet transaction fraud detection.
The fact that one of the values is correct gives you a degree of confidence, and your confirmation of the right one gives them the same.
This is obviously too lightweight for actual transactions, but they are just confirming that you are happy with a recent transaction.
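The three-option check described in the comment above, modelled from both ends as an added example (not part of the original thread, and not any bank's actual system). The ledger, account name and function names are constructed for illustration.

```python
"""Three-option confirmation call, modelled from both ends (constructed data)."""
import hmac
import random
from fractions import Fraction

# Constructed sample ledger: amounts in pence for one hypothetical account.
LEDGER = {"acct-demo": [4599, 1250, 32000]}


def make_challenge(ledger, account, rng, n_options=3):
    """Bank side: hide the latest real amount among plausible decoys."""
    real = ledger[account][-1]
    known = set(ledger[account])
    options = {real}
    while len(options) < n_options:
        # Decoys stay within +/-50% of the real amount so they look plausible,
        # and never collide with another genuine transaction on the account.
        decoy = rng.randint(real // 2, real + real // 2)
        if decoy not in known:
            options.add(decoy)
    shuffled = sorted(options)
    rng.shuffle(shuffled)
    return shuffled


def customer_pick(options, own_records):
    """Customer side: pick the one value that matches own records.

    Returns None unless exactly one option matches. With no match the
    caller has shown nothing that ties them to the account, so the
    customer gives nothing back.
    """
    matches = [o for o in options if o in own_records]
    return matches[0] if len(matches) == 1 else None


def bank_verify(ledger, account, chosen):
    """Bank side: accept only the real amount (constant-time comparison)."""
    if chosen is None:
        return False
    real = str(ledger[account][-1]).encode()
    return hmac.compare_digest(str(chosen).encode(), real)


def guess_pass_probability(n_options=3, rounds=1):
    """Chance that someone with no knowledge passes by picking at random."""
    return Fraction(1, n_options) ** rounds


if __name__ == "__main__":
    rng = random.Random(7)  # fixed seed so the demo is repeatable
    offered = make_challenge(LEDGER, "acct-demo", rng)
    pick = customer_pick(offered, set(LEDGER["acct-demo"]))
    print("offered:", offered, "picked:", pick)
    print("bank accepts:", bank_verify(LEDGER, "acct-demo", pick))
    # A caller with no access to the account offers made-up values.
    print("made-up options:", customer_pick([100, 200, 300],
                                            set(LEDGER["acct-demo"])))
    print("blind guess, 1 round:", guess_pass_probability())
    print("blind guess, 3 rounds:", guess_pass_probability(rounds=3))
```

A blind guess passes one round with probability 1/3, which is why the commenter calls it too lightweight for actual transactions. Neither check detects a caller who is relaying the options and answers to and from the real bank, the objection raised earlier in the thread.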
Call back doesn't fix the problem
Yes, you can call them back on their public number. But that doesn't fix the problem - it is just "security theatre" unless you ALWAYS have to call them back on the public number. I just say, "please don't ever call me again; if you have something important to tell me, please write a letter".
There's also the aspect that they say all over the place that genuine bank staff will never ask you for your personal code number. Except that when they phone you, that's exactly what they do. Of course their argument is that the number they will never ask you for is your "personal identification number", whereas the number that they will ask you for is your "personal security code". Or is it the other way around? And does the other bank call them the same thing? It is clearly totally broken.
Actually Dilbert covered this last week:
problems with callback ...
1) why should you pay, when it was your bank that wanted to call you ?
2) you will get put in a queue which will take 30 minutes to answer, Well it did, when BT tried this with me, Then the person who answered had no idea why they called me in the first place.
They wouldn't know as the person who had been assigned the job by the system would have marked the job as 'contacted' or similar and the job disappears to reappear on another screen with no notes on it. Notes take time and time is money and money is 'numbers of calls made'.
Saying that, I've got to ring BT myself - I've almost remembered the entire number sequence for getting through and ignoring all the options.
Lloyds TSB are awful for this
Lloyds TSB royally wind me up TBH. When I paid in an insurance cheque I got a phone call from my 'account manager', who without checking my identity gave me my name and account number and then told me how much I had just paid in.
They did it again when I got a new job with a higher salary and asked was I expecting this money to go in. Yes I bloody was and no I didn't want them calling me up and telling me with no security checks one way or the other.
If it happens again I will be having words...
"if I call your office, do I get you?"
It was actually the ISP of a webshop I did work for, who asked me that. My answer was that no, I wasn't at the office, but if they'd call the owner (who had asked me to act on his behalf) on his mobile (and they did have that number already, didn't they?) as he also wasn't at the office, he'd verify the story and give them my number and I'd be reachable there.
My experience with banks, OTOH, isn't quite as good. Like a certain one that had a "webchat" where you'd be connected to someone with only a first name who'd ask for date of birth and such. That "chat" thing ran on a third party site, and no ssl in sight. Subtle.
But it gets worse. Nearly everybody who needs to do authorization actually asks for authentication or worse, /identification/ as if that'd prove anything--requiring "government ID" and often as not taking a convenient copy or scan (that might get lost somewhere too, it's happened) that contains enough information to impersonate.
This is a problem of mindset as much with verifier as with the verifee --failure to ask for counter-verification--, as failure to understand just how this whole thing works or even what the goals must be. Moreover, this is how the government structures the field through providing only identity documents.
It oughtn't be too hard to provide cryptographically secure carriers of /authorization/ instead, then add zero-knowledge proof sauce for added privacy protection. That way, the government would actually help provide a level field for this sort of thing. But they don't, for they don't understand it either; the whole thing grew out of administrating the birth-and-death registry, not from a desire to facilitate anything in a secure and privacy-protecting manner.
This is quite possibly the largest, deepest rooted, worst understood, unsolved problem of our time.
Some banks are better than others
I've had this same problem with an American credit card company, but others are better. Interestingly, some banks insist on this kind of verification online - a picture and/ or passphrase you've previously chosen is shown to you as you log in, to show that this site is genuine, rather than some kind of phishing or malware spoof.