Cifas is pushing education as a means to help call centre staff
Why not just pay them enough to give a monkeys in the first place.....
Identity crimes remain among the greatest threats to UK businesses online. The offences made up three in five (60 per cent) of all fraud recorded by Cifas, the UK's leading fraud prevention service. Cifas' annual report, published Wednesday, collates statistics from 325,092 instances of fraud recorded in 2016. These internal …
"Why not just pay them enough to give a monkeys"
Something about peanuts?
I think it's a bit naïve to think that just paying existing staff more would change their behavior. Even though it would probably attract some better candidates for future positions, you'd still need to improve the hiring process to make sure you're not just wasting your money by paying more for the same level of skills.
...would change their behavior.
Indeed, but it's equally naive to think that you can incentivise staff to care about fraud when they're worried about whether the electricity will be on when they get home.
As usual, the situation is complex and solutions like "pay more" or "care more" aren't very helpful.
Doesn't the saying go
To make the rich work harder, you pay them more. To make the poor work harder, you pay them less.
If you make them *really* worried about whether the electricity will be on when they get home, and you dock them pay for giving out details to fraudsters, that might incentivise them.
I'm not saying that would be a good or nice thing to do, just that there's not necessarily a correlation between good and effective.
If you penalise them personally for falling for scammers, then you'll make it impossible for anyone to do their banking by phone, and the whole call centre will be redundant within a month.
This is what rules and procedures are for. Provided your call centre drone follows the correct R&Ps*, they should not be held personally responsible in any way for what happens next. Punishing people for making honest mistakes is only a smart idea if you want them to err massively on one side of the line.
* = And of course it will be obvious that they've done so, because only then will the appropriate online form/flowchart validate.
It doesn't help that their 'security' questions are often rather less than secure. In general I think we can assume that a person's full name, address, date of birth and, probably, mother's maiden name are publicly known information. Why shouldn't they be?
The standard "Who was your first teacher", "what is your favourite colour" type questions don't really help either - no-one in their right mind would give a true answer, or the same made-up one to two different businesses/banks, and so they're unlikely to remember the answers.
My bank tends to ask questions like "You recently charged £49.75 to your account, can you remember what it was for?" - well, probably not but I'd guess a tank of petrol maybe? Not perfect but it's better than the other options.
It's a problem which needs solving, and I don't have a good answer (what kind of useless commentard does that make me?), but the present system of questions only seems designed to give a false sense of security, a bit like all the airport searches and no-fly lists we're plagued with these days.
As a(n ex-)hacker schooled in the days of dial-up, I have never used the *real* answer to a security question anyway.
Yes, I have supplied a string of characters for my mother's maiden name. But don't expect them to bear any resemblance to my mother's maiden name.
You could probably improve online security tenfold by simply allowing the *customer* to choose the security answer - and its associated question.
My bank tends to ask questions like "You recently charged £49.75 to your account, can you remember what it was for?" - well, probably not but I'd guess a tank of petrol maybe?
And so might anyone else.
High street branches - remember them?
And so might everyone else.
It doesn't help that their 'security' questions are often rather less than secure
It also doesn't help that they are often based on certain cultural assumptions. Even if I wanted to, I couldn't provide accurate information for most of my bank's offered security questions, and for "what was the first album you bought", the only answer I could reasonably have offered would have been "stamp" and my "Favourite Singer" would be "Hunter 75". Which might be fine online, but call centre staff might quibble...
Hunter 75? I am more of a Gazelle type of chap.
Banks use the phrase, "Know your customer". Not for real, of course; merely to fob off stroppy articles in el Reg.
One of my banks allows the customer to choose their own web banking username. I generated mine using 1Password, and as such it is 40 random characters. The password is only 10 random characters, as that is the maximum password length.
It doesn't help that their 'security' questions are often rather less than secure
Indeed. A while ago I was talking to The War Department about her online banking and security in general, when I threw in what seemed like a random aside - the old chestnut of "what's your pronstar name? Take the name of your first pet and your mother's maiden name?"
"Tiddles McNulty*", she replied.
I thanked her for letting me have the answers to 2 of the top 3 questions for getting through her personal security check. She was genuinely surprised - although she's fairly savvy and had seen the name game thing before, the penny had never dropped that it was a stupidly easy way to phish for information to be used in nefarious ways.
* names have been changed to protect the gullible
One of my service providers allowed me to choose the question from a list, then provide my own answer.
When I had to ring them, they asked "what are the first, third and seventh characters from the answer to your secret question?"... um, I have no idea what banal question I chose, at least give me that clue.
I write down the made-up answers in my password manager, along with the questions if necessary. Yes it's a single point of failure, but with 2FA, I think it's the best I can manage.
"One of my banks allows the customer to choose their own web banking username."
I'm channelling XKCD here...
You chose "password" as your username and set "username" as your password.
The last time I was forced to choose a telephone password for something I was never going to use again, I picked "none."
"My bank tends to ask questions like "You recently charged £49.75 to your account, can you remember what it was for?" - well, probably not but I'd guess a tank of petrol maybe? Not perfect but it's better than the other options."
What this says is that the "you charged £49.75 to your account..." type of security question isn't a lot of use if they then guide you to the answer.
Anyone remember UsVsThem and how popular it was a few years ago? They had a long series of pr0nstar name type games that went viral for a while on FB, all of them asking those sort of questions. After watching a few of my friends fill them in faithfully, I noticed that they'd covered pretty much all and more of the standard questions and presumably had them tied in to your FB account, email address and whatever other public info one was spaffing. Then they sold the site - and presumably all that lovely data - to the Daily Mirror. Never mind the "all these people questioned in a station gave over their password for a chocolate bar" stunts; this was large scale, automated hacking on a grand scale in plain sight. I kinda salute them tbh.
The security questions with answers that can change over time are not very good. I had this one come up the other day: "What is the name of your favourite movie?"
What took me forever to remember is that I had set up the online security on this account a good decade ago, so I had to ask what my younger self would have answered. I probably only got it because I had rewatched it recently.
So then I had to work through how I could have ever liked that movie, much less had it as my favourite!
"High street branches - remember them?" Yes I do, but they opened from 9AM to 3PM Monday to Friday so I never got to visit inside them unless I had a day off work. When Barclays came out with ATMs and the Barclaybank card in 1975 high street banks became so much more useful...... as the wall for a hole in the wall machine.
What's your favorite colour?
Is it red?
No .......errrrm .... actually I'm just messing with you it was Blue. Ok. I'm resetting your password for you. You will need to choose a new password 10 to 14 characters long, including upper case, lower case, numeric and at least 2 "special" characters, because we take security very seriously here.
Pretty scary when it comes to the "human" element...
Old as the hills but PEBCAK
Personally I always set my security question to "Kitty cat meow meow meow meow meow meow" and put my first cat's name.
I enjoy having them read out my question over the phone.
First car: Reliant Robin
Favourite year: 1966
Bath night: Tuesday
Doesn't help that these companies think their 'security questions' give them security, but then degrade that security by asking for them even when they ring you... Recent example when rung by a call centre employee (or possible hacker / monkey / google voice bot / LMD - delete as preferred):
Them: Hi, I'm from [a utilities company], I'd like to talk to you about your account
Them: Can you confirm the last three characters of your postcode please?
Me: no, I don't give details out to people who ring me up
Them [incredulous tone]: What do you think someone could possibly get from the last three characters of your postcode!?
Me: access to my utilities account...? [hangs up]
Good point - they probably think they are being extra vigilant asking when they ring, but they are in fact setting a precedent that allows anyone to ring up and ask for password info.
The best thing to do is to ask them for a hash of your account balance, salted with the current date and time. Proves that they are the bank (or at least that they know your balance) but is useless to any attacker so the bank should have no security issues with providing it.
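The hash idea above, worked through as an added example (not the commenter's code, and not any bank's): the caller proves knowledge of the account balance with an HMAC over a nonce the customer picks on the spot plus a five-minute time window, so the digest reveals nothing about the balance and cannot be replayed on a later call. The balance, nonce and call time are constructed sample values.

```python
import hmac
import hashlib
from datetime import datetime, timedelta, timezone

# Constructed sample values: a balance only the customer and the bank know,
# and a nonce the customer makes up on the spot (say, four digits).
ACCOUNT_BALANCE_PENCE = 123_456
CUSTOMER_NONCE = "4712"
CALL_TIME = datetime(2017, 7, 12, 10, 31, 45, tzinfo=timezone.utc)


def time_window(when: datetime, minutes: int = 5) -> str:
    """Bucket a UTC timestamp into a short window so a proof read out on
    one call cannot be replayed on a later one."""
    when = when.astimezone(timezone.utc)
    return when.replace(minute=when.minute - when.minute % minutes,
                        second=0, microsecond=0).strftime("%Y-%m-%dT%H:%M")


def bank_proof(balance_pence: int, nonce: str, when: datetime) -> str:
    """What the caller claiming to be the bank reads out: an HMAC keyed
    with the secret balance over the customer's nonce and the current
    window. An eavesdropper learns nothing about the balance from it."""
    key = str(balance_pence).encode()
    msg = f"{nonce}|{time_window(when)}".encode()
    # Truncated to 8 hex digits so it can be read over the phone; the
    # customer hangs up on a wrong answer, so there is no online guessing.
    return hmac.new(key, msg, hashlib.sha256).hexdigest()[:8]


def customer_accepts(balance_pence: int, nonce: str, spoken: str,
                     now: datetime) -> bool:
    """The customer's side: recompute from the balance on their own
    statement and compare in constant time."""
    expected = bank_proof(balance_pence, nonce, now)
    return hmac.compare_digest(expected, spoken.lower())


def demo() -> dict:
    """Three calls: the genuine bank, a replay of that same proof ten
    minutes later, and a caller who does not know the balance."""
    genuine = bank_proof(ACCOUNT_BALANCE_PENCE, CUSTOMER_NONCE, CALL_TIME)
    later = CALL_TIME + timedelta(minutes=10)
    impostor = bank_proof(99_999, CUSTOMER_NONCE, CALL_TIME)  # guessed balance
    return {
        "genuine": customer_accepts(ACCOUNT_BALANCE_PENCE, CUSTOMER_NONCE, genuine, CALL_TIME),
        "replayed": customer_accepts(ACCOUNT_BALANCE_PENCE, CUSTOMER_NONCE, genuine, later),
        "impostor": customer_accepts(ACCOUNT_BALANCE_PENCE, CUSTOMER_NONCE, impostor, CALL_TIME),
    }


if __name__ == "__main__":
    print(demo())
```

A balance has only a few million plausible values, so someone who records one proof could brute-force it offline; a real deployment would key the HMAC with a high-entropy secret shared through the banking app rather than the balance itself.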
Realistically if I go to pay for something and the card machine pauses on authenticating then my phone rings, I believe it's the bank. I've rarely had them ring me up in other situations, why would they? If it's not time critical it's cheaper for them to send me an automated email than pay someone to talk to me.
I can't compute that in my head, and neither could the calls centre monkey!
Mutual authentication would be a big plus here.
If there was some way for me to authenticate that they really are genuine, then I might be more inclined to talk to them. My usual response when they call is "if it's important, then write me a letter and provide some account specific information so I can validate your request is genuine and I'll contact you on your customer service number that I hold on file."
The problem is that they always ask for something that is by definition useful to the bad guys.
If I give some info on trust, then all they have to do is say "yes, that matches". How do I know that they didn't just write it down and say "OK"? Of course, if their next response is "oh, my system has just gone down" and they want to call back later, then you know you were suckered, but by then it's too late. How many non-IT types would fall for this ??
Don't get me started on phrases containing "for data protection reasons" - it's my data, you can't protect it from me or intimidate me with the scary sounding phrase !!
I was late paying a bill (yes, I know it's my fault). The jackass called me and then wanted to verify my address, phone number and last 4 of my SS#. The lady at the other end got weird on me when I asked her for her full name, home address, phone number and SS#. I told her: you would not give that out to some random person over the phone, so why would I?
The golden rules of passwords are (1) not to share them between accounts, (2) not to use information in the public domain (3) to change them regularly.
So what do they ALL use ? Parameters that break all three rules: Date of Birth, Mother's Maiden Name, First Line of Address & Postcode, Telephone Number. Obviously no-one ever phones them or sends them cards on their birthday !
Worst of all, when calling back they expect you to provide your security details when they have offered no evidence that they really are calling from the bank. When challenged, they invariably seem utterly bewildered and refuse to provide any info, endlessly repeating the mantra of 'Data Protection'. They still refuse to co-operate even when I suggest providing info that would be useless to anyone else e.g. 'Ignoring the pounds, what's the odd number of pence in my account?'.
The silliest were Flow Energy. Their website told me to enter my DoB from a drop down menu, so I entered one from early in the last century. Two weeks later they rejected my application, saying that it was an invalid date ! They said they were happy with a date other than my real DoB, but it couldn't be an invalid one (i.e. too old) even though their Computer Said Yes.
For a long time, the philosophy was "treat passwords, etc as you would treat a toothbrush - change regularly and never share". That covers your rules 1 and 3, but sadly your rule #2 was overlooked for a long time.
"Worst of all, when calling back they expect you to provide your security details when they have offered no evidence that they really are calling from the bank. When challenged, they invariably seem utterly bewildered and refuse to provide any info, endlessly repeating the mantra of 'Data Protection'"
A few years ago my bank called me. After identifying themselves as such, I asked for the name and amount of any of my direct debits. They kinda freaked out so I politely said they had completely failed to verify that they were in fact my bank. I didn't wait for a response, I hung up.
(3) - to change them regularly.
there are other opinions on that advice.
But the thing is, what if your password was guessed and you don't know that? Periodic password changes help to deal with such unknown compromises: either by closing the door or making you aware of it. Can you think of a better way, especially for people with bad memories?
If your password was guessed and you don't know it, then a malicious actor has already done whatever they're going to do to you. The value in changing it periodically "just in case" is greatly undermined by the added cost of remembering it/entropy added by that requirement.
Number of passwords the average person is expected to maintain? About 20. Number of passwords a lay user can realistically be expected to remember? About 3, I reckon. Any more than that, I'ma gonna write down on a Post-it note and stick to my monitor.
"If your password was guessed and you don't know it, then a malicious actor has already done whatever they're going to do to you."
Not necessarily. Consider APTs. By going a little at a time, over a longer period, they could smurf you and slip under your notice. Furthermore, what if your account is but a stepping stone to a higher-level account? Again, that could take time to crack, so ongoing access would be important for them. Thing is, they can't alert you to the fact they can access you, so they can't change your credentials, so what if you force the issue?
On the rare occasions that I do get a call from my bank, requesting my personal info to identify myself, it's invariably turned out to be from their marketing dept.
"This is xyx Bank here, Mr. ZZZZZZ. Could I take you through security...! ..... Thank you. This is just a courtesy call to see if you would like to accept one of our over-expensive loans secured on your granny's life..."
And yes, if it's not a call I'm expecting then these days I do go down the route of asking "How do I know it's you...etc" It's a matter of principle TBH.
Just say no, then hang up.
And if they CALL BACK? AND claim to be a campaign caller so they can't be blocked due to First Amendment grounds?
When my bank calls me, I never talk to them, I always politely hang up, then call them back from the number printed on my card (not their website - it could be hacked).
This should be ABSOLUTELY standard. "Good morning Mr X, this is HSBC. We need to talk to you urgently about your account. Please call us back on the number on the back of your card at your earliest convenience."
But no, when I refuse to give out my security information to an unverified rep from a blocked number, and insist on calling back, they just don't get it. One of my favourite lines was "I guarantee I'm really from the bank. I wouldn't lie to you about that."
And you do call from a different phone (ideally a mobile), don't you?
Not a different phone, a different LINE. However, most exchanges will now drop a call within a few seconds of you clearing down, so the risk of a scammer holding the line open is much reduced.
Long live the fonejacker.
"Yes hello there I need all of your bank details to authenticate who you are."
Never mind giving out your password on the phone to a random, what about this nonsense of giving your credit card / debit card details to someone over the phone? Who's to say they're not sitting there, scribbling it all down for later use?
If ever there was a fucking ridiculous system, it's that one.
So you don't trust e-tailers, either, since they could easily take down your information then as well? Compromised clearing houses also show there's no refuge for ANY kind of credit card transaction, cardholder present or not. Not even cash is entirely safe thanks to sites like Where's George.
Their agreement with their card processor - and a documented, audited PCI-DSS review ???
Biting the hand that feeds IT © 1998–2018