Crooks can nick Brits' identities just by picking up the phone and lying

Identity crimes remain among the greatest threats to UK businesses online. The offences made up three in five (60 per cent) of all fraud recorded by Cifas, the UK's leading fraud prevention service. Cifas' annual report, published Wednesday, collates statistics from 325,092 instances of fraud recorded in 2016. These internal …

  1. Gordon Pryra

    Cifas is pushing education as a means to help call centre staff

    Education?

    Why not just pay them enough to give a monkeys in the first place.....

    1. Doctor Syntax Silver badge

      Re: Cifas is pushing education as a means to help call centre staff

      "Why not just pay them enough to give a monkeys"

      Something about peanuts?

    2. Tim 11

      I think it's a bit naïve to think that just paying existing staff more would change their behavior. Even though it would probably attract some better candidates for future positions, you'd still need to improve the hiring process to make sure you're not just wasting your money by paying more for the same level of skills.

      1. sabroni Silver badge

        re: I think it's a bit naïve to think that just paying existing staff more....

        ...would change their behavior.

        Indeed, but it's equally naive to think that you can incentivise staff to care about fraud when they're worried about whether the electricity will be on when they get home.

        As usual, the situation is complex and solutions like "pay more" or "care more" aren't very helpful.

        1. Seajay#

          Re: re: I think it's a bit naïve to think that just paying existing staff more....

          Doesn't the saying go

          To make the rich work harder, you pay them more. To make the poor work harder, you pay them less

          If you make them *really* worried about whether the electricity will be on when they get home and you dock them pay for giving out details to fraudsters that might incentivise them.

          I'm not saying that would be a good or nice thing to do, just that there's not necessarily a correlation between good and effective.

          1. veti Silver badge

            Re: re: I think it's a bit naïve to think that just paying existing staff more....

            If you penalise them personally for falling for scammers, then you'll make it impossible for anyone to do their banking by phone, and the whole call centre will be redundant within a month.

            This is what rules and procedures are for. Provided your call centre drone follows the correct R&Ps*, they should not be held personally responsible in any way for what happens next. Punishing people for making honest mistakes is only a smart idea if you want them to err massively on one side of the line.

            * = And of course it will be obvious that they've done so, because only then will the appropriate online form/flowchart validate.

  2. Pen-y-gors

    'Security' questions?

    It doesn't help that their 'security' questions are often rather less than secure. In general I think we can assume that a person's full name, address, date of birth and, probably, mother's maiden name are publicly known information. Why shouldn't they be?

    The standard "Who was your first teacher", "what is your favourite colour" type questions don't really help either - no-one in their right mind would give a true answer, or the same made-up one to two different businesses/banks, and so they're unlikely to remember the answers.

    My bank tends to ask questions like "You recently charged £49.75 to your account, can you remember what it was for?" - well, probably not but I'd guess a tank of petrol maybe? Not perfect but it's better than the other options.

    It's a problem which needs solving, and I don't have a good answer (what kind of useless commentard does that make me?), but the present system of questions only seems designed to give a false sense of security, a bit like all the airport searches and no-fly lists we're plagued with these days.

    1. Anonymous Coward

      Re: 'Security' questions?

      Well ....

      as a(n ex-)hacker schooled in the days of dial-up, I have never used the *real* answer to a security question anyway.

      Yes, I have supplied a string of characters for my mother's maiden name. But don't expect them to bear any resemblance to my mother's maiden name.

      You could probably improve online security tenfold by simply allowing the *customer* to choose the security answer - and its associated question.

      1. jdoe.700101

        Re: 'Security' questions?

        One of my banks allows the customer to choose their own web banking username. I generated mine using 1Password, and as such it is 40 random characters. The password is only 10 random characters, as that is the maximum password length.

        1. handleoclast
          Joke

          Re: 'Security' questions?

          "One of my banks allows the customer to choose their own web banking username."

          I'm channelling XKCD here...

          You chose "password" as your username and set "username" as your password.

          The last time I was forced to choose a telephone password for something I was never going to use again, I picked "none."

      2. Anonymous Coward

        Re: 'Security' questions?

        What's your favorite colour?

        Is it red?

        No.

        Blue?

        No.

        Green?

        No .......errrrm .... actually I'm just messing with you it was Blue. Ok. I'm resetting your password for you. You will need to choose a new password 10 to 14 characters long, including upper case, lower case, numeric and at least 2 "special" characters, because we take security very seriously here.

    2. Doctor Syntax Silver badge

      Re: 'Security' questions?

      My bank tends to ask questions like "You recently charged £49.75 to your account, can you remember what it was for?" - well, probably not but I'd guess a tank of petrol maybe?

      And so might anyone else.

      High street branches - remember them?

      1. Terry 6 Silver badge

        Re: 'Security' questions?

        And so might everyone else.

      2. Primus Secundus Tertius

        Re: 'Security' questions?

        Banks use the phrase, "Know your customer". Not for real, of course; merely to fob off stroppy articles in el Reg.

        1. 2Nick3

          Re: 'Security' questions?

          The security questions with answers that can change over time are not very good. I had this one come up the other day: "What is the name of your favourite movie?"

          What took me forever to remember is that I had set up the online security on this account a good decade ago, so I had to ask what my younger self would have answered. I probably only got it because I had rewatched it recently.

          So then I had to work through how I could have ever liked that movie, much less had it as my favourite!

      3. Anonymous Coward

        Re: 'Security' questions?

        "High street branches - remember them?" Yes I do, but they opened from 9AM to 3PM Monday to Friday so I never got to visit inside them unless I had a day off work. When Barclays came out with ATMs and the Barclaybank card in 1975 high street banks became so much more useful...... as the wall for a hole in the wall machine.

    3. Warm Braw

      Re: 'Security' questions?

      It doesn't help that their 'security' questions are often rather less than secure

      It also doesn't help that they are often based on certain cultural assumptions. Even if I wanted to, I couldn't provide accurate information for most of my bank's offered security questions, and for "what was the first album you bought", the only answer I could reasonably have offered would have been "stamp" and my "Favourite Singer" would be "Hunter 75". Which might be fine online, but call centre staff might quibble...

      1. Ejit

        Re: 'Security' questions?

        Hunter 75? I am more of a Gazelle type of chap.

    4. Hans Neeson-Bumpsadese Silver badge

      Re: 'Security' questions?

      It doesn't help that their 'security' questions are often rather less than secure

      Indeed. A while ago I was talking to The War Department about her online banking and security in general, when I threw in what seemed like a random aside - the old chestnut of "what's your pronstar name? Take the name of your first pet and your mother's maiden name?"

      "Tiddles McNulty*", she replied

      I thanked her for letting me have the answers to 2 of the top 3 questions for getting through her personal security check. She was genuinely surprised - although she's fairly savvy and had seen the name game thing before, the penny had never dropped that it was a stupidly easy way to phish for information to be used in nefarious ways.

      * names have been changed to protect the gullible

      1. Anonymous Coward

        Re: 'Security' questions?

        Anyone remember UsVsThem and how popular it was a few years ago? They had a long series of pr0nstar name type games that went viral for a while on FB, all of them asking those sort of questions. After watching a few of my friends fill them in faithfully, I noticed that they'd covered pretty much all and more of the standard questions and presumably had them tied in to your FB account, email address and whatever other public info one was spaffing. Then they sold the site - and presumably all that lovely data - to the Daily Mirror. Never mind the "all these people questioned in a station gave over their password for a chocolate bar" stunts; this was large scale, automated hacking on a grand scale in plain sight. I kinda salute them tbh.

    5. Anonymous Coward Silver badge
      Facepalm

      Re: 'Security' questions?

      One of my service providers allowed me to choose the question from a list, then provide my own answer.

      When I had to ring them, they asked "what are the first, third and seventh characters from the answer to your secret question?"... um, I have no idea what banal question I chose, at least give me that clue.

      1. rd232

        Re: 'Security' questions?

        I write down the made-up answers in my password manager, along with the questions if necessary. Yes it's a single point of failure, but with 2FA, I think it's the best I can manage.

    6. VinceH

      Re: 'Security' questions?

      "My bank tends to ask questions like "You recently charged £49.75 to your account, can you remember what it was for?" - well, probably not but I'd guess a tank of petrol maybe? Not perfect but it's better than the other options."

      When reading articles like this one - and posts like yours in particular - I am usually reminded of this - followed up here and here.

      What this says is that the "you charged £49.75 to your account..." type of security question isn't a lot of use if they then guide you to the answer.

  3. chivo243 Silver badge

    Check this out...

    Pretty scary when it comes to the "human" element...

    https://youtu.be/lc7scxvKQOo?t=2

  4. Anonymous Coward

    Old as the hills but PEBCAK

  5. SimonC

    Personally I always set my security question to "Kitty cat meow meow meow meow meow meow" and put my first cat's name.

    I enjoy having them read out my question over the phone.

  6. Anonymous Coward

    Nigel

    First car: Reliant Robin

    Favourite year: 1966

    Bath night: Tuesday

  7. regbadgerer

    They shouldn't encourage you to give out your 'security' data so easily

    Doesn't help that these companies think their 'security questions' give them security, but then degrade that security by asking for them even when they ring you... Recent example when rung by a call centre employee (or possible hacker / monkey / google voice bot / LMD - delete as preferred):

    [phone rings]

    Them: Hi, I'm from [a utilities company], I'd like to talk to you about your account

    Me: sure

    Them: Can you confirm the last three characters of your postcode please?

    Me: no, I don't give details out to people who ring me up

    Them [incredulous tone]: What do you think someone could possibly get from the last three characters of your postcode!?

    Me: access to my utilities account...? [hangs up]

    1. Prst. V.Jeltz Silver badge

      Re: They shouldn't encourage you to give out your 'security' data so easily

      Good point - they probably think they are being extra vigilant asking when they rang, but they are in fact setting a precedent that allows anyone to ring up and ask for password info.

    2. Seajay#

      Re: They shouldn't encourage you to give out your 'security' data so easily

      The best thing to do is to ask them for a hash of your account balance, salted with the current date and time. Proves that they are the bank (or at least that they know your balance) but is useless to any attacker so the bank should have no security issues with providing it.

      Realistically if I go to pay for something and the card machine pauses on authenticating then my phone rings, I believe it's the bank. I've rarely had them ring me up in other situations, why would they? If it's not time critical it's cheaper for them to send me an automated email than pay someone to talk to me.

      1. Richard 12 Silver badge

        Re: They shouldn't encourage you to give out your 'security' data so easily

        I can't compute that in my head, and neither could the call centre monkey!

    3. Dwarf

      Re: They shouldn't encourage you to give out your 'security' data so easily

      Mutual authentication would be a big plus here.

      If there was some way for me to authenticate that they really are genuine, then I might be more inclined to talk to them. My usual response when they call is "if it's important, then write me a letter and provide some account specific information so I can validate your request is genuine and I'll contact you on your customer service number that I hold on file."

      The problem is that they always ask for something that is by definition useful to the bad guys.

      If I give some info on trust, then all they have to do is say "yes, that matches" - how do I know that they didn't just write it down and say "OK"? Of course, if their next response is "oh, my system has just gone down" and they want to call back later, then you know you were suckered, but by then it's too late. How many non-IT types would fall for this?

      Don't get me started on phrases containing "for data protection reasons" - it's my data, you can't protect it from me or intimidate me with the scary-sounding phrase!
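    The challenge-response that Seajay# sketched above (a hash of the account balance, salted with the current date and time) and the mutual authentication Dwarf asks for, worked through as an added example. This is not code from any commenter or from any bank; the account record, the 60-second window and the six-digit code length are assumptions for illustration. The bank reads out a short code keyed on data only the bank and the customer hold; the customer's app recomputes it and says yes or no without disclosing anything. As Richard 12 notes, neither side computes this in their head, so it assumes a tool at both ends; and, as Seajay# concedes, it only proves the caller knows the balance, so anyone who has seen a statement could pass it.

```python
"""
Added example, not from the comment thread: a spoken challenge code that
lets an inbound caller prove they hold the customer's account data.

Bank side:     reads out spoken_code(balance, account_ref, now)
Customer side: customer_verifies(code, balance, account_ref, now)

Nothing secret leaves the customer's mouth; the code binds the shared
account data to a time slot, so a recording of it is useless a minute later.
"""
import hashlib
import hmac
import time

# Constructed sample record, assumed to be known to both bank and customer
# (the customer sees it on their statement). Not a real account.
ACCOUNT = {"account_ref": "12-34-56/00123456", "balance_pence": 123475}

WINDOW_SECONDS = 60   # assumed validity window; tolerates clock skew between the two sides
SPOKEN_DIGITS = 6     # assumed length: short enough to read out over the phone


def _slot(epoch_seconds: int) -> int:
    """Time slot index. Both parties must agree on the slot, not on the exact second."""
    return epoch_seconds // WINDOW_SECONDS


def spoken_code(balance_pence: int, account_ref: str, epoch_seconds: int) -> str:
    """
    Code the bank reads out. HMAC-SHA256 over the time slot, keyed with the
    account reference and balance, truncated HOTP-style to SPOKEN_DIGITS
    decimal digits. A caller who does not know the balance cannot produce it.
    """
    key = f"{account_ref}:{balance_pence}".encode()
    msg = str(_slot(epoch_seconds)).encode()
    digest = hmac.new(key, msg, hashlib.sha256).digest()
    number = int.from_bytes(digest[:4], "big")
    return f"{number % 10 ** SPOKEN_DIGITS:0{SPOKEN_DIGITS}d}"


def customer_verifies(code: str, balance_pence: int, account_ref: str, epoch_seconds: int) -> bool:
    """
    Customer side. Recompute for the current slot and the previous one, so a
    code generated just before a slot boundary still verifies. Constant-time
    comparison so a wrong code cannot be narrowed down by timing.
    """
    for offset in (0, -WINDOW_SECONDS):
        candidate = spoken_code(balance_pence, account_ref, epoch_seconds + offset)
        if hmac.compare_digest(candidate, code):
            return True
    return False


if __name__ == "__main__":
    now = int(time.time())
    ref, bal = ACCOUNT["account_ref"], ACCOUNT["balance_pence"]

    code = spoken_code(bal, ref, now)
    print("Bank says:", code)
    print("Genuine caller?", customer_verifies(code, bal, ref, now))

    # A cold-caller who guesses the balance wrong produces a code that fails.
    bogus = spoken_code(100000, ref, now)
    print("Impostor accepted?", customer_verifies(bogus, bal, ref, now))
```

    The balance is deliberately part of the HMAC key rather than the message: the code reveals nothing about the balance to an eavesdropper, and the slot index is the only public input. A replayed code fails once the window has rolled over twice, which is why the verifier only looks back one slot.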

    4. kain preacher

      Re: They shouldn't encourage you to give out your 'security' data so easily

      I was late paying a bill (yes, I know it's my fault). The jackass called me, then wanted to verify my address, phone number and last 4 of my SS#. The lady at the other end got weird on me when I asked her for her full name, home address, phone number and SS#. I told her, "You would not give that out to some random person over the phone, why would I?"

  8. Gerry 3
    Facepalm

    Bank security is a complete joke

    The golden rules of passwords are (1) not to share them between accounts, (2) not to use information in the public domain (3) to change them regularly.

    So what do they ALL use? Parameters that break all three rules: Date of Birth, Mother's Maiden Name, First Line of Address & Postcode, Telephone Number. Obviously no-one ever phones them or sends them cards on their birthday!

    Worst of all, when calling back they expect you to provide your security details when they have offered no evidence that they really are calling from the bank. When challenged, they invariably seem utterly bewildered and refuse to provide any info, endlessly repeating the mantra of 'Data Protection'. They still refuse to co-operate even when I suggest providing info that would be useless to anyone else e.g. 'Ignoring the pounds, what's the odd number of pence in my account?'.

    The silliest were Flow Energy. Their website told me to enter my DoB from a drop down menu, so I entered one from early in the last century. Two weeks later they rejected my application, saying that it was an invalid date ! They said they were happy with a date other than my real DoB, but it couldn't be an invalid one (i.e. too old) even though their Computer Said Yes.

    1. Hans Neeson-Bumpsadese Silver badge

      Re: Golden Rules

      For a long time, the philosophy was "treat passwords, etc as you would treat a toothbrush - change regularly and never share". That covers your rules 1 and 3, but sadly your rule #2 was overlooked for a long time

    2. heyrick Silver badge

      Re: Bank security is a complete joke

      "Worst of all, when calling back they expect you to provide your security details when they have offered no evidence that they really are calling from the bank. When challenged, they invariably seem utterly bewildered and refuse to provide any info, endlessly repeating the mantra of 'Data Protection'"

      A few years ago my bank called me. After identifying themselves as such, I asked for the name and amount of any of my direct debits. They kinda freaked out so I politely said they had completely failed to verify that they were in fact my bank. I didn't wait for a response, I hung up.

    3. pabc

      Re: Bank security is a complete joke

      (3) - to change them regularly.

      there are other opinions on that advice.

      https://www.howtogeek.com/187645/htg-explains-should-you-regularly-change-your-passwords/

      1. Charles 9

        Re: Bank security is a complete joke

        But the thing is, what if your password was guessed and you don't know that? Periodic password changes help to deal with such unknown compromises: either by closing the door or making you aware of it. Can you think of a better way, especially for people with bad memories?

        1. veti Silver badge

          Re: Bank security is a complete joke

          If your password was guessed and you don't know it, then a malicious actor has already done whatever they're going to do to you. The value in changing it periodically "just in case" is greatly undermined by the added cost of remembering it/entropy added by that requirement.

          Number of passwords the average person is expected to maintain? About 20. Number of passwords a lay user can realistically be expected to remember? About 3, I reckon. Any more than that, I'ma gonna write down on a Post-it note and stick to my monitor.

          1. Charles 9

            Re: Bank security is a complete joke

            "If your password was guessed and you don't know it, then a malicious actor has already done whatever they're going to do to you."

            Not necessarily. Consider APTs. By going a little at a time, over a longer period, they could smurf you and slip under your notice. Furthermore, what if your account is but a stepping stone to a higher-level account? Again, that could take time to crack, so ongoing access would be important for them. Thing is, they can't alert you to the fact they can access you, so they can't change your credentials, so what if you force the issue?

  9. Terry 6 Silver badge

    Irony

    On the rare occasions that I do get a call from my bank, requesting my personal info to identify myself, it's invariably turned out to be from their marketing dept.

    As in;

    "This is xyx Bank here, Mr. ZZZZZZ. Could I take you through security...! ..... Thank you. This is just a courtesy call to see if you would like to accept one of our over-expensive loans secured on your granny's life..."

    And yes, if it's not a call I'm expecting then these days I do go down the route of asking "How do I know it's you...etc" It's a matter of principle TBH.

  10. Anonymous Coward

    Unsolicited calls

    Just say no, then hang up.

    1. Anonymous Coward

      Re: Unsolicited calls

      And if they CALL BACK? AND claim to be a campaign caller so they can't be blocked due to First Amendment grounds?

  11. cosmogoblin
    FAIL

    When my bank calls me, I never talk to them, I always politely hang up, then call them back from the number printed on my card (not their website - it could be hacked).

    This should be ABSOLUTELY standard. "Good morning Mr X, this is HSBC. We need to talk to your urgently about your account. Please call us back on the number on the back of your card at your earliest convenience."

    But no, when I refuse to give out my security information to an unverified rep from a blocked number, and insist on calling back, they just don't get it. One of my favourite lines was "I guarantee I'm really from the bank. I wouldn't lie to you about that."

    1. JimmyPage Silver badge
      Stop

      I always politely hang up, then call them back from the number printed on my card

      And you do call from a different phone (ideally a mobile) don't you ?

      1. Gerry 3
        Boffin

        Re: I always politely hang up, then call them back from the number printed on my card

        Not a different phone, a different LINE. However, most exchanges will now drop a call within a few seconds of you clearing down, so the risk of a scammer holding the line open is much reduced.

  12. John Smith 19 Gold badge
    Unhappy

    The fonejacker is dead

    Long live the fonejacker.

    "Yes hello there I need all of your bank details to authenticate who you are."

  13. Anonymous Coward

    The whole system is flawed...

    Never mind giving out your password on the phone to a random, what about this nonsense of giving your credit card / debit card details to someone over the phone? Who's to say they're not sitting there, scribbling it all down for later use?

    If ever there was a fucking ridiculous system, it's that one.

    1. Anonymous Coward

      Re: The whole system is flawed...

      So you don't trust e-tailers, either, since they could easily take down your information then as well? Compromised clearing houses also show there's no refuge for ANY kind of credit card transaction, cardholder present or not. Not even cash is entirely safe thanks to sites like Where's George.

    2. Anonymous Coward

      Re: Who's to say they're not sitting there, scribbling it all down for later use?

      Their agreement with their card processor - and a documented, audited PCI-DSS review ???

      1. Anonymous Coward

        Re: Who's to say they're not sitting there, scribbling it all down for later use?

        Since when have auditors stopped anything? You can either just do it when the auditor isn't around or you can bribe the auditor.

  14. Rattus Rattus

    Fraud education in the national curriculum?

    What's that going to do to voting patterns in a decade or two?
