A little while ago I wrote about the poor security procedures that some banks had in place. The BBC have an article on today’s edition of their news website about tactics scammers use, called “How to stay off the suckers list”. The common theme is that you have to be constantly vigilant about the situation or the scammers will get away with your money or belongings. However, how do you tell the difference? One reader summed it up succinctly:
The thing that always amazes me is when your bank rings up and asks you to answer some security questions. They could be anyone, and yet they always seem surprised when you ask them to prove who they are.
John James, London
And another wrote:
A further bit of advice when checking oseut credentials is not to ring the number on the ID card shown but to get the official number via the telephone book.
Peter Lockwood, Loughborough
I totally agree with both these sentiments. As I mentioned previously, when my bank’s fraud department rang, I verified the phone number left in the voicemail message, and when I couldn’t correlate it to any existing correspondence I had with my bank I phoned their customer service department. I spoke at length about the security implications of what they had done, but despite the assurances of the person I spoke to, I still have the nagging feeling that it wasn’t going to be taken any further.
NOTE: This was rescued from the Google Cache. The original was dated: Tuesday, 7th February 2006.
We got cold-called today by some kind of business directory company. I didn’t talk to them, my colleague did. Towards the end of the conversation, as a ‘security question’ he got asked his place of birth. He refused to give it. The telesaleswoman said that she calls 400 people every day and he’s the first to refuse. He refused again and asked why she needed it. Allegedly it was to confirm to her supervisor, should he call, that she had indeed spoken to us.
In the end to get rid of her he simply lied.
My dad says that for his online bank account, he actually hasn’t answered any of the questions as stated. Instead he’s supplied other information which he can remember based on the information he was asked for. I’m not that smart – I couldn’t even remember the right answers to some of the questions (e.g. ‘memorable name’ – clearly not that memorable!)
I completely agree with John James’ comments too about two way verification. If I get called by my bank, telco etc., I always request certain information from them to make sure they are who they say they are. It absolutely works both ways. I am also always surprised when they do not expect it. Recently, BT received a call from my partner to report a fault on our line. She is not the account holder, nor is she documented anywhere as living there (apart from council tax, data BT does not have access to), however BT were more than happy to disclose details about my account and even went so far as to divert calls to her mobile number (big security risk – what if I was having an affair or what if she wasn’t indeed my partner – easy trick to pull off!!!). Obviously, this is all going in my letter to them (they finally managed to fix my fault after 6 weeks).
Anyway, back to work for me.
Thanks Colin for the SQL injection attacks article on codeproject.com