State of Flow: Do Banks Understand Security?::journal

Do Banks Understand Security?

Lance Walton - Tuesday August 1, 2006

Banks are helping fraudsters!

The security of online shopping and internet banking are subjects of frequent interest to the media – usually in response to the latest phishing scam or some bungle of the organisations who hold our details.

Given this sad state of affairs, I find it strange that every now and then, the fraud department of one of my banks phones me and this is how the conversation starts:

Me (picking up the phone): Hello. Lance Walton.
Security Person: Hello Mr. Walton. My name is Joe Bloggs and I’m calling from the Mega-Bank Fraud Department. I need to confirm that a recent transaction on your account was not fraudulent.
Me: OK.
Security Person: Before I proceed, I need to confirm that you are who you say you are.
Me (thinking): WTF? You called me!
Me [1]: Errr…. OK.
Security Person: Can you tell me < some piece of information about me that's so much in the public domain it has no value whatsoever - e.g. my date of birth >
Me (thinking): Good grief! Is that the best you’ve got?
Me: OK. 25 April 1969
Security Person: Good. Now can you tell me the second and fourth character of your online password?
Me (thinking): !!!!
Me: Ummm…. I don’t think I should do that.
Security Person: ... I’m sorry?
Me: I don’t think I should give you that information.
Security Person: Mr. Walton, I’m afraid we can’t proceed unless you give me this information.

And so it goes. They offer all sorts of information to try to convince me that they are who they say they are but none achieves anything like the level of security that they require of me.

What’s my problem with this? Social engineering, that’s what.

The banks are getting customers used to people phoning them and asking for security information. The people who call even try to argue with you and persuade you they must obviously be legitimate; ‘I can tell you the security code on the back of your card if you like’. The very same one that I give to Domino’s Pizza whenever I place a phone order. Clearly an item of significant cryptographic worth – if only Turing had thought of it at Bletchley… One even tried to use the fact that he could tell me all of the information on the front of my debit card as a means of proving his legitimacy [2].

Now, given that most internet banking services restrict passwords ridiculously [3], exactly how many of these kinds of phone calls would it take to get the full password from someone more trusting than me [4]? This is made particularly easy since most services also do not allow you to change your password online but instead, require you to phone them or snail-mail a form [5], which I doubt is something that most users do frequently.

So with a few phone calls over a 6 month period, a scammer could extract the full password from a more naive individual who has been trained to expect such calls by the very bodies that are supposed to be protecting them.
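The question raised above, how many "second and fourth character" calls it takes before the whole password has been disclosed, can be worked out exactly. The code below is an added example, not part of the original post; it assumes each call asks for r positions chosen uniformly at random from an n-character password and that the customer answers every call, and it gives the expected number of calls plus the number needed to reach a chosen probability of full disclosure, which is the figure a bank should look at when deciding how much of a credential its own verification process leaks over time.

```python
from fractions import Fraction
from math import comb


def _reveal_probs(n, k, r):
    """Hypergeometric probabilities: r distinct positions are asked for,
    chosen uniformly from n, while k positions are still undisclosed.
    Returns {j: P(exactly j of the r positions are new)}."""
    total = comb(n, r)
    return {j: Fraction(comb(k, j) * comb(n - k, r - j), total)
            for j in range(min(k, r) + 1) if r - j <= n - k}


def expected_calls(n, r):
    """Expected number of calls until every one of the n positions has
    been asked for at least once, i.e. the full password is disclosed."""
    if not 0 < r <= n:
        raise ValueError("need 0 < positions per call <= password length")
    e = [Fraction(0)] * (n + 1)          # e[k]: expected calls with k unknown
    for k in range(1, n + 1):
        p = _reveal_probs(n, k, r)
        # A call revealing nothing new (j == 0) is a self-loop; solve for e[k].
        e[k] = (1 + sum(p[j] * e[k - j] for j in p if j)) / (1 - p.get(0, 0))
    return e[n]


def prob_fully_revealed(n, r, calls):
    """Probability that all n positions have been asked for after `calls` calls."""
    dist = {n: Fraction(1)}              # distribution over undisclosed count
    for _ in range(calls):
        nxt = {}
        for k, mass in dist.items():
            for j, pj in _reveal_probs(n, k, r).items():
                nxt[k - j] = nxt.get(k - j, Fraction(0)) + mass * pj
        dist = nxt
    return dist.get(0, Fraction(0))


def calls_for_confidence(n, r, confidence):
    """Smallest number of calls after which the whole password has been
    disclosed with probability >= confidence."""
    m = 0
    while prob_fully_revealed(n, r, m) < confidence:
        m += 1
    return m


if __name__ == "__main__":
    # Constructed policies: 6- and 9-character passwords, two positions per call.
    for n in (6, 9):
        print(f"{n} chars, 2 per call: {float(expected_calls(n, 2)):.1f} calls"
              f" on average; {calls_for_confidence(n, 2, 0.9)} for 90% disclosure")
```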


[1] I’m British, so I proceed. Sigh.

[2] Do these people have any training in security mechanisms?

[3] Typically between 6 and 9 alpha-numeric characters only. Some also require mixing of case and alpha-numeric characters, thus reducing the search space.

[4] I’ll leave that one as an exercise for the reader.

[5] Bizarre. If the security is good enough to let you make payments, etc., why not let you change your password?

1. mummy, Saturday August 26, 2006

    :-) Now they all know your birthdate, your nationality, you eat pizzas from Dominos, and have a good soh