Why do banks ask you for your password when THEY call you?

Short post: why don't companies in the UK positively identify themselves before asking for a user's password when they call you over the phone?

I know that under the Data Protection Act they need to positively identify the account holder (as that is the only person they can give information to), but seriously, calling up, saying you are XXX company and then asking for the user's password is just plain wrong. It trains your users and customers to be more susceptible to social engineering attacks, and it is not just Sky and other retail companies that do it but also HSBC, Barclays and other banks. Just terrible. Such a classic contravention of Law 6: Human Integration.

I mean, is it so hard to do positive verification? For example, when customers register, ask them to provide a phrase that you repeat back to them on every call, or send a picture they selected via MMS to their registered phone. Just don't do it stupidly and use some really public piece of information like half the user's postcode or their address.

I also really dislike the idea of companies storing user passwords in reversible form (or not hashed/encrypted at all) so that anyone with helpdesk access can read them. The user should be able to enter their password using the phone keypad, use voice biometrics, or use a one-time password that is texted to their registered phone, which they read out to the helpdesk operator to key into the system.
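To make the two suggestions above concrete (the company proving itself with a registered phrase before asking for anything, and the customer authenticating with a one-time code sent to their registered phone or a keypad-entered password that the helpdesk never sees in the clear), here is an added worked example. It is not code from the original post or from any bank; the `FakeSms` gateway, the customer record and the phone number are constructed for the example, and the 300-second code lifetime and PBKDF2 parameters are assumptions.

```python
import hashlib
import hmac
import os
import secrets
import time
from dataclasses import dataclass
from typing import Callable, Optional

OTP_TTL_SECONDS = 300       # assumed lifetime of a spoken one-time code
PBKDF2_ROUNDS = 200_000     # assumed work factor for password hashing


@dataclass
class Customer:
    name: str
    registered_phone: str
    # Phrase the customer chose at registration; the company repeats it back
    # so the customer can tell a genuine call from a social-engineering one.
    recognition_phrase: str
    # Only a salted hash of the password is stored: helpdesk staff can verify
    # a keypad-entered password but never read it.
    password_salt: bytes
    password_hash: bytes
    # State of the current one-time code: its hash, issue time, and whether
    # it has already been consumed (codes are single use).
    otp_hash: Optional[bytes] = None
    otp_issued_at: Optional[float] = None
    otp_used: bool = False


def hash_password(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)


def register_customer(name: str, phone: str, phrase: str, password: str) -> Customer:
    salt = os.urandom(16)
    return Customer(name, phone, phrase, salt, hash_password(password, salt))


class FakeSms:
    """Stand-in for an SMS gateway (constructed): records each message sent."""

    def __init__(self) -> None:
        self.sent: list[tuple[str, str]] = []

    def send(self, number: str, text: str) -> None:
        self.sent.append((number, text))


def start_outbound_call(customer: Customer, sms: FakeSms,
                        now: Callable[[], float] = time.time) -> str:
    """Company side of the call. Returns the phrase the operator must read
    out first (the company authenticating to the customer), and texts a fresh
    one-time code to the registered phone for the customer to read back."""
    code = f"{secrets.randbelow(10**6):06d}"
    customer.otp_hash = hashlib.sha256(code.encode()).digest()
    customer.otp_issued_at = now()
    customer.otp_used = False
    sms.send(customer.registered_phone, f"Your verification code is {code}")
    return customer.recognition_phrase


def verify_spoken_code(customer: Customer, spoken_code: str,
                       now: Callable[[], float] = time.time) -> bool:
    """Operator keys in the code the customer reads out. A code is rejected
    if none was issued, if it was already used, or if it has expired; any
    attempt consumes it, so a wrong guess cannot be retried on the same code."""
    if customer.otp_hash is None or customer.otp_used:
        return False
    if now() - customer.otp_issued_at > OTP_TTL_SECONDS:
        return False
    customer.otp_used = True
    return hmac.compare_digest(
        hashlib.sha256(spoken_code.encode()).digest(), customer.otp_hash)


def verify_keypad_password(customer: Customer, entered: str) -> bool:
    """Password typed on the phone keypad (DTMF) and checked against the
    stored hash; the cleartext is never shown to the operator."""
    return hmac.compare_digest(
        hash_password(entered, customer.password_salt), customer.password_hash)


if __name__ == "__main__":
    gateway = FakeSms()
    # Constructed customer record; the number is in the UK fictional range.
    cust = register_customer("A. Customer", "+44 7700 900123", "blue teapot", "4821")
    phrase = start_outbound_call(cust, gateway)
    print("operator reads out:", phrase)
    delivered_code = gateway.sent[-1][1].split()[-1]
    print("customer reads back code, accepted:", verify_spoken_code(cust, delivered_code))
    print("same code reused, accepted:", verify_spoken_code(cust, delivered_code))
```

The order matters: the company proves itself (the phrase) before the customer gives anything, and what the customer gives is either a short-lived, single-use code or a password the operator only ever sees as a pass/fail result. A mis-keyed code burns it, so the operator simply sends a new one rather than retrying.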

What's your experience been with this?

Update on this after the HSBC fraud department called me. A lovely lady from India of course struggles to pronounce my name, surprisingly, but still insists on calling me Mr Samarasekera every time. Is it like a kidnap situation, where I'm supposed to do or feel X because she says my name a lot? She reads out her script: "I'm from HSBC fraud prevention..." etc. etc. "Now can you please give me JUST the date and month of your birthdate!"

Now what's wrong with this picture? I don't know what is worse: a poorly designed control or no control. Is it the former, as it gives you the illusion of security? Think about the attack tree here: someone has got my credit card details, so how did they get them? Let's say they stole, or I lost, my wallet. What else does my wallet contain? My driver's licence, with my date of birth on it. Also, she has not authenticated to me at all. Then she proceeds to read out my last transactions at a pace so fast and with such a bad accent that I have no hope of identifying them. So I just say yes, it's all fine, and check it myself on my statement. Would it not be better to just ask about the specific transaction that flagged the alert and why, or does that give away too much of the "secret" algorithm?

While I'm on the topic, I find HSBC fraud prevention amazing. They actually block your card if they suspect something and then put it in a queue for the Indian call centre to call you. All that time your card does not work... I got really upset with them once when I used my card in Geneva and then we drove to France to ski; when I tried my card there it didn't work. It took HSBC two days to call me, and in that whole time my card didn't work. Of course I just used my wife's card on the same account; apparently their software doesn't look for that correlation. In Australian banks, at least, we had the policy of calling the customer immediately upon detection of an unusual transaction, and if you can't get through, allowing the transaction (a kind of fail-open policy). I guess HSBC's is better for the bank but worse for the customer... I think I'm seriously going to look at moving to that new Metro Bank that's opening up here. Wonder who they hired for security? :)

1 comment:

  1. This is a long-standing issue of mine as well. I've called a few banks out on this very thing by asking them to verify to me who they say they are. Typically they find it very difficult to do because no one actually asks them to prove it. In some cases it is compounded by the fact that you can't even call them back directly due to call centre policies and the like.
    As you say, this type of behaviour reinforces all the bad habits that people often have already. For companies that supposedly take security seriously (or at the least should, even if they don't) it's an amazing oversight.