Authenticate properly or don't bother calling

Have you received a telephone call from your bank asking to 'confirm' a recent transaction? How can you be sure it was actually your bank calling?

A colleague recently made a AU$9 transfer from her online account to pay for an eBay purchase. For some reason the transaction must have failed one of the Commonwealth Bank's risk management tests because she soon received a call.

She was asked if she had used her account recently and the amount she transferred. The caller -- who apparently sounded like they were in an Indian call centre -- asked the usual authentication questions before identifying themselves.

This caused some stress for my colleague, who put the phone down wondering if the call was genuine or not.

Had she just been tricked into divulging her account details? She doesn't remember giving out passwords or anything obviously risky but these days, who knows exactly how much information is too much?

I have questioned whether banks should continue using e-mail for communicating with customers and this kind of phone call doesn't seem any safer.

The issue is about how banks can authenticate themselves to their customers in much the same way as the customers are expected to authenticate themselves to the bank before they are given any information about their account.

Adam Biviano, premium services manager at antivirus firm Trend Micro, also received a similar call, but being in the security game he refused to simply pass on his details.

The caller asked him if his name was Adam Biviano and when he said yes, they asked for his date of birth.

"All of a sudden we were at an impasse because I am not going to give my credentials away to somebody who is ringing up saying they are from my bank.

"The bank demands that you authenticate to them by answering some questions but I haven't seen any organisations yet that have any methods in place where they authenticate to you... that is a crucial piece of the puzzle that is missing," said Biviano.

Banks really need to get their acts together and figure out a way to fix this authentication problem; otherwise they may soon run out of ways to communicate with their customers.

Topics: Malware, Banking, Security

About

Munir first became involved with online publishing in 1998 when he joined ZDNet UK and later moved into print publishing as Chief Reporter for IT Week, part of ZDNet UK, a weekly trade newspaper targeted at Enterprise IT managers. He later moved back into online publishing as Senior News Reporter for ZDNet UK. Munir was recognised as Austr...