Authenticate properly or don't bother calling

Have you received a telephone call from your bank asking to 'confirm' a recent transaction? How can you be sure it was actually your bank calling?

A colleague recently made an AU$9 transfer from her online account to pay for an eBay purchase. For some reason the transaction must have failed one of the Commonwealth Bank's risk management tests because she soon received a call.

She was asked if she had used her account recently and the amount she transferred. The caller -- who apparently sounded like they were in an Indian call centre -- asked the usual authentication questions before identifying themselves.

This caused some stress for my colleague, who put the phone down wondering if the call was genuine or not.

Had she just been tricked into divulging her account details? She doesn't remember giving out passwords or anything obviously risky but these days, who knows exactly how much information is too much?

I have questioned whether banks should continue using e-mail for communicating with customers and this kind of phone call doesn't seem any safer.

The issue is about how banks can authenticate themselves to their customers in much the same way as the customers are expected to authenticate themselves to the bank before they are given any information about their account.

Adam Biviano, premium services manager at antivirus firm Trend Micro, also received a similar call, but being in the security game he refused to simply pass on his details.

The caller asked him if his name was Adam Biviano and when he said yes, they asked for his date of birth.

"All of a sudden we were at an impasse because I am not going to give my credentials away to somebody who is ringing up saying they are from my bank.

"The bank demands that you authenticate to them by answering some questions but I haven't seen any organisations yet that have any methods in place where they authenticate to you... that is a crucial piece of the puzzle that is missing," said Biviano.

Banks really need to get their acts together and figure out a way to fix this authentication problem, otherwise they may soon run out of ways to communicate with their customers.

Topics: Malware, Banking, Security

Munir Kotadia

About Munir Kotadia

Munir first became involved with online publishing in 1998 when he joined ZDNet UK and later moved into print publishing as Chief Reporter for IT Week, part of ZDNet UK, a weekly trade newspaper targeted at Enterprise IT managers. He later moved back into online publishing as Senior News Reporter for ZDNet UK.

Munir was recognised as Australia's Best Technology Columnist at the 5th Annual Sun Microsystems IT Journalism Awards 2007. In the previous year he was named Best News Journalist at the Consensus IT Writers Awards.

He no longer uses his Commodore 64.


Talkback

6 comments
  • Completely agree!

    Interestingly enough, I just blogged on a very similar issue last month (http://ianyip.blogspot.com/2006/11/now-for-compelling-event.html).

    Half the problem is the banks and their lack of thought in this area. The other half of the problem is us as customers and users. We're so conditioned to accepting bad security practices (even those of us in IT security who occasionally have "stupid" moments) that there aren't enough of us forcing their hand by telling the banks that it's not good enough. If enough of us refused to deal with the banks this way, they'd have to change the process.
    anonymous
  • Easy fix for authentication

    I've had my bank call - there is a VERY easy way to authenticate the call:

    I call back.

    NOT a number provided by the person calling me (who could feed me a bogus number as well) but the bank's published phone number.

    If it's legit, we take care of the problem. If the original call was bogus, the real bank has no idea what I'm talking about.
    Problem solved!
    anonymous
  • Authenticate properly or don't bother calling

    I
    anonymous
  • not just banks...

    It's not just banks that do this. We've had Telstra try this too.

    My wife and I flatly refuse to divulge any personal details at all to anyone who rings us, even so far as to refuse to answer questions like "Am I speaking to Mr so and so", especially if there is a hint of an accent on the phone.
    anonymous
  • nice idea

    That's a great idea - I will do that next time for sure.
    anonymous
  • Authentication is essential infrastructure

    There is a simple solution; the problem is that everyone wants to 'own' it. Banks will promote any rubbish 'solution' in order to own it, and telcos want to own it and make us pay too much to be able to do it, and we'd need to trust them.
    In the end all these flawed attempts will disappear because they are flawed, and designed to generate income rather than solve the problem of what is essentially missing infrastructure.

    ID and trust is essential infrastructure for the 21st and every other century.

    We are providing a mobile solution which authenticates both parties, without any exchange of personal data, and it works on every phone for every purpose.

    The smart card lobby are 'throwing' a lot of money at promoting their solution into government and that's why we're seeing all these ID card proposals costing billions of dollars.
    Whether the governments spend a lot of money on a flawed solution basically comes down to influence - money.

    The best thing you can do is express your displeasure at any proposal to spend billions on ID cards and suggest we use mobiles instead and spend the money on education and reducing both government and corporate corruption. One leads to the other.

    For instance the tender process is still open to abuse - the government merely precludes any solution which it hasn't already approved by specifying the system they have already approved. In the case of the ID card replacement - 'The Whole of Government Identity Project' they have made the tender process incomprehensible and reliant on using some potentially dud system they already spent millions on and have to keep to justify keeping their jobs. It's bound to be exactly the same system they supposedly already canned and have now renamed, rebirthed and divided up between the different government departments.

    Ultimately mobile identity and trust is the big fix for a digital society where we can't trust any of the technology we use, like email, phones, cards, merchants, banks, or even that the person at the door is a real whatever they claim to be.

    The smart card lobby would see us installing readers everywhere - we'd need as many as cards in order for a lame-brained smart card system to have any chance and that's something even a teenager would counsel against. I suppose they'll offer to implant the readers in our heads like some idiots have suggested we do with their dumb 'smart' chips.

    It seems to have escaped their attention that there are already mobile phones in almost everyone's pockets in Australia and half the world's population have one, but despite the rhetoric the new government is merely a new poster on the wall with the real government running along just as it always has, in this case undermining the best intentions of the new poster boy.
    anonymous