Authenticate properly or don't bother calling
Have you received a telephone call from your bank asking to 'confirm' a recent transaction? How can you be sure it was actually your bank calling?
A colleague recently made a AU$9 transfer from her online account to pay for an eBay purchase. For some reason the transaction must have failed one of the Commonwealth Bank's risk management tests because she soon received a call.
She was asked if she had used her account recently and the amount she transferred. The caller -- who apparently sounded like they were in an Indian call centre -- asked the usual authentication questions before identifying themselves.
This caused some stress for my colleague, who put the phone down wondering if the call was genuine or not.
Had she just been tricked into divulging her account details? She doesn't remember giving out passwords or anything obviously risky but these days, who knows exactly how much information is too much?
I have questioned whether banks should continue using e-mail for communicating with customers and this kind of phone call doesn't seem any safer.
The issue is about how banks can authenticate themselves to their customers in much the same way as the customers are expected to authenticate themselves to the bank before they are given any information about their account.
Adam Biviano, premium services manager at antivirus firm Trend Micro also received a similar call but being in the security game he refused to simply pass on his details.
The caller asked him if his name was Adam Biviano and when he said yes, they asked for his date of birth.
"All of a sudden we were at an impasse because I am not going to give my credentials away to somebody who is ringing up saying they are from my bank.
"The bank demands that you authenticate to them by answering some questions but I haven't seen any organisations yet that have any methods in place where they authenticate to you... that is a crucial piece of the puzzle that is missing," said Biviano.
Banks really need to get their acts together and figure out a way to fix this authentication problem otherwise they may soon run out of ways to communicate with their customers.