IT can't quell all phone-based transactions fears

Technologies such as two-factor authentication help add security layers to phone transactions, but also increase consumers' unease over divulging too much information. Observers add these features aren't foolproof.
Written by Ellyne Phneah, Contributor

Banks and financial institutions have beefed up their call center security processes with technologies such as two-factor authentication (2FA) and one-time password (OTP) log-in. But these have increased consumers' anxiety over divulging too much information over the phone, while industry watchers note that these features are not completely secure.

Singapore-based consumers ZDNet Asia spoke to expressed concerns over sharing too much information with call center operators during phone transactions. Housewife Lim Suet Hua, for one, said she feels a sense of paranoia when she calls up her bank. "It is your personal details you're handing [over] to [the operator]. What if the call center staff hacks into your bank account and steals all your money?"

Jasper Lee, a student, recognizes that banks have policies in place to protect their customers. However, he admitted to "feeling nervous" whenever he is asked to provide sensitive personal information to verify phone transactions.

One customer service officer working at a local bank shared that while most customers are "not apprehensive", some do "make noise" when account-related questions are asked.

"They don't understand why providing a name and an Identity Card (IC) number is insufficient. Anybody can provide [those details] and that is not safe," she said.

Phone banking security taken seriously
Victor Keong, partner of information protection and business resilience at KPMG Singapore, noted that phone banking remains a vital service as most people still prefer interacting with bank staff rather than with electronic systems.

With this in mind, banks and financial organizations do take their call center security very seriously, he said.

After all, call center staff have to access large amounts of customer data, which is why security measures are implemented at various layers--from operation processes such as segregation of duties and job rotation to system access controls and physical security, he explained in his e-mail.

The security focus is extended to consumers when they utilize phone banking services, Keong noted. Users would have to verify their identities through a unique PIN (personal identification number) or answer a set of personal questions before transactions can be processed. For 2FA, customers will need to provide the OTP issued to them via their mobile phones or token device to prevent fraud, he explained.

Customers should be careful
However, these measures are not without security shortcomings, the KPMG executive noted.

"Both methods do not help customers assess the identity of those who call them and claim that they are from the bank," Keong said. "The bad guy can perform phishing attacks on customers using a phone system and techniques called 'pretexting' or 'vishing'."

To address these threats, banks must increase customer awareness, he advised. Customers should not disclose their sensitive information if they receive calls from a stranger, and should call only the bank's phone banking number.

Jimmy Sng, advisory partner of security & technology at PricewaterhouseCoopers, added that banks should do away with asking customers a set of questions to verify their identity, to reduce the amount of information people have to reveal. PIN or two-factor authentication methods would help achieve this, he said.

In order to be completely secure, though, Gerry Chng, advisory partner at Ernst & Young Advisory, suggested that banks and customers be on the same page regarding security measures. "There are no silver bullets for security and it is important that the bank as well as their customers work together to jointly protect their banking accounts," he said.
