A new script for @BankWest

BankWest occasionally call me to discuss "a personal banking matter". Generally, it'll be one of

  • You're overdrawn. Again. Give us some money.
  • Your card has been used overseas. Again. Was it you?
  • You're a few days late on your payment. Again. Give us some money.

The first is a business necessity - I do occasionally overstretch my card and Bankwest are right to chase me for it. The second is a nice courtesy and important for security. The third is slightly needless but understandable.

HOWEVER, the way BankWest goes about making these calls is extraordinarily bad practice. And you'll see why in a moment. Here's how it goes

RING RING!

Me: "Oh, who's this? An unlisted number? It shows up as 'blocked' on my iPhone. I'd best ignore it. Probably a telemarketer or a recruiter"

(repeat several times through the day, eventually cave-in and answer)

Me: "Hello?"

Stranger: "Hello, can I speak to [legal first name*] please?"

Me: (suspiciously) "Yes, this is he"

Stranger: "Hello, this is [name] calling from BankWest and I'd like to talk to you regarding a personal banking matter. Can I first get your Date of Birth?"

Me: "No. You can't".

Stranger: "Oh. Well, you see, I need to identify you before I can tell you anything"

Me: "Likewise"

Stranger: "Huh?"

At this point, a stalemate ensues, during which I'll usually berate the person on the other end of the line for lacking even a basic working knowledge of information security and mutual authentication schemes. I'll also, often, take them to task for repeatedly calling me through the day, interrupting my podcast listening and generally making me quite pissed off. I might tell them that I'm relatively sure that they actually are from BankWest, but that this is a simple matter of infosec principles. Sometimes I feel bad about giving them such a hard time, but then I remember that these people are representing a business that should know better.

Eventually, I'll agree that at some point I'll call BankWest back on their published customer service number, at which point we will be able to mutually authenticate. I'll know it's them, because I dialled a number I got from their website or the back of my card rather than from the caller, so I'll be comfortable providing my PII (Personally Identifiable Information), and then they'll know it's me. Then we can talk. It's a quite simple handshake protocol.

Without such a handshake, I have no way to distinguish "[name] at BankWest" from "Fraudster at random blocked number". No way at all.

In fact, since BankWest seem to do this to all their customers, they're actually providing "Fraudster at random blocked number" with a pre-rolled gateway into identity theft. After all, it's not too hard to find out my first name, phone number and the fact that I have an account with BankWest. This, apparently, is all our friend the Fraudster would need to get my DoB, Mother's maiden name and possibly other PII from me, all from the anonymity of a phone call.

A particularly convincing caller might be able to use such a position to ask for internet banking details, credit card numbers, bank account details and all manner of different things. He could even finish up the phone call by asking the customer to set up a new secret question, thereby getting PII that even BankWest doesn't have. Very simple indeed, when you know a little about infosec. Next thing you know, your bank account is empty, your house has been used as security on an overseas loan and your mother has been sold to the Russian Mafia.

So, BankWest, here's your new script for when you call me

RING RING!

Me: "Oh, look, an 08 number. Someone is calling me from WA. Who could this be?"

(hits "answer")

Me: "Hello?"

Stranger: "Hello, can I speak to [legal first name*] please?"

Me: "Yes, this is he"

Stranger: "Hello, this is [name] calling from BankWest and I'd like to talk to you regarding a personal banking matter. So that we can both be sure we're talking to the right person, could I ask you to call us back on the freecall number as listed on our website or the back of your card? As you know, we encourage our customers to practice secure phone banking."

Me: "Certainly. I'd love to call back. I think I know what it's about. Is it OK if I call you back in, say, two or three hours?"

Stranger: "Yes, it is. Would you like us to give you a reminder tomorrow if you don't call us back by then?"

Me: "Yes, that might be quite useful, I am rather busy today. Thank you"

Stranger: "Thank you. And have a nice day"

Me: "You too"

Isn't that better? Happy Banking for the win. It's much more secure, and it requires little change to how things currently work, but it WILL train your customers into being a little more sensible with their PII, which after all is the lifeblood of any competently-executed identity theft scam.

Oh, there are other ways we could do it. We could do a two-way handshake on the initial phone call, but that would require me to pre-arrange a passphrase of some sort for the purpose, which you'd have to securely store. Or you could provide me with some sort of physical token such as an RSA SecurID, but that's rather expensive and logistically difficult.

Or (and I like this one merely for its technical aspects) you could have a simple smartphone app or web applet which acts as a trusted key provider for mutual authentication codes. You read me a one-off code, I tap it into my app (or the Bankwest website), which verifies it and returns me two codes. One code I can read back to you, which you can then verify at your end, reading a final code back to me which should match my second code from the app, thereby completing the handshake. Yes, we could do a form of synchronous telephone Kerberos.
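The four spoken codes in the previous paragraph, written out as an added example. This is not Bankwest's code and the post specifies no construction beyond the exchange itself; the design here is my assumption: the app was enrolled with a per-customer secret key shared with the bank, both codes are HMAC-SHA256 outputs truncated HOTP-style to six digits so they can be dictated, a role label is mixed into each code so the customer's code can never be reflected back as the bank's, and the bank retires each one-off code after a single attempt. Class and function names are mine; the keys are constructed inline.

```python
import hashlib
import hmac
import secrets

CODE_DIGITS = 6


def _code(key: bytes, role: bytes, nonce: str) -> str:
    """Derive a six-digit, dictation-friendly code from the enrolled key, a role label and
    the one-off challenge. The role label gives domain separation: the code the customer
    reads out can never be replayed back to them as the bank's proof code."""
    mac = hmac.new(key, role + b"|" + nonce.encode("ascii"), hashlib.sha256).digest()
    offset = mac[-1] & 0x0F                     # dynamic truncation, as in RFC 4226 (HOTP)
    value = int.from_bytes(mac[offset:offset + 4], "big") & 0x7FFFFFFF
    return str(value % 10 ** CODE_DIGITS).zfill(CODE_DIGITS)


class BankSide:
    """The bank's end: knows the customer's enrolled key and which challenges are live."""

    def __init__(self, customer_key: bytes):
        self._key = customer_key
        self._live = set()      # challenges read out on this call and not yet answered
        self._used = set()      # challenges already answered (right or wrong): never reused

    def start_call(self) -> str:
        """The 'one-off code' the operator reads to the customer."""
        nonce = secrets.token_hex(4)
        self._live.add(nonce)
        return nonce

    def verify_customer(self, nonce: str, customer_code: str):
        """Check the code the customer reads back. One attempt per challenge: a wrong
        answer retires the challenge, so a caller cannot cycle through the 10^6 codes.
        Returns the bank's own proof code on success, None on failure."""
        if nonce not in self._live or nonce in self._used:
            return None
        self._live.discard(nonce)
        self._used.add(nonce)
        expected = _code(self._key, b"customer", nonce)
        if not hmac.compare_digest(expected, customer_code):
            return None
        return _code(self._key, b"bank", nonce)


class CustomerApp:
    """The customer's app: holds the same enrolled key as the bank."""

    def __init__(self, enrolled_key: bytes):
        self._key = enrolled_key

    def respond(self, nonce: str):
        """Returns (code to read to the caller, code the caller must then read back)."""
        return _code(self._key, b"customer", nonce), _code(self._key, b"bank", nonce)


class ImpostorBank:
    """A caller who knows the customer's name and number but not the enrolled key."""

    def start_call(self) -> str:
        return secrets.token_hex(4)

    def verify_customer(self, nonce: str, customer_code: str):
        return "000000"      # accepts anything, then has to guess the bank's proof code


def run_handshake(bank, app):
    """Drive the exchange; each side verifies the other before anything else is said."""
    nonce = bank.start_call()                                    # bank -> customer
    to_bank, expected_from_bank = app.respond(nonce)             # app derives both codes
    bank_proof = bank.verify_customer(nonce, to_bank)            # customer -> bank
    if bank_proof is None:
        return False, "bank rejected customer"
    if not hmac.compare_digest(bank_proof, expected_from_bank):  # bank -> customer
        return False, "customer rejected bank"
    return True, nonce


if __name__ == "__main__":
    key = secrets.token_bytes(32)            # shared at enrollment; constructed here
    print(run_handshake(BankSide(key), CustomerApp(key)))                      # (True, nonce)
    print(run_handshake(ImpostorBank(), CustomerApp(key)))                     # customer rejects
    print(run_handshake(BankSide(key), CustomerApp(secrets.token_bytes(32))))  # bank rejects
```

What this does and does not buy: the caller proves knowledge of the enrolled key for this specific challenge, which a fraudster armed with a first name, a phone number and a blocked caller ID cannot do, and the bank learns nothing about the customer that it did not already hold. It does not, by itself, stop a real-time relay attacker who is on the phone to the customer and to the bank's inbound line at the same moment; the inbound line would need to run the same handshake, and the bank should only accept an answer to a challenge it issued on that very call.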

These are all workable, but admittedly slightly complex options.

Or you could just have an identifiable caller ID on your initial contact, but I think the callback model requires the least re-engineering.

Feel free to implement this at your earliest convenience. I shall not, at this time, be charging a consultancy fee for information contained in this blog post, but I reserve the right to yell down the phone continually if nothing changes. And since I have whinged about this before, consider this a second strike. The third one may be less polite. Do not ask me for my date of birth over an unsecured channel again.

And finally, just a little excerpt from the January 2005 Financial Services Technology Consortium (now BITS) report:

"Better institution-to-customer authentication would prevent attackers from successfully impersonating financial institutions to steal customers' account credentials; and better customer-to-institution authentication would prevent attackers from successfully impersonating customers to financial institutions in order to perpetrate fraud."

 

* Jason Brown is not my full legal name

posted @ Wednesday, November 16, 2011 1:04 PM


Comments on this entry:

# re: A new script for @BankWest

Left by BastardSheep at 11/16/2011 1:37 PM
Commbank already do this approach, which leaves me very impressed. I regularly forget to pay my credit card in time so every few months get a call to remind me that it's now due.

However, when the call comes through it's from an unlisted number and is a recorded message saying to call the bank. It gives the number (which isn't too good), but I can also check on my card/the banks website.

Only upon calling them back will they tell me anything regarding what it's about.

It's good to see what bank can get at least SOME things right. ;)

# re: A new script for @BankWest

Left by Jason at 11/16/2011 1:41 PM
I was under the impression Commbank owned (or at least were heavily invested in) BankWest?

I'd probably not be happy about the robocall aspect, but it's at least more secure. Apart from the "giving out the number on the call" bit. Does anyone in Australian banking actually follow these thoughts through to their logical conclusion?

# re: A new script for @BankWest

Left by The Vicar at 11/16/2011 6:11 PM
On the whole, banks do not really understand security, and the rare occasions when they know what they're doing they try to weasel out of doing it right. Seriously. I think the only reason that criminal hackers don't wipe out the banking system is that transferring the money out would leave a trail. If a criminal hacker ever decides to donate money to charity instead of just keeping it, the evidence suggests that they'll be able to wipe out the major institution of their choice with ease.

Nearly all online bank authentication in the U.S. relies on what has been called "wish it was two-factor security". (See thedailywtf.com/Articles/WishItWas-TwoFactor-.aspx which page I have linked to at signature) Strictly speaking, it's illegal -- federal law requires real two-factor security for online banking transactions. But since the banks have bought and paid for both national parties, nobody ever points this out.

# re: A new script for @BankWest

Left by anonymousType at 11/17/2011 10:04 AM
I'm pretty sure the cost of compliance is always going to be higher than the cost of reimbursing the victims of fraud. Otherwise the banks would have increased personal security measures long ago. It's an issue of cost/risk rather than some argument about usage or being too stupid to do it properly.

# re: A new script for @BankWest

Left by Jason at 11/17/2011 10:37 AM
Yeah, the cost of good security to BankWest is quite possibly higher than the cost of merely covering the current background level of fraud.

But firstly, that background level can and will fluctuate, and it's NOT independent of BankWest's security measures. It will go down based on better security, and it will go up based on worse security. Economically speaking, banks will be looking for a sweet-spot where they're getting maximum milk for minimum moo.

Secondly, the cost to an individual who becomes a victim of fraud is exponentially larger than any cost to the bank. I'm not that likely to get caught out by this, but think of your grandma, or your uncle who isn't all that savvy, or your cousin who's just got her first credit card even though she lives hand to mouth most months... they're the real potential losers in this.

After all, about 18% of Australians got sucked in by scammers in 2009:

www.smh.com.au/...

Thirdly, winding up tech-savvy blogging, tweeting, Facebooking types is pretty bad PR.

# re: A new script for @BankWest

Left by Daniel Sinnott at 11/19/2011 2:38 PM
I like the two-way handshake idea, it reminds me of the countersigns in Get Smart.

Sign: The wingless dove protects its nest.
CS: The toothless tiger rules the restless jungle.

That would be so cool

# re: A new script for @BankWest

Left by Jason at 11/23/2011 1:20 PM
I got another call yesterday and yet another today.

Yesterday's went:

BW: "To protect your privacy can you confirm your full name and date of birth?"
Me: "How exactly does that protect my privacy?"
BW: "errrrrrrrr"
Me: "I'll tell you, it doesn't. Now please stop calling me"

Today's was much the same

BW: "To protect your privacy can you confirm your full name and date of birth?"
Me: "No, because frankly that's anything *but* privacy protection. Please stop doing this. I know why you're calling, I have internet banking that allows me to check my account status. Just stop now"
BW: "I understand your concern but blah blah blah"
Me: "No, seriously, just stop. This is getting absurd" *click*

So now I've moved this blog to http://bit.ly/BankWest and will be increasing the noise I make over social media. If they want to troll me, I'm happy to fight back.

# re: A new script for @BankWest

Left by Jason at 11/23/2011 1:38 PM
And then there's this tweet from DIngram. Is anyone awake over at BankWest?

".@BankWest say in their emails never to click a link to log into their website, and then provide a clickable link. Not the brightest ..."

http://bit.ly/vtFcpe

# re: A new script for @BankWest

Left by Adrian Clark at 11/23/2011 1:42 PM
I've also taken the BankWest callers to task over their blocked number. You may be interested to know that I was told it isn't actually BankWest calling you for the "give us money" calls but an external contractor.

The person I spoke to said that they understand but that BankWest didn't allow them to have their number visible or leave messages if the call was not answered. I've got no evidence that this is the case & not just something this caller made up, however it fits their operation.

After talking with a friend who once worked in collections calls he mentioned that it is a legal requirement that they use this sort of information to confirm that someone else hasn't just answered the phone. He said his understanding was the law only allowed them 3 calls per week if the call is answered or if they leave a message. The loophole here is that if they simply call & hang up on voicemail they can call as much as they like.

# re: A new script for @BankWest

Left by Harpy at 11/23/2011 1:45 PM
Citibank do this all the time too. Call multiple times a day from a blocked number and as a bonus have a dodgy auto-dial service just like crappy telemarketers so that if the system doesn't quite catch your "hello?", it cuts out.

Last time someone actually got through to me, I said much the same thing as you did, and the guy on the line actually sighed and said in a patronizing tone "I see you did this last time when we called". Why yes, yes I probably did. My file with Citibank apparently has me down as some kind of troublemaker because I don't like giving out details to blocked numbers.

# re: A new script for @BankWest

Left by Jason at 11/23/2011 1:58 PM
Ironically enough I just got a Twitter DM from @BankWest , who have obviously noticed someone making noise.

Have a guess what they offered?

Yes, they'd have someone call me.

/facepalm

# re: A new script for @BankWest

Left by Dave The Happy Singer at 11/23/2011 2:12 PM
^ That is hilarious.

(And yes, CBA bought BankWest from HBOS when the latter fell victim to the GFC)

# re: A new script for @BankWest

Left by Jason at 11/24/2011 6:15 PM
Response to me from Bankwest's CS representative:

Good Afternoon

Thank you for your email below.

Taking into account your needs, would you consider being given the Bankwest
direct contact number to discuss your account. That will alleviate your
concerns outlined below and will ensure that you have the comfort and
confidence that you are contacting Bankwest, and not a third party.

The contact number is 1300 787 144.

I hope the above is to your satisfaction and suits your requirements, if
not, please feel free to contact me again.

Regards


Linda Van Gent
Customer Advocacy Manager



My reply:

Linda, you appear to have completely missed the point. Try reading the email again.


J

If I get the same in response, they'll get the "CAN I SPEAK TO A GROWNUP?" response.

# re: A new script for @BankWest

Left by anarchic teapot at 12/3/2011 6:21 AM
I had a similar experience with a local family allowances office (not in Oz). I called for info.
Anonymous receptionist: I need your account number and password to access your file
Me: It's a confidential password. That's what passwords are for. I certainly cannot tell you that, it would negate the whole reason for having one.
Anonymous receptionist: I'm sorry, but I can't access your file without it.
Me: You don't have ANY specially-configured access as an authorised representative of (organisation)?
Anonymous receptionist: No. You have to tell me your password.
Me: No. Please tell your supervisors and IT department that they're fucking idiots. Thank you. *hangs up*