BankWest occasionally call me to discuss "a personal banking matter". Generally, it'll be one of
- You're overdrawn. Again. Give us some money.
- Your card has been used overseas. Again. Was it you?
- You're a few days late on your payment. Again. Give us some money.
The first is a business necessity - I do occasionally overstretch my card and Bankwest are right to chase me for it. The second is a nice courtesy and important for security. The third is slightly needless but understandable.
HOWEVER, the way BankWest goes about making these calls is extraordinarily bad practice. And you'll see why in a moment. Here's how it goes:
RING RING!
Me: "Oh, who's this? An unlisted number? It shows up as 'blocked' on my iPhone. I'd best ignore it. Probably a telemarketer or a recruiter"
(repeat several times through the day, eventually cave in and answer)
Me: "Hello?"
Stranger: "Hello, can I speak to [legal first name*] please?"
Me: (suspiciously) "Yes, this is he"
Stranger: "Hello, this is [name] calling from BankWest and I'd like to talk to you regarding a personal banking matter. Can I first get your Date of Birth?"
Me: "No. You can't".
Stranger: "Oh. Well, you see, I need to identify you before I can tell you anything"
Me: "Likewise"
Stranger: "Huh?"
At this point, a stalemate ensues, during which I'll usually berate the person on the other end of the line for lacking even a basic working knowledge of information security and mutual authentication schemes. I'll also, often, take them to task for repeatedly calling me through the day, interrupting my podcast listening and generally making me quite pissed off. I might tell them that I'm relatively sure that they actually are from BankWest, but that this is a simple matter of infosec principles. Sometimes I feel bad about giving them such a hard time, but then I remember that these people are representing a business that should know better.
Eventually, I'll agree that at some point I'll call BankWest back on their published customer service number, at which point we will be able to mutually authenticate. I'll know it's them, so I'll be comfortable providing my PII (Personally Identifying Information), and then they'll know it's me. Then we can talk. It's a quite simple handshake protocol.
Without such a handshake, I have no way to distinguish "[name] at BankWest" from "Fraudster at random blocked number". No way at all.
In fact, since BankWest seem to do this to all their customers, they're actually providing "Fraudster at random blocked number" with a pre-rolled gateway into identity theft. After all, it's not too hard to find out my first name, phone number and the fact that I have an account with BankWest. This, apparently, is all our friend the Fraudster would need to get my DoB, mother's maiden name and possibly other PII from me, all from the anonymity of a phone call.
A particularly convincing caller might be able to use such a position to ask for internet banking details, credit card numbers, bank account details and all manner of different things. He could even finish up the phone call by asking the customer to set up a new secret question, thereby getting PII that even BankWest doesn't have. Very simple indeed, when you know a little about infosec. Next thing you know, your bank account is empty, your house has been used as security on an overseas loan and your mother has been sold to the Russian Mafia.
So, BankWest, here's your new script for when you call me:
RING RING!
Me: "Oh, look, an 08 number. Someone is calling me from WA. Who could this be?"
(hits "answer")
Me: "Hello?"
Stranger: "Hello, can I speak to [legal first name*] please?"
Me: "Yes, this is he"
Stranger: "Hello, this is [name] calling from BankWest and I'd like to talk to you regarding a personal banking matter. So that we can both be sure we're talking to the right person, could I ask you to call us back on the freecall number as listed on our website or the back of your card? As you know, we encourage our customers to practice secure phone banking."
Me: "Certainly. I'd love to call back. I think I know what it's about. Is it OK if I call you back in, say, two or three hours?"
Stranger: "Yes, it is. Would you like us to give you a reminder tomorrow if you don't call us back by then?"
Me: "Yes, that might be quite useful, I am rather busy today. Thank you"
Stranger: "Thank you. And have a nice day"
Me: "You too"
Isn't that better? Happy Banking for the win. It's much more secure, and it requires little change to how things currently work, but it WILL train your customers into being a little more sensible with their PII, which after all is the lifeblood of any competently-executed identity theft scam.
Oh, there are other ways we could do it. We could do a two-way handshake on the initial phone call, but that would require me to pre-arrange a passphrase of some sort for the purpose, which you'd have to securely store. Or you could provide me with some sort of physical token such as an RSA token, but that's rather expensive and logistically difficult.
Or (and I like this one merely for its technical aspects) you could have a simple smartphone app or web applet which acts as a trusted key provider for mutual authentication keys. You read me a one-off code, I tap it into my app (or the Bankwest website), which verifies it and returns me two codes. One code I can read back to you, which you can then verify at your end, reading a final code back to me which should match my second code from the app, thereby completing the transaction. Yes, we could do a form of synchronous telephone Kerberos.
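The telephone-Kerberos idea above, worked through as an added example that is not the author's or Bankwest's code: a shared-secret challenge-response in Python where the bank's one-off code is a random nonce (the app derives the two spoken codes from it with HMAC rather than verifying the code on its own), and the bank only reads out code 2 after code 1 has checked out. The enrolment secret, class names and six-digit code length are assumptions made for the example.

```python
import hashlib
import hmac
import secrets

# Constructed demo secret; assumed to be provisioned to the customer's app at
# enrolment (the post does not say how the app obtains its key material).
SHARED_SECRET = b"constructed-enrolment-secret-for-demo"

def derive_codes(secret: bytes, challenge: str, digits: int = 6):
    """Both sides derive the same two short codes from the one-off challenge.
    Code 1 is read customer -> bank, code 2 is read bank -> customer."""
    mac = hmac.new(secret, challenge.encode(), hashlib.sha256).digest()
    # Two disjoint slices of the MAC, truncated to numbers a human can say aloud.
    code1 = f"{int.from_bytes(mac[:4], 'big') % 10**digits:0{digits}d}"
    code2 = f"{int.from_bytes(mac[16:20], 'big') % 10**digits:0{digits}d}"
    return code1, code2

class Bank:
    def __init__(self, secret: bytes):
        self.secret, self.challenge = secret, None

    def start_call(self) -> str:
        # Fresh random one-off code per call, so a recorded call cannot be replayed.
        self.challenge = f"{secrets.randbelow(10**8):08d}"
        return self.challenge

    def verify_customer(self, spoken_code1: str):
        expected1, expected2 = derive_codes(self.secret, self.challenge)
        if not hmac.compare_digest(expected1, spoken_code1):
            return None  # caller does not hold the enrolled secret: stop here
        return expected2  # released only after the customer has proved themselves

class CustomerApp:
    def __init__(self, secret: bytes):
        self.secret, self.codes = secret, None

    def enter_challenge(self, challenge: str) -> str:
        self.codes = derive_codes(self.secret, challenge)
        return self.codes[0]

    def verify_bank(self, spoken_code2: str) -> bool:
        return hmac.compare_digest(self.codes[1], spoken_code2)

def run_call(bank: Bank, app: CustomerApp) -> bool:
    """The spoken exchange: bank reads the challenge, customer reads code 1,
    bank reads code 2. True only if both parties authenticated each other."""
    code1 = app.enter_challenge(bank.start_call())
    code2 = bank.verify_customer(code1)
    return code2 is not None and app.verify_bank(code2)
```

A caller who does not hold the enrolled secret never gets past code 1, and a customer whose app produces a different code 2 knows the "bank" on the line is not the bank.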
These are all workable, but admittedly slightly complex options.
Or you could just have an identifiable caller ID on your initial contact, but I think the callback model requires the least re-engineering.
Feel free to implement this at your earliest convenience. I shall not, at this time, be charging a consultancy fee for information contained in this blog post, but I reserve the right to yell down the phone continually if nothing changes. And since I have whinged about this before, consider this a second strike. The third one may be less polite. Do not ask me for my date of birth over an unsecured channel again.
And finally, just a little excerpt from the January 2005 Financial Services Technology Consortium (now BITS) Report:
"Better institution-to-customer authentication would prevent attackers from successfully impersonating financial institutions to steal customers' account credentials; and better customer-to-institution authentication would prevent attackers from successfully impersonating customers to financial institutions in order to perpetrate fraud."
* Jason Brown is not my full legal name
posted @ Wednesday, November 16, 2011 1:04 PM