Posted by: David Scott
authenticating questions, authentication, authentication questions, bank security, data breach, data security, data theft, financial security, ID theft, info security, information security, security plans, security policies, security policy, security question, security questions
Something interesting happened to me the other day. There was an unauthorized debit made to my checking account in the amount of $150 and some change by an entity that was unknown to me. I was reasonably certain that I hadn’t conducted any business with them.
These days, as most readers probably know, breaches involving bank accounts usually involve modest amounts. The thieves hope that a small unauthorized withdrawal flies under the radar, and they would rather hit several accounts for modest amounts than hit one account for a massive withdrawal, which is sure to draw unwanted attention and, with luck (for us), get thwarted.
When I called my bank of 30+ years to report an unauthorized transaction, the initial contact was with a representative who was mostly concerned with telling me what he (and the bank) could not do for me, their customer. He explained that he could “delete” the transaction, but that the offending party could simply resubmit it. He suggested that I call the entity and discuss the transaction with them. I patiently explained that they might not be the originating party; someone could be spinning the unauthorized transaction through them. His counsel was to contact them nonetheless. Having already Googled them, I called…
That entity, a web services company, was sympathetic. Of course, in order to validate whether I was a customer or not, they wanted… my name and address; the last six digits of the debit card; the three security digits on the back; as well as other things. All of this to “look me up” and determine whether I was even a customer of theirs, before getting to the question of the transaction.
My question to them was – how do I know you are who you say you are? And, how do I know you’re a legitimate company, and not simply gleaning personal details and financial authentication information from people? Fortunately, they were ultimately able to determine that I was not a customer with my name, primarily, and that they had not issued the charge to my account.
I called my bank back, and I’d like to credit the second representative with some intelligence. He deleted the transaction and, in his words, “blew the bridge” to the card by cancelling the card and reissuing a new one. Thank you. I wish I had thought of it. But that first rep had me thinking that the transaction had to be honored by the bank. Hmmm… after all, what good is my word? I’m just a customer in good standing for more than 30 years.
But my question to you, dear reader, is this: when you call your bank, or any business such as the one I had to contact, or any agency that wants things such as your address, the last four of your SSN, your mother’s maiden name, your birth date, and essentially wants exposure of all sorts of security data and answers to security questions: how do you know to whom you are speaking? What is your security question to them, with the attendant (and correct) security answer(s) provided to you for your comfort and for your identification of them?
Phone numbers can be hijacked. What if, when you call your bank’s number, you instead reach a nefarious party out to harm you? Consider: what if your bank’s web page is taken over, or substituted, and you dial a number posted there that goes to a hacking outfit out to grab your details, and your money?
As breaches and thefts become ever more clever, watch for breaches to become mere springboards: a theft that causes an individual to place a call, which in turn may be hijacked into some spurious realm for further gleaning of confidential information.
Security needs to be a two-way street. Presently, in these circumstances, it is one-way and therefore only half mounted. True security demands a face-to-face meeting in a physical location to establish security questions that the bank, for example, must answer correctly to YOUR satisfaction before you deal with a disembodied voice on the phone.
Of course, even that authenticating standard can be breached, but every layer helps.
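To make the two-way idea concrete, here is an added example (mine, not something the post or any bank describes). It assumes that the in-person visit establishes a shared secret rather than a literal question and answer, because an answer spoken aloud to an impostor is an answer they now own; with a shared secret, each side instead answers a fresh, short challenge with an HMAC, so nothing reusable is disclosed. The customer challenges the bank first, before giving up any personal data. Two direction-specific keys are derived from the one secret so that a fake bank cannot simply ask the customer to answer the customer's own challenge and echo it back. The 8-hex-character truncation and the `bank`/`customer` role names are assumptions chosen to keep the codes short enough to read over a phone.

```python
import hashlib
import hmac
import secrets

# Constructed enrollment secret for the example. In practice it would be
# generated at the branch during the face-to-face meeting the post calls for.
ENROLLED_SECRET = b"example-secret-set-at-the-branch"


def derive_keys(shared_secret: bytes) -> tuple[bytes, bytes]:
    """One key per direction, so a response the bank gives the customer can never
    double as a response the customer gives the bank (blocks reflection)."""
    k_bank = hashlib.sha256(b"bank-proves-to-customer|" + shared_secret).digest()
    k_cust = hashlib.sha256(b"customer-proves-to-bank|" + shared_secret).digest()
    return k_bank, k_cust


def respond(key: bytes, challenge: str) -> str:
    # Truncated to 8 hex chars (assumption) so it can be read aloud; the challenge
    # is fresh each call, so an overheard response is useless afterwards.
    return hmac.new(key, challenge.encode(), hashlib.sha256).hexdigest()[:8]


def verify(key: bytes, challenge: str, response: str) -> bool:
    return hmac.compare_digest(respond(key, challenge), response)


class Party:
    """Either end of the phone call. Which key it answers with, and which key it
    checks the other side against, depends on its role."""

    def __init__(self, shared_secret: bytes, role: str):
        if role not in ("bank", "customer"):
            raise ValueError("role must be 'bank' or 'customer'")
        self.role = role
        self.k_bank, self.k_cust = derive_keys(shared_secret)

    def challenge(self) -> str:
        return secrets.token_hex(4)  # 8 hex chars, spoken by the challenger

    def answer(self, challenge: str) -> str:
        key = self.k_bank if self.role == "bank" else self.k_cust
        return respond(key, challenge)

    def check(self, challenge: str, response: str) -> bool:
        # Verify the *other* side's response with the other side's key.
        key = self.k_cust if self.role == "bank" else self.k_bank
        return verify(key, challenge, response)


def mutual_auth(customer: Party, bank: Party) -> str:
    """Run the call. The customer challenges first: the bank must prove itself
    before the customer discloses anything."""
    c1 = customer.challenge()
    if not customer.check(c1, bank.answer(c1)):
        return "bank failed"
    c2 = bank.challenge()
    if not bank.check(c2, customer.answer(c2)):
        return "customer failed"
    return "ok"


def reflection_attack(customer: Party) -> bool:
    """A fake bank that knows no secret tries to get the customer to answer the
    customer's own challenge and then parrots it back. Returns whether the
    customer is fooled (False with direction-separated keys)."""
    c1 = customer.challenge()
    stolen = customer.answer(c1)      # customer tricked into answering first
    return customer.check(c1, stolen)  # fake bank replays it as its own proof


if __name__ == "__main__":
    me = Party(ENROLLED_SECRET, "customer")
    real_bank = Party(ENROLLED_SECRET, "bank")
    fake_bank = Party(b"no idea what was agreed at the branch", "bank")
    print("real bank:", mutual_auth(me, real_bank))
    print("fake bank:", mutual_auth(me, fake_bank))
    print("reflection fooled customer:", reflection_attack(me))
```

The ordering matters as much as the math: the bank answers the customer's challenge first, so a hijacked phone number or a spoofed web page with a bogus number yields nothing, because the caller on the other end cannot produce the code and the customer never gets as far as reciting an address or card digits.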
August 21st: On this date in 1841, John Hampson patents the venetian blind.