funsec mailing list archives
Bank security
From: Drsolly <drsollyp () drsolly com>
Date: Fri, 4 Mar 2011 15:45:02 +0000 (GMT)
I was called by my bank recently, to discuss a complaint I'd made. After a few minutes talking, my caller decided she needed to do a security check. So she asked me for part of my sort code, part of my account number, part of my mother's maiden name, and my birth date.

After we'd finished dealing with the original complaint, I told her that I now had another complaint - their security procedure.

1) Someone calling me, where I can't verify who they are, should not be asking for such info.

2) My account number and sort code are on every check I send out, so are public info. My birth date and mother's maiden name aren't hard to discover.

So, it's asking for info they shouldn't ask for, and it isn't verifying that I'm who I say I am.

I was called back by another person in their complaints department. I asked him, "If I'm asked by someone who called me, for my account number, should I give it?" He said that I should not. So I told him that his own department was asking people for that information. He was surprised.

Then I explained to him how a proper security system should work (shared secret). He said that he was very familiar with how security works. He suggested that if I was unsure that a caller was from the bank, then I should call them back. "And where do I get the number from?" I asked. "From the caller," he replied. So I explained to him why that was a very bad idea.

I'm left with the conviction that my bank, at least, is clueless about how security works. I've escalated the issue. He told me I'd get a final resolution (which I take to mean, and we won't discuss the matter further after that).

I don't suppose there's anyone here from a bank?