funsec mailing list archives
Re: Bank security
From: <michael.blanchard () emc com>
Date: Fri, 4 Mar 2011 12:04:23 -0500
I've had similar calls and have always forced their hand to provide me information that is not public information. But, because they called you about a complaint that you filed with them, isn't that pretty reasonable proof that they are who they state they are? Unless the complaint you filed was considered public knowledge. My issue would absolutely be with them calling me then asking for personal information for sure....

Oh and that other person that called you back, is a dope and clearly doesn't know how security works LOL... By his thinking, if a thief calls me, I should verify that the thief is not a thief by asking the thief for a callback number to verify the thief is not a thief, then when I call back the thief's number and he answers, I can then be assured that he is not a thief and give him any information the thief wants... LOL

Sounds like a Monty Python skit to me!

Mike B

Michael P. Blanchard
Senior Security Engineer, CISSP, GCIH, CCSA-NGX, MCSE
Office of Information Security & Risk Management
EMC² Corporation
32 Coslin Drive
Southboro, MA 01772

-----Original Message-----
From: funsec-bounces () linuxbox org [mailto:funsec-bounces () linuxbox org] On Behalf Of Drsolly
Sent: Friday, March 04, 2011 10:45 AM
To: funsec () linuxbox org
Subject: [funsec] Bank security

I was called by my bank recently, to discuss a complaint I'd made. After a few minutes talking, my caller decided she needed to do a security check. So she asked me for part of my sort code, part of my account number, part of my mother's maiden name, and my birth date.

After we'd finished dealing with the original complaint, I told her that I now had another complaint - their security procedure.

1) Someone calling me, where I can't verify who they are, should not be asking for such info.

2) My account number and sort code are on every check I send out, so are public info. My birth date and mother's maiden name, aren't hard to discover.

So, it's asking for info they shouldn't ask for, and it isn't verifying that I'm who I say I am.

I was called back by another person in their complaints department. I asked him, "If I'm asked by someone who called me, for my account number, should I give it?" He said that I should not. So I told him that his own department was asking people for that information. He was surprised.

Then I explained to him how a proper security system should work (shared secret). He said that he was very familiar with how security works. He suggested that if I was unsure that a caller was from the bank, then I should call them back.

"And where do I get the number from?" I asked.

"From the caller," he replied.

So I explained to him why that was a very bad idea.

I'm left with the conviction that my bank, at least, is clueless about how security works.

I've escalated the issue. He told me I'd get a final resolution (which I take to mean, and we won't discuss the matter further after that).

I don't suppose there's anyone here from a bank?

_______________________________________________
Fun and Misc security discussion for OT posts.
https://linuxbox.org/cgi-bin/mailman/listinfo/funsec
Note: funsec is a public and open mailing list.