Goto Blog Home PageRevell Research Systems: Alastair Revell's Web Log
On this page....
<January 2020>

RSS 2.0     Atom 1.0     CDF

Blog Roll
About Alastair Revell
Alastair Revell is the Managing Consultant of Revell Research Systems, a Management and Technology Consulting Practice based at Exeter in the United Kingdom.
Contact Alastair Revell
 EMail Revell Research Systems Limited Email Me
Legal & Other Notices
Sign In
The material published in this web log is for general purposes only. It does not constitute nor is it intended to represent professional advice. You should always seek specific professional advice in relation to particular issues. The information in this web log is provided "as is" with no warranties and confers no rights. The opinions expressed herein are my own personal opinions.

Web Log Home | Welcome to this Web Log | Using this Web Log | New to Blogs? | About Revell Research Systems | Contact Details

Review Entries for Day Tuesday, July 18, 2006

I have been very concerned for sometime about the rather blasé attitude that banks sometimes take towards security when dealing with their customers.

They are correctly insistent in verifying who they are speaking to on the phone and now maintain that they never ask for PIN number details in full, although I have been asked for these details in the past.

However, what they fail to do is provide a mechanism to verify who they are. I have had several occasions where banks and credit card companies have rung up asking to verify who I am before continuing their conversation. However, when asked to prove who they are, they often have become very defensive.

Indeed, calling out of the blue and asking people to verify their details could easily form the basis of a phishing scam that aims to furnish the perpetrator with someone's credentials.

Apparently, it is obvious who they are, which suggests to me a basic inability to assess risk from any other perspective than their own, which is worrying.

On some occasions, I have been asked to call back using an 0800-like number if I am anxious about an inbound call. I remember one occasion in particular (at least 18 months ago) where I had the gall to suggest this might be insecure, pointing out that anyone can easily set up such a number and implement a simple computer system that asks you to enter your account and PIN details before being put through to an operator.

I remember the call, in particular, because it was a sales call. Why they insisted on verifying who I was so they could try to sell me a financial product I did not want I do not know. I ended up being told the details were needed for Data Protection purposes, which is of course rubbish. The credit card company concerned apologised, but it worries me that such organisations don't think these things through first.

I recently complained to one bank that asked me to provide personal details in the name of account verification using a letter that was so badly produced that I did initially think it was a scam. Ironically, this had been issued by their compliance unit, which one would have thought would have had such matters under careful scrutiny. Furthermore, there was a London number to call if I felt that anything was untoward. I have no idea if the number belonged to the bank in question and worse still, when I called the branch, they reached the same conclusion.

I think it is time for banks to think through some mechanism that can be easily used to identify them to their customers as well as the other way round. Mutually authenticating each other must be more secure than one-way authentication. It could be as easy as providing the bank with a secret word that they could be challenged for parts of when they call.

It seems from a BBC article today that the hacking community have already started to exploit this lack of basic security. The alarming fact is that telephone calls made using the Internet are free and this largely removes the financial barrier for this type of telephone fraud.

RSS 2.0 Feed If you enjoyed reading an article on this blog, why not subscribe to the RSS 2.0 feed to receive future articles?
Revell Research Systems Logo Visit the Revell Research Systems Web Site if you want to learn more about this management and technology consulting practice.