I have been very concerned for some time about the rather blasé attitude that banks sometimes take towards security when dealing with their customers.
They are correctly insistent on verifying who they are speaking to on the phone and now maintain that they never ask for PIN details in full, although I have been asked for these details in the past.
However, what they fail to do is provide a mechanism to verify who they are. I have had several occasions where banks and credit card companies have rung up asking to verify who I am before continuing their conversation. However, when asked to prove who they are, they have often become very defensive.
Indeed, calling out of the blue and asking people to verify their details could easily form the basis of a phishing scam that aims to furnish the perpetrator with someone's credentials.
Apparently, it is obvious who they are, which suggests to me a basic inability to assess risk from any other perspective than their own, which is worrying.
On some occasions, I have been asked to call back using an 0800-like number if I am anxious about an inbound call. I remember one occasion in particular (at least 18 months ago) where I had the gall to suggest this might be insecure, pointing out that anyone can easily set up such a number and implement a simple computer system that asks you to enter your account and PIN details before being put through to an operator.
I remember the call, in particular, because it was a sales call. Why they insisted on verifying who I was so they could try to sell me a financial product I did not want, I do not know. I ended up being told the details were needed for Data Protection purposes, which is of course rubbish. The credit card company concerned apologised, but it worries me that such organisations don't think these things through first.
I recently complained to one bank that asked me to provide personal details in the name of account verification using a letter that was so badly produced that I did initially think it was a scam. Ironically, this had been issued by their compliance unit, which one would have thought would have had such matters under careful scrutiny. Furthermore, there was a London number to call if I felt that anything was untoward. I have no idea if the number belonged to the bank in question and worse still, when I called the branch, they reached the same conclusion.
I think it is time for banks to think through some mechanism that can be easily used to identify them to their customers as well as the other way round. Mutually authenticating each other must be more secure than one-way authentication. It could be as easy as providing the bank with a secret word that they could be challenged for parts of when they call.
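One way to put the "challenge the bank for parts of a secret word" idea into code, as an added illustration that is not from the original post (the secret word, account id and class names are my own assumptions). It also tracks how much of the word has been revealed over successive calls, since every challenge discloses a few letters to whoever is listening:

```python
import secrets


class CustomerVerifier:
    """Customer's side: knows the secret word and challenges whoever rings up."""

    def __init__(self, secret_word: str, positions_per_call: int = 2):
        self.secret_word = secret_word.lower()   # constructed sample secret
        self.positions_per_call = positions_per_call
        self.revealed = set()                    # positions disclosed so far

    def challenge(self) -> list:
        # Fresh random positions (1-based) on every call, so a recorded call
        # leaks only the letters that were actually asked for.
        rng = secrets.SystemRandom()
        positions = sorted(rng.sample(range(1, len(self.secret_word) + 1),
                                      self.positions_per_call))
        self.revealed.update(positions)
        return positions

    def verify(self, positions, answer) -> bool:
        expected = "".join(self.secret_word[p - 1] for p in positions)
        given = "".join(answer).lower()
        # Constant-time comparison of the letters the caller supplied.
        return secrets.compare_digest(expected, given)

    def exposure(self) -> float:
        # Fraction of the word an eavesdropper on every past call would hold;
        # once this nears 1 the word should be changed.
        return len(self.revealed) / len(self.secret_word)


class BankAgent:
    """Caller's side: looks up the registered word for the account and answers."""

    def __init__(self, records: dict):
        self.records = records   # account id -> secret word (constructed sample data)

    def respond(self, account_id: str, positions) -> list:
        word = self.records.get(account_id, "")
        # A caller without the word (or the account) can only guess.
        return [word[p - 1] if p <= len(word) else "?" for p in positions]


def run_call(customer: CustomerVerifier, caller: BankAgent, account_id: str) -> bool:
    """One inbound call: customer challenges, caller answers, customer verifies."""
    positions = customer.challenge()
    return customer.verify(positions, caller.respond(account_id, positions))
```

A genuine agent with access to the customer's record passes every challenge, while a cold caller who lacks the word fails, regardless of how convincing the rest of the call sounds.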
It seems from a BBC article today that the hacking community have already started to exploit this lack of basic security. The alarming fact is that telephone calls made using the Internet are free and this largely removes the financial barrier for this type of telephone fraud.