Banks are conservative organisations, who worry about the security and integrity of their customers’ financial data, right? They’re conservative in that they won’t introduce new technologies or processes until their highly-skilled security analysts have had the chance to ensure that all bases are covered in terms of any potential security vulnerability, to themselves or their customers. Sounds entirely reasonable, doesn’t it? It also means that we should forgive them for being, shall we say, a tad slow in catching up with the way the world is and wishes to be.
So here’s a challenge for LloydsTSB: Please explain this:
A couple of months ago, I made an on-line purchase for a bunch of hardware. That was fine, except that the merchant mistakenly put the credit card transaction through twice, which triggered a security alert on my credit card. So far, so good, and exactly what I’d hope would happen in the circumstances. It’s what happened next that left me slack-jawed with incredulous disbelief. My phone rang, showing a withheld number. I answered it. A synthesised voice then announced that it was the LloydsTSB credit card service, that there’d been a security incident on my credit card, and would I please confirm my identity by entering my credit card and security details on the telephone keypad. So, with a “Yeah, right”, I of course hung up, assuming it to be a scam. But I phoned LloydsTSB Card Services anyway, and they confirmed that, yes, there’d been a security alert on my account, and that I HAD been phoned by their system. The really scary part of it was that I couldn’t seem to get across to them what a huge security hole they were creating – that anyone receiving such a call had no way of verifying that it was legitimate.
It would take me, or anyone so inclined, about five minutes to knock up a set of recordings to play over the phone to someone, asking the recipient to input their credit card details, and then record their responses. If I wanted to get really fancy, I’d knock up a very simple interactive system on my laptop, to do the whole thing automatically – that might take a couple of hours. But I could then put an autodialer behind it, and I’m sure it could be very lucrative.
The bottom line here is that the banks appear to see no need to put in place any system by which they should need to prove their identity to us the customers. Until such time as they do so, the obvious advice is to never respond to any call, computer or human, email or SMS asking you to verify your card details, unless the caller can absolutely authenticate themselves to you – if necessary, call them back on the number you already have on record for them, and give them an earful about their systems. The unfortunate thing is that anyone reading this online probably doesn’t need the warning – there are still many out there, on and offline, who’ll take such contacts at face value.
I asked LloydsTSB to respond to this, but haven’t heard anything – if I do, I’ll post it.
Update: 18th July 2006. Well, it’s already happening – http://news.bbc.co.uk/1/hi/technology/5187518.stm. And of course the banks are still using the same system.
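As an added illustration (not code from the original post or from the bank), here is the advice above written as a decision rule: card details are only ever given on a call the customer placed to a number already on record, and the number shown by caller ID on an inbound call is ignored entirely, since it can be spoofed. The directory entry is a constructed placeholder, not a real number.

```python
from dataclasses import dataclass
from typing import Optional

# Constructed directory of numbers the customer already holds (for example the
# number printed on the back of the card). The value is a placeholder.
KNOWN_NUMBERS = {"card services": "<number printed on back of card>"}


@dataclass
class Contact:
    """One contact between the customer and an alleged bank."""
    initiated_by_customer: bool  # True if the customer dialled out
    number: str                  # number dialled, or caller ID shown if inbound
    claimed_identity: str        # who the other party says it is
    asks_for_card_details: bool


@dataclass
class Decision:
    may_disclose: bool
    reason: str
    call_back: Optional[str] = None  # number the customer should dial instead


def evaluate(contact: Contact) -> Decision:
    """Decide whether card details may be given on this contact.

    An inbound caller cannot prove who it is: a synthesised voice and a script
    are trivially copied, and the displayed caller ID is not an authenticator.
    Only a customer-initiated call to a number on record is trusted.
    """
    known = KNOWN_NUMBERS.get(contact.claimed_identity.lower())
    if not contact.initiated_by_customer:
        # Caller ID is deliberately not compared, even if it matches the directory.
        if contact.asks_for_card_details:
            return Decision(False, "inbound request for card details cannot be verified; hang up and call back", known)
        return Decision(False, "inbound contact: nothing disclosed; call back if action is needed", known)
    if known is None:
        return Decision(False, "dialled party is not in the customer's own directory")
    if contact.number != known:
        return Decision(False, "dialled number differs from the number on record", known)
    return Decision(True, "customer-initiated call to the number on record")


if __name__ == "__main__":
    spoofed = Contact(False, KNOWN_NUMBERS["card services"], "Card Services", True)
    print(evaluate(spoofed))  # refused even though caller ID matches the directory
    callback = Contact(True, KNOWN_NUMBERS["card services"], "Card Services", True)
    print(evaluate(callback))  # permitted: the customer dialled the known number
```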
One thought on “LloydsTSB Security Hole”
Let me guess the next stage: Lloyds realise there’s a problem here, so they publicise their CardServicesBot phone number to account holders for call authentication – not realising that caller ID can, of course, be faked.
(You should send this blog entry to Bruce Schneier to blog about, btw)