Showing posts with label social engineering. Show all posts

8.18.2007

Love, as they say, is dangerous.

As mentioned previously (and in a Defcon debriefing post that I have yet to actually publish), I've been looking into malware analysis and reverse engineering lately. There is still so much to learn, but what humble little I have learned has whetted my appetite for something more hands-on.

By the way, I have finally discovered and fallen in love with Eldad Eilam's book, Reversing: Secrets of Reverse Engineering. Its 624 pages have a good balance of breadth and depth, and though I haven't finished it from cover to cover yet, I am already jumping the gun and recommending it to anyone interested in reversing. As the book has a good amount of assembly code, some background knowledge is advised, unless you're the type who likes to be inundated with information about things you can just barely understand, like doing 0 to 60 in 3 seconds flat.

At any rate, in my quest to look for something to analyze, I discovered that one easily accessible treasure trove of malware and fishy (phishy! sorry, that was punny) sites is my spam folder... which is where I found this one:



"I`m in hurry, but i still love you...?" Aw, I feel the warm fuzzies! Especially when said ecard (which has JavaScript code running in the background, so I don't recommend going to this link unless you know what you're doing) looks something like this...



Humor aside, I am somewhat surprised by the sloppiness of the attempt, especially when simple copy-pasting could have made it somewhat more convincing. This was obviously not a particularly brilliant example of social engineering technique, but it was entertaining nevertheless.

4.19.2007

And your mother's maiden name?

I just got off the phone with one of my banks, calling because their website refused to let me log in to my account (red flag thought #1: a supposed online banking system that won't let me log in? Perhaps they've been attacked and this is a phishing scheme... if so, it's too late for me now). If they have, in fact, been attacked, then anything on the site could have been changed, including the phone number listed under "contact us" for support.

If I call a number on a potentially compromised website (or a number left in a voicemail from my supposed "bank", or one I received in the mail from someone claiming to be the First Thirtysecond Bank of That One Lake in Rural Wisconsin) -- how would I know whether I was actually talking to the bank? The first question they ask you is for your account number. Next, the date and amount of last deposit. Then, of course, the obligatory "mother's maiden name", location in which the account was opened, and other similar questions. All of this is meant to verify that I am who I say I am, which really isn't the concern here. All an attacker posing as the bank would need to do is say, "Yep, that's all correct. And Mr. Martin, for a limited time, since you're such a loyal customer, I've taken your identity. Please have a nice day."

The real issue here is, are they who I think they are? At no point is there ever an opportunity or means of verifying THEIR identity. Where did THEY grow up? What is THEIR blood type? Give me the last four of your social Mr. Bank representative, if that's even your real name....

Now it's obviously a bad idea (and impossible) for each customer to have a database of personal information about each bank representative from which to verify their identity, but there are a few little things we can do to mitigate some of the risk.

First, be sure to call a number that you are 100% certain is valid (such as the one on the back of your bank card or statement), then have them transfer you to the correct department. You could also have them call you back at your number so you could at least check against caller ID (likely to be unlisted, though, and easily faked). In addition, try some well-placed lies to check whether they are actually validating your responses against something. For example, if they ask the date and amount of your last deposit, and you know it to be $100 on 3/13, respond with "I believe it was $75 on 3/16" - they should stop you and say that it is incorrect, then you say "Oh yes, I meant to deposit that but forgot, it was $100 on 3/13."

Lastly, perhaps the best solution would require some policy changes on the part of the bank, but I believe it would provide an excellent counter to this threat. The reverse security question is something that is already used in highly secure environments such as intelligence agencies or military special forces, but should really be adapted to anything that impacts privacy and identity protection. When the customer opens an account with the bank, they should be made to create a secret phrase for validation of the bank. Then, when a customer calls for support, the conversation would become: "This is The Bank, could you please verify your account number and mother's maiden name?" "That's correct, your secret phrase is the white swan flies at midnight. Could you now please verify the date and amount of your last deposit as well as your social security number?" Some places are starting to use this logic with images of the customer's choice, but this would obviously not apply to phone conversations. If my banks began to authenticate themselves to me like this, it would be much more difficult to beat, and certainly put my mind a little more at ease.
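To make the two checks above concrete, here is an added example (written for this page, not code from the original post) that models the support call as a protocol with both sides' messages: the customer answers the low-sensitivity questions, tests the other party with a deliberately wrong deposit, and then demands the bank's secret phrase before answering anything sensitive. The bank, the account record, the phrases and the two `Impostor` behaviours are all constructed for the illustration; the second impostor shows why the decoy check alone is not enough and the reverse security question is what actually catches it.

```python
# Added example (not from the original post): the phone-support exchange as a
# two-sided protocol. The bank, account record, phrases and names below are
# all constructed for this illustration.
from dataclasses import dataclass


@dataclass
class Account:
    number: str
    maiden_name: str
    last_deposit: tuple          # (date, amount), as the bank recorded it
    ssn_last4: str
    bank_phrase: str             # chosen by the customer when opening the account


class RealBank:
    """Legitimate bank: checks every answer against its records and reveals
    the customer's chosen phrase only after the low-sensitivity checks pass."""

    def __init__(self, accounts):
        self._accounts = {a.number: a for a in accounts}

    def check_identity(self, number, maiden_name):
        acct = self._accounts.get(number)
        return acct is not None and acct.maiden_name == maiden_name

    def check_deposit(self, number, date, amount):
        acct = self._accounts.get(number)
        return acct is not None and acct.last_deposit == (date, amount)

    def reveal_phrase(self, number, maiden_name):
        if not self.check_identity(number, maiden_name):
            return None
        return self._accounts[number].bank_phrase


class Impostor:
    """Someone posing as the bank. It has no records, so it can only agree with
    whatever it hears; with reject_first_deposit=True it mimics a real check by
    rejecting the first deposit answer and accepting the next one."""

    def __init__(self, reject_first_deposit=False):
        self._reject_first = reject_first_deposit
        self._deposit_questions = 0

    def check_identity(self, number, maiden_name):
        return True

    def check_deposit(self, number, date, amount):
        self._deposit_questions += 1
        return not (self._reject_first and self._deposit_questions == 1)

    def reveal_phrase(self, number, maiden_name):
        return "have a nice day"   # a guess; the real phrase was never shared


def customer_call(party, acct, decoy_deposit):
    """Customer side of the call: low-sensitivity answers first, then a decoy
    deposit the party must refuse, then the bank phrase before any high-value
    answer. Returns (transcript, sensitive_info_was_disclosed)."""
    log = [f"customer: account {acct.number}, maiden name {acct.maiden_name}"]
    if not party.check_identity(acct.number, acct.maiden_name):
        log.append("party rejected the account details; ending the call")
        return log, False
    # Decoy: a wrong date and amount that a bank with real records must refuse.
    if party.check_deposit(acct.number, *decoy_deposit):
        log.append("RED FLAG: wrong deposit accepted, nothing is being validated")
        return log, False
    log.append("decoy deposit rejected; giving the real one")
    if not party.check_deposit(acct.number, *acct.last_deposit):
        log.append("real deposit rejected; records disagree, ending the call")
        return log, False
    # Reverse security question: the bank must now authenticate itself.
    phrase = party.reveal_phrase(acct.number, acct.maiden_name)
    if phrase != acct.bank_phrase:
        log.append(f"RED FLAG: bank phrase {phrase!r} is wrong, ending the call")
        return log, False
    log.append("bank phrase matches; now answering the SSN question")
    return log, True


# Constructed sample account and decoy answer for the demonstration.
ALICE = Account("1234-5678", "Smith", ("3/13", "$100"), "6789",
                "the white swan flies at midnight")
DECOY = ("3/16", "$75")

if __name__ == "__main__":
    parties = [("real bank", RealBank([ALICE])),
               ("naive impostor", Impostor()),
               ("impostor that rejects the decoy", Impostor(reject_first_deposit=True))]
    for name, party in parties:
        transcript, disclosed = customer_call(party, ALICE, DECOY)
        print(f"--- {name}: sensitive info disclosed = {disclosed}")
        print("\n".join(transcript))
```

Run it and the three transcripts show the escalation: the naive impostor fails the decoy, the cleverer one passes the decoy but cannot produce the phrase, and only the real bank ever hears the last four of the SSN. The ordering matters: the phrase is released only after the cheap identity checks, so an unknown caller cannot simply phone the bank and collect every customer's phrase.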

Be on the lookout for more on this topic from yours truly and Steven Jackson in the near future.

4.03.2007

Week of Vista Bugs a poor April Fools Joke

If you are into the computer security information sphere, and I expect you are if you're reading this blog, then chances are you've heard the whole shouting match over the Week of Vista Bugs and its following firestorm. The long and short of it: it's a hoax. Game over.

Now this was something vaguely suspected by many, but at the same time it was something everyone in the security community had to approach with at least a guarded curiosity. Most major sites mentioned it, at least in passing, even if they noted that it could be less than legitimate. Sadly this was exactly what the social engineers (a term I use with more than a little disdain, and I'm not fully sure they deserve even that high of praise) at TWOVB wanted, in an exercise they referred to as "hacking the media" on their revelation page. I'd go into more but I'm disgusted with the whole thing, so I'll let you read for yourself here:

The Week of Vista Bugs: The Truth

SANS Internet Storm Center: Week of Vista Bugs is a Hoax