Question on the state of the security industry (second half not necessarily on topic)

Thu Jul 8 11:42:20 EDT 2004

On Jul 3, 2004, at 14:22, Dave Howe wrote:

> Well if nothing else, it is impossible for my bank to send me anything 
> I would believe via email now....
>
> To take this even slightly more on-topic - does anyone here have a 
> bank capable of authenticating themselves to you when they ring you?
> I have had four phone calls from my bank this year, all of which start 
> out by asking me to identify myself to them. When I point out that 
> they must know who I am - as they just phoned me - and that I have no 
> way of knowing who they are, they are completely lost (probably takes 
> them away from the little paper script pinned to their desk)
>

Last month I had a rather good experience with American Express
in this regard.  I recently moved and had ordered something
to be shipped to my new address (this was before I changed my
billing address with AMEX).  Apparently the merchant had Amex
verify the transaction, and so AMEX called me.

Naturally, I asked how I was supposed to know it was really them
calling.  Without missing a beat, the caller invited me to hang
up and call back the number on the back of my card, which I did.
After the usual exchange of information to establish my "identity,"
I was transferred to the right department, and ended up speaking with
the same person who had originally called me(!).

After confirming the validity of the transaction in question, I
asked how many people are as suspicious as I was in asking for
confirmation that it's really AMEX calling.  He said not many,
but a significant enough number that they're ready to handle it
routinely when it happens (he also congratulated me for my
diligence).

It's nice that they have a procedure for this, but it's still a
mixed success for security against the theft of sensitive personal
information.  People like me (us?) remain the exception rather
than the rule, and while it's comforting that the standard procedures
accommodate us, the vast majority of people appear to happily give any
information requested to whoever calls them.  And when banks and
credit card issuers make calls requesting sensitive information
as part of their routine operations, they're training their customers
to engage in exactly the same behavior that they should be trying to
discourage.

Perhaps a better procedure would be to always simply ask the customer
to call back the known, trusted contact number (e.g., as printed on
the card), and never ask for any personal or sensitive information
in an unsolicited call.  They could widely advertise that this is
always the procedure and ask customers to be alert for any caller
who deviates from it.

-matt

---------------------------------------------------------------------
The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to majordomo at metzdowd.com