If I were more motivated, I’d write this up into a white paper. But here’s the basic idea:
Banks and other entities that deal with sensitive (especially financial) information often require that their customers specify a “passphrase” (mother’s maiden name, a PIN, etc.) to verify their identity for transactions over the phone (and sometimes through online portals).
The next step in improving the security of a customer’s information and assets will be the reverse: a passphrase that the customer assigns to the company, which the company must present to prove its own identity to the customer.
So I get a call from Wells Fargo yesterday–some 1-800 number that I don’t recognize. The caller identifies himself with a name and says that he wants to inquire about suspicious activity with my credit card. He asked me whether or not I made certain transactions with my debit card ($400 for Chelsea football apparel, $450 for some online bingo website, blah blah). My card’s numbers, apparently, had been “compromised”–and I’m grateful for the phone call, and that the charges are being reversed.
But in retrospect, I realized that I had no way of verifying the caller’s identity, and that I gave away information like candy–as though the person on the other end of the call was my trusted, personal banker. I didn’t even catch his name.
Fortunately, this call was real. But it could have been malicious. It could have been the person who stole my credit card–and had that person asked me for my PIN or my mother’s maiden name, I probably would have given it out without a second’s hesitation. Which scares me.
So the solution is this: when I become a Wells Fargo customer in the future, I’ll provide Wells Fargo with a PIN or passphrase to verify my identity if I should ever need to call a banker. Then, I’ll give Wells Fargo a passphrase of my own choosing for them, to be used to identify their authorized agents who might call me.
Then, the next time I get a call from a Wells Fargo employee, the employee provides me with the passphrase I assigned to Wells Fargo. I might provide my PIN as well, so that we have both verified each other’s identities before the conversation begins.
In the computer world, certificate-based schemes work very much in this manner. I suspect it’s only a matter of time before banks, medical clinics, universities, phone companies, etc. adopt such a measure.
Only, it needs something more catchy than “personally assigned corporate identifier.” Something that makes a good accretion (consider the abysmal failure of the CVV2 code, variously known as the “security code”, “the three digits off of the back of the card”, “the online verification thing”, etc.). Any suggestions?
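An added example, not code from the post and not anything Wells Fargo or any other bank runs, that models the exchange proposed above in Python: the bank speaks the passphrase the customer assigned to it, the customer answers with the PIN only after that check passes, and the bank then verifies the PIN. The account number, the PIN and passphrase values, and the in-memory records on both sides are constructed for the example. The last two functions play out the failure modes discussed in the comments: a cold-calling phisher who cannot produce the passphrase, and a thief who relays each side’s secret to the other so that both honest parties see a valid exchange.

```python
import hmac

# Constructed sample data (an assumption for this example, not from the post):
# the bank keeps, per account, the customer's PIN and the passphrase the
# customer assigned to the bank; the customer remembers both as well.
BANK_RECORDS = {
    "acct-1001": {"customer_pin": "4712", "bank_passphrase": "blue heron"},
}
CUSTOMER_MEMORY = {
    "acct-1001": {"pin": "4712", "bank_must_say": "blue heron"},
}

REFUSE = None  # what a party says when it declines to continue


def bank_opens_call(account, records=BANK_RECORDS):
    """Bank side, step 1: the bank states the passphrase the customer assigned
    to it (REFUSE if the account is unknown). This is also what the bank does
    when it reveals the passphrase to whoever presents as the customer."""
    rec = records.get(account)
    return rec["bank_passphrase"] if rec else REFUSE


def customer_hears_passphrase(account, spoken, memory=CUSTOMER_MEMORY):
    """Customer side, step 2: answer with the PIN only after the caller has
    proved itself. A missing passphrase ("we cannot reveal it, your account
    is locked") or a wrong one gets nothing at all."""
    expected = memory[account]["bank_must_say"]
    if spoken is None or not hmac.compare_digest(spoken, expected):
        return REFUSE
    return memory[account]["pin"]


def bank_checks_pin(account, pin, records=BANK_RECORDS):
    """Bank side, step 3: verify the customer before discussing the account."""
    rec = records.get(account)
    if rec is None or pin is None:
        return False
    return hmac.compare_digest(pin, rec["customer_pin"])


def honest_call(account):
    """Genuine bank-to-customer call: both sides verify before business starts."""
    spoken = bank_opens_call(account)
    pin = customer_hears_passphrase(account, spoken)
    return {
        "customer_trusts_bank": pin is not REFUSE,
        "bank_trusts_customer": bank_checks_pin(account, pin),
    }


def phisher_call(account, claimed_passphrase=None):
    """Cold-calling thief who does not know the bank passphrase. The default
    (saying nothing) models the "we cannot reveal your identifier" excuse."""
    pin = customer_hears_passphrase(account, claimed_passphrase)
    return {"customer_trusts_bank": pin is not REFUSE, "pin_leaked": pin}


def relay_call(account):
    """Thief in the middle: the real bank reveals the passphrase to the thief,
    the thief repeats it to the customer, and forwards whatever the customer
    says back to the bank. Each honest party sees a correct exchange; the
    thief ends up holding the PIN. Static secrets in either direction cannot
    distinguish this from the honest call."""
    spoken = bank_opens_call(account)                  # bank -> thief
    pin = customer_hears_passphrase(account, spoken)   # thief -> customer -> thief
    return {
        "customer_trusts_bank": pin is not REFUSE,
        "bank_trusts_customer": bank_checks_pin(account, pin),  # thief -> bank
        "pin_leaked": pin,
    }


if __name__ == "__main__":
    print("honest :", honest_call("acct-1001"))
    print("phisher:", phisher_call("acct-1001"))
    print("relay  :", relay_call("acct-1001"))
```

The customer-side rule is the one that matters in practice: say nothing identifying until the caller has produced the passphrase, and treat any excuse for not producing it as a failed check. The relay function shows why that rule is necessary but not sufficient, which is the point the commenters below are making.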
My bank’s website has this. After you submit your login, they display a picture you selected and your bank’s passphrase (that you assigned to them).
Both are susceptible to the same attack.
BANK THIEF YOU
If you have to authenticate first, at least you know when you have been compromised *after* you have been compromised.
When I get a call from a credit card company, I thank them, and then call the number on the back of my card. Banks have focused almost exclusively on identifying who the customer is, and have spent virtually no time providing a means for the customer to verify who they are.
Unfortunately, there isn’t an effective way for a bank to prove who they are on an inbound call. Let’s say you set up a corporate identifier. Then a phisher calls and says “Due to a potential security breach, we cannot reveal your corp identifier as your account has been locked by Central Security Control”. The victim will then generally respond “Well, OK then, here’s my password”.
This is a tricky situation, as it really is up to the user to make sure their information is secure. I imagine the best way to go about it is actually to ask for their employee ID and extension. Then call your company back and ask for that employee.
Anybody working in Customer Service (especially a manager) needs to read Kevin Mitnick’s “Art of Deception.”