If I were more motivated, I’d write this up into a white paper. But here’s the basic idea:
Banks and other entities that deal with sensitive (especially financial) information often require that their customers specify a “passphrase” (mother’s maiden name, a PIN, etc.) to verify their identity for transactions over the phone (and sometimes through online portals).
The next step in improving the security of a customer’s information and assets will be the reverse–a personally assigned identifier for a corporate identifier.
So I get a call from Wells Fargo yesterday–some 1-800 number that I don’t recognize. The caller identifies himself with a name and says that he wants to inquire about suspicious activity with my credit card. He asked me whether or not I made certain transactions with my debit card ($400 for Chelsea football apparel, $450 for some online bingo website, blah blah). My card’s numbers, apparently, had been “compromised”–and I’m grateful for the phone call, and that the charges are being reversed.
But in retrospect, I realized that I had no way of verifying the caller’s identity, and that I gave away information like candy–as though the person on the other end of the call was my trusted, personal banker. I didn’t even catch his name.
Fortunately, this call was real. But it could have been malicious. It could have been the person who stole my credit card–and had that person asked me for my PIN or my mother’s maiden name, I probably would have given it out without a second’s hesitation. Which scares me.
So the solution is this: when I become a Wells Fargo customer in the future, I’ll provide Wells Fargo with a PIN or passphrase to verify my identity in the future if I should need to call a banker. Then, I’ll provide Wells Fargo with their passphrase, to be used to identify their authorized agents who might call me.
Then, the next time I get a call from a Wells Fargo employee, the employee would provide me with the passphrase I assigned to Wells Fargo. I might provide my PIN as well–such that we’ve both verified each other’s identities before the conversation begins.
In the computer world, certificate-based schemes work very much in this manner. I suspect it’s only a matter of time before banks, medical clinics, universities, phone companies, etc. adopt such a measure.
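The call flow above, written out as an added simulation (this is not the author’s code): each side stores only a salted hash of the secret it expects from the other, the bank must speak first, and the customer’s PIN is never released until the bank’s passphrase checks out. The passphrases, the PIN and the party names are constructed sample values.

```python
import hashlib
import hmac
import os


def _digest(secret: str, salt: bytes) -> bytes:
    # Store only a salted hash of each passphrase, never the plaintext.
    return hashlib.pbkdf2_hmac("sha256", secret.encode(), salt, 100_000)


class Party:
    """One side of the call: knows its own secret and a hash of the peer's."""

    def __init__(self, own_secret: str, expected_peer_secret: str):
        self.own_secret = own_secret
        self.salt = os.urandom(16)
        self.peer_digest = _digest(expected_peer_secret, self.salt)
        self.peer_verified = False

    def verify_peer(self, presented: str) -> bool:
        # Constant-time comparison of hashes, so a wrong guess leaks nothing.
        ok = hmac.compare_digest(_digest(presented, self.salt), self.peer_digest)
        self.peer_verified = ok
        return ok

    def present_secret(self) -> str:
        # Refuse to disclose anything until the other party has proven itself.
        if not self.peer_verified:
            raise PermissionError("peer not verified; refusing to disclose secret")
        return self.own_secret


def mutual_auth_call(caller: Party, customer: Party, caller_claim: str) -> dict:
    """Simulate the phone call: the bank speaks first, the customer answers only then."""
    # Step 1: the caller states the passphrase the customer assigned to the bank.
    if not customer.verify_peer(caller_claim):
        # Unknown caller: the conversation ends with nothing disclosed.
        return {"bank_verified": False, "customer_verified": False, "pin_disclosed": False}
    # Step 2: the customer now gives their PIN and the bank checks it against its record.
    pin = customer.present_secret()
    customer_ok = caller.verify_peer(pin)
    return {"bank_verified": True, "customer_verified": customer_ok, "pin_disclosed": True}


if __name__ == "__main__":
    bank = Party("velvet otter", "4321")          # bank passphrase, expects customer PIN
    me = Party("4321", "velvet otter")            # my PIN, expects bank passphrase
    print(mutual_auth_call(bank, me, bank.own_secret))
    print(mutual_auth_call(Party("guess", "?"), Party("4321", "velvet otter"), "guess"))
```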
Only, it needs something more catchy than “personally assigned corporate identifier.” Something that makes a good accretion (consider the abysmal failure of the CVV2 code, variously known as the “security code”, “the three digits off of the back of the card”, “the online verification thing”, etc.). Any suggestions?