Blog article

Who the f... are you?

My mobile phone rang this morning. By the time I reached it, the caller (with blocked caller ID) had hung up. A minute later my (ex-directory!) home number rang. I picked up the phone.

The person on the other end of the line told me he was from Barclaycard's fraud investigation department and wanted to verify some transactions (Barclaycard does indeed make such calls from time to time).

I joked that I could not be sure he was indeed calling me from Barclaycard, to which he replied that he would not be asking me for any personal information.

The very first question was: "Who do you bank with?" - "Hm, Barclays, obviously..." - "And apart from Barclays?" - "Why do you need to know?"

He told me again he was there to help me. Did I ask for any help?

"What is your email address?" - "Tell me what address you have on file and I will confirm whether it's the right one." (I have two work addresses and three private ones.)

At that point the guy realized he was not getting anywhere and suggested I call Barclaycard myself "to verify those transactions". Which I did. There were no transactions to verify, and their fraud investigation department had no scheduled outgoing calls in the system in respect of my account.

Social engineering is the key part of spear phishing fraud. It can get past even two-factor authentication by enabling the classic "man in the middle" attack: the fraudster simply talks the victim through the steps. To protect consumers, banks need to identify themselves first, so that consumers know who they are dealing with. How can that be done securely? That's the million-dollar question. Any answers?


Comments: (3)

Ketharaman Swaminathan - GTM360 Marketing Solutions - Pune - 28 June, 2013, 13:32

NetBanking websites can of course authenticate themselves to users by displaying a graphic or text or both that was preselected by the user earlier. But I think you're asking about incoming calls, for which I have no answer. I keep getting similar calls and I respond similarly. The social engineers quickly hang up when my questions become too uncomfortable. The genuine callers flag me as a "difficult customer" in their CRM, which generally helps me get good service when I call them next! Only once did the caller display presence of mind by reading out my last card transaction. Not sure if that's a foolproof method of authentication.

Chris Errington - None - London - 28 June, 2013, 14:11

I took a call from a member of the Lloyds Group, who said there was an unusual transaction on my account and they wanted to check it.

Went through the same dialogue of 'you show me yours and I'll show you mine'. Did establish that they were probably genuine but wasn't sure because the branch they were calling from wasn't my local branch - I knew where it was but I had never been there [subsequently found it is the closest branch to my postcode; clue #1]. Asked specifically whether this was a sales call. No, categorically not - there was an unusual transaction on my account I needed to check out.

'We' agreed I would ring head office. Did so. The caller was genuine. But in fact, a genuine sales person at a Lloyds Group branch looking to invest my 'unusual receipt' - my monthly wages (which I've had for 10 years in a row) [Clue #2]. Head office said I had probably not checked the privacy box on my preferences - oh, the head office person says I had. Oops.

Received a similar call a few months later, someone different but same storyline. Same pretence - but this time I knew the game. Thinking about it, I've had a number of these calls over the years but just put the phone down. Then home phone rings and same story.

Shame they are using the 'unusual transaction' angle since banks need all the help they can get in combating fraud - not 40 year customers who have been through this and just hang up.

My calls ran very, very much like yours.

A Finextra member - 28 June, 2013, 15:49

The funny part is... that was indeed Barclaycard who rang me this morning - one of my Barclaycards got blocked this afternoon because of some "suspicious transactions".


This post is from a series of posts in the group:

Innovation in Financial Services

A discussion of trends in innovation management within financial institutions, and the key processes, technology and cultural shifts driving innovation.
