A post relating to this item from Finextra:
22 January 2009
Banks are putting their customers at risk by using standard security questions, such as mother's maiden name, to confirm identities online or over the phone, according to Symantec.
During my five-year spell as a fraudster, I used the telephone banking system almost every day in order to keep track of the finances of those whose accounts I had taken over (this would more often than not be a credit card account, although I did occasionally get information relating to bank accounts too).
Needless to say, the fact that some of the information I needed was quite often just a Google search away helped me enormously in my day-to-day fraud activities. For example, once I was asked by a fraud team member to name a street close to my house. This would normally cause a problem for the fraudster, but as I had the internet in front of me I simply distracted the conversation long enough for me to check Google Maps (a matter of seconds).
I can recall quite clearly one occasion when the card I had been using was cancelled and the customer had been contacted to provide a new password in order to secure the account against further fraud. I proceeded to call the issuer and, when asked for this password, I said I had forgotten it. The agent then asked me a series of other questions, including mother's maiden name and date of birth. When I passed, she not only gave me access to the account once again but (and here's the real shocker) revealed to me the new password which had been set. As a result, I was able to access the cardholder's accounts with other issuers as well.
Take for example this scenario:
1. Account holder's details compromised by fraudster.
2. Fraudster does some digging to find out what he/she can about the victim and their account.
3. Fraudster contacts the bank in an attempt to change details or to find out what they can get away with in terms of available funds, etc. Access is given due to their knowledge of the account holder.
4. Fraudster is then able to make purchases knowing what is likely to be acceptable to the issuer, and may have found out more about the account than they knew in the first place, potentially enabling them to pass any security checks they may encounter.
Now, let's say that at step 3 the fraudster is tackled by a completely random question, e.g. "You went on holiday last year; where did you go?" or "What supermarket do you normally shop at?". The fraudster is much less likely to be able to answer this, and their failure to pass security will (hopefully) lead to the card being stopped.
The point I am trying to make here is that these sorts of 'advanced' security questions should not be something that is saved for the occasions when a call is transferred to the fraud team. Training your CS staff to pick out something random from the account should not be a particularly difficult task.
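The following is an added example (not code from the original post, from Finextra, from Symantec or from any issuer) of what "something random from the account" can look like when it is built into the servicing system rather than left to an agent's improvisation. The account record, transactions, names and question templates are constructed for illustration, and the three-strikes card stop is an assumed policy. Two points from the post are built in: static facts such as maiden name and date of birth are never used as the gate, and the agent's screen shows only the question, so there is no answer or password to read back to the caller.

```python
"""Dynamic, account-derived challenge questions for telephone servicing.

Added example: not code from the original post or any issuer. The account,
transactions and names are constructed; question templates and the
three-strikes policy are assumptions.
"""
import copy
import random
import re
from dataclasses import dataclass, field
from datetime import date

MAX_FAILURES = 2  # assumption: a third failed answer stops the card


@dataclass
class Transaction:
    when: date
    merchant: str
    amount_gbp: float


@dataclass
class Account:
    card_last4: str
    transactions: list
    # Static KBA data is held only to show that it is never used as the gate.
    mothers_maiden_name: str = ""
    date_of_birth: str = ""
    card_stopped: bool = False
    failures: int = 0


@dataclass
class Challenge:
    question: str                     # the only part the agent ever sees
    _answer: str = field(repr=False)  # stays server-side; never read back to the caller
    kind: str = "merchant"


def normalise(text: str) -> str:
    """Lower-case and strip punctuation so 'Tesco Stores' matches 'tesco stores'."""
    return re.sub(r"[^a-z0-9]+", " ", text.lower()).strip()


def bucket(amount: float) -> str:
    """Amount to the nearest ten pounds; used identically for question and answer."""
    return str(int(round(amount / 10.0)) * 10)


def generate_challenge(account: Account, rng: random.Random) -> Challenge:
    """Ask about something random from recent activity instead of maiden name or DOB."""
    tx = rng.choice(account.transactions)
    if rng.choice(["merchant", "amount"]) == "merchant":
        q = f"Where did you use the card ending {account.card_last4} on {tx.when.isoformat()}?"
        return Challenge(q, normalise(tx.merchant), "merchant")
    q = (f"To the nearest ten pounds, how much was the {tx.merchant} transaction "
         f"on {tx.when.isoformat()}?")
    return Challenge(q, bucket(tx.amount_gbp), "amount")


def agent_view(challenge: Challenge) -> str:
    """What the CS screen shows: the question only, so there is no answer to leak."""
    return challenge.question


def verify(account: Account, challenge: Challenge, given: str) -> bool:
    """Server-side check. A failure never falls back to maiden name or DOB; past
    MAX_FAILURES the card is stopped and the call belongs with the fraud team."""
    if account.card_stopped:
        return False
    if challenge.kind == "amount":
        m = re.search(r"\d+(?:\.\d+)?", given)
        ok = m is not None and bucket(float(m.group())) == challenge._answer
    else:
        ok = normalise(given) == challenge._answer
    if ok:
        account.failures = 0
        return True
    account.failures += 1
    if account.failures > MAX_FAILURES:
        account.card_stopped = True
    return False


# Constructed sample account (not real data).
SAMPLE_ACCOUNT = Account(
    card_last4="4242",
    transactions=[
        Transaction(date(2009, 1, 14), "Tesco Stores", 63.18),
        Transaction(date(2009, 1, 16), "Odeon Cinemas", 17.40),
        Transaction(date(2009, 1, 19), "Shell Petrol", 41.02),
    ],
    mothers_maiden_name="Smith",
    date_of_birth="1971-03-09",
)


def run_scenario(seed: int = 1) -> dict:
    """Genuine holder (simulated by looking up the real answer) versus a fraudster
    who only holds the searchable static facts gathered at step 2 of the scenario."""
    rng = random.Random(seed)
    genuine = copy.deepcopy(SAMPLE_ACCOUNT)
    ch = generate_challenge(genuine, rng)
    holder_ok = verify(genuine, ch, ch._answer)
    attacked = copy.deepcopy(SAMPLE_ACCOUNT)
    guesses = [attacked.mothers_maiden_name, attacked.date_of_birth, "Argos"]
    fraud_ok = [verify(attacked, generate_challenge(attacked, rng), g) for g in guesses]
    return {"holder_passed": holder_ok, "fraudster_passed": any(fraud_ok),
            "card_stopped": attacked.card_stopped}
```

Calling `run_scenario()` returns `holder_passed` True, `fraudster_passed` False and `card_stopped` True whatever seed is used, because the fraudster's answers are the static facts that the post says are a Google search away, and those never appear in the transaction history. The amount question is deliberately bucketed to the nearest ten pounds: a genuine cardholder knows roughly what they spent, while an attacker holding only card details does not, and exact figures would be an unreasonable memory test.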
The key to countering attempted account takeover via the telephone is random questions. I am certain of it.
Please don't hesitate to contact me with any further queries regarding this matter.