Elliot Castro - EC Consultancy
A post relating to this item from Finextra:

Banks must ditch standard security questions - Symantec

22 January 2009
Banks are putting their customers at risk by using standard security questions, such as mother's maiden name, to confirm identities online or over the phone, according to Symantec.

Random is the key!

23 January 2009

During my five-year spell as a fraudster, I used the telephone banking system almost every day, in order to keep track of the finances of those whose accounts I had taken over (this would more often than not be a credit card account, although I did occasionally get information relating to bank accounts too).

Needless to say, the fact that some of the information I needed was quite often just a Google search away helped me enormously in my day-to-day fraud activities. For example, once I was asked by a fraud team member to name a street close to my house. This would normally cause a problem for the fraudster, but as I had the internet in front of me I simply distracted the conversation long enough for me to check Google Maps (a matter of seconds).

I can recall quite clearly one occasion when the card I had been using was cancelled and the customer had been contacted to provide a new password in order to secure the account against further fraud. I proceeded to call the issuer and when asked for this password, I said I had forgotten it. The agent then asked me a series of other questions, including mother's maiden name and date of birth. When I passed, she not only gave me access to the account once again, but (and here's the real shocker) revealed to me the new password which had been set. As a result of this, I was able to access the cardholder's accounts with other issuers as well.

Take for example this scenario:

1. Account holder's details compromised by fraudster.

2. Fraudster does some digging to find out what he/she can about the victim and their account.

3. Fraudster contacts bank in attempt to change details or to find out what they can get away with in terms of available funds etc. Access is given due to their knowledge of the account holder.

4. Fraudster is then able to make purchases knowing what is likely to be acceptable to the issuer, and may have found out more about the account than they knew in the first place, potentially enabling them to pass any security checks they may encounter.

Now, let's say that at step 3, the fraudster is tackled by a completely random question, e.g. "You went on holiday last year, where did you go?" or "What supermarket do you normally shop at?". The fraudster is much less likely to be able to answer this, and their failure to pass security will (hopefully) lead to the card being stopped.

The point I am trying to make here is that these sorts of 'advanced' security questions should not be saved for the occasions when a call is transferred to the fraud team. Training your CS staff to be able to pick out something random from the account should not be a particularly difficult task.

The key to defeating attempted account takeover over the telephone is random questions. I am certain of it.

Please don't hesitate to contact me with any further queries regarding this matter.
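The scenario above, as an added illustration that is not part of the original post: a call-centre verification step that draws its question from the caller's own recent activity instead of from static facts. The account record, the transactions and the merchant names are constructed sample data; the question wording, the two-strikes referral rule and the "statement-visible only" filter are choices made for this example, not any bank's procedure. The filter is there because a question the customer has no way of answering (a transaction they have not yet been sent) is a failure mode of this approach, not a security feature.

```python
"""Dynamic knowledge-based authentication for a call centre (added example).

Static questions (mother's maiden name, date of birth) are often a web
search away.  Dynamic questions are drawn from activity that exists only
in the customer's own records, and only from lines the customer has
actually been sent, so that a genuine caller can answer from their
statement.
"""
from __future__ import annotations

import secrets
from dataclasses import dataclass
from datetime import date

MAX_FAILURES = 2  # second miss: refer to the fraud team instead of probing further


@dataclass(frozen=True)
class Transaction:
    posted: date
    merchant: str
    amount_gbp: float
    on_statement: bool  # has this line reached the customer yet?


@dataclass
class Account:
    account_id: str
    mothers_maiden_name: str   # static fact: frequently discoverable
    date_of_birth: date        # static fact: frequently discoverable
    transactions: list[Transaction]
    failed_challenges: int = 0


@dataclass(frozen=True)
class Challenge:
    prompt: str
    accepted: frozenset[str]   # normalised answers that pass; never shown to the caller


def normalise(text: str) -> str:
    """Lower-case, drop currency marks and collapse whitespace so the agent
    does not have to police punctuation read out over the phone."""
    return " ".join(text.lower().replace("\u00a3", "").replace("gbp", "").split())


def static_challenges(acct: Account) -> list[Challenge]:
    """The scheme the post argues against, kept here for contrast."""
    return [
        Challenge("What is your mother's maiden name?",
                  frozenset({normalise(acct.mothers_maiden_name)})),
        Challenge("What is your date of birth (YYYY-MM-DD)?",
                  frozenset({acct.date_of_birth.isoformat()})),
    ]


def dynamic_challenges(acct: Account) -> list[Challenge]:
    """Questions whose answers live only in the customer's own statement."""
    visible = [t for t in acct.transactions if t.on_statement]
    if not visible:
        return []  # nothing the caller could be expected to know; fall back to other controls
    merchants = frozenset(normalise(t.merchant) for t in visible)
    latest = max(visible, key=lambda t: t.posted)
    # Accept the amount to the pound or to the penny: the caller is reading from paper.
    amounts = frozenset({f"{latest.amount_gbp:.0f}", f"{latest.amount_gbp:.2f}"})
    return [
        Challenge("Name a shop or company you paid on your most recent statement.", merchants),
        Challenge(f"How much did you pay {latest.merchant} on {latest.posted:%d %B}?", amounts),
    ]


def pick_challenge(acct: Account, rng=secrets.SystemRandom()) -> Challenge | None:
    """Choose unpredictably so a fraudster cannot rehearse the one question asked."""
    options = dynamic_challenges(acct)
    return rng.choice(options) if options else None


def check_answer(acct: Account, challenge: Challenge, answer: str) -> str:
    """Return 'pass', 'retry' or 'refer'.  The expected answer is never echoed
    back to the caller, whatever the outcome."""
    if normalise(answer) in challenge.accepted:
        acct.failed_challenges = 0
        return "pass"
    acct.failed_challenges += 1
    return "refer" if acct.failed_challenges >= MAX_FAILURES else "retry"


def sample_account() -> Account:
    """Constructed sample data; not a real customer."""
    return Account(
        account_id="ACC-0001",
        mothers_maiden_name="Smith",
        date_of_birth=date(1975, 4, 12),
        transactions=[
            Transaction(date(2009, 1, 5), "Tesco Stores", 43.20, True),
            Transaction(date(2009, 1, 9), "Ryanair", 118.99, True),
            Transaction(date(2009, 1, 22), "Argos", 29.99, False),  # posted, not yet sent
        ],
    )


if __name__ == "__main__":
    acct = sample_account()
    q = pick_challenge(acct)
    print("Agent asks:", q.prompt)
    print("Outcome for a blank answer:", check_answer(acct, q, ""))
```

The Argos line is excluded from every question because the customer has not seen it yet; the merchant question accepts any visible merchant, so the agent does not need the caller to guess which line the system picked.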


Comments: (4)

Roger Elwell
Roger Elwell - Yes Please - Colchester 23 January, 2009, 12:07

I agree that the use of more random questions is going to be increasingly needed. It doesn't always work, though. I had a situation where I was asked about an entry to my account that I actually couldn't answer (it was something like 'what was the last transaction to your account?'), and that made life pretty uncomfortable.

What the CSR didn't think was that they had asked a question I couldn't possibly answer, as I could not see the data that they had in front of them, and the random way in which transactions are presented and displayed on an account is impossible for anyone else - even the account-holder - to see.

I guess it all comes down to training. Companies have 'deskilled' CSR work so much in the past that I wonder whether, unless they reverse course (with all the implications that has for wages), this will ever happen, or will happen without the kind of absurd situation I describe above...?

John Dring
John Dring - Intel Network Services - Swindon 28 January, 2009, 13:36

I should maybe start another thread, but my experience is related to this one, so although it might be down the list a little bit by now, I will add it. It's also just a bit of 'flame on' therapy.

Ever had your bank contact you asking to contact them, URGENTLY?

This happened to me yesterday. Via an automated computer voice message providing a phone number and a web site. So I ventured to the website. It was undoubtedly a section of my bank's web portal - not a secured https page, but asking for bank account and sort code information. It also popped up an 'invalid server Certificate' message, which when viewed was 6 months out of date and belonged not to the bank, but another company?

So I called the number provided instead. Also a seemingly genuine bank call centre (albeit with a fire alarm test at the time). Immediately asking for my bank account, sort code, name etc. Not able to tell me what the nature of the call was about until I had done this (which I objected to and did not). When I provided my surname, they confirmed I was not the person they were trying to contact after all (my number is 14 years old, I've been with the bank 25 years). It transpired that they were a debt collection department of the bank (so I hope they genuinely did have it wrong!).

So I felt the need to try to at least report the dodgy/amateur website to the Bank Fraud department. Found the number and called. Same routine of grilling for my identity first, before listening to the point I had to make, and simply diverted me to the first number I had spoken to in order to get rid of me.

By now, this was becoming a challenge. I wanted to report the shoddy processes and contacted the Bank Customer Services. This time, after providing my account number, they challenged with individual digits from my password. They actually listened to the problem, agreed with me it didn't sound very sensible and went to look at it. Unfortunately, they then got cut off from me (lost 1-way communication!) but at least I think they got the point and went to check it.

I don't really have a point except to say that Banks seem to think the need to identify every caller is their right, and that it is of detriment to the caller experience. Anyone could set up such a spamming service and use it to phish personal details with very little chance of locating the fraudsters. Just ask a user for their PIN, and some will provide it, or at least 2 digits of it! They should take a little effort to demonstrate they are actually your bank, before grilling for ID.

flame off.

Nick Green
Nick Green - ISD Consultants - Northampton 29 January, 2009, 11:19

The opportunity is there now with the on-line banking 'readers' being distributed (see thread http://www.finextra.com/community/fullblog.aspx?id=2439). Many have a challenge and response function: Insert card, key in challenge from call centre, tell them the response, they key the response in and verify who you are - job done.

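The challenge-and-response exchange described in the comment above, as an added example that is not part of the thread and not the commenter's code. The readers being handed out at the time ran EMV CAP on the card itself; that algorithm is not reproduced here. Instead an HMAC over the challenge with a per-card key stands in for the card's computation, so the shape of the exchange (one-shot numeric challenge from the agent, short numeric response from the device, verification that refuses replays and stale challenges) can be run end to end. The card keys, account identifier, digit lengths and two-minute lifetime are assumptions for this example.

```python
"""Call-centre challenge/response with a customer-held device (added example).

The card key never leaves the device; the call centre holds a copy (or an
HSM does) and recomputes the response.  An HMAC is used here as a stand-in
for the card's own algorithm, which this example does not implement.
"""
import hashlib
import hmac
import secrets
import time

CHALLENGE_DIGITS = 8
RESPONSE_DIGITS = 8
CHALLENGE_TTL_SECONDS = 120   # long enough to read eight digits out and type eight back


def compute_response(card_key: bytes, challenge: str) -> str:
    """HMAC-SHA256 over the challenge, dynamically truncated to decimal digits
    (the same truncation step HOTP uses), so the customer reads out digits only."""
    mac = hmac.new(card_key, challenge.encode("ascii"), hashlib.sha256).digest()
    offset = mac[-1] & 0x0F
    code = int.from_bytes(mac[offset:offset + 4], "big") & 0x7FFFFFFF
    return f"{code % 10 ** RESPONSE_DIGITS:0{RESPONSE_DIGITS}d}"


class CardReader:
    """What the customer holds.  Only ever sees the challenge, never the account state."""

    def __init__(self, card_key: bytes):
        self._key = card_key

    def respond(self, challenge: str) -> str:
        return compute_response(self._key, challenge)


class CallCentre:
    """What the agent's screen talks to.  Issues one-shot challenges and verifies
    responses without revealing the expected value to the agent or the caller."""

    def __init__(self, card_keys: dict, clock=time.monotonic):
        self._keys = dict(card_keys)       # account_id -> card key (sample values in tests)
        self._clock = clock                # injectable so expiry can be tested
        self._open = {}                    # account_id -> (challenge, issued_at)
        self.failures = {}                 # account_id -> consecutive misses

    def issue_challenge(self, account_id: str) -> str:
        """Fresh random digits each time; a new challenge replaces any open one."""
        challenge = "".join(secrets.choice("0123456789") for _ in range(CHALLENGE_DIGITS))
        self._open[account_id] = (challenge, self._clock())
        return challenge

    def verify(self, account_id: str, response: str) -> bool:
        entry = self._open.pop(account_id, None)   # consumed on any attempt: no replay, no retry
        key = self._keys.get(account_id)
        if entry is None or key is None:
            return False
        challenge, issued_at = entry
        if self._clock() - issued_at > CHALLENGE_TTL_SECONDS:
            return False                           # stale: the caller must be re-challenged
        expected = compute_response(key, challenge)
        ok = hmac.compare_digest(expected, response.strip())
        self.failures[account_id] = 0 if ok else self.failures.get(account_id, 0) + 1
        return ok


if __name__ == "__main__":
    # Constructed sample key and account; a real deployment would hold keys in an HSM.
    key = secrets.token_bytes(32)
    centre = CallCentre({"ACC-0001": key})
    reader = CardReader(key)
    challenge = centre.issue_challenge("ACC-0001")      # agent reads this out
    answer = reader.respond(challenge)                  # customer types it in, reads back the result
    print("challenge", challenge, "response", answer, "verified", centre.verify("ACC-0001", answer))
```

Because the challenge is consumed on the first verification attempt, an attacker who overhears one exchange has nothing to replay, and an agent who mistypes the response has to issue a fresh challenge rather than guess again against the same one.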
John Dring
John Dring - Intel Network Services - Swindon 31 January, 2009, 01:07

Got one of those. They are a royal pain. Every time I use it, I am not sure what it's doing. It works, but it's not exactly handy, and I didn't have it with me when I got the phone call. They need to do a basic check of me, then tell me something that shows me they know me (like a recent txn, or the month of my birth - nothing too specific).


Elliot's profile

Hi I'm Elliot Castro, an ex-fraudster now working with the banking and security communities to help close up loopholes and give advice on anti-fraud techniques. I have written a book about my previous...