I want to ask my bank something about a transaction on my credit card account.
So I call in to the call center.
After the usual exchange of niceties, the Support Guy on the phone asks me:
SG : "Sir, I need to ask you a few questions for security purposes."
Me : "Yes, sure!"
SG : "What is your birth date?"
Me : "xx-xx-xxxx". (wondering: isn't my birth date known to many? I own so many accounts on multiple social networking websites and VoIP chat programs, and many of them actually show my profile to complete strangers if I am not careful enough to block such views.)
SG : "How many supplementary cards do you own?"
Me : "Just one" (wondering: don't they just print all dues from all supplementary cards in one statement, to reduce their mailing costs? And haven't I had occasions when I never received the original statement? Isn't it possible for someone else to know this information?)
SG : "What is your credit limit?"
Me : "XXXXXXX" (wondering: don't they always print that on my statement? And haven't I had occasions when I never received the original statement? Isn't it possible for someone else to know this information?)
And so on...
When I forgot my password (called a PIN: isn't the head of a human being living in the modern era a "pin-cushion" now? So many PINs to remember...) to another stock trading website, I could generate a new PIN online by answering more or less similar questions, and it was pretty alarming that most of the information that was supposed to be "private information" a couple of years ago has now become public information due to the advent of numerous social and professional networking websites. Technology changes lives - surely!
And the so-called "security procedures" that were effective yesterday are simply "open doors" today.
What is the role of "risk management" personnel now in our institutions?
Does "experience" make a difference or does technology play a more important role in defining risks?
What can we do?
· First and foremost, don't put yourself up for auction online; you will be sold off sooner rather than later. In other words, give out only the minimum information on networking sites - generally just an email ID is enough to remain contactable.
· Keep your private and personal preferences just that: private and personal.
What can banks and other institutions do?
· Employ technology-savvy people in the risk management departments.
· Let them create accounts on as many social and professional networking sites as possible, and register with VoIP service providers.
· Let them create a detailed list of the "data fields" that these sites ask the user to fill in.
· Ask each customer whether they use these social networking sites and keep that data in the client master. A simple "tick this" section in the account opening form or on their internet banking home page will get you this data.
· Map the "data fields" from these networking sites to the answers customers would give, and then don't ask customers the security questions whose answers can easily be found in those "data fields" on these networking sites.
· Review the most common data fields across these websites and REMOVE from your security question list those questions that are based on these "common data fields".
· Devise innovative questions that can be answered only by the customer himself/herself. For example: what was the last credit/debit transaction on your account?
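The procedure in the list above (inventory the data fields each site asks for, record which sites a customer uses, then drop the security questions whose answers sit in those fields or on a mailed statement) can be expressed as a small filter. The following is an added example, not code from the original post or from any bank; the site names, field names and question bank are constructed placeholders, and `min_sites` is an assumed threshold for what counts as a "common data field".

```python
"""Filter knowledge-based security questions against publicly exposed data fields.

Added example. All site names, data fields and questions below are constructed
for illustration; they are not a survey of real networking sites.
"""
from collections import defaultdict

# Constructed inventory: the data fields each (hypothetical) site asks users to fill in.
SITE_FIELDS = {
    "social_site_a": {"birth_date", "hometown", "employer", "phone", "email"},
    "professional_site_b": {"employer", "education", "email", "city"},
    "voip_service_c": {"birth_date", "phone", "email"},
}

# Constructed question bank: each question is tagged with the data field its answer
# depends on. None means the answer exists only in the customer's live account activity.
QUESTION_BANK = {
    "What is your birth date?": "birth_date",
    "Where did you grow up?": "hometown",
    "Who is your current employer?": "employer",
    "What is your credit limit?": "statement_credit_limit",
    "How many supplementary cards do you own?": "statement_supplementary_cards",
    "What was the last debit transaction on your account?": None,
}

# Fields the bank itself prints on mailed statements, which can go missing in the post.
STATEMENT_FIELDS = {"statement_credit_limit", "statement_supplementary_cards"}


def field_exposure(site_fields):
    """Map each data field to the set of sites that collect (and may publish) it."""
    exposure = defaultdict(set)
    for site, fields in site_fields.items():
        for field in fields:
            exposure[field].add(site)
    return exposure


def common_fields(site_fields, min_sites=2):
    """Data fields collected by at least `min_sites` sites (assumed threshold).

    Questions built on these fields are removed bank-wide, regardless of which
    sites a particular customer says they use.
    """
    return {f for f, sites in field_exposure(site_fields).items() if len(sites) >= min_sites}


def usable_questions(question_bank, site_fields, customer_sites,
                     statement_fields=STATEMENT_FIELDS, min_sites=2):
    """Return the questions that are still safe to ask one customer.

    customer_sites: the sites the customer ticked on the account opening form.
    """
    exposure = field_exposure(site_fields)
    banned = common_fields(site_fields, min_sites)
    safe = []
    for question, field in question_bank.items():
        if field is None:
            safe.append(question)          # known only from the customer's own activity
            continue
        if field in statement_fields:
            continue                       # printed on a statement that may be intercepted
        if field in banned:
            continue                       # a common data field across networking sites
        if exposure[field] & customer_sites:
            continue                       # this customer has a profile on a site exposing it
        safe.append(question)
    return safe


if __name__ == "__main__":
    print("Common fields removed bank-wide:", sorted(common_fields(SITE_FIELDS)))
    for sites in ({"social_site_a"}, {"professional_site_b"}, set()):
        print(f"Customer on {sorted(sites) or 'no sites'}:")
        for q in usable_questions(QUESTION_BANK, SITE_FIELDS, sites):
            print("  -", q)
```

Running the script shows that, with the constructed data, a customer with a profile on `social_site_a` is left with only the transaction-based question, while a customer who uses no networking site can still be asked about their hometown; the statement-printed questions are never asked. The threshold and the field tags are the parts a real risk team would maintain from their own survey of the sites their customers use.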
Well... it is an evolution out there. One needs to continuously catch up with developments to keep making real sense. But isn't that always the law of nature - if we don't adapt, we become extinct!