
Hello this is your fake bank calling...

With the UK’s “Get Safe Online Week” drawing to a close today, hopefully awareness of fraudulent online activity is on the up. The campaign highlighted all sorts of risks consumers may face with online banking, online shopping and their use of smartphones to browse internet websites, and explained how they could take care and be aware.

Unfortunately, it is almost unavoidable that determined fraudsters will obtain bank details, although there are ways to prevent them from actually benefiting from the use of the details, namely multifactor authentication and out-of-band systems as I’ve argued before in these blogs.

However, there was not a lot of information this week about how an individual can be sure that it is their bank and not a fraudster calling or emailing them. It is all too easy for individuals to be lured into a false sense of security when they receive calls from people claiming to be from their bank. As a result they unwittingly provide the fraudster with personal information while ostensibly being asked to “verify” that they are the account holder.

Banks are (rightly) putting great emphasis on getting customers to identify themselves with security questions and one-time passwords, but how can bank customers feel similarly confident that the person on the other side of the phone really is from their bank?

Well, one approach that can help is for the customer and the bank to agree on a secret pre-recorded word or phrase – recorded by the customer. When the bank calls the customer, the customer hears a replay of the pre-recorded secret word or phrase and the customer can be assured that they are speaking to their bank and can carry on with confidence.

Mutual authentication – now there’s a thought!


Comments: (3)

A Finextra member, 11 November, 2011, 12:11

Nice idea. I am sure there is an attack approach for that one too. I normally ask the 'calling bank' to provide some information about me before I enter into IDing myself. If they cannot or do not, they sometimes offer a call back number I can use to ring them (doesn't often help the problem unless it's the one I know). Why not ask them to list a transaction from your account (assuming you haven't had a paper statement intercepted?).

Better still - a push alert from your bank to your mobile phone, prior to the call to pre-notify the incoming call - very easy to do and encourages use of mobile banking alerts or registration at least. Even this can be spoofed and made to look genuine when it is not, however.

Hmmm... why are they calling me again?

Keith Appleyard - available for hire - Bromley, 14 November, 2011, 18:55

In recent years I've seen Royal Bank of Scotland staff only ever use mobile phones. I've got no idea who they are when they call me.

In turn they never answer the Bank branch landline when I call - the phone just rings & rings.

I refuse to discuss my details with RBS on a mobile, I make them call me from the Office landline, or I don't do business with them.

Ketharaman Swaminathan - GTM360 Marketing Solutions - Pune, 15 November, 2011, 17:28

I really enjoy these calls from one of my banks. Every time I log a complaint or query using the secure email feature on their Internet Banking website, they somehow choose to call me instead of simply replying to my email, and ask me to verify my identity! I turn the table around on them and ask them to verify their identity. At first, the CSR gets dazed with my demand but eventually they get my point. When they correctly read the first few lines from my email, I'm sure they're who they claim to be viz. my bank.

Pat Carroll, Founder/Executive Chairman, ValidSoft
