Karen ([personal profile] karen2205) wrote 2014-06-15 01:00 am

Banks, identity theft and social engineering

One of the things that keeps us safe from fraud/identity theft/other crimes of deception is the ability to think "whoa there, something's not right here" and act on that feeling that something isn't right and at least needs further investigation.

Banks seem to be going out of their way to undermine people's ability to keep themselves safe, by behaving in ways that replicate the behaviour of those who are trying to take advantage of us. They phone us and ask us to confirm security information. When we phone them they ask us for security information before they even know what question it is we want to ask (it might be "what time does the branch in $foo close on a Saturday?" - they don't need to know who is asking that question!). They send us text messages from numbers that cannot be verified online - how am I supposed to trust that a text message apparently containing details of my transactions is genuine when there is nothing to link that mobile number to the bank on the contact details page of their website?

So no, banks:

1. You do not telephone me and ask me to confirm who I am. Ever. Bad practice. I won't do so, I will hang up and report the call to you, on a number I can verify as belonging to you, as a potential fraud.

2. I will avoid dealing with you by telephone whenever possible, because it is so fucking frustrating. I don't ask clients who phone me at work to prove they are who they say they are before I'll talk to them! You could make the process much less frustrating by employing staff who speak English to the standard of a native speaker and by not asking security questions until you know someone wants information about their own accounts.

3. Publish your contact information. All of it. If a text message claims to come from you, I should be able to verify it.

Allow me to state the obvious...

[personal profile] hairyears 2014-06-16 07:56 am (UTC)
The retail banks' security procedures are not impelled by a desire to keep their customers secure; the objective is to fabricate a legal figleaf by which the banks are covered and the customer is held to be at fault for all and any failures of security, even - or especially! - if the failures originate within the bank.

It follows that a 'customer service' that is driven by a fundamental ethos of disservice will be generally dismal; and, as the processes of 'security theatre' are empty rituals with no useful purpose, the only way to maintain their use is to elevate them to canonical rites and ceremonies that are sacrosanct and sacred in and of themselves, essential to all supplications to and blessings of the bank.
Edited (spell-checked) 2014-06-16 07:59 (UTC)

[identity profile] land-girl.livejournal.com 2014-06-15 03:23 pm (UTC)
Yes to all of this. It isn't all right, ever.

[personal profile] lnr 2014-06-15 08:31 pm (UTC)
Yeah, amen to that - drives me bonkers too.

[identity profile] thekumquat.livejournal.com 2014-06-16 08:40 pm (UTC)
Definitely - though all my banks claim in their blurb they live up to the standards you expect. Funny how they generally try phoning me despite it being allegedly in my records that I don't do phone calls - but gave a number for ID verification.