Join the Community

22,526

Expert opinions

44,549

Total members

557

New members (last 30 days)

199

New opinions (last 30 days)

28,869

Total comments

Join Sign in

Random is the key!

23 January 2009 4 comments

Elliot Castro

Man

EC Consultancy

During my 5 year spell as a fraudster, I used the telephone banking system almost every day, in order to keep track of the finances of those whose accounts I had taken over (this would more often than not be a credit card account, although I did occasionally get information relating to bank accounts too).

Needless to say, the fact that some of the information I needed was quite often just a google search away helped me enormously in my day-to-day fraud activities. For example, once I was asked by a fraud team member to name a street close to my house. This would normally cause a problem for the fraudster, but as I had internet in front of me I simply distracted conversation long enough for me check google maps (a matter of seconds).

I can recall quite clearly one occasion when the card I had been using was cancelled and the customer had been contacted to provide a new password in order to secure the account against further fraud. I proceeded to call the issuer and when asked for this password, I said I had forgotten it. The agent then asked me a series of other questions, including mother's maiden name and date of birth. When I passed, she not only gave me access to the account once again, but (and here's the real shocker) revealed to me the new password which had been set. As a result of this, I was able to access the cardholder's accounts with other issuers as well.

Take for example this scenario:

1. Account holder's details compromised by fraudster.

2. Fraudster does some digging to find out what he/she can about the victim and their account.

3. Fraudster contacts bank in attempt to change details or to find out what they can get away with in terms of available funds etc. Access is given due to their knowledge of the account holder.

4. Fraudster is then able to make purchases knowing what is likely to be acceptable to the issuer, and may have found out more about the account than they knew in the first place, potentially enabling them to pass any security checks they may encounter.

Now, let's say that at step 3, the fraudster is tackled by a completely random question - i.e. "You went on holiday last year, where did you go?" or "What supermarket do you normally shop at?". The fraudster is much less likely to be able to answer this, and their failure to pass security will (hopefully) lead to the card being stopped.

The point I am trying to make here is that these sorts of 'advanced' security questions should not be something that is saved for the occasions when a call is transferred to the fraud team. Training your CS staff to be able to pick out something random from the account should not be a particularly difficult task.

The key to posing a threat to potential account takeover via the telephone is random questions. I am certain of it.

Please don't hesitate to contact me with any further queries regarding this matter.

External

This content is provided by an external author without editing by Finextra. It expresses the views and opinions of the author.

4239

Report

Channels

/security

Comments: (4)

A Finextra member

23 January 2009

I agree that the use of more random questions is going to be increasingly needed. It doesn't always work, though. I had a situation where I was asked about an entry to my account that I actually couldn't answer (it was something like 'what was the last transaction to your account?'), and that made life pretty uncomfortable.

What the CSR didn't think was that they had asked a question I couldn't possibly answer, as I could not see the data that they had in front of them, and the random way in which transactions are presented and displayed on an account is impossible for anyone else - even the account-holder - to see.

I guess it all comes down to training. Companies have 'deskilled' CSR work so much in the past that I wonder whether, unless they reverse course (with all the implications that has for wages), this will ever happen, or will happen without the kind of absurd situation I describe above...?

Report

John Dring Digital Services and mCommerce at Intel Network Services

28 January 2009

I should maybe start another thread, but my experience is related to this one, so although it might be down the list a little bit by now, I will add it. Its also just a bit of 'flame on' therapy.

Ever had your bank contact you asking to contact them, URGENTLY?

This happened to me yesterday. Via an automated computer voice message providing a phone number and a web site. So I ventured to the website. It was undoutably a section of my banks web portal - not a secured https page, but asking for bank account and sort code information. It also popped up an 'invalid server Certificate' message, which when viewed was 6 months out of date and belonged not to the bank, but another company?

So I called the number provided instead. Also seemingly genuine bank call centre (albeit with a fire alarm test at the time). Immediately asking for my bank account, sort code, name etc. Not able to tell me what the nature of the call was about until I had done this (which I objected to and did not). When I provided my surname, they confirmed I was not the person they were trying to contact after all (my number is 14 years old, I've been with the bank 25 years). It transpired that they were a debt collection department of the bank (so I hope they genuinely did have it wrong!).

So I felt the need to try to at least report the dodgy/amateur website to the Bank Fraud department. Found the number and called. Same routine of grilling for my identity first, before listening to the point I had to make, and simply diverted me to the first number I had spoken to in order to get rid of me.

By now, this was becoming a challenge. I wanted to report the shoddy processes and contacted the Bank Customer Services. This time, after providing my account number, they challenged with individual digits from my password. They actually listened to the problem, agreed with me it didn't sound very sensible and went to look at it. Unfortunately, they then got cut off from me (lost 1-way communication!) but at least I think they got the point and went to check it.

I don't really have a point except to say that Banks seem to think the need to identify every caller is their right, and that it is of detriment to the caller experience. Anyone could set up such a spamming service and use it to phish personal details with very little chance of locating the fraudsters. Just ask a user for their PIN, and some will provide it, or at least 2 digits of it! They should take a little effort to demonstrate they are actually your bank, before grilling for ID.

flame off.

Report

Nick Green Consultant at ISD Consultants

29 January 2009

The oportunity is there now with the on-line banking 'readers' being distributed (see thread https://www.finextra.com/blogs/fullblog.aspx?blogid=2439). Many have a challenge and response function: Insert card, key in challenge from call centre, tell them the response, they key the response in an verify who you are - job done.

Report

John Dring Digital Services and mCommerce at Intel Network Services

31 January 2009

Got one of those. They are a royal pain. Every time I use it, I am not sure what its doing. It works, but its not exactly handy, and I didn't have it with me when I got the phone call. They need to do a basic check of me, then tell me something that shows me they know me (like a recent txn, or the month of my birth - nothing too specific).

Report

Elliot Castro

Man

EC Consultancy

Member since

20 Nov 2008

Location

Glasgow

See all Opinions from Elliot

More expert opinions

Shailendra Prajapati Associate AI Engineer at Compunnel Inc.