funsec mailing list archives

Bank security


From: Drsolly <drsollyp () drsolly com>
Date: Fri, 4 Mar 2011 15:45:02 +0000 (GMT)

I was called by my bank recently, to discuss a complaint I'd made. After a 
few minutes talking, my caller decided she needed to do a security check.

So she asked me for part of my sort code, part of my account number, part 
of my mother's maiden name, and my birth date.

After we'd finished dealing with the original complaint, I told her that I 
now had another complaint - their security procedure.

1) Someone calling me, where I can't verify who they are, should not be 
asking for such info. 2) My account number and sort code are on every 
check I send out, so are public info. My birth date and mother's maiden 
name aren't hard to discover. So, it's asking for info they shouldn't ask 
for, and it isn't verifying that I'm who I say I am.

I was called back by another person in their complaints department. I 
asked him, "If I'm asked by someone who called me, for my account number, 
should I give it?" He said that I should not.

So I told him that his own department was asking people for that 
information. He was surprised.

Then I explained to him how a proper security system should work (shared 
secret). He said that he was very familiar with how security works.

He suggested that if I was unsure that a caller was from the bank, then I 
should call them back. "And where do I get the number from?" I asked. 
"From the caller," he replied.

So I explained to him why that was a very bad idea.

I'm left with the conviction that my bank, at least, is clueless about how 
security works.

I've escalated the issue. He told me I'd get a final resolution (which I 
take to mean, and we won't discuss the matter further after that).

I don't suppose there's anyone here from a bank? 

_______________________________________________
Fun and Misc security discussion for OT posts.
https://linuxbox.org/cgi-bin/mailman/listinfo/funsec
Note: funsec is a public and open mailing list.

