funsec mailing list archives

Re: Bank security


From: <michael.blanchard () emc com>
Date: Fri, 4 Mar 2011 12:04:23 -0500

I've had similar calls and have always forced their hand to provide me information that is not public information.

But, because they called you about a complaint that you filed with them, isn't that pretty reasonable proof that they 
are who they state they are?  Unless the complaint you filed was considered public knowledge.
  My issue would absolutely be with them calling me and then asking for personal information, for sure....

Oh, and that other person that called you back is a dope and clearly doesn't know how security works, LOL...  By his 
thinking, if a thief calls me, I should verify that the thief is not a thief by asking the thief for a callback number 
to verify the thief is not a thief; then when I call back the thief's number and he answers, I can be assured that 
he is not a thief and give him any information the thief wants...  LOL.  Sounds like a Monty Python skit to me!

 Mike B

Michael P. Blanchard
Senior Security Engineer, CISSP, GCIH, CCSA-NGX, MCSE
Office of Information Security & Risk Management
EMC² Corporation
32 Coslin Drive
Southboro, MA 01772


-----Original Message-----
From: funsec-bounces () linuxbox org [mailto:funsec-bounces () linuxbox org] On Behalf Of Drsolly
Sent: Friday, March 04, 2011 10:45 AM
To: funsec () linuxbox org
Subject: [funsec] Bank security

I was called by my bank recently, to discuss a complaint I'd made. After a 
few minutes talking, my caller decided she needed to do a security check.

So she asked me for part of my sort code, part of my account number, part 
of my mother's maiden name, and my birth date.

After we'd finished dealing with the original complaint, I told her that I 
now had another complaint - their security procedure.

1) Someone calling me, where I can't verify who they are, should not be 
asking for such info. 2) My account number and sort code are on every 
check I send out, so they are public info. My birth date and mother's maiden 
name aren't hard to discover. So, it's asking for info they shouldn't ask 
for, and it isn't verifying that I'm who I say I am.

I was called back by another person in their complaints department. I 
asked him, "If I'm asked by someone who called me, for my account number, 
should I give it?" He said that I should not.

So I told him that his own department was asking people for that 
information. He was surprised.

Then I explained to him how a proper security system should work (shared 
secret). He said that he was very familiar with how security works.

He suggested that if I was unsure that a caller was from the bank, then I 
should call them back. "And where do I get the number from?" I asked. 
"From the caller," he replied.

So I explained to him why that was a very bad idea.

I'm left with the conviction that my bank, at least, is clueless about how 
security works.

I've escalated the issue. He told me I'd get a final resolution (which I 
take to mean, and we won't discuss the matter further after that).

I don't suppose there's anyone here from a bank? 

_______________________________________________
Fun and Misc security discussion for OT posts.
https://linuxbox.org/cgi-bin/mailman/listinfo/funsec
Note: funsec is a public and open mailing list.


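Both posts above hinge on the same point: the party that placed the call has to prove itself first, and the proof on either side must never be a static value such as an account number, sort code or date of birth that is printed on cheques or easy to look up. The script below is an added illustration of the "shared secret" approach Drsolly mentions, written for this thread and not code from either poster or from any bank. It assumes a secret the customer and bank agreed once over a trusted channel (the names Customer, Caller, run_call and the secret value are constructed for the example) and uses a keyed challenge-response in each direction, so neither side ever speaks the secret and a caller who does not hold it is hung up on before the customer discloses anything:

```python
import hashlib
import hmac
import secrets

# Constructed demo secret; in practice agreed once over a trusted channel
# (e.g. in branch) and never spoken in full by either party on a call.
CUSTOMER_SECRET = b"constructed-demo-secret"


def response(secret: bytes, role: bytes, challenge: bytes) -> str:
    """Keyed HMAC over (role, challenge). The role tag gives each direction
    its own domain, so a caller cannot just reflect the customer's own
    challenge back and pass it off as the bank's answer."""
    return hmac.new(secret, role + b"|" + challenge, hashlib.sha256).hexdigest()


class Customer:
    """The person receiving the call. Holds the shared secret."""

    def __init__(self, secret: bytes):
        self._secret = secret
        self._pending = b""

    def challenge(self) -> bytes:
        # Fresh random nonce per call, so a recorded answer cannot be replayed.
        self._pending = secrets.token_bytes(16)
        return self._pending

    def bank_proved_identity(self, answer: str) -> bool:
        expected = response(self._secret, b"bank", self._pending)
        return hmac.compare_digest(expected, answer)

    def answer(self, bank_challenge: bytes) -> str:
        # Only ever invoked after the bank has proved itself; the reply is a
        # one-time value, not the secret and not any static identifier.
        return response(self._secret, b"customer", bank_challenge)


class Caller:
    """Whoever is on the other end of the line; may or may not know the secret."""

    def __init__(self, secret: bytes):
        self._secret = secret
        self._pending = b""

    def answer(self, customer_challenge: bytes) -> str:
        return response(self._secret, b"bank", customer_challenge)

    def challenge(self) -> bytes:
        self._pending = secrets.token_bytes(16)
        return self._pending

    def customer_proved_identity(self, answer: str) -> bool:
        expected = response(self._secret, b"customer", self._pending)
        return hmac.compare_digest(expected, answer)


def run_call(customer: Customer, caller: Caller) -> dict:
    """Run the two-step verification and report what happened."""
    result = {"bank_verified": False, "customer_verified": False,
              "customer_disclosed": False}
    # Step 1: the party that initiated the call proves itself first.
    c1 = customer.challenge()
    if not customer.bank_proved_identity(caller.answer(c1)):
        return result  # hang up: nothing about the customer has left the call
    result["bank_verified"] = True
    # Step 2: only now does the customer prove identity, and only with a
    # one-time response the caller cannot reuse on a later call.
    c2 = caller.challenge()
    result["customer_disclosed"] = True
    result["customer_verified"] = caller.customer_proved_identity(customer.answer(c2))
    return result


if __name__ == "__main__":
    me = Customer(CUSTOMER_SECRET)
    print("genuine bank:", run_call(me, Caller(CUSTOMER_SECRET)))
    print("impostor:    ", run_call(me, Caller(b"impostor-guess")))
```

The ordering is the whole point: the customer never answers a challenge until the bank has answered one, which is exactly the step the complaints department skipped, and "call us back on the number we just gave you" does not fix it because the number has to come from an independent source (the card or statement), not from the party being verified.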