Thursday, March 08, 2007

Bloody Banks.

We had a phone call yesterday at work purporting to be from HSBC again. We didn't recognise the person, so as per standard operating procedure the person who answered asked for a number to call back on. This we didn't recognise. So we went to the bank's website and pulled up the contact numbers. This department wasn't listed, great. Used the internal search, nada. Used Google, more nothing.

So I called up the closest relevant department.

"Hi we had a call purporting to be from your X department. They left a number and we just want to check it is actually yourselves."
"This is the Y department"
"Yes and it's the closest one I could find listed on your website"
"I'll see if I can find the number"
...
...
"I'm transferring you to the Z department"
...
"Hello?"
"Yeah hi I'm just trying to confirm that a number I've been given for your X department belongs to you"
"What's your sort-code?"
"How will that help?"
"So I can bring up your account details"
...much confirming later and they can't find anything wrong...
"Look all I wanted to do was confirm this number, get them to phone again"
"We don't phone you"
"Well someone did"
"Oh"

And that was pretty much it. Do note that at no time did anyone actually ask for the number I was given; no interest at all was shown in this possible phishing attempt. So once again, we're expected to prove who we are to the bank, yet they've nothing in place to prove that they're who they say they are, and apparently they don't want to.

I called our local branch; I know them, they know me. Perhaps I should have done this before, but then again how many people have a direct number to their local branch? The charming young woman I know couldn't confirm nor deny the number. However, she did offer some advice: "Get their full name and extension, and tell them you'll call back on one of the main numbers you know. If it's important they'll call back."

So it seems at a local level someone has at least some knowledge of what to do; perhaps it could be shared with the central office.

2 comments:

Anonymous said...

Wow. I've heard this story before but it's the first time it has actually been a phishing attempt rather than just the bank being stupid. Fortunately, on the one occasion my bank phoned me and wanted to know my secret details it was a woman from my branch whose voice I recognised because I'd been in to see her in person earlier in the week, and she only asked to confirm my identity after we'd transacted all the outstanding business. Ho hum.

Of course, when people phone you to ask your date of birth and mother's maiden name, you should just give them the 'phone number of the local Registry Office and let them deal with it.

There is a lot to be said for this idea of the staff in your local branch being able to recognise you. I remember when withdrawal slips had a little set of boxes to tick to indicate how the customer proved his identity, and "personally known to cashier" was the most-used one. That said, I remember when withdrawal slips.

FlipC said...

I'm still not sure if it was a phishing attempt or not; they haven't called back as far as I know. Tossing the coin for stupid bank/clever phisher leaves a pretty even split.

Heh yeah as a security question let's use something that's pretty much available to anyone. Last time the bank wanted a password out of me I gave them a 14+ string of letters and numbers; took them 4 attempts to enter it correctly. I was simply surprised that the box could manage that many.

If possible I always use a cashier for deposits and withdrawals; I recognise them, they recognise me. The only way a machine recognises me is that my 4-digit PIN matches the card I stick in it; and with the number of false fronts being reported that's hardly a secure way of doing business.