Thursday, January 25, 2007

Not phishing just normal company practice.

Apparently we had a phone call this morning purporting to be from our bank; the caller asked for a director by name who holds a personal account with the same bank. The phone call went something like this:

"Is this Mr [Name]?"
"Yes"
"Ah this is [Name] from [Bank]. Just to confirm I'm speaking with the right person can I take your date of birth?"
"No"
"Uh, I can't talk to you without confirming who you are"
"Well how do I know that you're who you say you are, can you confirm that? Where are you calling from?"
"Uh, Malawi"
So lectures on phishing and social engineering are worthwhile. The logs indicated the source of the call was an 0800 number, so it was unlikely to be bogus. Nonetheless I contacted the complaints division of the bank.
"One of our staff received a call supposedly from you, they asked for his date of birth and he quite rightly refused to give it. Can we check that the source was you?"
"Well on outbound calls we do ask for the date of birth so we can confirm who we're speaking to."
"But all your security pages tell us not to give out personal information like that."
"Yes it is a bit contradictory isn't it."
Delightful. Easily solved by the bank, of course: they simply state that they need to speak to X, and X calls an 0800 number they know belongs to the bank. Thus X knows that they're speaking to the bank and therefore has no qualms about using information to identify themselves.

All it requires is that all parts of the bank are in communication so either you don't have to speak to one specific person, or the person you are speaking to can easily look up and transfer you to that person... <must keep straight face> I'm sure they can use flying pigs to courier messages around.
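The call-back arrangement described above, written out as a small policy model. This is an added example, not code from the original post or from any bank: the bank number, the case reference and the two scripts are constructed placeholders, and the rule it encodes is the one the post proposes, namely that identity questions are only asked on a call the customer placed to a number they already know belongs to the bank.

```python
"""Call-back verification: the customer proves identity only on a call they
placed themselves, to a number they already know belongs to the bank.
Added illustration; the bank number and reference are constructed placeholders."""

from dataclasses import dataclass
from enum import Enum, auto


class Channel(Enum):
    BANK_INITIATED = auto()      # bank rang the customer; the customer cannot verify the caller
    CUSTOMER_INITIATED = auto()  # customer dialled a number of their own choosing


# Numbers the customer already knows belong to the bank (constructed placeholder;
# in practice the number printed on the card or statement).
KNOWN_BANK_NUMBERS = frozenset({"0800 000 0000"})


@dataclass(frozen=True)
class Call:
    channel: Channel
    dialled_number: str = ""  # only meaningful for CUSTOMER_INITIATED calls
    reference: str = ""       # case reference the bank quotes so the two calls can be linked


def caller_is_verified_bank(call: Call) -> bool:
    """True only when the customer placed the call to a number they know is the bank's.
    An outbound call from the bank never satisfies this, whatever the caller claims."""
    return (call.channel is Channel.CUSTOMER_INITIATED
            and call.dialled_number in KNOWN_BANK_NUMBERS)


def may_request_identity_proof(call: Call) -> bool:
    """Policy: date of birth and similar identifiers may be requested only once
    the customer can be sure who they are talking to."""
    return caller_is_verified_bank(call)


def bank_outbound_script(call: Call) -> list[str]:
    """What the bank says on a call it initiated: no identity questions, just a
    reference and an instruction to call back on the published number."""
    if call.channel is not Channel.BANK_INITIATED:
        raise ValueError("outbound script only applies to bank-initiated calls")
    if may_request_identity_proof(call):  # never true on this channel by construction
        return ["Bank: Can I take your date of birth?"]
    return [
        f"Bank: We need to speak to you about reference {call.reference}.",
        "Bank: Please call us back on the number printed on your card and quote that reference.",
    ]


def customer_callback(dialled_number: str, reference: str) -> list[str]:
    """The customer returns the call. Identity questions are answered only if the
    number dialled is one the customer already trusts."""
    call = Call(Channel.CUSTOMER_INITIATED, dialled_number=dialled_number, reference=reference)
    if not may_request_identity_proof(call):
        return [f"Customer: {dialled_number} is not a number I know to be the bank's; not proceeding."]
    return [
        f"Customer: I'm returning a call about reference {reference}.",
        "Bank: Can I take your date of birth to confirm who I'm speaking to?",
        "Customer: (answers; the customer chose the number, so knows this is the bank)",
    ]


if __name__ == "__main__":
    outbound = Call(Channel.BANK_INITIATED, reference="REF-0001")  # constructed reference
    for line in bank_outbound_script(outbound):
        print(line)
    for line in customer_callback("0800 000 0000", outbound.reference):
        print(line)
```

The point of the model is that the trust decision is keyed on who chose the number, not on anything the caller says; a caller quoting the right department name or the right reference still cannot move an outbound call into the verified state.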

3 comments:

Anonymous said...

The anecdote still goes around Cambridge that the late Roger Needham, famed GSM developer, founder of Microsoft Research Cambridge, and co-inventor of the Needham-Schroeder protocol, once received a similar call from his bank. On being told by the exasperated girl on the other end of the line that "Oh, but you have to tell me," his response is said to be a cold and haughty, "Madam, if you want to know my date of birth and mother's maiden name, you can look them up in Who's Who."

Incidentally, previewing this message before sending I note that Blogger has stripped my name of its rightful capitalization. I would be shocked were I not already inured to the pervasive incivility of software.

FlipC said...

How delightfully English of him.

As to capitalisation I've taken the plunge in switching to the new version of Blogger, so perhaps it is this that has caused a change. Interestingly the notification I received was capitalised, so mayhap it's a template setting that I haven't spotted.

I too notice the free use of my first name by total strangers calling on the telephone. I'm sure it's down to wanting to seem friendly, more familiar, but as we all know familiarity breeds contempt.

FlipC said...

Yup it's a style change. One that wasn't caused by me switching to pop-up comments, but by me switching versions. The identity of the commenter is set to lower-case. Looks like a global template too, so I doubt it can be changed. Nevertheless I've asked if it's possible and why it's been done.