2013
03.13

This afternoon I got a phone call from a blocked phone number.  I answered.  The person who called said he was calling from Bank of Ireland.  I got the usual “this call is being recorded for training purposes” speech.  And then the shocker:

“I need to ask you some security questions”.

Huh?

  1. This person called me.  I assume he got my number from a database.  OK, my phone could have been stolen.  But let’s remember that he called me, not the other way round.
  2. And he was going to ask me the security questions?

Who the hell was he?  This could be any geezer with caller ID disabled on his phone, reading off an official-sounding script.  Let’s imagine he asks me to confirm my date of birth, my credit card number, my mother’s maiden name, and so on.  What’s to stop that dude from then calling the bank and claiming to be me?

I refused to proceed.  To be honest, I knew it was BoI and I knew why he was calling.  But I wanted to highlight how stupid this “phishing” practice was.  The guy in question understood and told me how I could contact the bank to proceed.  He was quite professional about it, and not to blame for the process he was forced to follow by his employer/manager.

But the practice of calling from a blocked number and then asking the customer security questions is ridiculous.  I took to Twitter to let BoI know what I thought:

[image: my tweet to BoI]

This is the response that I got:

[image: BoI’s reply]

So let’s play the scenario out:

  1. The Prince of Abuja picks up his phone, blocks caller ID, and calls me.  He reads out the “call is being recorded” script and starts the security question process.
  2. I stop him because I don’t want my security question answers to be phished.
  3. The Prince of Abuja now says “Sure, my name is Prince of Abuja and you can call me on 01 4567890 and I’ll be happy to help you”.
  4. I call 01 4567890, a number I only have because the caller gave it to me.
  5. The Prince of Abuja now asks me the questions and I give him the answers.
  6. Now the Prince of Abuja has everything he needs to call Bank of Ireland and pretend to be me.  Calling back a number supplied by the caller proved nothing about who he was.

Bank of Ireland, this is the most ridiculous “security” practice.  It’s clear that you don’t have the first clue about data or identity security.  I am not a real security expert, but I know enough not to be sharing information in this manner.

Jeez!


3 comments so far

  1. Completely agree with this and with how daft the bank’s response was.

    There needs to be some sort of rigorous process in place for the customer to challenge the identity of the bank; perhaps they could give you a couple of characters from your security answer or something similar.

    Great blog, keep up the hard work!

  2. I had a similar situation with First Direct (part of HSBC) recently. I said to the caller I didn’t trust them so I would call them back. I was advised to call the number on the back of my debit card which is a lot more sensible.

  3. I like the “Prince of Abuja” one
