This afternoon I got a phone call from a -blocked- phone number. I answered. The person who called said he was calling me from Bank of Ireland. I got the usual “the call is being recorded for training purposes” speech. And then the shocker:
“I need to ask you some security questions”.
- This person called me. I assume he got my number from a database. OK, my phone could have been stolen. But let’s remember that he called me.
- He was going to ask me the security questions?
Who the hell was he? This could be any geezer with caller ID disabled on his phone and reading off an official sounding script. Let’s imagine he asks me to confirm my date-of-birth, my credit card number, and my mother’s maiden name, etc. What’s to stop that dude from calling the bank and claiming to be me?
I refused to proceed. To be honest, I knew it was BoI and I knew why he was calling. But I wanted to highlight how stupid this “phishing” practice was. The guy in question understood and told me how I could contact the bank to proceed. He was quite professional about it, and not to blame for the process he was forced to follow by his employer/manager.
But the practice of calling from a blocked number and then asking security questions is ridiculous. I took to Twitter to let BoI know what I thought:
This is the response that I got:
So let’s play the scenario out:
- The Prince of Abuja picks up his phone, blocks caller ID, and calls me. He reads out the “call is being recorded” script and starts out with the security question process.
- I stop him because I don’t want my security question answers to be phished.
- The Prince of Abuja now says “Sure, my name is Prince of Abuja and you can call me on 01 4567890 and I’ll be happy to help you”.
- I call 01 4567890.
- The Prince of Abuja now asks me the questions and I give him the answers.
- Now the Prince of Abuja has the necessary information to call Bank of Ireland and pretend to be me.
Bank of Ireland, this is the most ridiculous “security” practice. It’s clear that you don’t have the first clue about data or identity security. I am not a real security expert but I know enough not to be sharing information in this manner.
This blog post is the property of Aidan Finn (@joe_elway / http://www.aidanfinn.com) and may not be reused in any manner without prior consent of Aidan Finn. You may quote one paragraph from this blog post if you link to the original blog post.