Identify Yourself! Financial Institutions: Social Engineering At It’s Best???

Posted on 08. Sep, 2011 by Charly Leetham in Security

Social Engineering: is the art of manipulating people into performing actions or divulging confidential information, rather than by breaking in or using technical cracking techniques…. In most cases the attacker never comes face-to-face with the victim (Wikipedia).

A very basic scenario – someone calls you, say’s they are from a ‘trusted’ organisation (like your bank) and asks you for your personal details – date of birth, residential address… sometimes they leave a message and ask you to call back and then ask for the details.  The next thing you know, you have a big credit card bill or some other black mark against your name.

So, given the above scenario, why do financial institution employees get upset when you ask them to provide a little bit more information to identify themselves before you provide your information to them?

This happened to me today – I received a text message from my mortgage provider asking me to call.  The person who answered the phone didn’t identify the company they were with, and didn’t provide a name.  When I finally ascertained that they were the person I needed to speak with, I asked how I really knew they were with who they said they were – their response: “Why else would someone say they are with xxx company”?

Ummmm, I don’t know – why do I get email messages from my ‘bank’ telling me to change my password by clicking on this link?  Maybe they want to hack my account or compromise my credit card.  In the last 12 months, I’ve had to replace my credit card twice because it was compromised???

For my International readers, the privacy act in Australia basically says that a business can not provide personal information to anyone but the ‘account owner’ – there are some reasonable fines and penalties associated with breaching this act.  All good – I GET that… and I love that my dealings can’t be made public.

I APPRECIATE that these staff can’t do anything to change the process – they’re just doing they’re job, but getting annoyed and being rude to the poor client who is just trying to make sure they protect themselves as best they can isn’t helping anything.  I am amazed at the apparent naivety of the staff regarding our concern for our private information.

Wouldn’t it be refreshing if instead of us calling a phone number that may, or may not, be the correct number and giving away our private details to a faceless unknown, that they be required to ask a challenge question for us to answer?  That way – we would know that we have the right company (the question would be set by agreement between the parties), they would know they have the right party because of our answer.  No personal information required…

How many of you, get phone calls that you provide your information freely and willingly – do you feel a twinge of worry at all?  Do you say anything to the caller about the process?  Maybe if enough of us ‘say’ something, the process will change!  What do you think?

Tags: banks, financial institutions, privacy act, protecting your private information, social engineering

     Subscribe to It!