Security FAIL!

Posted on Wed 08 October 2008 in geek

I've just had an automated call purporting to be from my credit card provider to confirm some recent activity on my card. The concept is a laudable one, but not having any foreknowledge of the system I treated it like any other phone call. I certainly don't give personal or security information over the phone to people who call me without verifying their identity first.

I've noticed recently that some companies have learnt that not all their customers will automatically prove their identity when called. The fix is for the company to authenticate itself first, by answering questions only it should know the answers to; you then go through the normal process of them checking that you are who they think you are. Of course this two-way approach does run the risk of the organisation leaking information, but typically they limit it by answering a question like "what's the 2nd and 6th digit/letter of some account detail". I assume that if you then fail to identify yourself properly they flag the account, since a few bits of information may have leaked to whoever answered the phone.
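As an added example (not code from the original post or from any card provider), here is a small model of the two-way partial-secret exchange described above: the organisation reveals the characters the caller asks for, then challenges the caller on different positions, and counts how much of the account reference has been disclosed if the person on the phone turns out not to be the customer. The account number, the two-character challenge size, the cap on revealed characters and the failure limit are all assumptions made for the demo.

```python
import math
import secrets

# Constructed sample account reference for the demo; not a real account.
SAMPLE_ACCOUNT = "40527819"
DIGIT_ALPHABET = "0123456789"


class MutualPartialSecretSession:
    """One outbound-call session using an 'Nth character' scheme in both
    directions: the organisation first proves it holds the customer's account
    reference, then the customer proves the same back on other positions."""

    def __init__(self, secret, alphabet=DIGIT_ALPHABET, challenge_size=2,
                 max_failures=2, rng=None):
        self.secret = secret
        self.alphabet = alphabet
        self.k = challenge_size            # characters per challenge (assumption)
        self.max_failures = max_failures   # wrong answers before flagging (assumption)
        self.rng = rng or secrets.SystemRandom()
        self.revealed = set()              # 0-based positions the organisation has spoken aloud
        self.failures = 0
        self.customer_verified = False
        self.flagged = False

    def org_reveal(self, positions):
        """Organisation answers the caller's 'what is the Nth character?' question.
        Positions are 1-based as spoken on the phone. The total revealed per
        session is capped at challenge_size so a stranger learns at most that much."""
        idx = [p - 1 for p in positions]
        if any(i < 0 or i >= len(self.secret) for i in idx):
            raise ValueError("position out of range")
        if len(self.revealed | set(idx)) > self.k:
            raise ValueError("reveal budget for this session exhausted")
        self.revealed.update(idx)
        return {i + 1: self.secret[i] for i in idx}

    def org_challenge(self):
        """Pick the positions the customer must answer, never reusing a position
        the organisation has just disclosed (those are now public to the caller)."""
        candidates = [i for i in range(len(self.secret)) if i not in self.revealed]
        if len(candidates) < self.k:
            raise RuntimeError("secret too short for a fresh challenge")
        return [i + 1 for i in sorted(self.rng.sample(candidates, self.k))]

    def customer_answer(self, positions, answer):
        """Check the customer's characters for the challenged positions.
        Repeated failure flags the account, because the characters revealed
        earlier in the call may have gone to someone who is not the customer."""
        if self.flagged:
            return False
        expected = "".join(self.secret[p - 1] for p in positions)
        ok = secrets.compare_digest(expected, answer)   # constant-time comparison
        if ok:
            self.customer_verified = True
        else:
            self.failures += 1
            if self.failures >= self.max_failures:
                self.flagged = True
        return ok

    def bits_disclosed(self):
        """Entropy of the secret given away if the caller was an impostor:
        one alphabet symbol per revealed position."""
        return len(self.revealed) * math.log2(len(self.alphabet))


if __name__ == "__main__":
    s = MutualPartialSecretSession(SAMPLE_ACCOUNT)
    print("org reveals:", s.org_reveal([2, 6]))
    challenge = s.org_challenge()
    print("org asks for positions:", challenge)
    reply = "".join(SAMPLE_ACCOUNT[p - 1] for p in challenge)   # the genuine customer
    print("customer verified:", s.customer_answer(challenge, reply))
    print("bits disclosed this call: %.2f" % s.bits_disclosed())
```

The two details worth copying are the reveal budget and the fresh challenge positions: without the first, a caller can keep asking for "one more digit" until the whole reference is out, and without the second the organisation would be asking the customer to repeat back characters it has just read out.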