
Think Like A Spy…

Recently John Sileo spoke at the Department of Defense’s Joint Family Readiness Conference on the topic of identity protection and theft. As a two-time victim of identity theft, John is well placed to speak from the heart about the practical, factual, and emotional aspects of this problem, and though I was not able to attend, the write-up of his presentation is well worth a read.

John advocates a couple of thought processes which I’ll let you read the details of directly from the transcript, but to summarize he encourages us all to “Think Like A Spy” – to question the validity of the request for information at every stage, and with every person.

I’ll give you a classic example of this – last week my bank called me to discuss a transaction on one of my accounts. It was the usual conversation –

“Hello Mr Hunt, I’m calling from the fraud department of XY Bank, and I’d like to confirm a transaction...”

You know the drill; usually this is a good thing, banks taking care of us, looking out for fraud on our accounts, but here’s where my “Spydar” (a poor pun indeed...) got alerted. The next question from my caller was...

“Please can you confirm your account number and the last 4 digits of your SSN?”

Well, hang on one moment – My bank is calling me, and they want to check my identity? Shouldn’t it be the other way around for a start – shouldn’t I be asking for them to prove who they are?

I replied as much to the caller, and suggested that, to prove she was indeed from XY Bank, she give me details of a recent transaction on the account. I didn’t want to ask the agent to tell me my address, because anyone who’s got my phone number and name probably knows where I live as well...

“I’m sorry Mr Hunt, I can’t tell you that – it’s against our privacy policy.”

You can see where this is going – My bank can’t prove their identity to me, and I won’t give out personal information without knowing it’s really the bank.

To cut a long story short, I got the agent’s number, checked it against their web site (it was the number for their fraud department), and then called them back. Probably pretty weak authentication, but I thought the chance of someone in their fraud department committing fraud was pretty low.

I don’t know where it got missed out, but shouldn’t we have reciprocal authentication, both between us and our banks, and our banks and us? How many people even consider the fact during a busy day that the caller seemingly trying to help them might be nefarious?
