---
F R E N D Z  of martian
---

(precis: don't tell ppl stuff on the phone if you don't know who they are)

I feel like a prat. I sit here regularly pointing out security stuff, and
occasionally lecturing (this is another one of those but with a built-in caveat)

Today I had a call from First Direct (the bank), at least I suppose it was
them. "Mr Cosgrave, this is a customer service call" (not the first time I've
got a call from them so I wasn't surprised, more worried in case they were
hassling me. They were actually trying to sell me a loan).

They were trying to get me to transfer my credit card balance to a loan. (My
response -  "in my experience I find that that method of managing debt
invariably ends up with more debt as a result of having two open credit lines"
was incredibly effective and I invite (incite?) you to use it any time someone
tries to sell you a loan)

Before they got to that part, they found it necessary to ask me this: "For
security, we have to ask you these questions. What's your date of birth? What's
your mother's maiden name?". 

For fuck's sake, WHAT KIND OF SECURITY IS THAT???

That could've been Joe Blow, I just gave them 2 good pieces of info about
myself... it was (a) cos they were Scottish, and all my contact with First
Direct has been with Scots (I guess the callcentres are cheap in Scotland) and
(b) on the spur of the moment I presumed that I was still protected by the
password I chose when I joined them.

But that was a password that I chose for their systems. When I phone them I
have to give them 3 characters from my password. But they've never asked me to
give them a password for my system (ie phoning me up)


So when ppl (esp banks) ask you for stuff like that on the phone, ask them to
positively identify themselves - there's no way they can unless they've made a
prearranged agreement with you or they ask you for your password with them (but
how would that be secure? they phoned *you* and they could be anybody with a
Scots or whatever accent. so the onus is on them to identify)

Imagine how confused the callcentre lady would have been if I'd asked her for
letters 1,3 and 5 from her password... but that's the kind of verification we
need for this kind of thing to work.

From their point of view, they'd phoned me; the person answering claimed to be
me and could answer two questions about me (wouldn't be hard if they were
living in the same house as me, and I once lived with someone who subsequently
stole my credit card and tried to forge my signature. Luckily he was crap at
it) - so they were satisfied that I was me. But I had no indication to whom I
was talking - even the call came in as 'Withheld number'.

So to cut a short story a little less long than if I had gone a bit longer with
it, DON'T TELL THESE WANKERS A THING - if your bank manager phones up he's
either trying to sell you something (a loan) or foreclose on you - in either
case, force him to identify himself, because you *cannot* be sure it is him.

Hopefully you get my drift. /rant for now (I'm tired, this post was probably
full of shit but have it anyway. I'm only swearing so much cos Tony snailed me
a tape of Bill Hicks)

luvonya
martian


-- 
http://mp3.com/martian/


--
Sent to you via the frendz list at marsbard.com

The archive is at http://www.mail-archive.com/frendz@marsbard.com/
