Last week I opened a new account. I won't say who with, as one's like another, but it seems I automatically got enrolled for telephone banking, as a 6-digit code came through in the post today.
At first glance I thought, 'What harm can it do?' It's mainly about shifting funds between accounts. Then I noticed the system could also be used to request a debit/credit card PIN reminder to be sent by post, which an attacker could intercept. Again, I thought, yes, but I can already ask for a PIN reminder by phone, so what's to lose?
But then the penny dropped: if I ask for a PIN reminder by voice call, the call is recorded, and if it was done by a fraudster I can, if necessary, employ an expert witness to bear testament that the voice on the recording wasn't mine. But with telephone banking there is no such safeguard. I suspect they may be labouring under the illusion that calling line ID identifies the caller, but of course it does not; caller ID is trivially easy to spoof.
There are probably 1001 other vulnerabilities, but I figured that one out within about 10 minutes of opening the letter, so how come the bank didn't figure it out before launching the service?
I really do despair.