Kitz ADSL Broadband Information
Author Topic: Banks again  (Read 2798 times)

sevenlayermuddle

  • Helpful
  • Addicted Kitizen
  • *
  • Posts: 5369
Banks again
« on: April 11, 2014, 11:49:59 PM »

Last week I opened a new account. I won't say who with, as one's like another, but, it seems, I automatically got enrolled for telephone banking as a 6 digit code came through in the post today.

At first glance I thought, 'what harm can it do?', it's mainly about shifting funds between accounts. Then I noticed the system could also be used to request a debit/credit card PIN reminder to be sent by post, which an attacker could intercept. Again, I thought yes, but I can already ask for a PIN reminder by phone, so what's to lose?

But the penny dropped: if I ask for a PIN reminder by voice call then the call is recorded and, if done by a fraudster, if necessary I can employ an expert witness to bear testament that the voice on record wasn't mine. But with Telephone Banking there is no such safeguard. I suspect they may be labouring under the illusion that calling line ID identifies the caller, but of course it does not; caller ID is trivially easy to spoof.

There are probably 1001 other vulnerabilities, but I figured that one out in about 10 minutes of opening the letter, so how come the bank didn't figure it out before launching the service? >:(

I really do despair. :'(
« Last Edit: April 12, 2014, 12:09:04 AM by sevenlayermuddle »
Logged

Berrick

  • Reg Member
  • ***
  • Posts: 287
Re: Banks again
« Reply #1 on: April 12, 2014, 08:22:03 AM »

Quote: "with Telephone Banking there is no such safeguard"

Have you tried requesting by phone? There must be other safeguards in place, such as asking for the answer to your security questions?

Even so, having a totally secure process is difficult, especially with those crafty people who are very good at social engineering.
Logged
Growing old is mandatory; Growing up is optional

sevenlayermuddle

  • Helpful
  • Addicted Kitizen
  • *
  • Posts: 5369
Re: Banks again
« Reply #2 on: April 12, 2014, 09:10:52 AM »

Quote: "with Telephone Banking there is no such safeguard"

Quote: "Have you tried requesting by phone? There must be other safeguards in place, such as asking for the answer to your security questions?

Even so, having a totally secure process is difficult, especially with those crafty people who are very good at social engineering."

With Telephone Banking the only security is that you need to remember a six digit passcode. And in the T&C, if the bank thinks you have written it down or told it to anyone, the bank will have no liability for fraudulent use.

Prior to Telephone Banking there was a spoken conversation with call centre staff. That conversation included rather pointless security questions that any attacker could easily find out, such as DoB or postcode, but there was at least a recording of the conversation which could be used to prove it wasn't your voice. Also, the bank couldn't play the liability shift, as they can't penalise you for telling anybody else your DoB or postcode.
Logged

kitz

  • Administrator
  • Senior Kitizen
  • *
  • Posts: 33888
  • Trinity: Most guys do.
    • http://www.kitz.co.uk
Re: Banks again
« Reply #3 on: April 12, 2014, 10:07:41 AM »

lol... I'm not sure if I should mention this, but several years ago, banks used to issue PIN requests via a phone call to the branch. Yes, you'd get asked those questions you've already pointed out. Chq books would be posted without any questions.
But... There were no call centres back then, calls weren't logged and there was no caller ID. :-[
Logged
Please do not PM me with queries for broadband help as I may not be able to respond.
-----
How to get your router line stats :: ADSL Exchange Checker

sevenlayermuddle

  • Helpful
  • Addicted Kitizen
  • *
  • Posts: 5369
Re: Banks again
« Reply #4 on: April 12, 2014, 10:25:10 AM »

Quote: "lol... I'm not sure if I should mention this, but several years ago, banks used to issue PIN requests via a phone call to the branch. Yes, you'd get asked those questions you've already pointed out. Chq books would be posted without any questions.
But... There were no call centres back then, calls weren't logged and there was no caller ID. :-["

Yes, I remember. And just to make the process even easier, ISTR the branch's full phone number was printed on every cheque?

Clearly, people were just more honest and trustworthy in those days. ::)

Dare I suggest, bankers were more trustworthy too? :D
Logged

kitz

  • Administrator
  • Senior Kitizen
  • *
  • Posts: 33888
  • Trinity: Most guys do.
    • http://www.kitz.co.uk
Re: Banks again
« Reply #5 on: April 12, 2014, 10:44:57 AM »

heh, it wasn't that long ago... & it certainly was in the days when targets were put on staff to sell PPI.

I have one of those fobs for my banking which looks like a small calculator, but it's not needed for internal transfers under a certain amount, so I've only used it a few times so far, when setting up a new external transfer and for amounts in excess of the limit. Not sure if it's needed for a PIN request as I've not tried that.

I did check to see if the site was safe though, immediately the news of Heartbleed broke.

Ironically, only a few days before Heartbleed became public, I had a convo with another member of this forum about SSL and webservers and why my server didn't use it.
Logged
Please do not PM me with queries for broadband help as I may not be able to respond.
-----
How to get your router line stats :: ADSL Exchange Checker