Wednesday, November 01, 2006

Now for the compelling event

I applied for a new credit card the other day with a bank that shall remain unnamed. I won't go into why I did so given the numerous other credit cards I already have because that's not the point. As with any new application, the process involves verification checks on the details I provided as per the mandatory fields in the application form. Why some of the details are mandatory is beyond me...probably for marketing and sales purposes, but I digress.

Interestingly enough, I'd only just read the Burton Group's post about the Law of Relational Symmetry. Essentially, it notes that natural interpersonal relationships between people don't rely on IDs (as is the case with IT systems) but rather the relative symmetry of the connection between endpoints (or identities). The more symmetrically balanced a relationship is, the less chance there is of exploitation of one party by the other because each participant shares rights equally. In other words, if a friend begins to really annoy me or take advantage of me, it is no longer a symmetric relationship and I'm more than likely to terminate the relationship with that person. This is all within my control. IT systems however, are inherently asymmetrical. More often than not, IT relationships involve a corporation (e.g. a bank) on one end, and a user on the other.

How many times do we give up information about ourselves for the right to have an "identity" created at an institution without requiring that we get any information back? I'd dare say 99% of the time. Take a bank for example. We fill in mandatory details to apply for a bank account. We're not even guaranteed an account. We give up the information hoping we get one. We have to, otherwise we don't get the service we want be it a bank account or a credit card. We're so accustomed to this fact that we simply accept it as a fact of life and move on (in my humble opinion, this is also part of the reason why Phishing attacks work on certain people). The bank's attitude is "I don't care if you don't like it. This is how it is". And we just sit there and take it. This is partly the reason why there's so much focus on user Identity and privacy nowadays. We need to get away from being forced to engage in these asymmetric relationships where we have to give up all sorts of private information that in most cases are simply not required.

Bob Blakley's (ex-IBM and now of the Burton Group) blog is one which I read from time to time. His comments on the need for a Meta-Identity System (read the post here) are spot on. We do NOT need to give up specifics relating to pieces of information about ourselves. We should only have to give up meta-data (e.g. yes/no answers to specific questions). For example, does the bank really need to know someone makes $50,000 a year or do they really only need to know that they make "more than $35,000" a year? After all, that's the criteria for being allowed to have a certain type of credit card. That and the fact the person is "Over 18". Must they know someone is 30 years old? Not really. I'd be more comfortable knowing that all the bank knows about me is that I make more than $35,000 a year and that I'm over 18. They don't need to know I'm X years old and that I make Y dollars a year! I don't care that if they know how much I make and how old I am, it helps their bottom line by using targeted marketing campaigns on me. It does not benefit me one iota!

So that was the first issue. Now, the real compelling event that pushed me onto the "Blogosphere" occurred when the bank called me as part of their verification process.

Here's how it went:

Bank: Hello Mr. Yip this is (Bank X) calling you regarding your credit card application. For verification purposes, can I just confirm a few details with you?
Me: Uhhhh...ok.
Bank: What's your full name?
Me: Ian Yip
Bank: What's your date of birth?
Me: (I gave it to them)
Bank: What's your mother's maiden name?
Me: (I gave it to them)
Bank: What's your full address including postcode?
Me: (I gave it to them)


OK, even those among you that aren't in the security business can see that this conversation has all the hallmarks of something very suspicious. I don't know why I didn't notice it at the time...maybe for the same reasons why people on the street will give up their passwords for a small "reward" (I'm not kidding - this was a proper study done by some scientists...or some journalists...can't remember). We're simply too trusting and have been conditioned to just give our private information up! In my own defence, they DID know my mobile phone number (they called me), they knew my name and they knew I applied for a credit card so perhaps that's why I let my guard down. If you think about it though, this could easily have been a standard line used against a whole list of people and they may get a few who actually fit the criteria of having applied for a credit card. It's essentially phishing by phone.

They then proceeded to ask me to authorise my employer to validate my information for them. You know, things like proof of employment and the fact that my salary in the application form was indeed correct. I agreed...at the time. This then brings me to the question of how my employer is supposed to actually validate that it is REALLY the bank calling them for my information? I have no idea, but I'm thinking there isn't a nice answer here so I'm probably better off not knowing...which brings me to my next reaction.

After kicking myself (metaphorically speaking) for the rest of the day after the call, I eventually decided I was going to do whatever it took to NOT have to authorise my employer to give up that information. I was also still unsure if I had just been "Phone Phished". So, I called them today to validate they did indeed call to ask me those questions and to authorise the release of information from my employer. Luckily for me, it was them (phew). So I had just established that I dodged a bullet. I then proceeded to ask them if there was any other way for them to validate my information. I may be a little paranoid, but apart from the reason I mentioned above (how does my employer validate that the bank is indeed the bank), I also didn't want to authorise my employer to release any of my information to ANYONE in case they screw up in future and take my authorisation as meaning they can freely give it up to anyone claiming to be a bank. I tried getting the bank to allow me to fax them a payslip. They apparently also wanted proof of employment via my letter of employment (which has outdated pay information anyway, so they would probably have called me to ask what the deal was) and they also wanted proof of address. So I would have had to fax them a copy of my driver's licence. Fun...NOT. They wanted more information that one could argue they didn't need. I then piped up (because I was getting rather frustrated at their lack of customer management procedures and processes) by saying...

Me: "I know this is all standard process for a new credit card, but may I ask why I need to provide all this information again when I already have an account (I actually have an existing credit card) with the bank and you have no doubt already validated I am who I am when you issued me that card?"
Bank: Oh you have an account sir? Would you like us to cross reference against that"?
Me: Yes. If that is possible and would save me all this hassle. Would you like my existing account number?
Bank: Oh no sir, that's ok. I can find it on the system and you have also quoted it here in your application.
Me: Yes I did.
Me (in my head, not out loud): and why the F*$& did you not notice that in the first place rather than putting me through all this?
Bank: Thank you sir. Will there be anything else today?
Me: No.


Now, if I've learned something from this, it's that banks should REALLY change how they verify things with customers on the phone...AND that we should behave differently to force them to change their procedures. They are all so busy locking down their Internet facing systems (as they should) that they've neglected trying to secure the traditional means of communication. As people commonly say, they try to deadbolt the back door with all sorts of locks, but forget the front door is wide open.

Here's how my first conversation should have gone:

Bank: Hello Mr. Yip this is (Bank X) calling you regarding your credit card application which you submitted on (exact date). For verification purposes, can I just confirm a few details with you?
Me: Ok.
Bank: What's your full name?
Me: Ian Yip
Bank: I will now tell you what year you were born in. (Tells me the year I was born in). Now please tell me your date of birth?
Me: (I give it to them)
Bank: I will now tell you the last letter of your mother's maiden name. (Tells me the last letter of my mother's maiden name). What's your mother's maiden name?
Me: (I give it to them)
Bank: I will now tell you the street you live in. (Tells me the street I live in). What's your full address including postcode?
Me: (I give it to them)


Now, while this is not perfect, it is definitely more secure than the current standard practice we all accept when speaking with the bank over the phone whenever the call is not initiated by us. Sure, the bank is not giving me any details about them but that's not the point. They are authenticating themselves to me by giving me exact details about myself. i.e. My surname, exact date of application (this is KEY - there is no way to know this unless you are the bank, you were looking over my shoulder when I submitted the application, I told you when I did it or you have a keystroke logger or network sniffer on the machine that I used), year I was born, last letter of mother's maiden name and the street I live in. And I'm authenticating myself by filling in the blanks. This is mutual authentication (albeit rather low-tech). The way they do it now is simply by performing client authentication. There is no authentication by the bank to the person involved, which is just plain wrong and lends itself to the proliferation of "Phone Phishing". In other words, the bank is not protecting users from identity theft over the phone.

From now on, we should ALL force our hand by taking the necessary steps on our end to ensure that we are actually speaking to who we think we are speaking to, especially when we are not the initiator of the phone call. Hopefully the banks wake up soon and change this procedure. I applaud any banks who have already realised this problem and are taking the necessary steps to rectify the HUGE potential problem. If we think "Phishing" attacks online are a big issue, I'd dare say this poses a far greater risk due to the fact that Internet banking users are only a subset of all banking customers. All customers (especially non-Internet banking users) still communicate with their banks over the phone at some stage do they not?!

I'm not the first person to write about this issue. Many have talked about this so I'm not exactly saying anything groundbreaking. I just felt the need to make myself heard and hopefully feel a little less silly.

Disclaimer: I know I'm picking on a single bank here, but I have dealt with other banks for other issues and they are not much better when on the phone so this has the potential to be a VERY big problem.

No comments: