Sunday, 17 June 2012

Banking Vigilance Fail: Unblocking A Card With Only A Surname

Photography by Andres Rueda, CC-BY

Every year I go travelling, and every year my bank suspends my credit card due to "suspicious behaviour". Luckily, it's easy to get the stops removed... too easy, in fact.

Today, when calling the bank to confirm that I had purchased a US phone service, I was asked only a single piece of identifying information, and that was my surname.  The bank's representative revealed—without my prompting—the last four digits of my credit card, and the full details of the transaction that was considered suspicious.

The thing is, if you're the one making fraudulent transactions on a card, then you probably already know the cardholder's surname, and you definitely know some recent suspicious transactions.
Better still, I assured my bank that I was travelling for the next few months, and even that the other cardholder was travelling as well.  Still no verification except for my name.

To the bank's credit, this is the first time I've encountered them being so lax with security. Every other time has involved me needing to provide a variety of information to verify my identity.  If I were to guess a reason why things were different this time, it would be because I was calling at 7am on a Monday, and the vocal characteristics of the person I was speaking to suggested that he would really rather be in bed.

If you are a fraudster, then calling the cardholder's bank and trying to have the stops removed sounds like a low-risk, high-gain proposition, especially if you do it at crazy o'clock on a Monday morning.

In other news, I was reminded last week as to how easy it is to gain access to hotel rooms with swipe cards. After my card stopped working at a conference I was attending, all I needed to get a new card was my room number, and surname.  For some of my friends that I spoke to, they didn't even need to provide a surname.

Admittedly, one does need to hand over a hotel swipe card to give legitimacy to the "my card has stopped working" trick. If I didn't have horrible jetlag, I probably would have tried the "I've locked my card in my room" line to see what response would have been given. I think there's an excellent chance I would have been issued with a new card.

I have little doubt that a lot of this lax security is due to "operational complacency". The vast majority of people who call reporting that their card has been suspended, or that their hotel key has stopped working, are legitimate: consequently, we're trained into feeling that everything is working fine. It's the same reason why we stop testing our backups, or checking that the GPS antenna on a cruise ship is actually connected¹.

Of course, the cure for operational complacency is well-known.  You perform vigilance tests. In the same way a retailer can use mystery shoppers to test if staff are asking customers if they'd like to supersize that meal, organisations can employ mystery fraudsters to make sure appropriate security procedures are being followed.

Even recording calls "for training and quality assurance purposes" gives one the ability to randomly audit interactions to ensure procedures are being followed.

Discovering my bank's fraud department doesn't record their calls? Priceless.

¹ “Grounding of the Panamanian Passenger Ship Royal Majesty on Rose and Crown Shoal Near Nantucket, Massachusetts, June 10, 1995”. Marine Accident Report, National Transportation Safety Board. See pages 34–35 in particular.
