Comments on: Teaching people to get phished, old skool style!

By: Jonathan

Jonathan — Sat, 15 Nov 2008 10:06:33 +0000

@bart – not my bank. My secure login page requires a unique key (not “password” fielded so everyone could read it off my screen), and then my date of birth, and THEN 3 characters from my X-digit secure password. The idea is that even if someone has a keylogger installed on the machine, they still can’t snag my full password.

The point is that phones are just a bad way to do this. There’s no convenient way to do security checks over the phone, so why do banks insist on using them for people like us, for whom plenty of secure channels already exist?

A great example is Egg – I’ve never received a call from them, because all comms go through their website’s secure messaging system. I get email, but all it says is “go log in”. Yes, that’s open to phishing, but it’s better than some random scammer phoning me up and asking me straight out for my details.

By: Zarate

Zarate — Sat, 15 Nov 2008 08:53:48 +0000

Another one here from Barclays UK. Once I asked them how could I be sure they were calling from Barclays. The guy on the phone gave up after 5 minutes because I was refusing to “identify” myself.

On another call I asked them again if _they_ could identify and the girl asked me: “What you want to know from you? I’ve your date of birth, date when you opened your account, visa number or I can give you any piece of your data so you can verify this is an honest call”.

By: bart

bart — Sat, 15 Nov 2008 07:46:57 +0000

@ jonathan:

The banks website would require all 8 digits to log in. That’s a secure connection, which you can check by the https protocol and the genuine url of the bank. On the phone, you don’t have those checks, so you don’t give out your full PIN code. Or put it like this: if my colleague at work would overhear me saying those 8 digits on the phone, then he could fish up my account number via my last invoice, and log into my bank account online. So basically: online you always need the full 8 digits, on the phone you can never give out the full PIN. Still seems solid to me.

By: Aral

Aral — Fri, 14 Nov 2008 19:10:28 +0000

@Tom: which at signs? :)

By: Tom Morris

Tom Morris — Fri, 14 Nov 2008 18:18:35 +0000

Robert: not so. There are plenty of ways to communicate securely. Public-key encrypted e-mail, or instant message.

If my bank wants to communicate with me, well, I’ve got an e-mail address and a GPG public key. That they can’t use that is their problem, not mine.

The security thing that irritates me is that phones are inherently insecure because they require you to be in a secure area. Most people aren’t when they use their phones – they are in public areas. I’ve had to explain to people over the phone that there’s no way I’m giving them my details over the phone because I’m on a bus or standing on a railway platform. I was on the train yesterday and a man across the aisle from me gave his full address, postcode and phone number over the phone. I’m betting people would absent mindedly do the same thing with credit card numbers.

To paraphrase Linus Torvalds: if your security doesn’t include a web of trust, it’s not security, it’s masturbation. This applies very much to pre-shared keys – if you give someone access to something that you can’t revoke without changing the key for everybody, I would consider that a failed security model.

(Also, what’s with all the damn at signs in comments? This is not Twitter.)

By: Mario Klingemann

Mario Klingemann — Fri, 14 Nov 2008 17:37:58 +0000

You could also do this 3 random digits game the other way around to make to the person on the other side is who he claims to be – they should give you the 3rd, 5th and 8th number in the pin you got mailed. How about reading each other each consecutive digit “you say one, I say two, you say three, I say four…”

By: Robert

Robert — Fri, 14 Nov 2008 17:33:17 +0000

I definitely understand the need for security, but this comment thread has entered a realm where nobody can communicate except by being face to face. Unfortunately, having top security and convenience are mutually exclusive. For every security measure put in place, it’s easy to think of two or three what-ifs. It’s all a balancing act, and if you don’t like the way your bank or credit card provider is handling it, make suggestions or switch.

By: Jonathan

Jonathan — Fri, 14 Nov 2008 16:13:07 +0000

@Joey I like that, but the impression I get is that the call centres have effectively EXACTLY the same interface as the online one: they get asked for 3 characters, and only get through if they’re right. That’s certainly how I’d want it to work. So All bart would have done there is verify that they know when the characters are wrong. Again, I can do that.

By: Joey

Joey — Fri, 14 Nov 2008 16:00:00 +0000

@jonathan I guess bart would have to lie about one of the digits to make sure the person on the other side of the phone really has his code.

By: Jonathan

Jonathan — Fri, 14 Nov 2008 15:54:31 +0000

@bart see above. Who’s to say I’m not sitting at a computer ringing you and asking you for *exactly* the same information that your bank’s login page (or phone banking!) is asking me for?