
When bank ID management goes wrong

Banks are required to collect information to identify their customers. But do they go far enough when conducting remote transactions?

Businesses today rely heavily on their ability to provide remote services to their customers. Remote service keeps them competitive, but it also creates a hard identity management problem. The question banks and other financial institutions have to answer, for example, is this: how can they tell that the person on the phone is the actual customer?

There are ways to reach effective identity verification. I’ll get into those later. First, I’d like to share an example of what can happen when the process is either weak or breaks down.

The event

My wife (MW) and I share a home office. A few days ago, I overheard a call she made to the bank where we hold our business account. The following is a close approximation of the “interesting” conversation I overheard. (My wife always uses a speaker phone.)

Bank: Good morning, how may I help you?
MW: I need to make a change to my business account.
Bank: Okay, I can help with that. What is the name and address on the account?
MW: [provided name and address]
Bank: What is the business tax ID?
MW: [tax ID given]
Bank: OK, how can I help you?

[After this weak effort to identify my wife, I am very interested in this call.]

(My wife told the bank representative what she needed, and the changes were made. Then it gets even more interesting.)

Bank: Is there anything else I can help you with?
MW: Yes. I don’t remember the PIN on the business debit card. I need to change it.
Bank: No problem. What would you like the PIN to be?
MW: [New PIN given and applied to the account.]

I won’t bore you with the rest of the conversation.  However, I can say without hesitation that I was not happy with this transaction.

Interested in the methods other financial institutions use, I did a quick search on the Web. Among other approaches, I found the process shown in Figure 1 on another bank’s Web site. All an attacker needs is a person’s social security number and, probably, an account number with its associated address to gain initial access. And how many times does one have to access an account to transfer or withdraw funds? Once is enough.

Figure 1

Event analysis

I understand the need to ask questions customers can easily answer. However, the questions shouldn’t request information that is easily obtained online or through traditional identity theft methods. That includes my mother’s maiden name…

We all know about the threats associated with online identity theft. Some users behave safely when on the Web, but most don’t. Further, traditional methods of identity theft (e.g., dumpster diving or mailbox theft) present other opportunities to criminals.

A study from 2007 revealed that the mailbox is the most risky point, outside technology, for gaining access to a person’s identity, which is precisely why any plan for identity theft prevention must take into account your own mailbox. The US study, which assessed during 2000–2006 those closed Secret Service cases that had shown there to be elements of identity theft or fraud, revealed that mail ‘redirection’ and actual mail ‘theft’ were at the top of the list, disregarding technological means of identity theft (IdentityProtectionReports.com).

According to the Better Business Bureau:

In the wrong hands, your incoming mail can be a treasure trove of information about you. A bill from your credit card company, a statement from your checking account, an unsolicited offer of a new, pre-approved credit card (complete with application). And your outgoing mail may include personal checks you are sending to pay bills (containing your routing and checking account numbers). If you don't have a locked mailbox for incoming and outgoing mail, you are vulnerable (BBBonline.org).

In addition to the mailbox, people who don’t shred bills and other information-rich documents before throwing them in the trash and wheeling them out to the curb are providing opportunities for identity thieves.

Going back to the conversation between my wife and the bank, it’s obvious to me that the answers to the bank’s questions are easy to obtain, and so the check itself is easy to defeat. After a cursory examination of my wife, the bank representative was ready to perform every action she requested, including setting a new debit-card PIN.

Possible solutions

The US government requires financial institutions to verify a prospective customer’s identity (the Customer Identification Program rule at 31 CFR 1020.220, implementing Section 326 of the USA PATRIOT Act). This is to protect customers from criminals who seek to open accounts and conduct transactions as someone else. At a minimum, a Customer Identification Program (CIP) must collect:

  • Name
  • Date of birth (for an individual)
  • Address
  • Identification number (social security number, tax ID number, passport number, etc.)

As the call I overheard shows, our bank collects this information and then reuses it as its only test of identity once the account exists (for a business account, that is just name, address, and tax ID). In my opinion, this isn’t enough. So why doesn’t the bank do more? Is it our fault it doesn’t collect more information?

First, the banks could ask for more information with which to identify us. They have to collect some anyway; why not expand the list? I think the answer lies with us.

Bank customers are so filled with FUD (Fear, Uncertainty, and Doubt) because of all the hype about identity theft, they strongly resist providing personal information. Banks, on the other hand, are slammed by the press, bloggers, their customers, and regulatory agencies whenever the inevitable breach occurs. So why would a bank collect more than is absolutely necessary to achieve regulatory compliance?

How can we resolve these challenges?  First, people need to get over their belief that banks, the government, and anyone else who collects their personal data will never lose it. They should provide whatever is necessary to uniquely identify them when banks request it. Meanwhile, each of us must take responsibility for protecting ourselves from unauthorized use of our identities.

Second, banks should assess better identity verification solutions. For example, they should give customers the option of receiving a one-time PIN or password via SMS. The one-time code would work only for the current conversation or session, and only once. If this isn’t an option, the institution might take the secret-question route, using information not readily available on the Web or in the mailbox.
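As an added example (not code from the original post or from any bank), here is how the one-time code described above can be enforced in software: a code bound to the call in progress, expiring quickly, surviving only a few wrong guesses, consumed on first success, and required before the kind of PIN change that the call above allowed with no such check. The service, session and limit names are assumptions for the illustration; delivery of the code (the SMS gateway) is left out.

```python
"""One-time, session-bound step-up codes for phone banking (added example,
not the post's or any bank's code). The code is valid only for the current
call, only once, and only briefly; changing a debit-card PIN is refused until
it has been verified. All names and limits are hypothetical."""
import hmac
import secrets
import time
from dataclasses import dataclass

CODE_DIGITS = 6
CODE_TTL_SECONDS = 120   # assumption: a code expires two minutes after issue
MAX_ATTEMPTS = 3         # assumption: three wrong guesses invalidate the code


@dataclass
class PendingCode:
    code: str
    issued_at: float
    attempts: int = 0


@dataclass
class CallSession:
    session_id: str
    customer_id: str
    stepped_up: bool = False   # set only by a successful verify()


class StepUpService:
    """Issues and verifies per-call one-time codes; the clock is injectable."""

    def __init__(self, now=time.time):
        self._now = now
        self._pending = {}   # session_id -> PendingCode

    def issue(self, session: CallSession) -> str:
        """Create a fresh code for this call, replacing any earlier one.
        It is returned only for hand-off to the delivery channel (SMS gateway,
        app push); the agent on the line never sees it."""
        code = f"{secrets.randbelow(10 ** CODE_DIGITS):0{CODE_DIGITS}d}"
        self._pending[session.session_id] = PendingCode(code, self._now())
        return code

    def verify(self, session: CallSession, presented: str) -> bool:
        """True only if a code was issued to this session, is unexpired, has
        attempts left, and matches; success consumes it (single use)."""
        pending = self._pending.get(session.session_id)
        if pending is None:
            return False                           # no code, or already used
        if self._now() - pending.issued_at > CODE_TTL_SECONDS:
            del self._pending[session.session_id]
            return False                           # expired
        pending.attempts += 1
        if pending.attempts > MAX_ATTEMPTS:
            del self._pending[session.session_id]
            return False                           # too many guesses
        # Constant-time comparison so response timing does not leak digits.
        if not hmac.compare_digest(pending.code.encode(), presented.encode()):
            return False
        del self._pending[session.session_id]
        session.stepped_up = True
        return True


def change_debit_pin(session: CallSession, new_pin: str) -> bool:
    """Sensitive operation: refuse unless this call has passed step-up."""
    if not session.stepped_up or len(new_pin) != 4 or not new_pin.isdigit():
        return False
    # A real system would write the new PIN to the card platform here.
    return True


def wrong_guess(code: str) -> str:
    """A constructed code that differs from the real one in its first digit."""
    return str((int(code[0]) + 1) % 10) + code[1:]


def demo() -> dict:
    """Run the cases that matter and return each outcome by name."""
    clock = [1_000_000.0]                          # constructed, controllable clock
    svc = StepUpService(now=lambda: clock[0])
    call = CallSession("call-1", "cust-42")
    results = {"pin_without_stepup": change_debit_pin(call, "1234")}

    code = svc.issue(call)
    results["code_in_other_call"] = svc.verify(CallSession("call-2", "cust-42"), code)
    results["wrong_code"] = svc.verify(call, wrong_guess(code))
    results["right_code"] = svc.verify(call, code)
    results["replay"] = svc.verify(call, code)
    results["pin_after_stepup"] = change_debit_pin(call, "1234")

    stale = CallSession("call-3", "cust-42")
    stale_code = svc.issue(stale)
    clock[0] += CODE_TTL_SECONDS + 1
    results["expired"] = svc.verify(stale, stale_code)

    locked = CallSession("call-4", "cust-42")
    locked_code = svc.issue(locked)
    for _ in range(MAX_ATTEMPTS):
        svc.verify(locked, wrong_guess(locked_code))
    results["locked_out"] = svc.verify(locked, locked_code)
    return results
```

Calling demo() walks through the cases a reviewer would check: the PIN change is refused before step-up, a code issued to one call is useless in another, a replay of a consumed code fails, and both an expired code and a code that has absorbed three wrong guesses are dead. One caveat the code cannot fix: it is only as strong as the channel that delivers it. A phone number can be ported or reassigned to someone else, so a dedicated token generator, as several commenters below describe, is the stronger option where customers will carry one.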

The final word

Identity verification for phone and other remote transactions needs work. But nothing will change until customers understand what behavioral changes they have to make. And banks must get more creative about how they interact with customers who are not standing at a teller window.

In addition, everyone should understand the steps they have to take to protect paper-based information passing through their homes. They must also educate themselves so they can recognize and react to weak identity management processes practiced by their financial institutions.

What security measures would you put in place for banks that would also be practical for customer service considerations? What is the proper balance?

About

Tom is a security researcher for the InfoSec Institute and an IT professional with over 30 years of experience. He has written three books, Just Enough Security, Microsoft Virtualization, and Enterprise Security: A Practitioner's Guide (to be publish...

23 comments
ejowitch

Telefonica O2 Czech Republic hosts an application on their SIM which appends an OTP to the end of the called number, and only if this OTP is verified is the call routed to the correct customer care operator.

ejowitch

Plus this application is protected by an application-specific PIN code - two-factor authentication.

MailBoss

That's interesting your wife's bank did so little to verify her identity, and just goes to show you HOW criminals can use information they find in your mailbox to steal your identity. They might not be lucky every time, but they can sometimes gather enough of your info to really make your life miserable! The USPS states that only 2% of ID theft is caused by mail theft, but they grossly underestimate this (and obviously they are biased since they have a vested interest in people continuing to use the mail). The fact is that MOST people DO NOT KNOW how their information was stolen, but of those who DO know (only 35%) the majority was taken the old fashioned way - stolen wallets/purses, mail and trash (this is according to Javelin Strategy Research). That means to protect yourself against identity theft, there are several simple steps to take. Guard your physical personal documents, first and foremost, and that includes SECURE YOUR INCOMING MAIL with a high security locking mailbox. When looking for a locking mailbox be sure it can't be fished by hand or pried open easily with a screwdriver. The Mail Boss (as well as the Fort Knox and Armadillo) are good options. Also, do not send checks from unsecured mailboxes - take them to the post office, or better yet, use online bill pay. Finally, shred all of your mail before discarding it. Interestingly most people use a paper shredder but do not think about what they are shredding... what comes in their unsecured mailbox. And it is my opinion that a criminal would rather take your info from a (clean) mailbox than the dump. Just saying...

adnan1981

I am handling IT and support in our call center (bank); the following checks are involved:
1- The call must originate from a registered Caller ID, which can be registered via online banking.
2- The customer has to enter a TPIN, which is assigned at the branch.
3- A token password generator is used, and/or a registered mobile number is used to send an SMS for authentication if the call originates from an unregistered Caller ID, after valid TPIN input.
4- Any transaction financial in nature employs the use of SMS or the token password generator.
A similar interface is used for online banking... only instead of Caller ID a registered PC concept is used.

john barker

I have a friend who is a bank president; he has to change his password every 30 days. I know I lost a debit card and they killed it when I told them. Right then I had to change my checking account too; someone had a check book on me, but he was caught and it didn't cost me a dime, even though he wrote some on me. They have a hard job keeping up with a lot of people. It all goes through the main bank in Birmingham, Ala. I don't know how they do it and keep it right; they have to balance to the penny every day, so I don't know what more they could do. John Barker

Datacommguy

Both my bank and my broker have web sites which allow me to do many of the things I want to do online, and do a fairly good job of protecting online access to my accounts with passwords, cute little pictures when I log in to ensure I got to the right web site, and extra questions such as "Who was your best childhood friend" if you're not on your home PC. But once you get people involved, some of those 'safeguards' can be bypassed by established procedures. Case in point: I called my broker last week to set up a new bank account link to my brokerage account - something that can't be done online. I can edit existing links online - including the bank account number if I change accounts at the existing bank, but need to talk person-to-person to create a link to a new bank. They 'verified' who I was by asking for my name, address, and account number - things that could easily have been learned from one lost or stolen piece of mail. And then after setting up the new link, asked if I'd like to do a transfer from my existing brokerage account to the newly created bank account. I declined at that point knowing I could take it from there once the link had been set up, but we did discuss why what just happened was not at all secure. She understood and agreed, but that was the way she was told to verify, and she was just trying to be helpful. I strongly doubt that anything in their procedures changed after our conversation.

LedLincoln

Even large financial institutions sometimes have really stupid identity verification questions on their websites, such as "What was your mother's maiden name?" and "What was the name of your first school?"; easy-to-obtain info. They should know better.

Ocie3

then tell me the name of my first school! :-)

LedLincoln

...who went to the same school, but I don't necessarily think they should be able to retrieve my bank password.

JamesRL

Asks a series of questions, and varies the questions asked. So you'd have to learn ten things about me. James

rdevereux

Personally I think the banks and us are in a no-win situation. I personally, and as an IT professional, get very annoyed when banks in the UK are pushing cumbersome and CPU-intensive 'security' software because they consider people are not trustworthy to do their own banking, and request card reader identification for every transaction where I want to move money, so long as it isn't a direct debit or standing order or something I do regularly - all of which could be as fraudulent as my checked transactions. On top of this, I had to face the ignominy of having my cards stopped last summer on a visit to Italy - not because they were being misused, stolen or I had gone over any limit, but because the bank thought it was unusual for transactions to come from there and stopped my cards without bothering to consider that I might possibly be on holiday and therefore using the pre-supplied email address or mobile number to check when they couldn't get an answer on my home number. In my opinion, banking has started getting too nanny state.

govemp10

More than once, I have had the bank call me within 2 hours, for confirmation, after I made a larger than usual charge on my credit card.

JamesRL

We have to have a telephone banking PIN, and to get that we have to answer a barrage of questions very few people would know, shared secrets, recent transaction history etc. To reset the PIN on my bank card I have to go to my bank. I've had the security people freeze my card twice because they suspected a problem, and both times I had to make a visit, where I had to present ID with the card. Similarly with my VISA card twice I've had the card refused, because they determined it didn't fit my pattern. While I've experienced some major inconveniences, I do appreciate that they are making an effort, and since my wife had her identity stolen, I can't complain too much. James

wesley.johnson

Scared yet???? Go to the courthouse and check the info on your voter registration form. Then go check your mortgage while you are there. Next stop..... is your garbage shredded? Too much info is published and available to the public. You're scared now.

Vulpinemac

... I can tell you that at least some banks use much more detailed information to protect your account. When you first make your call, the Voice Response Unit (VRU) asks you to key in account number and other information before you ever talk to an associate. This information is then displayed on the associate's screen along with other information they may use to further identify you. I might also note that they also have the phone number you are calling from, if you are using a hard-wired land line; this information also helps to identify the caller when you are calling from home. So things aren't as lackadaisical as you may believe. However, the fact that your bank let your wife change her PIN over the phone like that is worrisome; not all banks allow you to do it in that manner, some letting you key it through your telephone handset while others issue a random PIN and snail-mail it to your home. Even others may request that you visit your local branch to make the change. All of these are more secure than what you describe. So how can a customer ensure their account transaction is at least reasonably secure?
* Start by using a hard-wired phone whose number is on file at the bank as your home number.
* Where possible, use the handset keypad for any numerical entries rather than voice; this ensures that nobody can conveniently 'overhear' the numbers. (Of course, if the person on the other end verifies by voice and you're using a speaker phone...)
* As your analysis above states, have all pertinent information available at the time of the call. Even if it isn't used, if you don't happen to have an ID number available that they have on file, you not only slow the call down, you end up frustrating yourself.
I can't speak for all banks in the US, but for the two I personally do business with, I can be fairly well assured that my identity information is safe.

TrueDinosaur

I have seen that when I get a replacement credit card and call from my home land line to activate it the process is automated. If I call from work or my cell I get transferred to a human.

Ocie3

Quote: *"They (customers) should provide whatever is necessary to uniquely identify them when banks request it."* (italicization added) If memory serves, as many as 26 data items are necessary to "uniquely identify" one human being from all the rest. Because the population has substantially increased since that number was determined, it would probably require many more items of data than just 26 to uniquely identify each and every one of us today. Certainly, I agree that my bank does not collect and use enough identifying data to secure access to my bank account, and nor do any of my creditors do enough to protect my access to credit. There is very little that I can do except let them know that I'm aware that they could and should use more and/or different data, most of which they probably have not collected and would not collect if only because I am not wealthy enough to be important to them. Acquiring and maintaining data does have a cost. It does not matter much how low that cost might be per customer, or citizen; if it is seen as unnecessary, then businesses, governments and other organizations will not accept increasing their total cost burden to increase security. As to "taking responsibility for protecting ourselves", the tools are rather limited, and some are costly enough to eventually add up to more than we might stand to lose if our identity is stolen. It all depends what you have to protect -- what is it worth in $$$$?? As a certain person once said, "If someone is stupid enough to steal *my* identity, then they can have it." The person who said that had reason to need a totally new identity and the brighter future that it would bring. I hope that they did not need to steal it.

TrueDinosaur

For the infamous PII rules (Personally Identifiable Information) in California just having a name and address is enough if the information is for a person that gets any kind of public funds.

Ocie3

You seem to say that if you know someone's name and address, then that is enough for you to determine whether they are receiving "any kind of public funds" from the State of California. Or do you mean that the only information that a person must disclose to receive "any kind of public funds" is their name and address?? Or am I missing the point of your remarks entirely? By the way, the research which established that at least 26 items of data are necessary to "uniquely identify" a human being was taught by a computer science professor at the University of California (Berkeley), where I was a student at the time. At least that many items are indeed *necessary* for unique identification, regardless of how many and which ones that any law or court ruling may deem are *sufficient* identification for a particular purpose. The term "uniquely identify" deserves some consideration. We routinely "identify" strangers whom we encounter throughout our lives. How much data we *can use* to do so depends upon how much we can acquire and remember or record. Regardless, in practice, we initially acquire and use as much as we are satisfied to accept as *sufficient* to "identify" someone in the immediate circumstances. For that matter, in most circumstances, we are usually less concerned with uniquely distinguishing one stranger from another than we are with discerning their social and economic status, and their group affinities and affiliations. To whom do they belong? Is this person among those who would do me harm? Can this stranger become a prospective friend? Ordinarily, the criteria which we use to distinguish one person from another may be sufficient for our immediate need but beyond that, perhaps we are not only using more data than just 26 items, but also a different dataset than most IT databases contain. Do any of them record how my girlfriend's scalp smells?? (Maybe a shampoo manufacturer's records do.)

In the context of IT: what do we need to know about a human being to distinguish that human being from any and all other human beings? Clearly, "identify" implies "uniquely" if that is the question, and you probably need many more than just 26 items of data about an individual in order to answer it today. Nonetheless, even with IT, the matter of sufficiency arises. How many items of data about a person are sufficient for a bank to identify them as the customer who has a specific account?? Which items should they use for that purpose??

santeewelding

You guys have a bank where you can actually talk to a real, live person on the telephone?

Jaqui

I wonder how well this compares to regulatory compliance issues. A timely piece, since I actually recently applied for a position at a bank responsible for regulatory compliance and I.T. security. [The description of the duties is 3 pages long.]

Ron_007

The "Security Monkey" blog has a new case study posted: http://it.toolbox.com/blogs/securitymonkey/guest-case-file-alert-case-of-the-broken-bank-38738 The financial officer at a small company had their home computer hacked. Hackers used that info to steal $250,000. The theft was noticed before the transactions were completed. The bank did nothing to help, and actually obstructed efforts to block the transactions. Bottom line, the small company had to eat the loss. Read it; it should make every business recheck their electronic banking arrangements. The Security Monkey has lots of security-related case studies that are good reading and educational.

yorkshirepudding

I live in the UK and things are a lot tougher here. For telephone banking and online, you have to go through security with random characters from a password and a passcode, and often additional security questions as well, together with remembering a user ID that's about 10-12 digits long. We also have devices that work with cards to generate additional codes for certain types of transaction.
