
When bank ID management goes wrong

Banks are required to collect information to identify their customers. But do they go far enough when conducting remote transactions?

Businesses today rely heavily on their ability to provide remote services to their customers. However, in addition to allowing them to remain competitive, it also causes challenges associated with implementing identity management processes. The question banks and other financial institutions have to answer, for example, is how can they identify a person on the phone as the actual customer?

There are paths to reaching effective identity verification objectives. I'll get into those later. First, I'd like to share an example of what can happen when the process is either weak or breaks down.

The event

My wife (MW) and I share a home office. A few days ago, I overheard a call she made to the bank where we have our business account. The following is a close approximation of the "interesting" conversation I overheard. (My wife always uses a speaker phone.)

Bank: Good morning, how may I help you?
MW: I need to make a change to my business account.
Bank: Okay, I can help with that. What is the name and address on the account?
MW: [provided name and address]
Bank: What is the business tax ID?
MW: [tax ID given]
Bank: OK, how can I help you?

[After this weak effort to identify my wife, I am very interested in this call.]

(My wife told the bank representative what she needed, and the changes were made. Then it gets even more interesting.)

Bank: Is there anything else I can help you with?
MW: Yes. I don't remember the PIN on the business debit card. I need to change it.
Bank: No problem. What would you like the PIN to be?
MW: [New PIN given and applied to the account.]

I won't bore you with the rest of the conversation. However, I can say without hesitation that I was not happy with this transaction.

Interested in the methods other financial institutions use, I did a quick search on the Web. Among other approaches, I found the process shown in Figure 1 at another bank's Web site. All I need is a person's social security number and probably an account number with the associated address to gain initial access. How many times do I have to access an account to transfer or withdraw funds?

Figure 1

Event analysis

I understand the need to ask questions customers can easily answer. However, the questions shouldn't request information easily accessible via online or traditional identity theft methods. This includes my mother's maiden name…

We all know about the threats associated with online identity theft. Many users behave safely when on the Web, but most don't. Further, traditional methods of identity theft (i.e., dumpster diving or mailbox theft) present other opportunities to criminals.

A study from 2007 revealed that the mailbox is the most risky point, outside technology, for gaining access to a person's identity, which is precisely why any plan for identity theft prevention must take into account your own mailbox. The US study, which assessed during 2000–2006 those closed Secret Service cases that had shown there to be elements of identity theft or fraud, revealed that mail 'redirection' and actual mail 'theft' were at the top of the list, disregarding technological means of identity theft (IdentityProtectionReports.com).

According to the Better Business Bureau:

In the wrong hands, your incoming mail can be a treasure trove of information about you. A bill from your credit card company, a statement from your checking account, an unsolicited offer of a new, pre-approved credit card (complete with application). And your outgoing mail may include personal checks you are sending to pay bills (containing your routing and checking account numbers). If you don't have a locked mailbox for incoming and outgoing mail, you are vulnerable (BBBonline.org).

In addition to the mailbox, people who don't shred bills and other information-rich documents before throwing them in the trash and wheeling them out to the curb are providing opportunities for identity thieves.

Going back to the conversation between my wife and the bank, it's obvious to me that the answers to the questions she was asked are both easy for a criminal to obtain and easy to get past. After only a cursory check of my wife's identity, the bank representative was ready to perform every action she requested.

Possible solutions

The US government requires financial institutions to verify a potential customer's identity. This is to protect the customer from criminals who seek to open accounts and manage transactions as someone else. Information financial institutions must collect, as part of a Customer Identification Program (CIP), includes:

  • Name
  • Date of birth
  • Address
  • Identification number (social security number, tax ID number, passport number, etc.)

As evidenced by the call I overheard, our bank collects this information and uses it for remote post-account-creation identification. In my opinion, this isn't enough. So why doesn't the bank do more? Is it our fault they don't collect more information?

First, the banks could ask for more information with which to identify us. They have to collect some anyway; why not expand the list? I think the answer lies with us.

Bank customers are so filled with FUD (Fear, Uncertainty, and Doubt) because of all the hype about identity theft, they strongly resist providing personal information. Banks, on the other hand, are slammed by the press, bloggers, their customers, and regulatory agencies whenever the inevitable breach occurs. So why would a bank collect more than is absolutely necessary to achieve regulatory compliance?

How can we resolve these challenges? First, people need to get over their belief that banks, the government, and anyone else who collects their personal data will never lose it. They should provide whatever is necessary to uniquely identify them when banks request it. Meanwhile, each of us must take responsibility for protecting ourselves from unauthorized use of our identities.

Second, banks should assess better identity management solutions. For example, they should give customers the option of receiving a one-time PIN or password via SMS, sent to the phone number already on file rather than to a number the caller supplies. The one-time token would work only for the current conversation or session, and only for a short time. If this isn't an option, then the institution might take the secret question route, using information not readily available on the Web or in the mailbox.
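To show what "works only for the current conversation" means in practice, here is an added example of a session-bound one-time PIN service. It is not code from the original post or from any bank: the SMS gateway is a hypothetical hook (the demo just records the message), the store is in memory, and the session IDs and phone number are constructed sample values. The PIN is never stored; only an HMAC keyed to the session is kept, so a PIN issued for one call cannot verify in another, it expires, it is single-use, and a few wrong guesses void it.

```python
"""Session-bound one-time PIN (OTP) for out-of-band caller verification.

Added example, not code from the original post or from any bank.  The SMS
gateway (send_sms) is a hypothetical hook; a deployment would use the
bank's messaging provider and a shared datastore instead of a dict.
"""
import hashlib
import hmac
import re
import secrets
import time
from dataclasses import dataclass, field
from typing import Callable, Dict

OTP_DIGITS = 6          # length of the PIN sent to the customer
OTP_TTL_SECONDS = 300   # PIN expires five minutes after it is issued
MAX_ATTEMPTS = 3        # wrong guesses allowed before the PIN is voided


@dataclass
class PendingOtp:
    session_id: str
    digest: bytes          # HMAC of the PIN; the PIN itself is never stored
    expires_at: float
    attempts: int = 0
    used: bool = False


@dataclass
class OtpService:
    server_key: bytes                                  # secret HMAC key
    send_sms: Callable[[str, str], None]               # hypothetical gateway
    clock: Callable[[], float] = time.time             # injectable for tests
    pending: Dict[str, PendingOtp] = field(default_factory=dict)

    def _digest(self, session_id: str, pin: str) -> bytes:
        # Binding the session id into the MAC input ties the PIN to one call.
        msg = f"{session_id}:{pin}".encode()
        return hmac.new(self.server_key, msg, hashlib.sha256).digest()

    def issue(self, session_id: str, phone_on_file: str) -> None:
        """Generate a fresh PIN for this call and send it to the number on file."""
        pin = "".join(secrets.choice("0123456789") for _ in range(OTP_DIGITS))
        self.pending[session_id] = PendingOtp(
            session_id=session_id,
            digest=self._digest(session_id, pin),
            expires_at=self.clock() + OTP_TTL_SECONDS,
        )
        # Out-of-band delivery: the number comes from the account record,
        # never from the caller, so a stolen SSN alone does not help.
        self.send_sms(phone_on_file,
                      f"Your one-time PIN is {pin}. It expires in 5 minutes.")

    def verify(self, session_id: str, pin: str) -> bool:
        """True at most once per PIN, only for the issuing session, before expiry."""
        entry = self.pending.get(session_id)
        if entry is None or entry.used:
            return False
        if self.clock() > entry.expires_at:
            del self.pending[session_id]
            return False
        entry.attempts += 1
        ok = hmac.compare_digest(entry.digest, self._digest(session_id, pin))
        if ok:
            entry.used = True              # single use: replay is rejected
        elif entry.attempts >= MAX_ATTEMPTS:
            del self.pending[session_id]   # too many wrong guesses: void it
        return ok


def demo() -> Dict[str, bool]:
    """Walk the accept/reject cases with a fake clock and a recording SMS hook."""
    sent = []
    now = [1_000_000.0]                    # constructed epoch time, advanced by hand
    svc = OtpService(server_key=secrets.token_bytes(32),
                     send_sms=lambda number, text: sent.append(text),
                     clock=lambda: now[0])

    def last_pin() -> str:                 # recover the PIN from the constructed SMS text
        return re.search(r"\d{%d}" % OTP_DIGITS, sent[-1]).group(0)

    results = {}
    svc.issue("call-42", "+1-555-0100")    # constructed session id and number
    pin = last_pin()
    wrong = "000000" if pin != "000000" else "111111"
    results["wrong_session"] = svc.verify("call-43", pin)   # same PIN, other call
    results["wrong_pin"] = svc.verify("call-42", wrong)
    results["correct"] = svc.verify("call-42", pin)
    results["replay"] = svc.verify("call-42", pin)          # already used

    svc.issue("call-99", "+1-555-0100")
    now[0] += OTP_TTL_SECONDS + 1                            # let it expire
    results["expired"] = svc.verify("call-99", last_pin())

    svc.issue("call-7", "+1-555-0100")
    for _ in range(MAX_ATTEMPTS):
        svc.verify("call-7", wrong)                          # burn all attempts
    results["locked_out"] = svc.verify("call-7", last_pin())
    return results


if __name__ == "__main__":
    for case, outcome in demo().items():
        print(f"{case:14s} -> {'accepted' if outcome else 'rejected'}")
```

The design choice worth noting is what the agent's screen never shows: the PIN goes only to the phone number on file, and the server keeps a keyed hash rather than the PIN, so a leaked pending-OTP table or a helpful representative reading a value aloud gives an impostor nothing reusable.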

The final word

Identity verification methods for phone and other remote transactions need work. But nothing will change until customers understand what behavioral changes they have to make. And banks must get more creative in how they interact with customers who are not standing at a teller window.

In addition, everyone should understand the steps they have to take to protect paper-based information passing through their homes. They must also educate themselves so they can identify, and push back on, weak identity management processes practiced by their financial institutions.

What security measures would you put in place for banks that would also be practical for customer service considerations? What is the proper balance?

About

Tom is a security researcher for the InfoSec Institute and an IT professional with over 30 years of experience. He has written three books, Just Enough Security, Microsoft Virtualization, and Enterprise Security: A Practitioner's Guide (to be publish...
