This literally just happened to me again today, twice. So I thought I had to emphasize how critical this issue is and how easily it gets overlooked. What am I talking about? I am referring to verbal ID verification during a phone conversation when you are dealing with (usually) your bank, financial institution or other service provider. If you disregard this, you might end up exposing yourself to identity theft, fraud, scams or other unwanted nasties that we really don’t want to deal with. Beware!

For security reasons, could you tell me …?

When you call your service provider to ask about specific details of your account, this question will always come up in the conversation. It ranges from date of birth, mother’s maiden name, email address and current address to more difficult questions such as when the account was opened (who remembers this?) or even the amount of the last credit card transaction. Sounds familiar?

Well, in this case, it’s all still good and within reason. After all, they need to protect your privacy, don’t they? You call them to access some sensitive data, so they need to know whether you really are the person authorized to access the account before giving out the information. Yes, it’s not foolproof, as somebody close to you may actually impersonate you and pass this verbal questioning, but it’s quite effective and easy, to the extent that almost all companies use this method.

But now… they are the ones who call…

What if the company is the one that calls you on your number? The conversation will go something like this:

“Hi, this is Jane from [Your Bank], may I speak to John, please?”
“Yes, John here. What’s up?”
“We have some transactions on your account that need to be confirmed with you. Do you have time now?”
“Yes, sure. What transactions are you talking about?”
“But before we continue, for your security, can you confirm your date of birth, please?”

Right there, at that point: what would you say?

Since we are used to this kind of verbal identification process, it’s not surprising that people will go ahead and answer the question as normal. It is okay (or at least safer) to answer this kind of check when you call the company, as you know exactly who you are calling (at least the company or bank name). Yes, people who can hijack the communication system will still be able to misuse it, but hijacking the exchange requires a major criminal operation, so it is less likely to happen.

But for identity thieves or people committing fraud and scams, how difficult is it to go to a pay phone/public phone and initiate the conversation above for evil purposes? It’s very easy!
Also, outgoing calls from a company will usually hide their number. But so does a public phone. So there is no way to tell from your caller ID where the call is coming from.

So, the conversation should continue like this:

“Sorry, that’s not how it works. Can you give me some kind of reference number and I will call you back straight away?”
“Sure, I understand. Please quote this reference number ABC1234 when you call. Our call center is 1800123456. We will wait for your call, then. Thank you.”

Another Corporate Bungle…

I think all those companies that keep doing verbal verification on calls they initiate need a slap on the wrist. They should know privacy and security best practices better. It is similar to scam emails that impersonate banks to get you to click through to a fraudulent website: banks will never send such emails, for the sake of their own reputation. So they should not do this kind of verbal identification (where they are the ones who call) either.

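This does not prevent any company from calling any customer, though, but if some privileged information is involved and some verbal verification is needed, then the customer has the right to do the right thing. When you do call back, use a number you already trust, such as the one printed on your card or statement, rather than relying only on a number read out by the caller.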

The most important thing

But the most important thing is that you should be the one who is aware of this potential threat and act accordingly when it happens. Be responsible and take charge of your own privacy and security.

Also, this should make you think twice about putting all your life and details on Facebook, Friendster, MySpace and the like…
