Why Lazy Product Design makes banks complicit in phone scams!

Michael Mangion
4 min read · Jun 3, 2021

Photo of an old bank building by Etienne Martin on Unsplash

Stop me if this has never happened to you — you’re going about your day and you get a call from your bank, card company, or some other service provider and they tell you that there’s something they need to discuss but they first just need to take you through security.

Of course, I have never and will never give out details to someone who calls me, no matter who they say they are or, for that matter, what number shows up on my screen — unless they first positively identify themselves, which they never can do until I identify myself “because of data protection”. That always ends up at an impasse.

In some cases I hang up and call them back, just to see whether it’s something important. But in most cases it’s just a silly, time-wasting sales call.

And that’s where I’d leave it if it wasn’t for the recent spate of raids on people’s savings that you may have read about. Now these people were — by their own admission — silly to have gone along with the lie. But here’s the thing — any scam is the by-product of countless iterations of A/B testing to get to a script and method that works against some fraction of the not totally paranoid.

And, in that sense, I don’t blame the victims — because someone, somewhere will be tired and fearful, and make a silly mistake every day of the week. And that’s all it takes for the scammers to make tens of thousands daily.

Rather, I hold the banks and other service providers at least partly to blame because they keep perpetuating this myth that it’s somehow OK to cold call their customers and ask them to give up personal information to a total stranger in order “to authenticate” themselves — when the bank is a lot more confident of who I am since they called me, than the other way round.

And, considering that most people have that service provider’s app on their phone, it’s just lazy product design to not build a secure authentication process into those very same apps.

At least the scammers are bothering to use good product design tactics to get their messaging spot on.

So this is how it all could go instead. When the call comes in, the operator asks me to validate myself on my app. As soon as I sign in to the app, it would confirm that I should have just received a call from operator X and ask me to click a button to authenticate myself. That’s it! At this point I should have authenticated myself to the bank far more securely than by giving some random information that my partner could easily know. As added protection, the app could also generate three random words that the operator would then read back to me to validate that they are who they claim to be.

While there’s still technically the risk of a man-in-the-middle attack with this approach, it’s so improbable and difficult to perpetrate as to be essentially impossible, and I, for one, would be confident at that point that I am at least speaking to someone with access to the bank’s systems.
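The flow described above, as an added example that is not part of the original post: a small Python simulation of the bank's side of the call-back check. The names (BankBackend, operator-7, alice), the five-minute validity window and the short word list are all hypothetical, and the sign-in to the app is assumed to already be strong. The detail it adds to the prose is where the words live: the bank generates them when the operator places the call, the app shows them only once the customer has confirmed, and the operator's console releases them only after that confirmation. A caller who is not inside the bank's systems therefore produces no pending challenge for the app to show, and has no words to read back.

```python
import secrets
from dataclasses import dataclass
from typing import Dict, Optional

# Constructed word list for the example. A real deployment would use a
# large curated list (thousands of words), not a dozen.
WORDS = ["larger", "infuse", "supply", "negate", "notify", "mitigate",
         "piggish", "locus", "enplane", "ember", "quartz", "saddle"]

CHALLENGE_TTL_SECONDS = 300   # assumed: a challenge is valid for five minutes


@dataclass
class Challenge:
    operator: str        # who at the bank placed the call
    words: str           # three random words, bank-generated
    created: float       # epoch seconds when the call was placed
    confirmed: bool = False


class BankBackend:
    """Hypothetical bank-side state shared by the operator console and the app."""

    def __init__(self) -> None:
        self._pending: Dict[str, Challenge] = {}

    def _live(self, customer: str, now: float) -> Optional[Challenge]:
        c = self._pending.get(customer)
        if c is None or c.confirmed or now - c.created > CHALLENGE_TTL_SECONDS:
            return None
        return c

    def operator_starts_call(self, operator: str, customer: str, now: float) -> None:
        """Operator console: record that this operator is calling this customer."""
        words = " ".join(secrets.choice(WORDS) for _ in range(3))
        self._pending[customer] = Challenge(operator, words, now)

    def app_pending_call(self, customer: str, now: float) -> Optional[str]:
        """Signed-in app asks: is anyone at the bank calling me right now?
        Returns the operator's name, or None when there is nothing to confirm."""
        c = self._live(customer, now)
        return None if c is None else c.operator

    def app_confirm(self, customer: str, now: float) -> Optional[str]:
        """Customer taps 'yes, I am on this call'. Single use: returns the words
        the app should display, or None if the challenge is missing, stale or used."""
        c = self._live(customer, now)
        if c is None:
            return None
        c.confirmed = True
        return c.words

    def operator_words(self, operator: str, customer: str) -> Optional[str]:
        """Operator console: words are released only after the customer confirmed,
        and only to the operator who placed the call."""
        c = self._pending.get(customer)
        if c is None or not c.confirmed or c.operator != operator:
            return None
        return c.words


def genuine_call(now: float = 1000.0):
    """Operator calls, customer confirms in the app, operator reads the words back."""
    bank = BankBackend()
    bank.operator_starts_call("operator-7", "alice", now)
    shown = bank.app_pending_call("alice", now + 30)          # app: "call from operator-7?"
    app_words = bank.app_confirm("alice", now + 40)          # customer taps confirm
    op_words = bank.operator_words("operator-7", "alice")    # operator reads these out
    replay = bank.app_confirm("alice", now + 50)             # second tap: rejected
    return shown, app_words == op_words, replay


def scam_call(now: float = 1000.0):
    """Nobody at the bank placed a call, so the app has nothing to confirm."""
    bank = BankBackend()
    return bank.app_pending_call("alice", now)


def stale_call(now: float = 1000.0):
    """A challenge older than the validity window is ignored."""
    bank = BankBackend()
    bank.operator_starts_call("operator-7", "alice", now)
    return bank.app_pending_call("alice", now + CHALLENGE_TTL_SECONDS + 1)


if __name__ == "__main__":
    print(genuine_call())   # ('operator-7', True, None)
    print(scam_call())      # None
    print(stale_call())     # None
```

The three helper functions are the three cases a reviewer would want covered: the genuine call succeeds and the confirmation cannot be replayed, the cold call from outside the bank shows nothing in the app, and a forgotten challenge expires rather than lingering as something a later caller could point at.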

And while we’re at it, mother’s maiden name simply isn’t secure. That’s why my mum’s maiden name is larger-infuse-supply at my bank, negate-notify-mitigate at my broadband provider, and piggish-locus-enplane at my energy supplier. Some companies even refuse to allow such secure answers to a silly question that asks for publicly available information as a means of identification! Or they insist on a minimum of 8 characters. Really? What if my mother’s maiden name is Smith?

Which reminds me of what the Head of Security at a large bank once told me — “if you want to know someone’s password, the easiest way to get it is to call them up ‘from IT’ and just ask for it.”

Book review of the week

Last week I read Banking on it by Anne Boden about how she went from part of the establishment to starting one of the first challenger banks that is rapidly disrupting the industry.

Her book was mentioned in a Guardian article about her and, being at a rather similar juncture in my life, I eagerly bumped her book to the top of my very long reading list. And I’m so glad that I did because hers is a really compelling tale about the excitement and fear, the joys and tears, and, ultimately, the challenge of bringing a newborn into the world — of conjuring something out of nothing — of going from zero to one.

It might leave you looking at a certain Coral credit card and thinking ‘eff im’, but I’m not one to take a single side of any story as gospel.

The fact that I’d also recently opened a Starling business account because my normal bank was too busy processing CBILS loans instead of new accounts certainly added to the belief that the traditional banks are just finished. I still use mine out of pure inertia, but I doubt that we’ll outlast the year together.

Michael Mangion

Product Leader | 3x Founder | Technology & Engineering lover | Tooling & Automation believer | Performance Cyclist | Glider pilot | Dad & Husband