A while ago my credit card was cloned, or hacked in some way, and their computer systems correctly identified a fraudulent transaction. That part of the system worked very well; however, the next part of their process was almost a textbook example of what not to do.
I was alerted by a text message, from a number not known to me, telling me of the suspect activity, and telling me to ring a phone number, which was not the contact number given on my card.
I did some research and found that the number they were asking me to call might belong to the bank – although it was not given on their web site as a number to call. I also checked my online banking and did find a transaction I had not made. Note that not everybody would have done this, and it should not be necessary.
I rang the number, and they asked me a number of security questions to try to establish that I was the owner of the account. If they had been criminals they would then have been in a position to pretend to be the account owner! See The Proof of Identity Problem.
There was no attempt by them to establish that they really were the security department. They were, but just because they know they are the good guys is not a good reason to ‘train’ their customers to ring random phone numbers and provide their identifying information.
Best practice for bank security departments.
What I think should have happened is laid out below.
A text message with a security reference, from a known number.
Although the source number of a text message can be forged, using a source number that can be found on the bank's website, or preferably on the back of the credit card, would be a worthwhile extra step.
The message should say something like ‘Please call the main contact number on your card, select option {7} and enter the code {43702}’
Call the main contact number
It is a bad idea to hand out or mail leaflets to customers telling them to beware of fraud, and then, when fraud has occurred, to expect them to do something you have warned them not to do. Keeping a constant contact number is important.
The 7 referred to above is one option in the initial options menu that all corporate phone systems love so much. Selecting that option should ask the caller to enter the number from the text message.
The five-digit number, picked randomly and re-selected if there is a clash, would actually be an index identifying a particular open security issue. A five-digit number should give a sufficiently sparse space that the chance of a caller who is not related to an open issue hitting one by accident is low, of the same order as guessing a PIN.
The requirement for a number at this stage means that the security department will only be called by customers they have alerted, to prevent the security specialists from being swamped with calls from other customers.
Demonstrating that the customer is talking to the bank
When the call is routed to the bank security department, the person answering should already have the customer's details on their screen, including their name and the suspect transaction. They should be able to greet the caller by forename, and tell them something not very secret but not printed on the card, possibly their address or the day of the month they were born. As at this stage there is still a small chance that the caller is not really the customer, they should not give, for example, a full date of birth.
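As an added example, not part of the original post, here is a small Python model of the reference-code scheme described in the steps above: random five-digit codes that are re-selected on a clash, expiry of stale issues, the phone-menu gate that only routes callers who hold a live code, and the screen-pop that lets the agent greet the caller by forename and read out something non-secret. The 48-hour expiry, the code range (no leading zeros), the option number and the field names are my assumptions.

```python
"""Model of the five-digit reference codes carried in the bank's text message.

Added example, not the bank's own system. Assumptions: codes run 10000..99999,
an open issue expires after 48 hours, and only the day of month of the customer's
date of birth is read out to the caller.
"""
import secrets
from dataclasses import dataclass
from datetime import date, datetime, timedelta
from typing import Callable, Dict, Optional

CODE_MIN = 10_000
CODE_SPACE = 90_000      # number of possible codes 10000..99999 (assumption: no leading zeros)


@dataclass
class SecurityIssue:
    code: str                # the reference sent in the text message
    customer_id: str
    forename: str
    date_of_birth: date      # stays server-side; only the day of month is spoken
    suspect_transaction: str
    opened_at: datetime


class OpenIssueRegistry:
    """Open security issues keyed by their five-digit reference code."""

    def __init__(self, ttl: timedelta = timedelta(hours=48),
                 rng: Callable[[int], int] = secrets.randbelow) -> None:
        self._issues: Dict[str, SecurityIssue] = {}
        self._ttl = ttl          # assumption: an alert is only valid for 48 hours
        self._rng = rng          # rng(n) -> int in [0, n); injectable so tests are deterministic

    def open_issue(self, customer_id: str, forename: str, date_of_birth: date,
                   suspect_transaction: str, now: datetime) -> SecurityIssue:
        self._expire(now)
        for _ in range(100):                      # re-select on clash, but never loop forever
            code = str(CODE_MIN + self._rng(CODE_SPACE))
            if code not in self._issues:
                break
        else:
            raise RuntimeError("reference code space nearly exhausted")
        issue = SecurityIssue(code, customer_id, forename, date_of_birth, suspect_transaction, now)
        self._issues[code] = issue
        return issue

    def lookup(self, code: str, now: datetime) -> Optional[SecurityIssue]:
        self._expire(now)
        return self._issues.get(code.strip())

    def close(self, code: str) -> None:
        self._issues.pop(code, None)

    def open_count(self) -> int:
        return len(self._issues)

    def _expire(self, now: datetime) -> None:
        stale = [c for c, i in self._issues.items() if now - i.opened_at > self._ttl]
        for c in stale:
            del self._issues[c]


def text_message(issue: SecurityIssue, option: str = "7") -> str:
    """The alert text: points at the number on the card, never at a new number."""
    return (f"Please call the main contact number on your card, select option {option} "
            f"and enter the code {issue.code}")


def guess_probability(open_issues: int) -> float:
    """Chance that one random code typed by an unrelated caller hits some open issue."""
    return open_issues / CODE_SPACE


def route_call(registry: OpenIssueRegistry, entered_code: str, now: datetime) -> Optional[dict]:
    """Phone-menu step: accept the code and route to security with a screen-pop, or reject."""
    issue = registry.lookup(entered_code, now)
    if issue is None:
        return None                               # not an alerted customer: security desk not reached
    return {
        "customer_id": issue.customer_id,
        "greeting": f"Hello {issue.forename}",
        # Something not very secret and not on the card; the full date of birth is withheld
        # because there is still a small chance the caller is not the customer.
        "confirmation_hint": f"born on day {issue.date_of_birth.day} of the month",
        "suspect_transaction": issue.suspect_transaction,
    }
```

The `rng` parameter exists so the clash path can be exercised deterministically; in service the default `secrets.randbelow` is the right source. `guess_probability` makes the sparseness argument concrete for whatever number of issues a given security desk actually has open at once.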
Checking the bank is talking to the customer
They can then confirm the customer’s identity, possibly by asking roughly what the last transaction they are aware of was, bearing in mind that in these paperless days the customer may well not know the exact details. If a particular location crops up frequently amongst the last transactions made by customers, then that is probably where cards are being skimmed.
The process of refunding fraudulent transactions and other investigation can then proceed as it does currently.