Comments on: Jonathan Jensen – Protect yourself from voice phishing

By: sevendotzero

sevendotzero — Mon, 21 Jul 2008 15:26:31 +0000

I like the idea of very personal questions, rather than the usual DOB etc.

By: juliancooling

juliancooling — Thu, 17 Jul 2008 13:11:07 +0000

The method used by my Oz bank was to make me nominate two personal and very specific questions and answers when opened the account. Being asked a question like “In which month did we get my dog in 2003″ pretty much guarentees that the person is from the bank or they have hacked the bank's systems fairly well already.

You don't even really have to remember whether the question is exactly the one you asked (the calls always come at the wierdest times) since they pretty much validate themselves.

By: smstextnews

smstextnews — Thu, 17 Jul 2008 10:21:05 +0000

I like the idea myself!

By: Mike42

Mike42 — Thu, 17 Jul 2008 10:14:19 +0000

Hmmm...nice for the geek crowd, waaaay too complex for my mum.

Me? I ask THEM to provide ME with an item of relevant info from my account, like my last transaction location etc. If they refuse because they can't give that away to someone they don't trust yet, I put the question back to them: Why should I give critical info to them when I don't know who they are. Banks insist on this way of working because it's easy for them and puts the onus on customers. If you divulge your info to a phisher who then calls your bank, gives the correct login info and empties your account, they can claim no fault.

If we are at a stalemate, I ask for an extension to call off their main, public 0870 number. I wouldn't trust any 0870 number they gave me unless it was verifiable publicly.

I can see 2-factor authentication like an RSA keytag becoming standard, where the bank calls you, tells you what your keytag should be reading, you give them some info to ID you, and then you are both happy.