Charles Darke | 10 August 2006You should never give your passwords/PINs to anybody especially if they call you out of the blue and ask for them. Right?
But what if your bank calls you and asks you for verification details? But they never do that right? They tell you that they would never ask. Wrong.
Today First Direct called me to ask about my mortgage application and asked for my details to verify me. I did pause and wonder whether I should ask for their number (to confirm it was same as the one I had and do a call back) or question them on this. In the end, my brain worked into overdrive in the one second pause and I realised I recognised the voice and name and had spoken to the same woman on a previously 'secured' call.
I guess banks may never ask for your PIN (but who know?) but certainly, this call and request authentication behaviour is training their customers to be susceptible to phishing attacks.
But what if your bank calls you and asks you for verification details? But they never do that right? They tell you that they would never ask. Wrong.
Today First Direct called me to ask about my mortgage application and asked for my details to verify me. I did pause and wonder whether I should ask for their number (to confirm it was same as the one I had and do a call back) or question them on this. In the end, my brain worked into overdrive in the one second pause and I realised I recognised the voice and name and had spoken to the same woman on a previously 'secured' call.
I guess banks may never ask for your PIN (but who know?) but certainly, this call and request authentication behaviour is training their customers to be susceptible to phishing attacks.
Add comment!
New topicComments (2)
Written by Charles Darke at 7:51am, 18 August 2006.I just thought of something else: if your banking details somehow got hacked, could First Direct use their previous 'Phishing' attempts as evidence that you've given out details to 'unknown' people in the past and therefore pass any liability for loss onto you?
Written by Charles Darke at 1:07am, 22 January 2007.
Again, they wanted to do a 'security check' before going into details. This time I asked specifically how I could know that this was actually HSBC.
Interestingly, they suggested doing a reverse security check and ask them for 2 letters from some of the security words.