Tell HN: Commonwealth Bank Australia crazy security processes - andrewstuart

So my phone rings - no caller id.

The person on the line says they are from Commonwealth Bank and need to speak to me about my account.

"For my security" "to make sure they are not disclosing information to third parties" he needs to know my full name and date of birth and other identifying information before he can proceed with the phone call. I tell him I'm not handing out that information to a random person phoning me up claiming to be from the bank.

I DO believe he is from Commonwealth Bank, however why is the bank using processes in which they are encouraging people to think it's okay to hand out account access information to any random caller?

Anyone from Commonwealth Bank of Australia here who can explain this crazy security hole?
======
Cogito
While I do some work for the bank, I have no idea how to even try to find out
the answer to this question.

There are two options I would use in a similar situation.

1. Ask for a case number, and the return phone number to call back. Check the
number belongs to the bank, and call back quoting the case number. Could be
painful to do this depending on how the call gets routed.

2. Get the caller to verify themselves using information that only they would
know, and that doesn't expose any PII of yours. Things like 3rd, 4th, 6th digits
of your account, metadata about a recent transaction on the account, etc. Even
better, get them to send you an email from their work account, and make sure
they can reply to you from that account as well.

------
jnord
Tragically, this practice is not limited to Commonwealth Bank. I have had
similar cold calls from Citibank and various telecom companies who all start
out with wanting to verify my account details.

Funny enough, these companies' email policies also state that they will never
request account or security details via email but obviously this has not
carried over to how they interact with customers over the phone.

~~~
yen223
Are you sure the cold calls are genuinely from those banks?

------
dwd
This is quite common.

I have had a similar call from one of my bank's partners, who identified themselves
as being from my bank. I asked for verification of who was calling and a
contact number, then called the bank, who explained the arrangement and verified
the number.

------
amarcus
This exact thing happened to me last week. I asked for a reference number and
then called the bank on their official number. Quoted the reference and they
transferred me to the person I was speaking with.