
> mobile operator or my bank

Yeah no, these companies should NEVER be calling people, period. It's way too easy to phish people for information by calling them and claiming to be their bank. Too many people will fall for it:

"Hi, this is SomeDude from Bank of America, and we noticed some suspicious activity on your account. Before we go further I would just like to confirm your identity. Could you please provide your name? Your address? Your mother's maiden name? The last four digits of your SSN?"

Banks should adopt a policy of only interacting with customers physically, via their web interface with a login, official mobile app, or by the user calling the bank's official, publicized number. Never by calling the user.

That way they can post big signs saying "We will never call you, if someone calls you claiming to be us, it's fake" and people will get it.



I've had my bank call me, wanting to talk about something important (I think it was a loan payment that didn't go through or something of that sort) and the first thing they said was: "This is Bank XYZ and I'm calling to inform you of something. But before we do that you have to prove your identity. Can you tell me what your account number is?"

I said: "I'd be happy to, but first can you prove your identity to me? After all, you're the one that called me"

What followed was a hilarious discussion where they were unable to prove anything to me (for example, telling me something about my account that only I would know) because they're not allowed to tell anything to me until I proved who I am.

Finally I told them that I'd be happy to call them back and I asked them where I can find the number to call. I was obviously not going to call a number the person would give me. They didn't know how to find the number to the customer service, so I found it myself and called back.

When they answered, I explained the situation but obviously there was no way to actually get in touch with the person with whom I had spoken earlier, and the person that I did speak to didn't know what the topic was. I asked them to call me back.

Well, they did eventually call me back, but what was the first thing they asked after they did? "We need you to prove your identity, can you tell me XXXX?"

They've stopped doing this now, and the most recent time they called me to inform me about something they just went to the point right away. I wonder if I've been flagged as someone who doesn't need verification or if they changed their policy.


For my bank they just send a verification request to the app (or web page using your one time code book if you prefer that) to verify who you are. So basically the same process as logging into the bank and/or verifying payments.


Correct me if I misunderstood, but that sounds insecure.

I imagine an attack where someone attempts to log in to your Internet bank account, and at the same time calls you and tells you that they are the bank and that they have sent you a notification on the phone to confirm this.

You accept the notification on the phone and all of a sudden they're not just logged in to your Internet bank, but also on the phone with you, with you trusting that they are indeed the bank.

The only way I see that this could be avoided is if they provide you with a verification code that will appear on your phone.


The verification app does tell you what the verification request is for. Also you can't really do anything in the bank without verifying yourself again (basically any change/write requires you to approve again)

Basically in the app you see if the verification is for logging in, providing strong auth for some service, approving transfer of X euros from Y account to account Z, etc

In general we have had really well working online banking since the late 90s here in Finland (first versions are actually from the early 80s where you dialed directly to the bank instead of your ISP with your modem). Haven't really heard of any major security flaws ever so they do have a really good track record. This is also why the government's attempt at creating their own strong auth service failed. The banks already effectively provide that and everyone is used to using them.
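The sub-thread above turns on whether an app approval says what it is for and whether it can be reused for something else. The sketch below is an added example, not part of any comment and not any bank's actual protocol: the approval is a MAC over the exact request the app displayed, so a login approval cannot authorise a transfer and a changed payee invalidates an approved transfer. The shared device key, the field names and the `agent_call` purpose with its call code are assumptions made for illustration.

```python
import hashlib, hmac, json, secrets

DEVICE_KEY = secrets.token_bytes(32)  # constructed: key set up between bank and app at enrolment

def make_request(purpose, **detail):
    """Bank side: one request per action, with the action spelled out."""
    return {"id": secrets.token_hex(8), "purpose": purpose, "detail": detail}

def _canonical(req):
    # Stable byte encoding so both sides MAC exactly the same content.
    return json.dumps(req, sort_keys=True, separators=(",", ":")).encode()

def display_text(req):
    """What the app shows the user before they approve."""
    d = req["detail"]
    if req["purpose"] == "login":
        return "Log in to online bank"
    if req["purpose"] == "transfer":
        return f"Transfer {d['amount_eur']} EUR from {d['src']} to {d['dst']}"
    if req["purpose"] == "agent_call":  # hypothetical purpose for bank-initiated calls
        return f"Confirm call with bank agent, call code {d['call_code']}"
    return "Unknown request"

def app_approve(req, key=DEVICE_KEY):
    """App side: the approval covers the exact request that was displayed."""
    return hmac.new(key, _canonical(req), hashlib.sha256).hexdigest()

def bank_accepts(action, approval, key=DEVICE_KEY):
    """Bank side: recompute the MAC over the action actually being performed."""
    expected = hmac.new(key, _canonical(action), hashlib.sha256).hexdigest()
    return hmac.compare_digest(expected, approval)

def demo():
    login = make_request("login")
    login_tag = app_approve(login)  # user approved a login prompt while on a call
    transfer = make_request("transfer", amount_eur=500, src="Y", dst="Z")
    changed = dict(transfer, detail=dict(transfer["detail"], dst="other account"))
    return {
        "login_ok": bank_accepts(login, login_tag),
        "login_approval_reused_for_transfer": bank_accepts(transfer, login_tag),
        "approved_transfer_ok": bank_accepts(transfer, app_approve(transfer)),
        "approved_transfer_changed_payee": bank_accepts(changed, app_approve(transfer)),
    }
```

Binding limits what a mistaken approval grants; it does not stop a user from approving a login prompt they did not start, which is why the displayed text has to name the action.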


It is possible to make it secure. "Hi, this is SomeDude from Bank of America, and we noticed some suspicious activity on your account. Please go to the Bank of America website and find the number labeled 'Customer callback number' and call us there. That way, you can confirm you're talking to us, at which point we will confirm your identity, and then work with you on the issue."

I've seen this proposed. I don't know if anyone is actually doing it.


> Yeah no

Which is it?

> Banks should adopt a policy of only interacting with customers physically, via their web interface with a login, official mobile app, or by the user calling the bank's official, publicized number. Never by calling the user.

You either don't travel, don't travel for very long, or don't travel anywhere interesting.

I've had several experiences over the years where using a credit card in a country I didn't expect to be in got a call from the bank to verify it was me.

You may tell your bank you're traveling in Germany, Italy, and Switzerland for a week, but on night three of your trip, when you get invited to a party in the Czech Republic by your friend's pretty sister, you get on the train and keep talking. You don't say, "Hold your hormones for a sec, I need to tell my bank I'm going out of bounds."


> Which is it?

1 * 0 = 0

> You either don't travel, don't travel for very long, or don't travel anywhere interesting.

I would prefer you didn't make assumptions.

I travel to lots of interesting places, and I have had my credit card disabled several times. Once because my idiot geography-illiterate bank didn't know that Bulgaria was a part of Europe. Good thing I had a stack of cash with me. For less prepared travellers, the bank is doing nothing but stranding their own customers cashless in unfamiliar places.

In any case, my point still stands that they really shouldn't be calling to verify it is me when I don't even have my home country's SIM card in my phone.

They should be e-mailing me instead, which is the only reliable way to reach me while travelling and SIM swapping. Most people are more easily reachable by e-mail than by phone when travelling for the exact same reason.


> I've had several experiences over the years where using a credit card in a country I didn't expect to be in got a call from the bank to verify it was me.

Me too. My bank sent me a message telling me to call them using the number on the back of my card. That is an easy solution to the problem.


Maybe things are different where you travel but I've travelled to many countries and I don't think my SIM card from the previous country has ever worked in the next one. Even if it did, I wouldn't dare talk to anyone on it in case of some exorbitant roaming charge.


Well. You sir seem to have interesting banking stories to tell.



