By Two Legs Good

"Just for security..."

You know as soon as you hear those words that whoever is saying them now wants to know yet another of the ever-growing list of PIN numbers, passwords, and associated security gubbins we're expected to memorise and recall instantly when challenged.

(And yes we know that "PIN number" is incorrect, that it translates to "Personal Identification Number number", but have you ever tried talking to people about their "PI number"? Sometimes we have to realise that there's a tide of eejits out there that we could never stem.)

There's a common problem with most of these in that they're only one-way. Of the 6 or 7 banks, 6 communications companies, 4 or 5 hospitals and doctors' surgeries, and about 20 or so retailers The Blog With Two Legs deals with, only one - that's 1 - of them actually supplies a way for the customer to verify that they're genuinely dealing with the right people and not a spoof website or phoney phoneline. (Well done, Alliance & Leicester!)

Why is it one-way? Well, that way it protects the bankers, retailers, etc. When anything goes wrong with your account, like some money going missing or getting stolen, they can fall back on the old chestnut "you must have given someone your password or PIN". Then they're off the hook - after all, how can you possibly prove that you never told someone a number?

When the credential used to be something physical, like an actual key, or even a signature, the onus was on the likes of banks to detect fraud, to weed out the fake signatures on fake cheques. Now they can just point at you and make YOU the criminal, whether the problem is a crime or even their own mistake.

Did you notice what they did? That's right - they made YOU their unpaid security for YOUR money while it's in THEIR bank! And YOU get the blame when THEY lose it or give it away to the wrong people!

Of course, where there's such a gaping security hole, naughty people will take advantage. "Social Engineering" is a nice euphemism for "con tricks", but whichever way it's put you should beware of anyone phoning out of the blue and asking for your security details unless you can actually verify they really are who they say they are.

Yes, that means that a lot of bank staff are going to get annoyed. That's OK, they get paid for it. Remember, WE are the customers, not their unpaid employees. If enough of us do this, if this idea can snowball, we can eventually cause enough disruption to their businesses that they'll be forced to give us - and our money - some REAL security.

* RING *

"Hello, is that Mr William Smith?"

(Now, straight away you know it's NOT a call you really want to be taking - calls where people want to formally identify you before you even know who's calling never are. It's a rule. Admit nothing!)

"Who should I say is calling?"

"This is GRAB International - is that Mr William Smith?"

"Yes, how can I help you?"

"Just for security, can you tell me the second and fifth letters of your password?"

"Yes, I can. Can you?"

"Umm, I'm sorry, but we have to check security before we talk about the account, so just for security, can you tell me the second and fifth letters of your password?"

"Yes, as I just said, yes I can - but you haven't told me if YOU can."

"I'm sorry sir, as I explained we cannot talk about the account until security is checked."

"I'm not wanting to talk about the account, I want you to tell me the second and fifth letters of my password BEFORE we talk about my account."

"I'm sorry, sir, we're not allowed to do that."

"Oh? Why not?"

"Well, sir... you could be anybody."

"No, sir, this is GRAB International, and before we talk about this account we need to verify that you are Mr William Smith."

"Well, at the moment I only have your word for that! Before I start revealing ANY of my password to YOU, I need to verify that YOU are a bona-fide bank employee. That's fair, isn't it? After all, YOU called ME, so you know my name and number, whereas I don't know anything about you. So - what are the second and fifth letters of my password?"

"I'm sorry sir, we can't reveal that."

"Fine - well, if you can't answer my security check password questions, I'm not going to reveal any of my secret password to you. You could just be someone calling to get clues to my password - a couple of letters this week, a couple next week, and you might guess the password!"

"Uh? Ummm... we just need to talk to you about some offers we have available at the moment..."

"Well, if it's just to try to sell something to me, you don't really need to know my password, do you?"

"Well, we can't talk about the account until we check who you are."

"We're going round in circles then, because I won't tell you any secret password information until you can prove who YOU are."

"I'm sorry sir, I don't know how I can prove who I am..."

"That's quite worrying. I mean, if YOU can't prove who YOU are, how do YOU know you're not actually somebody else?"

"You know, I don't think I want ANY services from a bank that employs people who don't know who they are. In fact, you've just convinced me to close my account with GRAB. Just so I can tell whoever it is I speak to when I call to close the account, what do you THINK your name is at the moment?"

* click *
