Phishing happens over the phone

Posted in Commentary on February 22nd, 2010 by Sacha Peter

My phone number and email address are posted freely on this site. Google Mail (despite potential other issues) does an excellent job of getting rid of spam with very few false positives. I also do not receive much volume over my telephone – if it ever becomes a problem I can just turn off the ringer. It does leave me open to a class of hack known as social engineering – but only if I voluntarily spill the beans over the telephone.

Just the day after I posted about how I am going to give Ally Bank a shot, I received a call from a 1-866-247-2559 number on my cell phone. I didn’t recognize the phone number, but 99 times out of 100, such calls are garbage. I was walking on the sidewalk at the moment and had a couple of minutes of disposable walking time, and was bracing for some spam about how I had won a cruise to the Bahamas or something, but instead it was none other than Ally Bank that called. They asked if Sacha Peter was there, and I responded in the affirmative.

They then explained they were calling from Ally Bank, and asked if they could ask me three questions, presumably for identity verification purposes. I said no. They then said “Thank you, please contact us at 1-866-247-2559”, and then I said bye and hung up on them. I didn’t bother calling them back.

I do genuinely believe it was them (as I checked later and the number does correspond to their toll-free number prominently advertised on their website), but caller ID can be easily forged.

This is a terrible method of authentication – it should not be necessary for customers on an inbound phone call to authenticate themselves, since the bank is calling the phone number directly given to them by the applicant! It makes me regret sending them a $10 cheque in the mail to fund my own account – if they can’t even get their security act together when it comes to authenticating their customers, what makes me think that my own information is secure on their own servers?

I am guessing they called to say “You opened an account with us, did you have trouble mailing a cheque to us?”, and information of this sort should not be privileged enough to require explicit authentication. If the information was important, send me a letter in the mail.