15 February 2015

Authenticating phone calls

When bankers phone you, they need to know who you are.  You must be a signatory to an account belonging to the bank, or the bank must not disclose the details of the account to you.  For this reason, the bank would ask you a number of questions to verify that you are who they assume you are.

Even when they have initiated the call, and not you.

The same principle applies to accounts for utilities such as phone, internet, gas or electricity.

But how do you know that the calling party is actually who you think they are?  How do you know it is really an employee or an agent of the bank (or utility company), and not an imposter?

Of course, it is possible for unscrupulous employees or agents to steal your private data as well.  But this is less likely to be the issue, as it is more traceable.  The bigger concern is that an outsider, through social engineering, cons you into disclosing details that should remain private between you and your service provider.

You should authenticate the person on the other end of the line - especially if you do not know who they are.  They should be able to send you an email, a net-banking message, an SMS, or disclose a private piece of information to validate that they are who they claim to be.

Many of us, as customers, are used to being verified, but are not used to doing the verifying task ourselves.  We don't often think of doing so.

Do you think so?  How do you think the systems can work for two-way authentication?  How can we protect ourselves from being manipulated and cheated by the bigger organisations and the criminal minds?

