Banks, stop asking for verification when calling customers
It is standard procedure at most, if not all, banks in Singapore to verify the customer's identity at the start of a bank-to-customer phone call.
An Insecure Practice
The problem is that the numbers these outgoing calls come from aren't the official, recognised hotline numbers, and even when they are, it isn't difficult to spoof them. Callback verification is cumbersome, and most banks do not even offer that option. Most operators are even surprised when I decline to provide verification information over the phone when they call. Just to be clear, it's perfectly fine to provide these details when the customer calls the bank.
Common types of requested verification information include:
- mode of credit card payment
- registered email address
- full name
- last 4 digits of NRIC (government-issued identity card/SSN)
- types of banking accounts with them
- date of birth
- banking PIN
If we provide these verification details to whatever number claims to be our bank, it only takes a few such calls to reveal our full set of verification details, and scammers can then use that data to impersonate us to the very same banks.
The Irony
Banks (I generalise) educate customers about phishing, vishing and smishing through EDMs and posters, telling them never to divulge personal or sensitive information, yet there is a disconnect between that advice and what the banks themselves practise.
Some banks go as far as to direct the customer to an automated OTP receiver (i.e. the bank calls the customer, asks for an OTP, transfers the customer to a bot, and redirects back after verification). This merely provides a false sense of security without any actual difference: the identity of the caller is still not verified.
A Way Forward
As much as banks should stop requesting these verification details on calls they initiate, we customers should also stop providing such sensitive data on those calls. That would push banks to look into alternative options that mutually authenticate both parties.
Some options could be:
- mobile banking app verification/challenge with clear context (i.e. about the current call, not about a login or a transaction)
- simultaneous push notification on trusted mobile app
- asymmetric authentication using a composite secret key
Or, doing away with the manual provision of personal details altogether and using methods such as voice verification. The possibilities are many.
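The first and third options above can be combined into one flow: the bank signs a call-specific challenge (so the app can prove the prompt came from the bank), the app shows the customer exactly which call they are approving, and the customer's device signs the decision (so the bank can prove it is talking to the enrolled customer). The sketch below is an added example written for this post, not code from any bank or app. It uses Go's standard-library Ed25519 and assumes two things that are not on the page: the bank's public key ships inside the banking app, and the device key pair was enrolled when the app was registered. Call IDs, agent IDs and purposes in it are constructed sample values.

```go
package main

import (
	"bytes"
	"crypto/ed25519"
	"crypto/rand"
	"encoding/json"
	"errors"
	"fmt"
	"time"
)

// CallChallenge names the specific call the customer is asked to approve.
// Binding the agent, the purpose and a short expiry is what gives the prompt
// "clear context": it cannot be confused with a login or payment approval.
type CallChallenge struct {
	CallID    string `json:"call_id"`
	AgentID   string `json:"agent_id"`
	Purpose   string `json:"purpose"`
	IssuedAt  int64  `json:"issued_at"`
	ExpiresAt int64  `json:"expires_at"`
	Nonce     string `json:"nonce"` // hex-encoded random value, one per challenge
}

// Approval is the customer's signed answer; the decision and the exact
// challenge bytes are both covered by the device signature.
type Approval struct {
	Challenge []byte
	Decision  string
	Sig       []byte
}

func approvalMessage(decision string, challenge []byte) []byte {
	return append([]byte("call-approval:"+decision+":"), challenge...)
}

// BankIssueChallenge builds a challenge for a live call and signs it with the
// bank's private key (assumed: the matching public key is bundled in the app).
func BankIssueChallenge(bankPriv ed25519.PrivateKey, callID, agentID, purpose string, now time.Time) (challenge, bankSig []byte, err error) {
	nonce := make([]byte, 16)
	if _, err := rand.Read(nonce); err != nil {
		return nil, nil, err
	}
	c := CallChallenge{
		CallID: callID, AgentID: agentID, Purpose: purpose,
		IssuedAt: now.Unix(), ExpiresAt: now.Add(2 * time.Minute).Unix(),
		Nonce: fmt.Sprintf("%x", nonce),
	}
	if challenge, err = json.Marshal(c); err != nil {
		return nil, nil, err
	}
	return challenge, ed25519.Sign(bankPriv, challenge), nil
}

// AppHandleChallenge runs on the customer's phone. It rejects prompts the bank
// did not sign or that have expired, and only then signs the customer's
// decision with the enrolled device key (assumed enrolled at registration).
func AppHandleChallenge(bankPub ed25519.PublicKey, devicePriv ed25519.PrivateKey, challenge, bankSig []byte, now time.Time, approve bool) (Approval, CallChallenge, error) {
	var c CallChallenge
	if !ed25519.Verify(bankPub, challenge, bankSig) {
		return Approval{}, c, errors.New("challenge not signed by the bank")
	}
	if err := json.Unmarshal(challenge, &c); err != nil {
		return Approval{}, c, err
	}
	if now.Unix() > c.ExpiresAt {
		return Approval{}, c, errors.New("challenge expired")
	}
	decision := "deny"
	if approve {
		decision = "approve"
	}
	sig := ed25519.Sign(devicePriv, approvalMessage(decision, challenge))
	return Approval{Challenge: challenge, Decision: decision, Sig: sig}, c, nil
}

// BankVerifyApproval runs on the bank side: the reply must refer to the
// challenge that was issued, carry a valid device signature, arrive inside the
// validity window, and not be a replay of an earlier approval.
func BankVerifyApproval(devicePub ed25519.PublicKey, issued []byte, ap Approval, seen map[string]bool, now time.Time) error {
	if !bytes.Equal(issued, ap.Challenge) {
		return errors.New("approval is for a different challenge")
	}
	if !ed25519.Verify(devicePub, approvalMessage(ap.Decision, ap.Challenge), ap.Sig) {
		return errors.New("bad device signature")
	}
	var c CallChallenge
	if err := json.Unmarshal(ap.Challenge, &c); err != nil {
		return err
	}
	if now.Unix() > c.ExpiresAt {
		return errors.New("approval arrived after the challenge expired")
	}
	if seen[c.Nonce] {
		return errors.New("replayed approval")
	}
	seen[c.Nonce] = true
	if ap.Decision != "approve" {
		return errors.New("customer declined the call")
	}
	return nil
}

func main() {
	bankPub, bankPriv, _ := ed25519.GenerateKey(rand.Reader)
	devicePub, devicePriv, _ := ed25519.GenerateKey(rand.Reader)
	now := time.Now()
	ch, sig, _ := BankIssueChallenge(bankPriv, "call-1234", "agent-42", "query about card application", now) // constructed sample call
	ap, shown, err := AppHandleChallenge(bankPub, devicePriv, ch, sig, now, true)
	fmt.Printf("app shows: %+v (err=%v)\n", shown, err)
	fmt.Println("bank verdict:", BankVerifyApproval(devicePub, ch, ap, map[string]bool{}, now))
}
```

The point of the design is that nothing the customer types or says on the call authenticates anyone. A spoofed caller cannot produce a bank-signed challenge, so the app never shows the prompt; and even if a scammer relays a genuine prompt, the approval is bound to that one call ID, agent and purpose, expires within minutes, and cannot be replayed against a later call.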