
Egg - phone phishing loophole

I just received an automated phone-call from Egg. The caller's telephone number was not displayed. The purpose of the call was to carry out security checks regarding recent transactions. First of all, I was requested to key in my date of birth as part of the identification procedure.

As I had no means of identifying the id of the caller, I hung up and phoned Egg.

Indeed, the call had been genuine. But what a security hole! Anybody could set up phone-calls in an effort to obtain personal data. I think this is absolutely outrageous.
Dagobert

Comments

  • spaceman5
    spaceman5 Posts: 2,716 Forumite
    Dagobert wrote: »
    I just received an automated phone-call from Egg. The caller's telephone number was not displayed. The purpose of the call was to carry out security checks regarding recent transactions. First of all, I was requested to key in my date of birth as part of the identification procedure.

    As I had no means of identifying the id of the caller, I hung up and phoned Egg.

    Indeed, the call had been genuine. But what a security hole! Anybody could set up phone-calls in an effort to obtain personal data. I think this is absolutely outrageous.

    You did right, I would have done exactly the same if I was put into that situation, Dave.
    Take every day as it comes!!
  • nickmack
    nickmack Posts: 4,435 Forumite
    Dagobert wrote: »
    Indeed, the call had been genuine. But what a security hole! Anybody could set up phone-calls in an effort to obtain personal data. I think this is absolutely outrageous.

    I've had the same automated calls and hung up as you did. Companies need to rethink some of the security procedures as people are rightly much more wary of giving out personal information about themselves.

    I had a farcical situation about a year ago where a financial provider I hold an account with called me and asked me to identify myself by telling them various personal details. I told them, I would not reveal anything until they satisfied me they were genuine by providing me with some details. They said they couldn't because of Data Protection. I said that's fine and the call ended pretty quickly after.

    It seems now some providers have got their act together and a more recent call I had, was a kind of exchange of information. They'd provide some, then I would until we'd both satisfied each other of the identity.
  • Details of this system can be found here:

    http://new.egg.com/visitor/0,,3_64444--View_1270,00.html

    "This service will only ever ask you to confirm your date of birth - it will never ask you to reveal your card number or any other security information."

    Whenever I receive a phonecall I do the same as most people, take an extension number or name or department details and call back on the main number.

    But, having worked on the other side of things I understand why they have to ask questions to confirm who you are. So, I'd disagree with the original poster saying it's 'absolutely outrageous'.

    In fact, I'd go as far as saying the opposite, I think it would be absolutely outrageous if a card company didn't ask questions to establish they are talking to the account holder. I would much rather that I have to call them back than for them to just give out details to potentially anyone.

    For example, if they didn't ask questions here's potentially something that could go wrong:

    Your mobile and wallet get stolen. Before you get time to call every company you have a card with the thief uses your card on the internet (as no PIN needed). The card company call your mobile to check the transactions are genuine, the thief confirms they are so the card company allows the thief to carry on spending.

    I know that's unlikely to happen in real life, but it's still a possibility.
  • Dagobert
    Dagobert Posts: 1,625 Forumite
    I understand why they have to ask questions to confirm who you are.
    You are completely missing the point of my initial post. Of course, I absolutely agree that they have to establish security first.
    So, I'd disagree with the original poster saying it's 'absolutely outrageous'.
    It is not the fact that they need to establish security which I find outrageous but phoning the customer without establishing identity mutually as described above in post #3.

    Otherwise, the customer has no way of knowing whether this is a genuine call or a phishing attempt! This one-sided security procedure simply invites crooks to imitate these phone-calls.

    Recently, I was phoned by one of my other banks, and they gave me small bits of information to establish their identity before requesting me to identify myself.
    Dagobert

  • For example, if they didn't ask questions here's potentially something that could go wrong:

    Your mobile and wallet get stolen. Before you get time to call every company you have a card with the thief uses your card on the internet (as no PIN needed). The card company call your mobile to check the transactions are genuine, the thief confirms they are so the card company allows the thief to carry on spending.

    I know that's unlikely to happen in real life, but it's still a possibility.


    Many people keep their driving licence in their wallet so their date of birth is available for a thief to read. Questions asked to identify a customer need to be more difficult for a thief to answer than D.O.B..
  • Sooler
    Sooler Posts: 3,113 Forumite
    Dagobert wrote: »
    I just received an automated phone-call from Egg. The caller's telephone number was not displayed. The purpose of the call was to carry out security checks regarding recent transactions. First of all, I was requested to key in my date of birth as part of the identification procedure.

    As I had no means of identifying the id of the caller, I hung up and phoned Egg.

    Indeed, the call had been genuine. But what a security hole! Anybody could set up phone-calls in an effort to obtain personal data. I think this is absolutely outrageous.

    Yep, I agree, why do so many companies do this – it’s so thick and stooooooooopid

    How’s anyone to know it’s not Joe Bloggs down the road in a phonebox – hello, I’m from company x – tell me your date of birth etc. -
    Get real – anyone who responds to such a request without question needs their head examined.

    Try telling them a false date of birth – if the caller responds saying thankyou that is correct – what u gonna do then?
  • Dagobert wrote: »
    You are completely missing the point of my initial post. Of course, I absolutely agree that they have to establish security first.


    It is not the fact that they need to establish security which I find outrageous but phoning the customer without establishing identity mutually as described above in post #3.

    Otherwise, the customer has no way of knowing whether this is a genuine call or a phishing attempt! This one-sided security procedure simply invites crooks to imitate these phone-calls.

    Recently, I was phoned by one of my other banks, and they gave me small bits of information to establish their identity before requesting me to identify myself.

    I understood your original post so I'm not 'completely missing the point', I still disagree.

    I take their details and call back on the main number. I perfectly understand why you didn't confirm any details, I wouldn't have either. But to call it absolutely outrageous that they asked questions without being able to confirm it is really them is just something I don't agree with.

    If any bank called me and gave away information, however small or insignificant it may be, without having first confirmed who I was then I wouldn't appreciate that at all and would question whether or not I would carry on using them.

    What information could they give to confirm they are from the bank etc?

    Last four digits of the card number? A recent purchase amount? Your date of birth? Your address?

    Any information such as that disclosed to anyone other than the account holder could potentially help someone else get access to the account.

    I for one would rather have to call them back instead of the bank giving out any information whatsoever to confirm it is them.
  • Dagobert
    Dagobert Posts: 1,625 Forumite
    I take their details and call back on the main number.
    Egg's call was automated. Automated scam phone-calls are not unheard of. People less gullible than yourself might fall for a phishing scam if it is common practice for banks to phone and request details for id.
    If any bank called me and gave away information, however small or insignificant it may be, without having first confirmed who I was then I wouldn't appreciate that at all and would question whether or not I would carry on using them.
    The mutual id confirmation causes a bit of a chicken and egg problem.
    If I remember correctly, it was HSBC who called me and used this system. I believe they gave me the first part of my post code and possibly a transaction amount.

    The only safe method for a bank to get in touch with the customer would be to phone and request the customer to phone the bank.
    I perfectly understand why you didn't confirm any details, I wouldn't have either. But to call it absolutely outrageous that they asked questions without being able to confirm it is really them is just something I don't agree with.
    Are you saying you find such a phone-call acceptable and yet you don't consider it safe to respond to such a call?
    What purpose would this call serve if it is not safe for the customer to follow the procedure?
    Dagobert
This discussion has been closed.