
Agency for secure phone interactions

Mitchell Lawton
May 3, 2021


Phone scams targeting bank accounts saw $48 million lost in 2020 to 103,000 reported incidents by phone. While these numbers are staggering, it is important to appreciate that they only represent the reported incidents of successful scam activity in Australia. A recent phone call from my bank has highlighted that there are issues of conditioning and a one-way transaction between the parties, giving the customer neither confidence nor agency when interacting with a customer service agent.

When the bank calls, they authenticate you by asking: “Am I speaking with Mitchell Lawton, and your birth date is?” What is going on here?

Yes, the bank needs to authenticate your details to continue the conversation, but what are you giving up to a stranger on the phone? How is this different from a person trying to scam you? In both cases the information flows in one direction, and the person on the other end is a stranger. The only element missing is urgency for action, though even this may depend on the nature of the phone call.

In computer science, we have a general principle of a “handshake”, where two computers share information in a bi-directional manner. The challenge is: how is this achieved over the phone?

My personal solution is to have a note in my account that requires the customer service representative to disclose a transaction that has been processed in the last 48 hours.

This is before asking me for my date of birth, and allows me to remember the transaction or check the transaction details in the banking application.

The unsolicited call

Last week we had a phone call from the bank. The person on the phone sounded like many calls we have received in the past. As soon as they asked for my partner’s birthdate, she fired back, “Who is this? What is the call regarding?”

I digress. It got my attention immediately, though I was surprised the answer wasn’t “sausage”, a response that causes a scammer to waste time and yell at you that there is no option for sausage.

To confirm this was a phone call from the bank, my partner’s only option was to call back on the listed phone number and follow the extension advice. This always seems to take some time, and I feel it genuinely costs some productivity on both ends of the phone call.

Scammer or bank?

Unfortunately, the myriad of systems and organisations trend toward consumer conditioning to make life easy and predictable for both sides. Each copies the others' processes because it is the expected way of interacting with customers, and eventually this is watered down due to complaints and difficulties when interacting. This creates a replicated playbook for the scammer. Beyond this, it also creates an easy tool to train staff in the process of interacting with the business's customers. See the difference? No, I do not either. Only a savvy and aware customer will hang up the phone to reinstate their agency.

Agency approach

Agency is not the first thought when people talk about security. The thoughts that spring to mind are network security, information security and physical security. However, the idea of cybersecurity seems to be all-encompassing, including things like privacy and, dare I say it, agency. This is because cybersecurity is essentially at the top of the stack: it is everything that keeps “you” secure. By taking an agency approach, we give the customer the ability to design their own unique identifier in the absence of two-factor authentication. Just the act of the caller knowing the date of a transaction changes the dynamic.

Hurdles

The only reason this small change creates a more secure environment is the scammer’s target system. Just like spam email, they are trying to hit as many people as fast as possible, essentially looking for the low-hanging fruit. By introducing an additional hurdle, the scammer has no option but to abort and move to their next potential victim.

Adding a note in your account that requires the caller to disclose a transaction might be enough to make you refocus when you receive just another phone call.


Mitchell Lawton

Accounting and cybersecurity writer taking a social lens to problem sets. Anticipating the future when accountants need to write secure Smart Contracts.