1

Recently, I got a new credit card via post. To activate it, it is required to call to the bank (phone number is attached to the card) and confirm, that card was received. For activation purposes, the bank employee asks me to provide full card number, as well as my name/address/etc.

However, I do not use phone banking so often, and I was not sure if it is safe to tell my card number over phone.

So, are there any security risks of doing this (except Man-In-The-Middle, listening to my phone communication)?

Andrey Sapegin
  • 260
  • 1
  • 2
  • 16
  • Seems a little redundant - if you had stolen the envelope with the new card in, you'd know those details... However, if it's a number printed on the card, they presumably know the credit card number anyway. Never give your ATM PIN over the phone though - a bank should never ask for it. – Matthew Jan 11 '16 at 09:38
  • @Matthew My bank is very poor in some ways and ask for x digits from pin and password...I argued on the phone but they said they refused to help me unless i provided it. (i know it was my bank I phoned them and have many times) though I really hated it. – TheHidden Jan 11 '16 at 09:43
  • 1
    What is the connection with "phone banking"? FWIW (in the UK) I've not had to activate a new CC over the phone for a number of years now. – MrWhite Jan 11 '16 at 10:15
  • @w3d well, if you use phone banking, you need to authenticate over phone. And some banks could also ask to provide them card number as a part of this authentication, or just ask for it during phone banking conversation. – Andrey Sapegin Jan 11 '16 at 10:29
  • No bank employee should ever know any digits from your card PIN. They need as few as four to steal from you. If you have a different PIN for IVR/VRU or Phone banking/Contact then yes this is a password to identify you. They should not be the same number or password for obvious reasons. – mckenzm Dec 26 '18 at 19:35

6 Answers6

3

If you consider how credit cards are used there is no increased security risk associated with providing the bank employee with the card number and your name and address.

For example if you use the card for mail order purchases you will provide the same detail, but also the CVV code and expiry date a greater level of risk...but this is how they are intended to be used!

Similarly for any 'in-person' transactions, often the retailer will have full access to all the details from the card, albeit normally without address details.

Given that you are phoning the bank, by implication the person you are providing the details to is trusted by the bank...for the vast majority of subsequent card use scenarios there will not be as much trust in the person you provide the information to.

If the phone call requires you to 'authenticate' using a telephone banking password or phrase of some description, this can help to ensure that someone who has intercepted your post and stolen the newly issued card cannot activate it and use it.

R15
  • 2,923
  • 1
  • 11
  • 21
3

As long as you called them, at a phone number on the card or from your bank statement, it sounds standard to me.

The hazard would be if someone called you claiming to be a bank employee, or you got the phone number you called from some untrusted source, such as a piece of email or a random snail mail that appeared to be from the bank.

ddyer
  • 1,974
  • 1
  • 12
  • 20
1

This question is alot of speculation, though I will say no its not safe BUT there is a certain amount of trust we have with banks and the employees the only risk is telling the employee down the phone, all phone calls to banks are recorded and easy to prove who abused their position of responsibility.

I would say your risk is extremely low but not zero though I wouldn't worry too much, they cant copy your card just from the number and to make purchases you the the CV2 number

TheHidden
  • 4,265
  • 3
  • 21
  • 40
  • I think you need to be a lot more specific about the risks about which you're worried. Is it a bank employee writing it down? That seems like a small sliver on which to say its not safe. – Adam Shostack Jan 11 '16 at 22:00
1

You're asking the wrong question. The question should never be "Are there any security risks to doing X". The answer to that question is always yes. No risk is zero.

The question should be more "Are the risks of doing X worth the benefits, and is there any benefit to trying to further reduce my risks".

The answers to the above (in my estimation) are a simple yes, and no.

I think your question stems from trying to create a world where there's no risk. That world doesn't exist. In trying to create zero risk, you only wind up creating a 3rd set of risks. The risks of inaction. In the IT world this is commonly called "analysis paralysis", and this seems like a bit of a classic case.

I wish you luck, and hope you try to accept that risk is an inherent part of life and can't be avoided.

Steve Sether
  • 21,480
  • 8
  • 50
  • 76
-1

You have to call the bank, not the other way - phone number spoofing to social engineer, acting like a banker, to retrieve sensitive data is really common these days.

NTITONV253
  • 1
-1

It’s for verification purposes to gain access to your account. If you don’t want to provide that info, we can’t service your account. As long as the “bank” doesn’t call you and ask for this info, if they do it’s scam. Banks never call you and ask for this info.

user247408
  • 1