7

I've been dealing with two separate banks for completing a 401k rollover (I do not have any other accounts with either of the two banks), and I've encountered something with both that I've never seen at any of the banks I usually work with. Both banks have asked for my website password over the phone, when requesting to speak with a customer service representative. Every time, I insist that I won't divulge that, because it's not secure, and that I'd like to verify myself in other ways, to which they usually just ask for date of birth, home address, and usually social security number.

My question is: is there anything more or less secure about using my website password (as opposed to address, date of birth, SSN) for account verification over the phone with a customer service representative?

My intuition says that it's less secure because I believe that my password should never be readable by anyone other than myself - as it should be transmitted via SSL, properly hashed/salted/etc, and stored. Once I divulge the plaintext password to the rep, it's compromised. Is this accurate? (Sidenote: These banks almost certainly do not properly encrypt passwords for storage, but that's a separate issue, I think).

xdumaine
  • 171
  • 4

7 Answers

3

I'm going to disagree with some of my colleagues and suggest that the bank's solution is much safer than your proposed alternative, though it's not ideal either. Let's look at each solution and its attack profile.

Address, SSN, DOB, etc.
We should all be able to agree that these are absolutely terrible ideas. Facts make horrible passwords and should never be used. No exceptions. Literally no exceptions. If someone can research it, then you can't use it to authenticate yourself. Period. Nearly all security questions fall flat on this rule. It's embarrassing. This technique is exploited frequently, often with high-profile targets. We should know better but we keep using it. This needs to stop.

Website Password
While not ideal, this solves the research problem. It can still be used with secure hashing since the support rep should have to type in the password verbatim to verify it rather than read it off the screen. Your potential attacks are: (a) someone listening can re-use it to impersonate you over the phone, and (b) someone listening can use it on the website. Still, if more companies did this we'd be a lot safer. We can do better, but at least you don't have to worry about someone looking up what street you grew up on or the last digits of your credit card number and then using that information to take over your account.

Call-In Pin
This is GoDaddy's solution. You have a 4-digit number on your account that you must provide when you call support. It's better as it solves problem (b) above -- you can't use the call-in PIN to log in to the website. But problem (a) remains. The PIN doesn't change unless you reset it, so an attacker who hears your conversation can impersonate you. Besides the below, other "call-in passwords" tend to fall into this category and are susceptible to "replay attacks".

One-time pass-code
This is PayPal's solution, and it's the best solution available. When you click "contact us" on your PayPal account, you're given a single-use time-limited 6-digit pass-code that you must provide over the phone. It expires after 60 minutes or after you use it once, so an eavesdropper can't impersonate you. And it's random so it can't be predicted. If you're going to implement a solution for yourself, this is the way to do it. PayPal has been doing this for many years and it's worked for them so far.

The "tell me some facts about yourself" way of authenticating over the phone, as you suggested, really shouldn't be allowed; it's a shame so many companies do this. Giving your website password over the phone is much better (to be fair, anything is better), but it presents some problems. Authenticating online and then getting a one-time secret code -- that's a solution I can respect.

Note that the fact that the bank is willing to fall back to asking for your SSN or address, etc., is the real scandal here. If you refuse to authenticate yourself securely, you should not be given the option to provide some facts about the victim you're trying to impersonate.

tylerl
  • 82,225
  • 25
  • 148
  • 226
  • A bank I used had a typical 'make your own security question and answer' scheme, but what I liked about it was that instead of asking for the answer, the rep on the phone asked for 2 random letters from the answer. "What is the 2nd and 6th letter of the answer?" Simple enough, non-factual, and no 'overhearing' vulnerability. It was also only used when calling in. – schroeder Jun 19 '14 at 21:13
  • @Schroeder - who decides the "random" letters? What happens when dealing with something like Arabic, where some letters combine in words (so computer output might not be correct, or otherwise match what a person gives)? If the CSR doesn't ask you the question, it's essentially a call-in pin (of only two digits). If they do, it's likely to be publicly available information. Too, some people are going to have a hard time figuring out character index, and so will **write it down**... potentially permanently. I dislike that scheme. – Clockwork-Muse Jun 20 '14 at 05:27
  • @Clockwork-Muse I agree with all of your points. It seemed like the rep's computer chose the random letters. It required the language to be one of the official languages of the country of the bank, but that is not unreasonable. The guidance when creating the Q&A was to not make it public information. In my personal experience, the general public does not have a problem with character indexes of words in their native language. I agree with all the weaknesses, but as a customer, I thought it was an effective scheme nonetheless. – schroeder Jun 20 '14 at 14:32
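An added example, not part of the original answer and not PayPal's or any bank's code, of the one-time pass-code scheme described above: a 6-digit code is issued after the customer authenticates on the website, only its hash is stored, and it is rejected once used or after 60 minutes. The 3-attempt limit and the account ids are assumptions for illustration.

```python
import hashlib
import hmac
import secrets
import time

CODE_TTL_SECONDS = 60 * 60   # the 60-minute window described in the answer
MAX_ATTEMPTS = 3             # assumed limit; a 6-digit code must not be guessable over repeated calls


class CallInCodeStore:
    """Issues single-use, time-limited call-in codes, one per account."""

    def __init__(self, clock=time.time):
        self._clock = clock     # injectable so expiry can be tested deterministically
        self._pending = {}      # account_id -> [code_hash, expires_at, attempts_left]

    @staticmethod
    def _hash(account_id, code):
        # Bind the digest to the account so a code is only meaningful for one caller.
        return hashlib.sha256(f"{account_id}:{code}".encode()).hexdigest()

    def issue(self, account_id):
        """Called after the customer has authenticated on the website."""
        code = f"{secrets.randbelow(10**6):06d}"   # uniform over 000000..999999
        self._pending[account_id] = [self._hash(account_id, code),
                                     self._clock() + CODE_TTL_SECONDS,
                                     MAX_ATTEMPTS]
        return code   # shown to the customer once; only its hash is retained

    def verify(self, account_id, spoken_code):
        """True exactly once per issued code; expired, reused or guessed codes fail."""
        entry = self._pending.get(account_id)
        if entry is None:
            return False
        code_hash, expires_at, attempts_left = entry
        if self._clock() > expires_at:
            del self._pending[account_id]    # stale code is discarded
            return False
        if hmac.compare_digest(code_hash, self._hash(account_id, spoken_code)):
            del self._pending[account_id]    # single use: consume on success
            return True
        entry[2] = attempts_left - 1
        if entry[2] <= 0:
            del self._pending[account_id]    # too many wrong tries: customer must re-issue online
        return False
```

The support rep only types what the caller reads out and sees a yes/no result, so the code never has to be read off a screen and an eavesdropper gains nothing after the call.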
2

As an authentication mechanism, passwords are not bad -- in fact, passwords are meant for authentication. Historically, phone lines have been prone to spying, but that was in the days before the Internet. I don't claim that phone lines are more secure now; rather, that people who want to spy on bank passwords concentrate on computer attacks, mainly because they can perpetrate them from the comfort of their home (or basement or den), whereas classical interception often involves some physical operations on outdoor equipment, implying exposure to meteorological elements, night-time fumbling with wires, crouching under dumpsters, and other activities which have little appeal to the young generations that we get nowadays.

The problem with password-over-phone is that banks train their customers never to give away their passwords. At least all my banks do. They point out that the password's secrecy is my responsibility. Disclosing my password over the phone would be a gross misbehaviour on my part. They swear that their representatives will never ask for my password, whether over the phone or even if I meet them physically.

There are good reasons for such training: it makes customers much more resilient to con-artists (that kind of attack is much older than computers, but somehow people felt the need to forge an ugly neologism -- "phishing" -- for the case of computers). Now if the bank employees begin to ask for the customer's password, then all that training goes down the drain.

Security requires the cooperation of users. Cooperation is achieved through education. Education relies on coherence. The employee behaviour you describe contradicts that coherence.

(@tylerl exposes several alternate solutions. He is right in pointing out that the SSN, address and mother's maiden name are terrible authentication methods. But I insist that reusing the Web site's password is not much better.)

Thomas Pornin
  • 320,799
  • 57
  • 780
  • 949
1

You are right. They don't need to know your password and can verify by name, address and DoB. No need to tell them your password, and it will most likely be against company rules: "Never tell your password to anyone" is always #1 when working with passwords.

--EDIT--

I was unaware of other companies issuing a "Billing Password" or another password just for technical enquiries. A PIN or another small identifier is possible, but for the majority it's usually location, date of birth and last name + secret answer to a question.

  • This is not necessarily true. There certainly are companies that verify you by password, and verifying by name, address, and date of birth is most certainly *not* as secure, given that this is all generally public information. That's not to say that giving your password to a CSR is a good idea, but I don't think this answer offers a better option. – Xander Jun 19 '14 at 13:27
  • @Xander could you elaborate on that? I know that verizon has both a "billing password" which is essentially a numeric pin for identifying yourself over the phone, and a website password. That seems like a better option. – xdumaine Jun 19 '14 at 13:33
  • @xdumaine Yes, definitely. DirecTV has a similar system. One password for authenticating on the website, and a second password for making account changes (either via the website, or a CSR.) – Xander Jun 19 '14 at 13:37
1

The simple rule to adopt is to never give out a password. As you say, they should be held in an encrypted form and besides, the bank has no need for the password to access your details. The closest they should come is asking for random letters from a 'memorable word or phrase' and that should not be the same as your password.

user49598
  • 11
  • 1
0

The question you need to ask is: Why am I still at that bank if I think it's not safe?

It's certainly far from best practice and you are correct in saying that this is indeed not safe. Nobody ever said that banks were all safe. To be honest, this is probably really bad. Most of the authentication mechanisms I know require two factor authentication.

Most of the phone banking solutions I know require you to first make a secure code through the bank's web interface (like a PIN code). The web interface uses a card reader to generate a time-limited authentication token.

Once you have your PIN code you need to dial into the bank, submit your client id and PIN. You are then considered authenticated.

If you nitpick even more you could say that the phone is not considered a secure medium either. Security is always a trade-off with usability and risk. Fortunately for you, most banks take the risk for themselves (unless they can prove that you did not act with due diligence). Most banks pay for this, as the reputational damages of not paying are more damaging anyway. However, it all depends on how your bank manages this; considering they don't seem to adhere to industry best practice, I wonder what their policy is regarding fraud with a client's account.

I know most European banks already have these types of measures or plan to adopt them. I'm not really familiar with the American banks, but generally they lag a bit behind when it comes to security (at least that's what I heard).

Lucas Kauffman
  • 54,169
  • 17
  • 112
  • 196
  • Unfortunately I don't have a choice of moving to another bank (neither do most 401k participants in the US), as the company decides which bank to work with, and the employees can either opt in, or opt out, in which case they lose the benefits of the plan and any employer matching. – xdumaine Jun 19 '14 at 12:55
  • My bank suntrust has a maximum password length of like 15 iirc. 15 is probably sufficient but of all of my online accounts, my bank, where all of my money is kept, has the shortest maximum password length. :P – Andrew Hoffman Jun 19 '14 at 13:33
0

Entering the numeric representation of the password on your phone may be considered OK, since phone conversations are generally considered relatively secure: they are generally point to point and relatively challenging for anyone other than the phone company or the government to tap. Sure, someone could tap it at your house, but if they are doing that, they could also tap your keyboard.

The big no-no is actually disclosing it to a low-paid CSR rather than an electronic system. The bank can easily ensure that the electronic system just indicates yes/no for having been verified; telling it to an employee is horrible. Even better would be to ask someone to log in and provide an OTC as an alternative option, or use a "call me" feature that auto-validates the call; however, someone may need to access their bank while not near a computer.

Personally, given the option of giving out a password that I can change after the call or giving out my social, I'd rather give out the password as it isn't tied directly to me forever without lots of hoops to jump through, though that's assuming you were following best practice and using a unique password for that account.

AJ Henderson
  • 41,816
  • 5
  • 63
  • 110
0

Not safe at all, at least not if you have a phone key or PIN.

If it is your bank account, then you should talk only with your account manager. If you need to do sensitive transactions with anyone else (even at the same bank) without a PIN or phone keycode, don't do it.

Talking to your account manager means she doesn't need that much info to check your account.

When I'm out of my country, MY LESS secure bank will call me and ask me a lot of private things before allowing me to do some transactions.

And do this:

  1. Keep not telling them.
  2. Ask your account manager for a phone keycode, PIN or RSA key.

If you can't do step 2:

  1. Open a bank account with a bank which supports a phone keycode, PIN or RSA key.
  2. Close your current insecure bank account.
  3. Keep not telling them.

Quijote Shin
  • 134
  • 2