The thing about security is, well, security happens, and sometimes it doesn’t happen, and then sometimes it’s over the edge with mind-numbing incomprehensibility. I tend to notice these things.
I was on the road recently. I forgot/lost/misplaced my password to log on to Internet banking so I could pay my staff. I called 1-800-Amsouth and asked for my password. They asked me for: 1) my name; 2) account name and number; 3) address; 4) federal ID number; and 5) date of birth. Then they gave me my password.
My wife overheard the conversation and raised hell with me about how easy it was to gain access to our intertwined online accounts with no decent security check. AmSouth’s proof-positive security check was, in fact, public information.
Then it only got worse. AmSouth called me at home. The woman on the phone said she needed to discuss a problem with me, but first I needed to answer a couple of questions. Then she proceeded to ask me for personal information to “protect me” and “confirm my identity.”
What’s wrong with this picture? Millions of e-mail phishing attacks reach out to snag gullible somebodies — for financial gain or identity theft. One type of phishy e-mail induces a greedy victim to respond, promising vast wealth. Others attempt to lure the unsuspecting into “fixing” their PayPal or bank accounts. Then there are those that use fear: “Your account is in serious delinquency,” or “You just bought four plasma TVs and we want to confirm your order,” or “The wire transfer you initiated for US$10,000 needs secondary confirmation.”
Spear-phishing fine-tunes the art to select companies specifically targeted for their assets. It’s all about the money.
Especially in the financial sector, we teach companies and their staff about social engineering, identity theft, phishing and all the ways the bad guys want to scam you, your company and your customers. Then we teach them what not to do — how not to respond to phishing or suspicious activity at work or at home, so they can avoid becoming victims.
Here was AmSouth acting and operating just like a criminal enterprise trying to scam personal information from me. It was using the same techniques phishers use to try to get hapless victims to release private information as a pretext to identity theft.
Under the pretense that this really was AmSouth calling me, albeit using phishing-like methods, I called 1-800-Amsouth and asked whether there was an issue with one of my accounts. They verified my identity: name, Social Security number, date of birth, mother’s maiden name. AmSouth clearly has security issues in establishing proof-positive identification using publicly available information — including those things I warned it about almost 15 years ago, and nine years ago and…you get the idea.
I now had a truly helpful fellow from AmSouth’s Alabama headquarters tell me that everything in my accounts was fine. But I am the suspicious type. Something still felt phishy, so I called my local branch, where they know me well yet actually require photo ID when I make transactions in person. I asked if there was a problem with any of my accounts. Thirty seconds later I was told: “You didn’t pay ‘this item’ on time. It’s 10 days late.” I drove to the bank and paid.
AmSouth is the current poster child for how to do security wrong, encourage phishing by illegal entities and offer no alternative to this lame attempt at identity verification.
(For the record, when asked to comment, AmSouth spokesperson Jerri Franz said, “We do not discuss the details of our information security.”)
It’s so simple. “Hi, Winn. There seems to be a problem with your account. Why don’t you call or visit your local branch and see what’s going on?” Or, “Hi, Winn, you might want to log on to your accounts. There might be a problem with one of them.” Or, “Please call 1-800-Amsouth…” — but then there is that proof-positive ID problem.
There are plenty of more viable security alternatives to phishing. Or am I wrong?
Schwartau is president of Interpact, a security awareness consultancy. He can be reached at winn@thesecurityawarenesscompany.com.