On Thu, 20 Oct 2005, Roland Perry wrote:
> What it needs is an *additional* shared secret, so that if I challenge
> them they say "we have on file that you've asked us to say 'xyzabc' in
> these circumstances".

I agree entirely, and have been saying something to that effect for many years
to friends and colleagues.

Both I and my wife have had a number of calls of this nature; someone
claiming to be from one of our banks calls wishing to discuss something.
They ask for one of us by name, and when I say "this is he" or whatever, they
say they wish to confirm my identity, and ask me to tell them my date of birth. I
have always refused, saying that they called me out of the blue, and I
don't know who they are. They refused to say what the matter was relating
to without me telling them my date of birth, which I continue to refuse to
do. The person on the other end is generally rather taken aback, because
clearly (to them) they are The Bank and they are To Be Trusted - I don't
think they "get it" at all. I generally told them since they couldn't
prove who they were to me on the phone then they would have to write to me
(turned out once they wanted to talk about some unusual transactions on my
account: a timely conversation on the phone rather than a letter a week
later would clearly have been much better).
In another case, they told my wife they would write to confirm that they
would be calling her - the letter never arrived, so we don't know if it
was going to be a useful letter like "we will call you around XX time on
YY day", or something rather useless like "we might call you sometime", in
which case they would have got the same response.
I do keep meaning to discuss this with my banks. They are the ones
banging on about the need for us punters to be more secure with our data
and in our dealings after all ...
. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
Jethro R Binks
Computing Officer, IT Services
University Of Strathclyde, Glasgow, UK