This happened to me very recently. I applied to join a certain credit union. The credit union has a wonderful website and, as it should, it has an online application which seems secure enough. I filled out the necessary personal information and submitted my application over the SSL connection. Among the standard questions were a few security questions such as mother’s maiden name, favorite teacher, and others. In response to my completed application, I received an email which also seemed to meet adequate financial institution information security and privacy requirements (e.g. no account numbers, login names, passwords, etc. being sent in plain text over email.)
Everything seemed fine. Until the next day when I received a phone call from an "unknown name/unknown number" phone. The lady on the other end identified herself very politely as X from the credit union, welcomed me to the union, and asked me whether I would be willing to talk with her briefly about my financial needs and how the credit union may be able to help. This was nice customer service, I thought, and agreed to talk with her for a "couple of minutes." The next thing she asked me was whether I could verify the security information on my account and proceeded to ask me about my mother’s maiden name. The call ended shortly after this question and after I calmly tried to explain to X that asking such questions during an outbound phone call is not a good idea because anybody could, in theory, make this phone call and obtain my security information.
I went to the credit union’s website and was impressed by the thorough explanations they have on Internet security and by the effort they make to "teach" their customers not to respond to phishing emails asking for personal login or financial information. I am sure the credit union has a policy prohibiting outgoing emails from soliciting customers’ security information. But did anyone at the credit union think to put in place the same security policy for outgoing phone calls to customers? Apparently not.