The Security Mentor

A columnist finds scary security deficiencies at his bank.

The first incident was when the bank's call center let him "prove" his identity using only readily available information like his account number. That sort of careless procedure is one of the reasons "identity theft" works.

The second was really scary. The bank did something indistinguishable from what criminals do. They called him, said there was a problem, and asked him for some sensitive information. People like me have been talking ourselves hoarse explaining that criminals send emails and make calls like that to steal personal information, and that legitimate institutions never operate like that. Well, at least the clueful ones don't. Remember: if the other party places the call, you don't know who they are, and if they start asking for secret information you're entitled to consider it a scam. It's the modern version of the "we're-bank-examiners-and-we-need-you-to-make-a-cash-withdrawal" scam from your grandmother's day. If your bank does it on purpose, they deserve to get hung up on.