
Picture a beautiful clear, cool November central Florida day: temperatures in the 70s and everything shaping up to be the start of a great weekend. Well, maybe next time. Fraud alert! Here I am focused on my daily routine when out of the blue I receive a text from Banking Institution, or someone masquerading as Banking Institution, alerting me to potentially fraudulent activity on my account. I am sure many of those reading have encountered similar fraud alerts that wreck a day or a weekend. I was able to eventually dodge any lasting ramifications here, but many are not so fortunate. Some have spent weeks, months, or even years sorting out the consequences of fraudulent activity.

Let’s get into it. I get the notification and right away my radar is pinging. Is this real or another scam? Being a security professional, I fancy myself overly cautious about how and where I use my cards. Likewise, I tend to be skeptical about giving out my personally identifiable information (PII), especially sensitive PII.
There was not really enough information to make a decision at this point, so I called the number. I was on high alert for indications that this was not a legitimate alert but a false flag intended to perpetrate the real fraud.
This is one of the scary parts of today’s landscape. We really do not know, and we must make judgment calls on seemingly every communication we receive. This is frightening enough with day-to-day emails, but especially terrifying when it comes to our hard-earned money.
We began our game of cat and mouse, the person on the other end of the phone and me. She was trying to make sure I was who I claimed to be, and I wanted to make sure I was on the phone with a legitimate Banking Institution representative. She was able to ask questions to help her validate me, or rather questions whose answers just about anyone might have. I, unfortunately, had no such luxury. I could not ask her to tell me about herself and prove her association with Banking Institution. This was a no-win situation; I could not validate her, and she could only tangentially validate me. Nonetheless, I made the judgment call to proceed. I divulged some information, and we established a cursory, albeit tentative, trust.
What should have happened? A secure push notification bolstered by full-duplex authentication!
Banking Institution: Who am I speaking with?
Me: Jeremy Walker
Banking Institution: Great, we recognize the number you are calling from. I just sent you a picture of a plant with code 516. Is that what you are seeing?
Me: Yes.

Moving on… Through some investigation, I finally arrived at the reasonable assurance that she was indeed a Banking Institution representative operating in an official capacity. We discussed the transaction and determined it was fraudulent. She was fantastic, by the way: very personable, knowledgeable, and open to questions.
We talked about the fraud process for a bit and eventually came to the following.
I asked her why they still relied on zip codes to validate credit card transactions. Fair enough, she did not really have an answer.
We exchanged pleasantries and ended the call.
This is something I had thought about in the past, but now it was directly in front of me. A zip code is not even sensitive information; just about anyone can discover one with a cursory search.
What is more, the people stealing your card data will usually have access to your zip code anyway.
While perhaps better than nothing, it is a pretty poor excuse for a security precaution.

How easy would it be to, again, use a secure push notification to validate the transaction? Evolve the antiquated process into something much more proactive and relevant.
What should have happened? A secure push notification bolstered by full-duplex authentication!
I should have received a secure push notification out of the blue asking me to authorize a transaction I knew I was not making.
I could have declined and then called Banking Institution and easily validated them and myself.
Seem too good to be true? It is not.
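As an added illustration, not code from the original post, the exchange sketched above in Python: the bank derives the picture and code from a server key bound to the registered device and the transaction, pushes it to that device, the agent checks what the caller reads back, and the app answers the transaction push with a signed approve or decline. The picture labels, keys and dict-based push channel are constructed stand-ins.

```python
import hmac
import hashlib
import secrets
import time

# Constructed picture labels; a real deployment would show images in the bank's app.
PICTURES = ("plant", "bicycle", "lighthouse", "teapot")
CHALLENGE_TTL = 120  # seconds the pushed picture and code stay valid

def make_challenge(server_key, device_id, tx_id, nonce=None, now=None):
    """Bank side: derive a one-time picture and 3-digit code bound to the registered
    device, the transaction and the moment. Only the bank can produce it, so an agent
    who quotes it proves they are the bank, and a caller who reads it back proves
    they hold the registered device: both directions from one push."""
    nonce = nonce or secrets.token_hex(8)
    ts = int(time.time()) if now is None else now
    mac = hmac.new(server_key, f"{device_id}|{tx_id}|{nonce}|{ts}".encode(),
                   hashlib.sha256).digest()
    return {"device_id": device_id, "tx_id": tx_id, "nonce": nonce, "ts": ts,
            "picture": PICTURES[mac[0] % len(PICTURES)],
            "code": f"{int.from_bytes(mac[1:4], 'big') % 1000:03d}"}

def push(inbox, challenge):
    """Deliver to the registered device (a dict stands in for the push channel).
    The number the customer dialled from plays no part in the check."""
    inbox.setdefault(challenge["device_id"], []).append(challenge)

def verify_readback(challenge, spoken_picture, spoken_code, now=None):
    """Agent side: does what the caller reads back match the push, and is it fresh?"""
    ts = int(time.time()) if now is None else now
    if ts - challenge["ts"] > CHALLENGE_TTL:
        return False
    expected = f"{challenge['picture']}:{challenge['code']}".encode()
    return hmac.compare_digest(expected, f"{spoken_picture.lower()}:{spoken_code}".encode())

def sign_decision(device_key, tx_id, approve):
    """Customer side: the app answers a transaction push with a signed approve/decline."""
    verdict = "approve" if approve else "decline"
    tag = hmac.new(device_key, f"{tx_id}|{verdict}".encode(), hashlib.sha256).hexdigest()
    return {"tx_id": tx_id, "verdict": verdict, "tag": tag}

def verify_decision(device_key, decision):
    """Bank side: honour the verdict only if the tag came from the registered device."""
    expected = hmac.new(device_key, f"{decision['tx_id']}|{decision['verdict']}".encode(),
                        hashlib.sha256).hexdigest()
    return decision["verdict"] if hmac.compare_digest(expected, decision["tag"]) else None
```

A caller who cannot read back the pushed picture and code fails the check no matter what number they dial from, and a decline signed by the device is the one answer a bank can act on without a phone call at all.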
The entire fraud prevention process is fraught with uncertainty. Why does this continue to plague us all?
Well, setting aside cost impact analysis, it comes down to the status quo. My intention is not to bash financial institutions for not doing enough, as they are businesses and must balance out costs and the benefits of implementing security measures. Still, there are steps these institutions could take that would virtually eliminate fraud.
A major step forward would be moving past reliance on dated and reactionary security measures and moving to a more proactive approach that is in line with the current threat landscape. The technology is out there, it is a matter of embracing it.