An excellent post over on Geekzone about a customer experience with a bank. Seems that the bank contacted their customer by phone in order to make some changes to their account. Said customer was asked to verify their identity by password but when he rightly pointed out to the bank that he had no way of knowing if the person from the bank itself was legitimate – the bank officer was somewhat stumped.

I’ve always been a little laissez-faire when it comes to banking and security, kind of having (blind and unwarranted) faith in those venerable banking institutions. I’m not sure why this is; bank lending is unsecured and banks are just another business, albeit one with some regulation lording over them. I have a friend who has spent years doing contract IT work within banks in the UK. She laughed when I told her about my hands-off attitude and recounted the number of times she’s seen unencrypted customer username and password information passed around behind the bank’s firewalls.

Sure, Internet banking is protected at length by encryption and SSL, but do we know what happens within the banks’ own systems? Bank tellers often get caught out stealing from the bank; what’s to stop a dodgy bank IT staffer from mining some user information?

SaaS providers often talk about the fact that customer data and customer authentication are separated on their systems and within their organisation, thus ensuring that no one individual within the SaaS organisation has access to a user’s data. I wonder why we don’t demand the same level of security from our banks?

Ben Kepes

Ben Kepes is a technology evangelist, an investor, a commentator and a business adviser. Ben covers the convergence of technology, mobile, ubiquity and agility, all enabled by the Cloud. His areas of interest extend to enterprise software, software integration, financial/accounting software, platforms and infrastructure as well as articulating technology simply for everyday users.

1 Comment
  • Neither NZ banks nor NZ IRD are interested in this.

    I was in exactly the same situation with the IRD and when I took it to their upper-level management (as it is a major security problem compounded by ignorance and the legitimacy attributed to the practice by the fact that IRD still make calls and ask for sensitive information) they seemed vaguely interested but couldn’t really understand it.
