Home > InfoSec, Privacy > Stupidity, begets stupidity – and no security

Stupidity, begets stupidity – and no security

2013/12/13

I realised whilst at work today that my credit card wasn’t in my wallet, after hoping against hope that it would be in yesterday’s trouser pocket when I got home I had to accept that it was lost. Far from the brightest thing I’ve done today, especially given the time of year. So I did the sensible thing and called the card provider to cancel the card.

The number I called was listed as being for (admittedly amongst other things) reporting lost or stolen cards; first question the automated ask was my card number, which I didn’t have; regardless I quickly got through to a person who (I’ll be fair) handled my problem with speed and minimal fuss.

Whilst finding my account without the card number I was asked to confirm my date of birth; once the correct account was identified I was asked a couple of security questions to confirm I was me; all very normal and acceptable. However the second question asked how old I will be come my next birthday; apart from the fact that this is hardly the most protected of information, had I been a fraudulent caller trying to maliciously access someone else’s account I had already correctly provided D.o.B. not 2 minutes earlier; not exactly difficult to extrapolate one from the other.

To be honest, I didn’t worry too much; some of the other security questions were likely sufficiently detailed to limit the chance of someone else getting past the gatekeepers. But being a sarcastic and (hopefully) helpful sort of bloke I jumped on twitter to suggest that asking a ‘security’ question based off a wildly known and shared piece of unchangeable information probably wasn’t the best of ideas.

THIS is where I really started getting concerned, the whole conversation can be read here (Barclays twitter people, I have screengrabs for prosperity if you feel like deleting any of the responses…..).

Some of my favourites:

Unfortunately, we’re unable to confirm what security questions will be asked when you call one of our teams

I wasn’t asking what questions I would need the answers to, but pointing out the questions I was asked weren’t exactly the most robust. Either way, security via obscurity isn’t security, and if knowing the types of questions to be asked really does make accounts vulnerable and I was a fraudster; I’d simply have a number of like minded miscreants call up several times until the pool of potential questions was exhausted….

We only ask questions in which the genuine account holder should know the answer to.

This is the point that tipped me over the edge, if I need to explain to anyone why believing only the genuine account holder knows their date of birth, I’ve got a bridge I want to sell you. (hint if needed: Do you get cards/presents from those that know you the same time every year?).

Admittedly, at this point I got a bit ‘unprofessional’ and suggested I was either being fobbed off, or Barclays (twitter handler)’ security knowledge is inept, I’m assuming this ‘abuse’ may be the reason I’ve had no further response.

I really hope that this incident is the result of the individual handling the conversation being out of their depth and having an inadequate script to follow. If not, and this is indicative of Barclays security provisions (and someone, somewhere had to OK the question being used in the first place) I need to reconsider where I bank….

–Andrew Waite

P.S. I have no evidence, but I’m getting a creeping felling of deja vu that I’ve had a similar telephone authentication process, and a similar discussion on twitter as to whether this is a good idea

Advertisements
Categories: InfoSec, Privacy
%d bloggers like this: