2 March 2017
Tech Culture

First Direct Trains Customers to be Phishing Victims

Banking security is a big deal and has been all over the news of late. Most of the coverage focusses on digital security and how to avoid having your account hacked. A common culprit is the Phishing attack, where a hacker sends you an email claiming to be from a trusted source, and asking for personal information like your password, mother's maiden name, date or place of birth. Most security savvy companies have got wise to this approach, so on every email they will state clearly that they will NEVER request personal information like this.

So I was amazed when I got a phone call, with no caller ID, from somebody claiming to be from my bank. The caller said that before he could speak to me he needed to take me through security and ask me a bunch of personal questions. If you know anything about security you know that Social Engineering on one of their easiest attack vectors. With Social Engineering somebody phones up claiming to be somebody official—your finance department, your IT team, your bank—and asks you to divulge personal information they can then use to compromise your account. This is essentially the real world—or at least phone world—version of a phishing attack, and is something and good security team should be concerned about.

As somebody who cares about personal security I was shocked, so immediately called the bank to highlight this glaring security risk. However rather than caring about security holes, I was told that this was bank policy and if you didn't want to answer the questions you could always go online or call up.

This is a terrible response as it essentially legitimises and habitualness the fact that banks can phone their customers up without notice and expect people to hand over personal information to a stranger. Security savvy folks like me would decline, but not everybody is as wary as I am. If First Direct trains its customers to hand out personal information to strangers on the phone, this opens up a massive security hole. Any fraudster can now identify First Direct customers (for instance folks who have interacted with the first Direct Twitter account recently), find their contact details online, then phone them up to extract personal security information, and then use that information to break into their account.

This feels like a crazy thing for banks to be doing. What’s more, it seems strange that banks should be conscious about this type of security weakness through digital channels, while actively encouraging it through their phone banking services. There are of course various ways banks could solve this problem, like making automated calls asking the customer to contact the bank using the number on their card. That way, the customer knows they are talking to the bank and can go through the usual security protocol. Instead, it seems that banks like First Direct are sacrificing good data security, for the sake of convenience, which should be a worry to all their customers.