Wednesday, 29 August 2007

Challenge-Response authentication isn't enough

A question has been on my mind since I came to the UK: why do banks still use challenge-response authentication as identification on the phone?

What is Challenge-Response?

Challenge-response authentication is a family of protocols in which one party presents a question ("challenge") and another party must provide a valid answer ("response") to be authenticated. The bank's phone "security questions" are the weakest form of this family: the challenge is the same every call, and the expected response is a fixed fact about the customer rather than a secret that only the customer could know.

When I came to the UK I tried to open a bank account, and I got one with one of the high-street banks. But I found they have a weak authentication system for their e-banking service: for example, they accept only alphanumeric characters as a passcode, and their customer service staff use challenge-response to identify the caller.

Here is how they do their identification on the phone:

Customer Service (CS): Hello Sir, may I take your account number please?

Me: It is XXXX-XXXX-XXXX

CS: How can I help you, Sir?

Me: I need ..... please.

CS: May I know your surname please?

Me: Galal

CS: I'd like to go through some security questions with you before I proceed with your request.

Me: Okay

CS: What is your date of birth?

Me: XX-XX-XXXX

CS: What is your postcode?

Me: XXXX-XXXX

CS: What is your house number please?

Me: XXXXX

CS: May I know what the last transaction on your account was, please?

Me: I withdrew £1 two days ago.

CS: That is enough, Sir. You have been identified and I will proceed with your request right now.

As we can see, this is nowhere near enough to identify a caller on the phone. Why?

Referring to the “Identification & Authentication” blog post, you will know that identification should be combined with a strong authentication process. The questions above only identify the caller; they do not authenticate him, because the answers are static facts that many other parties already hold. Most of them can be gathered easily from a number of sources:

1- Social engineering your current employer, who holds this information about you.

2- If you applied for voluntary work or any social activity, as I did, the organisation has most of this information.

3- Social sites like Facebook and MySpace, etc.

4- Threats raised after attacks on sites like Monster.com, or other sites that hold users' personal information.

But you may say to me: none of the above has the information about your last transaction.

Yes, you are right, but it can also be compromised. How?

Well, by using some of the social engineering techniques explained well in “The Art of Deception” by Kevin Mitnick: a pretext call to the customer, posing as the bank, that asks him to "confirm" his recent transactions is enough to obtain the one answer the public sources lack.

Using challenge-response authentication is simple, especially over the phone, and it is easy for end users to answer the questions asked. But when the "response" is a fixed fact that the customer has already given to employers, charities and social sites, it is an identifier, not a secret, and it isn't enough to use it as the only method of identification nowadays.
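To make the difference concrete, here is an added example (not code from the original post) that models the two kinds of "challenge-response" discussed above. The first class models the bank's static security questions; an attacker holding a dossier assembled from the sources listed earlier passes them, and only the last-transaction question stands in the way until it is socially engineered. The second class is a nonce-based HMAC challenge-response, where the caller must prove possession of a shared key: a dossier is useless, and a recorded exchange cannot be replayed. The customer record, the attacker's dossier, the shared key and the class and function names are all constructed for this illustration.

```python
"""Added example: static security questions vs. nonce-based challenge-response.
All customer data, the attacker's dossier and the shared key are constructed."""
import hashlib
import hmac
import secrets

# Constructed sample: what the bank's customer record holds.
CUSTOMER_RECORD = {
    "date_of_birth": "1980-01-01",
    "postcode": "AB1 2CD",
    "house_number": "42",
    "last_transaction": "withdrew 1 pound two days ago",
}

# Constructed sample: what an attacker can assemble from an employer, a
# volunteering application or a social-network profile (no transaction data).
ATTACKER_DOSSIER = {
    "date_of_birth": "1980-01-01",
    "postcode": "AB1 2CD",
    "house_number": "42",
}


class StaticQuestionAuth:
    """The phone scheme: the same questions every call, answered with facts
    that never change and are known to third parties."""

    def __init__(self, record, questions):
        self.record = record
        self.questions = list(questions)

    def challenge(self):
        # No freshness: the challenge is identical on every call.
        return list(self.questions)

    def verify(self, answers):
        if set(answers) != set(self.questions):
            return False
        # compare_digest so a wrong answer is not revealed by timing.
        return all(
            hmac.compare_digest(self.record[q].encode(), answers[q].encode())
            for q in self.questions
        )


class NonceChallengeAuth:
    """A real challenge-response: the bank sends a fresh random nonce and the
    caller returns HMAC(key, nonce) computed by a token or banking app.
    Used nonces are remembered so a recorded response cannot be replayed."""

    def __init__(self, key: bytes):
        self.key = key
        self.used_nonces = set()

    def challenge(self) -> bytes:
        return secrets.token_bytes(16)

    @staticmethod
    def respond(key: bytes, nonce: bytes) -> bytes:
        return hmac.new(key, nonce, hashlib.sha256).digest()

    def verify(self, nonce: bytes, response: bytes) -> bool:
        if nonce in self.used_nonces:
            return False  # replay of an earlier exchange
        self.used_nonces.add(nonce)
        expected = self.respond(self.key, nonce)
        return hmac.compare_digest(expected, response)


def attack_static(questions, dossier):
    """Attacker answers the static questions from the dossier, guessing any
    question it does not cover. Returns True if the bank accepts the caller."""
    bank = StaticQuestionAuth(CUSTOMER_RECORD, questions)
    answers = {q: dossier.get(q, "don't know") for q in bank.challenge()}
    return bank.verify(answers)


def attack_nonce_scheme():
    """Legitimate call, then a replay of the recorded exchange, then a response
    computed without the key. Returns (legit_ok, replay_ok, guess_ok)."""
    key = secrets.token_bytes(32)  # constructed shared key
    bank = NonceChallengeAuth(key)
    nonce = bank.challenge()
    response = NonceChallengeAuth.respond(key, nonce)
    legit_ok = bank.verify(nonce, response)
    replay_ok = bank.verify(nonce, response)  # attacker plays back the recording
    nonce2 = bank.challenge()
    guess_ok = bank.verify(nonce2, NonceChallengeAuth.respond(b"guess", nonce2))
    return legit_ok, replay_ok, guess_ok


if __name__ == "__main__":
    basic = ["date_of_birth", "postcode", "house_number"]
    full = basic + ["last_transaction"]
    print("dossier vs basic questions:", attack_static(basic, ATTACKER_DOSSIER))
    print("dossier vs all questions:  ", attack_static(full, ATTACKER_DOSSIER))
    social_engineered = dict(ATTACKER_DOSSIER, last_transaction=CUSTOMER_RECORD["last_transaction"])
    print("after pretext call:        ", attack_static(full, social_engineered))
    print("nonce scheme (legit, replay, guess):", attack_nonce_scheme())
```

The point of the contrast is that in the static scheme nothing distinguishes the customer from anyone who has read his employer's HR file: the same answers are accepted on every call, forever. In the nonce scheme the only thing that passes is knowledge of the key at the moment of the call, which is why a fresh challenge, not a fixed question, is what makes challenge-response worth the name.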

1 comment:

Ayman Galal said...

As I said before, please have a look at this:

UK's families put on fraud alert