My wife has a comfortable routine for balancing her checkbook that involves a cozy chair, a cup of coffee, and checking her ledger against the information provided by her bank’s telephone banking system. Despite the advantages of technology, I realize that some prefer a printed book to digital or the morning paper in their hands instead of on a tablet, so far be it from me to disrupt that.
When she calls in, the system prompts her for a four-digit PIN, which then grants access to account information such as balances and recent transactions. That four-digit PIN has been the security standard since this type of service was introduced. Sadly, I can’t help thinking about how telephone banking might be put to more nefarious uses as well. As an IT person, I can be heard saying, “To protect against a thief, you have to think like a thief.” So I took a deeper stroll down the rabbit hole and found a couple of things I think are noteworthy. First, this type of access should not be enabled for customers who are not using it, and if it comes bundled with another product, it should be deactivated after a set period of inactivity; an enabled but unused channel is an attack surface that nobody is watching. Second, anyone who knows the enrollment procedure can potentially enroll in a customer’s name and gain unauthorized access without the customer ever being made aware. Once in, the attacker has whatever account information the system exposes, and that information is a stepping stone to more: a social engineer can use balances and recent transactions to answer security questions, ultimately gaining access to other functions such as password resets and other systems such as online banking.
Part of the solution to this type of concern is to inform and to monitor. Monitor for activity on accounts whose owners do not use telephone banking, since any call against an inactive enrollment is suspect. Track usage trends to spot an unexplained rise in telephone banking activity. Watch for frequent password resets and account lockouts, which are early signs that someone is guessing or working around a customer’s credentials. Identify and educate the customers who use the service, and find out whether a better-fitting channel is available to them. Encourage them to change their PIN regularly, to watch their accounts for suspicious activity, and to choose a PIN that is something other than the last four digits of their Social Security number, which is exactly the value a social engineer is likely to have already.
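To make the monitoring advice above concrete, here is an added example (my own illustration, not code from the original post or from any bank’s telephone banking product) that runs the three checks over a constructed audit log: activity on accounts flagged as inactive, bursts of PIN resets and lockouts within a time window, and a simple enrollment-time rule that rejects a PIN equal to the last four digits of the SSN. The log format, the account numbers, the `INACTIVE_ACCOUNTS` label, and the three-events-in-thirty-minutes threshold are all assumptions chosen for the example.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample audit records (invented for this example, not from a real bank).
# Assumed format: ISO timestamp, account id, event type, outcome.
SAMPLE_LOG = """\
2024-03-01T08:02:11 acct=1001 event=login outcome=success
2024-03-01T08:05:40 acct=1002 event=login outcome=success
2024-03-01T09:15:02 acct=1003 event=pin_reset outcome=success
2024-03-01T09:16:30 acct=1003 event=pin_reset outcome=success
2024-03-01T09:18:55 acct=1003 event=lockout outcome=locked
2024-03-01T09:20:10 acct=1003 event=pin_reset outcome=success
2024-03-01T17:45:00 acct=1003 event=login outcome=failure
2024-03-02T11:00:00 acct=1004 event=enroll outcome=success
2024-03-02T11:01:30 acct=1004 event=login outcome=success
"""

# Accounts the bank has flagged as not using telephone banking (assumed label).
INACTIVE_ACCOUNTS = {"1004"}

LINE_RE = re.compile(
    r"^(?P<ts>\S+) acct=(?P<acct>\d+) event=(?P<event>\w+) outcome=(?P<outcome>\w+)$"
)


def parse_log(text):
    """Parse the audit log into dicts; malformed lines are skipped, not fatal."""
    records = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        rec = m.groupdict()
        rec["ts"] = datetime.fromisoformat(rec["ts"])
        records.append(rec)
    return records


def inactive_account_activity(records, inactive=INACTIVE_ACCOUNTS):
    """Any event on an account flagged inactive is worth a look: the service should
    have been deactivated, so an enrollment or login here is unexpected."""
    hits = defaultdict(list)
    for rec in records:
        if rec["acct"] in inactive:
            hits[rec["acct"]].append(rec["event"])
    return dict(hits)


def reset_lockout_bursts(records, threshold=3, window=timedelta(minutes=30)):
    """Flag accounts with at least `threshold` PIN resets or lockouts inside a
    sliding window. Returns {account: most events seen in any single window}."""
    per_acct = defaultdict(list)
    for rec in records:
        if rec["event"] in ("pin_reset", "lockout"):
            per_acct[rec["acct"]].append(rec["ts"])
    flagged = {}
    for acct, times in per_acct.items():
        times.sort()
        best = 0
        j = 0
        for i, start in enumerate(times):
            # advance j to the first event that falls outside the window at times[i];
            # j never moves backwards because the list is sorted
            while j < len(times) and times[j] - start <= window:
                j += 1
            best = max(best, j - i)
        if best >= threshold:
            flagged[acct] = best
    return flagged


def daily_volume(records):
    """Events per day: the raw series to watch for an unexplained rise in usage."""
    counts = defaultdict(int)
    for rec in records:
        counts[rec["ts"].date().isoformat()] += 1
    return dict(counts)


def pin_allowed(pin, ssn):
    """Enrollment-time policy: exactly four digits, and not the last four of the SSN."""
    ssn_digits = re.sub(r"\D", "", ssn)
    return bool(re.fullmatch(r"\d{4}", pin)) and pin != ssn_digits[-4:]


if __name__ == "__main__":
    recs = parse_log(SAMPLE_LOG)
    print("inactive accounts with activity:", inactive_account_activity(recs))
    print("reset/lockout bursts:", reset_lockout_bursts(recs))
    print("daily volume:", daily_volume(recs))
    print("PIN 6789 allowed for SSN 123-45-6789?", pin_allowed("6789", "123-45-6789"))
```

On the sample data, account 1003 trips the burst rule with four reset/lockout events in five minutes, and account 1004 shows an enrollment followed by a login on an account that was supposed to be inactive, which is the unauthorized-enrollment scenario described above. Real thresholds should be tuned against the bank’s own baseline rather than the values assumed here.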
I am reminded of a coworker who said, “You have different keys that you use for your car, front door, etc. You want your passwords to follow suit, different for each type of use.” Keeping that in mind, and sharing it with my wife, adds the comfort of security to the cup of coffee and the comfortable chair as she carries on with her routine.