Tuesday, November 17, 2009

Data Security at Financial Institutions

Would someone please explain the security procedures that banks and other financial institutions implement? I happen to run into a "verification process" quite frequently. This normally entails answering a series of questions. You know, questions like "what city did you get married in?" or "what is the first name of your paternal grandfather?" There seems to be about 15 standard questions used by financial institutions, not all of which are used by each. My problem with these has to do with a lack of understanding exactly how they are supposed to protect me.

When I call a financial institution, my favorite is the old "would you please verify your home address for me?" As if a criminal wouldn't have the easiest piece of personal data to find at their fingertips. Puhleaze! That one is so simple and fast it requires no forethought- just a Google search in real time. Now consider the typical "what high school did you attend" question. This isn't secret or private information by any means. A bit of googling or facebooking and you have the answer. Similarly, it doesn't require much of a fishing (phishing?) expedition to uncover a maiden name or child's name. So what's the point? The standard answer I've been given is that it makes it "more difficult" for the crooks. Sure, but they are crooks. It's like putting an extra wrapper on the box of candy to keep the fat guy from being tempted- it takes an extra second, but he's still going to eat the candy. They are intentionally stealing identities and one more informational hurdle isn't going to stop them. After all, they managed to track down a sufficient amount of the victim's info such as social security numbers and birthdates anyway. This is sort of like saying if we just had more checkpoints at the border, it would stop drug use.

There are some questions, such as the "name of your first pet" which I admit are more difficult to find. However, once you start providing this information to institutions, it becomes part of each company's profile of you. If they get it from one institution, it works at the others too. The more places that ask for this info, the easier it is to be stolen and the more likely it is to be used. Pretend one of your financial institutions, XYZ Credit Union, loses data. The criminals can take the name of your first pet and use it on your American Express account too. Seems like an enormously weak link to me.

Any customer service agent can get such data as can hackers and criminals actively seeking it.  What is to stop a customer service agent from scribbling down this info during your routine call inquiring about an unknown fee for example? I'd like to think it is a brainless, secure computer safekeeping my personal answers, but in reality any customer service agent can see it when you call. Writing it down is a low tech theft for sure, but every time one of these individuals help me, they see my "secret" answers.

Equally unnerving is when I recently opened a new account online at a financial institution I've never worked with before. In order to verify I was who I claimed to be, it asked me "which of the following vehicles have you owned recently?" On the list was a vehicle I owned three years ago for which I paid cash. There was no loan on record that could have possibly been pulled into my profile. Where did this data come from? Old motor vehicle registrations? In other words, if a completely unrelated record could be pulled by the financial institution to verify me (with no right or legitimate related business use of that data), what is to stop a criminal from pulling data to impersonate me?

All this work to annoy people in the name of security. Yet to my eyes, it does little if anything to bolster security. In my view it actually weakens security since one key fits multiple locks. Alas, I am certainly not a data security expert. So tell me, what am I missing? Am I wrong or is this an absurd waste of time in the name of a false sense of security?

1 comment:

  1. When I worked at a financial institution in the past, these sorts of measures were more about 'plausible deniability' rather than actual security. They existed only so the institution could point to them and say 'See! We're protecting your data! If your details get out then it's your own fault, you must have given them to someone!'

    This mindset is also behind the current push to switch from signatures on credit cards to PINs. They don't reduce fraud at all, but they do allow the institution to shift the blame- fraud due to a forged signature has to be worn by the bank, while someone else using your PIN has to be the result of your own negligence, so it's your problem now.

    ReplyDelete