We often hear banks complaining loudly about the losses they suffer from payment card fraud.  Campaigns like “Protect your PIN” and humorous commercials with a miniature armoured truck following a customer down the street must cost tens of millions of dollars.

But then consumers still receive calls like the one I did on Saturday afternoon.  The bank – or someone claiming to be from the bank – called me, advised that they were recording the call, welcomed me as a new customer, and then asked me for my date of birth and postal code, “to confirm they were speaking to the right person.”

I have a very simple rule: If I call you, it’s reasonable for you to ask me to prove I am who I say I am.  However, if you call me, you get to go first.  And unfortunately, while banks are somewhat good at authenticating their customers, they never seem to consider how customers should authenticate them.

When I declined to provide personal information to the caller, she politely replied that I could call the number on the back of my card if I had any questions and then she ended the call.

So I did just that, and asked about the call.  The CSR verified that the person who called me was indeed from the bank, and that they ask for a date of birth and postal code to make sure they’re speaking with the “right person”. But he didn’t have a solution to how I should authenticate future callers who claim they’re from the bank.

Banks should know better.  Telephoning customers and asking for personal information is irresponsible and contributes to the identity theft problem.  Banks should be telling their customers that they will never call them and ask for personal information – just as they currently do for PIN numbers.

There’s also an obvious solution: The bank could easily add one more field to their database, a password that they will use when they call me. In fact, next time they do call, I think I’ll ask them for their telephone password.

Perhaps the bank’s security, fraud and marketing people need to have a chat.

One Response to Do as we say, not as we do.

  1. Evolving Squid
    Oct 19, 2009

    I get this sort of thing from banks and from Rogers all the time. If they call me, I start this sort of informal script:

    Phone_Drone: Hi, I just need to ask you some questions to verify your identity.

    Me: Oh, I’m sorry, but you called me. I hope you don’t mind, but I’m going to have to ask YOU some questions to verify YOUR identity. I know it sounds peculiar, but realistically, any moron could call me up and claim to be the bank or the phone company.

    P_D: sure.

    Me: Please tell me my account number.

    P_D: [hopefully] …(reads account number)

    Me: Please tell me the amount of my last bill / balance of my account.

    P_D: [hopefully] …(gets it right)

    Me: Thank you. Please carry on.

    I’ve had no problems going through this with anyone so far, and I’ve used it on my phone company, my bank, and one credit card company.
