We often hear banks complaining loudly about the losses they suffer from payment card fraud.  Campaigns like “Protect your PIN” and humorous commercials with a miniature armoured truck following a customer down the street must cost tens of millions of dollars.

But then consumers still receive calls like I did on Saturday afternoon.  The bank – or someone claiming to be from the bank – called me, advised that they were recording the call, welcomed me as a new customer, and then asked me for my date of birth and postal code, “to confirm they were speaking to the right person.” 

I have a very simple rule: If I call you, it’s reasonable for you to ask me to prove I am who I say I am.  However, if you call me, you get to go first.  And unfortunately, while banks are somewhat good at authenticating their customers, they never seem to consider how customers should authenticate them.

When I declined to provide personal information to the caller, she politely replied that I could call the number on the back of my card if I had any questions and then she ended the call.

So I did just that, and asked about the call.  The CSR verified that the person who called me was indeed from the bank, and that they ask for a date of birth and postal code to make sure they’re speaking with the “right person”. But he didn’t have a solution to how I should authenticate future callers who claim they’re from the bank.

Banks should know better.  Telephoning customers and asking for personal information is irresponsible and contributes to the identity theft problem.  Banks should be telling their customers that they will never call them and ask for personal information – just as they currently do for PIN numbers.

There’s also an obvious solution: The bank could easily add one more field to their database, a password that they will use when they call me. In fact, next time they do call, I think I’ll ask them for their telephone password.

Perhaps the Bank’s security, fraud and marketing people need to have a chat.