My bank really annoyed me because they called to ask some questions about my credit card application. But before telling me what it was about, they proceeded to ask a bunch of questions so that I could validate myself to them.
Why is this so wrong? First of all, they called me. They should be the ones that need to validate themselves before I need to validate myself. For all I know, it could have been a phishing phone call. As security professionals, we should know better...which is why I was so annoyed at myself for capitulating before realising what I had done. The ideal situation would be some form of mutual validation of both parties (I propose a way to do this later in this post). Most banks do this...which is completely idiotic. How can they say they are trying to protect their customers when one of their fundamental processes exposes us to phishing scams?
The other day, my mobile phone service provider called me (it turned out they were trying to sell me something) and did a very similar thing. This time, I knew it was them because of the caller ID (which was authentication enough for me because that's much harder to spoof), so I gave up my details when they did the "please allow us to validate you first". The only problem was that they made me give up my PIN, which is actually in full view of the call centre employee...this is another problem altogether. Identity theft anyone? (Side note: My Internet provider also does the same thing. They ask for the first 4 characters of my password - hopefully the call centre person cannot see the rest of it). But this is another topic for another day (maybe).
The phone call brought back memories of my whole bank validation incident, but this time I had an additional thought (I'll get to that...read on).
Until the banks and other organisations that deal with consumers (and have to store/use our details) wake up and fix their processes to better protect the average non-security-aware user (because good security is very much about education and awareness), we're going to have to continue to deal with them in this way and "validate" ourselves. If we can't change the way they interact with us, we can at least force a level of mutual validation/authentication and protect ourselves somewhat.
How? Next time an organisation calls and proceeds to say that they need to validate that they are talking to you, just give them the wrong answer. If they are who they say they are, they'll say "I'm sorry, sir/madam, but I'm afraid that's incorrect". Someone phishing for your details will accept that wrong answer as being correct. Now why didn't I think of that earlier?!
Here's the added bonus. Had I done this to my mobile phone service provider, I would have been able to say (rather gleefully I might add): "Too bad, I can't authenticate myself so you can't sell me anything."