Comm Bank has no idea about online security. That sounds rude and disrespectful, but I stand by my statement. I know that the bank has many stellar attributes. Its profits last year were over $4.7 billion. It has over $487 billion in assets and funds. It is a massive organisation. Notwithstanding all the great things that they get right, it is still perfectly true that the Commonwealth Bank of Australia (Comm Bank) has no idea about security. None. Zip. Zilch. Am I being clear enough?
This very minute I was in the middle of preparing a presentation to be delivered next week called, ‘The dark side of the internet’. For years I have been screaming every-which-way, trying to get banks and institutions to understand about online fraud and identity theft. And so this very minute, I received a call on my mobile phone, showing an unlisted number, and the man said, ‘Is this Yonar?’ He means ‘Jonar’, but that’s ok. When someone gets any of my details wrong, I neither confirm nor deny, so I asked, ‘Who’s calling please?’ He told me that he is from the Commonwealth Bank. I could tell that he was leading up to asking me for my password, so I pre-empted his stupidity with a sigh and said in a low exhausted voice, ‘Don’t tell me you are going to ask me for the password.’ He then said, ‘Just one moment please,’ while he fiddled for ten seconds. And then he came back and said, ‘Yes what is your password?’
I told him that this was the most stupid question that any bank can ask over the phone. He called me out of the blue. He could have been anyone. I told him that I would never divulge that information over the phone to a stranger calling me, and he then said that I could call a 1300 number if I have concerns. I said, ‘No way. How do I know that the number you give me does not go to your mother or to your mate in Siberia?’ He then said, ‘You do not have to be so disrespectful’. So I replied, ‘Go away you silly person.’ Then I hung up.
The Commonwealth Bank has done other super silly things before (I shall blog those in due course). Some time ago, when the Comm Bank was stupid about another matter, I went online and sent a message to ask them for the name of their security manager, so that I could be a good citizen and a good client and assist them about a grave security problem of their own making. They never provided the name. I have tried to tell them. I mention it to everyone with whom I speak at the bank. Alas, they have no idea. Not a single clue. No brain cells in that department whatsoever.
Never, never, never, call a customer out of the blue and ask for a password. Identity theft is so problematic, that this practice is stupid and absurd and daft and crazy.
If the bank needed to speak with me, the man (or an automated computer) should have called and said, ‘Hello, I am calling from the Commonwealth Bank. If this is Mr Nader, can you please log into your online banking system and read a message that we have for you. Or please call our normal phone number and quote reference 12345’.
This solves the problem. Never never never never never never call anyone and ask them for their password. Hey stop: I have heard all the arguments before. My cry of never never never never never is supposed to protect us all because if we accept that this method of communications is acceptable, then we can be 100% certain that fraudsters will call poor unsuspecting customers who will naïvely hand out their password to strangers. How on earth can the Comm Bank expect any customer to respond to one of their staff calling and asking for a password?
Ok, let me make this clearer. Did you know that the password you have must never be shared with your spouse? If the bank ever finds out that you told your spouse the password, you will be penalised and unprotected if anyone hacks into your account. Let me try again: If anyone hacks into your account, you will be asked a series of questions, and if you are asked whether or not you have ever divulged your password (or written it down), and you admit to the bank that you had told your spouse (or anyone), then you void all protection that you might have been afforded. So, do you hear the alarm bells? If the terms and conditions forbid you from sharing your password with your spouse (or any living soul), how, in the name of all that is logical, does the bank expect that we answer a phone call, listen to a stranger who could be calling from anywhere, and just surrender the password just like that? What the bloody hell are they doing? It blows my mind. It is so beyond my comprehension that I just cannot believe that an organisation the size of the CBA can do this.
And one more thing: there are times when you might be speaking with your bank, when the staff member (or one of their colleagues) will need to call you back. I have had this happen before. They call and ask for the password, and I hit the roof again. Here is the solution to this problem: before you conclude the first call, the operator should say, ‘I, or one of my colleagues, will need to call you back. For this reason, we need a temporary password for this transaction. When we call you back, our password to you (so that you know who we are) will be “Mother Goose”. And in response, when we ask you for the temporary password, you will need to say, “Donald Duck” unless you wish to make up a temporary password of your own.’ (This is doubly important because the bank might call back when you are amongst friends and colleagues, and you do not want them to hear you uttering your regular password, because over time, people will begin to learn about the logic of your passwords, and they could hack into other programs of yours (because the bet is on that the style of password you use for one situation is likely to be similar (if not identical) to how you craft passwords for other systems.)) I was once making a purchase at a department store. The sales person called my credit card issuer and asked for authorisation. The bank asked him to put me on the line. While on the phone, the bank asked me for my date of birth. How inconvenient and how risky. Also, I was surrounded by other customers and the sales person. How silly!
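Both of the post's suggestions (quote a reference number when the customer rings the bank's published number; agree a pair of one-off temporary passwords for a callback, with the bank speaking its word first) come down to a small bookkeeping problem on the bank's side. The following is an added example written for this page, not code from the post or from any bank: a toy callback registry that issues a reference and a phrase pair at the end of the first call, expires them, and burns them after a single use. The class and function names, the constructed word list, and the 15-minute lifetime are all assumptions made here.

```python
import secrets
import time
from dataclasses import dataclass
from typing import Optional

# Assumption for this example: a callback ticket is only good for 15 minutes.
CALLBACK_LIFETIME_SECONDS = 15 * 60

# Constructed word list used to build memorable two-word phrases in the
# spirit of the post's "Mother Goose" / "Donald Duck" pair.
WORDS = ["mother", "goose", "donald", "duck", "silver", "harbour", "copper",
         "kettle", "autumn", "lantern", "velvet", "compass"]


def random_phrase() -> str:
    """Two random words from the constructed list, e.g. 'silver lantern'."""
    return " ".join(secrets.choice(WORDS) for _ in range(2))


@dataclass
class CallbackTicket:
    reference: str        # quoted by the customer if they ring the published number
    bank_phrase: str      # spoken by the bank FIRST on the callback
    customer_phrase: str  # spoken by the customer only after hearing bank_phrase
    expires_at: float
    used: bool = False


class CallbackRegistry:
    """Holds the tickets agreed during a first call. The clock is injectable
    so expiry can be exercised deterministically."""

    def __init__(self, clock=time.time):
        self._clock = clock
        self._tickets = {}

    def issue(self, customer_phrase: Optional[str] = None) -> CallbackTicket:
        """Called at the END of the first call, while the customer is still
        the one who rang in. The customer may pick their own phrase, as the
        post suggests; otherwise one is generated for them."""
        ref = secrets.token_hex(3).upper()          # e.g. '3F9A1C'
        while ref in self._tickets:                # vanishingly rare collision
            ref = secrets.token_hex(3).upper()
        ticket = CallbackTicket(
            reference=ref,
            bank_phrase=random_phrase(),
            customer_phrase=customer_phrase or random_phrase(),
            expires_at=self._clock() + CALLBACK_LIFETIME_SECONDS,
        )
        self._tickets[ref] = ticket
        return ticket

    def _live(self, reference: str) -> Optional[CallbackTicket]:
        t = self._tickets.get(reference)
        if t is None or t.used or self._clock() > t.expires_at:
            return None
        return t

    def bank_opens_callback(self, reference: str) -> Optional[str]:
        """What the bank says before asking the customer anything. Returns
        None if the ticket is gone, so staff fall back to 'please log in, or
        ring the published number and quote reference ...'."""
        t = self._live(reference)
        return t.bank_phrase if t else None

    def customer_replies(self, reference: str, spoken: str) -> bool:
        """The customer's answer to the temporary-password question. Compared
        in constant time; the ticket is single-use whether or not the answer
        matched, so a wrong guess burns it instead of allowing retries."""
        t = self._live(reference)
        if t is None:
            return False
        t.used = True
        return secrets.compare_digest(
            t.customer_phrase.strip().lower().encode(),
            spoken.strip().lower().encode(),
        )

    def inbound_reference_is_valid(self, reference: str) -> bool:
        """The customer rings the bank's published number and quotes the
        reference, as in the post's alternative script. No password is asked
        for because the customer chose the number they dialled. Single use."""
        t = self._live(reference)
        if t is None:
            return False
        t.used = True
        return True


if __name__ == "__main__":
    registry = CallbackRegistry()
    ticket = registry.issue("Donald Duck")
    print("Bank opens callback with:", registry.bank_opens_callback(ticket.reference))
    print("Customer accepted:", registry.customer_replies(ticket.reference, "Donald Duck"))
```

The point the code makes explicit is that the only secret spoken on an outbound call is one minted for that call, and that the bank proves itself first. The customer's real password never appears anywhere in this flow.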
There you have it. In this single entry, I have given two solutions. It’s dead simple. I have no idea how large institutions, who are burdened by security breaches, can be so darn stupid!
P.S. Earlier I had said, ‘When someone gets any of my details wrong, I neither confirm nor deny’. Here is another example of this. A sheriff knocked on my door at home (I am always in trouble) and he asked, ‘Is Miss Jonar Nader at home?’ There is no Miss Jonar anywhere. He was looking for Mr Jonar, being yours truly. However, being the super-duper-mega security conscious person that I am, I could neither confirm nor deny the existence of this Miss Jonar. I will never help a stranger to correct his data. It would be imprudent of me to add to his information. I was not trying to elude the law or to evade my duties, but we must never give a stranger one sliver of new information. He was perplexed because he kept asking me where she was, and I kept replying, ‘I can’t say’. For example, if someone calls you at home and asks, ‘Is this the Peters residence?’ You must never confirm nor deny. If they do not know who they are calling, you should be extra careful. If at this point you truly and really, and in all honesty, do not see anything wrong, and if you so much as slightly disagree with me on this point, I can say that you truly and really do not know how ID theft works and how hackers work. Each unsuspecting innocent friendly insignificant micro-bit of data is of great value. If you knew how to hack, your blood pressure would be very high at the moment. If you are a sweet lovely person with no concept of why I am enraged, then I fear for you.
P.P.S. St George Bank suffers from the same stupidity, as noted here.