EGG's Training Program for Cyber Criminals
This morning, as I was finishing breakfast with the children, I received an automated call from EGG (a UK credit card provider) stating that there had been unusual activity on my credit card. This in itself is not surprising, as I have just come back from South Korea (see past posts); the deeply, deeply worrying part was that the automated call then demanded security information from me. Some of you may know that I regularly speak on software and application security, and more so on how easily people can be manipulated into handing over secure information and how this can be mitigated. In my opinion the single biggest problem in opening people up to manipulation is large organizations showing users poor security.
So what have Egg done that in my opinion is so wrong? Simply, they are suggesting that if you receive an unannounced call you should hand over security details to the unknown party. This is great for cyber criminals who are looking for a population who are used to handing over security information at the drop of an automated phone call, but not for the general public, who need greater security training. The security transaction should be at the very least two-way (they supply information to you), but better still they should follow the best example I have experienced, which was Royal Bank of Scotland (RBS), who when they called suggested that I call the number on the back of my credit card and ask to speak to their group. The RBS scenario works so well as I have to authenticate against a source I trust (the card and number) and RBS gets to speak to me, a win for everybody.
Now all of this IMHO is bad enough, but I have gone on record with EGG several times about this and I have been assured :) that this is being dealt with. But today, to add insult to injury, instead of handing over my details blind to an automated system, Linda called them back (I had the pleasure of helping dress the children at the time), and after several minutes of watching Linda struggle with the automated voice recognition the children were in fits of hysterics. Eventually someone came on the line and asked to speak to me, and I was told in no uncertain terms that Linda calling Egg was in direct breach of Egg's security protocols (I think they must have been watching a bit too much 24) and that I did not understand how important security was in preventing credit card fraud. At these moments there are too many levels of sarcasm ready to pounce; I decided that no more could be done to help and I just closed the account (I suspect that the fraud prevention group don't get that very often).
It must be said that in general this is not just Egg; it occurs with many of the service companies and banks, and Egg Fraud have detected times when you would expect to see fraud, but this is just not enough. Banks and service companies should have procedures that protect customers, not just themselves.
If this all wasn't so depressing it would be funny.
On a lighter note, for those of you who are interested in the implications of real security for IT managers and developers, I am pleased to announce that I will be doing another tour with Ed Gibson (Microsoft's Chief Security Advisor for the UK) in the autumn; details will be coming soon. Have no fear that this story will be top of the list to tell.
b.
Technorati tags: Security, Credit Cards, Banks