Telephone "Security" Questions

Who is this "security" for, anyway?
Author: Andrew Aylett
Version: 1.0Last Revised2012/07/18Expires: 2032/07/18
In this post, Andrew discusses why he is not a fan of answering security questions when receiving incoming call from a company, and how security should be designed to protect both parties.?

We don’t get many people phoning our land-line — just my mother-in-law, marketers willing to flout the TPS and the occasional company trying to get hold of me. Whenever the latter happens, the conversation always seems to take the same trajectory:

“Hello, is that Andrew Aylett?”

Speaking

“This is Linda from Acme Insurance Services, I’d like to talk to you about your policy”

OK

“Before we start, for security purposes, can I ask you to confirm…”

Well, no, actually. There are a couple of reasons why I’m not happy with this, but first I’d like to ask a question I’ll come back to later: who would be protected by this security, and for whom should the security have been intended?

If we examine the differences between me calling the company and the company calling me, we see that the security implications are quite different. When I call a company, using their published phone number, I can be quite sure I’m talking to the right people. They, on the other hand, have no idea who I am and are quite within their rights to require me to prove my identity — not to do so would open them up to fraud.

When a company calls me, though, the roles are not-quite reversed. This time, the company has some idea who they have called, but they can’t be entirely sure they are speaking to the right person. I’ve got no reason to believe they are who they say they are. That makes them asking me security questions much less attractive to me — it might help them a bit, but it doesn’t help me at all: I know that the only people who might pick up that phone are trustworthy (and in any case, they could probably answer the security questions), and I can’t tell whether I’m talking to a legitimate caller or to a fraudster.

My standard practice in such situations is first to ask whether they can prove their identity — to date, none have even tried — then to offer to call them back on their published number: that turns the security question back into one where I can have confidence that I’m talking to the right person. Where that falls down, is when they tell me that I have to phone a different number to talk to them. That defeats the whole point of the exercise, yet it’s offered as a complete remedy.

I fear that companies don’t care about this sort of issue because they don’t have to: most of their customers don’t object, and if people are taken in by fraudsters, the customer suffers not the company — the security protects only the company, while it should be designed to protect both parties.

As it happens, this post was prompted by a call from someone claiming to be from Aviva. They were quite polite, and I have no real reason to doubt their legitimacy, nor that I’m being singled out as a target. However, if I were being singled out, that call went almost exactly how I’d expect a call from a fraudster to go — asking for my personal details, refusing to authenticate herself and offering a number I can’t verify for me to call back.