banks still do not understand that authentication is a mutual process (Credit Suisse)

I just got a call on my Swiss mobile from a fellow claiming to be from "your bank" and asking me to "confirm your identity".  Switzerland is rife with spam and scam calls, and when I was resident there I had to field several calls a day from the parasites cold-calling about switching health insurers, being from tech support and having you install a backdoor on Windows, and on and on.

I was in the mood for having a go, rather than just hanging up, but as I berated him about being a low-life, and how he would shortly be in jail if he continued with this line of work, he insisted that he really was from "your bank".  Which bank?  He said he'd tell me if I could confirm that I'm Tom Jones.  So now he's supplying the name, instead of asking as an open question.  Okay, yes, I am.  He now says he's from Credit Suisse.  Well, I am a customer, and I did send a chunk of money into my account last week for the first time in years.  So it's probably them.  He knows the basic attributes of the transaction.  Yes, I'm now fairly sure it's them.

He wants Credit Suisse to handle investing the money, so they can, one way or another, cream off 5% a year.  A balance is worth nothing to them.  It may be, under certain central-banking climates, but currently it is more of a liability.  They can make money by selling insurance, managing investments, selling debt including mortgages, but not by just holding a balance.  All this is beside the point here.

The point is: banks have never understood that authentication is mutual, and they still don't understand this.  They call up, out of the blue, with no process designed for them to authenticate themselves to the customer.  A relationship manager is one thing, because you know them, but Credit Suisse don't seem to bother with this, at least not for me, so I'm talking about rando employee.  They then start demanding, off the bat, that the customer authenticate themselves by giving information.  They are apparently unaware that this is indistinguishable from a scammer calling to get the same information, to impersonate the customer, to the same bank.

"I'm from your bank could you confirm your identity", Credit Suisse you fucking what m8?

Comments

Post a Comment

Popular posts from this blog

the persistent idiocy of "privileged ports" on Unix

TCP and UDP have ports.  These are 16 bit; there are 65535 or so per IP address. These protocols don't care to differentiate between the ports.  Elsewhere, IANA presumes to operate a process to allocate "well-known" ports in the range 1-1023, "registered ports" in the range 1024-49151, and to reserve the remainder, 49152–65535, for "ephemeral" ports.  The caller end has to have a port, which is how replies get back within the virtual connection, and these are conventionally picked from the ephemeral range by the OS's networking stack. The whole idea of ports is ridiculous, because it allows ISPs to arse around presuming to decide which services they will "not allow".  Anything that allows IPSs to do anything other than shift opaque packets will allow ISPs to meddle and break things, and due to the Law of Meddling, if they can, they will.  I am currently working around an issue with Claro, a pretend ISP, blocking port 5060, allocated to SI...
Read more

JT "their my" nonsense

Image
Another example of the "your my" nonsense produced by corporations calling customers' things "my" things. Let's mark this for pronouns: In total, I've identified 12 correct pronouns, 6 incorrect pronouns, given from the wrong perspective, and one direct clash between a correct one and an incorrect one, in the form of "their my JT account".  This should be a dead giveaway that something is wrong. As well, observe this perfunctory, bossy, yet passive tone that they take.  "all customers are required" to such and such.  Let's try this.  "All telecoms providers are required to provide ipv6 service".  Oh, that didn't work.  "All entities are required to desist from calling other entities' things 'my'".  Oh, that didn't work either. This is the real pronoun crisis.
Read more

easyjet: repeated entry of information they already have

Image
As I observed earlier today, airline web sites are obsessed with making people re-enter information, apparently arbitrarily. The following seems to be required for Easyjet, for an "existing" customer relationship, every time: country of residence selected from big list, involving skidding around on the screen that makes the victim feel sick should be remembered. If it has to be changed, should be type-and-choose victim is taunted with the text "tell us about you", when they thought they had logged in form with the following on one page: business / leisure title, first name, last name, age there is a button to "copy from contact details", but this doesn't do the "age" field.  Since they have my date of birth, they are of course able to calculate my age.  As well, the only values for this field are "18+", "17", or "16".  Is it a deliberate decision, to not fill this field based on the customer data, and to make the...
Read more