03.10.08

Fraud Prevention

Posted in IT, Interesting Stuff, Phishing / Scams at 3:43 am by Tyler Reguly

One of my favourite non-IT blogs has got to be The Consumerist. I really like the idea of a public online watchdog that has the freedom to publish pretty much anything.

Anyways, the other day this post caught my attention:

Why doesn't a bank (cough HSBC cough) offer the option to have text message alerts sent to a registered phone number any time a withdrawal is made from a specific account via ATM? "$120 was withdrawn at 2:51pm EST in Palo Verde, CA. Reference #293005"

I think this is a great idea... There's plenty of software that takes advantage of Pager/SMS/Email notifications, why can't the bank do the same? We're becoming more and more technologically advanced and cell phones are everywhere. Even my 15-year-old sister has an HTC S720.

I would love this feature. My fiancée, a while back, got a letter saying that her debit card had been used at a business known to have conducted malicious activities with customers' banking information. She got a letter because the bank called, during business hours, and didn't leave a message (I've never quite figured out why service-based businesses operate during the hours that people work... there should be an offset, especially if you're trying to contact the individual). Sure, the proposed feature is for withdrawals, but why couldn't it exist for all fraudulent activities?

Now maybe the reason this doesn't exist is to avoid opening yet another avenue of attack. My bank "requires" (you don't HAVE to enter it, but they sure do want you to) an email address. They send me quasi-important information via email. The next thing you know, when I log into my online banking, there's a notice warning me about yet another phishing attack that's targeting customers of my bank. Perhaps they don't want to introduce a new method that phishers can take advantage of. I seem to recall getting random SMS spam with my first cell phone, coming from numbers like '00000' and '12345', however I haven't seen any of that in quite some time... either I'm really lucky or cell phone companies have figured out how to stop spoofed messages. (Which I find unlikely, given that landlines can't prevent Caller ID spoofing.) So would we be making things riskier by allowing SMS Fraud Notifications?

Scenario

  • Customer gets SMS stating that their account has had $500 withdrawn in Mexico.
  • SMS asks customer to contact the bank, providing a number.
  • Customer is in a panic and calls the number immediately.
  • "Agent" asks customer to provide personal information (Bank Account info, SSN/SIN, Address, DoB) to verify that it isn't the fraudulent user.
  • Customer has just been scammed.

Do I foresee that scenario happening if SMS Fraud Notification is introduced? Definitely. Do I still think SMS Fraud Notification would be very beneficial? You bet! Banks simply have to remind customers to always contact the bank following an SMS, but to use the number on their debit card or a known trusted source (bank's website, phone book, bank statement, etc.). Banks also have to accept that this is for Fraud Notification only; if customers start getting non-fraud-related notifications, they'll grow lax and be more likely to succumb to a targeted phishing attack.
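As an added example (not from the original post, and not any real bank's code), here is a small policy gate in Python that an alerting service could put in front of its SMS sender to enforce the two rules above: only genuine fraud events go out, and the message never carries a phone number, link or "reply to" prompt that a customer could be trained to act on. It also covers a detail the scenario hints at: the merchant or ATM descriptor in an alert comes from the card network, so a callback number smuggled into that field would look exactly like the bank's own text unless the body is checked after rendering. The event kinds, templates and the digit-run heuristic are my own assumptions.

```python
import re
from dataclasses import dataclass

# Constructed policy for outbound fraud alerts. Event kinds, wording and the
# thresholds below are assumptions for illustration, not any bank's real rules.

# Only events that are fraud indicators may generate an SMS. Balance updates,
# promotions and the like are refused so the channel keeps its meaning.
FRAUD_EVENT_KINDS = {"atm_withdrawal_flagged", "card_used_at_compromised_merchant"}

# The only instruction an alert may carry: a source the customer already holds,
# never a number or link inside the message itself.
CALL_TO_ACTION = "If this was not you, call the number on the back of your card."

TEMPLATES = {
    "atm_withdrawal_flagged":
        "Fraud alert: {amount} withdrawn at {time} in {location}. Ref {reference}.",
    "card_used_at_compromised_merchant":
        "Fraud alert: your card was used for {amount} at {location} on {time}. Ref {reference}.",
}

# Heuristics for content that must never reach the customer. A run of ten or
# more digits (separators allowed) looks like a dialable number; short runs such
# as an amount, a time or a reference number pass.
_DIGIT_RUN = re.compile(r"\d[\d\-\s().]*\d")
MAX_DIGITS_IN_RUN = 9
_URL = re.compile(r"(https?://|www\.|\b[a-z0-9-]+\.(com|net|org|ca|info)\b)", re.IGNORECASE)
_REPLY_PROMPT = re.compile(r"\b(reply|text)\b", re.IGNORECASE)


class AlertPolicyError(ValueError):
    """Raised when an alert would break the outbound SMS policy."""


@dataclass(frozen=True)
class AccountEvent:
    kind: str
    amount: str      # already formatted, e.g. "$120"
    location: str    # merchant/ATM descriptor: untrusted, supplied by the network
    time: str
    reference: str


def body_violations(text: str) -> list[str]:
    """Return the reasons a rendered SMS body breaks the policy (empty if clean)."""
    reasons = []
    for run in _DIGIT_RUN.findall(text):
        if sum(ch.isdigit() for ch in run) > MAX_DIGITS_IN_RUN:
            reasons.append(f"possible phone number: {run.strip()!r}")
    if _URL.search(text):
        reasons.append("contains a link or domain")
    if _REPLY_PROMPT.search(text):
        reasons.append("asks the customer to reply or text back")
    return reasons


def render_body(event: AccountEvent) -> str:
    """Fill the per-kind template; the call to action is appended unconditionally."""
    return TEMPLATES[event.kind].format(**vars(event)) + " " + CALL_TO_ACTION


def policy_violations(event: AccountEvent) -> list[str]:
    """Check the event kind, then the fully rendered text (untrusted fields included)."""
    if event.kind not in FRAUD_EVENT_KINDS:
        return [f"event kind {event.kind!r} is not a fraud indicator"]
    return body_violations(render_body(event))


def render_alert(event: AccountEvent) -> str:
    """Render the SMS, or raise AlertPolicyError rather than send a risky message."""
    problems = policy_violations(event)
    if problems:
        raise AlertPolicyError("; ".join(problems))
    return render_body(event)


if __name__ == "__main__":
    # Constructed events; the second carries a callback number in the merchant
    # descriptor and must be refused, since a customer cannot tell it apart from
    # the bank's own wording.
    ok = AccountEvent("atm_withdrawal_flagged", "$120", "Palo Verde, CA", "2:51pm EST", "293005")
    print(render_alert(ok))
    tainted = AccountEvent("card_used_at_compromised_merchant", "$500",
                           "ACME STORE CALL 1-800-555-0100", "03.10.08", "293006")
    print(policy_violations(tainted))
```

The check runs on the rendered text rather than on the template so that every field, trusted or not, is covered by the same rule; a rejected alert should be routed to a human follow-up rather than dropped silently, since the underlying fraud event is still real.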

So thoughts... SMS Fraud Notification -- Good or Bad? Beyond that would you pay for the option or only take advantage of it if it were free?