I found a charge this morning on my bank account statement. I called to report the activity and the customer ‘service’ agents seemed sketchy as hell. They started by asking for my social security number. This is not an ID number. You don’t have the authorization to use it as such. They ask for my account number. Ok, not a big deal. Just a string of numbers. They ask for my name. I give them my first. They ask for my last. I provide it. But by this point I’m feeling a bit unsecure, and it just gets worse.
I have no assurances that my phone call went to where my call went. I don’t have a land line, so I had to use a cell. Not the most secure form of communication, but good enough for 95% of my communication needs. I ask the woman for some form of proof. She says, “I am Stephanie Stupid,” (names changed to protect the retarded, and I forgot them) “and I work for Chase.” I roll my eyes and say, no, I mean actually provide me some information that I couldn’t just make up on the spot.
She got irate and asked me for more identification information. I said that I would just wait the one hour and go into a bank branch. This seemed to irritate her and she tried to get me to give her more information. This was irritating. Chase needs to have a two-way, two-factor authentication system. They don’t have a procedure for creating verified secure connections between customers and representatives.
This could be cheap and easy to implement. Hell, I just thought of a solution that would have solved the problem in the last 30 seconds of thinking about it. It would cost $0 and thwart a lot of phishing attempts. If someone was unsure of the source of the communication, they could request the representative give them the last three digits in the amount of the last processed transaction after providing a basic amount of non-name information (account number or social).
This wouldn’t violate the account owner’s privacy in the event that the bank failed to further authenticate, since one only knows a number between 0 & 1,000 representing a transaction. That doesn’t provide the total dollar amount, doesn’t provide the party to the transaction, and doesn’t give the date. This would provide a built-in two-factor authentication similar to Bank of America’s “find the photo” feature that has the bank display something after you enter your username but before you enter your password.
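The exchange described above, modelled from both sides as an added example that is not part of the original post. The ledger, account numbers and function names are constructed for illustration; taking the three digits from the amount in cents and allowing the representative a single attempt are assumptions the post does not specify.

```python
import hmac
from decimal import Decimal
from typing import Optional

# Constructed sample ledger: account number -> processed amounts, oldest first.
LEDGER = {
    "000123456789": [Decimal("18.40"), Decimal("1204.37")],
    "000987654321": [Decimal("5.00")],
}

def last_three_digits(amount: Decimal) -> str:
    """Last three digits of the amount counted in cents (assumption), zero-padded."""
    cents = int((amount * 100).to_integral_value())
    return f"{cents % 1000:03d}"

def representative_answer(account_number: str) -> Optional[str]:
    """Bank side: answer the customer's challenge from the real ledger."""
    history = LEDGER.get(account_number)
    if not history:
        return None  # unknown account or no processed transactions yet
    return last_three_digits(history[-1])

class CustomerCheck:
    """Customer side: compare the spoken digits with their own statement."""

    def __init__(self, own_last_amount: Decimal, max_attempts: int = 1):
        self._expected = last_three_digits(own_last_amount)
        self._remaining = max_attempts  # assumption: no second guesses

    def verify(self, spoken: Optional[str]) -> bool:
        if spoken is None or self._remaining <= 0:
            return False
        self._remaining -= 1
        return hmac.compare_digest(spoken.encode(), self._expected.encode())

def blind_guess_success_rate(own_last_amount: Decimal) -> float:
    """Share of the 1,000 possible answers that pass without ledger access."""
    expected = last_three_digits(own_last_amount)
    return sum(f"{g:03d}" == expected for g in range(1000)) / 1000

if __name__ == "__main__":
    check = CustomerCheck(Decimal("1204.37"))
    print("representative says:", representative_answer("000123456789"))
    print("customer accepts:", check.verify(representative_answer("000123456789")))
    print("blind guess rate:", blind_guess_success_rate(Decimal("1204.37")))
```
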