The study assessed whether researchers could access financial
services through bank-run call centres when they were unable to
provide a password – the most commonly used call centre
security tool.
The study found that call centre agents at nearly half (9 out of
20) of the financial institutions investigated – which in total
offer services to more than 20 million people in the UK – could
simply be coaxed into accepting less stringent identity checks from
callers claiming to have forgotten their personal
passwords.
These included requests for alternative data such as a landline
phone number for the account holder, mother’s maiden name or recent
direct debit details.
In the case of three financial institutions that provide
personal credit cards, no security password was required at all to
conduct a balance transfer of £500.
Intervoice Director David Noone described the findings as
shocking.
“The problem is that call centre staff are trained to be helpful
and in their efforts to avoid customer frustrations will readily
offer up alternative security checks,” he said. “This is often with
questions relating to personal data on the account holder that
could be second sourced in the most extreme cases through stolen
bags or in the simplest form through internet research.”
He warned that in their rush to prevent fraudsters gaining
access to accounts over the internet or through computer viruses,
financial institutions had turned their back on telephone
fraud.
“This has become one of the easiest back doors for criminals to
conduct fraud. The Intervoice study shows that passwords may have
had their day in call centres,” added Noone.