The study assessed the ability of researchers to access financial services through the bank-run call centres if they were unable to provide a password – the most commonly used call centre security tool.
The study found that call centre agents at nearly half (9 out of 20) of the financial institutions investigated – which in total offer services to more than 20 million people in the UK – could simply be coaxed into accepting less stringent identity checks from callers claiming to have forgotten their personal passwords.
These included requests for alternative data such as a landline phone number for the account holder, mother’s maiden name or recent direct debit details.
In the case of three financial institutions that provide personal credit cards, no security password was required at all to conduct a balance transfer of £500.
Intervoice Director David Noone described the findings as shocking.
“The problem is that call centre staff are trained to be helpful and in their efforts to avoid customer frustrations will readily offer up alternative security checks,” he said. “This is often with questions relating to personal data on the account holder that could be second sourced in the most extreme cases through stolen bags or in the simplest form through internet research.”
He warned that in their rush to prevent fraudsters gaining access to accounts over the internet or through computer viruses, financial institutions had turned their back on telephone fraud.
“This has become one of the easiest back doors for criminals to conduct fraud. The Intervoice study shows that passwords may have had their day in call centres,” added Noone.