Practicing security

Last week I was stuck a night in Frankfurt due to the high winds. Soon after I settled into the 17th floor of the Holiday Inn, gusts screaming round the building, I got a call on my mobile. I thought it would be my taxi driver confirming the time for the re-booked flight the next day, but instead there was an unfamiliar voice:

“This is HM Revenue and Customs, we have a message for you, but first can we confirm your name and address”

Actually, name and address to phone number is not that secret, but still I asked:

“How do I know you are who you say you are?”

“If you prefer you can ring back on …. it is to your advantage”

I checked that it would be OK to ring the next day on my return and rang off … I didn’t say (life is too short) that being given a number to ring back does not increase my confidence unless I can verify it.

In fact the next day I checked on the HMR&C site and the number was their helpline. However, this call had many hallmarks of a fraudulent call: how could I, or a less technically aware citizen, know this was a good call? In this case the information requested was relatively innocuous (but of course could easily continue, “and date of birth … bank details …”) and the phone number given was an 0845 number which costs the recipient money … either genuine or high-value fraud. Of course, if I was fraudulently ringing up people pretending to be HMR&C, at any sign of trouble giving the genuine helpline number would be just what I would do to allay suspicion!

It is not just HMRC that make calls like this; banks and credit card companies are forever ringing up and asking you to confirm your identity … and that usually does include giving some form of security code. But they have rung you up, so have more confidence in who you are than you do in them, yet never offer any means to confirm their identity.

Email too: I have received various mails from banks which look very like phishing emails. In one case I received an email where the domain of the sender was different from the domain of the reply email and different again from the domain of the URL link. It goes without saying that none of these were the same as the standard domain of the bank. In this case the only reason I knew it was not phishing was that it offered information and did not request anything secure.

By sending emails and making phone calls that are virtually indistinguishable from fraudulent ones, the banks (and even HMR&C) are training us to be victims of fraud.

Literally we are encouraged to practice being insecure.