
Growing support for greater authentication measures...
Published: 12 January 2005 15:15 GMT
With phishing attacks on the increase, there has been growing support for the introduction of 'verbal signatures' for two-way authentication between banks and their customers, as suggested by silicon.com.
A number of banking customers have become concerned about the apparently random methods used by some banks to contact them, with unsolicited calls singled out as a source of confusion in these days of phishing, where criminals, typically posing as banks, attempt to trick users into divulging details such as passwords and log-ins.
Banks appear to be increasingly contacting customers by SMS or by automated phone call, often asking them to dial back on a given number where they are asked for varying levels of personal information. Similarly, cold calls are made to customers where they are again asked to prove they are the named customer on the account, with no similar level of authentication coming the other way.
The institutions involved have included banks such as Egg and LloydsTSB. One silicon.com reader contacted us with the following example.
"Someone phoned me claiming to be from the Co-Op Bank and immediately asked for answers to security questions. I complained to the Co-Op Bank, pointing out the phishing risk and the need to educate customers not to reveal their security information to cold callers, but the Co-op Bank could see nothing wrong with their phone call."
Richard Allan, Lib Dem MP for Sheffield Hallam and member of the All Party Internet Group, agrees that more needs to be done and supports silicon.com's calls for greater authentication.
"We need to keep ahead of the fraudsters and this issue of calls appearing requesting personal identification details is a potentially serious security hole the fraudsters are likely to exploit. Banks should act now before we see a wave of phishing calls that lead to customers rejecting all calls from their bank."
Allan agrees that requiring banks to use 'verbal signatures', such as those used by customers, would ensure two-way authentication. It is no 'silver bullet' to combat fraud, but it is certainly an improvement on the current system.
"The use of passwords would certainly provide an immediate improvement in the level of security," said Allan. "This should be a specific password for the bank to use when calling you and not part of your normal secure personal identifiers."
silicon.com readers have also written in expressing support for the scheme, saying customers of many businesses, not just banks, are commonly expected simply to believe the person on the other end of the phone.
silicon.com reader Kevin Inskip said: "I am in total agreement. I was contacted by British Gas late last year. They wanted bank account details to start collecting premiums for maintenance. I caused them great consternation by refusing until they had satisfied me that they were not a phisher. It took three or four phone calls either way and considerable time on my part before I was satisfied they were genuine."
"Passwords working both ways would seem to be an easily understood and workable solution," he added.
Independent computer crime expert Neil Barrett sympathises with the banks to an extent, saying "their hands are tied by money-laundering laws", which mean they have to check all anomalous transactions with customers, and this requires some element of cold calling.
However, Barrett agrees there needs to be more two-way dialogue in ensuring the authenticity of both parties taking part in such calls and believes a three-fold "password, counter-password, counter-counter-password" system would prove most effective.
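The three-step exchange described above can be modelled as follows. This is an added example, not part of the original article or of any bank's procedure. The secret words, the function names and the assignment of each step to a speaker (bank, customer, bank) are assumptions made for illustration.

```python
import hmac

# Constructed sample secrets agreed in advance. The article gives no values;
# per Allan's point, the bank's words are separate from the customer's
# normal personal identifiers.
GENUINE = {
    "bank_password": "heron",         # step 1: spoken by the calling bank
    "customer_password": "granite",   # step 2: spoken by the customer
    "bank_confirmation": "lantern",   # step 3: spoken by the bank
}
# Assumed order: the party who initiated the call proves itself first.
STEPS = [("caller", "bank_password"),
         ("callee", "customer_password"),
         ("caller", "bank_confirmation")]

def _same(spoken, expected):
    # Constant-time comparison of normalised spoken words.
    return hmac.compare_digest(spoken.strip().lower().encode(),
                               expected.strip().lower().encode())

def run_call(caller_knows, callee_knows):
    """Walk through one call.

    Each argument maps secret names to the words that party can say.
    Returns (outcome, disclosed), where disclosed lists the genuine
    secrets each side had spoken aloud by the time the call ended.
    """
    parties = {"caller": caller_knows, "callee": callee_knows}
    disclosed = {"caller": [], "callee": []}
    for speaker, name in STEPS:
        spoken = parties[speaker].get(name, "")
        if not _same(spoken, GENUINE[name]):
            # The listener ends the call; nothing further is spoken.
            return "stopped at " + name, disclosed
        disclosed[speaker].append(name)
    return "both sides authenticated", disclosed

BANK = dict(GENUINE)      # the genuine bank knows all three words
CUSTOMER = dict(GENUINE)  # so does the genuine customer
IMPOSTOR = {}             # a cold caller, or someone else answering the phone

if __name__ == "__main__":
    for label, a, b in [("genuine call", BANK, CUSTOMER),
                        ("impostor calls customer", IMPOSTOR, CUSTOMER),
                        ("bank reaches wrong person", BANK, IMPOSTOR)]:
        print(label, "->", run_call(a, b))
```

In this model a caller who cannot give the first word learns nothing from the customer, and a bank that reaches the wrong person has spoken only the first word, with the third still unrevealed.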
At least Egg and LloydsTSB call to check out of the...
David Barker
Although I agree that this is a good step it makes...
nick coster
Nick I think you missed the point in the article. ...
Misha
I think Nick still has a relevant point, static se...
Rob
Misha I didn't miss the point but my second line d...
--nick c