Wednesday, March 31, 2004
(Unintentional) phishing - the problem is that most users are all too eager to divulge their details
Banks in the UK are currently rolling out a system intended to reduce credit/debit card fraud by requiring customers to enter a PIN into a card reader instead of signing a receipt - the idea is that PINs are more private and secure because they cannot be forged and never get written down or otherwise made visible to fraudsters.
But there's a human tendency worth considering when rolling out this kind of system, and it's the same tendency that means many people will respond to emails asking for their login details (see below). The problem is that when we are asked a direct question, we tend to answer it, especially if it is asked in the right context. So when I made a payment at a store that had a card reader the other day, the salesperson asked "Do you know your PIN?" to which I said no, and signed a receipt instead. But apparently a typical response to that question is "yes, it's 9492" or whatever... so much for PINs being secure and private! And this isn't the only area with this problem - I know because I've done it myself. My last call to my telephone banking service had the operator ask "Do you know your telephone PIN?" to which I replied "yes, it's XXXX", and then realised they were only going to ask me 2 specific digits from it.
Of course the real lesson here is for the retailers and operators - don't ask leading questions that might lead to people divulging their PIN or other security details. The proper cue should be something like "If you know your PIN...".