A Bank Should Authenticate With You - And Vice Versa

Antonin J. (they/them) - Aug 16 '19 - - Dev Community

I don't often see security-related articles on dev.to so I might as well get started.

A while back, I saw a tweet from Troy Hunt about having a bank authenticate with him over the phone as well as the other way around. I think about that tweet a lot and recently, I was in a situation where that type of thinking came in handy.

How we authenticate with services over the phone

You know how it is, you call your bank or your internet provider and they ask you a series of questions:

  1. What are the last 4 digits of your SSN?
  2. What's your address?
  3. First and last name on the account?
  4. Last 4 digits of your bank account number?

We provide some of this information, sometimes several times, which gets frustrating.

It gives our bank, service provider, or whomever a reasonable-enough amount of trust that you are who you say you are.

Online, on the other hand, you do this by providing your username and password. Or when you forget your username, you might get a reset email. Again, the service provider or bank trusts that your email is a trustworthy method of authentication.

(Side note: some banks may require extra online authentication for a password reset, like your debit card information.)

But how do services authenticate with us?

Let's start with online services. This one is easy. SSL.

Yeah, SSL. We trust that little lock in the top left next to the URL to tell us that we're not on a site that merely looks like our target site (check out dev.to's certificate!). SSL works in a funny way.

Browsers trust certain certificate authorities and ship with their public keys. Anyone such an authority vouches for, by signing their certificate, the browser trusts as well. It's a chain of trust! When you initiate a connection, the browser checks the site's certificate against that chain, and tells you whether the connection is secure, who issued the certificate, and for which domain.

Here's the thing: banks and other entities can get a more thoroughly vetted SSL certificate (an Extended Validation certificate), which in turn displays their information directly in the browser! Go to your bank's site and check out the address bar. You'll notice the bank's full legal name right there in the address bar! If you click through, you'll even get their address.

Easy verification that you're on the right site.

But how does a bank or a provider authenticate with you over the phone?

They don't, do they?

The problem with unauthenticated phone calls

Here's the thing. My wife's bank called her yesterday to verify something (a new account opening) and they asked her a verification question: how many accounts do you currently have open with the bank? She answered, and it didn't match what the person on the phone saw on their screen. Red flag. BIG red flag. I seriously expected them to start asking more personal questions (full SSN, full debit card number, etc.).

We looked up the phone number online and received mixed reports. The phone number was listed as a scam. Other times, it was listed as an official number. Which was it? More importantly, it could've been spoofed! (just like you can spoof emails!).

So what do you do? We confronted the caller. We asked her, "How do we know you're from the bank?" And she was taken aback. She insisted she was with the bank.

How could we know, however? How can a bank authenticate with us without divulging very important information? And how can we authenticate with a bank without divulging very important information to the wrong party?

Phone authentication methods

Eventually, the caller came up with an idea. She gave us the timestamp of when my wife applied to open the account. Day, hour, minute. Not super important information, but it proved it was the bank. The account mismatch (the original authentication question) happened because you can have an active but closed account. Or an inactive but open account. And we moved forward.

Here are some other methods I've seen:

  1. Authentication PINs. You set one for yourself and one for the service provider. During a phone call, you authenticate with basic info (address, name, etc.) and then exchange PINs.
  2. Simultaneous online authentication. A PIN appears on your screen and on theirs during the conversation. The upside is that this has to be triggered by the service provider.
  3. Unimportant but private information exchange. The caller telling my wife when she applied for the account was proof enough, for example.
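Scheme 1 taken a step further, as an added example that is not from the original post: instead of reading the two PINs aloud (which hands them to whoever is actually on the line), each side proves knowledge of its PIN with a challenge-response, and the caller, being the unauthenticated party, has to go first. The PIN values, party names and the 6-digit truncation are constructed for illustration.

```python
import hmac
import hashlib
import secrets
from dataclasses import dataclass

# Constructed example PINs. In practice each side sets its own PIN out of
# band (at the branch or in the online banking portal) and never reads it
# aloud on a call; only the per-call response below is spoken.
CUSTOMER_PIN = "4821"   # the customer proves themselves with this one
BANK_PIN = "7359"       # the bank proves itself with this one


def respond(pin: str, challenge: bytes) -> str:
    """Prove knowledge of `pin` without disclosing it: HMAC-SHA256 over the
    other side's fresh challenge, truncated to 6 digits so it can be read
    aloud. Replaying a code is useless because the challenge changes."""
    mac = hmac.new(pin.encode(), challenge, hashlib.sha256).digest()
    return f"{int.from_bytes(mac[:4], 'big') % 1_000_000:06d}"


def verify(pin: str, challenge: bytes, response: str) -> bool:
    # Constant-time comparison so a wrong digit is not timing-detectable.
    return hmac.compare_digest(respond(pin, challenge), response)


@dataclass
class Party:
    name: str
    own_pin: str    # the PIN this party proves with
    peer_pin: str   # the PIN this party expects from the other side


def phone_call(caller: Party, customer: Party) -> dict:
    """Model the call. The unauthenticated caller must prove it is the bank
    first; the customer only answers their own challenge after that passes."""
    # Step 1: the customer challenges the caller with a fresh nonce.
    c1 = secrets.token_bytes(8)
    caller_ok = verify(customer.peer_pin, c1, respond(caller.own_pin, c1))
    if not caller_ok:
        return {"bank_authenticated": False, "customer_authenticated": False}
    # Step 2: only now does the bank challenge the customer.
    c2 = secrets.token_bytes(8)
    cust_ok = verify(caller.peer_pin, c2, respond(customer.own_pin, c2))
    return {"bank_authenticated": True, "customer_authenticated": cust_ok}


real_bank = Party("bank", own_pin=BANK_PIN, peer_pin=CUSTOMER_PIN)
customer = Party("customer", own_pin=CUSTOMER_PIN, peer_pin=BANK_PIN)
impostor = Party("impostor", own_pin="0000", peer_pin="0000")  # knows neither PIN
```

With an impostor on the line the call stops at step 1, so the customer never gets asked anything.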

Have you had any similar experiences?

Whenever someone calls me these days, I immediately look up unknown numbers and I tend to be skeptical whenever the caller claims to know me somehow (like a bank, or electric company, or whomever). How about you?

Credit for cover goes to Tomasz Frankowski
