Why do financial institutions insist on pretending to be identity thieves? I just made a big purchase on my Discover Card, and to verify the transaction they left a message on my answering machine telling me to call a number that’s not listed on my card or their website. (1-800-347-4996) Indeed, without calling Discover, their phone company, or the police, there’s no good way to track a random toll-free number. (It’s a little more dangerous for a crook to set up a nefarious number than a nefarious website, but it can be done.)
The irony is that Discover’s website has a quiz on the front page, where one of the questions involves a phishing attack identical to what Discover itself did, except that it’s done through email rather than the phone.
It’s not just Discover. This behavior is rampant among financial institutions. My retirement account (through Charles Schwab) has an option to send monthly reminders to check your online statement. The email has an embedded link, so you can click on it rather than typing the URL into your web browser. That is exactly the behavior you shouldn’t engage in, since the link may lead to an imposter site.
The reason they do this, of course, is that your security isn’t their priority. They’re not to blame if you fall for an imposter: except for training you to fall for the trick, they’re not even involved.
Actually, that’s not quite true. Credit card companies are on the hook for all but $50 from a fraudulent transaction. So Discover should be trying to prevent this sort of attack. Why don’t they? For one thing, it’s not a common attack yet. But the root cause is more subtle.
Companies secure assets, information, and transactions. Thieves attack the weakest link in an ecosystem. Companies worry about their own infrastructure and how people interact with it. Imposters aren’t part of that world: they create their own faux world. Banks aren’t used to worrying about how customers can verify the bank’s identity. Typically you know it’s your bank because you walked into it, or called the number printed on your statement. That’s not a safe assumption now, if it ever was.
More important, security often consists of reacting to known attacks rather than preventing potential attacks. In many cases that’s a good thing, since attackers won’t try something novel unless the tried-and-true stops working, and you can waste a lot of time preventing imaginary threats. With credit card theft, tricks that worked decades ago work just as well today. But identity theft is still evolving, and the preventative measures (in this case, using the same phone number for all incoming calls) are cheap and easy.
(Computer security has the opposite dynamic: preventing whole classes of potential attacks is usually more fruitful than fighting known attacks. That’s because an attack can go from being unknown to being common in a matter of hours. And attacks need to be novel, since once a security hole is patched, it is fixed permanently.)
For the record, I called 1-800-DISCOVER, which is the number printed on my credit card, and had an agent transfer me to the fraud prevention department.