Commentary

Giving personal data by phone to verify identity an archaic practice

Better methods are available; firms should not perpetuate an unsafe cyber security practice

How do I know you are who you say you are?

It is a question many consumers do not ask often enough when approached over the phone or via e-mail for their personal details or to transfer funds.

Identity verification is a standard procedure when consumers call, say, their banks to ask for a finance-charge waiver or credit-limit increase. Banks deem it necessary to ask for consumers' NRIC number, 16-digit credit card details or telephone PIN to prove who they are - to counter the increasing threat of fraud.

Consumers, however, are more trusting when they are being called. When their callers or e-mail senders claim to be from a certain company or government agency, many would give out personal information without verifying the other party's identity. The evidence is in the rising online scam rate.

In August, the police, in announcing Singapore's mid-year crime figures, said that e-mail impersonation scams rose 30 per cent to 160 cases in the first half of this year, from 124 cases in the same period last year. The total amount cheated also grew 25 per cent to $21.9 million in the first half of this year, from $17.4 million in the same year-ago period.

Such scams usually involve hacked or spoofed corporate e-mail accounts used by scammers to trick unsuspecting victims into transferring money to a bank account used for fraudulent purposes.

Dr Lim Boon Leng, a psychiatrist at Gleneagles Hospital, said in an article in The Straits Times in August that Singaporeans are predisposed to such scams as "we tend to trust... the authorities, and are more easily taken in when a scammer pretends to be one".

Photo caption: Instead of asking customers to give personal data such as NRIC and credit-card numbers over the phone, a workaround is to use biometric authentication. ST PHOTO: DIOS VINCOY JR

It does not help that legitimate companies are perpetuating an unsafe practice by asking customers for verification details over the phone even when the firms initiated the call.

I received a call from a bank marketing an insurance product a few months ago. I was told that I would get a promotional rate if I signed up over the phone, and I was asked for my NRIC number among other personal information.

"How do I know you are who you say you are?" was my reply to my caller, presumably a bank sales employee.

Indeed, there is no way of verifying the caller. He did not get any information from me but gave me his name and asked me to visit the bank's road show at Parkway Parade mall.

Banks are required to verify customers' identity before signing them up for any products. But asking for personal information over the phone - when the call is not initiated by the customer - is an archaic practice.

Consumers should not be encouraged to divulge confidential details to random callers or e-mail senders. In fact, this practice must be outlawed to be consistent with the cautionary messages in cyber security campaigns: do not freely click on Web links in e-mails, or give out confidential information to random callers or e-mail senders even if they appear legitimate.

Some firms like UOB and Amex have experimented with automated calls that ask customers to call back the organisation's publicly listed hotline. This is a safer workaround, but it does not seem to sit well with some customers.


The automated message is vague, saying only that there is "a problem with your account" or "an urgent message". Such calls are usually reminders of overdue payments, which customers find out only when they call the hotline.

Some customers wonder why an SMS reminder is not good enough. Others mistook the automated calls for a social engineering attempt to trick them into giving out personal information.

The best workaround by far could be biometric authentication. For instance, Citibank records customers' voice patterns with their permission and automatically verifies customers over the phone without asking for any personal details. How accurate voice-matching is with today's technology is not known.

And I presume a human officer is handling all the calls to make sure that a scammer is not playing back a recorded voice message.

There is a need for consistency in the messaging to consumers so they do not continue to fall prey to scams. Firms should not be allowed to perpetuate an unsafe cyber security practice. Better authentication methods such as voice recognition are available. They should be used instead.

A version of this article appeared in the print edition of The Straits Times on October 11, 2017, with the headline 'Giving personal data by phone to verify identity an archaic practice'.