Simple Security Screwups: Chase Fraud Customer Support (SSS file)
September 26, 2017
Since my main "theme", if you will, is that security can never be divorced from people behaviors, I figured why not start "writing em when I see em".
I'm gonna call them "Simple Security Screwups" because it sounds cute to my untrained, non-marketer's ear.
So here is one from the other day.
Our culprit today: Chase Banking.
Not the online site, but plain ol' boring customer support over the phone, and more explicitly, the fraud department.
I recently had the occasion to receive a couple of calls from them, and what I found particularly interesting in this context is how they conducted the call - their script, if you will.
Because here is what they do: they call you from some 800 number, and then ask you to validate that you are you. The way they do that is by asking you questions about yourself that supposedly only you should know. They literally start with a line along the lines of "to make sure that you are the person we want to talk to..."
Do you see the problem here?
If not, don't worry, I'll eventually train you to spot these things (obligatory book reference: I have all sorts of examples there, too).
You see, if I'm a scammer, I now have the perfect opportunity to get sensitive information about people. Why? Because all I need to do is open an 800 number that looks legit (or even similar to the one Chase has except for 1 digit), and then start calling people at random following the Chase validation script! When I get a Chase customer, I can then ask them all sorts of "validation questions", and obtain the sensitive information I need for me to then call Chase myself, pretend that I'm them, and steal their money.
And why should this work, you ask?
Because Chase themselves have trained their customers to expect their fraud calls to proceed along these lines. Their script has made people more susceptible to social engineering.
Let me repeat that: Chase's fraud department has set up a phone script that trains people to be more likely to be defrauded - explicitly with respect to their Chase bank accounts, no less.
Designing the script in a better way is easy - a basic two-way challenge-response scenario would work far better, for example.
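To make that two-way challenge-response concrete, here is an added example (my own sketch, not anything Chase actually runs). It assumes that the customer's authenticated banking app and the bank share a per-customer secret, enrolled out of band, and that both sides derive short codes from it with HMAC. The order is the whole point: the caller has to answer the customer's challenge first, and the customer reveals nothing until that check passes. A caller who follows the same script but lacks the secret is hung up on before any "validation question" is asked.

```python
import hashlib
import hmac
import secrets

# Constructed sample data: each customer's authenticated banking app shares a
# per-customer secret with the bank (assumption: enrolled out of band).
CUSTOMER_SECRETS = {"cust-001": b"constructed-shared-secret-for-cust-001"}


def code_for(secret: bytes, purpose: str, challenge: str) -> str:
    """Derive an 8-hex-digit response to a challenge with HMAC-SHA256.

    The purpose tag keeps bank-side and customer-side responses distinct, so a
    response captured in one direction can never be replayed in the other.
    """
    msg = f"{purpose}:{challenge}".encode()
    return hmac.new(secret, msg, hashlib.sha256).hexdigest()[:8]


class Caller:
    """The party placing the call. Only a genuine bank agent holds the real secret."""

    def __init__(self, customer_id: str, secret: bytes):
        self.customer_id = customer_id
        self.secret = secret
        self.pending = None

    def prove_identity(self, customer_challenge: str) -> str:
        # Step 1 of the script: answer the customer's challenge.
        return code_for(self.secret, "bank", customer_challenge)

    def challenge_customer(self) -> str:
        # Step 2: a fresh random challenge for the customer to answer.
        self.pending = secrets.token_hex(8)
        return self.pending

    def verify_customer(self, response: str) -> bool:
        expected = code_for(self.secret, "customer", self.pending)
        return hmac.compare_digest(expected, response)


class CustomerApp:
    """The customer's authenticated app, which can compute the same codes."""

    def __init__(self, customer_id: str):
        self.secret = CUSTOMER_SECRETS[customer_id]
        self.pending = None

    def challenge_caller(self) -> str:
        self.pending = secrets.token_hex(8)
        return self.pending

    def verify_caller(self, response: str) -> bool:
        expected = code_for(self.secret, "bank", self.pending)
        return hmac.compare_digest(expected, response)

    def answer(self, caller_challenge: str) -> str:
        return code_for(self.secret, "customer", caller_challenge)


def run_call(caller: Caller, app: CustomerApp) -> str:
    """Two-way flow: the caller proves itself first; the customer gives nothing until then."""
    # Step 1: the customer challenges the caller and the app checks the reply.
    r1 = caller.prove_identity(app.challenge_caller())
    if not app.verify_caller(r1):
        return "hang up: caller could not prove it is the bank"
    # Step 2: only now does the caller challenge the customer.
    r2 = app.answer(caller.challenge_customer())
    if not caller.verify_customer(r2):
        return "bank ends call: customer did not verify"
    return "verified both ways"


def genuine_agent(customer_id: str) -> Caller:
    return Caller(customer_id, CUSTOMER_SECRETS[customer_id])


def impostor(customer_id: str) -> Caller:
    # Follows the same script but holds no valid secret (constructed value).
    return Caller(customer_id, b"constructed-guess-not-the-real-secret")


if __name__ == "__main__":
    app = CustomerApp("cust-001")
    print(run_call(genuine_agent("cust-001"), app))  # verified both ways
    print(run_call(impostor("cust-001"), app))       # hang up: caller could not prove it is the bank
```

The shared secret stands in for whatever the real bank already has in its authenticated channel (the app, or a code sent to the number on record). What matters for the script is that the customer can check the caller against that channel before answering anything, and that the codes in each direction are bound to a purpose so one side's answer cannot be recycled as the other's.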
Chase is bad at this in other ways, too. For example, they ask you for the phone number they should send validation codes to, instead of using the number stored in their system. I can go into all this at a different time, but my main point is that this is happening all around us.
We, the supposed security pros, keep teaching people how to behave insecurely. And then we're shocked that they do.