Who are you?

I received a telephone call yesterday on my mobile (cell) phone.  The display showed that the incoming number was withheld.  I answered the call and the lady on the other end explained that she was from the credit card company.  She went on to explain that for her to continue I had to answer some security questions.  ‘Was that OK?’ she asked.  I paused and then replied ‘I am afraid not.  Can you prove who you are and where you are calling from?’.  Why would I present an unknown party with information relating to my identity and possible financial issues?  The caller explained that she could not but went offline to identify with someone else what could be done to continue.

About a minute later she returned and explained that they would just like to know my DOB and postcode and then they would be able to update me on a number of transactions that they wanted to check.  As both of these pieces of information are already in the public domain I agreed and we continued.  The result of the telephone call was that I became reassured that they were paying attention to my account activities and they had provided me with a good service.

There is a straightforward expectation among many organisations and service providers that, as they are contacting you, the customer, you should authenticate yourself to them, the unknown party.  I have seen the same thing when working with clients and conducting exercises on social engineering to review security policies.

Remember to ask ‘Who are you?’ and ‘Can you prove that?’; otherwise it might cost you or your organisation more than you expected.

~ by Simon Hancock on June 19, 2008.

One Response to “Who are you?”

  1. I must say this is a great article. I enjoyed reading it. Keep up the good work :)
