How do I know you are who you say you are?
I had a marketing call from a credit card company whose card I have the other day. They wanted to tell me about an offer that was tailored specifically for me. But before they could tell me about it, they wanted me to confirm my postal code.
I said “uh, no”.
Then they said “umm.. ok. Could you confirm the last four digits of your phone number then?”
I said “No… you know what my phone number is because you called me on it.”
They said “I can’t go into the offer without confirming one of the security questions.”
“I guess we’re at an impasse.”
We had a short discussion about why I wasn’t prepared to answer security challenges when they called me out of the blue. In this day and age of identity theft, a clever Bad Guy with some information about you could impersonate your bank/credit card company/utility company and ask you to confirm your identity by answering a security challenge. If you fall for it and answer the questions, now the Bad Guy has everything he needs to impersonate you to your bank/credit card company/utility company.
How it should work is that the bank calls you and you ask them for a piece of information that unambiguously identifies them as being who they say they are. Assuming they provide the correct piece of information, you then know they are who they claim to be.
So, how do you actually do this?
One way would be for the bank (or whoever) to send you a two-factor authentication token. Whenever they call you, you poke the button on it and ask them to give you the number. If the number matches what your token says, then you know they are who they say they are.
Now, the token doesn’t have to be a physical gadget. It could be a feature in the bank’s app or web portal that you could quickly access to get the number. But it has to be something that only you and the bank know about.
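As an added example (not part of the original post), here is the token scheme above worked out with an RFC 4226 HOTP counter: the bank and the customer share a secret, the bank reads out the code for its next call, and the customer's token does the checking. The class names and the shared secret are my own construction (the secret is the RFC 4226 test-vector key).

```python
import hashlib
import hmac
import struct


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the 8-byte big-endian counter, then dynamic truncation."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


class BankDialer:
    """Bank side (hypothetical): per-customer secret plus a counter bumped on every outbound call."""

    def __init__(self, secret: bytes):
        self.secret = secret
        self.calls_made = 0

    def code_for_call(self) -> str:
        code = hotp(self.secret, self.calls_made)
        self.calls_made += 1
        return code


class CustomerToken:
    """Customer side (hypothetical): the issued gadget or app feature, same secret, own counter."""

    def __init__(self, secret: bytes, lookahead: int = 3):
        self.secret = secret
        self.counter = 0
        self.lookahead = lookahead  # tolerate a few missed calls without losing sync

    def caller_is_bank(self, spoken_code: str) -> bool:
        # Constant-time compare against the next few counters; a matched counter
        # (and every earlier one) is burned, so a recorded code cannot be replayed.
        for c in range(self.counter, self.counter + self.lookahead):
            if hmac.compare_digest(hotp(self.secret, c), spoken_code):
                self.counter = c + 1
                return True
        return False


SHARED_SECRET = b"12345678901234567890"  # constructed: the RFC 4226 test-vector key


def demo() -> tuple:
    bank, token = BankDialer(SHARED_SECRET), CustomerToken(SHARED_SECRET)
    genuine = token.caller_is_bank(bank.code_for_call())        # real bank: accepted
    replayed = token.caller_is_bank("755224")                    # same code again: rejected
    impostor = token.caller_is_bank(hotp(b"guessed-secret", 1))  # wrong secret: rejected
    return genuine, replayed, impostor
```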
Until then, if you call me claiming to be my bank/credit card company/whatever and ask me to confirm my identity to you by answering a security challenge, I’m going to say “no” and ask you to confirm to me that you are who you say you are by providing me with some piece of information only the two of us should know.