Authentication

TLDR – when someone calls you and then asks you to authenticate yourself, they are doing it wrong. DO NOT ANSWER.

A while ago, I got a call from a brokerage house I use (Hello Vanguard!). The caller asked me for the answer for one of my challenge questions, to make sure I was actually me.

I burst out laughing.

This a surprisingly subtle issue, and to have a major brokerage get it wrong is both sad and scary.

The caller is the unknown party. The called person is not, at least with the current way the phone system works. Caller ID is easily spoofable. You cannot trust that a caller is who they claim to be.

As long as the phone system is ringing the correct phone, the recipient should be, if not the exact person you want, then someone nearby. There are certainly exceptions to this, such as SIM card hijacking, which is sadly easy as well, but for the most part, if you call 1-800-BIG-CORP from a phone, you are going to get the right people.

The reverse is not true. If 1-800-BIG-CORP calls you, you have no reason to believe it is really them. You must not give away ANY secret information. You must call back, using a number you find out by yourself, NOT one given to you over the phone.

Why is this important? If the caller is actually a scammer trying to break into your account, when they come to the “secret question”, they just call you pretending to be the bank and ask you for the answer! Don’t give it out.

The caller can be quite inventive about trying to convince you they are legitimate. Krebs on Security reports on recent cases in which callers knew details of recent transactions, for example, (see https://krebsonsecurity.com/2020/04/would-you-have-fallen-for-this-phone-scam/) Krebs gives the right advice, look up the number from public sources and call back, but he doesn’t explain the general principle.

The caller must authenticate themselves, not the callee.

This is also the reason why you should never click a link in an email message. There is no reason to trust such a thing. You must look up the link yourself, from public sources.