Authentication Failure: Bank Transactions in Person

May 3, 2013
Filed under: Security 

Usually I write about the security flaws that I have seen over the years, both as a developer and as a security professional.  Recently, however, I was in a situation where I realized, after the transaction, that there had been no authentication of who I was.  Of course, when we talk about technology, we discuss authentication a lot: making sure that we prove the entity we are dealing with is really that entity, and not some impersonator. 

I recently had the need to wire some money from my bank to another bank.  My bank has many options for requesting the wire, but I chose the one where I actually walk into the local branch office and sit down with someone to complete the transaction.  When I entered the branch, I was greeted by the information desk asking if they could help me.   I told them that I needed to perform a wire transfer.  They asked for my name and sent me to the waiting area. 

After just a few minutes in the waiting area, a representative walked over and brought me back to her cubicle/office.  I have never done a wire before this, but had instructions from the receiving bank all ready to go.  I sat down and explained my situation and that I had this document that had all the information on it that I needed. 

The representative asked me to verify my information.  This is good, right?   Wrong!!   She proceeded to say “your address is still….” and I just said “yes”.  Then she asked who my employer was.  I told her and she just entered it into the system.  I guess that had never been updated.   Then she confirmed my phone numbers, but again, she read them to me; I just had to say yes. 

She asked which account I wanted to transfer from, but not the number, just asking if I wanted my sole account.   Again, I didn’t have to know anything about this account to perform the transaction.   I did have to sign the confirmation, but I could sign anyone’s name, couldn’t I?   Never once was I asked for my driver’s license or any other type of identification. 

Although this sounds like the story of a contracted penetration test, I can assure you it was not.  I wish it had been; then it would have been a really great test and I would be excited for the easy win.  Unfortunately, it was not, and I was far less than excited that it was a big fail on my bank’s part.  

We spend so much time analyzing and testing the technology side of security that we often overlook the human and process side of it.  At Secure Ideas, we perform physical assessments that are just like this scenario.  Unfortunately, as I stated, this was not a test, but a real transaction.

My first instinct was to switch banks.  I went home, was telling my wife about it all, and hastily said, “We are switching banks.”  Unfortunately, I have so much set up using that bank that switching would be a headache.  I know, that shouldn’t be any reason not to switch, but this seems to be the trend that we are seeing these days.  I guess I am getting lazy.  Just look at all of the breaches that we have seen in the past.  Are people really not using companies any more just because they had a breach?   And this bank didn’t even get breached.  I just happened to notice that their security was not so good when they completed my transaction. 

This will definitely be a story that I throw into all of my classes, as it is a perfect example of authentication, or the lack thereof.  Please, everyone, be aware of what you are doing and what security may be missing in everything you do.  It is not just the websites or the networks that are vulnerable.