November 6, 2017

There was a time when I was content to let my bank authenticate me over the phone by asking for some personal identifiers (SSN/DOB) that are broadly for sale in the cybercrime underground. At some point, however, I decided this wasn’t acceptable for institutions that held significant chunks of our money, and I began taking our business away from those that wouldn’t let me add a simple verbal passphrase that needed to be uttered before any account details could be discussed over the phone.

Most financial institutions will let customers add verbal passwords or personal identification numbers (PINs) that are separate from any other PIN or online banking password you might use, although few will advertise this.

Even so, many institutions don’t properly train their customer support staff (or have high turnover in that department). This can allow clever and insistent crooks to coax customer service reps into validating the call with just the SSN and/or date of birth, or requiring the correct answers to so-called knowledge-based authentication (KBA) questions.

As noted in several stories here previously, identity thieves can reliably work around KBA because it involves answering  questions about things like previous loans, addresses and co-residents — information that can often be gleaned from online services or social media.

A few years ago, I began testing financial institutions that held our personal assets. I was pleasantly surprised to discover that most of them were happy to add a PIN or pass phrase to the account. But many of the customer service personnel at those institutions failed in their responses when I called in and said I didn’t remember the phrase and was there any other way they could verify that I was me?

Ultimately, I ended up moving our investments to an institution that consistently adhered to my requirements. Namely, that failing to provide the pass phrase required an in-person visit to a bank branch to continue the transaction, at which time ID would be requested. Their customer service folks consistently asked the right questions, and weren’t interested in being much helpful otherwise (I’m not going to name the institution for obvious reasons).

Not sure whether your financial institution supports verbal passwords? Ask them. If they agree to set one up for you, take a moment or two over the next few days to call in and see if you can get the customer service folks at that institution to talk about your account without hearing that password.

While a great many people are willing to trade security for more convenience, it’s nice when those of us who are paranoid can opt-in for more security. A great, recent example of this is Google‘s optional “advanced protection” feature, which makes it much harder for password thieves to hack into your Gmail, Drive or other Google properties — even if the attackers already know your password.

“The opt-in, ultra-secure mode is intended for truly high-risk users, including those who face the threat of state-sponsored, highly resourced cyberespionage,” writes Andy Greenberg for Wired. “Think politicians and officials, high net-worth individuals, activists, dissidents, and journalists.”

Greenberg continues:

“As such, it’s a strict and unforgiving system, designed to reinforce every possible weak link that hackers could use to hijack your account. Logging in from a desktop will require a special USB key, while accessing your data from a mobile device will similarly require a Bluetooth dongle. All non-Google services and apps will be exiled from reaching into your Gmail or Google Drive. Google’s malware scanners will use a more intensive process to quarantine and analyze incoming documents. And if you forget your password, or lose your hardware login keys, you’ll have to jump through more hoops than ever to regain access, the better to foil any intruders who would abuse that process to circumvent all of Google’s other safeguards.”

Gartner fraud analyst Avivah Litan says she has long relied on verbal passwords for her most important accounts.

“I think a verbal password is a good step and definitely adds more security than does KBA built on top of heavily compromised credit bureau and life history data,” Litan said. Plus it’s free and convenient.  It’s of course not perfect and consumers should try to use verbal passwords that are unique for them and which they don’t use for online passwords —  in case the latter have been compromised by hackers.”

Verbal passwords should not be confused with voice biometrics, a technology some financial institutions are now adopting that can help authenticate customers while profiling and blocking fraudsters who repeatedly call in to customer service representatives. Even if your institution offers voice biometrics, adding a verbal password/passphrase is still a good idea.

Julie Conroy, research director at market research firm Aite Group, said financial institutions are still very concerned about putting up too many hurdles for good customers, so many are treading lightly on verbal passwords.

“Many FIs are moving in the direction of not just asking for the password, but also behind the scenes they are performing analysis of the call characteristics as well as the consumer’s voice print,” Conroy said.

Have you asked your financial institution(s) to add a unique verbal password/passphrase for your most important accounts? If so, sound off about your experience in the comments below.


73 thoughts on “Simple Banking Security Tip: Verbal Passwords

  1. Ben Davies

    Why would institutions use a verbal password when they could use voiceprints instead? A similar situation crops up at the California DMV. There you don’t need to present an ID, they just run your fingerprints.

    1. rwk

      My concern with voiceprint, fingerprint, or facial recognition is ‘false negative’ resulting in being incorrectly locked out. Failure rate of authentication is more important than many people realize.

    2. Primož Govekar

      Voiceprints are treated as biometric solution so additional care is to be taken to comply with GDPR. Additionaly it is not (so) hard to match voiceprinting when someone recorded your voice.

  2. Chris

    I will never (unless forced) provide a voice print, or facial definition to any organisaton. Once they get hacked (and they will) your details are available to be used for fraudulent use for the rest of your life, (plastic surgery might help but seems extreme)

    Even allowing my fingerprints to be taken is a problem and I restrict this to official bodies only.

    Biometric data should not be shared with institutions that are highly likely to get hacked.

    Yubi key for me.

  3. coakl

    Banks in Germany used to give you a paper list of one-time codes for log-ins. Once used up, you’d go to the bank and present ID for a fresh batch.

    Of course, for the truly paranoid, you’d ask the bank to block all online access. And return to banking in person or by mail.

  4. TM

    The question I have is: what does a bank allow the customer to do over the phone? Authorize a wire transfer? With my bank, I don’t really see the use case for calling a customer rep. I don’t think they would be able to do anything with my money.

    1. a

      I have to call my bank to reorder checks if I’ve moved since my last check order, even though I can change my address online.

  5. Bob

    Speaking from the perspective of someone managing the cybersecurity and fraud for a financial institution, verbal passwords are a dangerous risk from an internal fraud perspective. You call in, give the call center agent the verbal password, they see something in your account that they know someone might like, they make a note and sell the info to someone else. I agree that KBA is also a bad way to go as I have seen it socially engineered many times. We just deployed a one-time passcode function to validate people calling in. We basically send a random OTP to a phone number that is already on your accounts (and hasn’t changed recently), you would then tell the agent the number, and our platform validates it. The biggest downside here is that we are basing our security posture on a Verizon or AT&T employee’s ability to not be socially engineered, letting someone take over your phone.

  6. M

    A coworker of mine recently got hacked and having a verbal password(s) would have helped prevent it. The hacker called into my coworker’s cell phone provider and(by providing the last 4 of SSN + DOB) was able to activate a new SIM card on the account. My coworker got a text immediately about it; but then their phone(old SIM) was disabled. It took the hacker less than 30 minutes to clean out all their bank accounts using one-time codes connected to their cell phone number to reset individual passwords. By the time they were able to contact the cell phone company; all the damage was done. The hacker must’ve gotten a full cache of info on their ID; as some compromised bank accounts were very old and actually empty. Lock down your accounts; especially bank accounts.

Comments are closed.