06
Nov 17

Simple Banking Security Tip: Verbal Passwords

There was a time when I was content to let my bank authenticate me over the phone by asking for some personal identifiers (SSN/DOB) that are broadly for sale in the cybercrime underground. At some point, however, I decided this wasn’t acceptable for institutions that held significant chunks of our money, and I began taking our business away from those that wouldn’t let me add a simple verbal passphrase that needed to be uttered before any account details could be discussed over the phone.

Most financial institutions will let customers add verbal passwords or personal identification numbers (PINs) that are separate from any other PIN or online banking password you might use, although few will advertise this.

Even so, many institutions don’t properly train their customer support staff (or have high turnover in that department). This can allow clever and insistent crooks to coax customer service reps into validating the call with just the SSN and/or date of birth, or requiring the correct answers to so-called knowledge-based authentication (KBA) questions.

As noted in several stories here previously, identity thieves can reliably work around KBA because it involves answering  questions about things like previous loans, addresses and co-residents — information that can often be gleaned from online services or social media.

A few years ago, I began testing financial institutions that held our personal assets. I was pleasantly surprised to discover that most of them were happy to add a PIN or pass phrase to the account. But many of the customer service personnel at those institutions failed in their responses when I called in and said I didn’t remember the phrase and was there any other way they could verify that I was me?

Ultimately, I ended up moving our investments to an institution that consistently adhered to my requirements. Namely, that failing to provide the pass phrase required an in-person visit to a bank branch to continue the transaction, at which time ID would be requested. Their customer service folks consistently asked the right questions, and weren’t interested in being much helpful otherwise (I’m not going to name the institution for obvious reasons).

Not sure whether your financial institution supports verbal passwords? Ask them. If they agree to set one up for you, take a moment or two over the next few days to call in and see if you can get the customer service folks at that institution to talk about your account without hearing that password.

While a great many people are willing to trade security for more convenience, it’s nice when those of us who are paranoid can opt-in for more security. A great, recent example of this is Google‘s optional “advanced protection” feature, which makes it much harder for password thieves to hack into your Gmail, Drive or other Google properties — even if the attackers already know your password.

“The opt-in, ultra-secure mode is intended for truly high-risk users, including those who face the threat of state-sponsored, highly resourced cyberespionage,” writes Andy Greenberg for Wired. “Think politicians and officials, high net-worth individuals, activists, dissidents, and journalists.”

Greenberg continues:

“As such, it’s a strict and unforgiving system, designed to reinforce every possible weak link that hackers could use to hijack your account. Logging in from a desktop will require a special USB key, while accessing your data from a mobile device will similarly require a Bluetooth dongle. All non-Google services and apps will be exiled from reaching into your Gmail or Google Drive. Google’s malware scanners will use a more intensive process to quarantine and analyze incoming documents. And if you forget your password, or lose your hardware login keys, you’ll have to jump through more hoops than ever to regain access, the better to foil any intruders who would abuse that process to circumvent all of Google’s other safeguards.”

Gartner fraud analyst Avivah Litan says she has long relied on verbal passwords for her most important accounts.

“I think a verbal password is a good step and definitely adds more security than does KBA built on top of heavily compromised credit bureau and life history data,” Litan said. Plus it’s free and convenient.  It’s of course not perfect and consumers should try to use verbal passwords that are unique for them and which they don’t use for online passwords —  in case the latter have been compromised by hackers.”

Verbal passwords should not be confused with voice biometrics, a technology some financial institutions are now adopting that can help authenticate customers while profiling and blocking fraudsters who repeatedly call in to customer service representatives. Even if your institution offers voice biometrics, adding a verbal password/passphrase is still a good idea.

Julie Conroy, research director at market research firm Aite Group, said financial institutions are still very concerned about putting up too many hurdles for good customers, so many are treading lightly on verbal passwords.

“Many FIs are moving in the direction of not just asking for the password, but also behind the scenes they are performing analysis of the call characteristics as well as the consumer’s voice print,” Conroy said.

Have you asked your financial institution(s) to add a unique verbal password/passphrase for your most important accounts? If so, sound off about your experience in the comments below.

Tags: , , , , , , , ,

73 comments

  1. > Logging in [to Google’s ultra-secure mode] from a desktop will
    > require a special USB key

    Details, please? Proprietary / limited to Google? Can other on-line non-Google services utilize the same device? Can mere mortals request / obtain this service?

    This sounds like an excellent, indeed, preferred alternative compared to 2-factor-authentication relying on text messages to Yuppie fones.

    • It’s just a Yubikey and it supports a bunch of protocols like U2F, fido, Yubico auth among others.

    • Carl 'SAI' Mitchell

      Any FIDO U2F key will work. Yubico[1] sells them, and their keys seem to be the best in the business in terms of security. According to that the VASCO SecureClick is also fine. They’re not limited to Google, several other services can use them.[3] Sadly banks tend to be extremely lax in terms of computer security, I’m not aware of any that use U2F keys. And they are closed-source, though the specification is open.

      [1] https://www.yubico.com/
      [2] https://www.imperialviolet.org/2017/10/08/securitykeytest.html
      [3] https://www.yubico.com/solutions/#all

    • When Google announced this security augmentation, I bought five of those Yubi branded universal second factor (U2F) USB keys (one for me, four for colleagues). They were US$18 apiece (cheaper than other Yubi products).

      I put mine on my key ring. I’m not babying it. I want to know how long it lasts jangling around in my pocket.

      Multiple online services use the U2F key, in place of 2F tech like the Google Authenticator app. There’s an API for web applications that want to add it. There’s a plugin for WordPress.org-based sites that uses it.

      The authentication protocol, at present, is built into the latest Google Chrome browser, so the key won’t work if you use some other browser make or model. (But authentication falls back to a smartphone app in that case.)

      So far, so good.

      Except for this: do banks use it to grant access to accounts like mine? I’ll give you three guesses, but I bet you can get it in one.

      • I bought my first Yubikey about 5 years ago and wore it around my wrist for several years. I wore it in the shower, it went rafting on the river, and it still works just fine.

      • We use them in our org and i have never had one fail and a decent number of my colleagues do not look after them well.

    • Google it.

  2. I don’t understand the point of testing the customer service staff since you already pointed out the high turnover of that staff. A criminal is probably not going to be talking to the same people that were tested.

    All it takes it one weak customer service rep who falls for a slick social engineering ploy.

    Until the process removes the possibility of subverting the process, it’s really not safe.

    • Testing is to see if a procedure is actually standard practice or lax.

      It isn’t failproof, but if it fails, you know you shouldn’t trust the org.

  3. I wonder if you might be willing to reveal the institutions that failed you customer service security test.

  4. This is standard for all customers for the ASB Bank in New Zealand. No opt out.

  5. I do business on line with one company that requires a verbal ‘PIN’ when dealing with them on the phone.

    I couldn’t tell you the name of the company though, since I’ve only ever called them once. I was clueless when they asked me for my PIN.

    There are two, four digit numbers I have committed to memory so I tossed both at them. Apparently, one of them was the correct one.

    This was many years ago. I thought it was a pita at the time. Now, it would seem they were ahead of the curve in on line security.

  6. Another way that I try to “improve” KBA’s at my financial institution is to make the answers completely ambiguous. For example: “What is your favorite sports team?” Answer: San Francisco Water Heaters. This way, if I am on the phone with a FA, I can answer it, but it means nothing that can be found in public searches (unless, of course, you really love water heaters and you live in San Francisco)!

    • Do not confuse security questions that you can set up with bogus answers to KBA.

      https://en.wikipedia.org/wiki/Knowledge-based_authentication

      Dynamic KBA is a high level of authentication that uses knowledge questions to verify each individual identity, but does not require the person to have provided the questions and answers beforehand. Questions are compiled from public and private data such as marketing data, credit reports, or transaction history.

      • Some years ago, I encountered one of those questioning brow-beatings. Can’t recall where I had called or for what reason. They asked many very private information questions, which were a shocking affront to me. I had gone through a lengthy process to extract myself from an abusive, scary marriage, during which I feared for my well-being and life. I was horrified by most of the questions, afraid to answer them, and after emotional escalation (mine, not the questioner’s — they were totally insensitive), I said I didn’t understand how they had gotten some of the information used in their questions, and I said forget it, whatever I was trying to do. Took me a while to recover. I was truly terrified at the time.

        So, I guess, my opinion is that for some of us, such questions may not be a healthy way of going about security, if the questions stir up a big stink that you are trying to quell and forget and move on from. The more you stir a stink, the worse it stinks.

        • Dee,

          Look upthread and consider investing $18 in a Yubikey. Of course, it makes logging in horrible if you lose your phone and your key, and obviously such losses are highly correlated.

          Hang in there!

          • I bought two yubikey’s for lastpass. One is on my keyring, the other is in my husband’s drawer of important things both as a backstop in case I lose mine, but also so he can access my accounts if I should die suddenly.

      • KBA fails when the information is wrong.

        Example: Social Security uses a third party that provides credit history information as authentication. The information is mostly wrong. For many people, it is completely wrong. People answer the questions based on this info correctly, truthfully that they don’t have the accounts shown, etc. Authentication fails. Social Security calls this a “rare occasion”. The wrong info cannot be corrected or challenged.

        • Social Security used/uses KBA questions derived from Equifax data. The questions derived would only be as good as an individuals ‘credit file’ data. I don’t know where you are gathering that ‘most of it is wrong’. The anecdotal reporting in the news at the time did say that ‘a lot’ of the people trying to get through it were failing. ‘A lot’ of the people who were trying to get through might have been drawn from the same majority of consumers who don’t check /correct their credit file…

          • I suppose I must say that the wrong credit history info was supposedly mine. Far from anecdotal. Please don’t excuse this as a mistake on anyone else’s part.

            It was completely wrong and absolutely none of the questions contained anything that was ever in my credit history. Worse, the same questions were asked every single time for a period of months and then were changed to other questions about info that were also not in my credit history. This happened with others as well. It happens more than you may care to believe.

            Computers make it easier to screw things up and yet they are considered infallible gods.

            I have had dealings with the Equifax org before, where they list items beyond 10 years, list the same item multiple times, et cetera. But they have never listed a completely fictitious item, or items that belong to someone else, including those items that Social Security used as questions.

          • BTW, Please — how does one go about to correct the wrong info in one’s credit file that does not exist?

            • Check the credity “bureau” website for the disputing contact.

              • It’s worth keeping in mind that incorrect information in your credit file possibly indicates identity theft activity. The credit bureau fraud desk may be able to assist you in sorting errors from ID theft efforts.

  7. Just checked: Etrade has them. Set them up. Thanks for the pointer.

    Now, will have to call them to see if the feature works.

    • Etrade was ahead of the curve maybe 10-15 years ago when it offered RSA authentication for a nominal $20 fee (cost of the RSA fob).

  8. If you’ve researched the ones that passed your test, why not let us know who that is? It’d probably send a bigger message if everyone that reads this makes the same move to a more secure bank at the same time, no?

    • I agree!

      • I think Brian’s reticence in disclosing banks either way would be to essentially you his financial institutions or to let you defuce them.

    • Brian’s enemies read this blog as well, and naming who the FI is makes their job easier. If your attack list went from 100 targets to 1, that means you can focus all of your attention on that one, making it inherently weaker. It’s also one of the principles behind tarpit services.

  9. I have used a password with my FI (credit union) for a few years. It is required even for in-person (such as cashier window) transactions, and for any email (not online banking, which I do not do) inquiries.

    • I hymbully suggest you never change your passphrase to “This is a stick-up”, especially if you do a lot of banking at the teller window.

    • I’d be a little nervous about sending my single passphrase (or other banking info) by email. How do you mitigate that risk?

  10. My bank asked for it when the account was created and has asked for it when I have called in to resolve one issue or another. It was just a matter of course with them. It is a small local bank.

  11. I set up a verbal password with my FI many years ago after my paycheck with attached pay stub was stolen from a careless secretary’s desk at lunch. Between the check and the stub, SSN, address, DOB, etc.! I’m still with that FI, and customer service ALWAYS challenges me for the password when I call.

  12. How do you handle the trade-off between the technical competence at larger banks (e.g., their certificates are decent, they stay patched) and the human security provided at smaller banks?

    We did an examination of certificates at FDIC entities and found that larger banks are qualitatively better at this core security practice. But they also tend to be very bad at knowledge-based authentication, and their customer service representatives more tolerant of errors. Please forgive the vague descriptions, this was written for a policy audience: https://techscience.org/a/2016041501/

  13. “Hi, my name is Werner Brandes. My voice is my passport. Verify Me.”

    • SeymourB stated: “Hi, my name is Werner Brandes. My voice is my passport. Verify Me.”

      Nice, “sneaking” that one in here. Voice prints today would be way harder to imitate than years ago (I hope). But anything they offer, passphrase, password, pin, sending a text to you, is way better than garden variety KBA questions.

      Just to cause some grief, Capitol One’s phone banking system will greet you with, “thanks, the number you are calling from matches our records allowing you secure access.” Which means (I assume) that anyone spoofing my phone number gets a “bye” in bypassing the initial security system and gets access to your account without the need for a pin or password. Just thought some hacker would like to know 😉

    • It took enough comments to get this one! Haha
      +1

  14. The only part of banking I understand how to verify is through protection and command, the entire point is for fdic not to pay out a claim to a bank that is by far superior and more competent than I in accessing favor to availble lending processors, there must be valid signals to protection services that legal and governance work t ogther, often the left hand is unaware of the right hand. Overall my statement is that for a lower than that value or roi , I would listen to everyone in the room that is certain of her or his place and included each as a part of the team that if was lost, cannot and will not be exchanged unless by death the commitment was lost.
    Hope ur signal from this enterprising protection service manager is in full clarity to whom every had a big boat wish list on the brain next time.

  15. Verbal password sounds like a bad idea.

    Banks here have either a pin, entered before you’re connected to the human. You should never tell the person your PIN, they only need to know whether you’re authenticated or not.

    The other option is bank id, a system of 2fa, similar to Microsoft authenticators new login scheme but without the notification (you need to open the app yourself, a good thing imo).

    Having these solutions since 2010, for everyone, makes a verbal password a strange solution in today’s world.

    • You’ve always had the verbal passphrase before, it was simply your mother’s maiden name. Now it’s slowly just being replaced with a generic string.

    • Well, it’s better than it’s previous incarnation, your mother’s maiden name. Now they (sometimes) accept any string in that field.

  16. Which US/UK banks are ahead of the curve in terms of security? Would be great to know that

  17. Had to call Citibank once. After initial authentication, the rep sent a verification code on my mobile which i then had read back to the rep before the change was made. Few banks are doing this in addition to voice prints.

  18. Verbal passwords are great. The only thing is to have some imagination.

    Challenge question : Worst password ever : Password1

    Think creatively:

    Challenge Question: Best weather to go hiking in : sandstone

    • Where were you born? Rutabega

      What was your first pet’s name? Mine Shaft #7

      Any time you get a precanned question always answer it non-truthfully. If you can’t remember the answer then record it someplace, preferably offline or, worst case, encrypted. Hell, generate some one-time pads and keep those offline, then use them to encode the answer on your computer. If your computer gets compromised, all you can do is laugh at the poor slob who gets stuck trying to make sense of it.

  19. Mikey Doesn't Like It

    I agree that a verbal password is another layer of defense.

    But I also think it’s naive to assume that the bank’s own system(s) are immune from hacking. (And I don’t have great confidence that a bank would even admit it had been hacked.)

    So even the verbal password doesn’t give me much more comfort about my security.

    Whatever happened to such simple ideas as having the bank’s CSR tell me, “Let me call you right back at your phone number of record.” And 2FA may not be perfect, but even that adds a major layer of security if I have to phone my bank.

    • Hopefully they would allow more than one phone number of record.

    • >But I also think it’s naive to assume that the bank’s own system(s) are immune from hacking.

      Of course. But a bank’s systems are not something you have control over. There’s regulatory and business needs to keep them secure, but ultimately you have /no/ control over their security practices or lack thereof. Challenge-response to call ins you do, which is the point of a verbal password.

  20. Mikey Doesn't Like It

    Verbal p/w is certainly a good added layer of protection.

    But banks’ systems are probably as vulnerable as any others, to hacking. Which means that my verbal p/w would then be compromised, too. (And I don’t trust most banks to readily admit it if their systems were ever hacked.)

    Why not have the bank’s CSR tell me (when I call) “let me call you right back at your phone number of record.”

    And even 2FA, while not perfection, still adds a major layer of protection.

  21. I thought this article was about “Simple Bank” – the Fintech (with whom I have an account and they DO use phrasing).

    Sterling Archer: Is phrasing still a thing?

    As for other banks’ security measures. Since the Equifax breach most of my accounts (3 different FIs), and especially our enterprise accounts, have added much stricter authentication rules. Sending a wire/ACH is so much more difficult and more time consuming now. But safer. <—— (key thing here)

  22. I’ve been in the banking industry for 25 years, and our industry has been using verbal passwords for at least a decade. Not all customers want them. We have almost 200,000 members at our credit union. Collecting and forcing everyone to use verbal passwords are not realistic.

    The ultimate solution is voice biometrics when calling and fingerprint or facial biometrics when visiting a branch.

    Otherwise, we will always be reactive to the next big breach since majority of financial institutions rely on personal/sensitive data to authenticate identity.

  23. I have used this in the past, but wasn’t cognizant to test the social engineering to get around the passphrase. How hard was it to social engineer the bypass of the phrase to gain access?

    Also, it looks like this article, and two others, have the wrong date associated with them.

  24. Why not just use nonsense answers for KBA? First pet: Chewbacca

  25. If voice biometrics are being implemented, there needs to be a workaround for deaf consumers using VRS (video relay services), to validate themselves.

  26. Thank goodness there aren’t any malware on phones that have access to cameras and microphones,,, what, oh,, Never mind.
    At least there isn’t any listening devices just sitting in your house like Echo or google home, and the knockoffs.
    meh, I give up

  27. I like that any transaction at the teller required the presence of your atm cards chip to authorize their use of account.

  28. FWIW –

    Due to an incident, ETrade issued me a RSA key and had me add a verbal password. However, the last time I called ETrade, I wasn’t asked for the password.

  29. I would highly recommend FTsafe USB keys
    https://www.ftsafe.com/products/FIDO/NFC