Posts Tagged: Andy Greenberg


6
Nov 17

Simple Banking Security Tip: Verbal Passwords

There was a time when I was content to let my bank authenticate me over the phone by asking for some personal identifiers (SSN/DOB) that are broadly for sale in the cybercrime underground. At some point, however, I decided this wasn’t acceptable for institutions that held significant chunks of our money, and I began taking our business away from those that wouldn’t let me add a simple verbal passphrase that needed to be uttered before any account details could be discussed over the phone.

Most financial institutions will let customers add verbal passwords or personal identification numbers (PINs) that are separate from any other PIN or online banking password you might use, although few will advertise this.

Even so, many institutions don’t properly train their customer support staff (or have high turnover in that department). This can allow clever and insistent crooks to coax customer service reps into validating the call with just the SSN and/or date of birth, or requiring the correct answers to so-called knowledge-based authentication (KBA) questions.

As noted in several stories here previously, identity thieves can reliably work around KBA because it involves answering¬† questions about things like previous loans, addresses and co-residents — information that can often be gleaned from online services or social media.

A few years ago, I began testing financial institutions that held our personal assets. I was pleasantly surprised to discover that most of them were happy to add a PIN or pass phrase to the account. But many of the customer service personnel at those institutions failed in their responses when I called in and said I didn’t remember the phrase and was there any other way they could verify that I was me?

Ultimately, I ended up moving our investments to an institution that consistently adhered to my requirements. Namely, that failing to provide the pass phrase required an in-person visit to a bank branch to continue the transaction, at which time ID would be requested. Their customer service folks consistently asked the right questions, and weren’t interested in being much helpful otherwise (I’m not going to name the institution for obvious reasons).

Not sure whether your financial institution supports verbal passwords? Ask them. If they agree to set one up for you, take a moment or two over the next few days to call in and see if you can get the customer service folks at that institution to talk about your account without hearing that password. Continue reading →


4
Mar 13

KrebsOnSecurity Wins Awards

I recently returned from San Francisco, which last week hosted the annual RSA Security conference. I had the pleasure of moderating a panel discussion on Raising the Costs of Compromise with some very smart guys, and also shared a stage with several security authors who were recognized for their contributions to infosec media.

Bruce Schneier, Jack Daniel & Krebs. Image: Alan Shimel.

Bruce Schneier, Jack Daniel & Krebs. Image: Alan Shimel.

Krebsonsecurity.com was honored with the “Blog That Best Represents the Industry,” award at the RSA Security Blogger Meetup. This was the third year in a row that judges bestowed that honor on this blog. Krebsonsecurity.com also won the award for “Most Educational Security Blog.”

Paul Dotcom won for “Best Security Podcast”; J4VV4D’s Blog earned the “Most Entertaining Security Blog” award; Sophos’s Naked Security Blog took home the “Best Corporate Security Blog” prize; and the “Single Best Blog Post or Podcast of the Year” went to Forbes’ Andy Greenberg, for Meet the Hackers Who Sell Spies the Tools to Crack Your PC (And Get Paid Six-Figure Fees). Finally, security blogger Jack Daniel was the latest greybeard inducted into the Security Bloggers Hall of Fame (Bruce Schneier¬†and I shared that honor last year, which is why we’re both pictured on stage flanking Jack in this shot from last week).

Yours truly also was named one of 10 winners of the SANS Institute‘s “Top Cyber Security Journalist” award. I am truly honored for the recognition, and want to thank all the loyal readers of this blog for their constant encouragement and support.