#StackBounty: #authentication #phone What is the best protocol for an organisation to make phone calls to clients, where the client is …

Bounty: 100

I’ve experienced a couple of times, an organisation has called me, but they require me verify who I am with security questions.

Most recently, this was my credit card company who left a voice message with a number to call re: possible fraud on my account.

The obvious security risk here, is that it could be a scammer, who is then going to use those details gain access to my account.

In these scenarios, having a modicum of security conscientiousness, what I do is acknowledge the call, request a ticket number if there is one, and look their phone number up on the website, and call back that way.

In my credit card example – the number they’d given me wasn’t listed, so I called their general helpline and requested to be transferred.

I think from a end user/consumer’s point of view, this is the right protocol.

The question is – what should the organisations themselves be doing to encourage good security? It seems like a very bad habit to teach their customers – to reveal identifying information to people who call them.

Get this bounty!!!

Leave a Reply

This site uses Akismet to reduce spam. Learn how your comment data is processed.