Quite a while ago, I received a call from the customer representative of a reputed bank, offering me an extended credit limit on my credit card. In return, the bank executive wanted some of my personal identity data, such as my card number, date of birth, or mother's maiden name.
I refused to give the card number and date of birth, as these are unique and crucial pieces of information whose disclosure could result in a serious breach of my banking account (I had already been hearing a lot about such mobile frauds). The customer representative, however, kept assuring me that this was not a fake call and that the information was being asked for only to vouch for my identity as part of their verification process.
Many of us face this situation almost every day when we receive such calls asking for our personal details, and it leaves us unsure whether or not to share the identity data. This is a very generic topic, as many articles have been written on mobile banking security and there are general precautions for avoiding such frauds. In my view, we can assess the situation before answering, and in fact the two IAM functions, Identity Management (IdM) and Access Management, can be applied to it:
- Check that you are not revealing direct identity data (user ID, PIN, password) which would allow the requester to authenticate on your behalf. Authentication to your account should be performed by you alone and safeguarded from everyone else. Customer representatives already have privileged accounts of their own through which they are authenticated and authorized to access their customers' profiles.
- Check that you are not granting the requester extra authorization to access your account information, e.g. step-up authentication details that unlock more information. Ask whether the request really follows the "need to know" principle: if you reveal the information, does the requester genuinely need it to carry out the particular request? As customer care representatives, they already have basic pre-defined rights to view and monitor customer profiles, but these rights deliberately exclude private, client-identifying data such as PIN, password and date of birth, an exclusion that governments usually enforce on banking applications through regulatory and compliance requirements. Revealing even a single unique piece of identity data may hurt you by giving the requester extra access, and your personal view of the account may be compromised. Check whether sharing indirect identifying data, e.g. gender or year of birth, is sufficient to fulfil the request.
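As an added illustration of the two checks above (example code, not part of the original post), here is a small Python model of a need-to-know decision: each attribute a caller might ask for is classed as an authenticator, a direct identifier, an indirect identifier or public data; each purpose is mapped to the minimal attributes it genuinely needs; and when an exact value is requested but a coarser derived value would do (year of birth instead of the full date of birth), the coarser one is offered instead. The attribute classes, purposes, derivation rule and sample profile are assumptions constructed for the example, not any bank's actual policy.

```python
"""Need-to-know check for identity attributes requested over the phone.

Constructed example: the attribute classes, purposes and sample profile
below are illustrative assumptions, not any bank's real policy.
"""
from enum import Enum


class Sensitivity(Enum):
    PUBLIC = 0         # freely shareable
    INDIRECT = 1       # narrows identity without pinning it down (gender, year of birth)
    DIRECT = 2         # uniquely identifies the account holder (card number, full DOB)
    AUTHENTICATOR = 3  # proves you are the holder (PIN, password, OTP); never shared


# Assumed classification of attributes a caller might ask for
ATTRIBUTES = {
    "user_id": Sensitivity.AUTHENTICATOR,
    "pin": Sensitivity.AUTHENTICATOR,
    "password": Sensitivity.AUTHENTICATOR,
    "otp": Sensitivity.AUTHENTICATOR,
    "card_number": Sensitivity.DIRECT,
    "dob": Sensitivity.DIRECT,
    "mothers_maiden_name": Sensitivity.DIRECT,
    "year_of_birth": Sensitivity.INDIRECT,
    "gender": Sensitivity.INDIRECT,
    "city": Sensitivity.PUBLIC,
}

# Indirect attributes mapped to the direct attribute they derive from and the
# derivation, so a coarser value can be offered instead of the exact one.
DERIVED = {
    "year_of_birth": ("dob", lambda dob: dob[:4]),  # dob stored as "YYYY-MM-DD"
}

# Assumed minimal attribute set that each purpose genuinely needs
PURPOSES = {
    "credit_limit_offer": {"year_of_birth"},
    "statement_delivery": {"city"},
}

# Constructed sample profile (not real data)
PROFILE = {
    "dob": "1985-06-14",
    "card_number": "0000 0000 0000 0000",
    "mothers_maiden_name": "EXAMPLE",
    "gender": "F",
    "city": "Pune",
}


def decide(purpose, attribute):
    """Return (decision, reason) for one attribute a requester asks for."""
    if attribute not in ATTRIBUTES:
        return ("deny", "unknown attribute")
    needed = PURPOSES[purpose]
    if ATTRIBUTES[attribute] is Sensitivity.AUTHENTICATOR:
        # Authenticators let the requester act as you; the owner alone authenticates.
        return ("deny", "authenticator: only the account owner authenticates")
    if attribute in needed:
        return ("allow", "needed for this purpose")
    # Exact value not needed: offer the indirect value if that satisfies the purpose.
    for indirect, (source, _) in DERIVED.items():
        if source == attribute and indirect in needed:
            return ("substitute:" + indirect, "indirect value is sufficient")
    return ("deny", "not needed for this purpose")


def evaluate_request(purpose, requested):
    """Evaluate every attribute in a request against the need-to-know policy."""
    return {attr: decide(purpose, attr) for attr in requested}


def disclosure(purpose, profile):
    """Build the minimal set of values to actually share for a purpose."""
    out = {}
    for attr in sorted(PURPOSES[purpose]):
        if attr in profile:
            out[attr] = profile[attr]
        elif attr in DERIVED:
            source, derive = DERIVED[attr]
            out[attr] = derive(profile[source])
    return out


if __name__ == "__main__":
    asked = ["pin", "card_number", "dob", "mothers_maiden_name", "year_of_birth"]
    for attr, (decision, reason) in evaluate_request("credit_limit_offer", asked).items():
        print(f"{attr:20s} {decision:25s} {reason}")
    print("share:", disclosure("credit_limit_offer", PROFILE))
```

Run for the credit-limit scenario in the post, the model denies the PIN outright, denies the card number and mother's maiden name because the purpose does not need them, and answers a request for the full date of birth with the year of birth only; the disclosure set for that purpose is just the derived year.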
From the above, the inference is that the less we reveal about ourselves, the safer we are. An individual can gauge the situation to some extent and share information accordingly. However, there is no general guideline for deciding what information counts as public and what does not.
Authored by Neetu Agrawal