Dual Authentication

I had an interesting experience today. I received an SMS message telling me to “Please call Telstra on 1800XXXYYY (this is a local call in Australia) regarding this mobile service”.
I looked at the return number, and it was kinda weird but I didn’t recognise it (52xxx) as anything from the telco. So, I rang the number and was greeted with Telstra hold announcement, and a happy operator “Hello, this is Telstra, please can I have your phone number and password”.
At this point, I’m guessing the conversation went quite differently from other calls that person received during the day. My response was “Prove it”. I got an unsolicited SMS from a number I didn’t recognise telling me to call a number that I didn’t know. This has the hallmarks of a classic scam to me.
The poor operator was a little confused with an “erm, this is really Telstra, you’ll need to give me your details”. I refused (guessing at this point that it probably was Telstra, but I wanted to see where this would go). I said, you’ll have to prove to me that you’re really Telstra.
This is the real crux of the problem. There is no way they could do that without leaking information about customers given the way that most large corporates deal with information. All of it is protected by the business, so that can lead to very successful scams. You never know if you’re actually talking to the people that you think you are.
Anyway, I asked what this was about, and they said it was likely I hadn’t paid a bill, which is why I got the SMS. (They were right; I’d forgotten to pay it.) When I got home I paid it, but I still refused to give them any information about me.
However, companies need to start investigating dual authentication schemes where they can prove they are the company when on the phone to consumers. It will only be a matter of time before scammers start to use the phone system to do these sorts of “man-in-the-middle” attacks.
Interesting, no?


9 thoughts on “Dual Authentication”

  1. Yes, very interesting idea on dual or two-way or reciprocal authentication…
    The idea would be they need to authenticate themselves if they initiated the communication? vs. you explicitly calling a well-known # for the company….
    But would that really work? The scammer could steal such authentication info and still impersonate and fool the customer…

  2. [quote]But would that really work? The scammer could steal such authentication info and still impersonate and fool the customer…[/quote]
    It would work if the two parties communicating were computers… or humans really good at doing multiplication.
    When you sign up with your telco, you could be given a 200 digit prime number, which is the telco’s password with you.
    Then, when you communicate with the telco, you would randomly choose a different 200 digit prime number in your head, multiply it with the prime number they gave you, tell them the product, and ask them to reveal to you what prime number you had randomly chosen.
    If they really are the telco, they know the prime number they gave you, so the problem is simply doing division, which is relatively easy.
    If they aren’t the telco, they don’t know what prime number you were given, so they’d have to perform prime factorization, which is a lot more difficult.
    Of course, this assumes that your line is secure, because if a scammer just wiretaps your phone, and hears your challenge, and the telco’s response, the scammer could perform a division to find out what prime number you were given.
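The prime-product challenge described in the comment above, written out as an added Python example (not the commenter’s code): the telco holds a secret prime, the customer multiplies it by a fresh random prime and asks for the random prime back, and the final function shows the wiretap caveat, where anyone who sees both the product and the revealed prime recovers the secret by one division. Function names, the `digits` parameter and the Miller-Rabin primality test are my assumptions, not anything from the page.

```python
import secrets

def is_probable_prime(n, rounds=32):
    """Miller-Rabin probabilistic primality test (assumed helper)."""
    if n < 2:
        return False
    for p in (2, 3, 5, 7, 11, 13, 17, 19, 23, 29):
        if n % p == 0:
            return n == p
    d, r = n - 1, 0
    while d % 2 == 0:          # write n-1 = d * 2**r with d odd
        d //= 2
        r += 1
    for _ in range(rounds):
        a = secrets.randbelow(n - 3) + 2
        x = pow(a, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False       # composite witness found
    return True

def random_prime(digits):
    """Random prime with exactly `digits` decimal digits."""
    lo, hi = 10 ** (digits - 1), 10 ** digits
    while True:
        candidate = (secrets.randbelow(hi - lo) + lo) | 1
        if is_probable_prime(candidate):
            return candidate

def customer_challenge(telco_secret, digits=200):
    """Customer picks a fresh prime q and sends only the product p*q."""
    q = random_prime(digits)
    return q, telco_secret * q

def telco_response(claimed_secret, product):
    """Party claiming to be the telco answers with q = product / p.
    A caller holding the wrong prime cannot divide evenly and fails."""
    if product % claimed_secret != 0:
        return None
    return product // claimed_secret

def eavesdropper_recovers_secret(product, revealed_q):
    """The caveat from the comment: product and response together leak p."""
    return product // revealed_q

if __name__ == "__main__":
    p = random_prime(200)                   # telco's password with you
    q, n = customer_challenge(p)
    print("telco answered correctly:", telco_response(p, n) == q)
    print("wiretap recovered p:", eavesdropper_recovers_secret(n, q) == p)
```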

  3. Or…
    They could give you a reference number to quote, and ask you to call their main advertised number – something you could verify in the White Pages or on telstra.com.
    Asking you to call a number which they don’t advertise is problematic. If they rely on their advertised contact methods, there shouldn’t be an issue – you know it’s them, so the only burden of proof is on you.

  4. Robert, that was pretty much the mechanism that I came to as the only “reliable” means. I can authenticate the number, and when I provide them a token, things should be ok.

  5. I had the same issue with 3. I received a call from a guy claiming he’s from 3 and saying that he needs to discuss my account. In order to discuss it he said he needs to authenticate my details and asked for my 4 digit pin number, at which point I said that he may certainly not get my pin number since I have no way of knowing who is actually calling.
    I asked what’s this about but he couldn’t say without confirming who I was… catch 22 later I asked him to send me an email.
    I still can’t believe it, they call me and want me to provide proof of my identity?!

  6. Same thing goes with banks / credit cards. I get Amex calling me for crap all the time and when they ask me for authentication, I say: You called MY number, how do I know who YOU are? Go away.
    It’s especially bad when the “authentication” is name, date of birth, address and perhaps a password. Your co-workers would all have overheard you with all of these (most of which are readily obtainable). The only other authenticator is the timbre of your voice. If it’s for a Mr Eaves then you need to have a male voice. That must be a problem Jon 😉

  7. I got exactly the same thing from American Express. They called me, announced they were American Express, then immediately asked me to I.D. myself to them. They were completely unprepared for my response of “I’m not identifying myself until you identify yourself”. I had to call their regular service number and complain about it later (also to find out what they wanted in the first place).

  8. I’m sure the credit card company or bank would be more than happy to just not authenticate you, but at least here in the US there tend to be all kinds of laws about disclosure of things without at least some sort of cursory validation. The person could live with multiple people at that address, the phone number could be wrong, etc., and the company opens themselves up to liability if they disclose private information (like you didn’t pay your bill) to the wrong person.
    They do need a way to authenticate themselves though if they plan on querying you for private or authentication-related information.

  9. It’s not an issue with a company asking for authentication information. The issue here is that many commenters (and myself) have been asked to authenticate to somebody without knowing if that person is the person you think it should be.
    It’s a classic man-in-the-middle attack.
    As Robert described the appropriate means is to contact the company via a published/authenticated means and start the dialogue that way. Not calling a random number, or having a random person call you.
