A study in mutual authentication

Home | Blog | Bio and Contact | CSLA .NET | CSLA Store

25 July 2007

Today I received a letter from a large (the largest?) US bank, offering me a special discount rate on charges made to my credit card. To my knowledge, I have no account at this bank at all, including no such credit card. That’s never good! So I called the number on the letter to find out what’s going on. Of course I got to the bank’s credit card service center, where they asked me my credit card number, let’s pick up there: “That’s why I’m calling. I don’t have such a credit card” said I. “I can look it up using your social security number” said she. And this is when my brain finally kicked in. I had dialed the number from the suspicious letter!! While the letter looked authentic, and the automated answering system on their end sounded authentic, how did I actually know I was talking to this large bank? “I’m not sure I want to provide that” I answered. “Can I have you spell your name then?” she asked. I did that, as my name is easily found, and the letter already had that. She then confirmed that I had an account with them, and asked “Can you confirm your birth date?” “Umm, I’m not sure I want to provide that either. I need to look on the web site and see if your phone numbers match.” “OK, can I put you on hold?” “Sure.” So I did. I went to their web site, clicked “Contact Us” and found different phone numbers. In the meantime she came back on the line. “Did you find what you needed?” she asked. “No, the numbers don’t match.” “Well you have reached ____, and we do have an account in your name. If you provide your birthdate I can give you the account details.” “Yeah, see that’s the problem. You can confirm my identity, but there’s nothing you can give me that can confirm your identity. I’m going to have to call the number on the web site to be sure.” “This really is ____” she said in an exasperated tone. “Well, I can’t be sure” I replied. “Then do what you need to” she said, and hung up rather abruptly. So I did call the number from the web site. I did have an account there. Some credit card I haven’t used since the middle of 2000. I was able to find that out without even talking to a human: their automated system handled the whole process, including my canceling the card. But it sure goes to show just how complex bi-directional authentication can be. Makes a person really appreciate the work done to design Kerberos, SSL, Windows Card Services and all the other authentication schemes out there we take for granted every day…