johne@hp-vcd.HP.COM (John Eaton) (02/09/91)
I've noticed that more and more institutions are installing "Phone Droids" as an aid to customer service. You can call a 1-800 number 24 hours a day from a Touch-Tone(tm) phone and the computer will let you do all sorts of weird and wonderful things with your account. While some of these services do address privacy issues, I suspect that others have no idea of the trouble that they can cause.

There is an article in comp.risks (Dig 11.03) about Fidelity Investments' new droid and what it does. If you know Peter Lynch's SSN then you can call it up and find out where Mr Lynch keeps his personal money invested.

My bank (Security Pacific) has a line that gives current account balances and lists recent checks and deposits that have cleared. All you need is an account number and SSN. Any merchant you write a check to can run a credit check and get your SSN. Why should they ask Lotus for an estimate of my income when my bank will tell them the exact amount that I deposited on my last payday? If you send alimony or child support to an ex-wife who knows your SSN then she can call up anytime and find out how much you are currently making. That way she can be sure to drag you back into court as soon as you are making enough money to make it worthwhile. This is truly full service banking at its best.

I would like to start a discussion about phone droid security and what should and should not be done. It would be nice to develop a set of guidelines to evaluate the security aspects of these things. Some initial thoughts:

1) Customers must actively request that their accounts be accessible via phone. Defaulting everyone on is not acceptable.

2) Customer defined and redefinable PIN numbers are a must.

3) System must be able to identify and thwart any brute force attack on a PIN.

4) Customer statements should list a count of the number of accesses on that account every month.
Personally I have moved my direct deposit paycheck from Insecurity Pacific to another institution because of their droid. I suspect that there are a lot of banks out there that do similar things. We need to be aware of the privacy implications and how we can protect ourselves. John Eaton !hp-vcd!johne
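The four guidelines in the post above, turned into a small working model of a phone-banking authentication front end. This is an added example, not code from the post or from any bank's system: the account number, timestamp, PIN, lockout threshold (three failures) and lockout length (15 minutes) are all constructed for the demonstration, and the salted PBKDF2 storage of the PIN is one reasonable choice, not something the post specifies.

```python
"""Toy model of a phone-banking ("phone droid") authentication front end.

Added example: it implements the four guidelines from the post as concrete
checks -- opt-in only (1), customer-set PIN (2), brute-force lockout (3),
and a per-month access count for the statement (4). All account data,
timestamps and policy thresholds below are constructed for the demo.
"""
import hashlib
import hmac
import os
import time
from dataclasses import dataclass, field

MAX_FAILURES = 3            # assumed policy: lock after 3 bad PINs in a row
LOCKOUT_SECONDS = 15 * 60   # assumed policy: 15-minute lockout
PBKDF2_ROUNDS = 100_000


@dataclass
class Account:
    number: str
    phone_enabled: bool = False                     # guideline 1: off until requested
    pin_salt: bytes = b""
    pin_hash: bytes = b""
    failed_attempts: int = 0
    locked_until: float = 0.0
    access_log: list = field(default_factory=list)  # guideline 4: (timestamp, outcome)

    def enable_phone_access(self) -> None:
        """Guideline 1: the customer must opt in; nothing is reachable before this."""
        self.phone_enabled = True

    def set_pin(self, pin: str) -> None:
        """Guideline 2: customer chooses (and may change) the PIN.
        Only a salted PBKDF2 hash is kept, never the PIN itself."""
        if not (4 <= len(pin) <= 12 and pin.isdigit()):
            raise ValueError("PIN must be 4-12 digits")
        self.pin_salt = os.urandom(16)
        self.pin_hash = hashlib.pbkdf2_hmac("sha256", pin.encode(), self.pin_salt, PBKDF2_ROUNDS)
        self.failed_attempts = 0
        self.locked_until = 0.0


def authenticate(acct: Account, pin: str, now: float) -> str:
    """Return 'ok', 'disabled', 'locked' or 'denied'.

    Every attempt is appended to the access log so the monthly statement can
    report it (guideline 4). Guideline 3: after MAX_FAILURES consecutive bad
    PINs the account is locked for LOCKOUT_SECONDS, and even the correct PIN is
    refused while the lock is in force, which caps guessing at a few tries per window.
    """
    if not acct.phone_enabled:
        acct.access_log.append((now, "disabled"))
        return "disabled"
    if now < acct.locked_until:
        acct.access_log.append((now, "locked"))
        return "locked"
    candidate = hashlib.pbkdf2_hmac("sha256", pin.encode(), acct.pin_salt, PBKDF2_ROUNDS)
    # constant-time comparison; compare_digest returns False on length mismatch
    if hmac.compare_digest(candidate, acct.pin_hash):
        acct.failed_attempts = 0
        acct.access_log.append((now, "ok"))
        return "ok"
    acct.failed_attempts += 1
    acct.access_log.append((now, "denied"))
    if acct.failed_attempts >= MAX_FAILURES:
        acct.locked_until = now + LOCKOUT_SECONDS
        acct.failed_attempts = 0
    return "denied"


def monthly_access_count(acct: Account, year: int, month: int) -> dict:
    """Guideline 4: number of attempts by outcome for the statement month (UTC)."""
    counts = {"disabled": 0, "ok": 0, "denied": 0, "locked": 0}
    for ts, outcome in acct.access_log:
        t = time.gmtime(ts)
        if (t.tm_year, t.tm_mon) == (year, month):
            counts[outcome] += 1
    return counts


def demo() -> dict:
    """Walk-through: disabled by default, enable and set a PIN, three bad
    guesses lock the account, the right PIN is refused while locked and
    accepted once the lockout has expired. Returns the outcomes and the
    statement counts for the constructed month."""
    acct = Account(number="DEMO-0001")   # constructed account number
    t0 = 1_700_000_000.0                 # constructed timestamp: 2023-11-14 UTC
    results = [authenticate(acct, "1234", t0)]                 # disabled
    acct.enable_phone_access()
    acct.set_pin("4821")                                       # constructed PIN
    for i in range(3):
        results.append(authenticate(acct, "0000", t0 + i))     # denied x3 -> lock
    results.append(authenticate(acct, "4821", t0 + 10))        # locked despite right PIN
    results.append(authenticate(acct, "4821", t0 + LOCKOUT_SECONDS + 60))  # ok
    return {"results": results, "november": monthly_access_count(acct, 2023, 11)}


if __name__ == "__main__":
    print(demo())
```

The `now` parameter is passed in rather than read from the clock so that the lockout logic can be exercised deterministically; a real deployment would also persist the access log server-side and print the per-month counts on the paper statement, which is what guideline 4 asks for.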