Surely phoning your bank back is secure?

I’ve made a few big (unusual) purchases on my credit card recently. My credit card provider called me up and asked me to provide my security details.

Being a suspicious kind of person, I enquired

How do I know you are my bank?

Quite politely and correctly, the caller suggested I look at my credit card, phone them back on the telephone number printed on it, and quote the reference XXXX.
This I did, and confirmed the purchases as genuine. No problems.

A few months later, I relayed the above story to someone at a security industry event. It turns out I could still have been easily scammed. Here’s how it works:

  1. Having made the (fake) call to me to report an issue on my card, the attacker does not hang up the phone at their end.
  2. The attacker plays a fake dial tone down the line.
  3. The victim picks up the phone, hears the (fake) dial tone and punches in the trusted bank phone number.
  4. The perpetrator plays a ringing sound, then ‘answers’ the call.
  5. They take you through security by asking for your password etc…
  6. Whack – you’ve been done.

To avoid this, the advice I was given was to do one of the following if your bank calls and you need to call them back.

  1. Use a different phone to call the bank back.
  2. Call someone else you trust first, and make sure the call connects and you speak to the right person.
  3. Hang up, and wait 30 minutes – after which the call will normally clear itself.

While this is good advice, I doubt it is widely known. Is this an education issue, or do we need a ‘stronger’ security ‘protocol’ over the phone?

Ideas welcome…