Hacker News
by gregmac 3351 days ago
Can you explain a bit more of this? The service reps are using customers' voices to get into what? Is this a targeted attack against specific people?

The secret word thing over time sounds even stranger. A single rep would need to take (length of secret word) calls with that customer to get their password. Where are they storing it, and what are they doing with it (that they can't already do using their customer rep-level system access)?


Certainly activity is higher amongst teams that deal with higher wealth individuals, so your question about specific people is broadly correct. To get into what? Bypass biometric ID systems that are common in telephone banking systems. Audio was recorded in high fidelity via smartphones from customers and then manually pieced together in an audio editor and played back down the phone to a biometric system in order to bypass detection. As an adjunct, certain banks in the U.K. have microphones hidden in the counters of physical branches that cross reference your voice with known patterns such is the prevalence of such systems. In regard to secret words, it was a team working within the bank that shared information to crack words. High value CS teams are traditionally very small to keep "the personal touch". CS teams never get access to the full secret word. They get prompted with which questions to ask and what response to expect, so therefore gluing small answers together is the trick.
Wouldn't all these issues be solved by the customer reading a one time key over the phone?
Banks are nowhere near to being on this page yet. 99% haven't even committed to a primary authentication method. It's a jumble of mobile apps, PIN sentry devices, fobs, voice, logic engines, SS7 network scanning via back door agreements with smaller telco network providers, location. It's a real mess.

Can someone bookmark this post where I say the first billion dollar external bank fraud success will happen within the next 18 months please.

I had something close to that with Bank Sabadell. They had 40 four-digit numbers on a card and you gave them one of the 40 which they chose. They've now moved to a fancier app-based system.
Guess who would have access to the software that generates and distributes the one time keys.
Why? Have a page with a QR code seed in the internet banking. Scan it with a phone app, no interaction with customer service (unless you lose the phone).

If a bitcoin exchange can do it, I don't see why a bank couldn't (banking is easier - you can cancel transactions).
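Two things in this thread are worth seeing in code: the "gluing small answers together" attack on the memorable-word prompts described further up, and the QR-seeded one-time-code scheme proposed just above. The following is an added example, not code from any of the commenters or from any bank. The challenge model (two random character positions per call, reps only ever shown those) is an assumption that follows the thread's description; the TOTP part follows RFC 6238 (HMAC-SHA1, 30 s step, 6 digits), the same algorithm a phone app scanning an otpauth QR code would run. The secret word and the seed bytes are constructed test values.

```python
import base64
import hashlib
import hmac
import random
import struct
from urllib.parse import quote

# --- Part 1: the memorable-word challenge, as described in the thread ---------
# Assumed model: on each call the rep's screen shows two random character
# positions to ask for, plus the expected answers, and never the whole word.
# A colluding team simply logs every (position, character) pair it is shown.

def challenge(secret: str, rng: random.Random, k: int = 2):
    """Pick k distinct 1-based positions and return what the rep gets to see."""
    positions = rng.sample(range(1, len(secret) + 1), k)
    return [(p, secret[p - 1]) for p in positions]

def calls_to_reconstruct(secret: str, seed: int = 1, k: int = 2):
    """Pool prompts across calls until every position is known.
    Returns (reconstructed_word, number_of_calls_it_took)."""
    rng = random.Random(seed)      # deterministic so the result is repeatable
    known = {}
    calls = 0
    while len(known) < len(secret):
        calls += 1
        for pos, ch in challenge(secret, rng, k):
            known[pos] = ch
    word = "".join(known[p] for p in range(1, len(secret) + 1))
    return word, calls

# --- Part 2: a one-time code read over the phone (RFC 6238 TOTP) --------------

def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: dynamic truncation of HMAC-SHA1(secret, counter)."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)

def totp(secret: bytes, unix_time: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP: HOTP over the current 30-second time step."""
    return hotp(secret, unix_time // step, digits)

def otpauth_uri(secret: bytes, account: str, issuer: str) -> str:
    """The string the bank's web page would encode in the QR code the customer
    scans; the seed never passes through a customer-service rep."""
    b32 = base64.b32encode(secret).decode().rstrip("=")
    return (f"otpauth://totp/{quote(issuer)}:{quote(account)}"
            f"?secret={b32}&issuer={quote(issuer)}&algorithm=SHA1&digits=6&period=30")

class PhoneVerifier:
    """Server side: accept a code within one step of clock skew, and accept each
    time step only once, so a code recorded on one call cannot be replayed."""

    def __init__(self, secret: bytes, step: int = 30):
        self.secret, self.step, self.used = secret, step, set()

    def verify(self, code: str, now: int) -> bool:
        counter = now // self.step
        for c in (counter - 1, counter, counter + 1):
            if hmac.compare_digest(hotp(self.secret, c), code):
                if c in self.used:
                    return False      # same code read down the phone twice: replay
                self.used.add(c)
                return True
        return False

if __name__ == "__main__":
    word, n = calls_to_reconstruct("ARCHIPELAGO")
    print(f"full word {word!r} recovered after {n} calls")
    seed = b"12345678901234567890"   # RFC 6238 test-vector seed, constructed input
    print(otpauth_uri(seed, "customer@example.net", "ExampleBank"))
    v = PhoneVerifier(seed)
    code = totp(seed, 59)
    print(code, v.verify(code, 59), v.verify(code, 61))
```

The contrast is the point: the memorable word is a fixed secret revealed in pieces, so the number of calls needed to assemble it is bounded by the coupon-collector count over its positions, and nothing stops pooling. The TOTP code is derived from a seed the rep never sees, is only valid for about a minute, and the verifier refuses to accept the same step twice, so recording the customer's voice on one call yields nothing usable on the next.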

Insurance companies are doing this to detect stress levels and other factors to figure out if you are committing insurance fraud when reporting an accident.

TLDR - purpose can be to detect lying