11-07-17 | Blog Post
Cybersecurity journalist Brian Krebs noted on his website the security and simplicity of adding a vocal password to your authentication process when you call a company such as a bank or investment firm to get access to your account.
Voice passwords are a great idea. They can be a very effective security measure if a hacker calls your bank to open a fraudulent account in your name or to request a large transfer out of your account. Most banks require only your date of birth or Social Security Number to authenticate identity, both of which are (conveniently) now available online, thanks to the Equifax breach. A voice password is an extra layer of security because it’s a phrase or word known only to you (so don’t use any of your current online passwords) that must be spoken before the customer service representative will give you any information about your account.
Most financial institutions will add a voice password to your account, but it is not often advertised. Call your bank or investment firm to see if you can get one added to yours.
Remember, though, that voice passwords are just another layer in your defensive strategy, not the solution itself. They can fail: using a voice password that you also use for a different account increases the risk that it will be compromised. Banks can also disregard their own rules and hand over valuable account information with little more than answers to a few knowledge-based questions, most of which are easily found on social media accounts and online. However, a voice password is still an extra step that potential attackers will have to bypass, and some of them may be deterred from trying.
When you call, find out how firm the bank is about requiring the voice password even when a caller says they don’t remember it. Social engineers are very smooth talkers who can easily convince a call rep that they’ve “lost” the password and want to confirm their identity by some other means. If you set up a voice password, test it out! Do they grant the account access anyway because “you seem like a nice person,” or do they hold firm and require a different identity verification method, such as an in-person visit?
Don’t assume your bank is following its security protocols without some testing. Security training is difficult enough for large organizations, and call centers in particular can have high turnover. Humans are only human, after all, and it’s our nature to want to help out someone in need. But it’s not safe to take chances with your money, especially with the plethora of personal information that’s now available online.