A common tactic used by nefarious individuals (Private Investigators, Hackers, Debt Collectors, News of the World) to find out more about a person is to impersonate them on the phone, and try to extract information from customer services.
The person calling might have already done their ~Facebook~ research and already knows the Monzo user’s date of birth, place of birth, and first cat’s name, for example, in an effort to correctly answer security questions.
The information they might be after would include:
- Direct Debit info (which would include account/agreement/policy numbers)
- Latest transaction information (which provides approximate geographical location of the user)
- Current balance (which can be used to gauge financial status)
When a successful social engineering attack like this happens, typically the user has no idea, and neither do customer services.
What I propose is that when a customer calls up purporting to be a Monzo user, you add a notification into that user’s Monzo feed, saying a call was made to customer services by you.
Perhaps add some response options to the notification:
- “THIS WASNT ME WAT IS GOING ON OMFG”
- “Oh that’s cool, they notified me that I called them, Ok.”
If this notification is sent at the beginning of a call, then the victim has a good opportunity to interrupt the social engineer before the call is complete, by responding to the notification.
I’m aware of the existing Monzo customer services challenge-response mechanism, which is for the user to read back a secret value from the Monzo app screen, but this would be a nice casual addition to that, and a defeat for the “I don’t have my phone on me” excuse.
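As an added illustration, not part of the original post and not Monzo's own code, the following Python model shows how the proposed control could sit alongside the existing app-screen challenge: a feed notification is posted the moment a call starts, the agent cannot read out the sensitive items listed above until the caller reads back the value shown in the app, and a "this wasn't me" response locks the call for everything, including the harmless items. All names, the item categories and the lock-on-denial behaviour are assumptions made for the example.

```python
"""Model of a call-start feed notification plus app-screen challenge.

Added example, not Monzo's implementation. Names and policy are assumptions.
"""
from dataclasses import dataclass, field
from enum import Enum
from typing import Dict, List, Optional, Tuple
import secrets

# Items the post lists as valuable to an impersonator (assumed category names).
SENSITIVE_ITEMS = {"direct_debits", "latest_transactions", "balance"}


class Response(Enum):
    NONE = "none"            # user has not reacted to the notification yet
    NOT_ME = "not_me"        # user denies making the call
    CONFIRMED = "confirmed"  # user confirms the call is theirs


@dataclass
class FeedNotification:
    call_id: str
    text: str
    options: Tuple[str, ...]
    response: Response = Response.NONE


@dataclass
class CallSession:
    user_id: str
    call_id: str = field(default_factory=lambda: secrets.token_hex(4))
    # Short secret shown only on the app screen; the caller must read it back.
    challenge: str = field(default_factory=lambda: secrets.token_hex(3))
    challenge_passed: bool = False
    locked: bool = False
    notification: Optional[FeedNotification] = None
    disclosures: List[str] = field(default_factory=list)
    audit: List[str] = field(default_factory=list)


# Constructed in-memory stand-in for each user's app feed.
FEEDS: Dict[str, List[FeedNotification]] = {}


def start_call(user_id: str) -> CallSession:
    """Open a support call and post the notification before anything is discussed."""
    session = CallSession(user_id=user_id)
    session.notification = FeedNotification(
        call_id=session.call_id,
        text="Someone is calling customer services as you right now.",
        options=("This wasn't me", "Yes, that was me"),
    )
    FEEDS.setdefault(user_id, []).append(session.notification)
    session.audit.append("notification posted at call start")
    return session


def respond_to_notification(session: CallSession, response: Response) -> None:
    """Record the user's tap on the feed notification; a denial locks the call."""
    assert session.notification is not None
    session.notification.response = response
    if response is Response.NOT_ME:
        session.locked = True
        session.audit.append("user denied the call; all disclosure locked")
    else:
        session.audit.append(f"user responded {response.value}")


def verify_app_challenge(session: CallSession, spoken_value: str) -> bool:
    """Caller reads back the value from the app screen; constant-time compare."""
    if secrets.compare_digest(spoken_value, session.challenge):
        session.challenge_passed = True
        session.audit.append("app challenge passed")
    else:
        session.audit.append("app challenge failed")
    return session.challenge_passed


def request_disclosure(session: CallSession, item: str) -> Tuple[bool, str]:
    """Agent asks to read out `item`; returns (allowed, reason) and logs the decision."""
    if session.locked:
        reason = "user flagged this call as not theirs"
    elif item in SENSITIVE_ITEMS and not session.challenge_passed:
        reason = "app challenge not passed"  # covers 'I don't have my phone on me'
    else:
        session.disclosures.append(item)
        session.audit.append(f"disclosed {item}")
        return True, "ok"
    session.audit.append(f"refused {item}: {reason}")
    return False, reason
```

The two checks are deliberately separate: the challenge gate stops the caller who cannot see the app from ever reaching the sensitive items, while the notification gives the real user a way to stop a caller who has somehow passed or not yet reached that gate, and the audit list leaves a record for customer services to review afterwards.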