I'm fascinated by the ritual of interbank verifications of transactions, which sometimes look like:
Bank A: Prove you're you.
You: *does*
Bank A: Alright let me put you on hold while I call Bank B's 1-800 number and explain situation.
*20 minutes passes*
Bank A: Prove you're you.
You: *does*
Bank A: Alright let me put you on hold while I call Bank B's 1-800 number and explain situation.
*20 minutes passes*
Bank A: OK.
Bank B: Prove you're you.
You: *does*
Bank B: I'm satisfied. OK, what do you want to know?
Bank A: Can you confirm they have an account with you and read the most current balance?
Bank B: Yes. $X.
Bank A: OK we're done.
Bank B: Bye.
Bank A: Thanks for banking with us.
Bank B: Prove you're you.
You: *does*
Bank B: I'm satisfied. OK, what do you want to know?
Bank A: Can you confirm they have an account with you and read the most current balance?
Bank B: Yes. $X.
Bank A: OK we're done.
Bank B: Bye.
Bank A: Thanks for banking with us.
You: So what about that transaction?
Bank A: Oh we're going to bank the heck out of it now.
Bank A: Oh we're going to bank the heck out of it now.
"Is there any rational purpose to this, Patrick?
It depends exactly why the transaction got held up in the first place, but there is a subtle side effect here.
It is possible someone can defeat one bank's identity verification and fraud screen. Has been known to happen.
It depends exactly why the transaction got held up in the first place, but there is a subtle side effect here.
It is possible someone can defeat one bank's identity verification and fraud screen. Has been known to happen.
The more times you have to do it, the harder it gets, and the gradient is *extremely steep.* So even in this relatively short conversation, Bank A gets one extremely important Bayesian update on the likelihood that you're actually you.
"But aren't they going to be extremely similar verification screens that you'd pass with the same data, which a fraudster might plausibly have grabbed off the dark web?"
It is far less likely that the credentials for multiple banks leaked into same place and there are also...
It is far less likely that the credentials for multiple banks leaked into same place and there are also...
... non-obvious bits of metadata / profiling happening which broadly means the financial system gets a correlated-but-still real second bite at the apple to weed out a fraudster.
Another thing I find fascinating is that there is no real "handshake" happening in most cases. The 1-800 number is public information, and the "Press 4 if you're a financial institution" is public information.
You'd think there would be a callback, lookup, etc. Largely not.
You'd think there would be a callback, lookup, etc. Largely not.
The security of the interaction almost entirely rests on:
Bank A: "I'm calling to verify a transaction with customer of your bank."
Bank B: "You certainly sound like a banker. I should know, I am a banker."
Bank A: "We are both totes bankers, and you did answer the right phone."
Bank A: "I'm calling to verify a transaction with customer of your bank."
Bank B: "You certainly sound like a banker. I should know, I am a banker."
Bank A: "We are both totes bankers, and you did answer the right phone."
"Shouldn't there be a database involved here?"
I mean there are two databases. The protocol between them is English and the transport layer between them is a three-way phone call.
"Could they just blockchain this?"
Oh believe me that has been pitched.
I mean there are two databases. The protocol between them is English and the transport layer between them is a three-way phone call.
"Could they just blockchain this?"
Oh believe me that has been pitched.
Another fun note: Yeah, Bank A hears all your account information with Bank B. There's no way for them to reliably conference out of the call and back into the call.
"Is that secure?"
Both Bank A and Bank B have a very similar training lesson in week one for new employees.
"Is that secure?"
Both Bank A and Bank B have a very similar training lesson in week one for new employees.
That training lesson emphasizes how much they trust their new employees, so much so that their every interaction with anyone is ruthlessly surveilled, and then they recount the story of a few people who were not worthy of trust, and for how long they will be guests of the state.
• • •
Missing some Tweet in this thread? You can try to
force a refresh
