My bank has an option to start a regular call from their mobile app (logged in state) which they say is an "authenticated call". I will not have to provide any details on the phone with the service agent anymore.
The button opens my regular Google Phone dialer app.
HOW does that work? I mean, it's just my dialer calling a landline number. Can you send (hidden) metadata through the dialer app on a plain cell phone call? π€
I *really* hope it's not just through the insecure caller ID here π¬
I had to confirm some action (change to the service plan) from within their app, which went pretty smooth. A good experience overall for the user. I just feel like it's vulnerable to social engineering on the bank side if this "authenticated call" would be just caller ID based.
@gertvdijk Maybe the ID is signed through STIR/SHAKEN?
Caller ID authorization is a new system aimed at combating illegal caller ID spoofing. Such a system is critical to protecting Americans from scam spoofed robocalls and would erode the ability of callers to illegally spoof a caller ID, which scam artists use to trick Americans into answering their phones when they shouldn't. Industry stakeholders are working to implement caller ID authentication, which is sometimes called STIR/SHAKEN.
(edit 13:14: @towo had the actual answer -- https://mastodon.social/@gertvdijk/111941100769929578)
My best guess would be that it sends a flag to the customer service script software (e.g. Oracle Service Cloud or equivalent) indicating that the user has announced that they're going to call.
Then when the caller ID pops up the agent can see that whoever has access to the bank app 'requested' the call.
Gert van Dijk
lukasadr
π‘ Daan Berg ποΈ
towo
bert hubert πΊπ¦πͺπΊπΊπ¦
Edwin Groothuis
schiermi