OP here. Just a couple of the things I learned since I posted the Twitter thread:
- The caller spoofed the phone number of the bank. The bank was not in my contacts, so I did not notice. Someone else in the thread noted that they did have the bank's phone number stored, which upped the credibility of the call to them.
- The caller called me twice in rapid succession (First ignore the call from a number you do not know. Then they call back again immediately: "maybe this is urgent / important"). Another person in the thread, who fell for the scam, noted this same pattern.
- It is better if banks include a security warning / specific reason the code is sent with the password reset pins and similar credentials. My bank did not. Another Twitter user noted being subject to the scam, and just glancing over the warning copy. So it helps, but it is not perfect. Especially pre-coffee.
- My bank no longer allows me to reset my password without calling them (thanks bank).
When I read the thread now, it's obviously full of red flags. I was successfully manipulated, and whilst I'm certainly not as clever as all the people pointing out they would have caught this from sentence one, I believe I'm also not the lowest hanging fruit in terms of a target :-) Makes you wonder what this will look like when these scams evolve another couple of generations in terms of complexity ...
I've got a number of calls from my bank over the years (usually the Visa department asking about international charges) and my standard response has always been "I'm sorry, as a rule I do not discuss personal details with someone who called me, since I don't know who you are" and they typically respond with "no problem, please call the number on the back of your credit card". I still wish they wouldn't try to initiate a call (usually they launch straight away into verifying who I am, asking me a ton of personal details before I even know that they're legit... sigh) and would just ask me to call them back on an official number (not one they give me over the phone, obviously) instead. If that were standard practice, I think these kinds of scams would be a lot easier to detect.
>my standard response has always been "I'm sorry, as a rule I do not discuss personal details with someone who called me, since I don't know who you are"
Amex got quite offended when I did this, and almost chastised me when I got through to an agent after making the outbound call myself. They argued that because they only asked for limited personal information (DOB) it was fine...
I had that same issue with Amex, they phoned, said there was a concern with my card and then wanted me to go through identity checks before saying more. They also got quite stroppy when I refused and asked them to prove their own identity first!
Eventually they did suggest I call the number on the back of my card, but I was annoyed by their lack of professionalism by this point (I mean, they are asking me to do stuff - giving out information to unknown callers - which they themselves always tell customers never to do!) I said I wasn't going to phone a general number and get stuck on hold for hours over an unknown issue - either give me some reference to get through quickly to the right person, tell me what the problem is now, or send me a letter. But they kept claiming that they couldn't send out letters in the post :-(
In the end, I finally received a letter by mail telling me that there were problems with my direct debit payments. So it was a genuine call but their inability to securely make these calls is frustrating.
Call the number on the back of the card - "Press X if you have been given a code by us". Effectively, you're calling <number on the back of the card> + <reference to queue skip>.
I was just thinking about how the agent could generate ephemeral PBX extensions. OTP-like would definitely be the way to go.
Edit: perhaps the extension would be per transaction, not per agent, and when the customer calls the extension, the agent's system can automatically pull up the customer's account. These extensions should expire, but given the length of some customer calls, and how often I've been disconnected from customer service lately, perhaps it should be on the order of hours, not minutes or seconds.
Not a different number to call, but instead a shortcut through the usual automated phone menus - e.g. I've had a bank tell me to phone their number and then enter an extension to take me straight through to the right person.
Phone calls are cheap especially for nonconnected or robocalls (which would cost for a postal contact).
Postal mail costs $0.50 US in postage alone. The full-up cost of a mail campaign is often several dollars per mailed item, though in bulk, and with bulk rate, I believe it's closer to $0.40 (postage plus a few cents for paper and envelope).
That would cover many thousands of email contacts, possibly nearly as many phone/VOIP attempts.
And the systems required to successfully and accurately generate a postal response on request are also high.
Not sure if it’s true, but I’ve heard that mail (at least in the US) is safer because the cost to send letters is high enough to deter bulk sends vs email/phone, that postal inspectors are relatively effective at catching people, and that the laws around mail fraud make prosecutions easier.
It might not be genuine. But what one should do to resolve the problem described in the letter is to go to the regular Amex website, log in, and update your debit information.
My preference is to have multiple points of contact. Email+phone and the alert is sent simultaneously both ways. This happened recently when a purchase I made was flagged. I got a text asking to approve the charge. Not trusting SMS I checked my email and saw the same message as the text and a link to take further action.
I was disappointed that no alert was sent through the banking app. That would be the most secure option but is explicitly disallowed in the notification settings.
I also do this every time when my doctor's office or insurance calls. They have to verify your identity to give you medical information. I need to verify their identity to give them my personally identifiable information.
I think eventually they got the point because now they have a secure online email system and just leave a message asking me to call back. They still leave a return phone number, but it's getting better.
At least with an email you can hopefully verify the headers. A phone number is too easily spoofed these days and the end user has no real means of verification.
My bank always says "There is an issue with your credit card/account, please call the number on the back of the card/your branch as soon as possible." and has for years.
The only time they do otherwise is on very specific instances where they provide the info, "did you just buy something at store XXX for approximately $YYY"
All banks and credit institutions should be required by law to do this.
Capital One has an app, every time my card is used I get a push notification. This is the best solution in my mind. I can actively monitor my card usage and call if I see something suspicious.
I'm surprised that this isn't a requirement for banks considering the very large number of scams going on in the US.
In India, getting an SMS/Email confirming every card usage is a legal requirement imposed by the Reserve Bank of India. The same goes for card usage itself. All credit and debit card POS transactions need the card PIN to be approved. Likewise, all online transactions require MFA.
Apple Pay, for all my cards, gives me an immediate push notification, despite some cards not doing so for regular chip/swipe transactions. Really like that feature & also wish all cards did it for all transactions.
These are what I usually see, or else an automated call with the same approximate script. Is there anything insecure about doing this one? The only thing I can think of is a MiTM where your account credentials are already compromised and they are using your answers to reset your password.
These fraud alert calls (in my experience of course) generally don't have any ID verification so there's no real danger from the user side in interacting with them. They just ask do you recognize these charges and that's it and then initiate any fraud response. From the bank side the worst is if the number has been hijacked but the user would still be able to dispute the charges later through the normal means but CC cloners probably rarely do that so it's not a huge issue.
You should be careful even about doing that if you are on a landline. There is a landline scam where they don't let the call disconnect, so when you hang up and then think you are dialing the bank, you are actually still connected to the scammer.
Always use your mobile phone to make the call (although I'm sure it's only a matter of time before even that is compromised).
While spoofing numbers on incoming calls is far easier, it is also possible for an attacker to redirect your outgoing calls from the right place in the phone network.
You just shouldn't consider any aspect of the phone network to provide authenticity or confidentiality.
I had an experience indistinguishable from the phishing attack being discussed - with the only difference that I initiated the phone call. A transaction I had initiated had triggered some fraud warnings and my account was locked.
They asked for my account number, name, and address for verification. When they got to the point that they sent me a code over SMS and wanted me to tell it to them over the phone, I stopped them and explained that this is also the exact set of steps required to reset my account and that I wouldn’t do it.
I went to a branch in person to unlock my account and the person helping me asked me to enter my password on their terminal so that they could “see the error message”.
I’m still not sure if some parts of this were a more advanced phishing scheme than I had thought was possible, even though it does just seem like a set of confusing practices by the bank.
I wonder if bank staff are in on it sometimes. I once was at a bank branch and had the teller pick up the phone, call another teller and tell her my balance in a foreign language that I happen to speak fluently (but don’t look like I should).
I wanted to ask her why she would be doing that, but I was a bit more meek in my younger days.
I had something not exactly like this occur to me. It wasn't something I overheard, but I'm pretty sure it went something like this:
1. You talk to a teller at a branch, and they bring up your account details. The teller sees you have a mortgage with the bank, but registered to a different branch.
2. They have some sort of incentive from the mortgage specialists at their own branch or management, to refer those accounts to their own mortgage team.
3. The mortgage department at the new branch calls me, and says I can do an early renewal at a lower rate, if I come in and see them.
Anyways, I did the early renewal at my original branch, as I had a connection to a manager at that location. Either way, I ended up shaving a good chunk of interest by renewing a year early.
Ah sorry, maybe it's a Canadian thing. I have a mortgage with an amortization that's say 20 years. But I actually enter into an agreement and a rate for say 3 years. At 3 years myself and the bank need to enter into a new agreement, or I can shop around for the best rate for the next term with other providers (although some banks have been clever in the rules trying to prevent this).
An early renewal would be doing a renewal with the same bank at say the 2 year mark for a new term and interest rate. The bank allows the old contract to expire early, since they're getting the new one for an extended period, like another 3 years. These terms can vary, with 5 years being the most common, but can be shorter or longer and apply to both variable and fixed rate mortgages.
Note: I'm not an expert on this or how it compares to other regions.
Ah, that's interesting and subtly different from the way it works in the US. The most common mortgage loan here is simply a 30-year fixed rate loan. We do have 3 and 5 year fixed loans, but they just revert to a floating rate after the fixed term so there's no presumption that you have to get a new loan at the end of the fixed term even though it's often a good idea. Those loans have also fallen out of favor substantially since 2008. Are full-term fixed loans not a thing in Canada?
My understanding is that this style of loan, balloon payment mortgage, used to be common in the US too, but government intervention in the form of Fannie Mae loan purchases made the 30-year fixed loan widely available.
As a borrower, there's a big risk with a balloon payment that you may not be able to find financing when it's due, so having a full term loan is very desirable.
Nope, 5 years is a maximum term you can get for residential mortgages, fixed or variable, with 25 years amortization most commonly (so you'll renew it at least 4 times).
Maybe there are other weird types of mortgages but they are usually not available for individuals I think.
You initiated the call to what number? The number on your card? If so, that's ridiculous.
(Obviously, initiating a call to a number provided by a potential scammer offers no protection. If someone is intercepting and redirecting your outgoing calls via the phone network, I'd say you probably have a bigger problem than a declined transaction.)
I get these calls from time to time, and any bank with proper training should be 100% okay with you questioning their authenticity. There are some replies which indicate that the agent is annoyed... That's just poor training.
As for them initiating a phone call, it still does remain the best way to contact someone urgently, usually falling back to SMS and/or email when/if you don't answer (this was our SOP when I was in a fraud detection team years ago). We'd also usually tell them to call the number on the back of your card (because not everyone is able to look up the bank's website, shockingly, so this is the most universally applicable way to give people a number) but my usual spiel was "call us on the number on the back of your card or from our website".
There's also no real way for you to know that they're legit, but an interesting reassurance one bank I know uses is to provide your month and day of birth and ask you for the year (as just part of the verification process). The partial info probably helps some people but I still wouldn't go for it - too many people know my birthday.
I always say to them: I cannot identify myself to you because I cannot authenticate who you are.
And explain to them that we, as a society, need to come up with a way of authenticating inbound and outbound calls to ensure we are connected with who the other party claims to be, because when you do this it conditions society into responding and that's how phishing attacks occur.
Banks have this in place already - EMV cards have powerful cryptoprocessors. In Germany we can use chipTAN, it's a small cheap reader for your card where you scan a six-binary-blinking screen that transmits the transaction data, then the card signs it and you get a six-digit TAN back. You can also manually enter the hash to be signed ("start code" is the technical term) and you get the TAN.
Customer support could ask you to authenticate using the TAN already, the hurdle is that you would need to carry the reader at all times.
Unrelated to banks, I believe it could be possible to extend SS7 signalling to not just transmit the caller ID but also a crypto signature/public key which the phone then can verify - or your phone provider could. Think of something like HSTS with a global database, if there is no match for the phone number the provider patches the call through, but if there is an entry, all providers can check for the public key transmitted by the caller and refuse to patch the call if it's missing or faked.
I am grossed out by proprietary protocols but proprietary encryption algorithms just make me laugh. Who even thought that this would be a good idea? Are they seriously trusting their money with this?
My bank seems to use a similar scheme. It appears akin to TOTP with 8 numbers. But the secret is inside the black box. They also have something like a QR code but with RGB colors (does not work with blue light reducing features).
> "I'm sorry, as a rule I do not discuss personal details with someone who called me, since I don't know who you are"
Correct. If someone calls me, the onus is on them to prove to me that they are who they say they are.
However, I usually just block ALL unscheduled phone calls, period. Not only do I not have time for unscheduled interruptions, but banks have secure websites and if they can't make proper use of them, too bad, they aren't going to reach me by trying to call me. They should know that phones are easy to phish with, and stop using phone calls to initiate communication.
Ideally what I want is an e-mail saying "we saw some suspicious transactions, please /log in/ to check that there is no fraudulent activity" or even a more general "please log in for an urgent message" with a suspend button in the online interface.
Good point, and in fact I haven’t gotten such a call in a long time. All the “did you make transaction X” type calls now go through their app or via sms, so don’t get those calls anymore. I can’t actually remember the last time the bank called me, but maybe 6 or 7 years ago they called me a good few times. Nowadays I actually also block incoming calls unless in my contacts or I’m expecting it. I communicate mostly online and outside family, rarely get phone calls. So I really don’t care to answer a random call.
Why would they need to verify you when they call your phone? When I got these calls personally it was a robot voice that was simply asking if a few of my transactions were done by me. It only happened twice, and I feel they make sure to include both actual transactions and a few fake ones to verify your truthfulness, because in both cases I had one that was clearly wrong that I never saw in my transaction log and they didn't replace my card.
Hey, this is actually how it works in Turkey. All SMS messages for transaction purposes from banks have a disclaimer, which indicates whether to share the code with customer service representative or not.
For example, for online transactions, the SMS includes a warning to not share the code with anyone, while SMS codes for telephone banking tell you to share the number with the representative.
The only text messages I get from my bank are descriptive confirmations of actions I did. At the end of every message it says to contact them by phone if you don't recognise the action.
My bank uses a scanner to authorize pretty much all actions. It scans some sort of RGB QR code [0].
When scanned you'll see the IBAN you're sending the money to and the amount you're sending. I think that when the IBAN is in your contacts it shows the name instead of the IBAN.
But most importantly it shows a descriptive message of what action you're verifying.
I think the only actions that don't require the scanner are small transactions through their app and marking your card as broken/stolen in the app.
>When I read the thread now, it's obviously full of red flags. I was successfully manipulated, and whilst I'm certainly not as clever as all the people pointing out they would have caught this from sentence one, I believe I'm also not the lowest hanging fruit in terms of a target :-) Makes you wonder what this will look like when these scams evolve another couple of generations in terms of complexity ...
I think this is a social skills moment. For those that claim it's "easy" to spot: This is not the right time for people to brag about how they would have totally spotted it. This is mostly for protecting people who (as most people in this world) don't have time to build up a solid understanding of all aspects of internet security. If you don't care about these people, as some sort of Darwinian schadenfreude, stfu. If you do, focus on their perspective, not your brilliant detective skills.
I'd wager >50% of those that claim "Ah ha! I'd spot it here!" would fail in real life. Arm-chair quarterbacking is easy. Spotting the scam in real life, when you're walking down the street or otherwise distracted with life? Much harder.
I don’t know... this is not a “social skills” thing. It’s a very simple rule that should be easy for anyone to follow: never talk to any business who calls you. Ask who they are, hang up, and call the official customer support number. That’s it. No wizardry, charisma, or smooth talking ability needed. Get who they are and hang up.
Personally, I don’t even answer the phone anymore unless the number is one of my contacts. Looking at the last 30 days of call history, a good 95% of my incoming calls were spammers who didn’t leave a message or spammers who did.
The last time a legitimate number called me I didn’t recognize was probably a year ago. It was my daughter’s school. They left a message and I called them back immediately. That’s probably the safest way of dealing with the security trash fire called the phone system.
Most people claiming they would have spotted it are probably wrong anyway. They're reading the messages with the knowledge that they were sent by a scammer. Any idiot can identify these things in hindsight knowing what they're looking at. Without that context, with other things on their mind, it's much more likely they'd have been duped too.
Absolutely. You're in the middle of something else. Your "bank" calls you. You're thinking "What the hell do they want and how can I deal with this as quickly as possible?" Etc. I like to think that I'd never fall for any of these scams and I'm sure I'm more conscious of the possibility than I would have been at one point. But I can't really swear that distracted me whose mind is 75% focused on some other task is as security-aware as I like to think I am.
They say the generic rule of thumb here is urgency. If you can't take your time, it's a scam. I was previously scammed several times with urgency, but as a rhetoric trick under a premise of impatience.
Just realizing that a phishing-attack like this is nowadays impossible in the EU: proper two-factor authentication is mandatory now (Revised Directive on Payment Services, PSD2), even just for login. TAN-codes generated for transactions need to incorporate the data of the transaction (recipient and amount), so that a phished TAN cannot be used to authorize a different transaction. I think even a simple SMS TAN may not be allowed any more (could be MITM-abused to authorize a different than the intended transaction).
Here is a summary of what customers and phishers have to face since September:
The security part of PSD2 is starting to look like another cookie law. Banks of course didn't implement any proper 2FA like U2F but rather send you scrounging for the phone with their app every time you want to look up a transaction or an account number, something that didn't require second factor until the directive.
In fact, because it makes checking recent transactions that much less convenient, it probably made me less safe because I do it much less often.
TOTP is in terms of usability not very different from PhotoTAN or ChipTAN, so I don't see how these methods aren't "proper 2FA".
U2F is a useful method, but it's not common at all (even in IT most companies don't provide it, not even the website we're on right now, nor PayPal), and it's not understandable how this isn't "proper 2FA".
In addition, the directive requiring the purpose of the code to be fixed and shown aside it, either in the app generating it, or in the push notification, is a very useful security aspect which most other 2FA solutions miss — even U2F can't differentiate between a login and a transaction authorization.
I don't like TOTP. U2F, however, is both convenient and secure. You touch a dongle, you're in, and at the same time there is no way to get access to your account without physically stealing the dongle. It's a proper second factor to a password.
Other solutions are either or. There is a benefit to confirming particular actions (with the info about the action) in the app but it's unnecessarily inconvenient for mere login.
U2F isn't widely supported but I managed to secure virtually my entire high-value Internet presence with it. Google, OVH, Coinbase, and Stripe all support it. Let's be honest, for HN I wouldn't bother with any second factor. I have the password saved in the browser and that's more than enough.
Here we have ChipTAN - I put my card into a special reader (some photodiodes plus keypad and display), hold the diode-end of the reader onto my PC display and a flickering image on the website transfers some info to the reader. On the reader I then see some info on the transaction (IBAN and amount), plus a TAN. I then enter that TAN on the banks website.
So an attacker would need to alter the image (simple) and cause a collision (hopefully difficult) or somehow abuse an error in the reader firmware.
It seems there is now a QR variant of that (which increases the attack surface since now it has to understand a more complex data format).
If my bank would have had me install an App or use SMS 2FA I would have kindly asked them to .... off (or, if they think their "2FA" is safe, just connect their mobile phones to this totally unsuspicious looking USB device).
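The property the PSD2 comment above calls dynamic linking, and that the ChipTAN reader in this comment enforces by showing IBAN and amount before the card signs, can be demonstrated in a few lines. The code below is an added illustration, not ChipTAN's real algorithm or any bank's code: it uses HMAC-SHA256 with HOTP-style truncation, a constructed card secret and constructed IBANs, and compares a transaction-bound TAN with a legacy TAN that depends only on a counter.

```python
import hashlib
import hmac
import struct
from dataclasses import dataclass


@dataclass(frozen=True)
class Transaction:
    """The data the reader shows the customer before the card signs it."""
    iban: str          # recipient account (shown on the reader display)
    amount_cents: int  # amount in cents (shown on the reader display)
    purpose: str       # what the code authorises: "TRANSFER", "LOGIN", ...


def reader_display(tx: Transaction) -> str:
    """What the reader shows before producing the TAN; the customer is expected
    to compare this with the transfer they actually typed into the website."""
    euros, cents = divmod(tx.amount_cents, 100)
    return f"{tx.purpose}: {euros}.{cents:02d} EUR -> {tx.iban}"


def canonical(tx: Transaction, counter: int) -> bytes:
    """Unambiguous, length-prefixed encoding of the data to be signed, so two
    different transactions can never serialise to the same byte string."""
    out = struct.pack(">Q", counter)
    fields = (tx.purpose, tx.iban.replace(" ", "").upper(), str(tx.amount_cents))
    for field in fields:
        data = field.encode()
        out += struct.pack(">H", len(data)) + data
    return out


def generate_tan(card_secret: bytes, tx: Transaction, counter: int) -> str:
    """Six-digit TAN bound to the transaction: HMAC-SHA256 over the canonical
    encoding, truncated the way HOTP (RFC 4226) truncates its MAC."""
    mac = hmac.new(card_secret, canonical(tx, counter), hashlib.sha256).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return f"{code % 1_000_000:06d}"


def verify_tan(card_secret: bytes, tx: Transaction, counter: int, tan: str) -> bool:
    """Bank side: recompute the TAN from the transaction it is about to execute,
    not from whatever the caller claims the TAN was issued for."""
    return hmac.compare_digest(generate_tan(card_secret, tx, counter), tan)


def generate_unbound_tan(card_secret: bytes, counter: int) -> str:
    """A legacy-style TAN that depends only on the counter (like a plain SMS TAN
    with no transaction data in it). Modelled here as an empty transaction."""
    return generate_tan(card_secret, Transaction("", 0, ""), counter)


def phished_tan_reusable(bound: bool) -> bool:
    """Simulate the scam in the thread: the victim reads a TAN to the caller, who
    submits it for a different recipient and amount. Returns True if the bank
    would accept it. Secret and IBANs are constructed sample values."""
    secret = b"constructed-card-secret-not-a-real-key"
    counter = 17
    intended = Transaction("DE89 3704 0044 0532 0130 00", 2599, "TRANSFER")
    attacker = Transaction("DE02 1203 0000 0000 2020 51", 250000, "TRANSFER")
    if bound:
        tan = generate_tan(secret, intended, counter)
        return verify_tan(secret, attacker, counter, tan)
    # Legacy bank: the TAN carries no transaction data, so it only checks the
    # counter, and the attacker's transaction goes through with the same code.
    tan = generate_unbound_tan(secret, counter)
    return hmac.compare_digest(generate_unbound_tan(secret, counter), tan)


if __name__ == "__main__":
    print("bound TAN reusable by attacker:  ", phished_tan_reusable(bound=True))
    print("unbound TAN reusable by attacker:", phished_tan_reusable(bound=False))
```

The same binding is what makes the purpose-labelled SMS codes described elsewhere in the thread useful: a code minted for "LOGIN" fails verification when presented for a "TRANSFER".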
One thing that I've frequently heard is that in any type of fraud call you should always hang up right at the beginning and call the bank back.
Seems like no matter how sophisticated the attackers, this defense will always foil anything along the same lines of what happened to you. The only way I can see this countermeasure failing is if the scammers can somehow manage to intercept inbound calls to the bank's customer service number.
I agree. The same goes for email obviously. But some financial institutions are actively luring customers into doing the wrong thing.
Paypal really stands out on this one. They are regularly sending me emails with a link to their login page to view my recent transactions (regardless of whether or not there are any transactions). This is clearly negligent.
Okay, so it's not just me. I've never clicked on what are apparently real paypal emails, because I have legitimately always assumed they were phishing e-mails that made it past my spam filter.
They're real. They're really real paypal e-mails. Wow.
I believe them to be genuine, but if you need incontrovertible proof, Paypal has you covered! :-)
All messages contain the following "clarification":
"How do I know this is not a Spoof email?
Spoof or 'phishing' emails tend to have generic greetings such as "Dear PayPal member". Emails from PayPal will always contain your full name."
So unless the bad guys can get their hands on a database full of names and email addresses, we're safe. And Paypal can honestly claim that "the security of our customers is very important to us!".
It is a pretty good idea, but only sufficient if you don't have much money. For large balances it might be worth someone's time to bribe your local telco worker or subvert your SS7/Diameter routing so that your calls route via an intermediary (i.e. make your phone a roaming number, route its calls to an attacker controlled exchange in e.g. India). It is even simpler to listen in to your legitimate call and hear your phone banking password and secret Q&As.
Calling via a landline or via an operator assisted call would make such tricks much more difficult.
There seems to be broad consensus amongst the commenters that this is the most reliable defense against this kind of attack. Makes sense. If they are able to intercept my outbound calls, it's probably an entirely different level of sophistication and targeting.
I read about a landline attack that would keep the line open when you put the receiver down, play a dial tone, and then wait until you'd entered a number before putting you back on with the scammer.
Analogue telephones are creating (or at least in modern times simulating) a circuit, which doesn't close until the caller hangs up.
But almost everybody today has a digital phone, any kind of mobile telephone or desk VoIP phone is digital, "hanging up" ends the call because the telephone itself decided to do that, everything is just packets. So this trick won't be effective against most people today.
Likewise "dialling" today is an out-of-band digital step rather than a bunch of pulses or tones sent in-band that an attacker can just ignore.
> I read about a landline attack that would keep the line open when you put the receiver down
I experienced this once, but not as a scam, I think there must have been some kind of fault at the exchange... the other end was a mobile phone and they didn't end the call, just putting the phone back in their pocket - the landline wouldn't disconnect, whatever signal was sent, even disconnecting the phone entirely and plugging it back in. I didn't understand how exactly, but it made it pretty clear the (landline) telephone is not in control of the connection.
IMHO this should be the law for financial and medical institutions etc. They should not be allowed to call and ask the receiver to provide verification information.
You're set, then. But the reason a law would be beneficial is it would condition everyone's parents and people who aren't as awesome as you to stop trusting callers and start calling a known-good number.
>It is better if banks include a security warning / specific reason the code is sent with the password reset pins and similar credentials. My bank did not. Another Twitter user noted being subject to the scam, and just glancing over the warning copy. So it helps, but it is not perfect. Especially pre-coffee.
I'm seriously surprised there are banks that send SMS codes without a reason for the code. All banks I deal with always send the reason for the code. For example: "This is a new payee addition authorisation code. Last 4 digits of the payee's account number are XXXX, the code is: XXXXXX" or "This a transaction authorisation code for the amount of $XX.XX, to an account ending digits XXXX. The number is XXXXXXX."
I would seriously reconsider giving your business to a bank that doesn't do that.
Interestingly there was an EU regulation passed recently that sets certain standards requiring 2FA for certain operations performed by bank customers. Having set up the 2FA auth app on an elderly relative's Android phone, having to set up a PIN to unlock the device as this is one of the 2FA app requirements, and then spending 2 hours explaining how to unlock the phone, how to use it with a tablet to log in, how to authorise payments etc., I have mixed feelings. On one side, it is a pretty secure system that will lower the number of victims of fraud. On the other hand it is a massive inconvenience for elderly people. I like the SMS verification system if done right. I think 2FA is a bit of an overkill.
Elderly are the most common subject of these attacks. So it is especially important to set strong protection for them. The inconvenience is regrettable but necessary.
I have seriously reconsidered giving my business to a bank that does do that: I'm not a fan of sending transaction amounts or account info via text. My bank does this (and over email!); their security posture is fairly decent otherwise, but why oh why send transaction amounts out into the world where they can be intercepted by anyone between here and there?
Think about the useful information for an attacker in messages like that: Recent transaction details can help an attacker auth on a call, account numbers can do the same. And large transactions are catnip, alerting attackers to worthwhile victims.
I noticed a political robocall taking advantage of this just yesterday, and there went any possibility that I would vote for this person. Your robocall did not constitute an emergency _you asshole_.
The biggest mistake was offering any information. You never offer information, you only confirm or deny things that they tell you. If they insist on things like member id, or email, you hang up, and call the bank yourself.
We as a society need some form of standardized ISO 9001-level protocol where ALL companies handle security the same way. They all ask the same questions, they don't allow first-tier support access to passwords or changing password, only specialized tier-2 support has this power, etc.
If all companies like banks, Amazon, Facebook, etc. standardize their procedures in a way that leaks no information, or engage customers in a way that leaks no information, then it will make it harder to phish people, because phishers will be forced to ask weird questions that customers will detect as weird.
The problem right now is that some companies ask for last 4 digits of SSN, last 4 digits of credit card, some ask for email address, etc, etc. A phisher can put all those together so if you reduce the attack surface it makes it very very hard.
To me, the biggest red flag is asking for any identifying info in a conversation they initiated, especially without them initially providing some sort of privileged information to you first.
Unfortunately, some banks do this. (I'm looking at you, U.S. Bank.)
It's like someone calling me and then asking me who they're speaking to. Really? You called me! (Assuming they're not returning a missed call, of course.)
If (someone claiming to be) a bank calls/texts you, (and it's not immediately after a declined transaction) you always hang up and call the number you already have for the bank.
Even if it is after a declined transaction, you still don't provide any info. If they ask if you attempted a $101.89 purchase at "big box store," you should simply respond yes/no, and provide no other info.
If you didn't attempt that transaction, they especially don't need to confirm any other info.
In your tweets you mention "And now... joyfully resetting all my passwords, filing a police report, getting additional fraud detection in place". What passwords are you talking about and why do you need to reset them? As far as I can tell no passwords have been compromised in the attack as you describe it.
Or do you suspect that there's been an other, undisclosed breach that the scammer used to get your name and phone number? I suppose it's plausible but it seems like it wouldn't be too difficult to get that info.
Should have written that more clearly. More accurate verbiage would have been "changing all my banking credentials, and enabling all possible notifications". I have no reason to believe other credentials were compromised, and have unique pw in place for nearly everything.
"Can you give a reference number (they will have a case number), and tell me where I can find your department's number on your website please. [Edit] I will call you back."
I've never had a bank or other financial institution have a problem with this approach. I don't give myself the opportunity to be fooled, because all of us can be fooled, it's how I respond to every single call from a business.
It should be noted that Caller ID spoofing is possible with pretty basic equipment. It's illegal in most countries but there's nothing technically preventing you from doing it. Which is crazy IMO.
Of course it's illegal! All developed countries have strict rules about how you can use telecoms networks. Of course scam artists don't care about these rules ... It's not hard to find out further information about this. Check with your local telecoms regulator, Google, or even the Wikipedia page!
Fraud tends to be illegal. That’s as far as I’m willing to believe your “of course”.
I do not believe most countries have laws regarding caller ID spoofing.
I know that in my country IMEI spoofing is (Bizarrely!) sort-of prohibited as forgery (as in IDs, documents or “anything of evidential/testimonial(?) value”), but can’t find anything regarding phone numbers.
I know that in the US it’s only illegal to spoof your number for fraudulent purposes.
How is that semantics? Fraud is already illegal literally everywhere, so spoofing your number for fraudulent purposes will obviously be a part of that crime.
If this is intended to defend your original claim, you’re being utterly ridiculous. You made a specific claim about caller id spoofing, not fraud.
For example, If you’re spoofing a random number for telemarketing calls that’s just not fraud.
> If you’re spoofing a random number for telemarketing calls that’s just not fraud.
It absolutely is, and in most civilised countries is illegal.
Like, I can totally believe that in the USA, where any old lunatic can own an automatic weapon and nobody gets concerned until he shoots up a school, that's the case ye
There’s probably some constitutional argument that you can spoof your number based on something ridiculous like free speech
I feel like we’re moving goalposts here and “civilised countries” will sooner than later become “English-speaking countries”, in which case I’m totally willing to concede that you’re probably right.
Very few countries have found it necessary to prohibit CID spoofing.
It's a common feature for PBXes to rewrite their outgoing caller ID on forwarded calls to match the origin caller ID. Say you've got an office desk phone that you have set to forward to your cell phone while you're out. Someone calls your desk phone, it forwards the call to your cell phone, what caller ID should be displayed? Technically the call to your phone is coming through your desk phone (well, your office's PBX), but doing that would mask who is actually calling. So the PBX rewrites its caller ID info to appear as the origin when it calls your cell phone.
This is technically spoofing caller ID, but is clearly not fraud.
That's not spoofing in principle though, is it? This just reinforces my point that it's very easy to do this with ordinary equipment. There aren't really any kind of technical safeguards against this stuff, probably just for the convenience of this kind of stuff.
> The caller called me twice in rapid succession (First ignore the call from a number you do not know. Then they call back again immediately: "maybe this is urgent / important").
With regard to the phone number spoofing: I recently had an actual call from American Express's security department marked by AT&T as "Fraud Risk," presumably because it's been spoofed in the past. It delayed the detection and resolution of the theft of my card number (not by much, but still...). It's criminal that we haven't better secured the Caller ID system.
Same approach, they also pretended to be from the bank calling about an irregular transaction. In this scam, it seems they hijacked her home phone line. She tried to call from her cell phone, then they called back to her home phone and said all communication should be from it, to ensure she was at a different location.
I got a similar call a few months back. They didn't ask for my PIN, but did ask for some other sensitive information. Fortunately I was able to verify afterward that it was legitimate by initiating a call to the bank using the number on their website (in case the original was spoofed), and they confirmed a record of the call in their system. But this was after I'd given them some information.
Phone number spoofing has to stop. There is no excuse anymore.
> When I read the thread now, it's obviously full of red flags. I was successfully manipulated, and whilst I'm certainly not as clever as all the people pointing out they would have caught this from sentence one, I believe I'm also not the lowest hanging fruit in terms of a target :-)
I think it's soo easy to spot scams because 99% of them are so shit, poor spelling, talking nonsense.
If scammers simply spell checked their scams I would fall for them all.
Step one for me when I am giving sensitive information is always "let's end this call and let me call you". I had gotten an e-mail from my bank and I called the number in the e-mail without thinking to look up the support number on my own first. The number was legit and it gave the fraud dept a chuckle, but it very well could've been a fake number.
Calling twice in rapid succession is an emergency feature for Android (possibly other) phones when in Do Not Disturb mode. It bypasses the DND when you call twice like that. Usually, only the numbers on your Starred list can call without getting blocked by DND.
The recipient may believe they had starred the number because of this, making them more likely to pick up the call.
On iOS you can choose whether to allow or block repeated calls, but as far as I can tell it's an all or nothing toggle. If it's enabled, anyone can get through by calling twice.
I never give any information to anyone who calls me, apart from people I already know like friends and family. If they say they are from the bank I apologize and say that I will contact them independently via the number that is on my card.
I don't even confirm my name.
Some banks think I am being difficult, but I stick to this principle regardless.
Once I gave my member number, the attacker used the password reset flow to trigger a text message from the bank.
--> They used this to gain access to the account.
How did they gain access from the "password reset flow"?
How could they tell your last transactions?
This is actually fairly common now, unfortunately. Many reports of Uber drivers being tricked into getting their account hacked using this method to obtain the 2FA pin sent via SMS so they can drain their balance or switch the bank account on file.
Sorry for OT, but I'm Belgian, a software developer, and have a law degree too - can I pick your mind on legal tech in Europe a bit? I can only find your twitter handle, do you have an email address I can reach you on?
Thanks for sharing and sorry it happened to you. Sad to say, but I would be suspicious if any interaction with a bank is going this easy and is this convenient...
If the password reset procedure is over SMS, wouldn't any interception of that token have allowed the attackers to access your account and even initiate outgoing transfers?
A scam phone call seems like a clumsy way of doing it. It also risks alerting the victim to what's going on.
It surprises me that it is legal to conduct banking operations to the general public in this way. In many countries (including all of EU since SCA) that is not the case.
My simple policy is I never give out any information if I'm cold-called. If they claim they're my bank, I say I'll call them back on the number printed on the card, and ask the caller which department I should be put through to. Legitimate callers have never objected to this approach, and it saves me any stress - same policy, no matter the caller, no exceptions, no need for me to try and figure out if I'm being phished.
Good idea - but here in the UK there was a scam where they called you and THEN suggested you call the number on the back of the card.
They then don't hang up, but play a dialling tone down the line until you dial the number. At which time they 'answer'. This only works on home phones, not mobile, but is worth considering, and warning your family/friends about.
I don't think this works any more. My parents always did this when kids did prank calls. Kept the phone open for hours blocking their line. Did not work last time I tested. Uncertain how long you have to wait before next call though.
But if I don't hang up the receiver and the counterparty hangs up, then the line tone is the "busy" one, not the "free" one, and I'm unable to dial anyone until I physically hang up to reset the line. Or at least that's how it works back home. Is it different in the UK? I suppose it's something that less attentive people might fall for anyway.
In the scam in question, you (as the victim) - hang up the line. You then pickup the receiver to call your bank, via the number on your card.
The scammer, when they hear you hangup, plays a dial-tone down the line, so when you pickup the receiver, you have the impression that the line is clean.
You start to dial, they stop the 'dial tone', play a fake calling tone, and then 'answer' the call.
This would be incredibly malicious and difficult to detect even for the most skeptical of users.
Wow, this really is something if done right. I don't use a landline now, but if I remember, the caller needs to disconnect for the line to actually be disconnected. So even if the callee tries to disconnect by hanging up, the caller is still actually connected. If the callee picks up the receiver again and hears a dial tone, they'd be none the wiser. But I guess the scammer would also need to detect a key-press tone on the line and stop the fake dial tone, start the ring tone, etc.
That's not how it works with digital lines. Disconnect on any side breaks the whole circuit presuming they conform to even ancient PDH, much less SONET or SDH. Oh and this includes even more ancient ISDN. The trunk will immediately tear down the DS0 slot and circuit.
GSM and VoIP also do not allow this behavior without engaging call waiting on subscriber side.
This only happens with old fully analog connections. Not sure which country or public operator still has this kind of PSTN.
For the difference, peruse ITU-T G.175 and Q.522 standards. SE (switching element) will disconnect the routing on your side.
It took me a while to find the actual standard number.
Perhaps it worked on Strowger exchanges when the call is local? I definitely remember this being "a thing" back in the 1970s but I don't remember ever succeeding in reproducing it. Obviously there must have been some time out because otherwise you could DoS anyone's phone by just calling them then not hanging up.
In the UK, when exchanges moved to digital, they deliberately kept the old behaviour because some people relied on it (eg, hanging up their main phone, then walking to another room and picking up the call on an extension phone), with a timeout of a few minutes.
In 2014 they reduced the timeout to 10 seconds to make this fraud harder to pull off.
It's such an old story that you'd have thought there would be an explanation online by now of exactly which telephone exchanges had this problem and when those telephone exchanges were in use.
For what it's worth, it didn't work when I tried it, probably in the 1980s. Perhaps it worked in the 1970s in some places?
On POTS lines, the call doesn't drop until the initiator hangs up so even if you put down the phone the connection is still there, pick up the phone again and you resume the same call. I used to use this to move to the upstairs phone to continue a call (back then we had two wired handsets on the same line). The last time I can personally cite it working that way is the late 90s, but I'm sure it has more recently than that, possible even still now for some lines.
I can't test as I've not had a voice capable land-line for some time. It may not work on newer exchange equipment. It won't work if you have a service whereby calls are directed over a digital connection. It has never worked for mobile phone services. It doesn't work on some (most? all?) office PBX arrangements, either.
As well as allowing this sort of scam to operate, the "feature" can also be used as a DoS attack, blocking calls to and from a line for a time.
Mechanically it's more or less unavoidable that call circuits are opened by the caller and can't close until the caller is disconnected with a Strowger exchange (electro-mechanical, pulse dialled). Once they moved to System X (the first digital exchanges, which introduced tone dialling though they can still interpret pulses) it becomes a matter of software engineering in the face of two conflicting considerations
1. Users do not expect the call to drop if for some reason the connection to the recipient momentarily is interrupted - there doesn't seem to be any obvious reason it should be right? Remember users don't understand how any of this actually works.
2. But, when they hang up, which to you as the exchange looks essentially the same as the connection being interrupted, they expected the call to end.
As an extreme example of (1) suppose you have a rotary telephone and idly while talking on a call you put a finger in the dial and dial a '4'. What do you expect to happen? Nothing right? Maybe it makes some click noises, and you apologise to the person at the other end. But those click noises are the same - for a fraction of a second - as hanging up. So if we just naively code the system to drop calls whenever it thinks anybody has hung up, the call drops. You can bet customers will not be happy.
So the providers would pick a plausible delay. OK, let's say after two minutes with the call recipient showing as closed we'll give up and end the call, the caller can always just call back if that's a mistake anyway.
Well this fraud comes into the picture, adding a third consideration to the balancing act. Most UK providers would go in and choose a new smaller timeout. One second seems to cause false positives. How about five seconds?
So there's going to have been a window, and it will vary depending on where you live. System X was definitely not everywhere in the 1980s. It will also depend how you tested. If you tried waiting 5 minutes and the timer was set for 30 seconds then your test seems fine, but a victim who hangs up, counts to five and then tries their bank will get stung.
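The timeout trade-off described in the three points above, as a small simulation added here (it is not code from any comment in the thread). It models one subscriber line on an exchange where the caller controls release, the UK behaviour described earlier in the thread: after the callee goes on-hook the exchange keeps the circuit up for a hold timeout unless the caller releases first. The event timings, the 60 ms rotary pulse and the timeout values are assumptions for illustration, not a description of any particular exchange.

```python
class CalleeLine:
    """One subscriber line on an exchange with caller-controlled release.

    Assumption: after the callee hangs up, the circuit stays up for
    `hold_timeout` seconds unless the caller releases it first. Times are
    floats in seconds passed in by the caller of each method.
    """

    def __init__(self, hold_timeout):
        self.hold_timeout = hold_timeout
        self.circuit_up = False          # caller <-> callee circuit exists
        self.callee_off_hook = False
        self.callee_on_hook_since = None  # when the callee last hung up

    def incoming_call(self, t):
        self.circuit_up = True

    def callee_answers(self, t):
        self.callee_off_hook = True
        self.callee_on_hook_since = None

    def callee_hangs_up(self, t):
        # The exchange only sees "on-hook"; it cannot tell a hang-up from a
        # momentary interruption, so it starts the hold timer instead of
        # tearing the circuit down immediately.
        self.callee_off_hook = False
        self.callee_on_hook_since = t

    def caller_hangs_up(self, t):
        # The caller releasing always tears the circuit down.
        self.circuit_up = False

    def _expire_hold(self, t):
        if (self.circuit_up and not self.callee_off_hook
                and self.callee_on_hook_since is not None
                and t - self.callee_on_hook_since >= self.hold_timeout):
            self.circuit_up = False

    def callee_lifts_receiver(self, t):
        """'resumed' if the old call is still up (whatever the callee hears
        now comes from the caller, e.g. a fake dial tone); 'dial_tone' if
        the exchange gives a fresh line."""
        self._expire_hold(t)
        self.callee_off_hook = True
        self.callee_on_hook_since = None
        return "resumed" if self.circuit_up else "dial_tone"


def callback_scam(hold_timeout, redial_delay, scammer_releases=False):
    """Scammer calls, tells the victim to hang up and ring the bank; the
    victim hangs up at t=60 and lifts the receiver `redial_delay` s later.
    Returns who actually ends up on the line."""
    line = CalleeLine(hold_timeout)
    line.incoming_call(0.0)
    line.callee_answers(2.0)
    line.callee_hangs_up(60.0)
    if scammer_releases:
        line.caller_hangs_up(60.5)
    outcome = line.callee_lifts_receiver(60.0 + redial_delay)
    return "scammer" if outcome == "resumed" else "bank"


def dial_pulse_drops_call(hold_timeout, pulse_seconds=0.06):
    """Consideration (1): a rotary dial pulse is a sub-100 ms on-hook.
    With too small a hold timeout the exchange drops a live call."""
    line = CalleeLine(hold_timeout)
    line.incoming_call(0.0)
    line.callee_answers(2.0)
    line.callee_hangs_up(30.0)                      # start of the pulse
    return line.callee_lifts_receiver(30.0 + pulse_seconds) == "dial_tone"


if __name__ == "__main__":
    for timeout in (120.0, 10.0, 1.0):
        print(f"timeout={timeout:>5}s: redial after 5s -> {callback_scam(timeout, 5.0)}, "
              f"after 15s -> {callback_scam(timeout, 15.0)}, "
              f"pulse drops call: {dial_pulse_drops_call(timeout)}")
```

The interesting output is the middle row: with the 10 second timeout the thread mentions, a victim who hangs up, counts to five and redials is still connected to the scammer, while one who waits fifteen seconds gets a real line; and a timeout short enough to close that window entirely starts dropping calls on a single dial pulse.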
This is probably the best security technique in terms of simplicity vs effectiveness, one that everyone and their grandma can use. I wish there was more effort in educating people to use it.
I even remember a thread here on HN where one three-letter agency authenticated themselves to a user with this method, calling his number and saying, "this is the FBI/NSA/etc., but for you to be sure, please hang up, look up the public number on the website, call, and ask to be put through to $Agent from $Department."
> My simple policy is I never give out any information if I'm cold-called.
That's what I do. When someone calls me and then proceeds to ask me security question to allegedly assert my identity I reply "well, you called me so how do you prove to me who you are first?"
I usually get a "err..." but on one occasion the guy was rather rude and hung up.
The worst thing is that most of the time these calls are genuine. This means that my bank does think it's fine to do that.
My bank did this once - called me out of the blue and started asking for answers to security questions. I asked them how I could be sure it was definitely them and they said to call the number on my card and ask for a particular department, which I did, and it turned out it was indeed genuine.
The fact that they had an immediate answer to the question obviously means that they were asked this question all the time. I wonder how many people happily handed over the info?
It seems that they now just play a recorded message asking to call, and then automatically hang up.
Makes me wonder, what if a bank just started all phone calls like that with: "Hi this is Bank, we need to get in contact with you, for security reasons could you please hang up and call the number on the back of your card?"
I usually receive soft objections to this. They don't even seem to understand the problem most of the time. In fact, they speak rather like I would expect a scammer to: "but we just need to verify who you are, and you will still have to do this if you call the number on your card, so it's easier if I do it now".
Go to the police? Let us know how that works out for you. I did that once, after a highly credible phishing attempt (that, ultimately, I did not fall for). This was in Germany.
Me: Here is what happened to me, I'd like to file a police report.
Police: Well, with these internet scams, the fraudster is usually in another country, meaning we can't really do anything about it.
Me: They used perfect German, used information that I only ever provided into a non-public database of a German-based business that must have had a breach of some sort. The fraudster also used pictures of apartments in Germany that must have been taken here.
Police: Well, still. The person actually doing all of that could have been doing all of that from another country. Usually Russia or China or something.
Me [thinking to myself]: Yeah, Russia, or China, or some country where law enforcement generally presumes, even against all evidence, that any and all cybercrime is happening outside their jurisdiction and therefore not doing any law enforcement at all when it comes to cybercrime. Like what is happening right here right now.
Me: Well, I realize that nobody is going to start an investigation into this specific thing that happened here, but still: Isn't anyone at least compiling a database so that, once patterns become bigger and more apparent, an investigation of sorts may become warranted, etc?
Police: Nope. Nobody doing that. You can file a report. But I can tell you right now that nobody is going to look at it or do anything with it. Also, we kind of have more important things to do, here at the station. I mean: It's your choice. I can't stop you. Just telling you how it is.
But, formally speaking, it actually really is within their responsibility to serve as the first point of contact for the individual citizen (think "retail customer") and put it through to the proper channels within law enforcement.
The Bavarian police (this was in Bavaria) even has a "center for cybercrime" which, according to press releases and stuff, sounds like precisely the office that should take note of things like that. But they don't have any public-facing communication channels of any kind[1], and I'm unclear whether they actually do stuff or whether they exist purely on paper as a public relations and politics stunt.
Maybe if I was politically connected or willing to spend a pile of dough to put a lawyer on it, things would be different, but this was just one man trying to do his civic duty and there's only so much trouble that I'm willing to go to for that.
[1] EDIT: After doing some more research, it looks like, meanwhile they do. This was just announced two months ago, so seems to be a new development.
The police are busier trying to catch victimless crimes than going after scams which have real victims. If you search for "fake dna test online" for example you will find a lot of relevant results even on the first page of Google.
I had the exact opposite experience. The DAs office eventually called me to tell me that they didn't catch the perps but were able to kill the phone-number blocks which they had been using for years because no one ever reported them.
Sometimes cops are just lazy (or assholes). When thieves tried to steal the rain gutter from the apartment building on the other side of the road, the cops told me "don't expect us to rush in with sirens and screeching tyres", even after I told them the thieves were still there, in broad daylight.
Later my landlords told me they lost 50k Euros in the previous year because of stolen rain gutters.
Unfortunately with spoofed numbers it is, from what I've heard, incredibly difficult to track. The carrier that terminated the call to your carrier is likely not the originating carrier (the one that initiated the call) so it could involve subpoenas to many carriers to find the originator, which you then have to subpoena for the customer information.
Yeah, that's kind of what I've expected. However, having the police report often helps when dealing with the bank if there is any real fraudulent activity. It shows them you're serious.
I can understand how people would fall for this one. With 20/20 hindsight, asking for the member number is fishy - it doesn't actually verify anything. And when my bank calls me, it is always automated - I only get a person talking to me if I ask for it through the automated systems. So in a way, any actual person calling would be a red flag. But in the moment, I can see why it sounded legit.
My parents have taken their precautions against phishing to extreme levels. They don't speak into the phone when unknown numbers call. At all. If they choose to answer, they wait for someone on the other end to talk and then decide whether to speak or hang up. They have heard horror stories of people getting their voices recorded and replayed into automated systems, so if someone calls and asks, "Hi, Is this <name>?", they avoid even saying "Yes", and instead ask who is calling. It may be paranoia, but as the saying goes... just because you are paranoid doesn't mean that they are not out to get you.
I wonder if the criminals start to use automated voice systems, especially if those systems prompt and allow you to input numbers/password from the dialpad, how many more people would fall to the scam.
Anecdotally, I think answering and immediately muting calls from unknown numbers is a deterrent to repeated calls. They're almost always robocalls that wait for someone to start talking before launching into their spiel. Without any audio input, they sit and wait exactly 10 seconds before giving up... and my hunch is that they put that number into a "dead" pool and won't try again.
One I almost fell for, was a tab that changed to a Gmail login screen in the background. When I switched to it, I thought I had gotten logged out and entered my password. Luckily 2fa saved me. Did not use a pwd-manager at the time, that also would probably have prompted some red flags when it didn't auto-fill.
Saw this on Twitter this morning. Sounds like they must have engineered it and set things up beforehand because they (a) knew which bank he was with and (b) had everything set up ready to log in when they got his ID number and received the password reset code from his text message.
I guess one thing that could have mitigated this quicker is if the text from the bank had said "Here is the code you requested to reset your online password" instead of a generic "Your authorisation code is..."
Which bank you have is not very secret information. Any payment exposes that information.
It's a very clever scam, but it's also a very insecure bank if this is enough to authorise payment. Get a different bank that uses 2FA, makes it clear what an authorisation code is for, and doesn't call you for this kind of sensitive information.
If they really do need to reach you quickly to stop a fraudulent transaction, a simple "that's not mine" should suffice. They know they're talking to you because they're the ones calling you. If the person making that payment has also stolen your phone (entirely possible) they will not deny they made that transaction, because they want that transaction to stand. That means only confirming it's your transaction in this situation is suspicious, not denying it.
> Which bank you have is not very secret information. Any payment exposes that information.
Still, it means they had to spend some time to prepare for this specific person.
Aside - here in Europe, the account numbers including bank code is pretty much public information. Something like e-mail address. After all, you can only send something in there. To withdraw, you need login credentials.
> After all, you can only send something in there. To withdraw, you need login credentials.
Unfortunately, that's no longer true; with the SEPA Direct Debit system, money can be taken from an account with just the person's name, address, IBAN and BIC (the info required to fill a "SDD mandate"). I think there are some verifications you need to pass to be able to create direct debits, but it still seems like a move in the wrong direction, in my opinion.
All banks I had an account at required verification for any payment order, including the direct debit. Some time ago (before widespread internet banking), you could issue an order that would be verified just against the details you mention _plus your signature_.
I hope it's not possible anymore. At least my current bank lets you authorize direct debit in internet banking app. Anything you do in person requires either logging-in to the internet banking account at the branch or presenting an ID.
As far as I know, to set up a periodic SEPA transfer - at least here in SVK (EU) - you need to do it in person (although more and more banks are starting to allow this through their web/phone app).
E.g. issuing a SEPA for my monthly ISP subscription, I put into the system that 1) from this account 2) this amount of money 3) to this exact account 4) with these additional details/comments/etc...
and if it fails for whatever reason - in my case mostly because once in a while the amount that should be withdrawn for that month is more than the pre-set amount -
- the payment gets withheld at my bank / simply fails;
- the other side contacts me via phone/mail/... that there was a failure (which I can check on my bank account, so "kinda phishing-safe");
The other side is still able to withdraw only that specific amount once in a period (most likely a month), and if anything is amiss, the payment simply fails.
So here's a problem with banking "2FA". It's not clear what the number they send you by SMS is used for.
My Gmail account has 2FA. The token is only used for login. If anyone asks me for it over the phone, there's only one reason.
Banks use 2FA sometimes at login, sometimes over the phone, and sometimes to authorize transactions. That should be made transparent in the message, but it usually isn't.
Imagine: "Your temporary pin for identity verification is 373123, and expires in 5 minutes."
"Your temporary pin to authorize a transfer for an amount ending in $xxx4.23 is 522185 and expires in 5 minutes."
My bank here in Germany does exactly this. The message I get is something along the lines of "Here is your authorization code for transaction number XXX for 5€ to RECIPIENT issued at 14:23: 12345"
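The design the comments above describe, and the one the earlier comment about "new payee addition authorisation code" messages asked for, as an added example that is not any bank's code or code from the thread: each one-time code is issued for one purpose with the transaction details it covers, the SMS text spells out that purpose and the warning copy, and the server only accepts the code for the purpose and details it was issued for. Message wording, the five minute lifetime, the one-outstanding-code-per-user rule and the sample amounts are assumptions made for this example.

```python
import hmac
import secrets
import time
from dataclasses import dataclass

CODE_TTL_SECONDS = 300  # assumption: a code is only valid for five minutes

# Message templates (constructed for this example). Every SMS names the
# purpose of the code, the details it is bound to, and the warning copy.
TEMPLATES = {
    "password_reset": (
        "Code {code} resets your ONLINE BANKING PASSWORD. Bank staff will never "
        "ask you for it. If you did not request this, call the number on your card."
    ),
    "new_payee": (
        "Code {code} authorises ADDING A PAYEE with account ending {last4}. "
        "Bank staff will never ask you for it."
    ),
    "transfer": (
        "Code {code} authorises a PAYMENT of {amount} to account ending {last4}. "
        "Bank staff will never ask you for it."
    ),
}


@dataclass
class PendingCode:
    purpose: str
    context: dict
    code: str
    issued_at: float


class CodeService:
    """Issues one-time codes bound to a purpose and transaction context."""

    def __init__(self, clock=time.time):
        self._clock = clock
        self._pending = {}  # user_id -> PendingCode; one outstanding code per user

    def issue(self, user_id, purpose, **context):
        """Generate a six-digit code for `purpose`; returns (code, sms_text)."""
        if purpose not in TEMPLATES:
            raise ValueError(f"unknown purpose {purpose!r}")
        code = f"{secrets.randbelow(10**6):06d}"
        self._pending[user_id] = PendingCode(purpose, dict(context), code, self._clock())
        return code, TEMPLATES[purpose].format(code=code, **context)

    def verify(self, user_id, purpose, code, **context):
        """Accept the code only for the purpose and context it was issued for,
        only once, and only within its lifetime."""
        pending = self._pending.get(user_id)
        if pending is None:
            return False
        if self._clock() - pending.issued_at > CODE_TTL_SECONDS:
            del self._pending[user_id]
            return False
        # A reset code cannot be presented to authorise a transfer, and a
        # transfer code cannot be presented for a different amount or payee.
        if pending.purpose != purpose or pending.context != dict(context):
            return False
        if not hmac.compare_digest(pending.code, code):
            return False
        del self._pending[user_id]  # single use
        return True


if __name__ == "__main__":
    svc = CodeService()
    code, sms = svc.issue("customer-1", "password_reset")
    print(sms)
    print("reused as transfer code:",
          svc.verify("customer-1", "transfer", code, amount="EUR 250.00", last4="4321"))
    print("used for its own purpose:", svc.verify("customer-1", "password_reset", code))
    code, sms = svc.issue("customer-1", "transfer", amount="EUR 250.00", last4="4321")
    print(sms)
```

Binding the code server-side stops a code obtained for one flow from being replayed into another, but it does nothing against the scam in the thread, where the attacker triggers the reset flow themselves and talks the victim into reading the code out: there, the message text is the only defence, which is why it has to say what the code is for in words the recipient will read pre-coffee.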
This is very scary for the average person. I've taken to simply not answering any questions (not even to confirm my name) if someone calls me. If my bank calls me then I call them back on a number that's on their web site.
> If my bank calls me then I call them back on a number that's on their web site.
I'm always amazed at how stupid the security situation is in these cases. Banks, telecoms services, etc. do actually call up and try to 'take me through security', and when I say "tell me something you know about me first so I know you're who you say you are", the best they can usually manage is "well, uh, you bank with [Bank]". It just perfectly trains us to fall for scams.
I’ve tried getting them to give me a checksum to verify validity. For example, tell me the sum of the last four digits of my card number. They always refuse, so I always hang up and call back. Too bad they don’t understand that giving out a checksum is not insecure.
Well, yeah, if it's not standard operating procedure I'd hope they'd refuse.
Now, it should be supported, but I don't want the folks on the front lines guessing (or figuring out on their own) what sorts of mathematical games are safe. Erring on the side of caution is the right approach for CSRs.
I've read many articles about people who were scammed, and the bank refuses to give them any money back, on the grounds it was the fault of the customer to get scammed.
So given banks have nothing to lose by scams, I suppose that explains why they just don't care about the fact they're training users to ignore them. The bank just does whatever's easiest for it, which in this case is just to call the customer.
I've even had a bank rep get angry at me for refusing to answer their questions on the cold call. I presume it wasn't phishing because when I called back on the legit number they did want to talk to me. It was a long time ago so I forget but I think they were trying to upsell me so maybe thats why he got angry - i.e. no commission for him.
Being on HN I don't think I'm the average person, but I wouldn't rule out falling for this at some point in the future as well. But doubly so for my non-technical parent or partner, I guess.
The easiest way to avoid this entire class of attack is to never be willing to answer any kind of question from someone who calls you. Always hang up, Google the customer support line for the business, then call them.
There was a widespread phishing attack in the UK that used this approach.
On UK landlines the call is not terminated until the person who made the call hangs up. That is to say if I call you, you answered and then hung up, then waited a minute and picked up the phone again, I'd still be there and the connection still made.
Scammers phoned people, told them there is an account issue and to phone the number on the reverse of their credit or debit card. The scammers keep the line open and play a recording of a dial tone to the target phoning back and then go through garnering all the details needed to rinse the accounts.
I believe in response UK phone networks are implementing time limits on one-sided terminations.
My bank does that. They call you and say "we need to talk about some fraudulent transactions, can you please ring the helpline and ask to talk to Dave".
Sadly this is my approach, too. If it's important they can leave a voicemail message and I'll call back at my convenience.
I always thought the expectation of interrupting whatever you're doing at a few seconds notice was incredibly rude anyway, even more so now we have so many other ways of communicating.
Yeah but people expect when calling a business to be put on hold for 20 minutes and be dicked around on a phone tree. They don't want to deal with that.
We should have learned this one a long time ago from email. If something comes through from a service which may require action, then go directly to the service and stop interacting with the email.
Phones seem just as dangerous these days. I don't answer them at all. Anyone who really needs to get in touch knows multiple services that will get through to me.
How easy would it be for an attacker to (at least temporarily) outrank the bank in SEO so that when people google the bank's number they find the top result being the attacker's number?
Or have your regular representative call you; an attacker may guess their name and hope you won't be able to recognize their voice, but it adds a level of complexity.
A Rover scammer called my wife yesterday. She felt pretty quickly that it was a scam.
I tried to call the number back from my phone (it was seemingly a regular local phone number in the LA area and I love fucking with scammers) and an automated response told me that “no Rover account could be found for my number, please visit Rover.com/help for more” which I thought was very sophisticated of them to really try and prove authenticity.
So then we called it back, from her phone, and it connected right away. The person on the other end said, “Ashley?” and I responded (in my non-female voice, not that there aren’t many men named Ashley) “yes, hello, how are you?” - they hung up immediately.
Ultimately my wife called Rover via their 1-800 number and it was indeed a scam. People try to ascertain your login creds to redirect funds. Basic stuff... but I was impressed at whatever basic Twilio system was built to try and mask the scamminess with that automated message.
The most surprising part is that they were able to gain access to your account using just the code texted to you. It's called second factor for a reason. The bank should still have sent you a password reset email.
My bank doesn't even allow password resets like that.
If you forget, you can request a new one, but that goes just like the initial setup: you get 2 separate documents by post, one with a new password, and one with a new activation code.
Reading this thread reminds me of when I was subject to a social engineering attack by people who claimed to be the FBI. The voice messages they left sounded unconvincing so I ignored them on the basis the real FBI would have better ways to contact me.
Couple days later two FBI agents show up in my driveway asking why I didn't respond to their voicemail...
Interestingly the most... clever, if not necessarily convincing, phishing attempt I've heard of, went like this:
1. Phishers call someone and pretend to be from their bank. If they've guessed the right bank and the person gives away their details, they win!
2. If they don't, and question the phishers' authenticity, the scammers say "sure, just call us on the number on the back of your card".
3. The cardholder hangs up, and then dials the number for their bank, which they know and trust, because they've called it before or it's come from their card.
4. They get connected to a service representative, answer security questions, confirm that the transactions are valid, and then can relax.
5. A few days later, they get a call from their bank saying there's a whole lot of fraud on the account.
The trick to this one is that the phishers (a) call the cardholder on a landline and (b) when the cardholder thinks they've hung up, they haven't - the phishers just play a hook tone and then a dial tone.
In Australia at least (not sure about elsewhere?) if you call a landline number, the caller must end the call, or at least it used to be that way (I haven't owned a landline phone for a _long_ time). There's probably also a significant skew towards the elderly in landline owners, and in susceptibility to scam calls.
I don't understand why there are still banks that do SMS verification. It has been proven so many times now that it is vulnerable to both phishing (proven here), SIM swapping attacks, etc.
The banks here in the Netherlands all have (well, except for one maybe) hardware authentication devices. They are portable smartcard readers: you insert your card, enter your PIN on the device itself (not your computer or phone) and transfer a digest from your PC to the reader by typing or scanning a QR code (some readers have a little camera). You then type the signature into your computer or phone.
The readers for my bank even have a screen, that tells you what you are signing, like a login, or transfer of which amount to which bank account. Photo here [0].
The banks are very clear that they will never ask you to use the device over the phone. And that double confirmation by showing the sign action on the screen of the reader makes any form of phishing really hard.
IMO these smart card readers are the best compromise between convenience and security for banking.
In my bank (Poland here) they have a mobile app which receives push notifications instead of SMS messages. The notification also contains the reason for the code. So in OP's case it would say "Code for resetting your account password", which would probably trigger a red flag sooner.
IMO smart card readers are the worst solution for everything. They are invariably less capable and less secure than my phone. Why would I carry 2 devices (one of these quite primitive) if I could only carry one?
All the ones I've seen have no security, either it's just a changing password (e.g. RSA key), or you input your card (optionally entering your PIN which you share with every POS terminal / shop) and get a password.
My phone requires a password (which I can set to be arbitrarily secure, not 4-digit PIN (LOL)) or a fingerprint (which is something no one can steal, unlike a credit card... or at least I'd notice it's missing much sooner!)
As I expected: you don't appear to have a clue on what a smartcard actually is.
> My phone requires a password (which I can set to be arbitrarily secure, not 4-digit PIN (LOL)) or a fingerprint (which is something no one can steal, unlike a credit card... or at least I'd notice it's missing much sooner!)
Anyone can steal your fingerprint, and you can't reset your fingerprint like you can with a password or PIN.
A smartcard will self-destruct (wipe the key material) after a number of unsuccessful PIN entries, so the chance of someone successfully guessing the PIN is ~1:3333 for a 4-digit PIN with 3 attempts.
This is good enough for banks to offer fraud insurance, in the off-chance that your card gets cracked your bank will reimburse the damage.
> optionally entering your PIN which you share with every POS terminal / shop) and get a password.
Yes, but that would still require physical access to your card. So they'll need to have both your card and your PIN. At that point you'll need to have your card/account blocked ASAP anyway. Your bank will supply you with a new card and PIN, which is a way better solution compared to cutting off your fingers and attaching new ones ;-)
RSA SecurID is not a smartcard. It's basically equivalent to TOTP except as a physical object rather than a phone app. There's a secret baked into the SecurID and the issuer knows that secret so they can use it to generate the same one time code.
You seem to imagine that your phone, on which you run most likely not only a wild variety of apps from potentially untrustworthy sources, but also a web browser, which is a huge attack surface facing the Internet, is more secure than a simple smart card and that doesn't make a whole lot of sense.
In both cases the main real world security is that bad guys will probably need to _steal them_ which is difficult and a completely different skillset from the skills to make phishing emails or lie on the phone. But the phone is a bit worse here because maybe they can attack that remotely via, as I mentioned, your web browser, instant messaging stack or other components of a very complicated device.
I keep getting astonished by how bad online banking security is in the UK and US.
Here in Scandinavia, we've had hardware tokens (or phone apps) to offer 2FA for ages. And you need a new token for every transaction. In addition to the password for logging in. When you reset your password, you get an email and an SMS saying that your password was reset.
Last time I needed a new token issuer dongle, I had to actually visit the bank and sign stuff.
My UK bank had a hardware token for years. They recently "upgraded" my security for online banking, and now use SMS 2FA codes for login and authorising new transfers. The hardware token is now unusable.
I'd change banks, but I doubt the others are better.
HSBC did this to me as well. The battery had died in my old token so I had to jump through so many hoops as the default assumption seemed to be that the customer would have a working token to set up the 2FA.
To send money over £250, RBS still use hardware card readers for their MFA flow. You put your debit/credit card in the device, enter your normal PIN and then a code that is displayed on the website. It's a little inconvenient if you don't have the device with you when you need to send large amounts of money but in general it's great to have rather than SMS.
Of course, I expect that eventually they'll move to SMS too since it's easier for them and more in line with the rest of the industry.
Under the new EU rules 2FA over SMS is not allowed because it is possible to transfer phone numbers to other devices (through social engineering or simply because providers reuse old numbers) and thereby intercept the code. Instead most banks use an authentication app so that 2FA is bound to a single device.
They are better. One of my banks offers a hardware token which requires my card to be physically present and for a correct PIN to be entered. The other has an app with push notifications which can be used to approve or deny transactions.
Aye, that's what they used to use. Great News! Now I don't have to remember to have my card reader and I can use app, SMS or email to get codes instead. Err WTF? Apparently these changes help protect my accounts from fraud better, or some similar Orwellian doublespeak.
I did wonder if it was some unintended consequence of the EU banking interop changes, but that didn't seem especially convincing. OK, changing bank it is then. At least it's so much easier than it used to be. :)
I hate hardware tokens. Recently got one from my bank. I'm switching banks. I just don't see any advantage over a phone app (plus a phone app can offer better notifications).
Yes, but then it's not 2FA, it's notifications in the app you're probably using for banking, so now it's 1FA.
That's fine for sending £100 to an account already in your list of payees, but to set up a new account, where's the second factor in an app? That, to me, seems a large step backwards.
Well, you need (1) my phone and (2) my fingerprint, so technically it is 2FA. They could easily require (1) my password and (2) my phone, so still 2FA.
2FA is usually fake anyways, there's usually a way to reset stuff with only one factor (e.g. use phone number to reset password, or login with password and change phone number, ... same with PIN), so it's all a misnomer anyways.
> Last time I needed a new token issuer dongle, I had to actually visit the bank and sign stuff.
I'm glad UK banks try to avoid physical dongles because having to go to the bank and sign stuff to get one is not always convenient, not to mention you need to carry around the dongle everywhere, and if you lose it while you're on vacation it's yet more trouble.
Phone 2FA would be good but a bit pointless because the 2FA app is on the phone, and so is the banking app. Personally I'm satisfied with the way UK banks handle security - it's secure, they block suspicious transactions, etc. yet it doesn't get too much in your way.
I don't think UK banks are less competent, it's just a fine balance between usability and security.
> Phone 2FA would be good but a bit pointless because the 2FA app is on the phone, and so is the banking app.
This is exactly like having a physical token with you. If it gets stolen, they have the tokens.
But, at least, having the token in the phone app is way more convenient for customers and also has another layer of protection (think of the fingerprint/passcode etc. you need to access your phone).
I don't think having 2FA in a phone app is pointless. It's still a second factor, if someone got into your bank account. They need to get access to that 2FA app as well. And of course you protect that app with a password/PIN. Do you know of cases when a 2FA app was defeated when someone stole money from a bank account?
What I mean is that if a user has access to my bank mobile app on my phone, they also have access to the Google Authenticator app. With Lloyds, the app is locked by finger print or password which in this particular scenario is actually more secure.
This is so true. My wife (US) just needs user+pwd to access her bank. Me (Italy), I've had physical tokens or at least SMS 2FA for years.
Also the EU is now going through a major security upgrade for banks with SCA (Strong Customer Authentication).
As a child in Sweden in the late 90s and early 2000s I recall that my dad had a hardware token to access his bank account. Though nowadays people in Sweden use BankID for the most part which is 2FA in the form of a mobile app. BankID is also used to login to most government websites in Sweden which is nice.
Meanwhile, banking security in the US is stuck in the Stone Age. Last I checked Wells Fargo, one of the largest US banks, still does not allow passwords greater than 14 characters in length and passwords are not case sensitive.
In the Netherlands we used to have dongles or card-readers for all online banking but we are now downgrading to apps, 5-digit number codes and 2FA without an external device. This is all for ease of use but I think from a security standpoint it's not the right direction to go. For instance, in an app you can't view the certificate and whether or not the connection is secure. If you are in a foreign country with dubious leadership it could be hijacked using a rogue SIM-card or some dictator driven root CA (looking at you Kazakhstan).
The worst offender is ING, you can set a payment limit in the app but then you can also change the payment limit in the app itself. If I take a nap on the train, you can drain my bank account by pressing my thumb on the reader.
Unfortunately BankID has been scammed a lot, where fraudsters have simply asked people on the phone to sign BankID stuff for them.
It is far from perfect and in fact the scam here would be possible to do with BankID as well.
Not as easily. As I understand it, with Mobile BankID, the attacker goes to the bank web site and then asks the victim to authenticate with their BankID app.
With the real BankID, the computer accessing the bank web site needs access to the smart card. Exploitation is still possible of course, but the bar seems higher.
This is the same system I'm talking about.
You can use your smartphone and a PIN, or you can get a hardware dongle. Same authentication API from the bank's POV.
It sounded sketchy from the moment they asked for a pin code that they sent to your phone. It's easier to talk from the outside, but that should always be a red flag. What exactly would they be confirming by sending a PIN to the same number they were already contacting?
But that's a great heads up. Phishing is not just about obviously fake e-mails to hotmail accounts.
There's so many outside circumstances that might even make a technically adept person like the original poster fall for this: bad day at work, fight with the girlfriend, getting called in traffic, having loud kids playing at home, not feeling well, etc.
Like you said, spam and phishing used to be obviously bad but I'm afraid I'm going to fall for it some day now.
Banks have such shitty security over the phone and they train us to do stupid stuff like giving out personal info when they call.
For example, your real bank in the U.K. asks for your date of birth and address for ‘data protection purposes’ when they call you, or they won’t even tell you what the call is about.
How are people supposed to understand what is OK to give out and what isn’t when these details, often used as security questions are somehow fine?
> Me: <gives member number> (that number, by itself, is useless).
and
> Once I gave my member number, the attacker used the password reset flow to trigger a text message from the bank.
> They used this to gain access to the account.
What happened here? How does an exposed useless member number trigger a password reset? Would the reset request not have come to an email account, presumably a well-protected one?
I might be wrong, but I think the fraudster used the member number (which is basically the online banking login username) to perform a password reset on the bank's website. The website sends a confirmation code via SMS, which would be used for 2 factor auth to reset the password.
But I also don't understand is: did OP give this number to the fraudster? And even if they did, I would assume the bank would send a second SMS to confirm the password reset. I don't know how it went from "useless" member number to access to the account so quickly. Maybe I'm completely wrong
Yes, OP gave this number to the fraudster, not realizing it was a password reset authorization code. OP thought it was a code that established that the person they were speaking with was a legitimate representative of the bank, since they had the power to generate a code that came from the bank.
I think it's interesting to see how hard we've worked on making the web secure by adding all sorts of checks and protocols, but we've neglected to do the same with basic telecoms.
When I first started using web based communication platforms like Twitter and Nexmo I was really surprised to learn that I could put anything in the from field when sending a text message. All I could think was that it was a weakness that was ripe for abuse.
I believe there was a case in Germany a few years back where a group of phishers had online banking login details for several hundred users but couldn't initiate transfers without entering a PIN sent to the account holder's phone via SMS. So the phishers set up a fake telephone company so that they could issue SS7 commands and have the account holders' phones temporarily redirected to another number where the PIN could be intercepted.
I think there is a false assumption amongst many people that the telephone system is inherently secure. Stuff like the above and all the robo calls coming from false numbers should warn otherwise.
In practice (here in Italy) you have a client number (secret), a password/PIN (also secret) AND either an SMS to your mobile with a one time code or a smartphone app (yikes!); there used to be hardware tokens generating one time authorization codes that have now been retired.
Also, when you're wiring money to someone, my bank is now requesting to input certain digits of the amount and destination account into the app. Those digits are then factored into the 2FA algorithm. I am not sure if this adds substantially to the security though.
The idea is, it defeats attacks not so different from the one the Tweet is about, where you are misled about what will happen when you take an action.
If you only need "a code" whether it's to send $40 to a close friend or your entire account balance to an account you've never heard of that was created yesterday in a foreign country - then the scammers only have to trick you into trying to do the former, even though what they want to achieve is the latter, so that you'll give them a code which is what they need.
The bank can do a good or bad job of communicating what's going on and actually preventing the fraud, depending on whether the understanding of what they're trying to achieve was pushed down all the way from regulators to the engineers building the system.
The best systems here don't give you (and thus the attackers manipulating you) a lot of opportunity to manipulate things, but they do present you with information that should be raising red flags if you're being tricked. For example if the app says "Enter the six digits shown on the web page" and you just mindlessly copy those digits, an ordinary customer may not know why it's those six digits, bad guys with a fake web page can tell them to put whatever they want. Whereas if the _app_ says "Enter the whole dollar amount to send" then bad guys may struggle to explain why they want you to type 5839, your entire account balance, when you wanted to send $40 to the supposed friend in need and your suspicions might be raised enough for the scam to fail.
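As an added illustration of the transaction-binding idea in the comment above (this is constructed example code, not any commenter's or bank's system; the secret, account identifiers and amounts are made up), the following compares a code that only proves "you hold the device" with one whose MAC input includes the amount and destination the customer actually typed:

```python
"""Constructed example: transaction-bound one-time codes.

A code derived only from a shared secret and a counter authorizes *any*
pending action, so a victim can be talked into reading it out for "the $40
to your friend" while the attacker submits it for a much larger transfer.
Binding amount and destination into the MAC input means the customer's
device can only produce a code for what the customer actually typed in.
"""
import hashlib
import hmac
from dataclasses import dataclass
from typing import Dict, Optional


@dataclass(frozen=True)
class Transfer:
    amount_cents: int
    destination: str  # destination account identifier (sample values below are constructed)


def _truncate(mac: bytes, digits: int = 6) -> str:
    # Dynamic truncation in the style of HOTP (RFC 4226) to get a short numeric code.
    offset = mac[-1] & 0x0F
    value = int.from_bytes(mac[offset:offset + 4], "big") & 0x7FFFFFFF
    return f"{value % 10 ** digits:0{digits}d}"


def unbound_code(secret: bytes, counter: int) -> str:
    """Weak scheme: the code depends only on the secret and a counter."""
    return _truncate(hmac.new(secret, counter.to_bytes(8, "big"), hashlib.sha256).digest())


def bound_code(secret: bytes, counter: int, transfer: Transfer) -> str:
    """Stronger scheme: amount and destination are part of the MAC input."""
    msg = f"{counter}|{transfer.amount_cents}|{transfer.destination}".encode()
    return _truncate(hmac.new(secret, msg, hashlib.sha256).digest())


class Bank:
    """Server side: issues one counter per pending transfer and verifies the code."""

    def __init__(self, secret: bytes, bind_to_transaction: bool):
        self._secret = secret
        self._bind = bind_to_transaction
        self._counter = 0
        self._pending: Dict[int, Transfer] = {}  # counter -> transfer awaiting approval

    def start_transfer(self, transfer: Transfer) -> int:
        self._counter += 1
        self._pending[self._counter] = transfer
        return self._counter

    def confirm(self, counter: int, code: str) -> bool:
        transfer = self._pending.pop(counter, None)
        if transfer is None:
            return False  # unknown or already-used challenge
        if self._bind:
            expected = bound_code(self._secret, counter, transfer)
        else:
            expected = unbound_code(self._secret, counter)
        return hmac.compare_digest(expected, code)


def customer_device(secret: bytes, counter: int, typed: Optional[Transfer]) -> str:
    """The customer's reader or app. With binding, the customer types the amount and
    destination they believe they are approving and the device signs exactly that."""
    if typed is None:
        return unbound_code(secret, counter)
    return bound_code(secret, counter, typed)


SECRET = b"constructed-demo-secret-not-real"
FRIEND = Transfer(4_000, "XX00FRIEND0000000001")      # what the victim thinks they approve
ATTACKER = Transfer(583_900, "XX00MULE000000000099")  # what was actually queued


def simulate_scam(bind_to_transaction: bool) -> bool:
    """Return True if the attacker's queued transfer is authorized."""
    bank = Bank(SECRET, bind_to_transaction)
    counter = bank.start_transfer(ATTACKER)  # queued using the victim's stolen login
    # On the phone: "approve the $40 to your friend and read me the code".
    code = customer_device(SECRET, counter, FRIEND if bind_to_transaction else None)
    return bank.confirm(counter, code)


def honest_transfer(bind_to_transaction: bool) -> bool:
    """A legitimate transfer still goes through under either scheme."""
    bank = Bank(SECRET, bind_to_transaction)
    counter = bank.start_transfer(FRIEND)
    code = customer_device(SECRET, counter, FRIEND if bind_to_transaction else None)
    return bank.confirm(counter, code)


if __name__ == "__main__":
    print("unbound code, scam authorized:", simulate_scam(False))   # True
    print("bound code, scam authorized:  ", simulate_scam(True))    # False
    print("bound code, honest transfer:  ", honest_transfer(True))  # True
```

With binding, the only way for the caller to obtain a usable code is to ask the customer to type the real amount and destination into the device, which is exactly the red flag the comment describes.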
Seems to me the bank should take more care for resetting a user's internet banking password. For example as far as I know, all banks in the UK need you to call them up and answer a couple of verification questions before resetting any login details.
Quick question: What would an attacker gain from getting into your bank account?
From mine (French big bank), they could be annoying (asking the bank to close accounts, ordering new checkbooks, getting all kind of information on past transactions, wire money between my accounts), but I can't see how one would effectively leverage that.
I mean, an attacker's goal would be to draw money in some way; all money wirings to external bank accounts are protected by a code (SMS or in-app verification), with a 24h delay between the time one enters a destination account and the actual wiring.
Is that any different with other banks? Is an attacker able to effectively draw money as soon as they get access to the account?
I'm not sure why you've been downvoted for this - it's a perfectly legitimate question.
I'm in the UK and have a personal account with HSBC and a business account with Lloyds. In both cases I need to generate a code to set up a new recipient - using the app (HSBC) or a physical card reader (Lloyds). I also get an SMS in both cases asking me to contact them if I didn't submit the request. So anyone gaining access to my accounts wouldn't be able to transfer money out.
I suppose they could do other things - contact the bank's support staff using their realtime chat thing maybe and social engineer something that way? Perhaps they don't ask for further confirmation in that case but I haven't checked.
My wife had the same thing happen to her but luckily our bank clearly says that this is a password reset pin code (don't share with anyone) type of message along with the pin code in the SMS. So, my wife refused to give it to the person on the phone.
A better SMS password reset flow would be to first send a text asking "A password reset has been initiated. Was this you? Reply: YES or NO". Then after a YES confirmation they send the reset code along with the same big "Don't share with anyone on the phone" message.
This is partly an issue with phone calls as a medium. If the bank only contacted you through the app, this couldn't happen unless the app itself was compromised somehow.
E.g., the Monzo app has a chat functionality built in. If, upon a fraud attempt, a notification appeared in the Monzo app, it would certainly be legitimate.
If the ease of conversation offered by chatting with voice is necessary, add a link in the chat that has the user call the bank, not the other way around.
You can't easily verify that someone is who they say they are over the phone.
That PIN should not even be readable information. It's a password. It should be salted and hashed. It should be useless for any kind of over-the-phone confirmation of your identity.
Something nearly exactly the same happened to me. It was through my Venmo account. I was stressed at the end of a long day and they got pretty far before I realized what happened. The key thing is that the number listed on Caller ID on my Android phone came from "Venmo" and matched their customer service number so I completely let my guard down. Embarrassing.
In Russia when a bank sends a code via SMS, there usually is a comment like "don't tell this code to anyone, even to bank employees".
I have read about similar type of fraud. The scammers say that they are from the bank and they saw suspicious transaction and want to verify whether it was you, and try to get your card information and code from SMS.
- when you answer the call, stay completely silent: some systems will automatically hang up after a few seconds
- I never say the word "Yes" if I don't know the caller, so that they can't record it and use it in some scam contracts. Yes, vocal consent is a thing in some countries.
"Never answer your phone. Seriously. Only use it to make outbound calls. You cannot trust caller ID, and you should never answer unscheduled inbound calls."
Makes sense. Phone calls as they are can no longer be used for security verification. Just can't.
A few bits about me: Wells Fargo is the bank I use, I post things on Craigslist and list my phone number, and T-Mobile is my mobile phone provider.
I almost always get text messages from numbers trying to scam me into receiving their check or giving them my G-Voice verification code.
I looked into the phone numbers that contacted me and it's difficult to find exactly who is trying to reach me.
A few things I learned:
- Apparently phone number spoofing has legitimate use cases so it is a "feature" that is doable. I was asking different companies and they said for example: checking for domestic violence or checking on someone if they have a second spouse somehow.
- It is difficult to look up online who the caller is and which mobile provider they use.
- Some private companies have an internal database that contains the information. I asked one company and they told me what was the provider of the phone number.
- Spoofing makes it difficult to know where the actual call is coming from. Someone can use my mom's number to call me. It might be difficult for my phone provider to inspect the call further than what I would see on my phone already.
What I'd like:
- For T-Mobile not to forward to me calls that are known to be from fraudulent callers or thought to be from fraudulent callers.
- Know if T-Mobile can provide me with information on where the call is coming from.
- After I identify what company XYZ issued the phone number, or what company provided the telephone service to the fraudsters, ask them more information on the caller.
- Ask such company XYZ to stop routing these calls to me.
- Create a resource such that whenever there is a scam call coming in, we could send the number to such a resource, and discover what company BCD issued them a phone number and routed their call. I believe that once this company BCD knows about their fraudulent customers, it is supposed to not do business with them.
Hopefully with such steps, the situation should clear up over time.
This happened to my wife a few months ago. I heard her part of the conversation. We thought something was wrong. I logged in to my bank account and watched the money drain out of our joint account. My wife couldn't log in to her account (the phisher changed the password) but they drained all her accounts. I called our bank within the hour. They were very reasonable with resolving the issue and returning our money. The phisher was attempting to purchase gift cards from a Walmart 500 miles away. It was easy to prove to the bank that we were scammed. I hope others are just as lucky and can report it in time.
ninja edit: we called and froze our credit immediately
Nit-pick: Phishing is sending out e-mails and hoping someone responds with private info. Vishing is phishing via voicemail. Calling someone up and using an elaborate set of mental tricks to gain unauthorized access is social engineering.
And as always: The best defense is minimizing data other people have about you. None of my banks needs my phone number, so none of my banks has my phone number, so if someone called and claimed they were my bank, that would obviously be bullshit.
It's not just the obvious "people can't abuse or lose data they don't have" why keeping your info to yourself protects you against abuse.
Well, many require that you fill the phone number field, but just entering zeros does the job. If anyone (not just banks) does extended validation, I enter some syntactically valid but unallocatable number, that has always done the job so far.
Unfortunately it seems we went from one ineffective solution, knowledge of a social security number and some useless ‘security questions’, to the next ineffective solution.
Even if you don’t fall for this trick SMS is not secure and most providers don’t even bat an eye if a fraudster walks into one of their stores and requests a SIM registered to your phone number.
Unrelated question: I went to my bank for a wire transfer. And I was horrified to find out that after verifying my info, they had full access to the same web interface I use, with my accounts. They even showed it to me, asking me which account I'd like the money to go out from. Is it common for banks to grant this kind of access to employees?
In France at least you need to keep the member number a secret from everybody. Since banks here are lazy bums with security they only ever implement the minimum recommended security. According to French data protection services this is 5 digits!!! when the 'username' is secret.
It's even worse in Russia - fake caller ID makes you think you are talking with the bank, mobile phone operators don't seem to be doing much, or at least didn't a couple of months ago.
That said, all the banks I used send you along with the confirmation code a description of what you are actually confirming.
This is really an SS7 issue not a Russia issue, spoofing outbound caller ID in the USA/Canada is also trivially easy using any major SIP trunking provider.
Number 1 rule of banking and other services, they NEVER ask for your password or other authentication code. Usually I don't even think they would contact you by email or by phone.
If they really suspect a fraud, they would block your account, and eventually ask for a meeting.
No US bank will ever ask for a password/PIN so I'm not sure why this is any more credible than any other attempt. It is just a little longer getting to the point.
Scammers have been triggering password resets and 2-factor to seem legit for as long as it has existed.
I got hit by the exact same type of attack about two months ago, except it was against my Verizon Wireless account. I was surprised at how convincing they were - I'm a former intelligence guy and I almost fell for it, lol.
I saw a variant of this where they used a very similar script but the text came from Apple. They were attempting to add the card to Apple Pay so they could easily use my stolen card number in physical stores.
I don’t understand why banks don’t add the reason for the text in the text itself.
This could have been detected earlier if the text said “Here’s the code for the password reset you asked for: ______”
This trick is pretty old. In Russia people receive such calls so often that they get used to ignoring them. Most calls are from prisons - prisoners have a chance to make a decent amount of money this way.
The simple measure against any such attacks - whether online, on the phone, or in person - is to end the communication and then contact the bank yourself in the way you would do it normally.
Mobile apps from banks have eliminated my phone communications. I get real-time notifications for every transaction and can report anything myself through the app. No more risk of scams like these.
This is really an asymmetric authentication problem. The bank has ways of authenticating that it’s you talking, but do you have ways of authenticating that it’s really the bank?
I don't understand how step 4 was achieved. How did they get a list of recent transactions? Or does the password reset functionality ask you to verify certain transactions?
Sorry, I still don't see how the attacker would have seen the information necessary to do that, unless the victim's answers to questions over the phone enabled that.
Be careful with trust if you call them back. There are possible ways to trick you into either staying on line, or just taking over your connection. GSM has pretty shitty security.
The "staying on the line trick" is just fear mongering. On any digital phone line (including landlines, which are just SIP with a SIP-to-analog converter) the call is disconnected (as in a call clearing message is sent by the phone or converter) as soon as you hang up (which will make it all the way to the scammer's phone and disconnect the call on his end too). Re-initiating a call after this would involve a call setup message, followed by a ringtone, and you'd have to explicitly pick up the phone for it to be reconnected. There's just no way for this to happen on modern phone infrastructures.
Something quite similar happened to a relative of mine this summer in France. A scammer impersonating bank support. He called Friday 16h30 mid holidays. He proposed to help reduce fees by disabling unneeded options, while in fact he was triggering a text verification code. The text doesn't specify the reason for the request.
He got in. Then did a few other useless operations during 15 minutes that required email confirmation, which states what they are requiring it for. Those had mainly two purposes: help lower the guard and provide cover for the initial false requests. He kept smooth talking, explaining that because of the various changes they should expect the bank app not to be available and that everything was normal. Then he went for the option which allows activating instantaneous bank transfers, which required both email and phone verification codes.
My relative was about to read it to them, when his wife, smelling something fishy was happening, put me with him on the phone. He was so convinced that everything was normal that I almost couldn't convince him to hang up. What did the trick was telling him: "hang up and call back the bank before continuing".
My relative thought he was safe because he never gave the password of the bank app, nor the web password. But for our bank, this 4-digit PIN password you put in the phone app is not a real password; it is just a per-device off-line password you pick upon first device use to disallow someone stealing your phone from having access to your bank account too easily.
After he hung up and I succeeded in talking some sense into him, I convinced him to call his bank. It was past 17h00, so it was closed. I told him to call emergency security, which he did. But the number is typically used for lost credit cards; so they did the only thing that they usually do: revoke the credit card and send a new one. Which is basically useless because the scammer wasn't about to use the credit card number to buy something online, but he was initiating some wire transfer via the app.
So I had him call again a few times, re-explaining the problem more precisely, or at least telling them to block wire transfers for the account. Maybe it succeeded in raising some red flags, but they always told him that they couldn't do anything and that he needed to wait till Monday. From their point of view, you can be the impersonator, so they didn't tell us they did anything.
He also sent an email to the local bank manager during the night.
A stressful weekend locked out of all bank account information goes by. The bank app is kind of deceitful because sometimes when it doesn't succeed in connecting it shows you the last available data like it would in off-line mode, and you think you are connected OK but you are not.
Monday they could reach the bank, have the hack acknowledged and investigated; access to accounts restored and password changed; no harm done (except for the inconvenience of not having a credit card during the holiday, and info leaked); luck.
Switch to a better bank. The only way you can make change happen is by using your consumer power.
Switching accounts is easy - see https://www.currentaccountswitch.co.uk/ - all your bills are autoswitched, your pay cheque gets redirected, and it happens pretty quickly.
I recently switched current accounts and it's ridiculous just how effortless it is these days. Definitely recommended for anyone who is in the least bit unhappy with their current provider.
Tldr is: they call him posing as a fraud prevention team, "we are sending you a pin to confirm it's you", they trigger the password reset flow which sent him a pin, he reads out the pin, they get into the account and read some recent transactions, but needed another pin to transfer money, he wises up.
Mitigation: password reset pins should say "this is your password reset pin".
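As an added example (not code from anyone in this thread), here is a Python sketch of the mitigation suggested above and in the earlier "add the reason for the text" comment: one-time codes that are bound to a stated purpose, with that purpose written into the SMS itself, so a code issued for a password reset is useless for approving a transfer. Account ids, purpose names and the message wording are constructed.

```python
import hmac
import secrets
import time

# Human-readable purpose text that goes into the SMS itself, so a code
# issued for one action can't be passed off as "just confirming it's you".
PURPOSE_TEXT = {
    "password_reset": "reset your online banking password",
    "wire_transfer": "approve an outgoing wire transfer",
}


class OtpService:
    """Issues one-time codes bound to an account AND a purpose (constructed demo)."""

    def __init__(self, ttl_seconds=300, max_attempts=3, now=time.time):
        # (account, purpose) -> [code, expires_at, attempts_left]
        self._pending = {}
        self._ttl = ttl_seconds
        self._max_attempts = max_attempts
        self._now = now  # injectable clock so expiry is testable offline

    def issue(self, account, purpose):
        """Create a code for this (account, purpose) and the SMS text to send."""
        code = f"{secrets.randbelow(10**6):06d}"
        self._pending[(account, purpose)] = [code, self._now() + self._ttl, self._max_attempts]
        message = (
            f"Your code to {PURPOSE_TEXT[purpose]} is {code}. "
            "Our staff will never phone you and ask for this code. "
            "If you did not request this, do not share it and call the number on your card."
        )
        return code, message

    def verify(self, account, purpose, code):
        """True only if `code` is the live code issued for exactly this purpose."""
        key = (account, purpose)
        entry = self._pending.get(key)
        if entry is None:
            return False  # nothing issued for this account/purpose pair
        expected, expires_at, _ = entry
        if self._now() > expires_at:
            del self._pending[key]  # expired codes are discarded, never accepted
            return False
        ok = hmac.compare_digest(expected, code)  # constant-time comparison
        if ok:
            del self._pending[key]  # single use
        else:
            entry[2] -= 1
            if entry[2] <= 0:
                del self._pending[key]  # too many guesses: force a fresh issue
        return ok
```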
If I try to reset my password, my bank screams at me in every possible way, including the pope calling himself and asking if that's legit. Actually there is a 50% chance I'll lock myself out of the account when doing this, because I misstep at some point. Seriously, what year is this?