
Would You Have Fallen for This Phone Scam? - todsacerdoti
https://krebsonsecurity.com/2020/04/would-you-have-fallen-for-this-phone-scam/
======
cmdshiftf4
Unless it's friends/family calling, of which most calls are likely Facetime or
Whatsapp video these days, I don't bother answering and let it go to voicemail
and I'd never call back purely based on a number given in a voicemail.

Virtually all call traffic I receive that doesn't fit the above is outright
scam attempts, fake IRS / CRA threats, bizarre calls in Mandarin or Cantonese
or post-sales "check-ins" to see if I want to spend more money with a service
I've already paid for.

So it's unlikely I'd personally fall for this, simply due to a lack of
opportunity for the would-be scammers.

That said, with the level of sophistication they're employing I could very
easily see how people get trapped by it.

~~~
james-skemp
In case you're curious, the calls in a foreign language are, I understand,
generally immigration scare attempts.

They were a big thing a few years back when Trump was talking about walls and
kicking people out of the US; I thought they had died off, but I've also
stopped answering my phone.

~~~
tdrp
I got my first call in Chinese a couple of days after I applied for my
visa to China so I assumed it was legit and related initially (e.g. they want
more documents or something). Fortunately I don't speak Mandarin so once I
tracked down my coworker and asked him to translate he told me it was a known
scam.

~~~
QUFB
If I can figure out the right button to press to get a human, I explain to the
Chinese scammers that my Mandarin is really poor, but that I would love to
hear what they think about the 6/4 Incident.

------
mikekchar
Got a letter in our letterbox the other day. It was purportedly from the real
estate company that manages the apartment we live in. It said "Starting next
month we would like you to change the bank account that you transfer money
to". My wife was just going to do it because the letter looked legitimate and
even seemed to have a stamp from the company (in Japan stamps are used instead
of signatures). I stopped her and asked her to call the real estate company
(using the number we already had on file) for confirmation. I pointed out that
the stamp appeared to have been printed on the letter, not actually stamped.
Indeed, it turns out to have been fraud. The real estate company had no idea
about the letter.

~~~
ganafagol
With all those fraud stories up here, I'm wondering: Has anybody describing
such a story in this thread reported the incident to the police after
realizing it was fraud?

~~~
mikekchar
To be honest, I didn't. I expected the real estate agent to do it... But now
that you mention it, I should probably follow up. Thanks for the idea!

------
exmadscientist
From the article comments:

> Many banks including TD Bank on the East Coast of The US, and throughout
> Canada are now using voice recognition technology for their telephone
> banking.

> You can only imagine how easily that is spoofed as well.

That's absolutely hilarious... because the technology that allows a person's
voice to be recognized is the exact same technology that allows it to be
imitated.

~~~
dave5104
Schwab Bank started using voice recognition "passwords" as well. Luckily, it
requires you to log into their website after talking through the voice password
tutorial to activate the voice password--which I refused to do at the time.
Good to know I made a decent choice.

~~~
lotsofpulp
Fidelity has you put in your online password via the number pad. Have fun if
you use a secure 20 digit randomly generated password.

~~~
mindslight
Never mind the insanity of leaking a secret that would otherwise only travel
over TLS. Banks wouldn't know actual security if it fell into their lap. They
got spoiled by pretending SSNs were somehow private, and are still trying to
use "identification" as a crutch rather than focusing on proper authorization
- e.g. a hierarchy of auth levels with the master being a public key on a
hardware token, ideally that you go into a branch to replace. The only thing a
person can do is refuse their snake oil voiceprints etc wherever possible, and
most importantly monitor your accounts religiously at least every 40 days.

Even worse, the snake oil is leaking to non-banks as well. For example, Amazon
now seems to insist on doing an email challenge for every login. Very
unfriendly UX. Eventually I'll get around to writing a procmail recipe that
grabs the codes out of emails/texts, and spits them to a terminal ready to be
pasted.

~~~
Nursie
Most banks in the UK have given out hardware 2FA devices for years. I have one
for my company accounts that's activated with its own PIN that gives out logon
and authorisation codes.

Is this not true in the US?

They are often now replaced by banking apps that offer a similar feature, as
my consumer account with the same bank has done.

~~~
lotsofpulp
When it comes to banks, if it makes life easy for the customer, it’s probably
not true in the US.

We still don’t have chip and PIN, and we most certainly don’t have TOTP 2FA.

------
diebeforei485
On iPhones you could go to Settings > Phone and turn on Silence Unknown
Callers.

Works like a charm. If they have something important they'd leave a voicemail
or text message or email anyway.

~~~
zeta0134
Android has a similar feature in its Do Not Disturb mode. If you're not
already in my address book, my phone simply does not ring. Everyone I need to
hear from on a moment's notice is in there, and everyone else can leave a
voicemail. It's maybe a bit sad that it's come to this, but the robocalls are
_rampant_ and this is the only solution that even puts a dent in the volume.

------
zahrc
Moving from Germany to the UK was very easy and there haven't been a lot of
“unexpected” things I couldn’t cope with... Robo, spam and scam calls. I’m
still only using my German number which only my family and friends have, who
know, only call me in case of emergency.

Banks, insurances, institutes etc will never get my phone number. And my money
will never be in a place where I have to worry about it getting scammed.
Stolen maybe - but that thief would be very lucky.

And all this fuss and lack of comfort (simply ordering stuff) [especially
during times like these] because I’ve become very paranoid, because of
situations like that...

~~~
C1sc0cat
I just don't do online banking apart from my backup NatWest account that only
has £50-100 in it.

------
barbegal
What is the best practice for preventing these man in the middle (MITM)
attacks? Brian Krebs seems to suggest the only way of doing so using a phone
alone is to put down the phone and ring back, that way the initiation of the
connection can be guaranteed to be secure.

I suspect there are better schemes that can be adopted when the user has
access to both a phone and another connected device that can foil MITM attacks
using SSL but you can't always guarantee that a user has access to a web
browser or app.

In this case all phone calls from the bank should proceed like so (and it
should be made illegal to act otherwise): "Hi I'm calling from Example Bank
fraud department. Please go to your banking details and find the phone number
for the fraud department and call the number listed and quote the reference
ABC. I will now hang up and await your callback"

------
Ndymium
How does caller ID spoofing work technically? I mean if the attackers do not
have the contents of your SIM card stored, how can they pretend to the network
that they are you? Isn't that the purpose of the SIM?

------
asdff
Nope because I don't answer calls from outside of my contacts. So much spam
these days. If it's important they will leave a voicemail, and I can just skim
the transcript rather than listening.

------
pochamago
I strongly recommend getting a phone number from an area where you don't know
anyone. Any time I get a phone call from Dallas, I know it's a scammer
spoofing my misleading area code.

~~~
lxmorj
I recently got a call from a Chinese supplier on a presumably VoIP call,
routing through my local area code and it has thrown my "avoid the 315
unknown" strategy out the window...

------
darepublic
How about this for a scam idea -- you call someone innocuously, without any
purpose but to get them talking to you. Record their voice and then create a
deep audio fake of them. Then mass dial the area code spoofing their number
and try to get someone else on the phone with you using as your bot the audio
fake and record their voice and repeat.

------
caf
There sure must be a bunch of lousy online shopping sites storing CVVs in
flagrant opposition to the entire point of CVVs.

------
schnischna
"This data, known as “CVVs” in the cybercrime underground, is sold in packages
for about $15 to $20 per record"

Would it be terribly complicated to make single use credit cards? Like if you
have an app from your bank (which they push on you these days, anyways), you
could generate a new virtual credit card for every transaction?

~~~
mstade
Revolut has a feature that does exactly this, and it works great! It's the
sole reason I have a Revolut account. I know my usual bank used to do this as
well, but they stopped some time ago unfortunately.

------
bravura
It seems like the greater risk described in this blog is attackers using
social engineering against your bank to gain access to it. How do you prevent
that?

~~~
dylan604
You don't. Social engineering has been the best tool in the kit since long
ago. Used to do it in the phone phreaking days. The majority of the time, the
person being "engineered" is some sort of customer service type who is
essentially there to help customers. It takes a robo-level self-control to
essentially say "tough cookies, I cannot help you for fear of being scammed".

------
amiga_500
Another piece of USA infra that is just miles behind most western countries.

Phone numbers cannot be used as sole auth.

This also shows the total flaw in the phone infra. Why can't I rely on the
phone number I see?

~~~
shakna
> Another piece of USA infra that is just miles behind most western countries.

There are massive holes in most government institutions. You just need to
encounter them.

Just one example from many of the Australian government failings:

You may receive a phone call from Centrelink. It'll be from a private number,
so there's no need to even spoof it. They ask for your date of birth,
Centrelink ID and address to validate you, which just also happens to be
everything you need to steal someone's account.

If you refuse to identify without them first identifying, or if you ask if you
can call Centrelink directly to be reconnected, you'll find you can't.

I received a call from Centrelink, in a week when I also received three other
calls purporting to be from Centrelink. I can't tell you which one was the
legitimate one, just that I was punished for refusing to communicate over the
phone, and had my account closed.

(An account that it took the Minister of Health intervening on my behalf to
open - Centrelink are incapable of assessing my illness, and thus my account
always ends up in a limbo of processing, without me receiving benefits, whilst
still being incapable of most work.)

Similar things exist with the Tax Office, the security puss that is mygov, and
so on.

I've had similar stories from friends out of the UK and France. Governments
don't know how to deal with situations where they cannot just say that they
are the authority.

~~~
amiga_500
Agreed, but the entire USA non-government retail banking system is behind
Europe.

