
When in doubt: hang up, look up, and call back - todsacerdoti
https://krebsonsecurity.com/2020/04/when-in-doubt-hang-up-look-up-call-back/
======
riantogo
This also applies to offline solicitation. Someone came to my door and asked
me to sign on to switching my gas supplier. He said it is a supply chain
change and will not affect anything beyond me getting a smaller monthly bill,
still coming from PG&E. I told him that it sounds wonderful but this is the
first I'm hearing of such a thing and I need to research online what it is
about before signing anything. He said he has all the details in his paper
folder and I can read it. I insisted on doing my own research. He said the
deal is off once he leaves and it is my last chance. I told him, "so be it,
such is life".

Did a quick Google search the next day and figured the process is legit but
people out there have gotten higher bills than before.

Moral is to fight the human-interaction pressures and be adamant on doing your
own research. No shame in that.

~~~
StanislavPetrov
If someone knocks on my door and I haven't invited them over I don't even
consider answering it. It doesn't matter to me what sort of uniform they are
wearing. The same goes for phone calls. I don't understand the obligation people
feel to engage in unsolicited meetings and conversations.

~~~
copperx
I get what you're saying, but I get irate at people who don't answer calls
from unknown numbers. Spam or soliciting? Hang up and block caller. It doesn't
take more than 5 seconds.

I've been in situations when I don't have access to my cell phone and I need
help from friends, so I call from a stranger's cellphone. I never get an
answer. I have to text them from the stranger's phone (and see their text
messages), wait for them to see the message, then accept the call. It's
incredibly frustrating.

~~~
ganstyles
One problem here is that by answering at all, you're confirming your phone
number as one with a real live person on the end. They track this and will
keep calling. Anecdotally I noticed after I stopped picking up, the number of
calls I was getting decreased.

~~~
Jarwain
I like to pick up and immediately hit mute. If they say something, maybe I
reply, but typically the spam callers just hang up after a few seconds. I read
somewhere that picking up but not saying anything can take you off the
rotation or something

~~~
sk5t
I've done the same for a span of a couple months--immediate mute, no
interaction. It didn't seem to make a difference one way or the other though
with regard to call frequency.

------
nicolas_t
Not so long ago, I got a legitimate phone call from my bank's fraud department
(HSBC HK) regarding a dispute I had made (someone had used my credit card to
book on booking.com).

The bank employee asked me to give him my passport number and acted annoyed
when I refused. He couldn't understand why I would not give this kind of
private information on a phone call and why it was a breach of security. I
then called the bank's customer service hotline and they had no record of the
call from the fraud department being made because it's a separate department
and they didn't have access to that data. It took 3 days before I got a
confirmation from my bank that that call had indeed been legitimate (and
that's only because I have a relationship manager)...

So I think banks are part of the problem; they need to massively step up their
training in security so as not to make these kinds of demands on phone calls
they have themselves initiated.

~~~
djaychela
Funny you should say that, I've had several calls from my bank - HSBC UK - who
have then asked me for information to 'prove my identity'. When I've said "you
phoned me, you could be anyone, I'm not doing that", they got pretty annoyed,
and didn't see why I was saying that I wouldn't give away the information. I
phoned them back and then it was OK - when I spoke to the same person (she'd
given me an extension to give once I'd phoned the main, publicly verifiable
number), she seemed surprised that I'd take such steps.

It's not just banks - I get the same spiel from my insurers, who say they have
to check the information "for data protection" - oblivious of the fact that
them regularly doing this means that they're setting the scene for people
inadvertently leaking the information they take as sacrosanct!

~~~
ChrisRR
I'm with HSBC too and they seem to be a bit too cautious with their debit card
fraud. I get my card blocked a couple times a year.

Whenever they've phoned me and I've told them I don't want to give out my info
they just tell me to call the number on the back of my card. Never had anyone
act annoyed towards me. Maybe it's because I never act annoyed or accusatory
towards them, so they don't act the same towards me. I just tell them that I'd
rather not give my info out to someone who's phoned me

------
munificent
_> But he said he still feels like a chump for not observing the golden rule:
If someone calls saying they’re from your bank, just hang up and call them
back — ideally using a phone number that came from the bank’s Web site or from
the back of your payment card. As it happened, Mitch only followed half of
that advice._

Banks could normalize this behavior by having their customer service reps ask
customers to do this at the beginning of every call.

"Hi, this is <csr> calling from <bank>. We'd like to talk to you about
<subject>. To ensure to you that this is not a fraudulent call, please look up
the phone number for this bank and call us back. Thank you."

~~~
pdonis
_> "Hi, this is <csr> calling from <bank>. We'd like to talk to you about
<subject>. To ensure to you that this is not a fraudulent call, please look up
the phone number for this bank and call us back. Thank you."_

This would be great as long as your call back was recognized and immediately
routed to the right person instead of being placed on infinite hold, as is
usually the case when you call a bank's or credit card company's number.

~~~
jaredsohn
>as long as your call back was recognized and immediately routed to the right
person

It would be great if more companies had this functionality. It would also be
useful in the situations where you get disconnected while talking with
someone.

~~~
TheHypnotist
Most contact centers have some sort of virtual hold - i wonder if they can
leverage that tech for this type of functionality.

~~~
WorldMaker
Or use something really old school such as "extension numbers".

~~~
jaredsohn
Basically, I'd prefer if the PBXes used by these companies providing support did
the equivalent of storing short-term 'cookies' that remember you had just
called rather than requiring remembering and reentering 'share urls'.

------
habosa
I got a call on my Verizon phone. It showed up as Verizon on the caller ID.
The guy said there was a problem with my payment but I was busy and said I'd
call back later. When I called that number back later they didn't know what I
was calling about. I said "you called me" and they said "oh that's a scam, we
never call you. If we call don't pick up"

If Verizon can't stop people from spoofing their own customer support number
on their own network, we're all screwed.

~~~
aviditas
They (all phone providers) can stop the caller ID spoofing. They just don't
want to invest the time and money to do so. It's finally a bipartisan issue
but as long as Ajit Pai is the FCC chairman, nothing will happen aside from a
few pay to block gambits.

~~~
skrause
"FCC requires carriers to deploy STIR/SHAKEN caller ID authentication" -
https://www.fiercewireless.com/operators/fcc-requires-carriers-put-stir-shaken-caller-id-tech-place

~~~
alteria
IIRC the FCC moved from "recommending" STIR/SHAKEN to requiring it due to
foot-dragging on the carriers' part

------
ipython
I just had this experience from pnc bank. I don’t even bank with them, but a
member of my household does.

The incoming message was automated, asking for (person who lives here) with a
visa debit card that has fraudulent transactions. The caller id was a number
not listed on the back of the card.

Pressing “1” puts you into the next phase, which asks you to “verify” your
identity by - guess what - typing in your full 16 digit debit card number!

At this point I am convinced this is a scam. You google the phone number and
you see tons of links saying it’s a scam.

The person calls their regular number on the back of her card and they claim
no fraudulent activity.

A few days later I still get these calls so I decide to investigate. Pressing
zero a bunch and asking for an agent finally gets me to a live individual. He
claims they’re from pnc and they are a different section not connected to the
“main” number. He’s able to recite details about the account that only pnc
would know, so now I’m not sure.

I email abuse@pnc.com asking them to please either say the calls are
fraudulent or acknowledge that the phone number associated with these calls is
legitimate (it doesn’t appear anywhere on pnc’s web site)

I did get a response - good! But they didn’t actually change the site ... so I
suppose in this case anyone who receives notification of fraud on their pnc
debit card should email abuse@pnc.com to validate the calls are legitimate?

~~~
xur17
> I email abuse@pnc.com asking them to please either say the calls are
> fraudulent or acknowledge that the phone number associated with these calls
> is legitimate (it doesn’t appear anywhere on pnc’s web site)

Note that faking the number you are calling from is fairly trivial, so do not
trust the caller ID as proof of identity.

~~~
ipython
I should have clarified: I called the number back (from the caller ID)

------
xvector
> _“When the representative finally answered my call, I asked them to confirm
> that I was on the phone with them on the other line in the call they
> initiated toward me, and so the rep somehow checked and saw that there was
> another active call with Mitch,” he said. “But as it turned out, that other
> call was the attackers also talking to my bank pretending to be me.”_

Jesus Christ. This is some Inception-level shit. I do not operate on this many
levels of meta in real life.

~~~
mcv
It's not the first time I've heard of a scam like this. Scammers are
increasingly sophisticated about this, basically performing a kind of man-in-
the-middle attack on the phone between you and your bank. And phone protocols
aren't secure enough to deal with this.

------
soulofmischief
Krebs mentioned that Mitch logged into his bank account while on the phone
with the scammers. That's a HUGE no. We live in a threshold period where
acoustic emanation attacks are about to become much more commonplace due to
increasing computational capabilities. [0]

Getting you to browse your computer for 10-20 minutes and then log into your
bank account could be enough to gain access to your account.

And 2FA is proven insecure with SIM hijacking. These methods have a high up
front time investment but will take even less effort than Mitch's gambit once
deployed.

[0] https://www.cs.cornell.edu/~shmat/courses/cs6431/zhuang.pdf

~~~
vngzs
Do you think a phone call is high enough bitrate for these attacks, or are you
implying parabolic microphones could be used to make this happen?

The mentioned paper contains a remark:

> While recording from the third keyboard, we get several seconds of
> unexpected noise from a cellphone nearby.

But that's the only mention of a phone in the paper ...

~~~
soulofmischief
I don't think the techniques and technology have become quite refined enough
for this to be widely deployed, at most people are simply experimenting with
the idea. But people are taking this seriously because it represents quite an
attack vector once things fall into place. The thing is we won't know when
we've reached that threshold until the first news stories about a widespread
phishing scam using the technique emerge.

It seems VoIP will be the first low-hanging fruit:
[https://arxiv.org/pdf/1609.09359.pdf](https://arxiv.org/pdf/1609.09359.pdf)

------
dantiberian
On first read, I didn't understand how the call to the bank's customer service
department went wrong.

_Something about that conversation didn’t seem right, and so Mitch decided to
use another phone to place a call to his bank’s customer service department —
while keeping the first caller on hold._

_“When the representative finally answered my call, I asked them to confirm
that I was on the phone with them on the other line in the call they initiated
toward me, and so the rep somehow checked and saw that there was another
active call with Mitch,” he said. “But as it turned out, that other call was
the attackers also talking to my bank pretending to be me.”_

What happened is that the attackers made one call to Mitch, and another call
to the bank posing as Mitch. When Mitch called the real bank to check up if
there was a call in progress, they said yes (the call with the attackers).

~~~
overheadnoise
I don’t know if I’m just really tired or if the post was just badly written,
but I’ll go with the latter since you were confused too.

My understanding is this happened:

1. Attacker got a hold of Mitch’s bank card, PIN, and some personal details.

2. Attacker starts pulling out money and buying things here and there to see
if Mitch ever notices.

Mitch never notices so...

3. Attacker calls Mitch on Friday and pretends to be Mitch’s bank. Attacker
doesn’t ask for any details, just alerts Mitch that something was going on
with his account to get him to think the bank was looking into it.

4. Attacker calls Mitch’s bank and also Mitch at the same time the next day.

5. Attacker asks the bank to send the SMS verification code to Mitch.

6. Mitch gets the code and reads it back to the Attacker.

7. Attacker repeats code to the bank.

~~~
wingerlang
I think it was perfectly clear.

------
prodave
Side lessons seems to be that scammers have access to a lot of your personal
info, which can fool you, and that you should never ever give an OTP over the
phone.

~~~
alexpetralia
One-time PIN for the curious

------
hanoz
An anti nuisance call policy that has served me well and I try to get my folks
to adopt is that if there is the merest hint of a delay between my hello and
the caller's response, I put the phone down immediately.

I don't think I've ever had an identifiable repeat call, from which I conclude
it's both effective and has a low false positive rate.

~~~
mvexel
I take this a step further and don't say anything for the first few seconds if
I pick up a call from a number I don't recognize. I used to not pick up those
calls at all, but now that spam callers are using local area code caller IDs
more and more, that is getting more difficult.

------
duxup
That's what I always told my older family.

If it is about finances, YOU call them at a number on your billing statement
that you know is correct, or just go to the bank.

Never make a decision / give info if "they" called you.

------
yalogin
At this point, we should really throw away the current phone system and use an
authenticated model. There should also be laws forcing the phone companies to
not allow this. I get at least 2 spam/scam calls a day and there is no hope
that it will reduce.

~~~
kccqzy
There are anti-spoofing requirements for carriers. The TRACED Act requires
carriers to implement voice call authentication which should make spoofing
caller IDs impossible.
https://www.congress.gov/bill/116th-congress/senate-bill/151

Last time I checked, carriers have until June 2021 to implement it.
https://arstechnica.com/tech-policy/2020/04/ajit-pai-follows-congress-instructions-requires-new-anti-robocall-tech/

------
misnome
Does anyone know any good guides for being aware of these things, strategies
used by scammers, and what to be suspicious of? Something that isn't
patronisingly simple, but not aimed at teaching expert users either.

> “But as it turned out, that other call was the attackers also talking to my
> bank pretending to be me.”

I don't understand this part - the _actual_ bank said that he was on a
different line with them? Wouldn't that mean that the scammers had authorised
as him already, in which case the account is already compromised? Also, the
bank asking for 2FA over the phone also sounds like training into bad habits,
but I appreciate there's different approaches with different banks.

This is a pretty similar sequence of events to one a reasonably intelligent
but non-tech friend of mine fell for this week: Got an email saying that the
TV licence needed to be renewed. They followed the link on the email, didn't
check the URL and filled out their account details to set up a direct debit.

Two days later, gets a call from their "bank", telling them that they filled
out a scam direct debit (gets victim flustered to compromise judgement) but
they need to authorise them first before they can speak any further... my
friend challenged their identity but they used the exact same "fake caller ID"
trick - to the correct bank number since they had the sort code from step 1,
and that identifies the bank. I knew this (caller ID) was possible in general,
but hadn't heard of it being actively used in the UK - only from stories in
the US. After "verifying" they asked for the 2FA device code, then (registered
a card for ApplePay and) asked them to "confirm" the code they had just been
texted, which is the point I walked in and was "WTF are you doing?"

About 10 minutes later while in the waiting queue for the actual bank, the
actual bank called them - when we said that we wouldn't trust the call they
instantly gave us a reference number to quickly recall the case and advised us
to call back quickly. Luckily, the bank reimbursed the amounts taken before
they locked it off (apparently some UK agreement from a couple of years ago.)

They were pretty shaken up from the experience, and want to know what to look
for in the future. It strikes me that a lot of these cases are hitting
otherwise reasonably cautious people who aren't aware that something they
think is authentication, really isn't, like caller ID.

~~~
overheadnoise
I think the attacker called the bank and Mitch at the same time. The attacker
knew that the bank would send Mitch a SMS code so the attacker asked the bank
to send it, Mitch told the attacker, the attacker told the bank.

The bank was on the phone with Mitch and the attacker at the same time. Mitch
thought the “other Mitch” was himself on the other line.

------
EGreg
Tips from my experience:

1. If someone who calls you asks you for ANY sensitive personal info, just
tell them that your policy is to not give any personal info to those who
called you, but you’re happy to call the official number. That stops it right
there

2. Use email aliases instead of your actual email when creating accounts with
eg Amazon Web Services. An email alias is like me+somethinghere@gmail.com —
this way the attacker can’t get the customer service rep to give them access
to your account easily.

3. If you use your phone as a 2FA, be on the lookout for SIM porting - that’s
when they trick the rep into porting your phone number.

I had the third one happen, luckily I acted fast. The attackers couldn’t get
into my G Suite email but they got into godaddy to port the domain and MX
records to their servers. So they could receive email sent to me, and send
email as me. They also changed my GoDaddy password. I had my phone as the 2FA
at the time. Better to not have one at all, or use an authenticator app.

I called in and luckily GoDaddy restored my account. Too bad they had no tool
to check what changed so I had to check every domain manually.

The attacker was too slow in that regard. But it was telling that I received
an email with the subject “Test”. That’s what tipped me off.

------
castillar76
I've had this issue a few times with credit card companies, loan companies,
and on one or two occasions collections agents. Some very nice person calls in
order to discuss an issue with me, but wants me to tell them my birthdate,
last-four-of-SSN, and other stuff "in order to verify your identity". They
then act annoyed and puzzled that I won't just reel that information off to
some rando who called me out of the blue, and start pointing to the caller ID
as evidence that they're legitimate. The funniest part of the conversation is
when they warn me that we won't be able to discuss this problem if I won't
verify my identity, at which point I respond that _they_ called _me_, so if
they don't want to spend any more time on the phone, I'm happy to go back to
whatever I was doing and they can try reaching me by some non-brain-dead
means.

I feel like if we ran a public education campaign about how easy it is to
spoof caller ID, a lot of these scams would stop working, but that's probably
just me being foolishly optimistic.

~~~
monksy
Try calling chase. They'll tell you that they'll "call you back". They claimed
that they would text me but the texts failed.

The guy claimed that "don't worry it's me". I told the guy that if you call me
back to "talk about my account/verify me" you're going to be met with a "go
fuck yourself". They do not have any protocols to confirm they are who they
claim when they call back.

------
kerkeslager
On landlines on some networks, it used to be that if one person on the call hung
up but the other didn't, the call would remain connected for a while. So if
the person who had hung up picked up the phone again, they'd still be
connected to the same person, and wouldn't hear a dial tone. This was useful:
if you wanted to move to a different phone connected to the same line, say,
for more privacy, you just tell the other person what you're doing, hang up,
and then pick up in the other room. But some scammers found a way to use this.

Basically, the scammer would instruct a suspicious mark to hang up, look up
their bank's phone number, and call back, just as Krebs is instructing. As
soon as the mark hung up, the scammer would begin playing a dial tone instead
of hanging up. When the mark picked up the phone, they would hear the dial
tone, so they would begin dialing at which point the scammer would end the
dial tone, wait for the dialing to stop, and then play a few ring tones and
then pretend to pick up the phone. This was in the 90s so the technology was
there to automate it, but it's simple enough it could have been done
completely manually by stopping and starting recordings. From the user's
perspective, it seemed they had hung up and made a call to the bank, so it
seemed impossible that they were connected to someone else.

Cell phones, which don't stay connected when only one party hangs up, are
totally immune to this hack. And this hack has probably fallen out of use
since the ubiquity of cell phones has deprived scammers of a viable pool of
marks.

------
Junious
Beware that there is also a no-hang-up scam. The details below are from the wiki:

Another simple trick used by the fraudsters is to ask the called parties to
hang up and dial their bank, but after the victim hangs up, the fraudster does
not, keeping the line open and remaining connected when the victim picks up
the phone to dial.[4] When in doubt, calling a company's telephone number
listed on billing statements or other official sources is recommended, as
opposed to calling numbers received from messages or callers of dubious
authenticity. However, sometimes hanging up and redialing is insufficient: if
the caller has not hung up, the victim might still be connected, and the
fraudster spoofs a dial tone down the phone line to entice the victim to dial.
Then the fraudster's accomplice answers and impersonates whomever the victim
is trying to call.[5] This is known as a 'no hang-up' scam.[6] Hence consumers
are advised to use a different phone when dialing a company's number to
confirm.

When in doubt: hang up, look up, and call back "from a different number".

~~~
xvector
This seems like something that would only work on a landline.

~~~
Junious
True.

------
yhager
I had a legit call a few months ago from the CRA (Canada Revenue Agency). He
was nice enough and sounded calm, and I explained that with all due respect,
since he called, I have no way of knowing if he is a scammer or not, so I'd
like to call back. He was somewhat taken aback, but not annoyed. I asked where
to call, and what to say to get to the matter at hand. After hanging up, I
looked up the number, called them back, and got the issue settled. But I was
truly surprised that he expected me to talk to him when he called. The CRA is
probably the number one pretend-caller in Canada (or two, after the RCMP - the
federal police), so I was surprised they do not employ this as a standard
practice and education for people to protect against scam calls. I was lucky
to keep my wits about me, and that the call indeed was legit, but it shows
there's a huge opening for scamming less savvy people.

------
grawprog
I was getting a bunch of those canada revenue scam calls a while back. They
left a message with some robot voice saying 'there was a lawsuit in my name
and blah blah blah blah bullshit' so I looked up the number and read about the
scam. Apparently they'd actually managed to rip some people off and they were
being searched for. So, the next time they called me, I called the number they
left me. Some dude with a French accent answered. I started ranting. I told
them if they ever called my number again I'd report them to the RCMP and swore
a bunch and was fairly rude.

Funny enough, I never got a call back from the Canada Revenue Agency for being
less than polite to them, and the spam calls stopped.

My advice, if you actually get a real person on the line, call them out on
their shit and tell them to fuck off. It seems to work.

~~~
Gatsky
Although satisfying, this isn’t a good idea, they have your number and are
capable of asymmetrical warfare eg spoofing your number for the next 10000
scam calls they make.

------
frandroid
> Armed with a counterfeit copy of his debit card and PIN, the fraudsters
> could pull money out of his account at ATMs and go shopping in big box
> stores for various items. But to move lots of money out of his account all
> at once, they needed Mitch’s help.

Whoa, a double-tap attack

~~~
maowtm
But how...

Aren't bank cards designed to be non-cloneable (with crypto chips)?

------
StanislavPetrov
>But if your response to such a scam involves anything other than hanging up
and calling back the entity that claims to be calling, you may be in for a
rude awakening.

My response is not picking up the phone at all.

------
pontifier
I was recently scammed by either a man in the middle attack or a replay attack
due to insufficient authentication of a new party I did business with.

When you are starting a new person to person transaction with an unknown
party, it seems impossible to verify that an attack like this is not
happening. The attacks could get arbitrarily complex and every defense I can
think of has repercussions.

Even trying to start a transaction could be replayed to someone to make it
look like I was the one that was doing the scamming.

------
tomxor
> The investigator said another man had called in on Saturday posing as Mitch,
> had provided a one-time code the bank texted to the phone number on file for
> Mitch’s account.

Wow. In the UK as far as I'm aware no bank uses auth codes over txt; we have
physical devices to generate one time codes for identification or transaction
signing using chip and pin.

Most people here are aware txt messaging is not secure, it's enough of an
issue for email hijacking, I'm very surprised banks are using it in the US.

~~~
perl4ever
Banks and brokers.

Sometimes a device is an option. Some organizations use a software token app
on your phone, or something physical they send you.

------
Pxtl
> Mitch received a call from what he thought was his financial institution,
> warning him that fraud had been detected on his account. Mitch said the
> caller ID for that incoming call displayed the same phone number that was
> printed on the back of his debit card.

Imho, this is where the phone company should be liable. If I let people
masquerade as other users in my software, it would be a critical security bug
and I'd be in deep trouble. But we just accept this crap from phone companies.

~~~
kerkeslager
Your software probably isn't a multinational network of literally billions of
pieces of hardware ranging in manufacturer and age by half a century, which
isn't even owned and operated by a unified group of companies in a unified
group of nations, which is used by all sorts of people in situations where its
failure could cause people to literally die, so that changes have to be
unequivocally backward compatible.

So there's that minor difference. If you decide to do a security upgrade and
your software breaks, it probably doesn't mean that an 85-year-old woman dies
because her only form of communication, a rotary phone, suddenly stops working
and she can't get out of the house.

STIR/SHAKEN[1] is the solution to this problem, but the rollout is scheduled
to be completed by June 2021 in the US, and September 2020 in Canada. It's
slow, but this is something that you don't want to be rushed. Yes, I get it
that Robocalls are terrible: I got 3 calls which I didn't pick up but I assume
were robocalls today. But this upgrade is a difficult problem and the stakes
are high.

[1] https://en.wikipedia.org/wiki/STIR/SHAKEN

~~~
Pxtl
This prompted me to do some digging, and I learned something fascinating:

Caller ID and Email are just about the same age.

------
dificilis
I had someone claiming to be from my bank phone me in relation to certain
transactions that actually happened, and like a fool I just answered their
questions, without verifying who they were.

Later on I called back, to verify that it was someone from the bank who had
phoned me.

The call-centre person in the bank who answered my call was unable to confirm
or deny if someone from the transaction-checking department had actually
phoned me, because it was all very confidential.

------
grey-area
How much time and money is lost to this kind of scam?

We need verified identity for phone numbers and email, with consequences
attached to bad behaviour.

------
shrimpx
There’s basically no reason to ever answer a call from an unknown phone
number, let alone engage and divulge private data. If it’s important they’ll
leave a voicemail. Going further, I’d say it’s basically safe to always block
missed calls from unknown numbers that didn’t leave a voicemail. If it’s
important, you’ll hear about it via some other channel.

------
gorgoiler
Poor Mitch. The core of this sounds like another variant of the
Mig-in-the-middle attack.

Page 126 (page 10 of the PDF) from RJA’s Security Engineering being my
reference...

https://www.cl.cam.ac.uk/~rja14/Papers/SEv3-ch4-dec18.pdf

------
mannykannot
"He said he checked his account online several times over the weekend, but saw
no further signs of unauthorized activity."

If, in retrospect, you feel someone was attempting to scam you, a better
option - I hope - might be to contact the bank's fraud line, explain that you
are suspicious, and have them look for suspicious activity.

~~~
overheadnoise
Mitch was satisfied thinking that the bank was already looking into it, since
the attacker pretending to be the bank didn’t ask for any details /raise any
flags.

~~~
mannykannot
For the point I am making, it does not really matter what Mitch was thinking,
but his behaviour over the weekend suggests that he was not entirely
comfortable with the outcome. What do you suppose he was checking for? I would
guess that he did not need to see his balance more than once.

He says that his suspicions were tweaked, near the end of the call, by the
scammer giving an old address for him, and apparently his girlfriend was a
good deal more suspicious: "Anyway, the whole time my girlfriend is sitting
next to me listening to this conversation and she’s like, ‘This sounds like
bullshit.'”

------
mikece
Among many other things in this article, it's a good reminder to simply never
use a debit card: use a credit card instead as the most you can be out is $50
for any incident of fraud. And if you need cash? How about going to the bank
and talking to a teller (or going through the drive-through during social
distancing)?

------
choeger
So the scammers expected the victim to call back the bank to get the secret
code? That is pretty sophisticated. But when they first called they knew about
fraudulent discharges, and presumably had caused them, right? Or did they
break into the victim's computer? Tbh., something is missing in that story.

~~~
overheadnoise
I think the attackers had Mitch’s bank card and PIN and were making those
fraudulent charges to see if Mitch would notice. If he did, the attackers
would have been shut out then and there.

Mitch didn’t notice, so the attackers called Mitch pretending to be the bank.
They didn’t ask him for any details so no red flags were raised, they just
said “we noticed fraudulent charges and rest assured we are fixing it.”

Next day, attackers call the bank and Mitch at the same time. They needed the
code the bank would send to the # on the account, so the attacker requested it
from the bank, the bank sent it to Mitch, Mitch read it to the attacker, and
the attacker repeated it to the bank.

At some point, Mitch got suspicious and called the bank to ask if they were on
another call with him. The bank was on a call with the attacker pretending to
be Mitch, so they said yes. Mitch thought the other Mitch was himself.

~~~
choeger
This is exactly what I meant. If the attackers already could make fraudulent
discharges, then why should they put up such a complicated and risky attack?
Could they not simply have gotten the money via the debit card?

~~~
mannykannot
Probably not anything like $9,800 dollars in one go - there's usually a daily
limit. And the scammers may know (e.g. from doing it before) that after a few
small transfers, the victim's bank will call him if he had not already
noticed, in which case they preempted that call and effectively subverted it
for their purpose.

The risk of the scheme not working might be high, but I am not sure that the
risk of being caught is much increased.

------
onionjake
This doesn't work for everyone, but if you can do it then it works well. Don't
answer any calls from a number outside your contact list. If it is important,
they will leave a message. You can then call them back by looking up their
number on the website.

------
dsfyu404ed
This should also be a lesson about having $9k in an account tied to a debit
card and not following up on suspicious transactions. If the thieves had done
an ATM balance check and seen a combined balance of a number of hundreds of
dollars that could be counted on one hand they likely would have settled for
withdrawing that and wouldn't have bothered hitting Mitch with the advanced
scam to gain the bank info needed for a wire transfer. If Mitch had noticed
the test withdrawals he could have called his bank and stopped the fraud
there.

For how often you need that kind of cash readily accessible it's simply not
worth the risk for the overwhelming majority of people.

This was a really sophisticated attack and fooled even a security conscious
person but defense in depth (not having the big bucks accessible from your
general use card and/or following up on unknown transactions) would have
stymied it. With a good security protocol breaking one rule (not hanging up
and calling back) shouldn't screw you.

------
paddlesteamer
How do these scammers hide their identities? Is there a tor network or some
kind of proxy for gsm?

------
bosswipe
VoIP has not been worth the billions in thefts that it has enabled via easy
call id spoofing. I would happily give up VoIP to have restored trust in the
telephone network. But unfortunately that is not where our captured regulators
are heading.

~~~
cactus2093
That's interesting, I come to the exact opposite conclusion (I am admittedly
not a telephone network expert, maybe I am missing some important things).

But I don't see why having voice conversations over the internet is the issue.
The issue is these systems keeping compatibility with old telephone networks
which prevents solving these problems. If we dropped that compatibility
requirement we could require a certificate authority and be able to verify
callers and use end-to-end encryption, just like with https.

Or maybe better would be a compromise where all these systems can still fall
back to unencrypted/unsigned connections, but on any modern phone or cell
phone it would show a big insecure warning like modern browsers do for http.

------
pbhjpbhj
My problem with the whole thing is that even the companies doing it right
aren't initiating it. They need to verify at their end first; and they need to
initiate that.

This is our password & credentials, now please confirm your identity.

------
ydnaclementine
Banks do this themselves too I think. I seem to have the recent memory where I
called Chase, then they called me back. For the life of me I can't remember
what I was calling about though.

------
earthboundkid
How long until black hat SEO elevates the wrong numbers? If you search for
Apple support, you already get ads for sketchy people in India that look like
regular Apple support.

------
dandare
It is 2020 and this prominent blog is not responsive for mobile devices. You
have to scroll horizontally to read at a decent font size. Shame.

------
rhacker
I have done this every time it involves money. Banks, Credit Companies, etc...
don't let an incoming call end up with your money.

------
jariel
If phone companies had any initiative or product brains at all, they would
have initiated 'real caller ID' a decade ago.

------
Havoc
Especially with deepfake voices. That CEO instructing you to move cash right
now might now because of an emergency...

------
AndrewKemendo
I've been in Intelligence and Law Enforcement for the better part of two
decades and I put situations like this into the bin of:

If someone really wants your stuff, they are going to get it.

The cost of getting this guy's money was very high relative to the average
scam - but it's important to note that the cost of sophisticated
multi-factored scams is dropping.

------
icelancer
Maybe if banks and other companies didn't have a 10-level nested phone tree,
we would.

------
AzzieElbab
Well, do not call back overseas numbers or numbers that start with 8.

------
yodelinghambone
I just: Don't answer, look up and maybe call back.

------
kgwxd
I just don't answer. Haven't been scammed yet.

------
p2t2p
Unknown number? Don't pick up in the first place.

------
dwoot
Anyone else notice that Krebs' site lacks TLS?

~~~
dddddaviddddd
I get a 301 redirect to the HTTPS version. SSL Labs shows the site supports
TLS 1.0 - 1.3.
[https://www.ssllabs.com/ssltest/analyze.html?d=krebsonsecuri...](https://www.ssllabs.com/ssltest/analyze.html?d=krebsonsecurity.com)

------
jokoon
Shouldn't banks be liable for providing those security codes to a stranger if
it can be proven they were tricked?

------
willart4food
TL;DR: Always hang up, look up, and call back.

------
NKosmatos
> he quickly logged into his account and saw that there were indeed multiple
> unauthorized transactions going back several weeks. Most were relatively
> small charges — under $100 apiece — but there were also two very recent $800
> ATM withdrawals from cash machines

How is it possible for someone not to check his/her bank account all this
time? There were unknown transactions for several weeks and no one noticed?

IMHO not having alerts for your cards/accounts and not noticing strange
transactions is a bigger security risk than trusting the telephone number
calling you.

I fully agree that we should call back on the official number for any banking
issues and don’t blindly trust whoever is pretending to be from the bank.

~~~
bityard
Most people I know check their credit card, debit card, and/or bank statements
once a month, if ever.

You and I are the outliers, my friend.

~~~
0xff00ffee
Count me in. Text alerts on all financial institutions to a Google Voice # and
monthly reconciles of all accounts plus weekly investment checks.

I have had two fraudulent CC charges in 25+ years, and they both were reversed
immediately so I'm not worried about that. More worried about my credit union
so I keep as little in there as possible. (Interest rates are a joke so it
doesn't matter.)

