
I was just subjected to the most credible phishing attempt I’ve experienced - vinnyglennon
https://twitter.com/digitallawyer/status/1181348689756864513
======
digitallawyer
OP here. Just a couple of the things I learned since I posted the Twitter
thread:

- The caller spoofed the phone number of the bank. The bank was not in my
contacts, so I did not notice. Someone else in the thread noted that they did
have the bank's phone number stored, which upped the credibility of the call
to them.

- The caller called me twice in rapid succession (First ignore the call from
a number you do not know. Then they call back again immediately: "maybe this
is urgent / important"). Another person in the thread, who fell for the scam,
noted this same pattern.

- It is better if banks include a security warning / specific reason the code
is sent with the password reset pins and similar credentials. My bank did not.
Another twitter user noted being subject to the scam, and just glancing over
the warning copy. So it helps, but it is not perfect. Especially pre-coffee.

- My bank no longer allows me to reset my password without calling them
(thanks bank).

When I read the thread now, it's obviously full of red flags. I was
successfully manipulated, and whilst I'm certainly not as clever as all the
people pointing out they would have caught this from sentence one, I believe
I'm also not the lowest hanging fruit in terms of a target :-) Makes you
wonder what this will look like when these scams evolve another couple of
generations in terms of complexity ...

~~~
dkersten
I've got a number of calls from my bank over the years (usually the Visa
department asking about international charges) and my standard response has
always been "I'm sorry, as a rule I do not discuss personal details with
someone who called me, since I don't know who you are" and they typically
respond with "no problem, please call the number on the back of your credit
card". I still wish they wouldn't try to initiate a call (usually they launch
straight away into verifying who I am, asking me a ton of personal details
before I even know that they're legit... sigh) and would just ask me to call
them back on an official number (not one they give me over the phone,
obviously) instead. If that were standard practice, I think these kind of
scams would be a lot easier to detect.

~~~
lol768
>my standard response has always been "I'm sorry, as a rule I do not discuss
personal details with someone who called me, since I don't know who you are"

Amex got quite offended when I did this, and almost chastised me when I got
through to an agent after making the outbound call myself. They argued that
because they only asked for limited personal information (DOB) it was fine...

I would still do it again!

~~~
joosters
I had that same issue with Amex, they phoned, said there was a concern with my
card and then wanted me to go through identity checks before saying more. They
also got quite stroppy when I refused and asked them to prove their own
identity first!

Eventually they did suggest I call the number on the back of my card, but I
was annoyed by their lack of professionalism by this point (I mean, they are
asking me to do stuff - giving out information to unknown callers - which they
themselves always tell customers never to do!) I said I wasn't going to phone
a general number and get stuck on hold for hours over an unknown issue -
either give me some reference to get through quickly to the right person, tell
me what the problem is now, or send me a letter. But they kept claiming that
they couldn't send out letters in the post :-(

In the end, I finally received a letter by mail telling me that there were
problems with my direct debit payments. So it _was_ a genuine call but their
inability to securely make these calls is frustrating.

~~~
kerng
Why would a letter be genuine? That seems easier to spoof than phone or email?

~~~
bearcobra
Not sure if it’s true, but I’ve heard that mail (at least in the US) is safer
because the cost to send letters is high enough to deter bulk sends vs
email/phone, that postal inspectors are relatively effective at catching
people, and that the laws around mail fraud make prosecutions easier.

~~~
SuoDuanDao
I got a scam letter from someone claiming to be Canada Revenue Agency, so I
wouldn't bank on that either.

------
mhandley
My simple policy is I never give out any information if I'm cold-called. If
they claim they're my bank, I say I'll call them back on the number printed on
the card, and ask the caller which department I should be put through to.
Legitimate callers have never objected to this approach, and it saves me any
stress - same policy, no matter the caller, no exceptions, no need for me to
try and figure out if I'm being phished.

~~~
ljf
Good idea - but here in the UK there was a scam where they called you and THEN
suggested you call the number on the back of the card.

They then don't hang up, but play a dialling tone down the line until you dial
the number. At which time they 'answer'. This only works on home phones, not
mobile, but is worth considering, and warning your family/friends about.

~~~
bloak
Have you any idea _when_ this worked in the UK?

It's such an old story that you'd have thought there would be an explanation
online by now of exactly which telephone exchanges had this problem and when
those telephone exchanges were in use.

For what it's worth, it didn't work when I tried it, probably in the 1980s.
Perhaps it worked in the 1970s in some places?

~~~
dspillett
On POTS lines, the call doesn't drop until the initiator hangs up so even if
you put down the phone the connection is still there, pick up the phone again
and you resume the same call. I used to use this to move to the upstairs phone
to continue a call (back then we had two wired handsets on the same line). The
last time I can personally cite it working that way is the late 90s, but I'm
sure it has worked more recently than that, possibly even still now for some lines.

I can't test as I've not had a voice capable land-line for some time. It may
not work on newer exchange equipment. It won't work if you have a service
whereby calls are directed over a digital connection. It has never worked for
mobile phone services. It doesn't work on some (most? all?) office PBX
arrangements, either.

As well as allowing this sort of scam to operate, the "feature" can also be
used as a DoS attack, blocking calls to and from a line for a time.

------
stakhanov
Go to the police? Let us know how that works out for you. I did that once,
after a highly credible phishing attempt (that, ultimately, I did not fall
for). This was in Germany.

Me: Here is what happened to me, I'd like to file a police report.

Police: Well, with these internet scams, the fraudster is usually in another
country, meaning we can't really do anything about it.

Me: They used perfect German, used information that I only ever provided into
a non-public database of a German-based business that must have had a breach
of some sort. The fraudster also used pictures of apartments in Germany that
must have been taken here.

Police: Well, still. The person actually doing all of that could have been
doing all of that from another country. Usually Russia or China or something.

Me [thinking to myself]: Yeah, Russia, or China, or some country where law
enforcement generally presumes, even against all evidence, that any and all
cybercrime is happening outside their jurisdiction and therefore not doing any
law enforcement at all when it comes to cybercrime. Like what is happening
right here right now.

Me: Well, I realize that nobody is going to start an investigation into this
specific thing that happened here, but still: Isn't anyone at least compiling
a database so that, once patterns become bigger and more apparent, an
investigation of sorts may become warranted, etc?

Police: Nope. Nobody doing that. You can file a report. But I can tell you
right now that nobody is going to look at it or do anything with it. Also, we
kind of have more important things to do, here at the station. I mean: It's
your choice. I can't stop you. Just telling you how it is.

Me: Okay, thank you, goodbye.

~~~
ccozan
Thinking of this I would have continued like:

Me: are you confirming that if I start a scam you will not investigate it?

Police:...?

Me: Ok , then thanks a lot, I know now.

Police: umm, wait maybe..

~~~
0xffff2
Of course the local police department isn't likely to investigate it. That
doesn't mean no one is.

~~~
stakhanov
But, formally speaking, it actually really is within their responsibility to
serve as the first point of contact for the individual citizen (think "retail
customer") and put it through to the proper channels within law enforcement.

The Bavarian police (this was in Bavaria) even has a "center for cybercrime"
which, according to press releases and stuff, sounds like precisely the office
that should take note of things like that. But they don't have any
public-facing communication channels of any kind[1], and I'm unclear whether they
actually do stuff or whether they exist purely on paper as a public relations
and politics stunt.

Maybe if I was politically connected or willing to spend a pile of dough to
put a lawyer on it, things would be different, but this was just one man
trying to do his civic duty and there's only so much trouble that I'm willing
to go to for that.

[1] EDIT: After doing some more research, it looks like, meanwhile they do.
This was just announced two months ago, so seems to be a new development.

https://www.polizei.bayern.de/kriminalitaet/internet/index.html/294475

------
codingdave
I can understand how people would fall for this one. With 20/20 hindsight,
asking for the member number is fishy - it doesn't actually verify anything.
And when my bank calls me, it is always automated - I only get a person
talking to me if I ask for it through the automated systems. So in a way, any
actual person calling would be a red flag. But in the moment, I can see why it
sounded legit.

My parents have taken their precautions against phishing to extreme levels.
They don't speak into the phone when unknown numbers call. At all. If they
choose to answer, they wait for someone on the other end to talk and then
decide whether to speak or hang up. They have heard horror stories of people
getting their voices recorded and replayed into automated systems, so if
someone calls and asks, "Hi, Is this <name>?", they avoid even saying "Yes",
and instead ask who is calling. It may be paranoia, but as the saying goes...
just because you are paranoid doesn't mean that they are not out to get you.

~~~
theseadroid
I wonder if the criminals start to use automated voice systems, especially if
those systems prompt and allow you to input numbers/password from the dialpad,
how many more people would fall to the scam.

~~~
codingdave
If done well, it likely would be highly effective. Maybe we should not give
them any ideas.

------
maaaats
One I almost fell for, was a tab that changed to a Gmail login screen in the
background. When I switched to it, I thought I had gotten logged out and
entered my password. Luckily 2fa saved me. Did not use a pwd-manager at the
time, that also would probably have prompted some red flags when it didn't
auto-fill.

------
cyberferret
Saw this on Twitter this morning. Sounds like they must have engineered it and
set things up beforehand because they (a) knew which bank he was with and (b)
had everything set up ready to log in when they got his ID number and received
the password reset code from his text message.

I guess one thing that could have mitigated this quicker is if the text from
the bank had said "Here is the code you requested to reset your online
password" instead of a generic "Your authorisation code is..."

~~~
mcv
Which bank you have is not very secret information. Any payment exposes that
information.

It's a very clever scam, but it's also a very insecure bank if this is enough
to authorise payment. Get a different bank that uses 2FA, makes it clear what
an authorisation code is for, and doesn't call you for this kind of sensitive
information.

If they really do need to reach you quickly to stop a fraudulent transaction,
a simple "that's not mine" should suffice. They know they're talking to you
because they're the ones calling you. If the person making that payment has
also stolen your phone (entirely possible) they will not deny they made that
transaction, because they want that transaction to stand. That means only
confirming it's your transaction in this situation is suspicious, not denying
it.

~~~
krab
> Which bank you have is not very secret information. Any payment exposes that
> information.

Still, it means they had to spend some time to prepare for this specific
person.

Aside - here in Europe, the account numbers including bank code is pretty much
public information. Something like e-mail address. After all, you can only
send something in there. To withdraw, you need login credentials.

~~~
icebraining
> After all, you can only send something in there. To withdraw, you need login
> credentials.

Unfortunately, that's no longer true; with the SEPA Direct Debit system, money
can be taken from an account with just the person's name, address, IBAN and
BIC (the info required to fill a "SDD mandate"). I think there are some
verifications you need to pass to be able to create direct debits, but it
still seems like a move in the wrong direction, in my opinion.

~~~
krab
All banks I had an account at required verification for any payment order,
including the direct debit. Some time ago (before widespread internet
banking), you could issue an order that would be verified just against the
details you mention _plus your signature_.

I hope it's not possible anymore. At least my current bank lets you authorize
direct debit in internet banking app. Anything you do in person requires
either logging-in to the internet banking account at the branch or presenting
an ID.

------
bjt2n3904
So here's a problem with banking "2FA". It's not clear what the number they
send you by SMS is used for.

My Gmail account has 2FA. The token is only used for login. If anyone asks me
for it over the phone, there's only one reason.

Banks use 2FA sometimes at login, sometimes over the phone, and sometimes to
authorize transactions. That should be made transparent in the message, but it
usually isn't.

Imagine: "Your temporary pin for identity verification is 373123, and expires
in 5 minutes."

"Your temporary pin to authorize a transfer for an amount ending in $xxx4.23
is 522185 and expires in 5 minutes."

~~~
Lycake
My bank here in Germany does exactly this. The message I get is something
along the lines of "Here is your authorization code for transaction number XXX
for 5€ to RECIPIENT issued at 14:23: 12345"

------
jgrahamc
This is very scary for the average person. I've taken to simply not answering
any questions (not even to confirm my name) if someone calls me. If my bank
calls me then I call them back on a number that's on their web site.

~~~
gmac
_If my bank calls me then I call them back on a number that's on their web
site._

I'm always amazed at how stupid the security situation is in these cases.
Banks, telecoms services, etc. do actually call up and try to 'take me through
security', and when I say "tell me something you know about me first so I know
you're who you say you are", the best they can usually manage is "well, uh,
you bank with [Bank]". It just perfectly trains us to fall for scams.

~~~
gnicholas
I’ve tried getting them to give me a checksum to verify validity. For example,
tell me the sum of the last four digits of my card number. They always refuse,
so I always hang up and call back. Too bad they don’t understand that giving
out a checksum is not insecure.

~~~
3JPLW
Well, yeah, if it's not standard operating procedure I'd hope they'd refuse.

Now, it should be supported, but I don't want the folks on the front lines
guessing (or figuring out on their own) what sorts of mathematical games are
safe. Erring on the side of caution is the right approach for CSRs.

------
anaisbetts
The easiest way to avoid this entire class of attack, is to never be willing
to answer any kind of question from someone who calls you. Always hang up,
Google the customer support line for the business, then call _them_.

~~~
upwardbound
How easy would it be for an attacker to (at least temporarily) outrank the
bank in SEO so that when people google the bank's number they find the top
result being the attacker's number?

~~~
afghanPower
Extremely hard. Maybe you could buy an ad space and "outrank" them that way.
Have to pass Google's ad approval process though.

------
whalesalad
A Rover scammer called my wife yesterday. She felt pretty quick that it was a
scam.

I tried to call the number back from _my_ phone (it was seemingly a regular
local phone number in the LA area and I love fucking with scammers) and an
automated response told me that “no Rover account could be found for my
number, please visit Rover.com/help for more” which I thought was very
sophisticated of them to really try and prove authenticity.

So then we called it back, from her phone, and it connected right away. The
person on the other end said, “Ashley?” and I responded (in my non-female
voice, not that there aren’t many men named Ashley) “yes, hello, how are you?”
- they hung up immediately.

Ultimately my wife called Rover via their 1-800 number and it was indeed a
scam. People try to ascertain your login creds to redirect funds. Basic
stuff... but I was impressed at whatever basic twilio system was built to try
and mask the scamminess with that automated message.

------
paxys
The most surprising part is that they were able to gain access to your account
using just the code texted to you. It's called _second factor_ for a reason.
The bank should still have sent you a password reset email.

~~~
momania
My bank doesn't even allow password resets like that. If you forget, you can
request a new one, but that goes just like the initial setup: you get 2
separate documents per post, one with a new password, and one with a new
activation code.

------
dboreham
Reading this thread reminds me of when I was subject to a social engineering
attack by people who claimed to be the FBI. The voice messages they left
sounded unconvincing so I ignored them on the basis the real FBI would have
better ways to contact me.

Couple days later two FBI agents show up in my driveway asking why I didn't
respond to their voicemail..

~~~
AnIdiotOnTheNet
Well, you weren't wrong.

------
jimsug
Interestingly the most... clever, if not necessarily convincing, phishing
attempt I've heard of, went like this:

1. Phishers call someone and pretend to be from their bank. If they've
guessed the right bank and the person gives away their details, they win!

2. If they don't, and question the phishers' authenticity, the scammers say
"sure, just call us on the number on the back of your card".

3. The cardholder hangs up, and then dials the number for their bank, which
they know and trust, because they've called it before or it's come from their
card.

4. They get connected to a service representative, answer security questions,
confirm that the transactions are valid, and then can relax.

5. A few days later, they get a call from their bank saying there's a whole
lot of fraud on the account.

The trick to this one is that the phishers (a) call the cardholder on a
landline and (b) when the cardholder thinks they've hung up, they haven't -
the phishers just play a hook tone and then a dial tone.

In Australia at least (not sure about elsewhere?) if you call a landline
number, the caller must end the call, or at least it used to be that way (I
haven't owned a landline phone for a _long_ time). There's probably also a
significant skew towards the elderly in landline owners, and in susceptibility
to scam calls.

------
LeonM
I don't understand why there are still banks that do SMS verification. It has
been proven so many times now that it is vulnerable to both phishing
(proven here), sim swapping attacks, etc.

The banks here in the Netherlands all have (well, except for one maybe)
hardware authentication devices. They are portable smartcard readers, you
insert your card, enter your PIN on the device itself (not your computer or
phone) and transfer a digest from your PC to the reader by typing or scanning
a QR code (some readers have a little camera). You then type the signature
into your computer or phone.

The readers for my bank even have a screen, that tells you what you are
signing, like a login, or transfer of which amount to which bank account.
Photo here [0].

The banks are very clear that they will never ask you to use the device over
the phone. And that double confirmation by showing the sign action on the
screen of the reader makes any form of phishing really hard.

IMO these smart card readers are the best compromise between convenience and
security for banking.

[0]
https://4.bp.blogspot.com/-6c1NGHew1P8/VBqvTeqDQdI/AAAAAAAAfZs/j65cjnqU6-0/s1600/649931.jpg

~~~
tomp
IMO smart card readers are the worst solution for everything. They are
invariably less capable _and_ less secure than my phone. Why would I carry 2
devices (one of these quite primitive) if I could only carry one?

~~~
LeonM
Can you elaborate why you believe smartcards are less secure than your mobile
phone?

~~~
tomp
All the ones I've seen have no security, either it's just a changing password
(e.g. RSA key), or you input your card (optionally entering your PIN which you
share with every POS terminal / shop) and get a password.

My phone requires a password (which I can set to be arbitrarily secure, not
4-digit PIN (LOL)) or a fingerprint (which is something no one can steal,
unlike a credit card... or at least I'd notice it's missing much sooner!)

~~~
LeonM
As I expected: you don't appear to have a clue on what a smartcard actually is.

> My phone requires a password (which I can set to be arbitrarily secure, not
> 4-digit PIN (LOL)) or a fingerprint (which is something no one can steal,
> unlike a credit card... or at least I'd notice it's missing much sooner!)

Anyone can steal your fingerprint, and you can't reset your fingerprint like
you can with a password or PIN.

A smartcard will self-destruct (wipe the key material) after a number of
unsuccessful PIN entries, so the chance of someone successfully guessing the
PIN is ~1:3333 for a 4 digit PIN with 3 attempts. This is good enough for
banks to offer fraud insurance, in the off-chance that your card gets cracked
your bank will reimburse the damage.

> optionally entering your PIN which you share with every POS terminal / shop)
> and get a password.

Yes, but that would still require physical access to your card. So they'll
need to have both your card and your PIN. At that point you'll need to have
your card/account blocked ASAP anyway. Your bank will supply you with a new
card and PIN, which is a way better solution compared to cutting off your
fingers and attaching new ones ;-)

------
gnud
I keep getting astonished by how bad online banking security is in the UK and
US.

Here in Scandinavia, we've had hardware tokens (or phone apps) to offer 2fa for
ages. And you need a new token for every transaction. In addition to the
password for logging in. When you reset your password, you get an email and an
SMS saying that your password was reset.

Last time I needed a new token issuer dongle, I had to actually visit the bank
and sign stuff.

~~~
NeedMoreTea
Oh it gets worse.

My UK bank had a hardware token for years. They recently "upgraded" my
security for online banking, and now use SMS 2FA codes for login and
authorising new transfers. The hardware token is now unusable.

I'd change banks, but I doubt the others are better.

~~~
aclelland
To send money over £250, RBS still use hardware card readers for their MFA
flow. You put your debit/credit card in the device, enter your normal PIN and
then a code that is displayed on the website. It's a little inconvenient if
you don't have the device with you when you need to send large amounts of
money but in general it's great to have rather than SMS.

Of course, I expect that eventually they'll move to SMS too since it's easier
for them and more in line with the rest of the industry.

~~~
imtringued
Under the new EU rules 2FA over SMS is not allowed because it is possible to
transfer phone numbers to other devices (through social engineering or simply
because providers reuse old numbers) and thereby intercept the code. Instead
most banks use an authentication app so that 2FA is bound to a single device.

~~~
jwilk
Citation needed?

Some Polish banks definitely allow using SMS as a second-factor.

(And some even let you use a permanent cookie for that. :-O)

------
moviuro
The bank I'm currently at has this "obnoxious" text around verification
numbers:

    Don't EVER communicate the following verification number to anyone, including <bank> collaborators: 123456

SMS OTP should always have that or similar text.

~~~
cpuguy83
Also maybe a less predictable otp

------
sandrobfc
It sounded sketchy from the moment they asked for a pin code that they sent to
your phone. It's easier to talk from the outside, but that should always be a
red flag. What exactly would they be confirming by sending a PIN to the same
number they were already contacting?

But that's a great heads up. Phishing is not just about obviously fake e-mails
to hotmail accounts.

~~~
aerique
There's so many outside circumstances that might even make a technically adept
person like the original poster fall for this: bad day at work, fight with the
girlfriend, getting called in traffic, having loud kids playing at home, not
feeling well, etc.

Like you said, spam and phishing used to be obviously bad but I'm afraid I'm
going to fall for it some day now.

------
jonplackett
Banks have such shitty security over the phone and they train us to do stupid
stuff like giving out personal info when they call.

For example, your real bank in the U.K. ask for your date of birth and address
for ‘data protection purposes’ when they call you, or they won’t even tell you
what the call is about.

How are people supposed to understand what is OK to give out and what isn’t
when these details, often used as security questions are somehow fine?

------
devchix
I'm sorry, I'm missing something between

> Me: <gives member number> (that number, by itself, is useless).

and

> Once I gave my member number, the attacker used the password reset flow to
> trigger a text message from the bank. They used this to gain access to the
> account.

What happened here? How does an exposed useless member number trigger a
password reset? Would the reset request not have come to an email account,
presumably a well-protected one?

~~~
invalidusernam3
I might be wrong, but I think the fraudster used the member number (which is
basically the online banking login username) to perform a password reset on
the banks website. The website sends a confirmation code via SMS, which would
be used for 2 factor auth to reset the password.

But what I also don't understand is: did OP give this number to the fraudster? And
even if they did, I would assume the bank would send a second SMS to confirm
the password reset. I don't know how it went from "useless" member number to
access to the account so quickly. Maybe I'm completely wrong

~~~
jawns
Yes, OP gave this number to the fraudster, not realizing it was a password
reset authorization code. OP thought it was a code that established that the
person they were speaking with was a legitimate representative of the bank,
since they had the power to generate a code that came from the bank.

------
zaarn
When sending SMS or other notifications, always include the purpose. "You
requested a password reset, the PIN to complete the reset is 112938181".

Ideally the pins are also in different formats, so your normal PIN to login is
a 6 digit number, the password reset is a 12 digit alphanumeric.

------
DoubleGlazing
I think it's interesting to see how hard we've worked on making the web secure
by adding all sorts of checks and protocols, but we've neglected to do the
same with basic telecoms.

When I first started using web based communication platforms like Twitter and
Nexmo I was really surprised to learn that I could put anything in the from
field when sending a text message. All I could think was that it was a
weakness that was ripe for abuse.

I believe there was a case in Germany a few years back where a group of
phishers had online banking login details for several hundred users but
couldn't initiate transfers without entering a PIN sent to the account holders
phone via SMS. So the phishers set up a fake telephone company so that they
could issue SS7 commands and have the account holders' phones temporarily
redirected to another number where the PIN could be intercepted.

I think there is a false assumption amongst many people that the telephone
system is inherently secure. Stuff like the above and all the robo calls
coming from false numbers should warn otherwise.

------
jaclaz
In EU, there is the (recent) implementation of a (new) directive, PSD2:

https://en.wikipedia.org/wiki/Payment_Services_Directive#Revised_Directive_on_Payment_Services_(PSD2)

That carries with it the requirement of SCA:

https://en.wikipedia.org/wiki/Strong_customer_authentication

In practice (here in Italy) you have a client number (secret), a password/PIN
(also secret) AND either an SMS to your mobile with a one time code or a
Smartphone app (yikes!), there used to be hardware tokens generating one time
authorization codes that have now been retired.

~~~
bonzini
Also, when you're wiring money to someone, my bank is now requesting to input
certain digits of the amount and destination account into the app. Those
digits are then factored into the 2FA algorithm. I am not sure if this adds
substantially to the security though.

~~~
tialaramex
The idea is, it defeats attacks not so different from the one the Tweet is
about, where you are misled about what will happen when you take an action.

If you only need "a code" whether it's to send $40 to a close friend or your
entire account balance to an account you've never heard of that was created
yesterday in a foreign country - then the scammers only have to trick you into
trying to do the former, even though what they want to achieve is the latter,
so that you'll give them a code which is what they need.

The bank can do a good or bad job of communicating what's going on and
actually preventing the fraud, depending on whether the understanding of what
they're trying to achieve was pushed down all the way from regulators to the
engineers building the system.

The best systems here don't give you (and thus the attackers manipulating you)
a lot of opportunity to manipulate things, but they do present you with
information that should be raising red flags if you're being tricked. For
example if the app says "Enter the six digits shown on the web page" and you
just mindlessly copy those digits, an ordinary customer may not know why it's
those six digits, bad guys with a fake web page can tell them to put whatever
they want. Whereas if the _app_ says "Enter the whole dollar amount to send"
then bad guys may struggle to explain why they want you to type 5839, your
entire account balance, when you wanted to send $40 to the supposed friend in
need and your suspicions might be raised enough for the scam to fail.
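The dynamic linking that bonzini and tialaramex describe, together with the purpose-stating message text zaarn and bjt2n3904 ask for, as an added Python example (not code from the thread or from any bank): the one-time code is an HMAC over the counter, the purpose, the amount and the recipient, so a code the customer was told authorises $40 to a friend fails verification when it is submitted with the whole balance to another account, and a password-reset code is rejected where a login code is expected. The secret key, account identifiers and message wording are constructed placeholders.

```python
import hashlib
import hmac
import struct
from dataclasses import dataclass

CODE_DIGITS = 6

# Purpose tags are bound into the derivation: a code sent for one purpose
# cannot be replayed for another (a login code is not a password-reset code).
PURPOSE_LOGIN = "login"
PURPOSE_PASSWORD_RESET = "password-reset"
PURPOSE_TRANSFER = "transfer"


@dataclass(frozen=True)
class Challenge:
    """What the bank is about to do. Every field is bound into the code."""
    counter: int            # per-account monotonic counter, so codes are single-use
    purpose: str
    amount_cents: int = 0   # zero for login / reset challenges
    recipient: str = ""     # destination account for transfers


def derive_code(secret: bytes, ch: Challenge) -> str:
    """HOTP-style truncation (RFC 4226 section 5.3) over counter + transaction details."""
    details = f"{ch.purpose}|{ch.amount_cents}|{ch.recipient}".encode()
    mac = hmac.new(secret, struct.pack(">Q", ch.counter) + details, hashlib.sha256).digest()
    offset = mac[-1] & 0x0F
    truncated = int.from_bytes(mac[offset:offset + 4], "big") & 0x7FFFFFFF
    return str(truncated % 10 ** CODE_DIGITS).zfill(CODE_DIGITS)


def compose_sms(ch: Challenge, code: str) -> str:
    """Message text that names the purpose and, for transfers, what is being signed."""
    if ch.purpose == PURPOSE_TRANSFER:
        dollars, cents = divmod(ch.amount_cents, 100)
        return (f"Code to AUTHORISE A TRANSFER of ${dollars}.{cents:02d} to account "
                f"ending {ch.recipient[-4:]}: {code}. Never give this code to anyone, "
                "including bank staff.")
    if ch.purpose == PURPOSE_PASSWORD_RESET:
        return (f"Code to RESET YOUR ONLINE BANKING PASSWORD: {code}. If you did not "
                "request a reset, do not share it and call the number on your card.")
    return f"Code to LOG IN to online banking: {code}. Bank staff will never ask for it."


def verify(secret: bytes, executing: Challenge, submitted: str) -> bool:
    """Recompute over the transaction actually being executed, not the one the
    customer was told about; any mismatch in purpose, amount or recipient fails."""
    return hmac.compare_digest(derive_code(secret, executing), submitted)


def demo() -> dict:
    """Constructed scenario: the $40-versus-whole-balance scam, run against the bound code."""
    secret = b"constructed-per-account-secret"  # constructed; a real system uses a random key

    # What the customer believes they are authorising: $40 to a friend.
    friend = Challenge(counter=17, purpose=PURPOSE_TRANSFER,
                       amount_cents=4000, recipient="XX00CONSTRUCTEDFRIEND1234")
    code = derive_code(secret, friend)
    sms = compose_sms(friend, code)

    # What the scammer actually submits with that code: the whole balance elsewhere.
    mule = Challenge(counter=17, purpose=PURPOSE_TRANSFER,
                     amount_cents=583900, recipient="XX00CONSTRUCTEDMULE9876")

    # A password-reset code presented where a login code is expected.
    reset = Challenge(counter=18, purpose=PURPOSE_PASSWORD_RESET)
    login = Challenge(counter=18, purpose=PURPOSE_LOGIN)

    return {
        "sms": sms,
        "genuine_transfer": verify(secret, friend, code),
        "altered_transfer": verify(secret, mule, code),
        "reset_code_as_login": verify(secret, login, derive_code(secret, reset)),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The check only helps if the bank verifies against the transaction it is about to execute, which is why the message must state the amount and recipient the code is bound to.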

------
hmate9
Seems to me the bank should take more care when resetting a user's internet
banking password. For example, as far as I know, all banks in the UK need you
to call them up and answer a couple of verification questions before resetting
any login details.

------
throwaway744678
Quick question: What would an attacker gain from getting into your bank
account?

From mine (big French bank), they could be annoying (asking the bank to close
accounts, ordering new checkbooks, getting all kinds of information on past
transactions, wiring money between my accounts), but I can't see how one would
effectively leverage that.

I mean, an attacker's goal would be to draw money in some way; all money
wirings to external bank accounts are protected by a code (SMS or in-app
verification), with a 24h delay between the time one enters a destination
account and the actual wiring.

Is that any different with other banks? Is an attacker able to effectively
draw money as soon as they get access to the account?

~~~
SmellyGeekBoy
I'm not sure why you've been downvoted for this - it's a perfectly legitimate
question.

I'm in the UK and have a personal account with HSBC and a business account
with Lloyds. In both cases I need to generate a code to set up a new recipient
\- using the app (HSBC) or a physical card reader (Lloyds). I also get an SMS
in both cases asking me to contact them if I didn't submit the request. So
anyone gaining access to my accounts wouldn't be able to transfer money out.

I suppose they could do other things - contact the bank's support staff using
their realtime chat thing maybe and social engineer something that way?
Perhaps they don't ask for further confirmation in that case but I haven't
checked.

------
erva
My wife had the same thing happen to her but luckily our bank clearly says
that this is a password reset pin code (don't share with anyone) type of
message along with the pin code in the SMS. So, my wife refused to give it to
the person on the phone.

A better SMS password reset flow would be to first send a text asking "A
password reset has been initiated. Was this you? Reply: YES or NO". Then after
a YES confirmation they send the reset code along with the same big "Don't
share with anyone on the phone" message.

------
_carl_jung
This is partly an issue with phone calls as a medium. If the bank only
contacted you through the app, this couldn't happen unless the app itself was
compromised somehow.

E.g., the Monzo app has a chat functionality built in. If, upon a fraud
attempt, a notification appeared in the Monzo app, it would certainly be
legitimate.

If the ease of conversation offered by chatting with voice is necessary, add a
link in the chat that has the user call the bank, not the other way around.

You can't easily verify that someone is who they say they are over the phone.

------
rothron
His first mistake was to read back the verification number? Why would they
legitimately ask for this, theoretically?

To verify he has the phone they just called him on?

You should never have to read back a verification code.

------
distant_hat
If someone is asking you the PIN so they can confirm it is you, you can ask
them to give you the PIN so that you can tell if it matches or not.

~~~
mcv
That PIN should not even be readable information. It's a password. It should
be salted and hashed. It should be useless for any kind of over-the-phone
confirmation of your identity.

------
Yhippa
Something nearly exactly the same happened to me. It was through my Venmo
account. I was stressed at the end of a long day and they got pretty far
before I realized what happened. The key thing is that the number listed on
Caller ID on my Android phone came from "Venmo" and matched their customer
service number so I completely let my guard down. Embarrassing.

------
codedokode
In Russia when a bank sends a code via SMS, there usually is a comment like
"don't tell this code to anyone, even to bank employees".

I have read about a similar type of fraud. The scammers say that they are from
the bank and they saw a suspicious transaction and want to verify whether it
was you, and try to get your card information and the code from the SMS.

------
trumbitta2
Since we're also discussing personal strategies:

\- when you answer the call, stay completely silent: some systems will
automatically hang up after a few seconds

\- I never say the word "Yes" if I don't know the caller, so that they can't
record it and use it in some scam contracts. Yes, vocal consent is a thing in
some countries.

~~~
dillonmckay
I don’t stay silent, I will either make caveman grunting noises, push some
random digits, or ask for ‘Mom?’ in a fake accent.

And then they hang up.

------
dgudkov
From the Twitter thread:

"Never answer your phone. Seriously. Only use it to make outbound calls. You
cannot trust caller ID, and you should never answer unscheduled inbound
calls."

Makes sense. Phone calls as they are can no longer be used for security
verification. Just can't.

------
kovek
A few bits about me: Wells Fargo is the bank I use, I post things on
Craigslist and list my phone number, and T-Mobile is my mobile phone provider.

I almost always get text messages from numbers trying to scam me into
receiving their check or giving them my G-Voice verification code.

I looked into the phone numbers that contacted me and it's difficult to find
exactly who is trying to reach me.

A few things I learned:

\- Apparently phone number spoofing has legitimate use cases so it is a
"feature" that is do-able. I was asking different companies and they said for
example: checking for domestic violence or checking on someone if they have a
second spouse somehow.

\- It is difficult to look up online who the caller is and what mobile
provider they use.

\- Some private companies have an internal database that contains the
information. I asked one company and they told me what the provider of the
phone number was.

\- Spoofing makes it difficult to know where the actual call is coming from.
Someone can use my mom's number to call me. It might be difficult for my phone
provider to inspect the call further than what I would see on my phone
already.

What I'd like:

\- For T-Mobile not to forward to me calls that are known to be from
fraudulent callers or thought to be from fraudulent callers.

\- Know if T-Mobile can provide me with information on where the call is
coming from.

\- After I identify what company XYZ issued the phone number, or what company
provided the telephone service to the fraudsters, ask them for more
information on the caller.

\- Ask such company XYZ to stop routing these calls to me.

\- Create a resource such that whenever there is a scam call coming in, we
could send the number to such a resource, and discover what company BCD issued
them a phone number and routed their call. I believe that once this company
BCD knows about their fraudulent customers, it is supposed to not do business
with them.

Hopefully with such steps, the situation should clear up over time.

------
q5jwB6bD
This happened to my wife a few months ago. I heard her part of the
conversation. We thought something was wrong. I logged in to my bank account
and watched the money drain out of our joint account. My wife couldn't log in
to her account (the phisher changed the password) but they drained all her
accounts. I called our bank within the hour. They were very reasonable with
resolving the issue and returning our money. The phisher was attempting to
purchase gift cards from a Walmart 500 miles away. It was easy to prove to the
bank that we were scammed. I hope others are just as lucky and can report it
in time.

ninja edit: we called and froze our credit immediately

------
ThomPete
I experienced the same thing, or something similar, in August.

[https://news.ycombinator.com/item?id=20777046](https://news.ycombinator.com/item?id=20777046)

------
peterwwillis
Nit-pick: Phishing is sending out e-mails and hoping someone responds with
private info. Vishing is phishing via voicemail. Calling someone up and using
an elaborate set of mental tricks to gain unauthorized access is social
engineering.

Many fun stories here:
[https://www.youtube.com/results?search_query=social+engineer...](https://www.youtube.com/results?search_query=social+engineering+hackers+on+planet+earth)

------
zAy0LfpBZLC8mAC
And as always: The best defense is minimizing data other people have about
you. None of my banks needs my phone number, so none of my banks has my phone
number, so if someone called and claimed they were my bank, that would
obviously be bullshit.

It's not just because of the obvious "people can't abuse or lose data they
don't have" that keeping your info to yourself protects you against abuse.

~~~
throwaway744678
Wow, I am pretty sure most banks require a phone number when you open an
account. Or do you give them a random number?

~~~
zAy0LfpBZLC8mAC
Well, many require that you fill the phone number field, but just entering
zeros does the job. If anyone (not just banks) does extended validation, I
enter some syntactically valid but unallocatable number, that has always done
the job so far.

------
tinus_hn
Unfortunately it seems we went from one ineffective solution, knowledge of a
social security number and some useless ‘security questions’, to the next
ineffective solution.

Even if you don’t fall for this trick, SMS is not secure and most providers
don’t even bat an eye if a fraudster walks into one of their stores and
requests a SIM registered to your phone number.

Password reset is a difficult problem.

------
vagab0nd
Unrelated question: I went to my bank for a wire transfer. And I was horrified
to find out that after verifying my info, they had full access to the same web
interface I use, with my accounts. They even showed it to me, asking me which
account I'd like the money to go out from. Is it common for banks to grant
this kind of access to employees?

------
yoz-y
In France at least you need to keep the member number a secret from everybody.
Since banks here are lazy bums with security they only ever implement the
_minimum_ recommended security. According to French data protection services
this is 5 digits!!! when the 'username' is secret.

Never disclose your member number.

------
gdy
It's even worse in Russia - fake caller ID makes you think you are talking
with the bank, mobile phone operators don't seem to be doing much, or at least
didn't a couple of months ago.

That said, all the banks I've used send you, along with the confirmation code,
a description of what you are actually confirming.

~~~
walrus01
This is really an SS7 issue, not a Russia issue; spoofing outbound caller ID in
the USA/Canada is also trivially easy using any major SIP trunking provider.

~~~
gdy
Thanks, I thought it could be fixed somehow.

------
abstractbarista
Nice trick. I commend it. However my hard rule is to simply never continue
incoming calls.

If it really is a serious situation, they'll just have to chill until I call
back to a verified number.

As far as I'm aware, this will stop all attacks like this. Unless they've
hacked the phone network and can reroute my calls? :)

------
JTbane
This seems like a big problem, since my bank's SMS codes don't specify why
they are sending it:

"This is a verification code from [bank]. Enter online at prompt or in
password field w/in 30 minutes."

Nowhere does it mention the purpose, or to NOT read the code over the phone
under any circumstances.

~~~
stordoff
My bank starts with "SECURITY ALERT: NEVER REVEAL THIS CODE TO ANYONE" and
ends with "Contact us if you didn't request it".

------
wyldfire
> 3) "We've sent a verification pin to your phone."

> ~ Gets verification pin text from bank's regular number ~

> Me: <reads out the pin>

I _think_ I'd be able to stop them and refuse at this step. But I suppose it
depends on what sort of text shows up in the verification SMS message.

------
jokoon
Number 1 rule of banking and other services: they NEVER ask for your password
or other authentication code. Usually I don't even think they would contact
you by email or by phone.

If they really suspect fraud, they would block your account, and eventually
ask for a meeting.

------
citizenpaul
No US bank will ever ask for a password/PIN so I'm not sure why this is any
more credible than any other attempt. It is just a little longer getting to
the point.

Scammers have been triggering password resets and 2-factor to seem legit for
as long as it has existed.

------
al_form2000
I used to hate it that my bank requires a physical trip to the branch for cred
reset. No more.

~~~
rb808
I used to think pure online banks were the future, but now I wouldn't touch a
bank that doesn't have a physical branch somewhere close.

------
rcurry
I got hit by the exact same type of attack about two months ago, except it was
against my Verizon Wireless account. I was surprised at how convincing they
were - I'm a former intelligence guy and I almost fell for it, lol.

------
slackpad
I saw a variant of this where they used a very similar script but the text
came from Apple. They were attempting to add the card to Apple Pay so they
could easily use my stolen card number in physical stores.

------
jbombadil
I don’t understand why banks don’t add the reason for the text in the text
itself. This could have been detected earlier if the text said “Here’s the
code for the password reset you asked for: ______”

------
EugeneOZ
This trick is pretty old. In Russia people receive such calls so often that
they've gotten used to ignoring them. Most calls are from prisons - prisoners
have a chance to make a decent amount of money this way.

------
jonathanstrange
The simple measure against any such attacks - whether online, on the
phone, or in person - is to end the communication and then contact the bank
yourself in the way you would do it normally.

------
manigandham
Mobile apps from banks have eliminated my phone communications. I get real-
time notifications for every transaction and can report anything myself
through the app. No more risk of scams like these.

------
ttul
This is really an asymmetric authentication problem. The bank has ways of
authenticating that it’s you talking, but do you have ways of authenticating
that it’s really the bank?

------
jonnycomputer
I don't understand how step 4 was achieved. How did they get a list of recent
transactions? Or does the password reset functionality ask you to verify
certain transactions?

------
koolba
Never, never, _never_ trust inbound phone calls.

------
RocketSyntax
Yikes. Can't believe you gave out your PIN. The member number by itself is not
useless... it's half of the login credentials.

------
moodio
I mean, if they called you, why do they need to send you a pin though? Safest
way is to just always call the bank back; that’s what I do.

~~~
aeonflux
Be careful with trust if you call them back. There are possible ways to trick
you into either staying on line, or just taking over your connection. GSM has
pretty shitty security.

~~~
Nextgrid
The "staying on the line trick" is just fear mongering. On any digital phone
line (including landlines, which are just SIP with a SIP-to-analog converter)
the call is disconnected (as in, a call clearing message is sent by the phone
or converter) as soon as you hang up (which will make it all the way to the
scammer's phone and disconnect the call on his end too). Re-initiating a call
after this would involve a call setup message, followed by a ringtone, and
you'd have to explicitly pick up the phone for it to be reconnected. There's
just no way for this to happen on modern phone infrastructures.

------
cpuguy83
Same exact thing happened to me. They claimed to be from PayPal. About half
way through the ordeal I caught wind of it thankfully.

------
GistNoesis
Something quite similar happened to a relative of mine this summer in France.
A scammer impersonating bank support. He called on a Friday at 16h30, mid
holidays. He proposed to help reduce fees by disabling unneeded options, while
in fact he was triggering a text verification code. The text doesn't specify
the reason for the request.

He got in. Then, over 15 minutes, he did a few other useless operations that
required email confirmation, which states what it is being requested for. Those
had mainly two purposes: to lower his guard and to provide cover for the
initial false requests. He kept smooth-talking, explaining that because of the
various changes they should expect the bank app not to be available and that
everything was normal. Then he went for the option that activates instantaneous
bank transfers, which required both an email and a phone verification code.

My relative was about to read it to them, when his wife, smelling that
something fishy was happening, put me on the phone with him. He was so
convinced that everything was normal that I almost couldn't convince him to
hang up. What did the trick was telling him: "hang up and call back the bank
before continuing".

My relative thought he was safe because he never gave the password of the bank
app, nor the web password. But for our bank, this 4-digit pin password you put
in the phone app is not a real password; it is just a per-device offline
password you pick upon first device use, to stop someone stealing your phone
from having access to your bank account too easily.

After he hung up, and I succeeded in talking some sense into him, I convinced
him to call his bank. It was past 17h00, so it was closed. I told him to call
emergency security, which he did. But the number is typically used for lost
credit cards; so they did the only thing that they usually do: revoke the
credit card and send a new one. Which is basically useless, because the scammer
wasn't about to use the credit card number to buy something online; he was
initiating some wire transfer via the app.

So I had him call again a few times, re-explaining the problem more precisely,
or at least telling them to block wire transfers for the account. Maybe it
succeeded in raising some red flags, but they always told him that they
couldn't do anything and that he needed to wait till Monday. From their point
of view, you could be the impersonator, so they didn't tell us whether they did
anything.

He also sent an email to the local bank manager during the night.

A stressful weekend locked out of all bank account information goes by. The
bank app is kind of deceitful because sometimes, when it doesn't succeed in
connecting, it shows you the last available data like it would in offline mode,
and you think you are connected OK but you are not.

On Monday they could reach the bank, have the hack acknowledged and
investigated; access to accounts restored and password changed; no harm done
(except for the inconvenience of not having a credit card during the holiday,
and info leaked); luck.

------
buboard
Who does "Phishing protection as a Service"? Like, a line you can call and ask
"Is this legit?".

~~~
edent
Your bank. If someone rings you claiming to be from them, you hang up and call
the phone number printed on the back of your card.

~~~
buboard
My bank has terrible call waiting lines and they even overcharge for it! And
it's not just banks that are being phished.

~~~
edent
Switch to a better bank. The only way you can make change happen is by using
your consumer power.

Switching accounts is easy - see
[https://www.currentaccountswitch.co.uk/](https://www.currentaccountswitch.co.uk/)
\- all your bills are autoswitched, your pay cheque gets redirected, and it
happens pretty quickly.

~~~
SmellyGeekBoy
I recently switched current accounts and it's ridiculous just how effortless
it is these days. Definitely recommended for anyone who is in the least bit
unhappy with their current provider.

------
hartator
Technically they gain access to his accounts but couldn’t do a transfer. So it
was successful in my book.

------
xycodex
I don’t understand how they were able to get the actual transactions, which OP
verified as correct.

------
soheil
Why is this the most sophisticated “phishing” attempt if they’ve already
hacked your bank account?

------
carlsborg
Tldr is: they call him posing as a fraud prevention team, "we are sending you
a pin to confirm it's you", they trigger the password reset flow which sent him
a pin, he reads out the pin, they get into the account and read some recent
transactions, but needed another pin to transfer money, he wises up.

Mitigation: password reset pins should say "this is your password reset pin".

~~~
aeonflux
If I try to reset my password, the bank screams at me in every possible way,
including the pope calling himself and asking if that's legit. Actually there
is a 50% chance I'll lock myself out of the account when doing this, because I
misstep at some point. Seriously, what year is that?

------
sacado2
Well that's brilliant, up to the moment when they ask for the PIN code.

------
kuu
I don't see the sophistication of this attack... Just a regular one...

~~~
buboard
that they had a DB with bank ids<->phone numbers already.

~~~
kamban
I think OP mentioned that the member number was obtained from him.

~~~
buboard
yeah, they had the phone number to match, which made it believable

------
ivanb
There is a wave of these exact scams in Russia right now.

------
Jsharm
Is there a way to detect a spoofed phone number?

~~~
Tepix
Depends on the type of phone you have. For VoIP phones you may have more
possibilities than on an analogue landline.

------
jakedub4d2
Anyone can be a victim. Thank you for sharing!

