
Why I willingly handed over my credit card and PIN to a fraudster - tomsaffell
http://www.newstatesman.com/voices/2013/07/why-i-willingly-handed-over-my-credit-card-and-pin-fraudster
======
nemothekid
>If you call a landline, it’s up to you to end the call. If the other person,
the person who receives the call, puts down the receiver, it doesn’t hang up
the call, meaning that when I went to find my bank card, the fraudster was
still on the other end, waiting for me to pick up the phone and call ‘the
bank’.

Can someone explain this? This seems like a pretty glaring and obvious issue
that I'm sure I would have experienced before. Is he saying that if he hangs
up the phone and picks it up again and the person at the other end doesn't
hang up, then the conversation isn't over?

~~~
joshka
Phone systems allow this so that the called party can answer on one handset
and then easily transfer to another handset on the same line by hanging up the
first and picking up the second handset within a certain duration. In
Australia, IIRC this is around 45 seconds. I'm not sure if this is universal.
It's certainly unnecessary for mobile (cell) phones.

~~~
nwh
I've not observed this at all, it must only happen with some exchanges. For me
when the phone is hung up, that's it.

~~~
venomsnake
For A29 and other analog PBXs this is the default behavior. It is the way the
relay-based ones operate.

~~~
nwh
Are there even any of them in use? I was talking to a Telstra employee a few
years ago who mentioned that there were only one or two in country towns that
didn't warrant replacement.

------
hartator
Something similar has happened to me.

I was in Barcelona, regular tourist. Here comes a guy saying he is a cop, in
civilian clothes but showing some kind of ID. Saying I might have stolen my
own credit card and asking me to dial the PIN on his phone. I fell for it.
They took 400 euros from my bank account.

I guess we don't have to blame ourselves; the scheme exists, we might fall for
it or we might not. These guys have training we don't; we have good reason to
not act in the smartest way!

I hate Barcelona.

~~~
kaoD
Why do you tourists choose Barcelona? Spain has many places to go, but
Barcelona seems to be the first choice... while it isn't even the capital
city!

~~~
megablast
It is a fantastic city, has a beautiful beach right there in the city, a great
old town, fantastic events on all the time, nice parks, good food, great
architecture, is easy for Europeans to get to. And as long as you are a bit
savvy, and don't accept whatever some strange guy coming up to you says, you
will be fine.

~~~
omegant
Also ALWAYS keep an eye on your wallet. Keep it in the front of your pants with
your hand over it when walking in the most touristy places. Also keep an eye
on it while eating or having a coffee. They are very fast and creative.

------
taf2
This is why I'm terrible to my bank over the phone... I always ask them to
prove to me they are from the bank and when they can't - I hang up. It's kind
of annoying except I work above my bank so it's pretty easy to walk
downstairs. Maybe someday the bank will implement a kind of certificate to
help me identify I'm really talking to the bank...

~~~
bhauer
Precisely. I've had the legitimate fraud-prevention department of my bank
contact me but be unable/unwilling to authenticate themselves. I told them
that until they were willing to authenticate, they would never receive any
identifying information from me.

At some point I said that I would accept the account number as authentication
and they were unwilling to provide that. I don't know why they--a legitimate
fraud-prevention department--expected to be able to cold-call a customer and
receive identifying information. They should be actively working to prevent
customers from turning over this information to "just anyone who rings them at
home."

I ended the call and contacted my bank via their online banking system and via
that system they vouched for the original call and provided a number to call
back. I lodged my complaint that their own fraud department was calling
customers without any ability to self-authenticate. Not sure what happened
from there; I've not had to deal with that process again since.

~~~
lessnonymous
I challenge my bank all the time. The answer I get is "Certainly sir. The best
way to validate is to find our free-call phone number in a place you trust -
the phone book, or anywhere else you trust - then call it and type in the
following number: X X X X X. That will route the call directly back to me".

~~~
cheeseprocedure
> "[...] call it and type in the following number: X X X X X. That will route
> the call directly back to me."

I wish every bank did this as standard practice! Hang up, dial the customer
care number on the back of the card, then dial the digits supplied by the
support rep.

Better yet, print instructions right on the back of the card: "don't engage
any support representative you did not call directly." Training customers to
do this (perhaps even through proactive callouts?) would work to significantly
reduce this kind of fraud.

~~~
nshepperd
> Hang up, dial the customer care number on the back of the card, then dial
> the digits supplied by the support rep.

Except apparently to prevent this form of fraud you need to hang up, then call
_from your mobile_ , so that the "support rep" can't just stay on the line and
do what the guys in this story did (fake a dial tone, make it seem like you've
called the customer care number).

~~~
sneak
Hang up, dial your friend. If your "bank" answers, offer to sell them a
ppppppowerbook.

~~~
Avenger42
Wow, that's so simple and clever. It seems so obvious but I wonder if I'd
remember to do that if I was shaken up by my "bank" calling to tell me my
account had been compromised. I'll write it down for future reference.

------
harshreality
The phone thing I can understand, but why would a bank ever send a courier to
pick up a card (and why would someone believe that they would)? I've never
heard of such a thing.

Even if it's got a chip, what could possibly be stored on the chip's memory
that would help? If there's a problem with a card being compromised or cloned,
they issue a new one.

~~~
toble
That's the part that alerted me the most. You are always told to destroy the
card, not even throw it away.

Getting the customer to call a number is another, they could have transferred
the customer. Instead, they wanted to provide a shot of confidence before
extracting info that no one, not even the bank should ask for.

~~~
coldpie
> Getting the customer to call a number is another, they could have
> transferred the customer.

No way. If someone claiming to be a bank cold-calls you, you tell them you'll
call them back at their official number. Only deal with bank information on a
call that you initiated.

I don't know how to work around the flaw in the article. Luckily it's not
something we have to deal with here in the US, as far as I know. What a dumb
"feature."

~~~
toble
I can understand ending the call if they start asking for personal
information, but if you get a call from the bank to take you through a
suspected fraud case then all they do is ask you some 'pick-the-odd-one-out'
style questions to verify your identity. They then list all your transactions,
including the fraudulent ones and ask if you recognise them. After that they
cancel the account and start a new one.

------
sitharus
I once got an SMS to the tone of "This is <my bank>, you have to call us
urgently on <some 0800 number> and quote reference <blah>". So the first thing
I did was ring the number printed on my card and have a nice talk to them.

Turns out it was the bank, but they don't do themselves any favours.

~~~
jlgaddis
I've received similar (legitimate) texts from Chase a few times.

A couple months ago I was in the pharmacy to pick up a prescription. I handed
the pharmacist my card and she walked back to her computer to run it.

A moment later, as she gets back to the counter where I'm standing, my phone
(which I was holding) buzzes. I look down at an SMS "fraud alert" from Chase
just as she says, "I tried running it twice but it won't go through."

The SMS from Chase had the name of the pharmacy and the total amount and told
me I could reply to the message to state whether it was a legitimate
transaction (I don't recall exactly what I had to reply with but effectively I
was responding "yes" or "no").

I quickly sent back a reply stating it was legitimate and almost
instantaneously received a "thanks" message. I asked the pharmacist to run the
card again and it went right through.

~~~
Avenger42
I got the same from Discover once; I was at a computer shop picking up a new
PC. They ran it once and told me "it didn't work" as my phone started ringing.
It was an automated call asking me whether the charge was legitimate. I told
it "yes" and asked them to run it again. Makes sense considering that to
Discover, it's an out-of-the-blue $1k+ purchase at a store I rarely visit.

------
cupcake-unicorn
Wow, that admittedly had a lot of effort going into it. I'd like to say that I
wouldn't have fallen for it, but I'm not so sure. I think I wouldn't have
physically given them the card, though. Something about the whole thing just
seems really odd, that they'd go so much out of their way for one victim.

But is this something more common in the UK, perhaps? The only scams I run
into are these laughable phone calls I get from time to time - recorded
messages like, "This is card services from (fake phone static). Your card has
been compromised. Please call us back." I never called the number back but
from looking up online it seems that pretty much straight off the bat they ask
you for your SSN, and I'm guessing they wouldn't have any personal info about
you.

~~~
jakejake
It's a pretty convincing scam for sure - especially if they get you to think
that you called your own bank.

I wouldn't be surprised if they got this information from a receipt or
something rather than following him home though. As he said, it would be
easier to just mug the guy in that case. Following somebody home seems like a
lot of investment and risk for a scam that only works on certain percentages
of the victims.

~~~
harshreality
Mugging:

- Less effort but requires willingness to use force.

- Doesn't require any knowledge of the phone system or victim's details
beforehand

- High risk, since violent crimes can go bad.

- Police care more (although depending on jurisdiction they may take a report
and be unable to do anything unless you get lucky and there are leads for them
to follow).

Con game:

- Requires more preparation and knowledge

- Allows more time to abuse the card because the victim doesn't know
anything's wrong for days.

- Virtually zero risk during the acquisition of the card

- Police care less... these crimes are more difficult to solve/clear.

~~~
jakejake
I shouldn't have mentioned mugging because that wasn't really my point - and I
usually know better than to provide ammunition for arguing a tangential point!

Anyway, I was trying to muse that spying and following somebody to their home
is a lot of work and carries the risk of being noticed and/or caught on
camera, getting attacked by their dog, or at the very least consuming your
entire evening. Who knows if the victim is going to drive 10 miles out of town
or stay at the bar until 4am. Maybe they'll go to their girlfriend's place
instead leaving you with a bogus address. Maybe they'll notice you from the
bar and wonder what the fuck you're doing following them..? It just seems
impractical just to get your address.

Whereas getting info from a receipt could be safe & easy and you don't have to
get physically close to a victim until you have them on the hook. You could
pre-filter. You probably don't even need to be at any particular location.
Just go through a pile of receipts in the comfort of your own home.

But then again what do I know? Maybe it's ridiculously easy to find a mark and
then follow them home.

------
EGreg
"As for the call, well, credit where it’s due, it’s pretty clever. If you call
a landline, it’s up to you to end the call. If the other person, the person
who receives the call, puts down the receiver, it doesn’t hang up the call,
meaning that when I went to find my bank card, the fraudster was still on the
other end, waiting for me to pick up the phone and call ‘the bank’. As I did
this, he first played a dial tone down the line, and then a ring tone, making
me think it was a normal call. He will have been sitting next to the first
person that called me, no doubt laughing their heads off at how stupid I’d
been."

Wow, what? This seems pretty crazy. I was wondering how they did it until I
got to this point.

~~~
Anderkent
Indeed, I had the same reaction - and I live in the UK! I haven't ever used a
landline though. I'd be more than happy to cooperate with a bank when I'm
calling them (though asking for the PIN would probably make it suspicious -
AFAIK there are ways of intercepting calls anyway, so by that point I'm all
'actually, I'll just come over to your branch').

------
zorlem
A clever scam with the land-line call.

I wonder where the fraudsters have got all his personal info (including his
land-line phone number) from. Even if they got a hold of his receipt that
shouldn't contain enough info to get all the other details.

~~~
jrockway
The government doesn't make much of an effort to keep your personal
information secure. Let's see an example:

[http://wireless2.fcc.gov/UlsApp/UlsSearch/license.jsp?licKey...](http://wireless2.fcc.gov/UlsApp/UlsSearch/license.jsp?licKey=3460235)

Yup, that's my home address!

~~~
cjfont
Apparently you don't make much of an effort yourself ;)

~~~
katbyte
He doesn't have much of a choice if he wants to have his ham radio license.

~~~
techsupporter
The FCC (and a bunch of other government agencies in the U.S.) will happily
take a post office box as an address. That's the official address on my ham
ticket.

~~~
katbyte
The GP did use a PO box, and even if you use a PO box you still now know
someone's name, state and general area pretty much, unless you are willing to
drive far away for some remote box.

------
Kurtz79
A good strategy is not to depend on a single bank or account.

At least in Europe it's fairly easy to find banks offering accounts with no
maintenance/transaction costs, just open two accounts at two different
banks, keep the same level of cash in both and if something happens you don't
have to go on a diet of canned beans waiting for the compromised account to be
restored.

(Then again, some might argue that now you have twice the chance of being
targeted by a scammer).

~~~
TeMPOraL
> _(Then again, some might argue that now you have twice the chance of being
> targeted by a scammer)._

Twice the chance for half the money. Significantly less for the whole sum
(assuming scams are independent events). I think it's a good tradeoff ;).

------
James_Duval
I found the title slightly misleading.

I was expecting an interesting article about a deliberate handing-over of
credit card and PIN to a known fraudster, in an attempt to examine their
behavioural patterns and maybe offer some anecdotal insight.

I felt the actual article was much less interesting.

------
wnevets
I like to think having to send my card so they can inspect it would have been a
huge red flag. What is there to inspect?

------
Aqueous
I wouldn't be too hard on yourself. I would have probably fallen for it after
the phone call. The answer isn't that you're stupid - the answer is, when
other human beings exert a ton of effort to deceive you, sometimes you're
going to be deceived. Especially if it's out of the blue and you're not on
guard. Human beings are pretty cunning and deceitful bastards.

~~~
Sven7
People taking advantage of people is why legal systems emerged. If they didn't,
the law would be redundant. And who can even imagine such a world...

~~~
eru
Not quite. There are other uses for the law, too. Like, just setting defaults
and clarifying rights.

------
ChuckMcM
Pretty dicey, I can see a day when your bank calls and you say, "Thanks for
calling, I know you're my bank but I wonder if you wouldn't mind answering a
couple of security questions for me ..."

The big risk though is going out to pick up your card, that gives you the
opportunity to film them. If you know which ATM they are watching you set up a
sting to catch them in the act.

------
jasey
It wasn't explained how the crims got the PIN after he entered it into his
phone.

I assume because each number on the keypad has a unique tone, they could
extrapolate which keys were pressed?

Also how did they get his phone number? The phone directory?

Most shocking is how did they get his date of birth and mother's maiden name!?!?

~~~
matthiasl
About the PIN: your guess is right. The tone system for dialling numbers works
like this: there are four "low" frequencies (697, 770, 852, 941 Hz) and four
"high" frequencies (1209, 1336, 1477, 1633 Hz). Each key plays exactly one
"low" and one "high" frequency, e.g. when you press "1", your phone plays 697
and 1209 Hz.

The telephone exchange listens for those tone combinations to know what number
you're dialling. If you have an audio recording of a number being dialled, you
can actually figure out the number just by listening to each tone separately
and comparing it to the sound made by pressing keys on your own phone.
Wouldn't surprise me if the fraudsters did just that, or maybe they used a
"spectrum analysis" feature on a PC audio program.
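
The tone-pair scheme described in this comment, worked through as an added example that is not from the original thread or from any project mentioned in it: a pure-Python Goertzel decoder run over a constructed DTMF signal. The `synth_dtmf`, `goertzel_power` and `decode_dtmf` names, the 8 kHz sample rate, the 205-sample block size and the detection thresholds are this example's own choices, and the "PIN" it decodes is a constructed value. It shows, from the risk side, why digits keyed into a handset on a line somebody else is still holding are as good as spoken aloud: every frame of audio reduces to one dominant row tone and one dominant column tone, and each rising edge of a valid pair is one keypress.

```python
"""DTMF (touch-tone) decoder using the Goertzel algorithm, pure Python.

Added example: demonstrates why digits keyed on a phone are recoverable from
any recording of the line. Names, thresholds and sample data are assumptions.
"""
import math

LOW_FREQS = (697.0, 770.0, 852.0, 941.0)       # row tones (Hz)
HIGH_FREQS = (1209.0, 1336.0, 1477.0, 1633.0)  # column tones (Hz)
KEYPAD = ("123A", "456B", "789C", "*0#D")       # KEYPAD[row][col]
RATE = 8000                                     # telephone-band sample rate
FRAME = 205                                     # classic Goertzel block size at 8 kHz


def synth_dtmf(digits, rate=RATE, tone_ms=80, gap_ms=60, amp=0.5):
    """Constructed test signal: each digit as its two tones followed by silence."""
    samples = []
    for d in digits:
        row = next(r for r, keys in enumerate(KEYPAD) if d in keys)
        col = KEYPAD[row].index(d)
        f_low, f_high = LOW_FREQS[row], HIGH_FREQS[col]
        for n in range(int(rate * tone_ms / 1000)):
            t = n / rate
            samples.append(amp * math.sin(2 * math.pi * f_low * t)
                           + amp * math.sin(2 * math.pi * f_high * t))
        samples.extend([0.0] * int(rate * gap_ms / 1000))  # inter-digit gap
    return samples


def goertzel_power(frame, freq, rate=RATE):
    """Energy of `frame` at one frequency via the Goertzel recursion."""
    coeff = 2.0 * math.cos(2.0 * math.pi * freq / rate)
    s1 = s2 = 0.0
    for x in frame:
        s0 = x + coeff * s1 - s2
        s2, s1 = s1, s0
    # |y[N-1]|^2 for the complex Goertzel output, valid for any frequency
    return s1 * s1 + s2 * s2 - coeff * s1 * s2


def _dominant(frame, freqs, rate=RATE, min_amp=0.1, ratio=4.0):
    """Index of the one clearly dominant tone in `freqs`, or None."""
    powers = [goertzel_power(frame, f, rate) for f in freqs]
    best = max(range(len(freqs)), key=powers.__getitem__)
    # A sinusoid of amplitude A over N samples yields power of about (A*N/2)^2,
    # so this floor rejects silence and tiny tone fragments at frame edges.
    floor = (min_amp * len(frame) / 2.0) ** 2
    others = max(p for i, p in enumerate(powers) if i != best)
    if powers[best] < floor or powers[best] < ratio * others:
        return None
    return best


def decode_dtmf(samples, rate=RATE, frame=FRAME):
    """Return the digits keyed in `samples`, one per continuous tone burst."""
    digits = []
    current = None  # key detected in the previous frame, if any
    for start in range(0, len(samples) - frame + 1, frame):
        block = samples[start:start + frame]
        row = _dominant(block, LOW_FREQS, rate)
        col = _dominant(block, HIGH_FREQS, rate)
        key = KEYPAD[row][col] if row is not None and col is not None else None
        if key is not None and key != current:
            digits.append(key)  # rising edge of a valid row/column pair
        current = key           # a silent or ambiguous frame ends the burst
    return "".join(digits)


if __name__ == "__main__":
    pin = "1234"  # constructed sample, not a real PIN
    print(decode_dtmf(synth_dtmf(pin)))  # prints 1234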

~~~
sophacles
There are programs that will do this for you... probably even for your
smartphone. I mean - it is built into asterisk and other pbx software already,
code for it can't be that hard to find.

------
D9u
I was once SE'd (socially engineered) into providing the caller with my full
name, address, DOB, but no financial information.

The caller had spoofed their caller ID to reflect a police agency, albeit out
of my jurisdiction, but like the OP it was early on a weekend morning and I
was quite well hungover, so I readily supplied the requested info.

It was a valuable learning experience and I admit to being "schooled" by the
perpetrator but seeing that no actual harm was done I let the matter drop like
the lead it was worth.

------
prawn
I imagine that a great many of us would be fooled by that sequence. It's easy
to consider yourself paranoid or careful and then be thrown off-guard by a
well-optimised routine.

------
Groxx
Phones in general are ridiculous for authentication. You can spoof nearly
every bit of data, and there's no way to know, and little weird bits of
flotsam like this float to the surface occasionally and make it even worse
than it normally seems.

If only I could ask them what _their_ favorite restaurant is, maybe we'd
_finally_ have two-way verification. Nobody else picked McDonalds, right?
That's a safe choice?

------
noonespecial
Wait: The fraudster _gave you his license plate number?!_

~~~
brazzy
Stolen car?

~~~
noonespecial
And a description of the driver?

That's bold.

------
lifeformed
Who pays for fraud cases? Do the credit card companies end up paying for all
the merchandise when they reinstate the victim's cards and forgive his debts?

~~~
m_eiman
In the chip+PIN case the card company pays, IIRC. If it's a signature purchase
the merchant gets no money.

------
mathattack
Social engineering trumps hacking.

