Voice Phishing Scams Are Getting More Clever (krebsonsecurity.com)
203 points by waffle_ss on Oct 1, 2018 | 222 comments

The problem here is the ability to spoof caller ID. This should not be possible. Regulations set up the phone system, regulations need to make this change. I don't care what excuse anyone has, don't care about your stupid PBX or any of that. Caller ID should be mandatory and reliable.

Having said that, always assume someone calling you is a fraud. If your "bank" calls you, tell them you'll call back and don't call a number they provide over the phone or in caller ID. If you can't find a reliable number to the bank, drive over there. The bottom line is that you can't trust anyone who calls you.

> The problem here is the ability to spoof caller ID. This should not be possible.

Think of incoming CLID in the same way that you do email From: addresses. Often and easily faked. Funnily enough both my office PBX and SMTP daemon check incoming CLID/HELO and drop attempts to spoof their own identity. It's not a particularly sophisticated protection these days but is one of many, many rules. Actually, now I come to think of it, my firewalls also check for inbound IP spoofing on their own IPs.

As the OP stories highlight, your mental firewall must make you bail out when asked for your PIN, regardless of how legitimate things sound. The only thing that should ever request your PIN is a machine that you have stuffed your card in first. I'm pretty certain that CVV requests should also only ever come from vendors that you are buying from, not your bank.

The problem with SS7 is that if you extend your SMTP analogy, there is no way to implement the equivalent of SPF, DKIM and DMARC for verification of incoming traffic without breaking SS7-to-SS7 links between the vast majority of installed phone switching gear out there on the PSTN. Which nobody wants to pay money to completely replace.

> The problem with SS7 is that if you extend your SMTP analogy, there is no way to implement the equivalent of SPF, DKIM and DMARC for verification of incoming traffic without breaking SS7-to-SS7 links between the vast majority of installed phone switching gear out there on the PSTN.

Why not? That's how it was done for email. SPF doesn't prevent interoperability for sending domains that don't use it or recipients that don't verify it. What it does is inhibit forged messages from a domain that does use it to a recipient that does verify it.

Then the more senders who have an SPF record, the stronger a spam signal it is for a domain to not have one, and the stronger the incentive gets for senders to use it. It's already in the recipient's interest to verify it when it's used.

They could even use DNS for this exactly like email. Create a lookup zone equivalent to in-addr.arpa but for phone numbers.

Because it's a huge installed base of non-upgradeable equipment that is 15, 20, 25 years old. People doing old-school SS7 telco stuff are just not going to upgrade. They'll sue their upstream carriers if they suddenly cut them off because their new re-implementation of SS7 is incompatible with their old gear. I'm a senior network engineer for a mid-sized regional ISP, and encounter this shit on a fairly regular basis.

It is not as simple as getting everyone who runs public facing smtpd on the Internet to upgrade their software and practices. Telco and PSTN phone stuff is the very opposite of being up to date and continually evolving best practices for security.

It isn't the upstream forcing the upgrade. It isn't forced at all. You can keep using your old equipment as long as you want. But there would come a point that enough people are using the new protocol that recipients start auto-blocking calls from anyone who doesn't use it.

You may not even have to upgrade the old equipment. For an out of band protocol, the upstream may be able to implement it for you.

When you get a scam call, you know that somewhere there is a company that got paid for that call, because telcos -- even and really especially scummy shady scam-enabling telcos -- don't offer access to their network for free out of the goodness of their hearts.

Turning those companies into smoking holes in the ground doesn't require anyone to upgrade their equipment. All it takes is willingness on the part of lawmakers and regulators to track them down and make them regret their business practices.

Cut them off unless they upgrade, their upstream probably has that option in the agreement anyways. PSTN should just die. The technicians and customer service are so incompetent that every day I had to call to get a line disabled at the switch because it got re-enabled. After a hundred days in a row I finally just shorted the damn line and problem solved.

True, but you can use your firewall for SIP'n'RTP or IAX2.

Creative use of firewall rules can be really powerful. For a very simple example: block VoIP from AWS's address ranges (serious gain).

A classic response for anon calls in telephony is to make the caller record a short identifying message and then play that to the potential recipient. The potential recipient then decides whether or not to accept the call - your staff (family, whatever) become the firewall. Remember that calls are billed to the caller by the terminating provider so this is OK (caller pays).

Those are two simple examples of using IP and humans to firewall telephony. Just because telephony is a bit crap on the identification side does not mean that you can't deploy lots of other weaponry to keep yourself safe. If you look deeply into SIP and IAX2, you get loads more options as well.

A better analogy that I use (especially with nontechnical folks) is the return address on an envelope.

You can, technically, write anything in it and there’s no way to guarantee it’s authentic.

In email the From: address rarely delivers the mail. From: and To: are the ones that you see in your mail client and correspond to the addresses on the letter within.

For example here are some headers from some spam I received:

  From: "Jeremy Adamson" <jeremyadamson@illusion24.com>
  Reply-To: "Jeremy Adamson" <jeremyadamsonr@yahoo.com>

From: is what I see in my client and Reply-To: is where a reply would go to.

This one is much better, note how I'm BCC'd and To: is complete bollocks:

  Reply-To: dr.ahmed.faruk@outlook.com
  From: Dr Faruk Ahmed <dr.faruk.ahmed1@gmail.com>
  To: undisclosed-recipients:;
  BCC: <gerdesj@blueloop.net>
  Return-Path: dr.faruk.ahmed1@gmail.com

Given that Reply-To and Return-Path are in different domains, where would a reply go to?
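As an added illustration (not the commenter's code): a small Go program that parses the two header sets quoted above with the standard library's net/mail, reports where a reply would actually go, and lists which headers disagree with the visible From:. The To: line in the first sample, the Subject lines and the one-line bodies are constructed so the headers parse as complete messages; everything else is as quoted.

```go
package main

import (
	"fmt"
	"net/mail"
	"strings"
)

// Constructed samples: the two header sets quoted in the comment above, with a
// To: line (first sample only), a Subject and a one-line body added so that
// net/mail sees a complete message.
const Spam1 = "From: \"Jeremy Adamson\" <jeremyadamson@illusion24.com>\r\n" +
	"Reply-To: \"Jeremy Adamson\" <jeremyadamsonr@yahoo.com>\r\n" +
	"To: <victim@example.org>\r\n" +
	"Subject: hello\r\n\r\nbody\r\n"

const Spam2 = "Reply-To: dr.ahmed.faruk@outlook.com\r\n" +
	"From: Dr Faruk Ahmed <dr.faruk.ahmed1@gmail.com>\r\n" +
	"To: undisclosed-recipients:;\r\n" +
	"BCC: <gerdesj@blueloop.net>\r\n" +
	"Return-Path: dr.faruk.ahmed1@gmail.com\r\n" +
	"Subject: hello\r\n\r\nbody\r\n"

// domainOf returns the lower-cased domain of a single-address header value,
// or "" when the header is absent or is not a parsable address.
func domainOf(value string) string {
	if strings.TrimSpace(value) == "" {
		return ""
	}
	addr, err := mail.ParseAddress(value)
	if err != nil {
		return ""
	}
	at := strings.LastIndex(addr.Address, "@")
	if at < 0 {
		return ""
	}
	return strings.ToLower(addr.Address[at+1:])
}

// ReplyTarget answers "where would a reply go?": a mail client replies to
// Reply-To when present, otherwise to From. Return-Path only receives bounces.
func ReplyTarget(raw string) (string, error) {
	msg, err := mail.ReadMessage(strings.NewReader(raw))
	if err != nil {
		return "", err
	}
	target := msg.Header.Get("Reply-To")
	if target == "" {
		target = msg.Header.Get("From")
	}
	addr, err := mail.ParseAddress(target)
	if err != nil {
		return "", err
	}
	return addr.Address, nil
}

// Findings lists header-level signals that the visible sender is not where
// the mail actually routes back to. None of these proves spam on its own;
// they are inputs to a scoring rule set, not a verdict.
func Findings(raw string) ([]string, error) {
	msg, err := mail.ReadMessage(strings.NewReader(raw))
	if err != nil {
		return nil, err
	}
	h := msg.Header
	from := domainOf(h.Get("From"))
	var out []string
	if rt := domainOf(h.Get("Reply-To")); rt != "" && rt != from {
		out = append(out, fmt.Sprintf("Reply-To domain %q differs from From domain %q", rt, from))
	}
	if rp := domainOf(h.Get("Return-Path")); rp != "" && rp != from {
		out = append(out, fmt.Sprintf("Return-Path domain %q differs from From domain %q", rp, from))
	}
	if strings.Contains(strings.ToLower(h.Get("To")), "undisclosed-recipients") {
		out = append(out, "To: hides the recipient list (undisclosed-recipients)")
	}
	return out, nil
}

func main() {
	for _, raw := range []string{Spam1, Spam2} {
		f, _ := Findings(raw)
		target, _ := ReplyTarget(raw)
		fmt.Printf("reply goes to %s; findings: %v\n", target, f)
	}
}
```

For the second sample the program reports that a reply goes to the outlook.com Reply-To address, while the gmail.com Return-Path only ever sees bounces; the mismatch between the two is exactly the signal a filter can score.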

What about an out of band verification by the carriers?

Basically a large registry. When I call someone I tell T-Mobile who I'm calling, and they register it. Then on the receiving end Verizon checks with T-Mobile or a central registry, and says yep James's number is calling this number. Then it marks it as a verified call.

Bear in mind that it is not in a carrier's (financial) interest to drop a call. Carriers are not required to verify CLID either.

There are lots of good things that telephony could be required to do but they are not and they won't.

iOS/Android could do something like this. You register your number with Apple/Google and link your account with them. When you call someone you set a field on your account that you're calling someone. When the person who you're dialing gets rung, their dialer can look up Apple/Google and see if that number was indeed calling them, and add a "verified" checkmark to the call.

This leads down a privacy/metadata rabbit hole, but there are probably ways to make this a lot better. In any case, the phone OS can do some out-of-band signaling and just avoid dealing with the carriers altogether.

Although if you're doing all that then why not just make a call using voip...

Curious: how does the PBX verify caller ID? Do you know how it works in practice?

It doesn't actually verify it, all it can do is read it. Just like email. When the PBX is told that the caller is say 01460223344 (I'm in the UK) then it would infer that the caller is from Crewkerne in Somerset due to the 01460 which is a designated area code. It may also be able to look up the whole number and infer a source.

However, just like email the CLID can be trivially faked and just like email, the lookup in your contacts is then wrong and potentially dangerous. In the case of telephony, if you subscribe to the BT service (I presume it still exists) that will return a name given a CLID (just like DNS for a price!) then you may end up with completely the wrong thing on your display.

Just to re-iterate the point: a PBX/phone/whatever cannot ... CANNOT ... verify CLID (Calling Line IDentification) it can only show what is presented to it.

Remember this, please: CLID is nominally under the control of the caller and could also be changed in transit. It should absolutely NOT be considered authoritative in any way.
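An added example, not the commenter's PBX configuration: the CLID rules described in this thread (drop an external call presenting one of our own numbers, send anonymous callers to a screening dialplan, put an area-code hint on the display) written as a small Go routing function. The owned numbers and the area-code table are constructed; only 01460 (Crewkerne) comes from the comment, and the hint is always marked unverified because, as the comment says, a PBX can only read CLID, never verify it.

```go
package main

import (
	"fmt"
	"strings"
)

// Decision is what the PBX does with an inbound call. Hint is display text
// for the answering human; CLID is never treated as proof of identity.
type Decision struct {
	Action string // "reject", "screen" or "ring"
	Hint   string
}

// Constructed: the numbers this PBX owns. An external call claiming one of
// them is spoofing us, which is the rule the comment above describes.
var ownNumbers = map[string]bool{
	"01460223344": true,
	"01460223345": true,
}

// Constructed: a tiny area-code table. 01460 (Crewkerne) is the example used above.
var areaCodes = map[string]string{
	"01460": "Crewkerne, Somerset",
	"0117":  "Bristol",
	"020":   "London",
}

// normalize keeps digits, rewrites +44/0044 to the domestic 0 form,
// and returns "" for non-numeric presentations such as "anonymous".
func normalize(clid string) string {
	digits := strings.Map(func(r rune) rune {
		if (r >= '0' && r <= '9') || r == '+' {
			return r
		}
		return -1
	}, clid)
	switch {
	case strings.HasPrefix(digits, "+44"):
		return "0" + digits[3:]
	case strings.HasPrefix(digits, "0044"):
		return "0" + digits[4:]
	}
	return digits
}

// areaOf does a longest-prefix match against the area-code table.
func areaOf(num string) string {
	best := ""
	for code := range areaCodes {
		if strings.HasPrefix(num, code) && len(code) > len(best) {
			best = code
		}
	}
	if best == "" {
		return "unknown area"
	}
	return areaCodes[best]
}

// Route applies the rules in order: no CLID -> screening dialplan,
// external call presenting our own number -> drop, otherwise ring with a hint.
func Route(clid string, external bool) Decision {
	n := normalize(clid)
	switch {
	case n == "":
		return Decision{"screen", "no CLID: have the caller record a name and let the recipient decide"}
	case external && ownNumbers[n]:
		return Decision{"reject", "external call presenting one of our own numbers"}
	}
	return Decision{"ring", fmt.Sprintf("%s (CLID %s, unverified)", areaOf(n), n)}
}

func main() {
	calls := []struct {
		clid string
		ext  bool
	}{{"+44 1460 223344", true}, {"anonymous", true}, {"01460 999999", true}, {"01460223344", false}}
	for _, c := range calls {
		fmt.Printf("%-18q external=%-5v -> %+v\n", c.clid, c.ext, Route(c.clid, c.ext))
	}
}
```

The internal-trunk case is deliberately allowed through: an extension of ours presenting our own number is normal, so the spoof rule keys on the trunk the call arrived on, not on the number alone.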

It's not quite "Just like email" because email has systems in place to authenticate this, while phone systems do not.


Have you ever tried to implement DMARC? DKIM and SPF are OK but DMARC breaks mail lists. Yes there are ways to mitigate but it might not be worth it unless you also do DNSSEC as well. Well actually I believe that every little helps and use every weapon available.

I do think that the analogy works really well. PBXs can have quite a few weapons of their own to attempt to authenticate callers. For example you can pass "anonymous" calls to a dialplan that gets the caller to identify themselves and then play that to the recipient who then gets to allow/disallow the call - basically make the (human) recipient part of the firewall. Also, PBXs that deal with VoIP can use IP rules just like a firewall to make decisions on what to do.

Traditionally, "telephony" and "systems" have been considered separate. Personally I'm a sysadmin AND telephony bod with around 25/15 (respectively) years experience. My PBXs (generally Asterisk with FreePBX) have quite a few sources of intelligence about what is inbound, beyond CLID. I also look after quite a few email systems, often fronted by an Exim MTA with an attendant rspamd or spamassassin (inter alia).

There is a new standard called Authenticated Received Chain (ARC) designed specifically to address the DMARC authentication failure issue caused by mailing lists. Basically what ARC does is to preserve SPF/DKIM authentication results, and use them to override DMARC authentication result when deemed appropriate. There is a Quora post here for a more detailed explanation: https://www.quora.com/What-is-Authenticated-Received-Chain-A....

I haven't set it up, but how does it break mail lists? Do you mean like using third party providers to send emails with your own domain in the From address?

It is (or was) common for mailing lists to keep the From header when forwarding mail to a list. The envelope sender is commonly changed to refer to the mailing list for bounce processing, and often a mailing list footer is added, sometimes the subject is adjusted and other administrative headers are added.

Changing the subject or adding a footer will almost always break the DKIM signature, and DMARC won't like it anyway, because the From address and the envelope sender don't have the same domain (alignment). This makes it pretty hard to use DMARC for a public domain.

It's not so bad to use it for a corporate domain, and it helps a bunch if your domain is being used to source phishing; except that people still think you sent it when it comes from admin@yourlocaldentist.crappyhosting.example.org which is clearly some ancient web mailer script that was compromised 20 years ago, but still remains online. (I'm totally not bitter!)
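To make the alignment argument concrete, an added example (not the commenter's setup) in Go that models one signed message delivered directly and then through a mailing list. The DKIM signature is a simplified stand-in (ed25519 over From, Subject and body, as DKIM's ed25519-sha256 variant would, but without header canonicalization), the SPF records are a constructed table, and sender.example / list.example are placeholder domains; the relaxed-alignment rule in DMARC() is the real one.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"fmt"
	"strings"
)

// Message is the minimal model needed here: the SMTP envelope sender, the
// IP the receiving MTA saw, and the visible From:, Subject and body.
type Message struct {
	EnvelopeFrom string
	SourceIP     string
	From         string
	Subject      string
	Body         string
}

// DKIMSig is a toy stand-in for a DKIM-Signature header: the signing domain
// (d=) and an ed25519 signature over From, Subject and the body.
type DKIMSig struct {
	Domain string
	Sig    []byte
}

func domainOf(addr string) string {
	return strings.ToLower(addr[strings.LastIndex(addr, "@")+1:])
}

// orgDomain keeps the last two labels, which is what DMARC relaxed alignment
// compares (lists.sender.example and sender.example align).
func orgDomain(host string) string {
	parts := strings.Split(host, ".")
	if len(parts) > 2 {
		parts = parts[len(parts)-2:]
	}
	return strings.Join(parts, ".")
}

// signedInput is the byte string the signature covers; a subject tag or a
// footer added after signing changes it, so the signature no longer verifies.
func signedInput(m Message) []byte {
	return []byte("from:" + m.From + "\nsubject:" + m.Subject + "\n\n" + m.Body)
}

func Sign(m Message, d string, priv ed25519.PrivateKey) DKIMSig {
	return DKIMSig{Domain: d, Sig: ed25519.Sign(priv, signedInput(m))}
}

func VerifyDKIM(m Message, sig DKIMSig, pub ed25519.PublicKey) bool {
	return ed25519.Verify(pub, signedInput(m), sig.Sig)
}

// Constructed stand-in for SPF records: domain -> hosts allowed to send for it.
var spfRecords = map[string][]string{
	"sender.example": {"192.0.2.10"},
	"list.example":   {"198.51.100.5"},
}

// CheckSPF evaluates the envelope sender, not the visible From:.
func CheckSPF(m Message) bool {
	for _, ip := range spfRecords[domainOf(m.EnvelopeFrom)] {
		if ip == m.SourceIP {
			return true
		}
	}
	return false
}

// DMARC passes when at least one authenticated identifier aligns with the
// From: domain: SPF via the envelope sender, or DKIM via d=.
func DMARC(m Message, sig DKIMSig, dkimOK, spfOK bool) (bool, string) {
	from := orgDomain(domainOf(m.From))
	if spfOK && orgDomain(domainOf(m.EnvelopeFrom)) == from {
		return true, "spf aligned"
	}
	if dkimOK && orgDomain(sig.Domain) == from {
		return true, "dkim aligned"
	}
	return false, fmt.Sprintf("spf=%v for %s, dkim=%v for d=%s, neither aligned with From %s",
		spfOK, domainOf(m.EnvelopeFrom), dkimOK, sig.Domain, from)
}

// ThroughList models a typical list: it rewrites the envelope sender for
// bounce handling, tags the subject and appends a footer, but keeps From:.
func ThroughList(m Message) Message {
	m.EnvelopeFrom = "bounces@list.example"
	m.SourceIP = "198.51.100.5"
	m.Subject = "[list] " + m.Subject
	m.Body += "\n-- \nTo unsubscribe, visit https://list.example/unsubscribe"
	return m
}

// Demo sends one signed message directly and through the list and returns
// the two DMARC verdicts plus the reason for the second.
func Demo() (direct bool, viaList bool, reason string) {
	pub, priv, _ := ed25519.GenerateKey(rand.Reader)
	orig := Message{EnvelopeFrom: "alice@sender.example", SourceIP: "192.0.2.10",
		From: "alice@sender.example", Subject: "hello", Body: "hi there"}
	sig := Sign(orig, "sender.example", priv)
	direct, _ = DMARC(orig, sig, VerifyDKIM(orig, sig, pub), CheckSPF(orig))
	relayed := ThroughList(orig)
	viaList, reason = DMARC(relayed, sig, VerifyDKIM(relayed, sig, pub), CheckSPF(relayed))
	return direct, viaList, reason
}

func main() {
	d, l, why := Demo()
	fmt.Printf("direct: dmarc pass=%v\nvia list: dmarc pass=%v (%s)\n", d, l, why)
}
```

Note that the list's own SPF check passes (its server is in its own record); what fails is alignment, because the envelope domain is now list.example while From: still says sender.example, and DKIM, the identifier that would have aligned, was broken by the subject tag and footer.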

My domain, lolware.net, has a total of three email accounts. I'm usually happy to move and break things because it's largely a personal playground. For example, my website's SSL ciphers have frequently veered into the "not many browsers support" solutions.

I cannot properly enable DMARC. I have working SPF and DKIM on everything I send, but as soon as I enforce it, people stop getting my email. The sticking points are mailing lists, and anyone with a forwarder. I've been on this merry-go-round a few times. If it's this bad on this personal domain, I'm a long way from considering it in a business.

There is no way to fix the ability to spoof caller ID with the way SS7 is built. Not without breaking functionality to something like 85% of the installed base of PBX and phone switch equipment, most of which is anywhere from 10 to 45 years old. The legacy telco SS7 phone system needs to be burnt to the ground and rebuilt, but it never will be, because people have moved on to friend-opt-in based message platforms like WhatsApp, Signal, Telegram, Facebook Messenger, and the domestic Chinese equivalents (WeChat etc).

Compelling telcos to do that is the regulator's job.

Not sure about the US, but in most of the rest of the world regulators come up with new rules and regulations requiring some form of network upgrade all the time – SLAs, connectivity and routing requirements, legal interception, data residency, etc.

And telcos have no other way but to spend billions to protect some monopoly or enable more surveillance power for the governments. It's a matter of priorities, really.

I just want the major cellphone companies numbers to show up correctly and everything else can be ???. That does not require fixing all these other systems.

Exactly. If your provider can't be certain that the number is real (i.e. they generated it themselves or it came from a trusted/liable source) then they shouldn't be charging for it, and they should be held liable if they allow a spoofed number for fraud. Maybe that would mean the end of caller ID and associated fees, but I'm not sure that it's useful today with the level of spam. If someone spoofs your ph# to make 5000 spam calls, I guarantee it's not useful to you.

Find another in/out of band way of providing caller-ID services.

How exactly could they do that for calls originating outside their network? Most spammers are using VoIP, not cell phones on major US companies.

They could not fix it. However, it would be a big value-add to me if, say, the big 4 US carriers could add an out-of-band security check and block calls to their networks from numbers they control but which are spoofed.

I get way too many calls from area codes and prefixes I recognize. This would help me get some of that back.

There are legitimate use cases like Google Voice for sending caller ID that another carrier owns. Despite that, a basic authorized users list would be an easy fix, doubt that'll ever happen though. Look at the mess that LRN and CNAM data are, providers will nickel and dime for access to data that doesn't cost much to maintain...

Google Voice could (A) join the system or (B) have ??? as their caller ID; either one would be useful. Again, they can say whatever number they want as long as I can opt out and block unknown numbers.

However, the current system is largely useless when you get spoofed calls from numbers you recognize.

They can't, because as things currently exist they have to trust the caller ID data in the SS7 links coming from other wholesale carriers where the calls are coming from, possibly several hops away from the grey market VoIP SIP trunking providers.

They know who to bill for the call. Fix the rest. I don't care about excuses for this.

Yeah, it's hard not to think that basically rebuilding the entire phone system would be a massive case of fighting the last war. People won't stop needing the phone system entirely but it becomes a piece of quirky legacy technology.

And probably just have to live with the fact that there will be situations where people are harder to reach quickly than they are today.

Rebuilding SS7 with new modern features, and making it talk natively to all the existing 10 to 50 year old SS7 equipment deployed in the world would basically be polishing the brass doorknobs on the Titanic.

Agreed, caller ID should not be able to be spoofed. My rule of thumb is if it is important, they will leave a voicemail with a call back number. This screens out 90% of the spoofed calls I get. The visual voicemail is a nice feature too, I can immediately check the voicemail that is left and decide if I need to follow up, or if it is spam.

Yeah I get spam phone calls almost daily, and it's always from a local area code and ANI which I recognize as being from a nearby city. So, it _seems_ legit. But I no longer answer phone calls from numbers I don't already have in my Contacts... :P

One thing I hadn’t thought of until a friend who is a parent mentioned it, is that if you have a young child and that child is currently out of your sight you basically have to pick up a call from any possibly local number, it’s just too risky not to. I would imagine that accounts for a lot of the success of this strategy.

I inadvertently solved this by keeping my old, out of state number. I can pretty much block all numbers that match my prefix if they aren't in my contacts.

Any actual local number is always legit since spammers have no way of knowing where I actually live.

In my case I have a bit of an outlier combination so it never seems legit when I get a call from a number like that. Makes it easier to spot the spammers, however!

It looks like Canada is moving in this direction.

Here is a PR piece (by a telecom technology vendor) that explains that the Canadian telecom regulator will require non-spoofable caller ID by March 2019 [1]. The technology is called STIR and SHAKEN. (That's all I know; I'm no expert).

The US FCC doesn't seem to be moving as quickly, if at all.

[1] https://transnexus.com/blog/2018/canadian-regulators-mandate...

> Having said that, always assume someone calling you is a fraud. If your "bank" calls you, tell them you'll call back and don't call a number they provide over the phone or in caller ID.

I did this to a student loan company. The caller ID was that of my parent's house, and the woman on the other end was incredulous that anyone would demand that she prove who she was.

And it turned out to be legitimate, incredibly, though I certainly did not think so at the time.

If you can actually identify the company or individual on the other end of a spoofed call, please report them to the FCC.

The problem is the lack of motivation: VOIP service providers aren't being smacked with multi-thousand dollar penalties per call when their customers spoof caller ID.

If Peerless Networks was staring at millions of dollars in fines for fake IRS scams originated on it because there's no way for someone else to find who actually originated the fraudulent calls, you would be able to bet a farm that a concept of a fake caller ID coming from Peerless Networks would go away.

> don't call a number they provide over the phone

It's OK to ask for their extension. A lot of times you can't call the fraud department directly, but if you have their extension you can ask to be transferred to it. But yeah, always call the number printed on the card, not what they tell you.

Note that on many land-lines this will fail, as the calling party simply does not hang up, waits for silence on the line, then plays dial-tone down it. When you pick up again, it seems like you are connected to the exchange, but when they hear DTMF they just play ringing tones back at you, then pretend to answer as your bank and continue the scam. Bonus points to the scammers if they actually call the number you dialed and MITM the call for extra realism, only jumping in when you get transferred... ;) In fact, I bet you could program Asterisk to do this for you, or similar VOIP PBX software?

If only there was a way to register a Public Key that only a corresponding Private Key could use.
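An added example, not any carrier's or the commenter's code, showing what the public-key registry wished for here (and the out-of-band registry and STIR/SHAKEN mentioned elsewhere in the thread) looks like in Go: the originating carrier signs (calling number, called number, time) with its private key; the terminating side looks the calling number up in a reversed-digit zone, fetches that carrier's published public key and verifies. Carrier names, numbers, the token layout and the 60-second window are constructed; real SHAKEN uses X.509 certificates and a JWT (PASSporT), not this format.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"errors"
	"fmt"
	"strings"
	"time"
)

// Passport is a simplified, constructed stand-in for the signed token that
// STIR/SHAKEN attaches to a call; the real format is a JWT with more fields.
type Passport struct {
	Orig    string // calling number, E.164
	Dest    string // called number, E.164
	Iat     int64  // issued-at, Unix seconds
	Carrier string // originating carrier that attests the number
	Sig     []byte // carrier's signature over the fields above
}

func payload(p Passport) []byte {
	return []byte(fmt.Sprintf("%s|%s|%d|%s", p.Orig, p.Dest, p.Iat, p.Carrier))
}

// ZoneName turns an E.164 number into a reversed-digit lookup name, the same
// trick in-addr.arpa uses for IPs (and e164.arpa uses for phone numbers).
func ZoneName(e164 string) string {
	digits := strings.TrimPrefix(e164, "+")
	labels := make([]string, 0, len(digits))
	for i := len(digits) - 1; i >= 0; i-- {
		labels = append(labels, string(digits[i]))
	}
	return strings.Join(labels, ".") + ".e164.arpa."
}

// Registry is the out-of-band part: which carrier each number is assigned to
// (keyed by ZoneName) and each carrier's published verification key.
type Registry struct {
	NumberOwner map[string]string
	Keys        map[string]ed25519.PublicKey
}

// Attest is what the originating carrier does when it places the call.
func Attest(priv ed25519.PrivateKey, carrier, orig, dest string, now time.Time) Passport {
	p := Passport{Orig: orig, Dest: dest, Iat: now.Unix(), Carrier: carrier}
	p.Sig = ed25519.Sign(priv, payload(p))
	return p
}

// Verify is what the terminating carrier (or the called party's device) does.
func (r Registry) Verify(p Passport, dest string, now time.Time) error {
	owner, ok := r.NumberOwner[ZoneName(p.Orig)]
	if !ok {
		return errors.New("calling number is not in the registry")
	}
	if owner != p.Carrier {
		return fmt.Errorf("%s may not attest for %s (assigned to %s)", p.Carrier, p.Orig, owner)
	}
	pub, ok := r.Keys[p.Carrier]
	if !ok {
		return errors.New("no published key for carrier")
	}
	if !ed25519.Verify(pub, payload(p), p.Sig) {
		return errors.New("signature does not verify against the carrier's key")
	}
	if p.Dest != dest {
		return errors.New("token was issued for a different destination")
	}
	if age := now.Unix() - p.Iat; age < 0 || age > 60 {
		return errors.New("token outside its validity window (replay?)")
	}
	return nil
}

// Demo builds a two-carrier registry and returns the verdict for several
// calls; a nil error means the calling number was verified.
func Demo() map[string]error {
	pubA, privA, _ := ed25519.GenerateKey(rand.Reader)
	pubB, privB, _ := ed25519.GenerateKey(rand.Reader)
	reg := Registry{
		NumberOwner: map[string]string{
			ZoneName("+12025550100"): "carrierA",
			ZoneName("+12025550200"): "carrierB",
		},
		Keys: map[string]ed25519.PublicKey{"carrierA": pubA, "carrierB": pubB},
	}
	now := time.Now()
	dest := "+12025550200"
	return map[string]error{
		"genuine":        reg.Verify(Attest(privA, "carrierA", "+12025550100", dest, now), dest, now),
		"wrong owner":    reg.Verify(Attest(privB, "carrierB", "+12025550100", dest, now), dest, now),
		"forged carrier": reg.Verify(Attest(privB, "carrierA", "+12025550100", dest, now), dest, now),
		"replayed":       reg.Verify(Attest(privA, "carrierA", "+12025550100", dest, now.Add(-5*time.Minute)), dest, now),
		"unregistered":   reg.Verify(Attest(privA, "carrierA", "+12025550999", dest, now), dest, now),
	}
}

func main() {
	for name, err := range Demo() {
		fmt.Printf("%-15s -> %v\n", name, err)
	}
}
```

The point of the registry lookup is that a carrier's key only proves the carrier signed the token; the number-to-carrier mapping is what stops a carrier (or one of its customers) from attesting numbers it does not own, which is the gap caller ID has today.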

Won't this rapidly become beside the point?

With text to speech software becoming so amazing, see Google's Duplex, I'm not that concerned with caller ID and am massively concerned for aging boomers who will have to contend with nearly perfect speaking bots.

I did this to my bank. They called me, I told them that I'll not talk to them as I can't identify them and that I'll call them back on the standard number. The bank was really not prepared for this. They blocked my card (the call was about a suspicious transaction that was OK) and the transaction. I called to unblock the transaction, but the card remained blocked. So I had to call again.

It all took precious time, they really should anticipate this more.

Speculating, but would fixing that break things like dialing a local number which is answered overseas without a toll charge? Or is that separate?

If we make a regulation that requires protocols to change so that the caller ID is unspoofable, we might as well also require making it impossible to spoof an IP address or a sender email address...

I work for an ISP. We filter packets spoofing their IP source address.

SPF, implemented by most major email providers, helps to prevent FROM: spoofing.

Hell, I'm pretty sure our VoIP product drops external calls where the Caller ID matches one of its own numbers.

These are problems we are solving. These are problems we should be solving in telephony too.

You mean like we are trying really hard to get everyone to use https and most people here would love some easy to use, widely adopted email signing? Yeah, that would be awesome!

This is 100% destroying the phone for younger generations ... my kids answer nothing, not even my own phone calls because they set their phones on do not disturb to curb the endless robo, scam, and cold calls.

If it wasn't for https://hiya.com/, I'd be at the end of my wits. Seems like the number of fake calls has ramped up exponentially in the last months. I finally just set it up to completely block all telemarketing, spam, scam, fraud calls.

It's completely destroyed the phone for me... I get about 10 calls a day from scams. I don't answer my phone anymore unless it's from a number I already have programmed. Once the scammers get a hit on some of those numbers my phone is toast.

I do this too.. And then they started hitting my work number, which forwards to my phone, and only displays as my company's number so I have to check, just in case.

I suggest downloading a silent ring tone. I got one for a dollar. The silent ringtone is my default ringtone. I went into my contacts and changed the ringtone associated with them to be one that makes noise. I no longer am bothered by scam calls as a result.

> I went into my contacts and changed the ringtone associated with them to be one that makes noise.

That gets the job done, but rather than modify each of your existing contacts (and each new one), consider just turning on Do Not Disturb and setting your Do Not Disturb level to "Allow Calls From All Contacts" (or a particular Group or Favorites). These are iOS options but I assume there's an equivalent in Android.

On my particular Android phone (Pixel) this is not a great solution because setting Do Not Disturb alters the behavior of other things like Calendar reminders or email alerts. You could make DND not do that, but sometimes I do want to mute other things. If you're using DND all the time, you essentially lose that feature on your phone.

The best solution I've found is to just go into the Google Dialer app and set the option to not ring on any call suspected to be spam. I still do get spam calls that haven't yet been reported, but it's down to only about 3-4 a month.

Not sure if Samsung phones / other android flavors have a similar feature or not.

A great improvement to that would be an option to silently reject all suspected spam calls and send them to the voicemail. This has been suggested many times on Google's product feedback and suggestion boards but for some reason they have not gotten around to doing it. The hard part of detecting spam calls is already there; all it should take is adding a couple of new check boxes.

There are apps like YouMail and Nomorobo. I use YouMail and it has the option to give a disconnected message when a scammer calls.

Just wait. You will get scammers that can pass the "scam likely" threshold, and then your scam call volume will go up.

Just checked on my Samsung phone and there is a setting 'Caller ID and spam protection' apparently backed by Hiya.

That is probably a better solution. I have do not disturb for 10 pm to 8 am and have it set to not allow anyone to disturb me. But thinking about it now maybe I should allow calls from contacts during those times.

You can also (in Android, at any rate) set it to allow your favourites to by-pass it.

I don't know the end game here. It's easy to say that phone calls as a medium just slides into oblivion and this all becomes academic. But I don't really believe that. There's a real and continuing place for voice conversations and that requires someone to initiate a call.

Eliminating spoofing is probably impossible without infrastructure revamps that aren't realistic even augmenting with spam filtering at the telco level. But the current situation is at the edge of the tolerable and people will just stop letting calls ring through.

If the implementation of voice calls over the traditional networks does not improve (as you suggest, via improvements and regulations), then people will route around it. My kids only call me via FaceTime ... and the only way they communicate with their friends with voice is either FaceTime, or by sending videos of them talking over Snapchat.

Obviously, my kids (and their friends/school) are only one data point ... but yeah, for them, it's already dead.

Hiya looks interesting. How do they make money if the app is free? How does it work? The site doesn't really say how it does what it does.

They have a premium subscription detailed here: https://hiyahelp.zendesk.com/hc/en-us/articles/360000872947-...

Another typical problem with the American system of deregulating everything and anything. In Europe (at least the parts I know) this is never an issue.

This is regulated in the US. You're not allowed to spam calls nor fraudulently impersonate someone's bank, the IRS, a healthcare provider, a collections agency, etc. There are dedicated lines for reporting these types of calls to the FTC, and a national Do Not Call registry.

I can't speak to the manpower dedicated to nor the pursuit of these reports by the FTC, but this is definitely a regulated issue.

I'm personally somewhat nervous about what voice phishers will be able to accomplish with caller ID once voice sample synthesis gets good enough and cheap enough, which is well on the way from what I can tell. Shades of that old Uplink game, call up a family member or friend and just get them to talk into the phone at all, not even give up personal information but literally just speak enough. Then the phisher can call up the target, spoof that number, and directly have the voice sound just like someone the target knows. The voice and the caller ID will both check out, and this should actually be a lower target than the kind of voice synthesis work currently being done because phone calls are highly compressed and tend to be not great quality anyway.

Once that hits general usage along with the kind of ML and social network graphs being done up couldn't that just plain be it for phone usage if companies can't come up with a proper cryptographically verified call scheme (which would require new phones, for everyone)? I mean, if a call coming in directly from a "trusted contact's number" that is literally in their voice becomes generally a scam too I think that'd have to be a real tipping point for the general population. I can't see any choice at that point but to disable all incoming calls period, and move my family over to something else as well. And that tech train is coming down the tracks pretty fast, there have to be at least some phone providers who can see that right? Heavily automatically run personalized ML powered social media and ad network profile fed phishing calls in a relative's voice, yeah that'll be really fun.

Simple workaround - you call me and leave voicemail, I call you back on the # I know and we talk.

I'll give you the flip side of the scammer's deterioration of trust in the phone... a few months back I got a phone call from what appeared to be my bank, and they were asking me about a fraudulent charge that I didn't recognize. Worried that this was the beginning of a scam, I delayed a bit on the phone while I logged in independently to my bank account... and lo, yes, indeed, there was a fraudulent charge to my account just as they described. It really was my bank calling me about fraudulent charges. But I was definitely close to hanging up on them, assuming it was a scam. It stinks on both sides.

It makes me laugh when my bank's fraud department calls me and then asks me to verify myself to them by giving personal information before asking me questions. I usually laugh at them and tell them that they are the unverified party in this phone call, not me.

I always pull up the website and confirm before telling them anything.

> I usually laugh at them and tell them that they are the unverified party in this phone call, not me.

This is one of the related reasons why I finally got my ducks in a row and switched away from Chase three years ago. Their potential-fraud-has-happened outreach department was, in my experience, terrible about this. It didn't help that their potential-fraud-detection department was similarly bad. ("You used your debit card at an AM/PM in Washington State!!!!" Yes, I know, it is about 900 feet from my house; I go there regularly.)

Point being, I got quite a few calls from their (real) fraud prevention department about (supposed) fraud. Each time, the rep who called me would get mad at me for not handing over the last four of my SSN and my complete address to the calling party. I pointed out, each time, that they were the ones who called me so I should be verifying them. "But, sir, WE are the bank and you could be anyone who just answered your phone."

The credit union I now use just presents a message with their name and a request to call back. "We may have detected a fraudulent purchase; please give us a call at the number on the back of your card and reference case number [digits]." Fortunately, their system is much better; I've only heard this message once.

> I pointed out, each time, that they were the ones who called me so I should be verifying them. "But, sir, WE are the bank and you could be anyone who just answered your phone."

There has got to be a word for this and similar behavior. Banks, credit card agencies, mobile phone companies are getting really aggressive with how they handle these sort of transaction based interactions and I'm leaning towards wanting to see them get slapped with regulation for it.

I bring it up because a few years back I fell into some hard times, resulting in missing some payments. In a good faith attempt to get caught back up once I found a new job and could right the ship, I called my creditors immediately and tried to make payments and set up payment plans the first paycheck I got.

None of them failed to ask what I thought was a very annoying and horrifically invasive question: "Why were you late on your payments?"

Each time I rebutted asking if disclosing my living situation was required to make a payment or if I should request an escalation to someone who will just take the money. One creditor kept trying to say "We're asking because we want to do you a favor/we understand things are hard sometimes" and I kept asking them if failure to disclose my life situation would prevent payment until they gave up and took the payment.

It strikes me as an offensive, invasive and utterly worthless question and whenever asked I just hang up and call back. Same thing when some entity calls and immediately starts asking for sensitive info. "Send me a letter in the mail with a phone number and I'll call you back when I'm good and ready, otherwise no I'm not just giving you my SSN because you called me at 7:30 on a Monday evening and asked for it".

Fiduciaries are getting bold, I tell you.

The reason they are asking you why you missed a payment is because creditors have hardship payment plans for people in certain hardships. They were trying to see if you were eligible.

"You should probably lead with that next time" is all I have to say in response to that.

I'm far more likely to respond positively, even if I ultimately decline, if they were to say "We have a program in place - if you think you're going to miss a payment, it will help keep your account on track. Would you like to enroll?"


"Why were you late making this payment?"

Of the two, when I went through that period of long-term underemployment, I only ever heard the latter, never the former. Such a curt and abrupt question to ask that comes across much more invasive than helpful.

They tried to tell you that; you just didn't want to hear the message for some reason.

"We're asking because we want to do you a favor/we understand things are hard sometimes"

There's more than "a program," creditors have different options/programs, etc. Special options exist for people who were affected by certain natural disasters. They probably would have offered to waive the late fee if you missed a payment because you were in the hospital or something. They were starting a dialog with you about your account status in order to work with you; no need to get all offended about it.

their potential-fraud-detection department was similarly bad. ("You used your debit card at an AM/PM in Washington State!!!!" Yes, I know, it is about 900 feet from my house; I go there regularly.)

A year ago I had an awful experience with this.

We were on vacation at Big Bend National Park, which is hours away from everything in southwest Texas. When trying to pay for breakfast, our card was denied. I tried to call the card company to tell them that it was OK, but couldn't get through - there was no cell service. Outside the restaurant was a pay phone (remember them?) that I was able to use to call their 800 number.

I learned then that they'd actually flagged my card as stolen, so I could no longer use it at all, and to get it turned back on I needed to receive the code they were sending by SMS and read it back to them. The thing was, we were in a dead cell area, we couldn't get the SMS. And Big Bend is mind-bogglingly huge - 1,252 square miles of mostly desert (there's a whole mountain range entirely contained within the park). As far as I could tell, I didn't have enough gas to drive out of the park to get to cell service to achieve this (the park is so big that it's got its own gas station in the middle, and I'd intended to use this - but without my card, how can I?).

It seemed a perfect trap, there was no way we were going to be able to get out. What eventually saved us was that the hotel manager overheard me shouting at the card people, and came out to give me a map, with the places inside the park that can get SMS text highlighted. Using that I was able to fulfill their requirement.

They never were able to tell me why they flagged the card in the first place. They told me that they advise all card holders to warn them when they plan to go out of state. But I live in Texas, and I was in Texas when the charge triggered. They just shrugged that off.

As someone who travels in remote corners of deserts very frequently, I can say that you can never have too much water, fuel, or cash.

And when you're in a scrape, you can often barter with all three.

My wife and I (we are both Brits) were driving in the middle of nowhere in Washington state. We stopped at a garage to get petrol/gas and discovered that the credit card machines in the unmanned gas station only seemed to accept credit cards issued in the US - IIRC the PIN equivalent was a US zip code. Our personal credit cards (UK cards) and cash (no teller) were thus useless. Luckily my wife had a corporate credit card issued in the US that we were able to use, on the principle that she could ask for forgiveness from her company when we got back.

For foreign credit cards oftentimes entering 00000 or 99999 for zip code works.

The other thing that sometimes works is entering the digit part of your postal code and padding it out with zeros. Ex: if your postal code was 1A2B3C you'd enter 12300.

If you're visiting remote parts of Texas, always have a hat with a brim (there's a reason that cowboy hats are shaped the way they are), bottled water, and a few hundred dollars in cash.

I would add Imodium AD, analgesics, some power bars and jerky, condoms, tampons if you’re female or traveling with women, a compass, weatherproof matches, a small mirror, and a good knife.

Condoms? No emergency so dire as to miss a chance to get laid?

For keeping your matches in if it rains.

Never underestimate the value of condoms for purposes other than intercourse. They’re highly portable, durable, can hold a lot of liquid, and are waterproof. You can use them to waterproof anything from a car’s spark plugs to some tinder or even food. They’re useful as part of dressing certain minor wounds too.

I've had really random declines from time to time for no apparent reason--sometimes for very small amounts. I make a point these days of having backup cards across multiple networks (i.e. both Visa and Mastercard).

Also spare ID and cash. The one time I broke this last rule on a trip I was nearly really screwed. (I lost my license and the hotel didn't want to let me check in. They only relented when I showed other ID and was able to make a just large enough withdrawal from an ATM and pay cash.)

I learned not to travel with just one credit card after my CU botched a software update while I was in the middle of a trip in Prague - already checked out from the hotel but not yet taken the rental car to drive to the next hotel in a different city. The looming possibility of sleeping in the street was rather instructive.

Since then I always carry three credit cards when traveling, from three different banks, and each from a different payment system in case of a systemic issue.

Card fuckup is the only reason I have even a little cash on hand. Even the second hand store near me takes cards now. It is my policy if I am any distance from home to carry a spare car key, and enough cash to fill the tank and get home.

Considering that we could eliminate fraud with a private key chip card, this is really, really sad.

Another reason to have some cash is so if you're mugged, the mugger won't be so disappointed they take it out on you.

Oh I don't carry the cash on me.

I probably should worry more about muggers, but I just can't get myself to be afraid, so.

It's fairly common to read a story about how some carjackers abandoned a car because it unexpectedly had a manual transmission, but I think I also read about a case where they shot the driver out of pique.

This is the reason I always travel with >1 debit cards (different banks) and >1 credit cards (different banks)

The fellow that publishes YouTube videos under VinWiki was setting a NYC<->LA driving race record (the Cannonball).

While making their second gas stop, their credit cards were being rejected because Amex erroneously thought it was impossible to legitimately use their credit cards between two locations that quickly.


Supposedly they also track flights worldwide to assess legitimacy of card-present transactions through distance-time bounding.

I contacted Wells Fargo because their survey emails come from a third party email address and link to a different third party site. I was very specific in my feedback that I thought the survey was legitimate but that they shouldn't habituate their customers to entering even general data on unaffiliated sites. They called me and I reiterated the above and even got a fancy case number. After a month I got a voicemail that they completed their investigation and the survey was non-fraudulent... Hooray.

Don’t despair. If large companies were efficient there would be no place for startups. And what kind of world would that be?

("You used your debit card at an AM/PM in Washington State!!!!" Yes, I know, it is about 900 feet from my house; I go there regularly.)

Bank of America has an interesting optional feature where they geolocate the transaction, and if it's a certain distance away from your cell phone, it triggers the fraud process.

I think if more banks did this, it could cut down on a certain percentage of these problems.
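The two checks described in this thread, the distance-time bounding that tripped the Amex cards during the Cannonball run and the phone-versus-merchant distance check attributed above to Bank of America, are both just great-circle geometry over timestamps. The following is an added example, not code from any bank or from the original posts; the transaction data is constructed for illustration, the thresholds are assumptions, and a real system would also have to account for flights, which is exactly the false-positive mode the road-trip story shows.

```go
package main

import (
	"fmt"
	"math"
	"time"
)

// Transaction is a card-present purchase plus the merchant's coordinates.
// Field names are assumptions for this example.
type Transaction struct {
	ID       string
	Time     time.Time
	Lat, Lon float64
}

const earthRadiusKm = 6371.0

// haversineKm returns the great-circle distance between two points in km.
func haversineKm(lat1, lon1, lat2, lon2 float64) float64 {
	toRad := func(d float64) float64 { return d * math.Pi / 180 }
	dLat := toRad(lat2 - lat1)
	dLon := toRad(lon2 - lon1)
	a := math.Sin(dLat/2)*math.Sin(dLat/2) +
		math.Cos(toRad(lat1))*math.Cos(toRad(lat2))*math.Sin(dLon/2)*math.Sin(dLon/2)
	return 2 * earthRadiusKm * math.Asin(math.Sqrt(a))
}

// ImpliedSpeedKmh is the speed the cardholder would have needed to get from
// transaction a to transaction b. Zero or negative elapsed time is treated
// as infinitely fast, so out-of-order or simultaneous events get flagged.
func ImpliedSpeedKmh(a, b Transaction) float64 {
	hours := b.Time.Sub(a.Time).Hours()
	if hours <= 0 {
		return math.Inf(1)
	}
	return haversineKm(a.Lat, a.Lon, b.Lat, b.Lon) / hours
}

// FlagImpossibleTravel returns the IDs of transactions whose implied speed
// from the previous transaction exceeds maxSpeedKmh. A ground-travel limit
// will flag fast drivers and anyone who flew; a flight-aware limit will not.
func FlagImpossibleTravel(txs []Transaction, maxSpeedKmh float64) []string {
	var flagged []string
	for i := 1; i < len(txs); i++ {
		if ImpliedSpeedKmh(txs[i-1], txs[i]) > maxSpeedKmh {
			flagged = append(flagged, txs[i].ID)
		}
	}
	return flagged
}

// PhoneTooFar is the phone-vs-merchant check: suspicious if the cardholder's
// last known phone position is more than maxKm from the merchant.
func PhoneTooFar(tx Transaction, phoneLat, phoneLon, maxKm float64) bool {
	return haversineKm(tx.Lat, tx.Lon, phoneLat, phoneLon) > maxKm
}

// SampleTrip is constructed data: New York, then Columbus 8h later by car,
// then Denver 12h after that (a Cannonball-style pace), then Los Angeles
// 4h after that, which is only possible by air.
func SampleTrip() []Transaction {
	t0 := time.Date(2018, 10, 1, 6, 0, 0, 0, time.UTC)
	return []Transaction{
		{"tx1", t0, 40.7128, -74.0060},
		{"tx2", t0.Add(8 * time.Hour), 39.9612, -82.9988},
		{"tx3", t0.Add(20 * time.Hour), 39.7392, -104.9903},
		{"tx4", t0.Add(24 * time.Hour), 34.0522, -118.2437},
	}
}

func main() {
	txs := SampleTrip()
	fmt.Println("ground limit 130 km/h flags:", FlagImpossibleTravel(txs, 130))
	fmt.Println("flight-aware limit 1000 km/h flags:", FlagImpossibleTravel(txs, 1000))
	// Phone sitting at home in New York while the card is used in Los Angeles.
	fmt.Println("phone in NYC, card in LA, >5 km:", PhoneTooFar(txs[3], 40.7128, -74.0060, 5))
}
```

With a 130 km/h ceiling the Denver and Los Angeles purchases are both flagged, which is the behaviour the Cannonball and Big Bend stories complain about; raising the ceiling to something that admits air travel clears both, at the cost of catching far less card cloning. The phone check is independent of history and is the one that needs continuous location data, which is the privacy trade-off raised in the reply.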

The downside is that you have to trust your bank enough to let it track your phone 24/7. And having recently gone through the privacy notices of several of my bank apps and web sites, I'm not entirely sure that's a good idea, either.

And for what? To protect their money. It's their responsibility to stop fraud and cover losses. Not mine. I'm paying them my monthly service fee to safely store my money. People don't seem to understand this. If I want to saddle all the risk myself I'll use cash in my mattress.

> ... Chase ... It didn't help that their potential-fraud-detection department was similarly bad

I dropped Chase after about the 4th time they flagged my monthly payment to my ISP as potential fraud.

The real pros know that and will request you call them back. Bank of America didn’t ask me to do this but I was able to verify what they said on my banking app.

Nordstrom was actually one of the few places that I've encountered who does this. Someone stole my identity and tried to open a credit card at their store. As soon as I verified it wasn't me in the store she asked me to call back immediately. She wouldn't even give me a call back number; she told me to go to their website and find it.

IMO even that's not sufficient. I've had calls claiming to be my bank that knew dollar amounts and dates of 2 charges I had recently disputed. But I've been fooled once before, so I went into my local branch and spoke to the manager face to face. No one from the bank had placed a call regarding my account and there was no issue with my dispute. The phone number was not owned by the bank and after 2 voice mails they stopped trying to contact me and I never had an issue with the charge back. So there is literally no way I would ever trust an inbound phone call again.

To be honest even after I had seen that the charges being described to me on the phone were indeed on my account I was still running through scenarios where this could be a fraudulent call. However, I eventually came up with the logic that somebody had already managed to put the charge on my account, and once they'd gotten that far, I couldn't think of any reason for the scammer to call me. Basically, scammers had visibly already won prior to the call, so the odds of the call being fraudulent were low.

True. On the other hand, I don't want bank employees to have never been told that cold-calling people to discuss their accounts is a bad practice.

Had a fantastic example of this recently. I called my bank, for some reason they weren't able to connect me to the department I needed immediately, so I arranged to have them call me back when they were able to reach them. A little later, as expected, the bank called me back - same person I spoke to earlier, so I'm satisfied that it's the bank. She routes my call through to the department we needed to reach. That's where things get surreal, because that department isn't set up to have an outgoing call routed to them, so they decide they need to authenticate me.

The method they choose to do that, though, is to ask me for a phone number to which they can send an authentication code. I give them the phone number I'm using - the one they called me on. They ask if I want a text or a voice call. Tempting though it would be to put them on hold while I accept the voice call with the security code, I opt for the text message. Phone buzzes, I read out the number, and they seem happy with the result.

I really hope that when they asked me for a phone number they verified it against a list of known numbers associated with the account, but... it really wasn't clear in the context of the interaction.

This works as long as you're not talking to the scammers who themselves made the fraudulent transactions (which would be why they knew the times, locations and amounts involved).

A bit of a stretch perhaps :)

This is no longer a valid tactic. The phone number can, has, and will be spoofed.

For those worried about a situation like this, I set up automated purchase alerts on my credit cards and withdrawal alerts on my bank accounts. I see it all in close-enough-to-real-time, and it's helped me catch fraud before the banks did at least twice in the past few years.

I do the same. At Chase you can set up push alerts for any transaction greater than $0.01 (it won't accept zero).

It's nearly real-time. In any drive-thru I'll have the notification on my phone before the card is handed back to me.

Super cool, thanks for sharing this!

Also, for anyone that doesn't know: you can request an old school ATM card (not a debit card, i.e. no MC/Visa logo) from your bank and use a credit card for purchases instead.

This reduces the exposure of a critical account. And if you do become a victim of fraudulent charges, you don't have to worry about your bank account being drained immediately (possibly resulting in overdrafts, etc).

Also have two accounts:

- Account #1: salaries and deposits go here, no ATM

- Account #2: gets regular transfers from account #1, whatever you spend each week on your ATM, has an ATM, blocked on overdraft

If ATM is compromised the only money at risk is whatever is left in Account #2

This minimizes your exposure

Card skimming has become so rampant where I live that I don't ever put a bank or credit card in a gas pump.

I got a gas company card (non-Visa/MC) with a super-low limit, and when I need to buy gas I make a payment online with my phone, then pump away knowing if it got skimmed, the perps would probably throw the info out because it's not usable anywhere else, and even if they used it at the gas station, they'd only get $10.

The local sheriff was on TV last year telling everyone to only pay cash for gas — never put a credit or debit card in a gas pump card reader.

How quick does the payment from your phone go through? Australia's only just implemented fast cross-bank transfers (PayID) but the implementation compromised privacy and only works in some circumstances.

It’s not cross bank. But because I have a history of paying the gas card from a particular checking account, I get credited for it instantly.

Where do you live?

People have a lot of reason to shit on Wells Fargo for its previous unethical practices (loan scandals, etc), but they do have a good feature for email notifications of every individual transaction on a credit card or debit card. The emails are quick, too; if you take out cash from an ATM the email arrives at my mail server in less than 60 seconds.

>it really stinks on both sides

I disagree. I think that a there has been a massive amount of misplaced trust in the random inbound calls and caller ID. We should have cleaned it up a long time ago. Now that there is widespread abuse of it, maybe there will finally be some security measures put in place.

Tell them you'll call them back, and call the number on the back of your card -- even without a case number, there should only be a limited number of things wrong with your account and you probably want to fix all of them :).

Otherwise the next scam will be to put an obviously-fraudulent transaction on a card, then phish for the rest of your details so they can get cash, rather than just charge-backs.

Here’s another trick that sometimes works: call the “collect” number instead of the toll-free one.

The company may put you in a faster queue because they think they’re paying $$$/minute for the call.

Always remember that any legit financial institution will (should) have no problem giving you a case or reference number and letting you call back in to their public customer service number.

My bank's fraud department sent me a voicemail saying my card had been deactivated and I needed to call them at 1-800...

Yeah, fuck you. I'm not calling a fraud prevention number that was given to me over the phone and more to the point, what is wrong with you for asking your customers to trust people that called them on the phone.

I called the main switchboard for the bank and couldn't find the fraud number from there. They got an earful about that too. None of this is okay, including why they flagged my card (Not for buying a TV and a bluray player, no. For getting a $8 car wash on the way home...)

Yes! This happened to me too and is very alarming. It’s training users to fall for phishing.

I’m not sure what a correction looks like though. Should they call customers and instruct them to find or verify a phone number and call back? Instruct them to log into their online account? That would be fine for you and me, but I’m thinking of the average cardholder.

Telling them to call the customer service number on their credit card seems pretty good?

I just got one of these that had me call a DIFFERENT number than the one that was on my credit card -- the whole time I was thinking it was probably a phishing thing as I was giving them all my info, but in the end it was to ask if I had really made a charge that I _had_ really made the day before (in a city I'm not normally in)... so I'm pretty sure it was legit. Probably?

Oh duh, thanks. You're obviously right. I was thinking of my experience when I was out and didn't have that card on me.

I believe that phone companies are complicit in this criminal activity, as they seem to have virtually no interest in actually stopping it. I've already turned off calls on my phone because "why bother", and more and more people I know are doing the same thing. The phone companies probably make so much on streaming that they don't give a shit about the phone system. This is a really bad thing for crime, but might help accelerate the death of a decades-obsolete technology.

> I've already turned off calls on my phone

How do you do that on an Android phone?

My phone is a Galaxy S5 with Android 6, but it's here:

Settings > Call > Call Rejection > Auto reject mode

Set it to "All incoming calls".

How come in 2018 we can't get a reliable CallerID? Surely this is something that could be simply regulated.

Perhaps there should be a few types of CallerID - verified, physical and nominated. Eg a company calls you with a verified ID (like TLS), a local number from a single line is physically authenticated and anything else is just a best guess. That way we can filter more reliably.

In Germany we separately transmit the actual caller ID, which you can get shown based on your phone's UI. This can't be spoofed, or rather, it's illegal to do so under https://www.gesetze-im-internet.de/tkg_2004/__66k.html . "mit einer Geldbuße bis zu hunderttausend Euro," is the wording for how much you'll pay if you, with intent or through negligence, transmit a number you are not assigned when you are user, or, if you are a telco, meddle with this header field _at_all_ if you didn't generate it, or didn't make sure it's a valid numbering scheme and not some premium number/short-dial-code. It's not limited to this, and so far this has not been a problem in Germany, at least as far as the CLIP itself goes, as the CLIP -no-screening- which the user can provide through his PBX if configured and contracted does sometimes, but rarely, mess up. Also we have a caller-pays system with a split between fixed-area landlines and floating mobiles, which seems to alleviate some of the problems with robocallers (the cost to even just waste the caller's time).

Most likely because the majority of senate and congress-people want to always have the option to hire cold calling companies to send their emergency message, be it some senator accused of using gov funds to sponsor his mistress or simply to get an advantage in an upcoming political race.

Same reason you still get junk mail. Money.

No options. Make it mandatory and make it unable to be faked.

It wouldn't really need to be mandatory, just something that cell providers and reputable businesses provided. Then phone companies could start rejecting anything that didn't provide it.

But how does the telco in the last node know the caller id is accurate? They can only tell that the data is coming in that direction but it could have been routed multiple times before (if phones work like the internet protocol). The only telco who can ensure that must be the one who initiated the call (exactly like IP spoofing).

... so, make it mandatory

I'm at the point where I don't answer the phone unless I know the number calling me or I'm expecting a call.

Yeah, even my friends don't call me (they use Whatsapp/SMS), so why should some random marketeer have the privilege of actually talking to me on the phone?

The issue, as I understand it, is that the SS7 telephone network is completely insecure assuming that you have the ability to connect to it. Shady gateway providers will allow you the privilege, and once you're in, you can do just about anything.

There is precious little within SS7 to prevent or respond to spoofing. It's a major nightmare for telephone companies.

It seems that what changed is that sometime in recent years it became much easier for shady gateway providers to remain in business. In earlier times, it would appear that originators of fraudulent caller ID data were shut down rapidly.

The telecom "industry" has seen massive market compression, with players who rarely innovate. It's sad that Scam ID is considered groundbreaking IMO; the implementation is pretty crummy.

How did spoofing work vis-a-vis those with 1-800 inbound lines? I was under the (mis?)impression that those users were protected against spoofing because they were (are?) billed by inbound call duration.

> It's a major nightmare for telephone companies.

Disagree. It's a bug for the telcos, and a major nightmare for the rest of us.

There's two means of number identification -- caller id (CID), and automatic number identification (ANI). ANI used to be a lot harder to spoof than CID; likely because ANI is always delivered out of band, and some early CID spoofing was done by just overplaying in-band CID. On the consumer side of things, you're allowed to disable CID on outgoing calls, but not to disable ANI.

Toll free routing may be less amenable to grey routes and things as well. International callers aren't "supposed" to be able to call US toll free numbers, which may make it harder to get to. I've seen some companies claim that they can use call routing information to toll free numbers to get accurate caller id information in some countries; but I would never trust it.

You also shouldn't trust the source IP, or the return address on a standard envelope in the mail, unless you have convincing evidence. It's hard to think of an example of a source address in communications that's really trustable.

Having spent a bit of time working on projects that touch the phone network, I think it is a 'major nightmare' in the Lovecraftian sense--I for one am forever changed by what I saw.

As for billing, it is usually based on the destination number, and your originating telco, unless I am misunderstanding your question.

Does this imply I should answer the 1-800 calls and keep them on the line as long as possible? :D

If you suspect a scammer called you, always keep them on the line as long as possible. Feed into the scam and act as gullible as possible, give them fake cc numbers, etc.

Best to extract as much info as possible, business name, callback numbers, email addresses, etc. The more info, the easier it is for the FCC to bring enforcement action against fraudulent callers.

haha, "four-flag key" is still an inside joke with my family because of how many times we got a scammer to say it while they "provided tech support" to us :)

If it's "completely insecure," then why aren't there reports of people correctly dialing their bank's phone number and being connected to a scammer?

The insecurity comes from the fact that once a call is in the network, it is mostly passed off without validation or verification. You only need to find someone willing to carry your call in to the network, and the rest takes care of itself.

To change the routing of a call other than yours would require you to access a carrier's systems and change where the call is routed to--which is substantially more difficult.

Kind of like ip routing, email routing, or even physical mail routing.

It's completely insecure because someone could call you, spoof your bank's number, and claim to be your bank.

http - ISP injects sales/billing garbage in the response. Completely insecure!

phone - I dial the number my bank gave me and no man in the middle ever answers or interrupts. But still completely insecure!

Now imagine you see me trying to enter my credentials over an http connection to AwfulBank.com. "Stop! That's completely insecure!" you say. "Sure, but so is calling a bank using the phone number they gave me."

If both cases are already completely insecure, why am I wrong?

Can anyone offer any insight into the latest series of odd phone calls I've been noticing, where you get either a private number or an out-of-state number calling you, and then it sits in silence until you utter a word, at which point it hangs up?

I've experienced a few so far over the previous months. I've even experimented by not saying anything for an extended time - up to about 30 seconds of silence (and then it usually hangs up itself). But the next time it happens, if you say 'hi' within a few seconds, it immediately hangs up afterwards. Like it's waiting for a verbal prompt.

The apathetic part of me thinks 'maybe it's a robocall that's bugging out', but then the pessimistic part of me wonders 'are they trying to sample my voice'.

One reason for calls that get instantly disconnected is that when these systems will call up, say, 10 people at a time, 8 won't answer, so there's no reason to tie up 10 operators waiting for someone to answer. So they don't connect you to an operator until you actually pick up the phone/interact. But if they miscalculated and 4 people answered, they don't have enough operators and they just hang up.

Interesting, I wasn't aware this could be the case.

We (Nomorobo) have a bunch of recordings of this type of scam. They're scary.


Love your service! I've been using it for a few years now I think and it's really helped. Thanks!

Thanks! I really appreciate the support. These voice spam calls have gotten out of control.

Who are the people manning the phones for the scam? Does it really pay better than a real job? I mean if you have the skills to scam like this you have skills that are valuable to legit business as well, no?

I knew a few criminally-minded people back in high school and my early 20's (I don't associate with them anymore.) The thing that always struck me about the "criminal mind" is that they were ready and willing to work hard, as hard as or often harder than at a real job, to try to make money. I asked one guy once about it and he basically said that it was the idea of getting over on society, or "the Man", or something. "Getting away with it."

This same guy also refused to open a saving account, but he would buy CD's (certificate of deposit) with ~3 month terms, and pay down the payments, because it felt like having twice as much money. To him it felt like he got to spend the money (that he used to secure the CD) twice: once with the money the bank loans him, and then again when he pays off the CD and they give him his original money back.

Now, this is insane. He's just giving the bank some money.

I asked him about this because it's so crazy, and he said "I can pay bills", meaning that he can psychologically deal with the idea of having to hustle to pay the ongoing payments on the CD, but (for whatever reason) he can't just give some of his money to the bank and not touch it. He literally can't feel right about savings. So he does this weird thing that basically inverts the whole idea of banking. He even knows it's crazy but it's a working equilibrium for him.

Anyhow, I wrote all that in the present tense but this was years ago and I lost touch with the guy.

I am astonished that the scammer-telemarketers who can sit there and carefully run these scam-scripts on marks don't just go get legit jobs. I wonder what economic context they are in? Or are they just, uh, morally corrupt, or something? The mystery of the criminal mind.

Reply All decided to try to get to the bottom of a specific "tech support" scam, which might shed some light.


> because it felt like having twice as much money

Hmmm... Here's a strange thought: What if that was a way of dealing with a gambling addiction (or something similar, since I understand risk to be part of the addiction), except you lose significantly less than you would have gambled without the loan?

Number one advice I give my family: never give out any information (no matter how inconsequential it seems) to a person purporting to be from a company calling you. Hang up and call the company yourself using a trusted number (e.g., the number on the back of a credit card).

Banks should really just stop calling customers and taking them through security. If there's something urgent, the protocol should be that they call you, give you a ticket number, and tell you to call them back on the bank's standard number for customer service. Anything else just conditions people to expect incoming calls with security questions which will always result in scammers finding a way through.

This can also be scammed due to the timeout "feature" in telephone systems. I.e., the scammer calls, tells you to call the number on your card. You believe they hung up, but they are still on the line. When you pick up your phone again, you're still connected, and they're playing a dial tone.


How many people still use landline phones? I don't know anyone.

Now the real trick is to get this to work with cellphones :)

More and more, my plan seems wiser.

I’ll generally get a phone call like this, and hang up and re-initiate a request myself starting from the phone number listed on my card.

This. I'm also happy to phone a direct number that they give me (e.g. subdepartment), as long as I can find the telephone number listed on their public web site.

The sticky ones are things that seem to somehow be tied into people at the actual company scamming - my parents recently got a scam Openreach call within a few hours after calling to complain that their telephone had been disconnected a week earlier than promised. They had knowledge of the complaint call, but did the standard scam walkthrough of looking at event viewer and asked for the router ip address.

See also the conveyancing scams whilst buying houses where phishers impersonate the exact solicitors email format and know exactly when the monetary transfer is supposed to take place in order to get you to pay a different bank account.

Do we need a certificate authority for phone numbers now?

That would actually be a very good idea to cut down on number spoofing.

Yeah I figured as such. You could pass a hash to a certificate via caller ID

You can still be scammed by this technique if you're answering on a landline:


If I were able, I would disable incoming telephone calls entirely (consider that a feature request, Apple). The phone system today is fundamentally untrustworthy because of caller ID spoofing, and the phone companies involved are culpable for not addressing this problem.

A new ID system using PKI could eliminate the spoofing problem completely. Yes, I'm sure it would require a huge coordinated effort. Given spam calls will exceed 50% of all calls next year [1], this should be seen as an existential crisis for phone companies.

[1]: https://finance.yahoo.com/news/spam-robocalls-will-soon-acco...

Public-key identity verification wouldn't even require substantial upgrades to anything except the phone hardware itself - when making the call, just convey the signature upon connection via a dialup-modem-like encoding, and the receiver may at their discretion neglect to connect their audio hardware to the line until after verifying that data.

(Could even use some kind of PoW as another option, for calls where the receiver is unlikely to have received your public key yet.)
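The signed-assertion idea in the two comments above, worked through as an added example in Go (this is not code from the thread or from any phone vendor). It assumes a constructed assertion format, Ed25519 keys, that the receiving phone obtained the bank's public key out of band, and made-up phone numbers. The point it shows beyond the comments: verifying a signature is not enough on its own, because a captured assertion can be replayed and an old one can be reused, so the receiver also checks freshness, the intended callee, and a nonce cache.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"encoding/base64"
	"errors"
	"fmt"
	"strings"
	"time"
)

// CallAssertion is what a caller would transmit at call setup. The field layout
// is an assumption for this example, not any standard.
type CallAssertion struct {
	From      string // asserted calling number
	To        string // number being called
	IssuedAt  int64  // Unix seconds
	Nonce     string // random; lets the receiver reject a replayed capture
	Signature []byte
}

// signingBytes fixes the exact byte string both sides sign and verify.
func (a CallAssertion) signingBytes() []byte {
	return []byte(strings.Join([]string{a.From, a.To, fmt.Sprint(a.IssuedAt), a.Nonce}, "|"))
}

// SignCall is the caller's side: build the assertion and sign it.
func SignCall(priv ed25519.PrivateKey, from, to string, now time.Time) (CallAssertion, error) {
	nonce := make([]byte, 16)
	if _, err := rand.Read(nonce); err != nil {
		return CallAssertion{}, err
	}
	a := CallAssertion{From: from, To: to, IssuedAt: now.Unix(),
		Nonce: base64.RawURLEncoding.EncodeToString(nonce)}
	a.Signature = ed25519.Sign(priv, a.signingBytes())
	return a, nil
}

var (
	ErrUnknownCaller = errors.New("no trusted key for asserted number")
	ErrWrongCallee   = errors.New("assertion not issued for this number")
	ErrStale         = errors.New("assertion outside freshness window")
	ErrBadSignature  = errors.New("signature does not verify")
	ErrReplay        = errors.New("nonce already seen")
)

// Verifier is the receiving phone's side: trusted keys per number plus a replay cache.
type Verifier struct {
	Keys   map[string]ed25519.PublicKey
	MaxAge time.Duration
	seen   map[string]bool
}

func NewVerifier(maxAge time.Duration) *Verifier {
	return &Verifier{Keys: map[string]ed25519.PublicKey{}, MaxAge: maxAge, seen: map[string]bool{}}
}

// Verify returns nil only if the assertion is addressed to us, fresh, signed by
// the key we hold for the asserted number, and not a replay.
func (v *Verifier) Verify(a CallAssertion, myNumber string, now time.Time) error {
	pub, ok := v.Keys[a.From]
	if !ok {
		return ErrUnknownCaller
	}
	if a.To != myNumber {
		return ErrWrongCallee
	}
	skew := now.Unix() - a.IssuedAt
	if skew > int64(v.MaxAge.Seconds()) || skew < -int64(v.MaxAge.Seconds()) {
		return ErrStale
	}
	if !ed25519.Verify(pub, a.signingBytes(), a.Signature) {
		return ErrBadSignature
	}
	key := a.From + "|" + a.Nonce
	if v.seen[key] {
		return ErrReplay
	}
	v.seen[key] = true // recorded only after every other check passed
	return nil
}

// Demo runs the thread's scenarios: a genuine bank call, a spoofer asserting the
// bank's number with their own key, a replayed capture, and a stale assertion.
func Demo() map[string]string {
	bankPub, bankPriv, _ := ed25519.GenerateKey(nil)
	_, spooferPriv, _ := ed25519.GenerateKey(nil)
	const bank, me = "+15550100100", "+15550100999" // constructed numbers
	now := time.Date(2018, 10, 1, 12, 0, 0, 0, time.UTC)

	v := NewVerifier(2 * time.Minute)
	v.Keys[bank] = bankPub // assumed to have been obtained out of band

	out := map[string]string{}
	report := func(name string, err error) {
		if err == nil {
			out[name] = "ok"
		} else {
			out[name] = err.Error()
		}
	}
	genuine, _ := SignCall(bankPriv, bank, me, now)
	report("genuine", v.Verify(genuine, me, now))
	spoofed, _ := SignCall(spooferPriv, bank, me, now)
	report("spoofed", v.Verify(spoofed, me, now))
	report("replay", v.Verify(genuine, me, now.Add(10*time.Second)))
	stale, _ := SignCall(bankPriv, bank, me, now.Add(-time.Hour))
	report("stale", v.Verify(stale, me, now))
	return out
}

func main() {
	for name, result := range Demo() {
		fmt.Printf("%-8s %s\n", name, result)
	}
}
```

The receiver only needs a directory of number-to-key mappings and a small cache; nothing in the switching network has to change, which is the point the comment makes. Key distribution is the hard part the example assumes away: the spoofed case fails here only because the phone already holds the genuine key for that number.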

The latest scam I've experienced is when I last sold my car through craigslist recently. I would get voice calls, the person says hello, starts asking about my car and the call would cut off.

Then I would get a text saying, "sorry, bad signal or it's loud where they are." At that point, a chat bot takes over asking questions about the car and talking about how they really want to buy it but need to make sure that it has no accidents and that I should get a car verification report and if it has a clean history they will buy it. A link is then sent to me via text.

What I haven't figured out is if they are going to steal the CC info if entered in the link or give me some bogus report that costs $5 to acquire and charge me $100 for it.

Usually, the scammer is getting an affiliate commission whenever you complete the verification report.

You see this a lot with job listings and rentals where the scammer will link to a background check as a condition of hiring/renting.

It's typically not CC theft, but CPA spam. CPA spam is incredibly common on craigslist. - https://en.wikipedia.org/wiki/Cost_per_action

I've gotten that request via email before and nearly fell for it once. I also ended up buying a Carfax just in case people started referring me to other sites just to push them a bit ("I have a carfax, is that okay?").

The amount of spam calls is fucking insane, the FCC needs to seriously crack down. Start fining telecom companies a buck a call and I think the problem would go away. Hell, make it 5 dollars for every call after the first ten thousand, I receive at least 5-10 a day. If it is an obviously spoofed number make it 50 dollars. The telecoms have the capability to deal with it, they simply have no incentive to bother.

I've had a conversation with my cell carrier where I asked to block Texas and Florida, every area code in those states. Apparently that is not possible.

What do I have to do to get my iPhone to only allow calls from my contact list, without using DND 24x7? Something has to happen for this setting to come out. Will it take enough spam calls to a CEO of a major company to come out with it?

I like this but it will only help a little and temporarily. I've received calls from my own number. Given the amount of data out there in social media and seeing friends of friends, the scammers will be able to call you from a number that is in your contact list. The phone system needs a new layer but one that is optional. If a call comes in via the old layer, your phone warns you that this call may be fraud.

NumberShield lets you block wildcards while letting your contacts through.

It won’t let you specify a ‘global’ wildcard, but I find blocking my own area code is generally sufficient. Most scammers and spammers spoof your local area code these days, and Nomorobo is pretty good at filtering out those that don’t.

Between those two apps, I go months without unwanted calls. I used to get them daily.

Set your default ringtone to a minute of silence.

Set a custom ringtone for people you will accept calls from.

I am interested to understand how these attacks work. The article states, after the victim disclosed the CC number there were ATM transactions performed using it.

How are scammers able to generate a physical card in the first place to perform an ATM transaction? Is it something similar to card skimming with cards having a magnetic stripe? Can this attack be performed with cards using chips?

Also I often come across a fraudulent transaction being performed even if only the credit card number is disclosed, while the CVV and expiry date are not. As per my understanding all 3 pieces of info are needed to perform a transaction.

Does anyone have some resource where these attacks are discussed in detail and how they are carried out?

Yes, some countries still use the magnetic stripe for authentication, or allow fall-back onto it if the chip “fails”.

We all make mistakes, so I'm hesitant to ever say they should have known better. But...

> Even technology experts are getting taken in by some of the more recent schemes (or very nearly).

Rule number one about phone scams, which I've seen repeated numerous times so "technology experts" should know this ... _always_ verify and call the number back. I was under the impression that was common knowledge?

The scams iterated in this article, no matter how complex, would all have been prevented by that simple and pervasive rule.

> “People I’ve talked to about this say there’s no way they’d fall for that, but when someone from a trustworthy number calls, says they’re from your small town bank, and sounds incredibly professional, you’d fall for it, too,” Haughey said.

When someone from a trustworthy number calls, says they're from your small town bank, and sounds incredibly professional, you follow the exact same rule. Hang up. Verify the number. Call back.

Again, even the best of us make mistakes, so I'm not trying to be critical of the victims here. I'm just surprised is all.

> _always_ verify and call the number back

Fine in principle, but banks do call, and often have no direct dial, as a matter of policy, for whoever you're speaking to.

So it becomes verify the number, call back, and spend 30+ minutes in a queuing system before some lowly call centre worker on another continent incorrectly tells you they can't connect you to the xyz department.

It used to work before call centres and all the small banks became just branding on the front of one of the big 4. You were even allowed the phone number of the local branch! That's the UK market btw.

Yeah. I worked in banking during the crash. Upper mgmt literally told us to pretend we were XXX small bank (on a list of banks) if someone called and asked about it. Even though we were just large bank 1-4 that bought them.

Most robo-callers feel like Phishing scams. I've been contemplating giving up my cellphone and just using a Calyx mobile data (https://www.calyxinstitute.org) and use Signal, email and Mumble only. Anyone else do something like this successfully?

I did it for 6 years when I lived in Germany. I had a data only sim card and a google voice US phone number.

Verdict: It's not doable if you want it to work 100%. And in the US I would say it's not doable at all because Android/dumbphone users are still using SMS instead of a messenger app like Whatsapp, so you have no way of communicating with them at all.

The biggest problem for me was online services that want to verify your account via your phone number. They don't understand not having a phone number. And about 20% of the time, they block VOIP phone numbers for verification purposes, so your google voice number won't work there either. Literally no way to move forward there other than ask a friend to let you borrow their number or use your burner phone or something.

You also can't sign up for Whatsapp without a phone number, but luckily it does work with google voice.

Google voice also doesn't let you set it up so your device gets incoming calls unless you forward them to a real phone number. So you can only make calls with it, not receive. Maybe some other VOIP solutions are better at this. The google voice app on iOS is pretty shitty.

Now that I'm back in the US, I had to get a phone number because messenger app adoption is very very low. iOS users are fine because iMessage is awesome, but for people on Android, there's just nothing. They still use SMS. Maybe you can get around this with VOIP, but I didn't want to hassle with it.


I'm not concerned about Whatsapp, and I figured I'd use Twilio for text messages. Out of service phones can still call emergency services, 911. My main concern is being "that guy" who everyone has to make exceptions for when contacting.

I've had an Asterisk box for about 10 years now, mostly to deal with the tide of junk calls, and it has worked nicely. I first just blacklisted numbers (and sometimes whole prefixes), but now I use a CAPTCHA that handles the robocallers beautifully. Calls from known numbers get to ring through without the CAPTCHA.

Still, I've been paying too much for that crusty old landline, and finally got motivated to do something about it. I just ported it out last month, and the new VoIP service I'm using costs less per month than what AT&T was charging just for Caller ID. Even funnier, they offer telemarketer blocking like I've set up, at no extra charge.

Farewell and f*ck you very much, AT&T. You didn't even lift a finger to ensure that the Caller ID I paid for was accurate.

Could you please point to guides / docs / references for setting this up?

Might make some good HN submissions ;-)

Here's a good starting point:


Of course, with Asterisk, you can get downright crazy if you wish.

A bit more of a "getting started" guide than this, actually.

Hardware, configuration, concepts.

Yeah, I'd like to start simple, basic, and effective.

I haven't even had a debit card issued for my core bank account, and there is very little chance I ever would at this point. There just isn't a good reason to put my money at risk when I can use a variety of credit cards instead, and just pay them off every month. On the rare occasion I need cash, I can do a cash advance (with an associated charge....really useful motivation to avoid needing cash more than once or twice a year).

Unrelated, but I'm pretty sure I know what credit union they're talking about. Super nice place that is focused on the tech workers in the Portland area, and I've always had good experiences with them.

We deal with this on a semi-monthly basis at the hospital I work at. We'll hear from one department ("Hi, this is the Emergency Dept, all our phones are busy with a robocaller") then it will roll across other departments for about 20-30 minutes. The best our telecom team has come up with is to take the numbers, give to the FBI, and ¯\_(ツ)_/¯. Last time, they had spoofed the number of FedEx so we couldn't even report that.

Most are very noticeable for being in Chinese and tying up multiple lines at a time. That's not really great though, like in the example, when it's all the phones in the ED.
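The pattern described in the two comments above (one calling number rolling across many extensions over 20-30 minutes) is something a telecom or SOC team can detect from call-detail records before the complaints arrive. The following Go program is an added example, not the hospital's tooling or anything from the thread: it parses constructed CDR lines of the form `timestamp,calling_number,extension` (all numbers and extensions are made up) and flags any caller that reaches a threshold of distinct extensions inside a sliding window. The repeated-extension caller at the end of the sample is deliberately not flagged, to show that the rule keys on breadth across departments rather than raw call volume.

```go
package main

import (
	"fmt"
	"sort"
	"strings"
	"time"
)

// Constructed call-detail lines: timestamp,calling_number,extension.
// +15550100777 plays the role of a spoofed display number sweeping departments;
// +15550123456 is an ordinary caller; +15550199999 hammers one extension only.
const sampleCDR = `2018-10-01T09:00:05Z,+15550100777,4101
2018-10-01T09:02:10Z,+15550100777,4102
2018-10-01T09:04:30Z,+15550100777,4103
2018-10-01T09:05:00Z,+15550123456,4101
2018-10-01T09:07:15Z,+15550100777,4205
2018-10-01T09:09:45Z,+15550100777,4206
2018-10-01T09:12:00Z,+15550100777,4310
2018-10-01T09:30:00Z,+15550123456,4205
2018-10-01T11:00:00Z,+15550199999,4101
2018-10-01T11:00:40Z,+15550199999,4101
2018-10-01T11:01:20Z,+15550199999,4101
2018-10-01T11:02:00Z,+15550199999,4101
2018-10-01T11:02:40Z,+15550199999,4101`

type CallRecord struct {
	At     time.Time
	Caller string
	Ext    string
}

// ParseCDR turns the three-field lines into records, rejecting malformed input.
func ParseCDR(text string) ([]CallRecord, error) {
	var recs []CallRecord
	for n, line := range strings.Split(strings.TrimSpace(text), "\n") {
		f := strings.Split(strings.TrimSpace(line), ",")
		if len(f) != 3 {
			return nil, fmt.Errorf("line %d: expected 3 fields, got %d", n+1, len(f))
		}
		at, err := time.Parse(time.RFC3339, f[0])
		if err != nil {
			return nil, fmt.Errorf("line %d: %w", n+1, err)
		}
		recs = append(recs, CallRecord{At: at, Caller: f[1], Ext: f[2]})
	}
	return recs, nil
}

type Alert struct {
	Caller     string
	Start      time.Time
	Extensions int // distinct extensions reached inside the window
}

// DetectSweeps flags every caller that reaches at least minExts distinct
// extensions within any window-long span, one alert per caller.
func DetectSweeps(recs []CallRecord, window time.Duration, minExts int) []Alert {
	byCaller := map[string][]CallRecord{}
	for _, r := range recs {
		byCaller[r.Caller] = append(byCaller[r.Caller], r)
	}
	var alerts []Alert
	for caller, calls := range byCaller {
		sort.Slice(calls, func(i, j int) bool { return calls[i].At.Before(calls[j].At) })
		for i := range calls {
			distinct := map[string]bool{}
			for j := i; j < len(calls) && calls[j].At.Sub(calls[i].At) <= window; j++ {
				distinct[calls[j].Ext] = true
			}
			if len(distinct) >= minExts {
				alerts = append(alerts, Alert{Caller: caller, Start: calls[i].At, Extensions: len(distinct)})
				break
			}
		}
	}
	sort.Slice(alerts, func(i, j int) bool { return alerts[i].Caller < alerts[j].Caller })
	return alerts
}

func main() {
	recs, err := ParseCDR(sampleCDR)
	if err != nil {
		panic(err)
	}
	for _, a := range DetectSweeps(recs, 30*time.Minute, 4) {
		fmt.Printf("%s reached %d extensions starting %s\n", a.Caller, a.Extensions, a.Start.Format(time.RFC3339))
	}
}
```

Because the calling number in such a flood is usually spoofed, the alert is a trigger for blocking at the PBX or for a temporary CAPTCHA on unknown callers, not evidence about who is behind it.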

>That made Sasser pause. Wouldn’t an actual representative from Wells Fargo’s fraud division already have access to his current PIN?

No, nobody has access to your PIN, if you forget it you need a new card.

> if you forget it you need a new card

That's not true - you can reset your PIN if you go to a physical Wells Fargo location, I've done it.

Resetting a PIN is different from having access to the old PIN number. Obviously some system in the bank has to verify that the PIN you enter at an ATM matches the one you selected but resetting is a separate operation that does not require the original number.

This highlights what I see as the biggest security weakness with banking and online services -- identity verification is only one-sided. Protocols like passwords, PINs, biometrics, secret questions only authenticate the customer and not the service provider. Moreover, no one is talking about this huge weakness. For there to be trust, both sides need to be trusted.

For apps, this could be a one-time code validated in the app. As a fall back there could be a unique shared "service pin" that gets rotated.
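The rotating "service pin" suggested above can be built from the same HMAC-based one-time-code construction customer logins already use, just in the other direction. The Go program below is an added example (not code from the thread, and not any bank's scheme): it assumes a per-customer secret enrolled in the app, derives a separate key for bank-to-customer codes so a code read out by an agent can never double as the customer's own login OTP, and uses the RFC 4226 HOTP truncation with HMAC-SHA256 over a 30-second time step. The app accepts one step of skew in either direction, because the agent may read the code just as it rotates.

```go
package main

import (
	"crypto/hmac"
	"crypto/sha256"
	"encoding/binary"
	"fmt"
	"time"
)

const (
	stepSeconds = 30 // how often the service code rotates (assumed value)
	codeDigits  = 6
)

// serviceKey derives a distinct key for bank-to-customer codes from the
// customer's enrolled secret, so the two code streams never collide.
func serviceKey(customerSecret []byte) []byte {
	m := hmac.New(sha256.New, customerSecret)
	m.Write([]byte("service-authentication")) // domain-separation label, constructed
	return m.Sum(nil)
}

// hotp is the RFC 4226 construction (HMAC, dynamic truncation) using HMAC-SHA256.
func hotp(key []byte, counter uint64) string {
	var buf [8]byte
	binary.BigEndian.PutUint64(buf[:], counter)
	m := hmac.New(sha256.New, key)
	m.Write(buf[:])
	sum := m.Sum(nil)
	off := sum[len(sum)-1] & 0x0f
	code := (uint32(sum[off])&0x7f)<<24 | uint32(sum[off+1])<<16 | uint32(sum[off+2])<<8 | uint32(sum[off+3])
	mod := uint32(1)
	for i := 0; i < codeDigits; i++ {
		mod *= 10
	}
	return fmt.Sprintf("%0*d", codeDigits, code%mod)
}

// ServiceCode is what the bank's agent reads to the customer at time t.
func ServiceCode(customerSecret []byte, t time.Time) string {
	return hotp(serviceKey(customerSecret), uint64(t.Unix()/stepSeconds))
}

// VerifyServiceCode is what the customer's app runs on the spoken code,
// tolerating one step of clock skew either way. Comparison is constant-time.
func VerifyServiceCode(customerSecret []byte, code string, t time.Time) bool {
	key := serviceKey(customerSecret)
	step := t.Unix() / stepSeconds
	for d := int64(-1); d <= 1; d++ {
		if hmac.Equal([]byte(hotp(key, uint64(step+d))), []byte(code)) {
			return true
		}
	}
	return false
}

func main() {
	secret := []byte("constructed-enrolment-secret-for-demo")
	now := time.Now()
	code := ServiceCode(secret, now)
	fmt.Println("agent reads:", code)
	fmt.Println("app accepts it:", VerifyServiceCode(secret, code, now))
	fmt.Println("app accepts it under another customer's secret:", VerifyServiceCode([]byte("other"), code, now))
}
```

The code proves only that the caller holds this customer's enrolled secret; it says nothing about the caller ID, so it complements rather than replaces the "hang up and call the number on the card" rule. A real deployment would rate-limit verification attempts in the app, since six digits offer little resistance to guessing otherwise.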

Well, I think these scammers will always try to steal our money by using hundreds of methods and tricks. Almost everyday I could read dozens of complaints and reports filed at social media and also sites like http://whycall.me about phone scams. We need to keep informing our family about these scams. They are never getting tired of trying.

One of the issues is that the scams adapt themselves to current "best practices" (use known information to reassure you, tell you not to divulge other pieces of information) - whereas the legitimate institutions use poor practices.

When I call my bank, they ask for verification by giving an account number, credit card and expiry details (!)

Good news, everyone, the industry is moving towards SIP! Bad news is that it's just as bad. There are no improvements in security because that would break backwards compatibility.

Also, there's no one who wants to pay extra for security, and the telecoms industry has the virtue of laser-like focus on money.

The sad thing is that I am old enough to remember when a call from the bank meant that the director of my local branch office or however someone I knew personally was on the phone, usually to ask to go to their offices because something needed my presence/signature.

I remember that, too. It was a huge deal if a bank called you.

Now, when I go into a Chase or Citibank or whatever branch with a question, all the "banker" guy does is call the same 800 number I would have called, and wait on the same 40 minute hold as I would have. They don't even have special in-house IVR anymore.

Meanwhile, I drink all their free coffee.

Why has Apple/Android not added the ability to reject (or at least send directly to voice mail) all calls outside of contacts, and make this the default setting?

Seems like this would solve almost all of these problems.

It’s a hard problem to solve since being able to set your own outbound caller ID number is so critical for the phone business: call forwarding, picking which trunking provider to send a call out through, etc.

When receiving a call from your bank's contact centre, always thank them, hang up and call the number on the back of your card.

This should be the standard advice from banks to their customers.

This is why I don't answer the phone unless it's a contact. Everyone else can leave a message.

Did you read the article? Many people have their bank or credit union in their contacts. This won't help if they're spoofing a bank number.

> Cabel Sasser is founder of a Mac and iOS software company called Panic Inc. Sasser said he almost got scammed recently after receiving a call that appeared to be the same number as the one displayed on the back of his Wells Fargo ATM card.

Might as well put your Social Security number and PIN in your phone too. Bank phone numbers in your contacts are a huge vulnerability. Just Google them when needed... or you know, look at the card.

FYI it's against the guidelines to suggest a commenter hasn't read the article. You can make the same point without being insulting or presumptuous in that way.

I don't think I've even heard about such an issue in the EU.

Easy solution: don’t answer phone calls from those not in your contacts.

Huh? The caller ID was spoofed. Read the article.

> Cabel Sasser is founder of a Mac and iOS software company called Panic Inc. Sasser said he almost got scammed recently after receiving a call that appeared to be the same number as the one displayed on the back of his Wells Fargo ATM card.

It didn’t say wife, friend, mom, joe, etc... you know, people you entered into your contacts.

Personally, if someone needs to get a hold of me outside of my contacts, email or text me and I’ll get back to you accordingly.
