Having said that, always assume someone calling you is a fraud. If your "bank" calls you, tell them you'll call back and don't call a number they provide over the phone or in caller ID. If you can't find a reliable number to the bank, drive over there. The bottom line is that you can't trust anyone who calls you.
Think of incoming CLID in the same way that you do email From: addresses. Often and easily faked. Funnily enough both my office PBX and SMTP daemon check incoming CLID/HELO and drop attempts to spoof their own identity. It's not a particularly sophisticated protection these days but is one of many, many rules. Actually, now I come to think of it, my firewalls also check for inbound IP spoofing on their own IPs.
As the OP stories highlight, your mental firewall must make you bail out when asked for your PIN, regardless of how legitimate things sound. The only thing that should ever request your PIN is a machine that you have stuffed your card in first. I'm pretty certain that CVV requests should also only ever come from vendors that you are buying from, not your bank.
Why not? That's how it was done for email. SPF doesn't prevent interoperability for sending domains that don't use it or recipients that don't verify it. What it does is inhibit forged messages from a domain that does use it to a recipient that does verify it.
Then the more senders who have an SPF record, the stronger a spam signal it is for a domain to not have one, and the stronger the incentive gets for senders to use it. It's already in the recipient's interest to verify it when it's used.
They could even use DNS for this exactly like email. Create a lookup zone equivalent to in-addr.arpa but for phone numbers.
It is not as simple as getting everyone who runs public facing smtpd on the Internet to upgrade their software and practices. Telco and PSTN phone stuff is the very opposite of being up to date and continually evolving best practices for security.
You may not even have to upgrade the old equipment. For an out of band protocol, the upstream may be able to implement it for you.
Turning those companies into smoking holes in the ground doesn't require anyone to upgrade their equipment. All it takes is willingness on the part of lawmakers and regulators to track them down and make them regret their business practices.
Creative use of firewall rules can be really powerful. For a very simple example: block VoIP from AWS's address ranges (serious gain).
A classic response for anon calls in telephony is to make the caller record a short identifying message and then play that to the potential recipient. The potential recipient then decides whether or not to accept the call - your staff (family, whatever) become the firewall. Remember that calls are billed to the caller by the terminating provider so this is OK (caller pays).
Those are two simple examples of using IP and humans to firewall telephony. Just because telephony is a bit crap on the identification side does not mean that you can't deploy lots of other weaponry to keep yourself safe. If you look deeply into SIP and IAX2, you get loads more options as well.
You can, technically, write anything in it and there’s no way to guarantee it’s authentic.
For example here are some headers from some spam I received:
From: "Jeremy Adamson" <firstname.lastname@example.org>
Reply-To: "Jeremy Adamson" <email@example.com>
This one is much better, note how I'm BCCd and To: is complete bollocks:
From: Dr Faruk Ahmed <firstname.lastname@example.org>
Subject: MANAGER AUDIT AND ACCOUNT DEPT
Basically a large registry. When I call someone I tell t-mobile who I'm calling, and they register it. Then on the receiving end Verizon checks with T-mobile or a central registry, and says yep James's number is calling this number. Then it marks it as a verified call.
There are lots of good things that telephony could be required to do but they are not and they won't.
This leads down a privacy/metadata rabbit hole, but there are probably ways to make this a lot better. In any case, the phone OS can do some out-of-band signaling and just avoid dealing with the carriers altogether.
Although if you're doing all that then why not just make a call using voip...
However, just like email the CLID can be trivially faked and just like email, the lookup in your contacts is then wrong and potentially dangerous. In the case of telephony, if you subscribe to the BT service (I presume it still exists) that will return a name given a CLID (just like DNS for a price!) then you may end up with completely the wrong thing on your display.
Just to re-iterate the point: a PBX/phone/whatever cannot ... CANNOT ... verify CLID (Calling Line IDentification) it can only show what is presented to it.
Remember this, please: CLID is nominally under the control of the caller and could also be changed in transit. It should absolutely NOT be considered authoritative in any way.
I do think that the analogy works really well. PBXs can have quite a few weapons of their own to attempt to authenticate callers. For example you can pass "anonymous" calls to a dialplan that gets the caller to identify themselves and then play that to the recipient who then gets to allow/disallow the call - basically make the (human) recipient part of the firewall. Also, PBXs that deal with VoIP can use IP rules just like a firewall to make decisions on what to do.
Traditionally, "telephony" and "systems" have been considered separate. Personally I'm a sysadmin AND telephony bod with around 25/15 (respectively) years experience. My PBXs (generally Asterisk with FreePBX) have quite a few sources of intelligence about what is inbound, beyond CLID. I also look after quite a few email systems, often fronted by an Exim MTA with an attendant rspamd or spamassassin (int al).
Changing the subject or adding a footer will almost always break the DKIM signature, and DMARC won't like it anyway, because the From address and the envelope sender don't have the same domain (alignment). This makes it pretty hard to use DMARC for a public domain.
It's not so bad to use it for a corporate domain, and it helps a bunch if your domain is being used to source phishing; except that people still think you sent it when it comes from email@example.com which is clearly some ancient web mailer script that was compromised 20 years ago, but still remains online. (I'm totally not bitter!)
I cannot properly enable DMARC. I have working SPF and DKIM on everything I send, but as soon as I enforce it, people stop getting my email. The sticking points are mailing lists, and anyone with a forwarder. I've been on this merry go round a few times. If it's this bad on this personal domain, I'm a long way from considering it in a business.
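The mailing-list and forwarder failures described in the comments above, worked through as an added Python example (not code from any commenter). The domains, IPs and SPF table are constructed, the organizational-domain rule is simplified to the last two labels, and `header_digest` is a hash standing in for the real RSA signature over the signed headers.

```python
import base64
import hashlib
from dataclasses import dataclass, replace

# Constructed SPF data: envelope-sender domain -> IPs allowed to send for it.
SPF = {
    "example.org": {"192.0.2.10"},
    "lists.example.net": {"198.51.100.20"},
}


@dataclass(frozen=True)
class Message:
    header_from: str     # RFC5322.From, what the user sees
    envelope_from: str   # RFC5321.MailFrom, what SPF checks
    subject: str
    body: str
    client_ip: str       # IP that delivered the message to the receiver
    dkim_d: str = ""     # d= signing domain ("" means unsigned)
    dkim_bh: str = ""    # bh= body hash recorded at signing time
    dkim_sig: str = ""   # stand-in for b=, see header_digest()


def domain_of(address: str) -> str:
    return address.rsplit("@", 1)[1].lower()


def org_domain(domain: str) -> str:
    # Assumption: last two labels. Real receivers use the Public Suffix List.
    return ".".join(domain.lower().split(".")[-2:])


def body_hash(body: str) -> str:
    # DKIM "simple" body canonicalization: CRLF endings, no trailing empty lines.
    lines = body.replace("\r\n", "\n").split("\n")
    while lines and lines[-1] == "":
        lines.pop()
    canon = "".join(line + "\r\n" for line in lines) or "\r\n"
    return base64.b64encode(hashlib.sha256(canon.encode()).digest()).decode()


def header_digest(msg: Message) -> str:
    # Stand-in for the RSA signature over the signed headers (From, Subject).
    signed = f"from:{msg.header_from}\r\nsubject:{msg.subject}\r\n"
    return hashlib.sha256(signed.encode()).hexdigest()


def dkim_sign(msg: Message, d: str) -> Message:
    return replace(msg, dkim_d=d, dkim_bh=body_hash(msg.body),
                   dkim_sig=header_digest(msg))


def dkim_valid(msg: Message) -> bool:
    return (bool(msg.dkim_d) and msg.dkim_bh == body_hash(msg.body)
            and msg.dkim_sig == header_digest(msg))


def spf_pass(msg: Message) -> bool:
    return msg.client_ip in SPF.get(domain_of(msg.envelope_from), set())


def dmarc(msg: Message, policy: str = "reject") -> dict:
    """DMARC passes only if SPF or DKIM passes AND that domain aligns with From."""
    from_org = org_domain(domain_of(msg.header_from))
    spf_ok, dkim_ok = spf_pass(msg), dkim_valid(msg)
    spf_aligned = spf_ok and org_domain(domain_of(msg.envelope_from)) == from_org
    dkim_aligned = dkim_ok and org_domain(msg.dkim_d) == from_org
    return {"spf": spf_ok, "spf_aligned": spf_aligned,
            "dkim": dkim_ok, "dkim_aligned": dkim_aligned,
            "disposition": "pass" if spf_aligned or dkim_aligned else policy}


def scenarios() -> dict:
    # Sent straight from the domain's own server, signed by example.org.
    direct = dkim_sign(Message("alice@example.org", "alice@example.org",
                               "Meeting notes", "See attached.\n", "192.0.2.10"),
                       "example.org")
    # List re-sends with its own envelope sender, tags the subject, adds a footer.
    mailing_list = replace(direct, envelope_from="list-bounces@lists.example.net",
                           client_ip="198.51.100.20",
                           subject="[list] Meeting notes",
                           body=direct.body + "-- \nUnsubscribe: list-request@lists.example.net\n")
    # Forwarder relays the message untouched from an IP not in example.org's SPF.
    forwarder = replace(direct, client_ip="203.0.113.30")
    # Same forward, but the sender only published SPF and never signed.
    forwarder_unsigned = replace(forwarder, dkim_d="", dkim_bh="", dkim_sig="")
    cases = {"direct": direct, "mailing_list": mailing_list,
             "forwarder": forwarder, "forwarder_unsigned": forwarder_unsigned}
    return {name: dmarc(m) for name, m in cases.items()}


if __name__ == "__main__":
    for name, result in scenarios().items():
        print(f"{name:20} {result}")
```

In the mailing-list case SPF itself passes, but for the list's domain rather than the From domain, so it does not count toward DMARC.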
Not sure about the US, but in most of the rest of the world regulators come up with new rules and regulations requiring some form of network upgrade all the time – SLAs, connectivity and routing requirements, legal interception, data residency, etc.
And telcos have no other way but to spend billions to protect some monopoly or enable more surveillance power for the governments. It's a matter of priorities, really.
Find another in/out of band way of providing caller-ID services.
I get way too many calls from area codes and prefixes I recognize. This would help me get some of that back.
However, the current system is largely useless when you get spoofed calls from numbers you recognize.
And probably just have to live with the fact that there will be situations where people are harder to reach quickly than they are today.
Any actual local number is always legit since spammers have no way of knowing where I actually live.
Here is a PR piece (by a telecom technology vendor) that explains that the Canadian telecom regulator will require non-spoofable caller id by March 2019. The technology is called STIR and SHAKEN. (That's all I know; I'm no expert).
The US FCC doesn't seem to be moving as quickly, if at all.
I did this to a student loan company. The caller ID was that of my parent's house, and the woman on the other end was incredulous that anyone would demand that she prove who she was.
And it turned out to be legitimate, incredibly, though I certainly did not think so at the time.
If Peerless Networks was starting at millions of dollars in fines fake IRS scams originated on it because there's no way for someone else to find who actually originated the fraudulent calls, you would be able to bet a farm that a concept of a fake caller ID coming from Peerless Networks would go away.
It's OK to ask for their extension. A lot of times you can't call the fraud department directly, but if you have their extension you can ask to be transferred to it. But yeah, always call the number printed on the card, not what they tell you.
With text to speech software becoming so amazing, see Google's Duplex, I'm not that concerned with caller ID and am massively concerned for aging boomers who will have to contend with nearly perfect speaking bots.
It all took precious time, they really should anticipate this more.
SPF, implemented by most major email providers, helps to prevent FROM: spoofing.
Hell, I'm pretty sure our VoIP product drops external calls where the Caller ID matches one of its own numbers.
These are problems we are solving. These are problems we should be solving in telephony too.
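The PBX-side rules mentioned in this thread (reject external calls that present one of your own numbers, make anonymous callers record their name, filter on source IP) can be written as a single screening function. This is an added Python example, not code from any commenter or from Asterisk/FreePBX; every number, network and SIP message in it is constructed, and the action names are hypothetical.

```python
import ipaddress
import re

# All values below are constructed for the example.
OWN_NUMBERS = {"15550100", "15550101"}                    # our own DIDs, digits only
INTERNAL_NETS = [ipaddress.ip_network("10.20.0.0/16")]    # where our own phones register
BLOCKED_NETS = [ipaddress.ip_network("203.0.113.0/24")]   # ranges we never expect calls from
ANON_USERS = {"anonymous", "unavailable", "restricted", "unknown"}

# User part of the SIP From header (long or compact "f:" form).
FROM_RE = re.compile(r"^(?:From|f)[ \t]*:[^\r\n]*?sips?:(?P<user>[^@>;\s]+)@",
                     re.I | re.M)


def in_any(ip: str, nets) -> bool:
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in nets)


def presented_clid(invite: str):
    """Return the caller-supplied number as digits, or None if absent/anonymous.
    This is only what the caller presented; nothing here verifies it."""
    m = FROM_RE.search(invite)
    if not m:
        return None
    user = m.group("user").lower()
    if user in ANON_USERS:
        return None
    return re.sub(r"\D", "", user) or None


def screen_call(invite: str, src_ip: str):
    """Decide what to do with an inbound INVITE. Returns (action, detail)."""
    if in_any(src_ip, BLOCKED_NETS):
        return ("drop", "source network blocked")
    clid = presented_clid(invite)
    if clid is None:
        # Human-in-the-loop: the callee hears the recording and decides.
        return ("record-name", "no usable caller ID")
    if clid in OWN_NUMBERS and not in_any(src_ip, INTERNAL_NETS):
        return ("reject", "external call presenting one of our own numbers")
    # Everything else rings, but the display is labelled as unverified.
    return ("ring", f"{clid} (unverified)")


def make_invite(from_header: str) -> str:
    # Constructed minimal INVITE; only the From header matters to the rules.
    return ("INVITE sip:+15550199@pbx.example.com SIP/2.0\r\n"
            "Via: SIP/2.0/UDP 198.51.100.7:5060;branch=z9hG4bKconstructed\r\n"
            f"From: {from_header}\r\n"
            "To: <sip:+15550199@pbx.example.com>\r\n"
            "Call-ID: constructed-example\r\n"
            "CSeq: 1 INVITE\r\n\r\n")


SAMPLES = {
    "self_spoof_external": (make_invite('"Front Desk" <sip:+15550100@198.51.100.7>;tag=1'),
                            "198.51.100.7"),
    "own_number_internal": (make_invite('"Front Desk" <sip:+15550100@10.20.3.4>;tag=2'),
                            "10.20.3.4"),
    "anonymous": (make_invite('"Anonymous" <sip:anonymous@anonymous.invalid>;tag=3'),
                  "198.51.100.7"),
    "blocked_range": (make_invite('<sip:+15557654321@203.0.113.9>;tag=4'),
                      "203.0.113.9"),
    "ordinary": (make_invite('"Your Bank" <sip:+15558675309@198.51.100.7>;tag=5'),
                 "198.51.100.7"),
}


if __name__ == "__main__":
    for name, (invite, ip) in SAMPLES.items():
        print(f"{name:22} {screen_call(invite, ip)}")
```

The "ordinary" sample still rings even though its display name claims to be a bank: these rules only remove calls that are certainly wrong and say nothing about whether the remaining caller ID is genuine.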
If it wasn't for https://hiya.com/, I'd be at the end of my wits. Seems like the number of fake calls has ramped up exponentially in the last months. I finally just set it up to completely block all telemarketing, spam, scam, fraud calls.
That gets the job done, but rather than modify each of your existing contacts (and each new one), consider just turning on Do Not Disturb and setting your Do Not Disturb level to "Allow Calls From All Contacts" (or a particular Group or Favorites). These are iOS options but I assume there's an equivalent in Android.
The best solution I've found is to just go into the Google Dialer app and set the option to not ring on any call suspected to be spam. I still do get spam calls that haven't yet been reported, but it's down to only about 3-4 a month.
Not sure if Samsung phones / other android flavors have a similar feature or not.
Eliminating spoofing is probably impossible without infrastructure revamps that aren't realistic even augmenting with spam filtering at the telco level. But the current situation is at the edge of the tolerable and people will just stop letting calls ring through.
Obviously, my kids (and their friends/school) are only one data point ... but yeah, for them, it's already dead.
I can't speak to the manpower dedicated to nor the pursuit of these reports by the FTC, but this is definitely a regulated issue.
Once that hits general usage along with the kind of ML and social network graphs being done up couldn't that just plain be it for phone usage if companies can't come up with a proper cryptographically verified call scheme (which would require new phones, for everyone)? I mean, if a call coming in directly from a "trusted contact's number" that is literally in their voice becomes generally a scam too I think that'd have to be a real tipping point for the general population. I can't see any choice at that point but to disable all incoming calls period, and move my family over to something else as well. And that tech train is coming down the tracks pretty fast, there have to be at least some phone providers who can see that right? Heavily automatically run personalized ML powered social media and ad network profile fed phishing calls in a relative's voice, yeah that'll be really fun.
I always pull up the website and confirm before telling them anything.
This is one of the related reasons why I finally got my ducks in a row and switched away from Chase three years ago. Their potential-fraud-has-happened outreach department was, in my experience, terrible about this. It didn't help that their potential-fraud-detection department was similarly bad. ("You used your debit card at an AM/PM in Washington State!!!!" Yes, I know, it is about 900 feet from my house; I go there regularly.)
Point being, I got quite a few calls from their (real) fraud prevention department about (supposed) fraud. Each time, the rep who called me would get mad at me for not handing over the last four of my SSN and my complete address to the calling party. I pointed out, each time, that they were the ones who called me so I should be verifying them. "But, sir, WE are the bank and you could be anyone who just answered your phone."
The credit union I now use just presents a message with their name and a request to call back. "We may have detected a fraudulent purchase; please give us a call at the number on the back of your card and reference case number [digits]." Fortunately, their system is much better; I've only heard this message once.
There has got to be a word for this and similar behavior. Banks, credit card agencies, mobile phone companies are getting really aggressive with how they handle these sort of transaction based interactions and I'm leaning towards wanting to see them get slapped with regulation for it.
I bring it up because a few years back I fell into some hard times, resulting in missing some payments. In a good faith attempt to get caught back up once I found a new job and could right the ship, I called my creditors immediately and tried to make payments and setup payment plans the first paycheck I got.
None of them failed to ask what I thought was a very annoying and horrifically invasive question: "Why were you late on your payments?"
Each time I rebutted asking if disclosing my living situation was required to make a payment or if I should request an escalation to someone who will just take the money. One creditor kept trying to say "We're asking because we want to do you a favor/we understand things are hard sometimes" and I kept asking them if failure to disclose my life situation would prevent payment until they gave up and took the payment.
It strikes me as an offensive, invasive and utterly worthless question and whenever asked I just hang up and call back. Same thing when some entity calls and immediately starts asking for sensitive info. "Send me a letter in the mail with a phone number and I'll call you back when I'm good and ready, otherwise no I'm not just giving you my SSN because you called me at 7:30 on a Monday evening and asked for it".
Fiduciaries are getting bold, I tell you.
I'm far more likely to respond positively, even if ultimately I decline if they were to say "We have a program in place-if you think you're going to miss a payment that will help keep your account on track, would you like to enroll?"
"Why were you late making this payment?"
Of the two, when I went through that period of long-term underemployment, I only ever heard the latter, never the former. Such a curt and abrupt question to ask that comes across much more invasive than helpful.
"We're asking because we want to do you a favor/we understand things are hard sometimes"
There's more than "a program," creditors have different options/programs, etc. Special options exist for people who were affected by certain natural disasters. They probably would have offered to waive the late fee if you missed a payment because you were in the hospital or something. They were starting a dialog with you about your account status in order to work with you; no need to get all offended about it.
A year ago I had an awful experience with this.
We were on vacation at Big Bend National Park, which is hours away from everything in southwest Texas. When trying to pay for breakfast, our card was denied. I tried to call the card company to tell them that it was OK, but couldn't get through - there was no cell service. Outside the restaurant was a pay phone (remember them?) that I was able to use to call their 800 number.
I learned then that they'd actually flagged my card as stolen, so I could no longer use it at all, and to get it turned back on I needed to receive the code they were sending by SMS and read it back to them. The thing was, we were in a dead cell area, we couldn't get the SMS. And Big Bend is mind-bogglingly huge - 1,252 square miles of mostly desert (there's a whole mountain range entirely contained within the park). As far as I could tell, I didn't have enough gas to drive out of the park to get to cell service to achieve this (the park is so big that it's got its own gas station in the middle, and I'd intended to use this - but without my card, how can I?).
It seemed a perfect trap, there was no way we were going to be able to get out. What eventually saved us was that the hotel manager overheard me shouting at the card people, and came out to give me a map, with the places inside the park that can get SMS text highlighted. Using that I was able to fulfill their requirement.
They never were able to tell me why they flagged the card in the first place. They told me that they advise all card holders to warn them when they plan to go out of state. But I live in Texas, and I was in Texas when the charge triggered. They just shrugged that off.
And when you're in a scrape, you can often barter with all three.
The other thing that sometimes works is entering the digit part of your postal code and padding it out with zeros. Ex: if your postal code was 1A2B3C you'd enter 12300.
Also spare ID and cash. The one time I broke this last rule on a trip I was nearly really screwed. (I lost my license and the hotel didn't want to let me check in. They only relented when I showed other ID and was able to make a just large enough withdrawal from an ATM and pay cash.)
Since then I always carry three credit cards when traveling, from three different banks, and each from a different payment system in case of a systemic issue.
Considering that we could eliminate fraud with a private key chip card, this is really, really sad.
I probably should worry more about muggers, but I just can't get myself to be afraid, so.
While making their second gas stop, their credit cards were being rejected because Amex erroneously thought it was impossible to legitimately use their credit cards between two locations that quickly.
Supposedly they also track flights worldwide to assess legitimacy of card-present transactions through distance-time bounding.
Bank of America has an interesting optional feature where they geolocate the transaction, and if it's a certain distance away from your cell phone, it triggers the fraud process.
I think if more banks did this, it could cut down on a certain percentage of these problems.
The downside is that you have to trust your bank enough to let it track your phone 24/7. And having recently gone through the privacy notices of several of my bank apps and web sites, I'm not entirely sure that's a good idea, either.
I dropped Chase after about the 4th time they flagged my monthly payment to my ISP as potential fraud.
Nordstrom was actually one of the few places that I’ve encountered who does this. Someone stole my identity and tried to open a credit card at their store. As soon as I verified it wasn’t me in the store she asked me to call back immediately. She wouldn’t even give me a call back number and told me to go to their website and find it.
The method they choose to do that, though, is to ask me for a phone number to which they can send an authentication code. I give them the phone number I'm using - the one they called me on. They ask if I want a text or a voice call. Tempting though it would be to put them on hold while I accept the voice call with the security code, I opt for the text message. Phone buzzes, I read out the number, and they seem happy with the result.
I really hope that when they asked me for a phone number they verified it against a list of known numbers associated with the account, but... it really wasn't clear in the context of the interaction.
A bit of a stretch perhaps :)
It's nearly real-time. In any drive-thru I'll have the notification on my phone before the card is handed back to me.
This reduces the exposure of a critical account. And if you do become a victim of fraudulent charges, you don't have to worry about your bank account being drained immediately (possibly resulting in overdrafts, etc).
- Account #1: salaries and deposits go here, no ATM
- Account #2: gets regular transfers from account #1, whatever you spend each week on your ATM, has an ATM, blocked on overdraft
If ATM is compromised the only money at risk is whatever is left in Account #2
This minimizes your exposure
I got a gas company card (non-Visa/MC) with a super-low limit, and when I need to buy gas I make a payment online with my phone, then pump away knowing if it got skimmed, the perps would probably throw the info out because it's not usable anywhere else, and even if they used it at the gas station, they'd only get $10.
The local sheriff was on TV last year telling everyone to only pay cash for gas — never put a credit or debit card in a gas pump card reader.
I disagree. I think that there has been a massive amount of misplaced trust in the random inbound calls and caller ID. We should have cleaned it up a long time ago. Now that there is widespread abuse of it, maybe there will finally be some security measures put in place.
Otherwise the next scam will be to put an obviously-fraudulent transaction on a card, then phish for the rest of your details so they can get cash, rather than just charge-backs.
The company may put you in a faster queue because they think they’re paying $$$/minute for the call.
Yeah, fuck you. I'm not calling a fraud prevention number that was given to me over the phone and more to the point, what is wrong with you for asking your customers to trust people that called them on the phone.
I called the main switchboard for the bank and couldn't find the fraud number from there. They got an earful about that too. None of this is okay, including why they flagged my card (Not for buying a TV and a bluray player, no. For getting a $8 car wash on the way home...)
I’m not sure what a correction looks like though. Should they call customers and instruct them to find or verify a phone number and call back? Instruct them to log into their online account? That would be fine for you and me, but I’m thinking of the average cardholder.
How do you do that on an Android phone?
Settings > Call > Call Rejection > Auto reject mode
Set it to "All incoming calls".
Perhaps there should be a few types of CallerID - verified, physical and nominated. Eg a company calls you with a verified ID (like TLS), a local number from a single line is physically authenticated and anything else is just a best guess. That way we can filter more reliably.
There is precious little within SS7 to prevent or respond to spoofing. It's a major nightmare for telephone companies.
> It's a major nightmare for telephone companies.
Disagree. It's a bug for the telcos, and a major nightmare for the rest of us.
Toll free routing may be less amenable to grey routes and things as well. International callers aren't "supposed" to be able to call US toll free numbers, which may make it harder to get to. I've seen some companies claim that they can use call routing information to toll free numbers to get accurate caller id information in some countries; but I would never trust it.
You also shouldn't trust the source IP, or the return address on a standard envelope in the mail, unless you have convincing evidence. It's hard to think of an example of a source address in communications that's really trustable.
As for billing, it is usually based on the destination number, and your originating telco, unless I am misunderstanding your question.
To change the routing of a call other than yours would require you to access a carrier's systems and change where the call is routed to--which is substantially more difficult.
phone - I dial the number my bank gave me and no man in the middle ever answers or interrupts. But still completely insecure!
Now imagine you see me trying to enter my credentials over an http connection to AwfulBank.com. "Stop! That's completely insecure!" you say. "Sure, but so is calling a bank using the phone number they gave me."
If both cases are already completely insecure, why am I wrong?
I've experienced a few so far over the previous months. I've even experimented by not saying anything for an extended time - up to about 30 seconds of silence (and then it usually hangs up itself). But the next time it happens, if you say 'hi' within a few seconds, it immediately hangs up afterwards. Like it's waiting for a verbal prompt.
The apathetic part of me thinks 'maybe it's a robocall that's bugging out', but then the pessimistic part of me wonders 'are they trying to sample my voice'.
Probably something like this.
I knew a few criminally-minded people back in high school and my early 20's (I don't associate with them anymore.) The thing that always struck me about the "criminal mind" is that they were ready and willing to work hard, as hard or often more as a real job, to try to make money. I asked one guy once about it and he basically said that it was the idea of getting over on society, or "the Man", or something. "Getting away with it."
This same guy also refused to open a saving account, but he would buy CD's (certificate of deposit) with ~3 month terms, and pay down the payments, because it felt like having twice as much money. To him it felt like he got to spend the money (that he used to secure the CD) twice: once with the money the bank loans him, and then again when he pays off the CD and they give him his original money back.
Now, this is insane. He's just giving the bank some money.
I asked him about this because it's so crazy, and he said "I can pay bills", meaning that he can psychologically deal with the idea of having to hustle to pay the ongoing payments on the CD, but (for whatever reason) he can't just give some of his money to the bank and not touch it. He literally can't feel right about savings. So he does this weird thing that basically inverts the whole idea of banking. He even knows it's crazy but it's a working equilibrium for him.
Anyhow, I wrote all that in the present tense but this was years ago and I lost touch with the guy.
I am astonished that the scammer-telemarketers who can sit there and carefully run these scam-scripts on marks don't just go get legit jobs. I wonder what economic context they are in? Or are they just, uh, morally corrupt, or something? The mystery of the criminal mind.
Hmmm... Here's a strange thought: What if that was a way of dealing with a gambling addiction (or something similar, since I understand risk to be part of the addiction), except you lose significantly less than you would have gambled without the loan?
I’ll generally get a phone call like this, and hang up and re-initiate a request myself starting from the phone number listed on my card.
The sticky ones are things that seem to somehow be tied into people at the actual company scamming - my parents recently got a scam Openreach call within a few hours after calling to complain that their telephone had been disconnected a week earlier than promised. They had knowledge of the complaint call, but did the standard scam walkthrough of looking at event viewer and asked for the router ip address.
See also the conveyancing scams whilst buying houses where phishers impersonate the exact solicitor's email format and know exactly when the monetary transfer is supposed to take place in order to get you to pay a different bank account.
A new ID system using PKI could eliminate the spoofing problem completely. Yes, I'm sure it would require a huge coordinated effort. Given spam calls will exceed 50% of all calls next year, this should be seen as an existential crisis for phone companies.
(Could even use some kind of PoW as another option, for calls where the receiver is unlikely to have received your public key yet.)
Then I would get a text saying, "sorry, bad signal or it's loud where they are." At that point, a chat bot takes over asking questions about the car and talking about how they really want to buy it but need to make sure that it has no accident and that I should get a car verification report and if it has a clean history they will buy it. A link is then sent to me via text.
What I haven't figured out is if they are going to steal the CC info if entered in the link or give me some bogus report that costs $5 to acquire and charge me $100 for it.
You see this a lot with job listings and rentals where the scammer will link to a background check as a condition of hiring/renting.
I've had a conversation with my cell carrier where I asked to block Texas and Florida, every area code in those states. Apparently that is not possible.
It won’t let you specify a ‘global’ wildcard, but I find blocking my own area code is generally sufficient. Most scammers and spammers spoof your local area code these days, and Nomorobo is pretty good at filtering out those that don’t.
Between those two apps, I go months without unwanted calls. I used to get them daily.
Set a custom ringtone for people you will accept calls from.
How are scammers able to generate a physical card in the first place to perform ATM transaction? Is it something similar to card skimming with cards having magnetic stripe? Can this attack be performed with cards using chips?
Also I often come across a fraudulent transaction being performed even if only credit card number is disclosed, while cvv and expiry date are not. As per my understanding all 3 info is needed to perform a transaction.
Does anyone have some resource where these attacks are discussed in detail and how they are carried out?
> Even technology experts are getting taken in by some of the more recent schemes (or very nearly).
Rule number one about phone scams, which I've seen repeated numerously so "technology experts" should know this ... _always_ verify and call the number back. I was under the impression that was common knowledge?
The scams iterated in this article, no matter how complex, would all have been prevented by that simple and pervasive rule.
> “People I’ve talked to about this say there’s no way they’d fall for that, but when someone from a trustworthy number calls, says they’re from your small town bank, and sounds incredibly professional, you’d fall for it, too,” Haughey said.
When someone from a trustworthy number calls, says they're from your small town bank, and sounds incredibly professional, you follow the exact same rule. Hang up. Verify the number. Call back.
Again, even the best of us make mistakes, so I'm not trying to be critical of the victims here. I'm just surprised is all.
Fine in principle, but banks do call, and often have no direct dial, as a matter of policy, for whoever you're speaking to.
So it becomes verify the number, call back, and spend 30+ minutes in a queuing system before some lowly call centre worker on another continent incorrectly tells you they can't connect you to the xyz department.
It used to work before call centres and all the small banks became just branding on the front of one of the big 4. You were even allowed the phone number of the local branch! That's the UK market btw.
Verdict: It's not doable if you want it to work 100%. And in the US I would say it's not doable at all because Android/dumbphone users are still using SMS instead of a messenger app like Whatsapp, so you have no way of communicating with them at all.
The biggest problem for me was online services that want to verify your account via your phone number. They don't understand not having a phone number. And about 20% of the time, they block VOIP phone numbers for verification purposes, so your google voice number won't work there either. Literally no way to move forward there other than ask a friend to let you borrow their number or use your burner phone or something.
You also can't sign up for Whatsapp without a phone number, but luckily it does work with google voice.
Google voice also doesn't let you set it up so your device gets incoming calls unless you forward them to a real phone number. So you can only make calls with it, not receive. Maybe some other VOIP solutions are better at this. The google voice app on iOS is pretty shitty.
Now that I'm back in the US, I had to get a phone number because messenger app adoption is very very low. iOS users are fine because iMessage is awesome, but for people on Android, there's just nothing. They still use SMS. Maybe you can get around this with VOIP, but I didn't want to hassle with it.
I'm not concerned about Whatsapp, and I figured I use Twilio for text messages. Out of service phones can still call emergency services, 911. My main concern is being "that guy" who everyone has to make exceptions for when contacting.
Still, I've been paying too much for that crusty old landline, and finally got motivated to do something about it. I just ported it out last month, and the new VoIP service I'm using costs less per month than what AT&T was charging just for Caller ID. Even funnier, they offer telemarketer blocking like I've set up, at no extra charge.
Farewell and f*ck you very much, AT&T. You didn't even lift a finger to ensure that the Caller ID I paid for was accurate.
Might make some good HN submissions ;-)
Of course, with Asterisk, you can get downright crazy if you wish.
Hardware, configuration, concepts.
Unrelated, but I'm pretty sure I know what credit union they're talking about. Super nice place that is focused on the tech workers in the Portland area, and I've always had good experiences with them.
Most are very noticeable for being in Chinese and tying up multiple lines at a time. That's not really great though, like in the example, when it's all the phones in the ED.
No, nobody has access to your PIN, if you forget it you need a new card.
That's not true - you can reset your PIN if you go to a physical Wells Fargo location, I've done it.
For apps, this could be a one-time code validated in the app. As a fall back there could be a unique shared "service pin" that gets rotated.
When I call my bank, they ask for verification by giving an account number, credit card and expiry details (!)
Also, there's no one who wants to pay extra for security, and the telecoms industry have the virtue of laser-like focus on money.
Now, when I go into a Chase or Citibank or whatever branch with a question, all the "banker" guy does is call the same 800 number I would have called, and wait on the same 40 minute hold as I would have. They don't even have special in-house IVR anymore.
Meanwhile, I drink all their free coffee.
Seems like this would solve almost all of these problems.
This should be the standard advice from banks to their customers.
> Cabel Sasser is founder of a Mac and iOS software company called Panic Inc. Sasser said he almost got scammed recently after receiving a call that appeared to be the same number as the one displayed on the back of his Wells Fargo ATM card.
Personally, if someone needs to get a hold of me outside of my contacts, email or text me and I’ll get back to you accordingly.