I was just subjected to the most credible phishing attempt I’ve experienced (twitter.com)
781 points by vinnyglennon 13 days ago | 353 comments

OP here. Just a couple of the things I learned since I posted the Twitter thread:

- The caller spoofed the phone number of the bank. The bank was not in my contacts, so I did not notice. Someone else in the thread noted that they did have the bank's phone number stored, which upped the credibility of the call to them.

- The caller called me twice in rapid succession (First ignore the call from a number you do not know. Then they call back again immediately: "maybe this is urgent / important"). Another person in the thread, who fell for the scam, noted this same pattern.

- It is better if banks include a security warning / specific reason the code is sent with the password reset pins and similar credentials. My bank did not. Another Twitter user noted being subject to the scam, and just glancing over the warning copy. So it helps, but it is not perfect. Especially pre-coffee.

- My bank no longer allows me to reset my password without calling them (thanks bank).

When I read the thread now, it's obviously full of red flags. I was successfully manipulated, and whilst I'm certainly not as clever as all the people pointing out they would have caught this from sentence one, I believe I'm also not the lowest hanging fruit in terms of a target :-) Makes you wonder what this will look like when these scams evolve another couple of generations in terms of complexity ...

I've got a number of calls from my bank over the years (usually the Visa department asking about international charges) and my standard response has always been "I'm sorry, as a rule I do not discuss personal details with someone who called me, since I don't know who you are" and they typically respond with "no problem, please call the number on the back of your credit card". I still wish they wouldn't try to initiate a call (usually they launch straight away into verifying who I am, asking me a ton of personal details before I even know that they're legit... sigh) and would just ask me to call them back on an official number (not one they give me over the phone, obviously) instead. If that were standard practice, I think these kinds of scams would be a lot easier to detect.

>my standard response has always been "I'm sorry, as a rule I do not discuss personal details with someone who called me, since I don't know who you are"

Amex got quite offended when I did this, and almost chastised me when I got through to an agent after making the outbound call myself. They argued that because they only asked for limited personal information (DOB) it was fine...

I would still do it again!

I had that same issue with Amex, they phoned, said there was a concern with my card and then wanted me to go through identity checks before saying more. They also got quite stroppy when I refused and asked them to prove their own identity first!

Eventually they did suggest I call the number on the back of my card, but I was annoyed by their lack of professionalism by this point (I mean, they are asking me to do stuff - giving out information to unknown callers - which they themselves always tell customers never to do!) I said I wasn't going to phone a general number and get stuck on hold for hours over an unknown issue - either give me some reference to get through quickly to the right person, tell me what the problem is now, or send me a letter. But they kept claiming that they couldn't send out letters in the post :-(

In the end, I finally received a letter by mail telling me that there were problems with my direct debit payments. So it was a genuine call but their inability to securely make these calls is frustrating.

I think if they gave you a number to bypass the general queue you'd still be vulnerable to an attack, right?

The only way to ensure you're calling Amex is to call the number you know, otherwise the scammer will have you call another one.

Call the number on the back of the card - "Press X if you have been given a code by us". Effectively, you're calling <number on the back of the card> + <reference to queue skip>.

It would be reasonably trivial to build a phone system that lets the agent generate an OTP of sorts.

"Hey, we need to talk about your account. Call our general enquiries number on our website, press 9 and enter 'XXXXXX' to be reconnected to me."

I was just thinking about how the agent could generate ephemeral PBX extensions. OTP-like would definitely be the way to go.

Edit: perhaps the extension would be per transaction, not per-agent, and when the customer calls the extension, the agent's system can automatically pull up the customer's account. These extensions should expire, but given the length of some customer calls, and how often I've been disconnected from customer service lately, perhaps it should be on the order of hours, not minutes or seconds.
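As an added sketch of the call-back design discussed in the last few comments (not code from any bank or from anyone in the thread): the agent issues a short single-use code bound to the case, the customer dials the bank's published number themselves and keys it into the IVR, and the switch routes the call back to that agent with the case already loaded. The code expires after a few hours; the helper names, the 6-digit length and the 3-hour TTL are assumptions.

```python
"""Ephemeral call-back codes for outbound bank calls (illustrative design).

The trust anchor is the bank's published number, which the customer dials.
The code only routes the call and pulls up the case; it is single-use and
time-limited, so a code read out over the phone is useless to anyone who is
not already standing in the bank's own IVR. The IVR should still throttle
guesses, since a 6-digit space is small.
"""
import secrets
import time
from dataclasses import dataclass

CODE_DIGITS = 6                 # assumed length; long enough for routing, not a password
TTL_SECONDS = 3 * 60 * 60       # hours rather than minutes, per the discussion above


@dataclass
class CallbackTicket:
    case_id: str       # the case the agent was working on when they called
    agent_ext: str     # extension to reconnect the customer to
    issued_at: float
    redeemed: bool = False


class CallbackDesk:
    """Issues and redeems call-back codes. `now` is injectable for testing."""

    def __init__(self, now=time.time):
        self._now = now
        self._tickets = {}  # code -> CallbackTicket

    def issue(self, case_id, agent_ext):
        """Agent side: mint a fresh code to read out to the customer."""
        self._purge_expired()
        while True:
            code = "".join(secrets.choice("0123456789") for _ in range(CODE_DIGITS))
            if code not in self._tickets:      # avoid handing out a live code twice
                break
        self._tickets[code] = CallbackTicket(case_id, agent_ext, self._now())
        return code

    def redeem(self, code):
        """IVR side: customer called the public number and keyed in the code.

        Returns (agent_ext, case_id) on success, or None if the code is unknown,
        already used, or expired. A used or expired code is removed so it can
        never be replayed.
        """
        ticket = self._tickets.get(code)
        if ticket is None:
            return None
        if ticket.redeemed or self._now() - ticket.issued_at > TTL_SECONDS:
            del self._tickets[code]
            return None
        ticket.redeemed = True
        return (ticket.agent_ext, ticket.case_id)

    def _purge_expired(self):
        cutoff = self._now() - TTL_SECONDS
        for code in [c for c, t in self._tickets.items() if t.issued_at < cutoff]:
            del self._tickets[code]


if __name__ == "__main__":
    desk = CallbackDesk()
    code = desk.issue("case-0042", "ext-17")        # constructed sample case
    print("agent reads out:", code)
    print("IVR routes to:", desk.redeem(code))      # ('ext-17', 'case-0042')
    print("second attempt:", desk.redeem(code))     # None (single use)
```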

Not a different number to call, but instead a shortcut through the usual automated phone menus - e.g. I've had a bank tell me to phone their number and then enter an extension to take me straight through to the right person.

Just ask for an extension to reach them at when you call their public number.

Why would a letter be genuine? That seems easier to spoof than phone or email?


Email is pennies per thousand.

Phone calls are cheap especially for nonconnected or robocalls (which would cost for a postal contact).

Postal mail costs $0.50 US in postage alone. The full-up cost of a mail campaign is often several dollars per mailed item, though in bulk, and with bulk rate, I believe it's closer to $0.40 (postage plus a few cents for paper and envelope).

That would cover many thousands of email contacts, possibly nearly as many phone/VOIP attempts.

And the systems required to successfully and accurately generate a postal response on request are also high.

Low-cost systems are high-fraud systems.

Not sure if it’s true, but I’ve heard that mail (at least in the US) is safer because the cost to send letters is high enough to deter bulk sends vs email/phone, that postal inspectors are relatively effective at catching people, and that the laws around mail fraud make prosecutions easier.

I got a scam letter from someone claiming to be Canada Revenue Agency, so I wouldn't bank on that either.

It might not be genuine. But what one should do to resolve the problem described in the letter is to go to the regular Amex website, log in, and update your debit information.

My preference is to have multiple points of contact. Email+phone and the alert is sent simultaneously both ways. This happened recently when a purchase I made was flagged. I got a text asking to approve the charge. Not trusting SMS I checked my email and saw the same message as the text and a link to take further action.

I was disappointed that no alert was sent through the banking app. That would be the most secure option but is explicitly disallowed in the notification settings.

It's not so much that the letter is guaranteed to be genuine.

They can include information in the letter they can't include on a phone call, as the mail service is performing the authentication.

My health insurer won't talk to me on the phone without me confirming identity, even if they called me, but they'll happily mail the info.

Never call the number off the letter, though.

I also do this every time when my doctor's office or insurance calls. They have to verify your identity to give you medical information. I need to verify their identity to give them my personally identifiable information.

I think eventually they got the point because now they have a secure online email system and just leave a message asking me to call back. They still leave a return phone number, but it's getting better.

At least with an email you can hopefully verify the headers. A phone number is too easily spoofed these days and the end user has no real means of verification.

My bank always says "There is an issue with your credit card/account, please call the number on the back of the card/your branch as soon as possible." and has for years.

The only time they do otherwise is on very specific instances where they provide the info, "did you just buy something at store XXX for approximately $YYY"

All banks and credit institutions should be required by law to do this.

Capital One has an app, every time my card is used I get a push notification. This is the best solution in my mind. I can actively monitor my card usage and call if I see something suspicious.

I'm surprised that this isn't a requirement for banks considering the very large number of scams going on in the US.

In India, getting an SMS/Email confirming every card usage is a legal requirement imposed by the Reserve Bank of India. The same goes for card usage itself. All credit and debit card POS transactions need the card PIN to be approved. Likewise, all online transactions require MFA.

AMEX does this and it's honestly great. Unfortunately my credit union doesn't, but I use credit for most transactions anyway.

Chase does this too.

Apple Pay, for all my cards, gives me an immediate push notification, despite some cards not doing so for regular chip/swipe transactions. Really like that feature & also wish all cards did it for all transactions.

My AmEx does that too. I really like that feature.

I wish all banks and CCs offered this feature.

It's worth searching on their site / calling them, since in my experience every time over the last couple years I have dug, I have found it offered.

My bank does this. Two texts:

1: "We need you to verify some transactions. You will receive a text from <number> with the transaction details"

2: "Do you recognise these transactions? <date/store/amount x 3> Reply Y if yes, N if no"

Y -> "Thank you for verifying the transactions. If any transactions have been declined, you may need to repeat them"

N -> "Your card has been blocked and a new one ordered. Please contact us if you need any further advice"

These are what I usually see, or else an automated call with the same approximate script. Is there anything insecure about doing this one? The only thing I can think of is a MiTM where your account credentials are already compromised and they are using your answers to reset your password.

These fraud alert calls (in my experience of course) generally don't have any ID verification, so there's no real danger from the user side in interacting with them. They just ask "do you recognize these charges?" and that's it, and then initiate any fraud response. From the bank side the worst is if the number has been hijacked, but the user would still be able to dispute the charges later through the normal means; CC cloners probably rarely do that, so it's not a huge issue.

You should be careful even about doing that if you are on a landline. There is a landline scam where they don't let the call disconnect, so when you hang up and then think you are dialing the bank, you are actually still connected to the scammer.

Always use your mobile phone to make the call (although I'm sure it's only a matter of time before even that is compromised).


Luckily I don’t have a landline so it’s all mobile :)

While spoofing numbers on incoming calls is far easier, it is also possible for an attacker to redirect your outgoing calls from the right place in the phone network.

You just shouldn't consider any aspect of the phone network to provide authenticity or confidentiality.

I had an experience indistinguishable from the phishing attack being discussed - with the only difference that I initiated the phone call. A transaction I had initiated had triggered some fraud warnings and my account was locked.

They asked for my account number, name, and address for verification. When they got to the point that they sent me a code over SMS and wanted me to tell it to them over the phone, I stopped them and explained that this is also the exact set of steps required to reset my account and that I wouldn’t do it.

I went to a branch in person to unlock my account and the person helping me asked me to enter my password on their terminal so that they could “see the error message”.

I’m still not sure if some parts of this were a more advanced phishing scheme than I had thought was possible, even though it does just seem like a set of confusing practices by the bank.

I wonder if bank staff are in on it sometimes. I once was at a bank branch and had the teller pick up the phone, call another teller and tell her my balance in a foreign language that I happen to speak fluently (but don’t look like I should).

I wanted to ask her why she would be doing that, but I was a bit more meek in my younger days.

I had something not exactly like this occur to me. It wasn't something I overheard, but I'm pretty sure it went something like this:

1. You talk to a teller at a branch, and they bring up your account details. The teller sees you have a mortgage with the bank, but registered to a different branch.

2. They have some sort of incentive from the mortgage specialists at their own branch or management, to refer those accounts to their own mortgage team.

3. The mortgage department at the new branch calls me, and says I can do an early renewal at a lower rate, if I come in and see them.

Anyways, I did the early renewal at my original branch, as I had a connection to a manager at that location. Either way, I ended up shaving a good chunk of interest by renewing a year early.

What's an "early renewal" in this context? Mortgages aren't things I think of as requiring renewal at all.

Ah sorry, maybe it's a Canadian thing. I have a mortgage with an amortization that's say 20 years. But I actually enter into an agreement and a rate for say 3 years. At 3 years myself and the bank need to enter into a new agreement, or I can shop around for the best rate for the next term with other providers (although some banks have been clever in the rules trying to prevent this).

An early renewal would be doing a renewal with the same bank at say the 2 year mark for a new term and interest rate. The bank allows the old contract to expire early, since they're getting the new one for an extended period, like another 3 years. These terms can vary, with 5 years being the most common, but can be shorter or longer and apply to both variable and fixed rate mortgages.

Note: I'm not an expert on this or how it compares to other regions.

Ah, that's interesting and subtly different from the way it works in the US. The most common mortgage loan here is simply a 30-year fixed rate loan. We do have 3 and 5 year fixed loans, but they just revert to a floating rate after the fixed term so there's no presumption that you have to get a new loan at the end of the fixed term even though it's often a good idea. Those loans have also fallen out of favor substantially since 2008. Are full-term fixed loans not a thing in Canada?

My understanding is that this style of loan, balloon payment mortgage, used to be common in the US too, but government intervention in the form of Fannie Mae loan purchases made the 30-year fixed loan widely available.

As a borrower, there's a big risk with a balloon payment that you may not be able to find financing when it's due, so having a full term loan is very desirable.

Nope, 5 years is a maximum term you can get for residential mortgages, fixed or variable, with 25 years amortization most commonly (so you'll renew it at least 4 times).

Maybe there are other weird types of mortgages but they are usually not available for individuals I think.

At least if you're at the bank, the typical separation of powers would at least ensure they're caught promptly, should something go wrong.

You initiated the call to what number? The number on your card? If so, that's ridiculous.

(Obviously, initiating a call to a number provided by a potential scammer offers no protection. If someone is intercepting and redirecting your outgoing calls via the phone network, I'd say you probably have a bigger problem than a declined transaction.)

I don't do that. I say "are you crazy, you are a bank and asking me to prove who I am? You called me. You prove who you are first."

Yes, you’re right, I did say something like that once but the end result was the same: they asked me to call the number on my card.

I get these calls from time to time, and any bank with proper training should be 100% okay with you questioning their authenticity. There are some replies which indicate that the agent is annoyed... That's just poor training.

As for them initiating a phone call, it still does remain the best way to contact someone urgently, usually falling back to SMS and/or email when/if you don't answer (this was our SOP when I was in a fraud detection team years ago). We'd also usually tell them to call the number on the back of your card (because not everyone is able to look up the bank's website, shockingly, so this is the most universally applicable way to give people a number) but my usual spiel was "call us on the number on the back of your card or from our website".

There's also no real way for you to know that they're legit, but an interesting reassurance one bank I know uses is to provide your month and day of birth and ask you for the year (as just part of the verification process). The partial info probably helps some people but I still wouldn't go for it - too many people know my birthday.

I always say to them: I cannot identify myself to you because I cannot authenticate who you are.

And I explain to them that we, as a society, need to come up with a way of authenticating inbound and outbound calls to ensure we are connected with who the other party claims to be, because when you do this it conditions society into responding, and that's how phishing attacks occur.

society could fix all sorts of problems if we had a public key infrastructure...

Banks have this in place already - EMV cards have powerful cryptoprocessors. In Germany we can use chipTAN, it's a small cheap reader for your card where you scan a six-binary-blinking screen that transmits the transaction data, then the card signs it and you get a six-digit TAN back. You can also manually enter the hash to be signed ("start code" is the technical term) and you get the TAN.

Customer support could ask you to authenticate using the TAN already, the hurdle is that you would need to carry the reader at all times.

Unrelated to banks, I believe it could be possible to extend SS7 signalling to not just transmit the caller ID but also a crypto signature/public key which the phone then can verify - or your phone provider could. Think of something like HSTS with a global database, if there is no match for the phone number the provider patches the call through, but if there is an entry, all providers can check for the public key transmitted by the caller and refuse to patch the call if it's missing or faked.

Would you happen to know what kind of signature scheme they use?

IIRC the German system is proprietary, the specs are available only after payment of a couple hundred euros.

I am grossed out by proprietary protocols, but proprietary encryption algorithms just make me laugh. Who even thought that this would be a good idea? Are they seriously trusting their money with this?

I don't know about the German system, but here they use EMV-CAP: https://en.wikipedia.org/wiki/Chip_Authentication_Program

No public key crypto?

My bank seems to use a similar scheme. It appears akin to TOTP with 8 numbers. But the secret is inside the black box. They also have something like a QR code but with RGB colors (does not work with blue light reducing features).

We are in some kind of Stone Age of the digital age...

Or maybe some sort of interconnected web of people who trust each other...

That would be pretty good privacy.

Like the web of trust from GPG?

The WoT originated with PGP (though obviously GPG implemented it as well), but yes, that was the joke.

Why would they need to verify you when they call your phone? When I got these calls personally it was a robot voice that was simply asking if a few of my transactions were done by me. It only happened twice, and I feel they make sure to include both actual transactions and a few fake ones to verify your truthfulness, because in both cases I had one that was clearly wrong that I never saw in my transaction log and they didn't replace my card.

> "I'm sorry, as a rule I do not discuss personal details with someone who called me, since I don't know who you are"

Correct. If someone calls me, the onus is on them to prove to me that they are who they say they are.

However, I usually just block ALL unscheduled phone calls, period. Not only do I not have time for unscheduled interruptions, but banks have secure websites and if they can't make proper use of them, too bad, they aren't going to reach me by trying to call me. They should know that phones are easy to phish with, and stop using phone calls to initiate communication.

Ideally what I want is an e-mail saying "we saw some suspicious transactions, please /log in/ to check that there is no fraudulent activity" or even a more general "please log in for an urgent message" with a suspend button in the online interface.

Good point, and in fact I haven't gotten such a call in a long time. All the "did you make transaction X" type calls now go through their app or via SMS, so I don't get those calls anymore. I can't actually remember the last time the bank called me, but maybe 6 or 7 years ago they called me a good few times. Nowadays I actually also block incoming calls unless in my contacts or I'm expecting it. I communicate mostly online and outside family, rarely get phone calls. So I really don't care to answer a random call.

This. I always tell them I'll call them back if it is someone I don't know who needs to discuss sensitive matters. It's the only way to be sure.

> It is better if [...anyone...] include a security warning / specific reason the code is sent with the password reset pins and similar credentials.

I think anyone building such systems (either via e-mail or SMS or whatever) should at least remember THIS.

Send something like this via SMS:

> The password reset code you requested via our website is 12345. We will never ask you for this code except when you requested a password reset.

1. What is requested

2. How was it requested

3. Is it safe to pass this to some other human being

Okay, 4. in better English ;) As opposed to:

> Your caller verification code is 12345, please read this code to your banking agent to verify your identity.

Also, ChipTAN is great: https://en.wikipedia.org/wiki/Transaction_authentication_num... If your bank would use this, it would require extraordinarily smart social engineering (or a really naive user).

Hey, this is actually how it works in Turkey. All SMS messages for transaction purposes from banks have a disclaimer, which indicates whether to share the code with a customer service representative or not.

For example, for online transactions, the SMS includes a warning to not share the code with anyone, while SMS codes for telephone banking tells you to share the number with the representative.

The only text messages I get from my bank are descriptive confirmations of actions I did. At the end of every message it says to contact them by phone if you don't recognise the action.

My bank uses a scanner to authorize pretty much all actions. It scans some sort of RGB QR code [0]. When scanned you'll see the IBAN you're sending the money to and the amount you're sending. I think that when the IBAN is in your contacts it shows the name instead of the IBAN.

But most importantly it shows a descriptive message of what action you're verifying. I think the only actions that don't require the scanner are small transactions through their app and marking your card as broken/stolen in the app.

[0] https://www.rabobank.nl/images/how_does_the_rabo_scanner_wor...

BofA gives a disclaimer when you have a 2FA code texted to you (still wish they supported TOTP, but whatever).

>When I read the thread now, it's obviously full of red flags. I was successfully manipulated, and whilst I'm certainly not as clever as all the people pointing out they would have caught this from sentence one, I believe I'm also not the lowest hanging fruit in terms of a target :-) Makes you wonder what this will look like when these scams evolve another couple of generations in terms of complexity ...

I think this is a social skills moment. For those that claim it's "easy" to spot: This is not the right time for people to brag about how they would have totally spotted it. This is mostly for protecting people who (as most people in this world) don't have time to build up a solid understanding of all aspects of internet security. If you don't care about these people, as some sort of Darwinian schadenfreude, stfu. If you do, focus on their perspective, not your brilliant detective skills.

I'd wager >50% of those that claim "Ah ha! I'd spot it here!" would fail in real life. Arm-chair quarterbacking is easy. Spotting the scam in real life, when you're walking down the street or otherwise distracted with life? Much harder.

I don’t know... this is not a “social skills” thing. It’s a very simple rule that should be easy for anyone to follow: never talk to any business who calls you. Ask who they are, hang up, and call the official customer support number. That’s it. No wizardry, charisma, or smooth talking ability needed. Get who they are and hang up.

Personally, I don’t even answer the phone anymore unless the number is one of my contacts. Looking at the last 30 days of call history, a good 95% of my incoming calls were spammers who didn’t leave a message or spammers who did.

The last time a legitimate number called me I didn’t recognize was probably a year ago. It was my daughter’s school. They left a message and I called them back immediately. That’s probably the safest way of dealing with the security trash fire called the phone system.

Yeah, hanging up and calling the 800 number on your card is the best route.

But, the responses on Twitter weren't "never talk", they were "I'd know it was a scam as soon as..." (implying they'd allow the call to get that far).

Most people claiming they would have spotted it are probably wrong anyway. They're reading the messages with the knowledge that they were sent by a scammer. Any idiot can identify these things in hindsight knowing what they're looking at. Without that context, with other things on their mind, it's much more likely they'd have been duped too.

Absolutely. You're in the middle of something else. Your "bank" calls you. You're thinking "What the hell do they want and how can I deal with this as quickly as possible?" Etc. I like to think that I'd never fall for any of these scams and I'm sure I'm more conscious of the possibility than I would have been at one point. But I can't really swear that distracted me whose mind is 75% focused on some other task is as security-aware as I like to think I am.

They say the generic rule of thumb here is urgency. If you can't take your time, it's a scam. I was previously scammed several times with urgency, but as a rhetoric trick under a premise of impatience.

Just realizing that a phishing-attack like this is nowadays impossible in the EU: proper two-factor authentication is mandatory now (Revised Directive on Payment Services, PSD2), even just for login. TAN-codes generated for transactions need to incorporate the data of the transaction (recipient and amount), so that a phished TAN cannot be used to authorize a different transaction. I think even a simple SMS TAN may not be allowed any more (could be MITM-abused to authorize a different than the intended transaction).

Here is a summary of what customers and phishers have to face since September:


The security part of PSD2 is starting to look like another cookie law. Banks of course didn't implement any proper 2FA like U2F but rather send you scrounging for the phone with their app every time you want to look up a transaction or an account number, something that didn't require second factor until the directive.

In fact, because it makes checking recent transactions that much less convenient, it probably made me less safe because I do it much less often.

TOTP is in terms of usability not very different from PhotoTAN or ChipTAN, so I don't see how these methods aren't "proper 2FA".

U2F is a useful method, but it's not common at all (even in IT most companies don't provide it, not even the website we're on right now, nor PayPal), and it's not understandable how this isn't "proper 2FA".

In addition, the directive requiring the purpose of the code to be fixed and shown aside it, either in the app generating it, or in the push notification, is a very useful security aspect which most other 2FA solutions miss — even U2F can't differentiate between a login and a transaction authorization.

I don't like TOTP. U2F, however, is both convenient and secure. You touch a dongle, you're in, and at the same time there is no way to get access to your account without physically stealing the dongle. It's a proper second factor to a password.

Other solutions are either or. There is a benefit to confirming particular actions (with the info about the action) in the app but it's unnecessarily inconvenient for mere login.

U2F isn't widely supported but I managed to secure virtually my entire high-value Internet presence with it. Google, OVH, Coinbase, and Stripe all support it. Let's be honest, for HN I wouldn't bother with any second factor. I have the password saved in the browser and that's more than enough.

Here we have ChipTAN - I put my card into a special reader (some photodiodes plus keypad and display), hold the diode-end of the reader onto my PC display and a flickering image on the website transfers some info to the reader. On the reader I then see some info on the transaction (IBAN and amount), plus a TAN. I then enter that TAN on the bank's website.

So an attacker would need to alter the image (simple) and cause a collision (hopefully difficult) or somehow abuse an error in the reader firmware.

It seems there is now a QR variant of that (which increases the attack surface since now it has to understand a more complex data format).

If my bank would have had me install an App or use SMS 2FA I would have kindly asked them to .... off (or, if they think their "2FA" is safe, just connect their mobile phones to this totally unsuspicious looking USB device).

ChipTAN on wikipedia: https://en.wikipedia.org/wiki/Transaction_authentication_num...
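As an added illustration (not code from any bank, from ChipTAN, or from anyone in the thread), here is a simplified model of the "dynamic linking" that the ChipTAN comment above and the earlier PSD2 and SMS-wording comments describe: the code is computed over the purpose, recipient and amount the reader displays, so a TAN phished for one transfer cannot authorize a different one and cannot double as a password-reset or caller-verification code. Real readers use the card's own EMV algorithm; HMAC-SHA256 with a constructed per-customer secret, a transaction counter and the field layout below stand in for it here.

```python
"""Purpose-bound, transaction-bound one-time codes (illustrative model).

Reader side: generate_tan() shows the user what is about to be signed and
derives the TAN from exactly those details.
Bank side: verify_tan() recomputes the TAN from the transaction it is about
to execute. If a MITM swapped the recipient, or a scammer tries to spend a
"login" code on a transfer, the recomputed TAN differs and the request fails.
"""
import hashlib
import hmac

CODE_DIGITS = 6                                       # as on a ChipTAN display
SECRET = b"constructed-per-customer-secret-not-real"  # provisioned into card/reader


def _canonical(purpose, fields):
    """Serialize purpose + fields in a fixed order so both sides hash the same bytes.
    Field values are stringified; a unit separator keeps keys/values unambiguous."""
    parts = [purpose] + [f"{k}={fields[k]}" for k in sorted(fields)]
    return "\x1f".join(parts).encode("utf-8")


def generate_tan(secret, counter, purpose, fields):
    """Reader side. Returns (display_text, tan).

    display_text is what the user must check on the reader before typing the
    TAN into the website; the TAN is bound to exactly that text. `counter` is
    the per-card transaction counter that prevents replay of an old TAN.
    """
    msg = counter.to_bytes(4, "big") + _canonical(purpose, fields)
    mac = hmac.new(secret, msg, hashlib.sha256).digest()
    tan = int.from_bytes(mac[:4], "big") % 10**CODE_DIGITS
    display = "\n".join([f"Purpose: {purpose}"] + [f"{k}: {fields[k]}" for k in sorted(fields)])
    return display, f"{tan:0{CODE_DIGITS}d}"


def verify_tan(secret, counter, purpose, fields, tan):
    """Bank side: recompute from the transaction the bank is actually about to run."""
    _, expected = generate_tan(secret, counter, purpose, fields)
    return hmac.compare_digest(expected, tan)


def demo():
    """Walk through the three cases the thread worries about. Returns
    (genuine_ok, swapped_recipient_ok, reused_for_reset_ok); expected (True, False, False)."""
    # Constructed sample transfer the customer actually intends.
    intended = {"iban": "DE00 0000 0000 0000 0000 00", "amount": "50.00 EUR"}
    display, tan = generate_tan(SECRET, 7, "transfer", intended)
    assert intended["iban"] in display          # the reader shows what it signs
    genuine_ok = verify_tan(SECRET, 7, "transfer", intended, tan)

    # MITM keeps the amount but substitutes its own (constructed) recipient.
    swapped = dict(intended, iban="DE99 9999 9999 9999 9999 99")
    swapped_ok = verify_tan(SECRET, 7, "transfer", swapped, tan)

    # A phisher talks the customer into reading out the TAN as a "reset code".
    reset_ok = verify_tan(SECRET, 7, "password_reset", {}, tan)
    return genuine_ok, swapped_ok, reset_ok


if __name__ == "__main__":
    print(demo())   # (True, False, False)
```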

Interesting, thanks for the write-up.

One thing that I've frequently heard is that in any type of fraud call you should always hang up right at the beginning and call the bank back.

Seems like no matter how sophisticated the attackers, this defense will always foil anything along the same lines of what happened to you. The only way I can see this countermeasure failing is if the scammers can somehow manage to intercept inbound calls to the bank's customer service number.

I agree. The same goes for email obviously. But some financial institutions are actively luring customers into doing the wrong thing.

Paypal really stands out on this one. They are regularly sending me emails with a link to their login page to view my recent transactions (regardless of whether or not there are any transactions). This is clearly negligent.

Okay, so it's not just me. I've never clicked on what are apparently real paypal emails, because I have legitimately always assumed they were phishing e-mails that made it past my spam filter.

They're real. They're really real paypal e-mails. Wow.

I believe them to be genuine, but if you need incontrovertible proof, Paypal has you covered! :-)

All messages contain the following "clarification":

"How do I know this is not a Spoof email?

Spoof or 'phishing' emails tend to have generic greetings such as "Dear PayPal member". Emails from PayPal will always contain your full name."

So unless the bad guys can get their hands on a database full of names and email addresses, we're safe. And Paypal can honestly claim that "the security of our customers is very important to us!".

It is a pretty good idea, but only sufficient if you don't have much money. For large balances it might be worth someone's time to bribe your local telco worker or subvert your SS7/Diameter routing so that your calls route via an intermediary (i.e. make your phone a roaming number, route its calls to an attacker controlled exchange in e.g. India). It is even simpler to listen in to your legitimate call and hear your phone banking password and secret Q&As.

Calling via a landline or via an operator assisted call would make such tricks much more difficult.

Some great papers on Diameter and telco security here: https://www.bell-labs.com/usr/silke.holtmanns

There seems to be broad consensus amongst the commenters that this is the most reliable defense against this kind of attack. Makes sense. If they are able to intercept my outbound calls, it's probably an entirely different level of sophistication and targeting.

I read about a landline attack that would keep the line open when you put the receiver down, play a dial tone, and then wait until you’d entered a number before putting you back on with the scammer

Analogue telephones are creating (or at least in modern times simulating) a circuit, which doesn't close until the caller hangs up.

But almost everybody today has a digital phone, any kind of mobile telephone or desk VoIP phone is digital, "hanging up" ends the call because the telephone itself decided to do that, everything is just packets. So this trick won't be effective against most people today.

Likewise "dialling" today is an out-of-band digital step rather than a bunch of pulses or tones sent in-band that an attacker can just ignore.

> I read about a landline attack that would keep the line open when you put the receiver down

I experienced this once, but not as a scam, I think there must have been some kind of fault at the exchange... the other end was a mobile phone and they didn't end the call, just putting the phone back in their pocket - the landline wouldn't disconnect, whatever signal was sent, even disconnecting the phone entirely and plugging it back in. I didn't understand how exactly, but it made it pretty clear the (landline) telephone is not in control of the connection.

Learned about this too today. With the scammers playing the dial tone sound to trick the victim... Clever.

Yes, this has been the recommendation for a long while. Always call back on the official number you got elsewhere, not the caller ID number.

Sometimes the one calling you is already suggesting that you do this just to verify. Especially banks and police, I noticed.

IMHO this should be the law for financial and medical institutions etc. They should not be allowed to call and ask the receiver to provide verification information.

It doesn't need to be the law: I never provide any information to someone who calls me, unless I have a way of authenticating them.

You're set, then. But the reason a law would be beneficial is it would condition everyone's parents and people who aren't as awesome as you to stop trusting callers and start calling a known-good number.

>It is better if banks include a security warning / specific reason the code is sent with the password reset pins and similar credentials. My bank did not. Another twitter user noted being subject to the scam, and just glancing over the warning copy. So it helps, but it is not perfect. Especially pre-coffee.

I'm seriously surprised there are banks that send SMS codes without a reason for the code. All banks I deal with always send the reason for the code. For example: "This is a new payee addition authorisation code. Last 4 digits of the payee's account number are XXXX, the code is: XXXXXX" or "This a transaction authorisation code for the amount of $XX.XX, to an account ending digits XXXX. The number is XXXXXXX."

I would seriously reconsider giving your business to a bank that doesn't do that.

Interestingly there was an EU regulation passed recently that sets certain standards requiring 2FA for certain operations performed by bank customers. Having set up the 2FA auth app on an elderly relative's android phone and having to set up a pin to unlock a device as this is one of the 2FA app requirements and then spending 2 hours explaining how to unlock the phone, how to use it with a tablet to log in, how to authorise payments etc I have mixed feelings. On one side, it is a pretty secure system that will lower the number of victims of fraud. On the other hand it is a massive inconvenience for elderly people. I like the SMS verification system if done right. I think 2FA is a bit of an overkill.

Elderly are the most common subject of these attacks. So it is especially important to set strong protection for them. The inconvenience is regrettable but necessary.

2FA for banking is not overkill!

You can make 2FA really easy if you want to, now that EU req. 2FA there will probably be more banks with reasonable solutions.

I have seriously reconsidered giving my business to a bank that does do that: I'm not a fan of sending transaction amounts or account info via text. My bank does this (and over email!); their security posture is fairly decent otherwise, but why oh why send transaction amounts out into the world where they can be intercepted by anyone between here and there?

Think about the useful information for an attacker in messages like that: Recent transaction details can help an attacker auth on a call, account numbers can do the same. And large transactions are catnip, alerting attackers to worthwhile victims.

"The caller called me twice in rapid succession" this is to bypass the "Do not disturb" functionality on iOS if you have "Repeated calls" enabled. https://cdn.cultofmac.com/wp-content/uploads/2014/04/Do-Not-...

I noticed a political robocall taking advantage of this just yesterday, and there went any possibility that I would vote for this person. Your robocall did not constitute an emergency _you asshole_.

The biggest mistake was offering any information. You never offer information, you only confirm or deny things that they tell you. If they insist on things like member id, or email, you hang up, and call the bank yourself.

We as a society need some form of standardized ISO 9001-level protocol where ALL companies handle security the same way. They all ask the same questions, they don't allow first-tier support access to passwords or changing password, only specialized tier-2 support has this power, etc.

If all companies like banks, Amazon, Facebook, etc. standardize their procedures in a way that leaks no information, or engage customers in a way that leaks no information, then it will make it harder to phish people because phishers will be forced to ask weird questions that customers will detect as weird.

The problem right now is that some companies ask for last 4 digits of SSN, last 4 digits of credit card, some ask for email address, etc, etc. A phisher can put all those together so if you reduce the attack surface it makes it very very hard.

To me, the biggest red flag is asking for any identifying info in a conversation they initiated, especially without them initially providing some sort of privileged information to you first.

Unfortunately, some banks do this. (I'm looking at you, U.S. Bank.)

It's like someone calling me and then asking me who they're speaking to. Really? You called me! (Assuming they're not returning a missed call, of course.)

If (someone claiming to be) a bank calls/texts you, (and it's not immediately after a declined transaction) you always hang up and call the number you already have for the bank.

Even if it is after a declined transaction, you still don't provide any info. If they ask if you attempted a $101.89 purchase at "big box store," you should simply respond yes/no, and provide no other info.

If you didn't attempt that transaction, they especially don't need to confirm any other info.

In your tweets you mention "And now... joyfully resetting all my passwords, filing a police report, getting additional fraud detection in place". What passwords are you talking about and why do you need to reset them? As far as I can tell no passwords have been compromised in the attack as you describe it.

Or do you suspect that there's been another, undisclosed breach that the scammer used to get your name and phone number? I suppose it's plausible but it seems like it wouldn't be too difficult to get that info.

Should have written that more clearly. More accurate verbiage would have been "changing all my banking credentials, and enabling all possible notifications". I have no reason to believe other credentials were compromised, and have unique pw in place for nearly everything.

> My bank no longer allows me to reset my password without calling them (thanks bank).

So how are they going to verify it’s you who is calling them?

Ask for things like postcode, birthdate, etc.

None of these are secret, asking for these things provides no security.

Pro-tip, perform mutual authentication:

"Can you give a reference number (they will have a case number), and tell me where I can find your department's number on your website please. [Edit] I will call you back."

I've never had a bank or other financial institution have a problem with this approach. I don't give myself the opportunity to be fooled, because all of us can be fooled, it's how I respond to every single call from a business.

It should be noted that Caller ID spoofing is possible with pretty basic equipment. It's illegal in most countries but there's nothing technically preventing you from doing it. Which is crazy IMO.

SMS number spoofing is even easier, and available via almost all programmatic SMS services. Usually used to set the sender name.

>It’s illegal in most countries

Would love to see a citation for this.

Of course it’s illegal! All developed countries have strict rules about how you can use Telecomms networks. Of course scam artists don’t care about these rules ... It's not hard to find out further information about this. Check with your local Telecomms regulator, google or even the Wikipedia page!

>Of course it’s illegal?

Fraud tends to be illegal. That’s as far as I’m willing to believe your “of course”.

I do not believe most countries have laws regarding caller ID spoofing.

I know that in my country IMEI spoofing is (Bizarrely!) sort-of prohibited as forgery (as in IDs, documents or “anything of evidential/testimonial(?) value”), but can’t find anything regarding phone numbers.

I know that in the US it’s only illegal to spoof your number for fraudulent purposes.

> it’s only illegal to spoof your number for fraudulent purposes

Seems like you’re getting bogged down in semantics sir

How is that semantics? Fraud is already illegal literally everywhere, so spoofing your number for fraudulent purposes will obviously be a part of that crime.

If this is intended to defend your original claim, you’re being utterly ridiculous. You made a specific claim about caller id spoofing, not fraud.

For example, if you’re spoofing a random number for telemarketing calls that’s just not fraud.

> If you’re spoofing a random number for telemarketing calls that’s just not fraud.

It absolutely is, and in most civilised countries is illegal.

Like, I can totally believe that in the USA where any old lunatic can own an automatic weapon and nobody gets concerned until he shoots up a school that's the case ye

There’s probably some constitutional argument that you can spoof your number based on something ridiculous like free speech

>in most civilised countries is illegal.

I feel like we’re moving goalposts here and “civilised countries” will sooner than later become “English-speaking countries”, in which case I’m totally willing to concede that you’re probably right.

Very few countries have found it necessary to prohibit CID spoofing.

> I feel like we’re moving goalposts

More semantics. Yawn. Save it for debate club.

When you're wrong you're wrong :)

It's a common feature for PBXes to rewrite their outgoing caller ID on forwarded calls to match the origin caller ID. Say you've got an office desk phone that you have set to forward to your cell phone while you're out. Someone calls your desk phone, it forwards the call to your cell phone, what caller ID should be displayed? Technically the call to your phone is coming through your desk phone (well, your office's PBX), but doing that would mask who is actually calling. So the PBX rewrites its caller ID info to appear to be as the origin when it calls your cell phone.

This is technically spoofing caller ID, but is clearly not fraud.

That’s not spoofing in principle though, is it? This just reinforces my point that it's very easy to do this with ordinary equipment. There isn’t really any kind of technical safeguard against this stuff, probably just for the convenience of this kind of stuff.

It is in the literal sense spoofing caller ID and using the same tech you earlier claimed was clearly illegal.

> The caller called me twice in rapid succession (First ignore the call from a number you do not know. Then they call back again immediately: "maybe this is urgent / important").

This also gets past some Do Not Disturb modes.

With regard to the phone number spoofing: I recently had an actual call from American Express's security department marked by AT&T as "Fraud Risk," presumably because it's been spoofed in the past. It delayed the detection and resolution of the theft of my card number (not by much, but still...). It's criminal that we haven't better secured the Caller ID system.

I've recently read about a similar attack, but in Brazil.

Translated: https://translate.google.com/translate?sl=pt&tl=en&u=https%3...

Original (Portuguese): https://threadreaderapp.com/thread/1179903474244444160.html

Same approach, they also pretended to be from the bank calling about an irregular transaction. In this scam, it seems they hijacked her home phone line. She tried to call from her cell phone, then they called back to her home phone and said all communication should be from it, to ensure she was at a different location.

I got a similar call a few months back. They didn't ask for my PIN, but did ask for some other sensitive information. Fortunately I was able to verify afterward that it was legitimate by initiating a call to the bank using the number on their website (in case the original was spoofed), and they confirmed a record of the call in their system. But this was after I'd given them some information.

Phone number spoofing has to stop. There is no excuse anymore.

> When I read the thread now, it's obviously full of red flags. I was successfully manipulated, and whilst I'm certainly not as clever as all the people pointing out they would have caught this from sentence one, I believe I'm also not the lowest hanging fruit in terms of a target :-)

I think it's soo easy to spot scams because 99% of them are so shit, poor spelling, talking nonsense.

If scammers simply spell checked their scams I would fall for them all.

Not sure if still the case, but this used to be done specifically to weed out people who weren't quite gullible enough.


Step one for me when I am giving sensitive information is always "let's end this call and let me call you". I had gotten an e-mail from my bank and I called the number in the e-mail without thinking to lookup the support number on my own first. The number was legit and it gave the fraud dept a chuckle but it very well could've been a fake number

Calling twice in rapid succession is an emergency feature for Android (possibly other) phones when in Do Not Disturb mode. It bypasses the DND when you call twice like that. Usually, only the numbers on your Starred list can call without getting blocked by DND.

The recipient may believe they had starred the number because of this, making them more likely to pick up the call.

On iOS you can choose whether to allow or block repeated calls, but as far as I can tell it's an all or nothing toggle. If it's enabled, anyone can get through by calling twice.

I never give any information to anyone who calls me, apart from people I already know like friends and family. If they say they are from the bank I apologize and say that I will contact them independently via the number that is on my card. I don't even confirm my name. Some banks think I am being difficult, but I stick to this principle regardless.

I think it's more likely that some scammers think you're being difficult. Shouldn't that be standard procedure for a bank?

Once I gave my member number, the attacker used the password reset flow to trigger a text message from the bank. --> They used this to gain access to the account.

How did they gain access from the "password reset flow"? How could they tell your last transactions?

This is actually fairly common now, unfortunately. Many reports of Uber drivers being tricked into getting their account hacked using this method to obtain the 2FA pin sent via SMS so they can drain their balance or switch the bank account on file.

Sorry for OT, but I'm Belgian, a software developer, and have a law degree too - can I pick your mind on legal tech in Europe a bit? I can only find your twitter handle, do you have an email address I can reach you on?

Hi Roel, Twitter DMs are open.

Every financial institution has a mobile app now. They should just add a secure voice chat feature to the app instead of relying on phone calls.

The best defense against a scam is familiarity. Thanks for sharing this, hopefully it protects someone else.

I would say Thanks for the call. I'm hanging up now to call my bank to verify this.

How do we know you are the OP?

Sorry for the nitpick on grammar but

"I was just subjected to the most credible phishing attempt I’ve experienced"

Everyone has been subjected to the most credible phishing attempt they've experienced. Need to find another qualifier ;)

Thanks for sharing and sorry it happened to you. Sad to say, but I would be suspicious if any interaction with a bank is going this easy and is this convenient...

If the password reset procedure is over SMS, wouldn't any interception of that token have allowed the attackers to access your account and even initiate outgoing transfers?

A scam phone call seems like a clumsy way of doing it. It also risks alerting the victim to what's going on.

It surprises me that it is legal to conduct banking operations to the general public in this way. In many countries (including all of EU since SCA) that is not the case.

My simple policy is I never give out any information if I'm cold-called. If they claim they're my bank, I say I'll call them back on the number printed on the card, and ask the caller which department I should be put through to. Legitimate callers have never objected to this approach, and it saves me any stress - same policy, no matter the caller, no exceptions, no need for me to try and figure out if I'm being phished.

Good idea - but here in the UK there was a scam where they called you and THEN suggested you call the number on the back of the card.

They then don't hang up, but play a dialling tone down the line until you dial the number. At which time they 'answer'. This only works on home phones, not mobile, but is worth considering, and warning your family/friends about.

I don't think this works any more. My parents always did this when kids did prank calls. Kept the phone open for hours blocking their line. Did not work last time I tested. Uncertain how long you have to wait before next call though.

Generally with digital phone lines (almost every line out there) this does not work, and teardown on your side is at most a few seconds.

This is also impossible to pull off on cellphone lines. (There are other attacks but these require access to your BTS.)

In the UK - it was only the person that calls you who could hold the line open. Looks like BT stopped this happening in 2014/2015

Read more about steps taken to prevent this here: https://www.mirror.co.uk/news/technology-science/technology/...

But, if I don't hang up the receiver and the counterparty hangs up, then the line tone is the "busy" one, not the "free" one, and I'm unable to dial anyone until I physically hang up to reset the line. Or at least that's how it works back home. Is it different in the UK? I suppose it's something that less attentive people might fall for anyway.

In the scam in question, you (as the victim) - hang up the line. You then pickup the receiver to call your bank, via the number on your card.

The scammer, when they hear you hangup, plays a dial-tone down the line, so when you pickup the receiver, you have the impression that the line is clean.

You start to dial, they stop the 'dial tone', play a fake calling tone, and then 'answer' the call.

This would be incredibly malicious and difficult to detect even for the most skeptical of users.

Wow, this really is something if done right. I don't use a landline now, but if I remember, the caller needs to disconnect for the line to actually be disconnected. So even if the callee tries to disconnect by hanging up, the caller is still actually connected. If the callee picks up the receiver again and hears a dial tone, they'd be none the wiser. But I guess the scammer would also need to detect a key-press tone on the line and stop the fake dial tone, start the ring tone, etc.

That's not how it works with digital lines. Disconnect on any side breaks the whole circuit presuming they conform to even ancient PDH, much less SONET or SDH. Oh and this includes even more ancient ISDN. The trunk will immediately tear down the DS0 slot and circuit.

GSM and VoIP also do not allow this behavior without engaging call waiting on subscriber side.

This only happens with old fully analog connections. Not sure which country or public operator still has this kind of PSTN.

For the difference, peruse ITU-T G.175 and Q.522 standards. SE (switching element) will disconnect the routing on your side. It took me a while to find the actual standard number.

I haven't heard of this working since the 80's, with rotary pulse dial phones.

Never heard of the systems with this flaw. It was always "if you hang up then it's completely cut".

Perhaps it worked on Strowger exchanges when the call is local? I definitely remember this being "a thing" back in the 1970s but I don't remember ever succeeding in reproducing it. Obviously there must have been some time out because otherwise you could DoS anyone's phone by just calling them then not hanging up.

In the UK, when exchanges moved to digital, they deliberately kept the old behaviour because some people relied on it (eg, hanging up their main phone, then walking to another room and picking up the call on an extension phone), with a timeout of a few minutes.

In 2014 they reduced the timeout to 10 seconds to make this fraud harder to pull off.


Have you any idea when this worked in the UK?

It's such an old story that you'd have thought there would be an explanation online by now of exactly which telephone exchanges had this problem and when those telephone exchanges were in use.

For what it's worth, it didn't work when I tried it, probably in the 1980s. Perhaps it worked in the 1970s in some places?

On POTS lines, the call doesn't drop until the initiator hangs up so even if you put down the phone the connection is still there, pick up the phone again and you resume the same call. I used to use this to move to the upstairs phone to continue a call (back then we had two wired handsets on the same line). The last time I can personally cite it working that way is the late 90s, but I'm sure it has more recently than that, possible even still now for some lines.

I can't test as I've not had a voice capable land-line for some time. It may not work on newer exchange equipment. It won't work if you have a service whereby calls are directed over a digital connection. It has never worked for mobile phone services. It doesn't work on some (most? all?) office PBX arrangements, either.

As well as allowing this sort of scam to operate, the "feature" can also be used as a DoS attack, blocking calls to and from a line for a time.

Mechanically it's more or less unavoidable that call circuits are opened by the caller and can't close until the caller is disconnected with a Strowger exchange (electro-mechanical, pulse dialled). Once they moved to System X (the first digital exchanges, which introduced tone dialling though they can still interpret pulses) it becomes a matter of software engineering in the face of two conflicting considerations

1. Users do not expect the call to drop if for some reason the connection to the recipient momentarily is interrupted - there doesn't seem to be any obvious reason it should be right? Remember users don't understand how any of this actually works.

2. But, when they hang up, which to you as the exchange looks essentially the same as the connection being interrupted, they expected the call to end.

As an extreme example of (1) suppose you have a rotary telephone and idly while talking on a call you put a finger in the dial and dial a '4'. What do you expect to happen? Nothing right? Maybe it makes some click noises, and you apologise to the person at the other end. But those click noises are the same - for a fraction of a second - as hanging up. So if we just naively code the system to drop calls whenever it thinks anybody has hung up, the call drops. You can bet customers will not be happy.

So the providers would pick a plausible delay. OK, let's say after two minutes with the call recipient showing as closed we'll give up and end the call, the caller can always just call back if that's a mistake anyway.

Well this fraud comes into the picture, adding a third consideration to the balancing act. Most UK providers would go in and choose a new smaller timeout. One second seems to cause false positives. How about five seconds?

So there's going to have been a window, and it will vary depending on where you live. System X was definitely not everywhere in the 1980s. It will also depend how you tested. If you tried waiting 5 minutes and the timer was set for 30 seconds then your test seems fine, but a victim who hangs up, counts to five and then tries their bank will get stung.

Pretty sure I tried it in the 70's with a TXE4. Didn't work.

Fuck that's clever

This is probably the best security technique in terms of simplicity vs effectiveness, one that everyone and their grandma can use. I wish there was more effort in educating people to use it.

I even remember a thread here on HN where one three-letter agency authenticated themselves to a user with this method, calling his numbers and saying, this is the FBI/NSA/etc. but for you to be sure, please hang up, look up the public number on the website, call, and ask to be put through to $Agent from $Department.

> My simple policy is I never give out any information if I'm cold-called.

That's what I do. When someone calls me and then proceeds to ask me security questions to allegedly assert my identity I reply "well, you called me so how do you prove to me who you are first?"

I usually get an "err..." but on one occasion the guy was rather rude and hung up.

The worst thing is that most of the time these calls are genuine. This means that my bank does think it's fine to do that.

My bank did this once - called me out of the blue and started asking for answers to security questions. I asked them how I could be sure it was definitely them and they said to call the number on my card and ask for a particular department, which I did, and it turned out it was indeed genuine.

The fact that they had an immediate answer to the question obviously means that they were asked this question all the time. I wonder how many people happily handed over the info?

It seems that they now just play a recorded message asking to call, and then automatically hang up.

Makes me wonder, what if a bank just started all phone calls like that with: "Hi this is Bank, we need to get in contact with you, for security reasons could you please hang up and call the number on the back of your card?"

I usually receive soft objections to this. They don't even seem to understand the problem most of the time. In fact, they speak rather like I would expect a scammer to: "but we just need to verify who you are, and you will still have to do this if you call the number on your card, so it's easier if I do it now".

They always ask if I want to pay over the phone. I say nope, I'll mail you a check.

The Twitter thread points out that you need to call from a different phone, else the scammer could leave the line open (even after you hang up!).

Go to the police? Let us know how that works out for you. I did that once, after a highly credible phishing attempt (that, ultimately, I did not fall for). This was in Germany.

Me: Here is what happened to me, I'd like to file a police report.

Police: Well, with these internet scams, the fraudster is usually in another country, meaning we can't really do anything about it.

Me: They used perfect German, used information that I only ever provided into a non-public database of a German-based business that must have had a breach of some sort. The fraudster also used pictures of apartments in Germany that must have been taken here.

Police: Well, still. The person actually doing all of that could have been doing all of that from another country. Usually Russia or China or something.

Me [thinking to myself]: Yeah, Russia, or China, or some country where law enforcement generally presumes, even against all evidence, that any and all cybercrime is happening outside their jurisdiction and therefore not doing any law enforcement at all when it comes to cybercrime. Like what is happening right here right now.

Me: Well, I realize that nobody is going to start an investigation into this specific thing that happened here, but still: Isn't anyone at least compiling a database so that, once patterns become bigger and more apparent, an investigation of sorts may become warranted, etc?

Police: Nope. Nobody doing that. You can file a report. But I can tell you right now that nobody is going to look at it or do anything with it. Also, we kind of have more important things to do, here at the station. I mean: It's your choice. I can't stop you. Just telling you how it is.

Me: Okay, thank you, goodbye.

The good old self-reinforcing loop...

It's not a prevalent issue -> We won't do anything -> You filing a report will be just a waste of time -> Statistics show it's not a prevalent issue

Thinking of this I would have continued like:

Me: are you confirming that if I start a scam you will not investigate it?


Me: Ok , then thanks a lot, I know now.

Police: umm, wait maybe..

Of course the local police department isn't likely to investigate it. That doesn't mean no one is.

But, formally speaking, it actually really is within their responsibility to serve as the first point of contact for the individual citizen (think "retail customer") and put it through to the proper channels within law enforcement.

The Bavarian police (this was in Bavaria) even has a "center for cybercrime" which, according to press releases and stuff, sounds like precisely the office that should take note of things like that. But they don't have any public-facing communication channels of any kind[1], and I'm unclear whether they actually do stuff or whether they exist purely on paper as a public relations and politics stunt.

Maybe if I was politically connected or willing to spend a pile of dough to put a lawyer on it, things would be different, but this was just one man trying to do his civic duty and there's only so much trouble that I'm willing to go to for that.

[1] EDIT: After doing some more research, it looks like they do now. This was just announced two months ago, so it seems to be a new development.



The police are more busy trying to catch victimless crimes instead of going after scams which have real victims. If you search for "fake dna test online" for example you will find a lot of relevant results even on the first page of Google.

File a written criminal complaint directly with the Staatsanwaltschaft, bypass the incompetent morons at the police.

I had the exact opposite experience. The DAs office eventually called me to tell me that they didn't catch the perps but were able to kill the phone-number blocks which they had been using for years because no one ever reported them.

Sometimes cops are just lazy (or assholes). When thieves tried to steal the rain gutter from the apartment building on the other side of the road, the cops told me "don't expect us to rush in with sirens and screeching tyres", even after I told them the thieves were still there, in broad daylight.

Later my landlords told me they lost 50k Euros in the previous year because of stolen rain gutters.

Unfortunately with spoofed numbers it is, from what I've heard, incredibly difficult to track. The carrier that terminated the call to your carrier is likely not the originating carrier (the one that initiated the call) so it could involve subpoenas to many carriers to find the originator, which you then have to subpoena for the customer information.

Yeah, that's kind of what I've expected. However, having the police report often helps when dealing with the bank if there is any real fraudulent activity. It shows them you're serious.

This is an uninsightful comment. You go to the police to get the report.

I can understand how people would fall for this one. With 20/20 hindsight, asking for the member number is fishy - it doesn't actually verify anything. And when my bank calls me, it is always automated - I only get a person talking to me if I ask for it through the automated systems. So in a way, any actual person calling would be a red flag. But in the moment, I can see why it sounded legit.

My parents have taken their precautions against phishing to extreme levels. They don't speak into the phone when unknown numbers call. At all. If they choose to answer, they wait for someone on the other end to talk and then decide whether to speak or hang up. They have heard horror stories of people getting their voices recorded and replayed into automated systems, so if someone calls and asks, "Hi, is this <name>?", they avoid even saying "Yes", and instead ask who is calling. It may be paranoia, but as the saying goes... just because you are paranoid doesn't mean that they are not out to get you.

I wonder if the criminals start to use automated voice systems, especially if those systems prompt and allow you to input numbers/password from the dialpad, how many more people would fall to the scam.

If done well, it likely would be highly effective. Maybe we should not give them any ideas.

Anecdotally, I think answering and immediately muting calls from unknown numbers is a deterrent to repeated calls. They're almost always robocalls that wait for someone to start talking before launching into their spiel. Without any audio input, they sit and wait exactly 10 seconds before giving up... and my hunch is that they put that number into a "dead" pool and won't try again.

One I almost fell for, was a tab that changed to a Gmail login screen in the background. When I switched to it, I thought I had gotten logged out and entered my password. Luckily 2fa saved me. Did not use a pwd-manager at the time, that also would probably have prompted some red flags when it didn't auto-fill.

Saw this on Twitter this morning. Sounds like they must have engineered it and set things up beforehand because they (a) knew which bank he was with and (b) had everything set up ready to log in when they got his ID number and received the password reset code from his text message.

I guess one thing that could have mitigated this quicker is if the text from the bank had said "Here is the code you requested to reset your online password" instead of a generic "Your authorisation code is..."

Which bank you have is not very secret information. Any payment exposes that information.

It's a very clever scam, but it's also a very insecure bank if this is enough to authorise payment. Get a different bank that uses 2FA, makes it clear what an authorisation code is for, and doesn't call you for this kind of sensitive information.

If they really do need to reach you quickly to stop a fraudulent transaction, a simple "that's not mine" should suffice. They know they're talking to you because they're the ones calling you. If the person making that payment has also stolen your phone (entirely possible) they will not deny they made that transaction, because they want that transaction to stand. That means only confirming it's your transaction in this situation is suspicious, not denying it.

> Which bank you have is not very secret information. Any payment exposes that information.

Still, it means they had to spend some time to prepare for this specific person.

Aside - here in Europe, the account numbers including bank code is pretty much public information. Something like e-mail address. After all, you can only send something in there. To withdraw, you need login credentials.

> After all, you can only send something in there. To withdraw, you need login credentials.

Unfortunately, that's no longer true; with the SEPA Direct Debit system, money can be taken from an account with just the person's name, address, IBAN and BIC (the info required to fill a "SDD mandate"). I think there are some verifications you need to pass to be able to create direct debits, but it still seems like a move in the wrong direction, in my opinion.

All banks I had an account at required verification for any payment order, including the direct debit. Some time ago (before widespread internet banking), you could issue an order that would be verified just against the details you mention _plus your signature_.

I hope it's not possible anymore. At least my current bank lets you authorize direct debit in internet banking app. Anything you do in person requires either logging-in to the internet banking account at the branch or presenting an ID.

Yes and no.

As far as I know, to set up a periodic SEPA transfer (at least here in SVK (EU)) you need to do it in person, although more and more banks are starting to allow this through their web/phone app.

E.g. issuing a SEPA for my monthly ISP subscription, I put into the system that 1) from this account, 2) this amount of money, 3) to this exact account, 4) with these additional details/comments/etc.

And if it fails for whatever reason (in my case mostly because once in a while the amount that should be withdrawn for that month is more than the pre-set money):

- the payment gets withheld at my bank / simply fails;

- the other side contacts me via phone/mail/... that there was a failure (which I can check on my bank account, so "kinda-phishing-safe");

The other side is still able to withdraw only that specific amount once in a period (most likely a month), and if anything is amiss, the payment simply fails.

So here's a problem with banking "2FA". It's not clear what the number they send you by SMS is used for.

My Gmail account has 2FA. The token is only used for login. If anyone asks me for it over the phone, there's only one reason.

Banks use 2FA sometimes at login, sometimes over the phone, and sometimes to authorize transactions. That should be made transparent in the message, but it usually isn't.

Imagine: "Your temporary pin for identity verification is 373123, and expires in 5 minutes."

"Your temporary pin to authorize a transfer for an amount ending in $xxx4.23 is 522185 and expires in 5 minutes."

My bank here in Germany does exactly this. The message I get is something along the lines of "Here is your authorization code for transaction number XXX for 5€ to RECIPIENT issued at 14:23: 12345"

2FA is now mandatory in the EU with recent banking regulations (PSD2)

This is very scary for the average person. I've taken to simply not answering any questions (not even to confirm my name) if someone calls me. If my bank calls me then I call them back on a number that's on their web site.

If my bank calls me then I call them back on a number that's on their web site.

I'm always amazed at how stupid the security situation is in these cases. Banks, telecoms services, etc. do actually call up and try to 'take me through security', and when I say "tell me something you know about me first so I know you're who you say you are", the best they can usually manage is "well, uh, you bank with [Bank]". It just perfectly trains us to fall for scams.

I’ve tried getting them to give me a checksum to verify validity. For example, tell me the sum of the last four digits of my card number. They always refuse, so I always hang up and call back. Too bad they don’t understand that giving out a checksum is not insecure.

Well, yeah, if it's not standard operating procedure I'd hope they'd refuse.

Now, it should be supported, but I don't want the folks on the front lines guessing (or figuring out on their own) what sorts of mathematical games are safe. Erring on the side of caution is the right approach for CSRs.

I've read many articles about people who were scammed, and the bank refuses to give them any money back, on the grounds it was the fault of the customer to get scammed.

So given banks have nothing to lose by scams, I suppose that explains why they just don't care about the fact they're training users to ignore them. The bank just does whatever's easiest for it, which in this case is just to call the customer.

I've even had a bank rep get angry at me for refusing to answer their questions on the cold call. I presume it wasn't phishing because when I called back on the legit number they did want to talk to me. It was a long time ago so I forget, but I think they were trying to upsell me, so maybe that's why he got angry - i.e. no commission for him.

Being on HN I don't think I'm the average person, but I wouldn't rule out falling for this at some point in the future as well. But doubly so for my non-technical parent or partner, I guess.

The easiest way to avoid this entire class of attack, is to never be willing to answer any kind of question from someone who calls you. Always hang up, Google the customer support line for the business, then call them.

There was a widespread phishing attack in the UK that used this approach.

On UK landlines the call is not terminated until the person who made the call hangs up. That is to say if I call you, you answered and then hung up, then waited a minute and picked up the phone again, I'd still be there and the connection still made.

Scammers phoned people, told them there is an account issue and to phone the number on the reverse of their credit or debit card. The scammers keep the line open and play a recording of a dial tone to the target phoning back and then go through garnering all the details needed to rinse the accounts.

I believe in response UK phone networks are implementing time limits on one-sided terminations.

This BBC article from 2014 suggests that the call clearing time was reduced to a few seconds by most carriers: https://www.bbc.co.uk/news/technology-26559554

My bank does that. They call you and say "we need to talk about some fraudulent transactions, can you please ring the helpline and ask to talk to Dave".

I've already taken the most effective security measures against this kind of attack, which is to never answer the phone.

Sadly this is my approach, too. If it's important they can leave a voicemail message and I'll call back at my convenience.

I always thought the expectation of interrupting whatever you're doing at a few seconds notice was incredibly rude anyway, even more so now we have so many other ways of communicating.

Yeah but people expect when calling a business to be put on hold for 20 minutes and be dicked around on a phone tree. They don't want to deal with that.

We should have learned this one a long time ago from email. If something comes through from a service which may require action, then go directly to the service and stop interacting with the email.

Phones seem just as dangerous these days. I don't answer them at all. Anyone who really needs to get in touch knows multiple services that will get through to me.

How easy would it be for an attacker to (at least temporarily) outrank the bank in SEO so that when people google the bank's number they find the top result being the attacker's number?

Extremely hard. Maybe you could buy an ad space and "outrank" them that way. Have to pass Google's ad approval process though.

There's quite a few articles about this happening in India through Google Maps:


Or have your regular representative call you; an attacker may guess their name and hope you won't be able to recognize their voice, but it adds a level a complexity

A Rover scammer called my wife yesterday. She felt pretty quickly that it was a scam.

I tried to call the number back from my phone (it was seemingly a regular local phone number in the LA area and I love fucking with scammers) and an automated response told me that “no Rover account could be found for my number, please visit Rover.com/help for more” which I thought was very sophisticated of them to really try and prove authenticity.

So then we called it back, from her phone, and it connected right away. The person on the other end said, “Ashley?” and I responded (in my non-female voice, not that there aren’t many men named Ashley) “yes, hello, how are you?” - they hung up immediately.

Ultimately my wife called Rover via their 1-800 number and it was indeed a scam. People try to ascertain your login creds to redirect funds. Basic stuff... but I was impressed at whatever basic twilio system was built to try and mask the scamminess with that automated message.

The most surprising part is that they were able to gain access to your account using just the code texted to you. It's called second factor for a reason. The bank should still have sent you a password reset email.

My bank doesn't even allow password resets like that. If you forget, you can request a new one, but that goes just like the initial setup: you get 2 separate documents by post, one with a new password, and one with a new activation code.

Reading this thread reminds me of when I was subject to a social engineering attack by people who claimed to be the FBI. The voice messages they left sounded unconvincing so I ignored them on the basis the real FBI would have better ways to contact me.

Couple days later two FBI agents show up in my driveway asking why I didn't respond to their voicemail..

Well, you weren't wrong.

Or maybe it was just super persistent scammers dressed like FBI agents!

Interestingly the most... clever, if not necessarily convincing, phishing attempt I've heard of, went like this:

1. Phishers call someone and pretend to be from their bank. If they've guessed the right bank and the person gives away their details, they win!

2. If they don't, and question the phishers' authenticity, the scammers say "sure, just call us on the number on the back of your card".

3. The cardholder hangs up, and then dials the number for their bank, which they know and trust, because they've called it before or it's come from their card.

4. They get connected to a service representative, answer security questions, confirm that the transactions are valid, and then can relax.

5. A few days later, they get a call from their bank saying there's a whole lot of fraud on the account.

The trick to this one is that the phishers (a) call the cardholder on a landline and (b) when the cardholder thinks they've hung up, they haven't - the phishers just play a hook tone and then a dial tone.

In Australia at least (not sure about elsewhere?) if you call a landline number, the caller must end the call, or at least it used to be that way (I haven't owned a landline phone for a _long_ time). There's probably also a significant skew towards the elderly in landline owners, and in susceptibility to scam calls.

I don't understand why there are still banks that do SMS verification. It has been proven so many times now that it is vulnerable to both phishing (proven here), sim swapping attacks, etc.

The banks here in the Netherlands all have (well, except for one maybe) hardware authentication devices. They are portable smartcard readers, you insert your card, enter your PIN on the device itself (not your computer or phone) and transfer a digest from your PC to the reader by typing or scanning a QR code (some readers have a little camera). You then type the signature into your computer or phone.

The readers for my bank even have a screen, that tells you what you are signing, like a login, or transfer of which amount to which bank account. Photo here [0].

The banks are very clear that they will never ask you to use the device over the phone. And that double confirmation by showing the sign action on the screen of the reader makes any form of phishing really hard.

IMO these smart card readers are the best compromise between convenience and security for banking.

[0] https://4.bp.blogspot.com/-6c1NGHew1P8/VBqvTeqDQdI/AAAAAAAAf...

Not disagreeing with you in general, but:

> The readers for my bank even have a screen, that tells you what you are signing, like a login, or transfer of which amount to which bank account.

That's information that could and should also be included in the SMS. The OP's bank did not do this, which is a huge fail on their part.

In my bank (Poland here) they have a mobile app which receives push notifications instead of SMS messages. The notification also contains the reason for the code. So in OP's case it would say "Code for resetting your account password", which would probably trigger a red flag sooner.

IMO smart card readers are the worst solution for everything. They are invariably less capable and less secure than my phone. Why would I carry 2 devices (one of these quite primitive) if I could only carry one?

Can you elaborate why you believe smartcards are less secure than your mobile phone?

All the ones I've seen have no security, either it's just a changing password (e.g. RSA key), or you input your card (optionally entering your PIN which you share with every POS terminal / shop) and get a password.

My phone requires a password (which I can set to be arbitrarily secure, not 4-digit PIN (LOL)) or a fingerprint (which is something no one can steal, unlike a credit card... or at least I'd notice it's missing much sooner!)

As I expected: you don't appear to have a clue what a smartcard actually is.

> My phone requires a password (which I can set to be arbitrarily secure, not 4-digit PIN (LOL)) or a fingerprint (which is something noone can steal, unlike a credit card... or at least I'd notice it's missing much sooner!)

Anyone can steal your fingerprint, and you can't reset your fingerprint like you can with a password or PIN.

A smartcard will self-destruct (wipe the key material) after a number of unsuccessful PIN entries, so the chance of someone successfully guessing the PIN is ~1:3333 for a 4 digit PIN with 3 attempts. This is good enough for banks to offer fraud insurance, in the off-chance that your card gets cracked your bank will reimburse the damage.

> optionally entering your PIN which you share with every POS terminal / shop) and get a password.

Yes, but that would still require physical access to your card. So they'll need to have both your card and your PIN. At that point you'll need to have your card/account blocked ASAP anyway. Your bank will supply you with a new card and PIN, which is a way better solution compared to cutting off your fingers and attaching new ones ;-)

RSA SecurID is not a smartcard. It's basically equivalent to TOTP except as a physical object rather than a phone app. There's a secret baked into the SecurID and the issuer knows that secret so they can use it to generate the same one time code.

You seem to imagine that your phone, on which you run most likely not only a wild variety of apps from potentially untrustworthy sources, but also a web browser, which is a huge attack surface facing the Internet, is more secure than a simple smart card and that doesn't make a whole lot of sense.

In both cases the main real world security is that bad guys will probably need to _steal them_ which is difficult and a completely different skillset from the skills to make phishing emails or lie on the phone. But the phone is a bit worse here because maybe they can attack that remotely via, as I mentioned, your web browser, instant messaging stack or other components of a very complicated device.
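Three comments above describe the same building block from different angles: the suggestion that the SMS say what the code authorizes ("Your temporary pin to authorize a transfer for an amount ending in $xxx4.23 is ..."), the Dutch smartcard reader whose screen shows what you are signing, and this comment's point that a SecurID is TOTP in hardware form. The following Python is an added example written for this thread, not code from the thread, from a bank, or from RSA. It implements HOTP/TOTP as specified in RFC 4226 and RFC 6238 (checked against the RFCs' published test vectors), then a constructed transaction-bound variant in which the HMAC also covers the amount and payee, so a code issued for one transfer does not verify for a different one. SECRET is the RFC reference secret, the transfer details and IBAN are placeholders, and the transaction-binding scheme is an illustration, not any bank's actual protocol.

```python
"""HOTP/TOTP (RFC 4226 / RFC 6238) and a transaction-bound one-time code.

Added example for this thread; not code from the thread, a bank, or RSA.
SECRET is the RFC reference secret; the sample transaction and the
transaction-bound scheme are constructed for illustration.
"""
import hashlib
import hmac
import struct

# RFC 4226 / RFC 6238 reference secret (ASCII "12345678901234567890").
SECRET = b"12345678901234567890"


def _truncate(mac: bytes, digits: int) -> str:
    """RFC 4226 dynamic truncation: take 4 bytes at the offset given by the
    low nibble of the last byte, clear the sign bit, keep `digits` digits."""
    offset = mac[-1] & 0x0F
    code = int.from_bytes(mac[offset:offset + 4], "big") & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """HOTP: HMAC-SHA1 over the 8-byte big-endian counter, then truncate.
    A SecurID-style token does the same with its internal counter/clock."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    return _truncate(mac, digits)


def totp(secret: bytes, unix_time: int, step: int = 30, digits: int = 6) -> str:
    """TOTP: HOTP with the counter replaced by the 30-second time step."""
    return hotp(secret, unix_time // step, digits)


def transaction_code(secret: bytes, counter: int, amount_cents: int,
                     recipient: str, digits: int = 6) -> str:
    """Constructed 'what you see is what you sign' code.

    The HMAC covers the counter *and* the transaction details, so a code
    issued for one transfer is not valid for a different amount or payee.
    A reader with a screen works on the same principle with its own format."""
    details = f"{amount_cents}|{recipient}".encode()
    mac = hmac.new(secret, struct.pack(">Q", counter) + details,
                   hashlib.sha256).digest()
    return _truncate(mac, digits)


def sms_text(counter: int, amount_cents: int, recipient: str, code: str) -> str:
    """The message the customer sees: it names the action the code authorizes."""
    return (f"Code {code} authorizes transfer #{counter} of "
            f"EUR {amount_cents // 100}.{amount_cents % 100:02d} to {recipient}. "
            "Never share this code by phone.")


def verify_transaction_code(secret: bytes, counter: int, amount_cents: int,
                            recipient: str, submitted: str) -> bool:
    """Server side: recompute the code from the details the server holds and
    compare in constant time. A code replayed against altered details fails."""
    expected = transaction_code(secret, counter, amount_cents, recipient)
    return hmac.compare_digest(expected, submitted)


if __name__ == "__main__":
    print(hotp(SECRET, 0))              # RFC 4226 test vector: 755224
    print(totp(SECRET, 59, digits=8))   # RFC 6238 test vector: 94287082
    # Constructed transfer: 5.00 EUR to a placeholder IBAN.
    iban = "NL00BANK0000000000"
    code = transaction_code(SECRET, 42, 500, iban)
    print(sms_text(42, 500, iban, code))
    print(verify_transaction_code(SECRET, 42, 500, iban, code))    # True
    print(verify_transaction_code(SECRET, 42, 50000, iban, code))  # False: amount changed
```

Binding the code to the transaction does not by itself stop someone from reading out a code for a transfer they were talked into; what lets them notice is the message (or the reader's screen) naming an amount and payee that do not match what the caller claimed. The two halves belong together: the code proves possession of the secret, the message text lets the customer check what that proof is being spent on.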

I keep getting astonished by how bad online banking security is in the UK and US.

Here in Scandinavia, we've had hardware tokens (or phone apps) to offer 2fa for ages. And you need a new token for every transaction. In addition to the password for logging in. When you reset your password, you get an email and an SMS saying that your password was reset.

Last time I needed a new token issuer dongle, I had to actually visit the bank and sign stuff.

Oh it gets worse.

My UK bank had a hardware token for years. They recently "upgraded" my security for online banking, and now use SMS 2FA codes for login and authorising new transfers. The hardware token is now unusable.

I'd change banks, but I doubt the others are better.

HSBC did this to me as well. The battery had died in my old token so I had to jump through so many hoops as the default assumption seemed to be that the customer would have a working token to set up the 2FA.

To send money over £250, RBS still use hardware card readers for their MFA flow. You put your debit/credit card in the device, enter your normal PIN and then a code that is displayed on the website. It's a little inconvenient if you don't have the device with you when you need to send large amounts of money, but in general it's great to have rather than SMS.

Of course, I expect that eventually they'll move to SMS too since it's easier for them and more in line with the rest of the industry.

Under the new EU rules 2FA over SMS is not allowed because it is possible to transfer phone numbers to other devices (through social engineering or simply because providers reuse old numbers) and thereby intercept the code. Instead most banks use an authentication app so that 2FA is bound to a single device.

Citation needed?

Some Polish banks definitely allow using SMS as a second-factor.

(And some even let you use a permanent cookie for that. :-O)

They are better. One of my banks offer a hardware token which requires my card to be physically present and for a correct PIN to be entered. The other has an app with push notifications which can be used to approve or deny transactions.

Seriously, switch bank.

Aye, that's what they used to use. Great News! Now I don't have to remember to have my card reader and I can use app, SMS or email to get codes instead. Err WTF? Apparently these changes help protect my accounts from fraud better, or some similar Orwellian doublespeak.

I did wonder if it was some unintended consequence of the EU banking interop changes, but that didn't seem especially convincing. OK, changing bank it is then. At least it's so much easier than it used to be. :)

I hate hardware tokens. Recently got one from my bank. I'm switching banks. I just don't see any advantage over a phone app (plus a phone app can offer better notifications).

Yes, but then it's not 2FA, it's notifications in the app you're probably using for banking, so now it's 1FA.

That's fine for sending £100 to an account already in your list of payees, but to set up a new account, where's the second factor in an app? That, to me, seems a large step backwards.

Well, you need (1) my phone and (2) my fingerprint, so technically it is 2FA. They could easily require (1) my password and (2) my phone, so still 2FA.

2FA is usually fake anyways, there's usually a way to reset stuff with only one factor (e.g. use phone number to reset password, or login with password and change phone number, ... same with PIN), so it's all a misnomer anyways.

> Last time I needed a new token issuer dongle, I had to actually visit the bank and sign stuff.

I'm glad UK banks try to avoid physical dongles because having to go to the bank and sign stuff to get one is not always convenient, not to mention you need to carry around the dongle everywhere, and if you lose it while you're on vacation it's yet more trouble.

Phone 2FA would be good but a bit pointless because the 2FA app is on the phone, and so is the banking app. Personally I'm satisfied with the way UK banks handle security - it's secure, they block suspicious transactions, etc. yet it doesn't get too much in your way.

I don't think UK banks are less competent, it's just a fine balance between usability and security.

> Phone 2FA would be good but a bit pointless because the 2FA app is on the phone, and so is the banking app.

This is exactly like having a physical token with you. If it gets stolen, they have the tokens. But, at least, having the token in the phone app is way more convenient for customers and also has another layer of protection (think of the fingerprint/passcode etc. you need to access your phone).

Over here in EU land the mobile identifier app is pin protected. Think Google Authenticator but with a pin to access the tokens.

You need my phone unlocked and my six digit pin in order to identify as me.

There are still possible social engineering attacks, though.

Yes, I actually am in EU land myself, and I forgot about that

I don't think having 2FA in a phone app is pointless. It's still a second factor, if someone got into your bank account. They need to get access to that 2FA app as well. And of course you protect that app with a password/PIN. Do you know of cases where a 2FA app was defeated when someone stole money from a bank account?

What I mean is that if a user has access to my bank mobile app on my phone, they also have access to the Google Authenticator app. With Lloyds, the app is locked by finger print or password which in this particular scenario is actually more secure.

The phone 2fa app asks you to verify the action, and you input your PIN.

My banks hardware token also needs a PIN before it generates a one-time code.

Some bank tokens just give you the code when you press a button, though. Those, you have to worry if stolen.

>Phone 2FA would be good but a bit pointless because the 2FA app is on the phone, and so is the banking app.

Can't you just lock the stolen phone?

This is so true. My wife (US) just needs user+pwd to access her bank. Me (Italy), had physical tokens or at least SMS 2fa for years. Also EU is now going through a major security upgrade for banks with SCA (Strong Customer Authentication)

My US bank added "two-factor" authentication at some point, requiring both a password and the answer to my secret question :-D

As a child in Sweden in the late 90s and early 2000s I recall that my dad had a hardware token to access his bank account. Though nowadays people in Sweden use BankID for the most part which is 2FA in the form of a mobile app. BankID is also used to login to most government websites in Sweden which is nice.

Meanwhile, banking security in the US is stuck in the Stone Age. Last I checked Wells Fargo, one of the largest US banks, still does not allow passwords greater than 14 characters in length and passwords are not case sensitive.

In the Netherlands we used to have dongles or card-readers for all online banking but we are now downgrading to apps, 5-digit number codes and 2FA without an external device. This is all for ease of use but I think from a security standpoint it's not the right direction to go. For instance, in an app you can't view the certificate and whether or not the connection is secure. If you are in a foreign country with dubious leadership it could be hijacked using a rogue SIM-card or some dictator driven root CA (looking at you Kazakhstan).

The worst offender is ING, you can set a payment limit in the app but then you can also change the payment limit in the app itself. If I take a nap on the train, you can drain my bank account by pressing my thumb on the reader.

In Sweden we have BankID - a two-factor, two-way authentication using public/private encrypted keys that's bound to a smartphone as a signature.

The process is user-friendly while keeping security high:

- The place where you want to login has to trigger the authentication from their server on every login - and have to be certified for BankID.

- You then have to open the app, enter your fingerprint or 6-pin code before you can enter.

It's available for all state-run services including all banks and post offices.

Unfortunately the BankID has been scammed a lot, where fraudsters have simply asked people on the phone to sign BankID stuff for them. It is far from perfect and in fact the scam here would be possible to do with BankID as well.


Sure, I'd assume that social engineering will always work as long as a person has no way to validate who's on the other end.

That's the Mobile BankID, and it gets scammed a lot. The smart-card based BankID is the only acceptable choice IMO

How is that different, since social engineering works there too?

Not as easily. As I understand it, with Mobile BankID, the attacker goes to the bank web site and then asks the victim to authenticate with their BankID app.

With the real BankID, the computer accessing the bank web site needs access to the smart card. Exploitation is still possible of course, but the bar seems higher.

Understood, you can only login at the actual computer, not from anywhere. Should be mandatory for the elderly that are the most targeted victims.

>that's bound to a smartphone as a signature.

Big yikes, that's a no for me.

This is the same system I'm talking about. You can use your smartphone and a PIN, or you can get a hardware dongle. Same authentication API from the bank's POV.

OP (a big bank in Finland) is not offering a hardware dongle and I'm considering changing banks because of it.

I had one of those from a major UK bank nearly 15 years ago.

The EU has made 2FA mandatory for online banking as of September.
