- The caller spoofed the phone number of the bank. The bank was not in my contacts, so I did not notice. Someone else in the thread noted that they did have the bank's phone number stored, which upped the credibility of the call to them.
- The caller called me twice in rapid succession (First ignore the call from a number you do not know. Then they call back again immediately: "maybe this is urgent / important"). Another person in the thread, who fell for the scam, noted this same pattern.
- It is better if banks include a security warning / specific reason the code is sent with the password reset pins and similar credentials. My bank did not. Another Twitter user noted being subject to the scam, and just glancing over the warning copy. So it helps, but it is not perfect. Especially pre-coffee.
- My bank no longer allows me to reset my password without calling them (thanks bank).
When I read the thread now, it's obviously full of red flags. I was successfully manipulated, and whilst I'm certainly not as clever as all the people pointing out they would have caught this from sentence one, I believe I'm also not the lowest hanging fruit in terms of a target :-) Makes you wonder what this will look like when these scams evolve another couple of generations in terms of complexity ...
Amex got quite offended when I did this, and almost chastised me when I got through to an agent after making the outbound call myself. They argued that because they only asked for limited personal information (DOB) it was fine...
I would still do it again!
Eventually they did suggest I call the number on the back of my card, but I was annoyed by their lack of professionalism by this point (I mean, they are asking me to do stuff - giving out information to unknown callers - which they themselves always tell customers never to do!) I said I wasn't going to phone a general number and get stuck on hold for hours over an unknown issue - either give me some reference to get through quickly to the right person, tell me what the problem is now, or send me a letter. But they kept claiming that they couldn't send out letters in the post :-(
In the end, I finally received a letter by mail telling me that there were problems with my direct debit payments. So it was a genuine call but their inability to securely make these calls is frustrating.
The only way to ensure you’re calling amex is to call the number you know, otherwise the scammer will have you call another one.
"Hey, we need to talk about your account. Call our general enquiries number on our website, press 9 and enter 'XXXXXX' to be reconnected to me."
Edit: perhaps the extension would be per transaction, not per-agent, and when the customer calls the extension, the agent's system can automatically pull up the customer’s account. These extensions should expire, but given the length of some customer calls, and how often I’ve been disconnected from customer service lately, perhaps it should be on the order of hours, not minutes or seconds
Email is pennies per thousand.
Phone calls are cheap especially for nonconnected or robocalls (which would cost for a postal contact).
Postal mail costs $0.50 US in postage alone. The full-up cost of a mail campaign is often several dollars per mailed item, though in bulk, and with bulk rate, I believe it's closer to $0.40 (postage plus a few cents for paper and envelope).
That would cover many thousands of email contacts, possibly nearly as many phone/VOIP attempts.
And the systems required to successfully and accurately generate a postal response on request are also high.
Low-cost systems are high-fraud systems.
I was disappointed that no alert was sent through the banking app. That would be the most secure option but is explicitly disallowed in the notification settings.
They can include information in the letter they can't include on a phone call, as the mail service is performing the authentication.
My health insurer won't talk to me on the phone without me confirming identity, even if they called me, but they'll happily mail the info.
Never call the number off the letter, though.
I think eventually they got the point because now they have a secure online email system and just leave a message asking me to call back. They still leave a return phone number, but it's getting better.
The only time they do otherwise is on very specific instances where they provide the info, "did you just buy something at store XXX for approximately $YYY"
All banks and credit institutions should be required by law to do this.
In India, getting an SMS/Email confirming every card usage is a legal requirement imposed by the Reserve Bank of India. The same goes for card usage itself. All credit and debit card POS transactions need the card PIN to be approved. Likewise, all online transactions require MFA.
Apple Pay, for all my cards, gives me an immediate push notification, despite some cards not doing so for regular chip/swipe transactions. Really like that feature & also wish all cards did it for all transactions.
1: "We need you to verify some transactions. You will receive a text from <number> with the transaction details"
2: "Do you recognise these transactions? <date/store/amount x 3> Reply Y if yes, N if no"
Y -> "Thank you for verifying the transactions. If any transactions have been declined, you may need to repeat them"
N -> "Your card has been blocked and a new one ordered. Please contact us if you need any further advice"
Always use your mobile phone to make the call (although I'm sure it's only a matter of time before even that is compromised).
You just shouldn't consider any aspect of the phone network to provide authenticity or confidentiality.
They asked for my account number, name, and address for verification. When they got to the point that they sent me a code over SMS and wanted me to tell it to them over the phone, I stopped them and explained that this is also the exact set of steps required to reset my account and that I wouldn’t do it.
I went to a branch in person to unlock my account and the person helping me asked me to enter my password on their terminal so that they could “see the error message”.
I’m still not sure if some parts of this were a more advanced phishing scheme than I had thought was possible, even though it does just seem like a set of confusing practices by the bank.
I wanted to ask her why she would be doing that, but I was a bit more meek in my younger days.
1. You talk to a teller at a branch, and they bring up your account details. The teller sees you have a mortgage with the bank, but registered to a different branch.
2. They have some sort of incentive from the mortgage specialists at their own branch or management, to refer those accounts to their own mortgage team.
3. The mortgage department at the new branch calls me, and says I can do an early renewal at a lower rate, if I come in and see them.
Anyways, I did the early renewal at my original branch, as I had a connection to a manager at that location. Either way, I ended up shaving a good chunk of interest by renewing a year early.
An early renewal would be doing a renewal with the same bank at say the 2 year mark for a new term and interest rate. The bank allows the old contract to expire early, since they're getting the new one for an extended period, like another 3 years. These terms can vary, with 5 years being the most common, but can be shorter or longer and apply to both variable and fixed rate mortgages.
Note: I'm not an expert on this or how it compares to other regions.
As a borrower, there's a big risk with a balloon payment that you may not be able to find financing when it's due, so having a full term loan is very desirable.
Maybe there are other weird types of mortgages but they are usually not available for individuals I think.
(Obviously, initiating a call to a number provided by a potential scammer offers no protection. If someone is intercepting and redirecting your outgoing calls via the phone network, I'd say you probably have a bigger problem than a declined transaction.)
As for them initiating a phone call, it still does remain the best way to contact someone urgently, usually falling back to SMS and/or email when/if you don't answer (this was our SOP when I was in a fraud detection team years ago). We'd also usually tell them to call the number on the back of your card (because not everyone is able to look up the bank's website, shockingly, so this is the most universally applicable way to give people a number) but my usual spiel was "call us on the number on the back of your card or from our website".
There's also no real way for you to know that they're legit, but an interesting reassurance one bank I know uses is to provide your month and day of birth and ask you for the year (as just part of the verification process). The partial info probably helps some people but I still wouldn't go for it - too many people know my birthday.
And explain to them that we, as a society, need to come up with a way of authenticating inbound and outbound calls to ensure we are connected with who the other party claims to be, because when you do this it conditions society into responding, and that’s how phishing attacks occur.
Customer support could ask you to authenticate using the TAN already, the hurdle is that you would need to carry the reader at all times.
Unrelated to banks, I believe it could be possible to extend SS7 signalling to not just transmit the caller ID but also a crypto signature/public key which the phone then can verify - or your phone provider could. Think of something like HSTS with a global database, if there is no match for the phone number the provider patches the call through, but if there is an entry, all providers can check for the public key transmitted by the caller and refuse to patch the call if it's missing or faked.
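The signed-caller-ID idea in the comment above, as an added example that is not part of the thread: a toy version of the check a terminating provider could make before patching a call through. It is written in Go and models only what the comment describes (a registry keyed by phone number, a public-key signature carried with the call, pass-through for numbers that have no entry, refusal when the entry exists but the signature is missing or does not verify). The real standard in this space is STIR/SHAKEN (RFC 8224, 8225, 8226), which signs a token over the calling number, the called number and a timestamp; this example binds the same three fields so that a genuine attestation cannot be replayed against a different victim or at a later time. The numbers, key names, registry contents and the 30-second freshness window are all assumptions made for the example.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"encoding/binary"
	"errors"
	"fmt"
	"time"
)

// CallAttestation is what the originating carrier would attach to call setup:
// the asserted calling number, the called number, when it was issued, and a
// signature by the carrier that vouches for the calling number. Signature is
// nil when the caller sent no attestation at all.
type CallAttestation struct {
	From, To  string
	IssuedAt  time.Time
	Signature []byte
}

// Registry maps a number to the public key allowed to attest for it. As with
// HSTS, a number with no entry is not rejected; only registered numbers are
// protected. (Assumed structure; a real registry would be keyed by prefix and
// distributed between providers.)
type Registry map[string]ed25519.PublicKey

// NewCarrierKey creates an Ed25519 key pair for one attesting carrier.
func NewCarrierKey() (ed25519.PublicKey, ed25519.PrivateKey) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	return pub, priv
}

// canonical is the byte string that gets signed: calling number, called number
// and issue time. Binding To and IssuedAt is what stops a captured genuine
// attestation from being replayed against someone else later.
func canonical(from, to string, t time.Time) []byte {
	var ts [8]byte
	binary.BigEndian.PutUint64(ts[:], uint64(t.Unix()))
	return append([]byte(from+"\x00"+to+"\x00"), ts[:]...)
}

// Attest is what the originating carrier does when placing the call.
func Attest(priv ed25519.PrivateKey, from, to string, t time.Time) CallAttestation {
	return CallAttestation{From: from, To: to, IssuedAt: t,
		Signature: ed25519.Sign(priv, canonical(from, to, t))}
}

var (
	ErrNoAttestation = errors.New("number is registered but the call carries no attestation")
	ErrBadSignature  = errors.New("attestation does not verify under the key registered for this number")
	ErrStale         = errors.New("attestation is too old; possible replay")
)

const freshness = 30 * time.Second // assumed acceptance window

// ShouldConnect is the terminating provider's decision for an incoming call.
// A nil error means "patch the call through".
func (r Registry) ShouldConnect(a CallAttestation, now time.Time) error {
	pub, registered := r[a.From]
	if !registered {
		return nil // no entry: behaves exactly like today's network
	}
	if a.Signature == nil {
		return ErrNoAttestation
	}
	if now.Sub(a.IssuedAt) > freshness {
		return ErrStale
	}
	if !ed25519.Verify(pub, canonical(a.From, a.To, a.IssuedAt), a.Signature) {
		return ErrBadSignature
	}
	return nil
}

func main() {
	bankPub, bankPriv := NewCarrierKey() // the bank's carrier
	_, scamPriv := NewCarrierKey()       // a scammer with their own key
	reg := Registry{"+44 800 000 0000": bankPub} // assumed registry entry
	now := time.Now()
	victim := "+44 7700 900123"
	fmt.Println("genuine bank call:   ", reg.ShouldConnect(Attest(bankPriv, "+44 800 000 0000", victim, now), now))
	fmt.Println("spoofed, own key:    ", reg.ShouldConnect(Attest(scamPriv, "+44 800 000 0000", victim, now), now))
	fmt.Println("spoofed, no sig:     ", reg.ShouldConnect(CallAttestation{From: "+44 800 000 0000", To: victim, IssuedAt: now}, now))
	fmt.Println("unregistered number: ", reg.ShouldConnect(CallAttestation{From: "+1 555 0100", To: victim}, now))
}
```

The spoofing in the thread works because the network forwards whatever calling number the originator asserts; with a registry entry, asserting the bank's number without the bank's key yields ErrBadSignature or ErrNoAttestation and the call is never offered to the victim, while everyone not in the registry is unaffected.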
Correct. If someone calls me, the onus is on them to prove to me that they are who they say they are.
However, I usually just block ALL unscheduled phone calls, period. Not only do I not have time for unscheduled interruptions, but banks have secure websites and if they can't make proper use of them, too bad, they aren't going to reach me by trying to call me. They should know that phones are easy to phish with, and stop using phone calls to initiate communication.
Ideally what I want is an e-mail saying "we saw some suspicious transactions, please /log in/ to check that there is no fraudulent activity" or even a more general "please log in for an urgent message" with a suspend button in the online interface.
I think anyone building such systems (either via e-mail or SMS or whatever) should at least remember THIS.
Send something like this via SMS:
> The password reset code you requested via our website is 12345. We will never ask you for this code except when you requested a password reset.
1. What is requested
2. How was it requested
3. Is it safe to pass this to some other human being
Okay, 4. in better English ;) As opposed to:
> Your caller verification code is 12345, please read this code to your banking agent to verify your identity.
Also, ChipTAN is great: https://en.wikipedia.org/wiki/Transaction_authentication_num... If your bank would use this, it would require extraordinarily smart social engineering (or a really naive user).
For example, for online transactions, the SMS includes a warning to not share the code with anyone, while SMS codes for telephone banking tells you to share the number with the representative.
My bank uses a scanner to authorize pretty much all actions. It scans some sort of RGB QR code.
When scanned you'll see the IBAN you're sending the money to and the amount you're sending. I think that when the IBAN is in your contacts it shows the name instead of the IBAN.
But most importantly it shows a descriptive message of what action you're verifying.
I think the only actions that don't require the scanner are small transactions through their app and marking your card as broken/stolen in the app.
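Both the SMS wording discussed above (what was requested, how it was requested, and whether it is ever safe to hand the code to another person) and the scanner that shows the IBAN, the amount and a description before you confirm come down to one design rule: the code must be derived from, and only valid for, the exact action the customer asked for. The Go program below is an added example, not code from the thread or from any bank, showing that rule with an HMAC-derived one-time code: a code issued for a website password reset is rejected when presented as a transfer authorisation, a transfer code stops working if the IBAN is altered, and every code is single-use with an expiry. The purposes, message texts, secret and in-memory store are assumptions for illustration; real ChipTAN derives the code on the card's chip rather than server-side, but binds the same transaction details.

```go
package main

import (
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"encoding/binary"
	"encoding/hex"
	"errors"
	"fmt"
	"time"
)

// Purpose names the single action a code may authorise.
type Purpose string

const (
	PurposePasswordReset Purpose = "password-reset"
	PurposeTransfer      Purpose = "transfer"
)

// challenge is the server-side record of an outstanding code.
type challenge struct {
	purpose Purpose
	details string // transaction details the code is bound to, e.g. "iban=...;amount=..."
	expires time.Time
	used    bool
}

// Issuer derives codes from a secret plus the data they are bound to.
// The secret is assumed for the example; in production it lives in an HSM/KMS.
type Issuer struct {
	secret     []byte
	challenges map[string]*challenge
	now        func() time.Time
}

func NewIssuer(secret []byte, now func() time.Time) *Issuer {
	return &Issuer{secret: secret, challenges: map[string]*challenge{}, now: now}
}

// CodeFor derives a 6-digit code from the secret, the challenge ID, the purpose
// and the details. Change any of them and the code changes, so a code read out
// for one action cannot be reused for a different one.
func (is *Issuer) CodeFor(id string, p Purpose, details string) string {
	mac := hmac.New(sha256.New, is.secret)
	mac.Write([]byte(id + "\x00" + string(p) + "\x00" + details))
	sum := mac.Sum(nil)
	return fmt.Sprintf("%06d", binary.BigEndian.Uint32(sum[:4])%1000000)
}

// Issue records a challenge and returns its ID plus the SMS text the customer
// should receive: what the code is for, how it was requested, and whether it
// is ever safe to give to another human being.
func (is *Issuer) Issue(p Purpose, details, requestedVia string, ttl time.Duration) (id, sms string) {
	var raw [8]byte
	rand.Read(raw[:])
	id = hex.EncodeToString(raw[:])
	is.challenges[id] = &challenge{purpose: p, details: details, expires: is.now().Add(ttl)}
	code := is.CodeFor(id, p, details)
	switch p {
	case PurposePasswordReset:
		sms = fmt.Sprintf("%s is the code for the password reset you requested via %s. Nobody at the bank will ever ask you for this code, not even on the phone.", code, requestedVia)
	case PurposeTransfer:
		sms = fmt.Sprintf("%s authorises ONLY this payment: %s, requested via %s. Do not read this code to anyone.", code, details, requestedVia)
	}
	return id, sms
}

var (
	ErrUnknown  = errors.New("unknown, used or expired challenge")
	ErrMismatch = errors.New("code is not valid for this purpose and these details")
)

// Verify consumes a code. It succeeds only for the purpose and details the
// challenge was issued for, only once, and only before expiry.
func (is *Issuer) Verify(id string, p Purpose, details, code string) error {
	c, ok := is.challenges[id]
	if !ok || c.used || is.now().After(c.expires) {
		return ErrUnknown
	}
	// Recompute the code for what the caller is trying to do *now*: a
	// password-reset code presented as a transfer code simply does not match.
	if c.purpose != p || c.details != details ||
		!hmac.Equal([]byte(code), []byte(is.CodeFor(id, p, details))) {
		return ErrMismatch
	}
	c.used = true
	return nil
}

func main() {
	is := NewIssuer([]byte("demo-secret-not-for-production"), time.Now)
	id, sms := is.Issue(PurposePasswordReset, "", "our website", 5*time.Minute)
	fmt.Println("SMS:", sms)
	code := is.CodeFor(id, PurposePasswordReset, "")
	fmt.Println("presented as transfer code:", is.Verify(id, PurposeTransfer, "iban=DE00;amount=1250.00", code))
	fmt.Println("used for the reset:        ", is.Verify(id, PurposePasswordReset, "", code))
	fmt.Println("used a second time:        ", is.Verify(id, PurposePasswordReset, "", code))
}
```

The phone scam in the thread relied on a code that was valid for whatever the agent on the other end wanted to do with it; here the scammer who talks a customer into reading out a reset code holds something that cannot authorise a payment, and the message itself tells the customer there is no legitimate reason to read it out.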
I think this is a social skills moment. For those that claim it's "easy" to spot: This is not the right time for people to brag about how they would have totally spotted it. This is mostly for protecting people who (as most people in this world) don't have time to build up a solid understanding of all aspects of internet security. If you don't care about these people, as some sort of Darwinian schadenfreude, stfu. If you do, focus on their perspective, not your brilliant detective skills.
Personally, I don’t even answer the phone anymore unless the number is one of my contacts. Looking at the last 30 days of call history, a good 95% of my incoming calls were spammers who didn’t leave a message or spammers who did.
The last time a legitimate number called me I didn’t recognize was probably a year ago. It was my daughter’s school. They left a message and I called them back immediately. That’s probably the safest way of dealing with the security trash fire called the phone system.
But, the responses on Twitter weren't "never talk", they were "I'd know it was a scam as soon as..." (implying they'd allow the call to get that far).
Here is a summary of what customers and phishers have to face since September:
In fact, because it makes checking recent transactions that much less convenient, it probably made me less safe because I do it much less often.
U2F is a useful method, but it's not common at all (even in IT most companies don't provide it, not even the website we're on right now, nor PayPal), and it's not understandable how this isn't "proper 2FA".
In addition, the directive requiring the purpose of the code to be fixed and shown aside it, either in the app generating it, or in the push notification, is a very useful security aspect which most other 2FA solutions miss — even U2F can't differentiate between a login and a transaction authorization.
Other solutions are either or. There is a benefit to confirming particular actions (with the info about the action) in the app but it's unnecessarily inconvenient for mere login.
U2F isn't widely supported but I managed to secure virtually my entire high-value Internet presence with it. Google, OVH, Coinbase, and Stripe all support it. Let's be honest, for HN I wouldn't bother with any second factor. I have the password saved in the browser and that's more than enough.
So an attacker would need to alter the image (simple) and cause a collision (hopefully difficult) or somehow abuse an error in the reader firmware.
It seems there is now a QR variant of that (which increases the attack surface since now it has to understand a more complex data format).
If my bank would have had me install an App or use SMS 2FA I would have kindly asked them to .... off (or, if they think their "2FA" is safe, just connect their mobile phones to this totally unsuspicious looking USB device).
ChipTAN on wikipedia:
One thing that I've frequently heard is that in any type of fraud call you should always hang up right at the beginning and call the bank back.
Seems like no matter how sophisticated the attackers, this defense will always foil anything along the same lines of what happened to you. The only way I can see this countermeasure failing is if the scammers can somehow manage to intercept inbound calls to the bank's customer service number.
Paypal really stands out on this one. They are regularly sending me emails with a link to their login page to view my recent transactions (regardless of whether or not there are any transactions). This is clearly negligent.
They're real. They're really real paypal e-mails. Wow.
All messages contain the following "clarification":
"How do I know this is not a Spoof email?
Spoof or 'phishing' emails tend to have generic greetings such as "Dear PayPal member". Emails from PayPal will always contain your full name."
So unless the bad guys can get their hands on a database full of names and email addresses, we're safe. And Paypal can honestly claim that "the security of our customers is very important to us!".
Calling via a landline or via an operator assisted call would make such tricks much more difficult.
Some great papers on Diameter and telco security here: https://www.bell-labs.com/usr/silke.holtmanns
But almost everybody today has a digital phone, any kind of mobile telephone or desk VoIP phone is digital, "hanging up" ends the call because the telephone itself decided to do that, everything is just packets. So this trick won't be effective against most people today.
Likewise "dialling" today is an out-of-band digital step rather than a bunch of pulses or tones sent in-band that an attacker can just ignore.
I experienced this once, but not as a scam, I think there must have been some kind of fault at the exchange... the other end was a mobile phone and they didn't end the call, just putting the phone back in their pocket - the landline wouldn't disconnect, whatever signal was sent, even disconnecting the phone entirely and plugging it back in. I didn't understand how exactly, but it made it pretty clear the (landline) telephone is not in control of the connection.
Sometimes the one calling you already suggests you do this just to verify. I noticed this especially with banks and police.
I'm seriously surprised there are banks that send SMS codes without a reason for the code. All banks I deal with always send the reason for the code. For example: "This is a new payee addition authorisation code. Last 4 digits of the payee's account number are XXXX, the code is: XXXXXX" or "This is a transaction authorisation code for the amount of $XX.XX, to an account ending digits XXXX. The number is XXXXXXX."
I would seriously reconsider giving your business to a bank that doesn't do that.
Interestingly there was an EU regulation passed recently that sets certain standards requiring 2FA for certain operations performed by bank customers. Having set up the 2FA auth app on an elderly relative's android phone and having to set up a pin to unlock a device as this is one of the 2FA app requirements and then spending 2 hours explaining how to unlock the phone, how to use it with a tablet to log in, how to authorise payments etc I have mixed feelings. On one side, it is a pretty secure system that will lower the number of victims of fraud. On the other hand it is a massive inconvenience for elderly people. I like the SMS verification system if done right. I think 2FA is a bit of an overkill.
You can make 2FA really easy if you want to, now that the EU requires 2FA there will probably be more banks with reasonable solutions.
Think about the useful information for an attacker in messages like that: Recent transaction details can help an attacker auth on a call, account numbers can do the same. And large transactions are catnip, alerting attackers to worthwhile victims.
We as a society need some form of standardized ISO 9001-level protocol where ALL companies handle security the same way. They all ask the same questions, they don't allow first-tier support access to passwords or changing password, only specialized tier-2 support has this power, etc.
If all companies like banks, Amazon, Facebook, etc standardize their procedures in a way that leaks no information, or engage customers in a way that leaks no information, then it will make it harder to phish people because phisher will be forced to ask weird questions that customers will detect as weird.
The problem right now is that some companies ask for last 4 digits of SSN, last 4 digits of credit card, some ask for email address, etc, etc. A phisher can put all those together so if you reduce the attack surface it makes it very very hard.
Unfortunately, some banks do this. (I'm looking at you, U.S. Bank.)
It's like someone calling me and then asking me who they're speaking to. Really? You called me! (Assuming they're not returning a missed call, of course.)
If (someone claiming to be) a bank calls/texts you, (and it's not immediately after a declined transaction) you always hang up and call the number you already have for the bank.
Even if it is after a declined transaction, you still don't provide any info. If they ask if you attempted a $101.89 purchase at "big box store," you should simply respond yes/no, and provide no other info.
If you didn't attempt that transaction, they especially don't need to confirm any other info.
Or do you suspect that there's been another, undisclosed breach that the scammer used to get your name and phone number? I suppose it's plausible but it seems like it wouldn't be too difficult to get that info.
So how are they going to verify it’s you who is calling them?
"Can you give a reference number (they will have a case number), and tell me where I can find your department's number on your website please. [Edit] I will call you back."
I've never had a bank or other financial institution have a problem with this approach. I don't give myself the opportunity to be fooled, because all of us can be fooled, it's how I respond to every single call from a business.
Would love to see a citation for this.
Fraud tends to be illegal. That’s as far as I’m willing to believe your “of course”.
I do not believe most countries have laws regarding caller ID spoofing.
I know that in my country IMEI spoofing is (Bizarrely!) sort-of prohibited as forgery (as in IDs, documents or “anything of evidential/testimonial(?) value”), but can’t find anything regarding phone numbers.
I know that in the US it’s only illegal to spoof your number for fraudulent purposes.
Seems like you’re getting bogged down in semantics sir
If this is intended to defend your original claim, you’re being utterly ridiculous. You made a specific claim about caller id spoofing, not fraud.
For example, If you’re spoofing a random number for telemarketing calls that’s just not fraud.
It absolutely is, and in most civilised countries is illegal.
Like, I can totally believe that in the USA where any old lunatic can own an automatic weapon and nobody gets concerned until he shoots up a school that's the case, yeah
There’s probably some constitutional argument that you can spoof your number based on something ridiculous like free speech
I feel like we’re moving goalposts here and “civilised countries” will sooner than later become “English-speaking countries”, in which case I’m totally willing to concede that you’re probably right.
Very few countries have found it necessary to prohibit CID spoofing.
More semantics. Yawn. Save it for debate club.
This is technically spoofing caller ID, but is clearly not fraud.
This also gets past some Do Not Disturb modes.
Original (Portuguese): https://threadreaderapp.com/thread/1179903474244444160.html
Same approach, they also pretended to be from the bank calling about an irregular transaction. In this scam, it seems they hijacked her home phone line. She tried to call from her cell phone, then they called back to her home phone and said all communication should be from it, to ensure she was at a different location.
Phone number spoofing has to stop. There is no excuse anymore.
I think it's so easy to spot scams because 99% of them are so shit, poor spelling, talking nonsense.
If scammers simply spell checked their scams I would fall for them all.
The recipient may believe they had starred the number because of this, making them more likely to pick up the call.
How did they gain access from "password reset flow"?
How could they tell your last transactions?
"I was just subjected to the most credible phishing attempt I’ve experienced"
Everyone has been subjected to the most credible phishing attempt they've experienced. Need to find another qualifier ;)
A scam phone call seems like a clumsy way of doing it. It also risks alerting the victim to what's going on.
It surprises me that it is legal to conduct banking operations to the general public in this way. In many countries (including all of EU since SCA) that is not the case.
They then don't hang up, but play a dialling tone down the line until you dial the number. At which time they 'answer'. This only works on home phones, not mobile, but is worth considering, and warning your family/friends about.
This is also impossible to pull off on cellphone lines. (There are other attacks but these require access to your BTS.)
Read more about steps taken to prevent this here: https://www.mirror.co.uk/news/technology-science/technology/...
The scammer, when they hear you hang up, plays a dial tone down the line, so when you pick up the receiver, you have the impression that the line is clean.
You start to dial, they stop the 'dial tone', play a fake calling tone, and then 'answer' the call.
This would be incredibly malicious and difficult to detect even for the most skeptical of users.
GSM and VoIP also do not allow this behavior without engaging call waiting on subscriber side.
This only happens with old fully analog connections. Not sure which country or public operator still has this kind of PSTN.
For the difference, peruse ITU-T G.175 and Q.522 standards. SE (switching element) will disconnect the routing on your side.
It took me a while to find the actual standard number.
In 2014 they reduced the timeout to 10 seconds to make this fraud harder to pull off.
It's such an old story that you'd have thought there would be an explanation online by now of exactly which telephone exchanges had this problem and when those telephone exchanges were in use.
For what it's worth, it didn't work when I tried it, probably in the 1980s. Perhaps it worked in the 1970s in some places?
I can't test as I've not had a voice capable land-line for some time. It may not work on newer exchange equipment. It won't work if you have a service whereby calls are directed over a digital connection. It has never worked for mobile phone services. It doesn't work on some (most? all?) office PBX arrangements, either.
As well as allowing this sort of scam to operate, the "feature" can also be used as a DoS attack, blocking calls to and from a line for a time.
1. Users do not expect the call to drop if for some reason the connection to the recipient momentarily is interrupted - there doesn't seem to be any obvious reason it should be right? Remember users don't understand how any of this actually works.
2. But, when they hang up, which to you as the exchange looks essentially the same as the connection being interrupted, they expected the call to end.
As an extreme example of (1) suppose you have a rotary telephone and idly while talking on a call you put a finger in the dial and dial a '4'. What do you expect to happen? Nothing right? Maybe it makes some click noises, and you apologise to the person at the other end. But those click noises are the same - for a fraction of a second - as hanging up. So if we just naively code the system to drop calls whenever it thinks anybody has hung up, the call drops. You can bet customers will not be happy.
So the providers would pick a plausible delay. OK, let's say after two minutes with the call recipient showing as closed we'll give up and end the call, the caller can always just call back if that's a mistake anyway.
Well this fraud comes into the picture, adding a third consideration to the balancing act. Most UK providers would go in and choose a new smaller timeout. One second seems to cause false positives. How about five seconds?
So there's going to have been a window, and it will vary depending on where you live. System X was definitely not everywhere in the 1980s. It will also depend how you tested. If you tried waiting 5 minutes and the timer was set for 30 seconds then your test seems fine, but a victim who hangs up, counts to five and then tries their bank will get stung.
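The timing trade-off described in the comment above, as an added example that is not from the thread: a small Go model of one terminating exchange with a configurable clear timeout. It replays the scenario of a victim who hangs up on the scammer, waits five seconds, lifts the receiver and dials the bank, against the two-minute, thirty-second and short timeouts mentioned above, and also the pulse-dial glitch from the earlier step (a fraction of a second on-hook while the call is up). The exchange behaviour is idealised (a single on-hook timer, no line-reversal or other supervisory signalling) and every duration is an assumption chosen for illustration.

```go
package main

import (
	"fmt"
	"time"
)

// Event is something the called party's handset does, at an offset from the
// moment the scammer's call was answered.
type Event struct {
	At   time.Duration
	Kind string // "onhook" (hang up), "offhook" (lift receiver), "dial"
}

// Exchange models one terminating switch: a called party who stays on-hook
// for at least ClearTimeout causes the call to be cleared down.
type Exchange struct{ ClearTimeout time.Duration }

const (
	ReachedScammer = "dialled while the scammer's call was still up: scammer answers"
	ReachedBank    = "call had been cleared: new call goes to the dialled number"
	Dropped        = "call cleared by the exchange before any redial"
	StillUp        = "call still up"
)

// Outcome replays the events through the switch and reports what happens to
// the victim's dial attempt (or to the call, if nobody dials).
func (ex Exchange) Outcome(events []Event) string {
	callUp := true
	onHookSince := time.Duration(-1) // -1: receiver is off-hook
	for _, e := range events {
		// If the clear timer ran out before this event, the call is gone.
		if callUp && onHookSince >= 0 && e.At-onHookSince >= ex.ClearTimeout {
			callUp = false
		}
		switch e.Kind {
		case "onhook":
			if onHookSince < 0 {
				onHookSince = e.At
			}
		case "offhook":
			onHookSince = -1 // the switch sees the party back; timer cancelled
		case "dial":
			if callUp {
				return ReachedScammer // the "dial tone" was the scammer's recording
			}
			return ReachedBank
		}
	}
	if !callUp {
		return Dropped
	}
	return StillUp
}

// VictimRedial is the scam scenario: hang up, wait `pause`, lift the receiver,
// hear (real or fake) dial tone, dial the bank five seconds later.
func VictimRedial(pause time.Duration) []Event {
	return []Event{{0, "onhook"}, {pause, "offhook"}, {pause + 5*time.Second, "dial"}}
}

// PulseGlitch is the false-positive case from the thread: a rotary dial pulse
// (or a knocked hook switch) puts the line on-hook for 60 ms mid-call.
func PulseGlitch() []Event {
	return []Event{{0, "onhook"}, {60 * time.Millisecond, "offhook"}}
}

func main() {
	victim := VictimRedial(5 * time.Second)
	for _, to := range []time.Duration{2 * time.Minute, 30 * time.Second, 10 * time.Second, 2 * time.Second} {
		fmt.Printf("timeout %-5v victim redials after 5s: %s\n", to, Exchange{to}.Outcome(victim))
	}
	for _, to := range []time.Duration{2 * time.Second, 50 * time.Millisecond} {
		fmt.Printf("timeout %-5v 60ms pulse glitch:         %s\n", to, Exchange{to}.Outcome(PulseGlitch()))
	}
}
```

A timeout of two seconds protects the victim who counts to five before redialling and still tolerates a 60 ms glitch; a timeout short enough to be safe for someone who redials in under a second would also drop calls on the glitch, which is the balancing act the comment describes.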
I even remember a thread here on HN where one three-letter agency authenticated themselves to a user with this method, calling his number and saying, this is the FBI/NSA/etc but for you to be sure, please hang up, look up the website for the public number, call, and ask to be put through to $Agent from $Department.
That's what I do. When someone calls me and then proceeds to ask me security question to allegedly assert my identity I reply "well, you called me so how do you prove to me who you are first?"
I usually get a "err..." but on one occasion the guy was rather rude and hung up.
The worst thing is that most of the time these calls are genuine. This means that my bank does think it's fine to do that.
The fact that they had an immediate answer to the question obviously means that they were asked this question all the time. I wonder how many people happily handed over the info?
It seems that they now just play a recorded message asking to call, and then automatically hang up.
Me: Here is what happened to me, I'd like to file a police report.
Police: Well, with these internet scams, the fraudster is usually in another country, meaning we can't really do anything about it.
Me: They used perfect German, used information that I only ever provided into a non-public database of a German-based business that must have had a breach of some sort. The fraudster also used pictures of apartments in Germany that must have been taken here.
Police: Well, still. The person actually doing all of that could have been doing all of that from another country. Usually Russia or China or something.
Me [thinking to myself]: Yeah, Russia, or China, or some country where law enforcement generally presumes, even against all evidence, that any and all cybercrime is happening outside their jurisdiction and therefore not doing any law enforcement at all when it comes to cybercrime. Like what is happening right here right now.
Me: Well, I realize that nobody is going to start an investigation into this specific thing that happened here, but still: Isn't anyone at least compiling a database so that, once patterns become bigger and more apparent, an investigation of sorts may become warranted, etc?
Police: Nope. Nobody doing that. You can file a report. But I can tell you right now that nobody is going to look at it or do anything with it. Also, we kind of have more important things to do, here at the station. I mean: It's your choice. I can't stop you. Just telling you how it is.
Me: Okay, thank you, goodbye.
It's not a prevalent issue -> We won't do anything -> You filing a report will be just a waste of time -> Statistics show it's not a prevalent issue
Me: are you confirming that if I start a scam you will not investigate it?
Me: Ok , then thanks a lot, I know now.
Police: umm, wait maybe..
The Bavarian police (this was in Bavaria) even has a "center for cybercrime" which, according to press releases and stuff, sounds like precisely the office that should take note of things like that. But they don't have any public-facing communication channels of any kind, and I'm unclear whether they actually do stuff or whether they exist purely on paper as a public relations and politics stunt.
Maybe if I was politically connected or willing to spend a pile of dough to put a lawyer on it, things would be different, but this was just one man trying to do his civic duty and there's only so much trouble that I'm willing to go to for that.
EDIT: After doing some more research, it looks like, meanwhile, they do. This was just announced two months ago, so it seems to be a new development.
Sometimes cops are just lazy (or assholes). When thieves tried to steal the rain gutter from the apartment building on the other side of the road, the cops told me "don't expect us to rush in with sirens and screeching tyres", even after I told them the thieves were still there, in broad daylight.
Later my landlords told me they lost 50k Euros in the previous year because of stolen rain gutters.
My parents have taken their precautions against phishing to extreme levels. They don't speak into the phone when unknown numbers call. At all. If they choose to answer, they wait for someone on the other end to talk and then decide whether to speak or hang up. They have heard horror stories of people getting their voices recorded and replayed into automated systems, so if someone calls and asks, "Hi, Is this <name>?", they avoid even saying "Yes", and instead ask who is calling. It may be paranoia, but as the saying goes... just because you are paranoid doesn't mean that they are not out to get you.
I guess one thing that could have mitigated this quicker is if the text from the bank had said "Here is the code you requested to reset your online password" instead of a generic "Your authorisation code is..."
It's a very clever scam, but it's also a very insecure bank if this is enough to authorise payment. Get a different bank that uses 2FA, makes it clear what an authorisation code is for, and doesn't call you for this kind of sensitive information.
If they really do need to reach you quickly to stop a fraudulent transaction, a simple "that's not mine" should suffice. They know they're talking to you because they're the ones calling you. If the person making that payment has also stolen your phone (entirely possible) they will not deny they made that transaction, because they want that transaction to stand. That means only confirming it's your transaction in this situation is suspicious, not denying it.
Still, it means they had to spend some time to prepare for this specific person.
Aside - here in Europe, the account numbers including bank code is pretty much public information. Something like e-mail address. After all, you can only send something in there. To withdraw, you need login credentials.
Unfortunately, that's no longer true; with the SEPA Direct Debit system, money can be taken from an account with just the person's name, address, IBAN and BIC (the info required to fill a "SDD mandate"). I think there are some verifications you need to pass to be able to create direct debits, but it still seems like a move in the wrong direction, in my opinion.
I hope it's not possible anymore. At least my current bank lets you authorize direct debit in internet banking app. Anything you do in person requires either logging-in to the internet banking account at the branch or presenting an ID.
As far as I know, to set up a periodic SEPA transfer - at least here in SVK(EU) - you need to do it in person (although more and more banks are starting to allow this through their web/phone app).
E.g. issuing a SEPA for my monthly ISP subscription, I put into the system that 1) from this account 2) this amount of money 3) to this exact account 4) with these additional details/comments/etc...
And if it fails for whatever reason - in my case mostly because once in a while the amount that should be withdrawn for that month is more than the pre-set money:
- the payment gets withheld at my bank / simply fails;
- the other side contacts me via phone/mail/... that there was a failure (which I can check on my bank account, so "kinda-phishing-safe");
The other side is still able to withdraw only that specific amount once in a period (most likely a month), and if anything is amiss, the payment simply fails.
My Gmail account has 2FA. The token is only used for login. If anyone asks me for it over the phone, there's only one reason.
Banks use 2FA sometimes at login, sometimes over the phone, and sometimes to authorize transactions. That should be made transparent in the message, but it usually isn't.
Imagine: "Your temporary pin for identity verification is 373123, and expires in 5 minutes."
"Your temporary pin to authorize a transfer for an amount ending in $xxx4.23 is 522185 and expires in 5 minutes."
I'm always amazed at how stupid the security situation is in these cases. Banks, telecoms services, etc. do actually call up and try to 'take me through security', and when I say "tell me something you know about me first so I know you're who you say you are", the best they can usually manage is "well, uh, you bank with [Bank]". It just perfectly trains us to fall for scams.
Now, it should be supported, but I don't want the folks on the front lines guessing (or figuring out on their own) what sorts of mathematical games are safe. Erring on the side of caution is the right approach for CSRs.
So given banks have nothing to lose by scams, I suppose that explains why they just don't care about the fact they're training users to ignore them. The bank just does whatever's easiest for it, which in this case is just to call the customer.
On UK landlines the call is not terminated until the person who made the call hangs up. That is to say if I call you, you answered and then hung up, then waited a minute and picked up the phone again, I'd still be there and the connection still made.
Scammers phoned people, told them there is an account issue and to phone the number on the reverse of their credit or debit card. The scammers keep the line open and play a recording of a dial tone to the target phoning back and then go through garnering all the details needed to rinse the accounts.
I believe in response UK phone networks are implementing time limits on one-sided terminations.
I always thought the expectation of interrupting whatever you're doing at a few seconds notice was incredibly rude anyway, even more so now we have so many other ways of communicating.
Phones seem just as dangerous these days. I don't answer them at all. Anyone who really needs to get in touch knows multiple services that will get through to me.
I tried to call the number back from my phone (it was seemingly a regular local phone number in the LA area and I love fucking with scammers) and an automated response told me that “no Rover account could be found for my number, please visit Rover.com/help for more” which I thought was very sophisticated of them to really try and prove authenticity.
So then we called it back, from her phone, and it connected right away. The person on the other end said, “Ashley?” and I responded (in my non-female voice, not that there aren’t many men named Ashley) “yes, hello, how are you?” - they hung up immediately.
Ultimately my wife called Rover via their 1-800 number and it was indeed a scam. People try to ascertain your login creds to redirect funds. Basic stuff... but I was impressed at whatever basic twilio system was built to try and mask the scamminess with that automated message.
Couple days later two FBI agents show up in my driveway asking why I didn't respond to their voicemail..
1. Phishers call someone and pretend to be from their bank. If they've guessed the right bank and the person gives away their details, they win!
2. If they don't, and question the phishers' authenticity, the scammers say "sure, just call us on the number on the back of your card".
3. The cardholder hangs up, and then dials the number for their bank, which they know and trust, because they've called it before or it's come from their card.
4. They get connected to a service representative, answer security questions, confirm that the transactions are valid, and then can relax.
5. A few days later, they get a call from their bank saying there's a whole lot of fraud on the account.
The trick to this one is that the phishers (a) call the cardholder on a landline and (b) when the cardholder thinks they've hung up, they haven't - the phishers just play a hook tone and then a dial tone.
In Australia at least (not sure about elsewhere?) if you call a landline number, the caller must end the call, or at least it used to be that way (I haven't owned a landline phone for a _long_ time). There's probably also a significant skew towards the elderly in landline owners, and in susceptibility to scam calls.
The banks here in the Netherland all have (well, except for one maybe) hardware authentication devices. They are portable smartcard readers, you insert your card, enter your PIN on the device itself (not your computer or phone) and transfer a digest from your PC to the reader by typing or scanning a QR code (some readers have a little camera). You then type the signature into your computer or phone.
The readers for my bank even have a screen, that tells you what you are signing, like a login, or transfer of which amount to which bank account. Photo here.
The banks are very clear that they will never ask you to use the device over the phone. And that double confirmation by showing the sign action on the screen of the reader makes any form of phishing really hard.
IMO these smart card readers are the best compromise between convenience and security for banking.
> The readers for my bank even have a screen, that tells you what you are signing, like a login, or transfer of which amount to which bank account.
That's information that could and should also be included in the SMS. The OP's bank did not do this, which is a huge fail on their part.
My phone requires a password (which I can set to be arbitrarily secure, not a 4-digit PIN (LOL)) or a fingerprint (which is something no one can steal, unlike a credit card... or at least I'd notice it's missing much sooner!)
> My phone requires a password (which I can set to be arbitrarily secure, not a 4-digit PIN (LOL)) or a fingerprint (which is something no one can steal, unlike a credit card... or at least I'd notice it's missing much sooner!)
Anyone can steal your fingerprint, and you can't reset your fingerprint like you can with a password or PIN.
A smartcard will self-destruct (wipe the key material) after a number of unsuccessful PIN entries, so the chance of someone successfully guessing the PIN is ~1:3333 for a 4 digit PIN with 3 attempts.
This is good enough for banks to offer fraud insurance, in the off-chance that your card gets cracked your bank will reimburse the damage.
> optionally entering your PIN which you share with every POS terminal / shop) and get a password.
Yes, but that would still require physical access to your card. So they'll need to have both your card and your PIN. At that point you'll need to have your card/account blocked ASAP anyway. Your bank will supply you with a new card and PIN, which is a way better solution compared to cutting off your fingers and attaching new ones ;-)
You seem to imagine that your phone, on which you run most likely not only a wild variety of apps from potentially untrustworthy sources, but also a web browser, which is a huge attack surface facing the Internet, is more secure than a simple smart card and that doesn't make a whole lot of sense.
In both cases the main real world security is that bad guys will probably need to _steal them_ which is difficult and a completely different skillset from the skills to make phishing emails or lie on the phone. But the phone is a bit worse here because maybe they can attack that remotely via, as I mentioned, your web browser, instant messaging stack or other components of a very complicated device.
Here in Scandinavia, we've had hardware tokens (or phone apps) to offer 2FA for ages. And you need a new token for every transaction, in addition to the password for logging in. When you reset your password, you get an email and an SMS saying that your password was reset.
Last time I needed a new token issuer dongle, I had to actually visit the bank and sign stuff.
My UK bank had a hardware token for years. They recently "upgraded" my security for online banking, and now use SMS 2FA codes for login and authorising new transfers. The hardware token is now unusable.
I'd change banks, but I doubt the others are better.
Of course, I expect that eventually they'll move to SMS too since it's easier for them and more in line with the rest of the industry.
Some Polish banks definitely allow using SMS as a second-factor.
(And some even let you use a permanent cookie for that. :-O)
Seriously, switch bank.
I did wonder if it was some unintended consequence of the EU banking interop changes, but that didn't seem especially convincing. OK, changing bank it is then. At least it's so much easier than it used to be. :)
That's fine for sending £100 to an account already in your list of payees, but to set up a new account, where's the second factor in an app? That, to me, seems a large step backwards.
2FA is usually fake anyways, there's usually a way to reset stuff with only one factor (e.g. use phone number to reset password, or login with password and change phone number, ... same with PIN), so it's all a misnomer anyways.
I'm glad UK banks try to avoid physical dongles because having to go to the bank and sign stuff to get one is not always convenient, not to mention you need to carry around the dongle everywhere, and if you lose it while you're in vacation it's yet more troubles.
Phone 2FA would be good but a bit pointless because the 2FA app is on the phone, and so is the banking app. Personally I'm satisfied with the way UK banks handle security - it's secure, they block suspicious transactions, etc. yet it doesn't get too much in your way.
I don't think UK banks are less competent, it's just a fine balance between usability and security.
This is exactly like having a physical token with you. If it gets stolen, they have the tokens.
But, at least, having the token in the phone app is way more convenient for customers and also has another layer of protection (think of the fingerprint/passcode etc. you need to access your phone).
You need my phone unlocked and my six digit pin in order to identify as me.
There are still possible social engineering attacks, though.
My bank's hardware token also needs a PIN before it generates a one-time code.
Some bank tokens just give you the code when you press a button, though. Those, you have to worry if stolen.
Can't you just lock the stolen phone?
Meanwhile, banking security in the US is stuck in the Stone Age. Last I checked Wells Fargo, one of the largest US banks, still does not allow passwords greater than 14 characters in length and passwords are not case sensitive.
The worst offender is ING: you can set a payment limit in the app, but then you can also change the payment limit in the app itself. If I take a nap on the train, you can drain my bank account by pressing my thumb on the reader.
The process is user-friendly while keeping security high:
- The place where you want to login has to trigger the authentication from their server on every login - and have to be certified for BankID.
- You then have to open the app and enter your fingerprint or 6-digit PIN code before you can enter.
It's available for all state-run services including all banks and post offices.
With the real BankID, the computer accessing the bank web site needs access to the smart card. Exploitation is still possible of course, but the bar seems higher.
Big yikes, that's a no for me.