
A while ago my wife applied for a home equity loan. At some point I got a call from someone claiming to be from the bank she had applied through (I forget which one), calling to make sure I approved the loan since the home is in both our names. He asked for my name, which I gave him, and then the last four digits of my social security number, which I also gave him. He then proceeded to ask for my full social security number, at which point alarms started going off in my head and I started sweating about even giving the last four digits to a stranger who had called me out of the blue. I told him I wouldn't do that, and was there a number on the bank's website I could call in order to get back to him, in order to verify that he actually worked for the bank. The guy started acting really annoyed, and said he didn't think there was any number on the bank's website that could reach him, and that if I didn't give him my full social security number he would be forced to reject the loan application. I told him I didn't feel comfortable giving that information to someone who had phoned me, and if there was no way for me to call him back through an official bank phone number then the call was over. He hung up angrily.

Turns out he actually was from the bank and he did cancel the loan application.




A bank called me to ask me security questions. I said that I would call back using the number on the bank's website. They said (and the bank confirmed when I did call the number) that there is no way to be transferred to the security question people when I call the bank - the only way is for them to call me. I explained that that was poor security practice. They said that I should just look at the caller ID to see that it was the bank calling. It was useless trying to tell them about caller ID spoofing.


It’s a real mystery why, as soon as I heard about a bank founded by people who sounded like they had heard about the internet (Monzo, in the UK), I switched away from my venerable bank (NatWest) that, at the time still had security practices unsuited for the 18th century.

Appropriately enough, the last thing they did was to insist —demand, really— that, in 2018, I fax them my demand. It just so happens that this could have been relatively safe because, after asking everyone I knew for a week (including some venerable hackers), the only way that I found to send a fax was to ask the local branch of the same bank.

Asking them to authorize the transfer wasn’t possible (by showing them all relevant documentation). Asking them to let me send a fax, using their machine, to a sister branch to tell them to authorize a transfer without anyone verifying my ID, was fine.


One of my favourite things about Monzo is they have a little thing in the app that tells you if they are currently on the phone with you to verify against anyone claiming to be them.


And then if your identifiers somehow get in the hands of bad actors and the bank gets fooled by them to open a bank account in your name, you are the one on the hook. It's utter insanity!


PSA: If you are of a certain age, the last four digits might be roughly all of the useful entropy in your SSN. Be careful with them. Before 2011, the first three digits indicated the office that issued the number and the middle two (the "group number") were used in a publicly-known sequence. The Social Security Administration helpfully published periodic lists of the highest group number reached by each office. This makes it extremely easy to predict the first five numbers for people who were registered at birth, which became quite common in 1986 when tax laws changed to require children's SSNs to claim the associated tax credit.


Tangentially related - wouldn't that mean that if you are an immigrant, then you are at least theoretically somewhat safe from that enumeration type of an attack?

Because if I got my SSN in my late teens, then my date of birth shouldn't mean much at all to anyone trying to use that method you describe, right?


Your date and place of birth would not be helpful, but an analogous attack may be possible. The key factors are when and where you applied and that the SSN was issued before June 25, 2011.


This is just an extremely incompetent and rude loan officer. Generally the loan officers are motivated to close the deal and write you a check because they get commission from that. They are nice to their customers because pissing off customers won't get them that sweet commission. The loan officer I last talked to managed to close more than $1B of mortgages in a year and he's the nicest guy on the phone. In your case, they could for example let you email them using their official bank email address, or use the bank's own web app or messaging system.


Wait what? 1B in mortgages per year, even at a nice fat 500k per is what 2,000 closures or something like 10 per day every day.

It’s not impossible but, wow, that’s grinding it out day after day.


I think it highlights why this jerk was rude and short about it. They want to avoid high maintenance customers because it impacts their short term metrics of how many they can churn out and directly affects their compensation. There are presumably zero repercussions for them personally - the worst case maybe is some long term reputational damage for the bank.


This is in the Bay Area so more like 1M each. But still I was also very impressed.


Similar story, I transferred a decent amount of money from one bank account to another (different bank). I thought nothing of it, but I got a call randomly from what appeared to be the receiving bank's 'fraud' phone number (based on Google). I picked up, and the person on the end had an extremely thick accent similar to scam callers. He started asking me if I had made a transaction recently (I said yes), then asked me to confirm this transaction if I would provide additional information about myself, including home address and social... I refused, and was told if I didn't my bank account would get locked!

Sure enough... I had to go down to the local branch to get my account unlocked, as well as prove the amount of money I was transferring was... available in the other account? Absolutely ridiculous. I don't even know what sort of fraud they were trying to prevent, as this wasn't a new bank account and I'd made transfers between them before.


I feel for legit employees with strong accents. In an era of getting 5-10 calls a day from OS scammers, I had a call from a woman with an accent about an invoice. I was curt and ended the call quickly. Turned out that her wording was just ambiguous and she was trying to pay my invoice to her employer's company.


Language barrier or whatnot is one thing, but I was having issues with the methodology of it. I’d have had similar levels of concern (perhaps less suspicion) if it was someone who spoke English fluently with no accent. There’s absolutely no reason they needed to confirm information from me to make a transaction between two bank accounts I own!


Terms of service from my bank say you're not allowed to give your PIN or secrets like one-time passwords (called "TAN" here) to third parties, not even the bank employees themselves.

But when I contacted them about a phishing practice, it was A-OK because it was a "legitimate" website that phished your credentials to view the last 180 days of transaction histories, compute a credit score, and then withdraw the money. They would "look into the situation and see if a better solution could be found" with this German company...

I don't understand how anyone is okay with this, but klara or klarna or something is a pretty popular payment provider in Germany as far as I know. So my experience is now that banks like to change their security-relevant terms one-sidedly. But it's your fault if you give out secrets to the wrong person, of course; not like the bank was going to care if your social security number had gone to a scammer, for example.


I've implemented the bank account checking flow for a German client in a purely B2B setting, and this is essentially based on the PSD2 directive, which requires all/some/most (not entirely sure) banks to provide exactly this functionality (google keywords "PSD2" and "XS2A"). The bank's T&C should reflect this ... somewhere.

The main protection to you not getting scammed out of money this way is in the kind of TAN used for this process. It should/must only allow read access to your account, and at least one of my banks very clearly shows this in the 2fa approval app. Technically, checking your account history and then deducting money will (hopefully) have been two different processes.

The moral/ethical implications of requesting (up to) 365 days of full bank transaction details and being allowed to store this information is a whole different animal, though, and I'm glad I haven't had to do this myself yet.
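The separation the comment above describes (a TAN that grants only read access to account data, with moving money being a distinct, separately approved process) is something the bank's API has to enforce on every call, not just at consent time. The following is an added example, not code from any commenter, bank or the PSD2 specification itself; the scope names, the `Consent` fields and the sample consents are assumptions constructed for the illustration. It shows a read-only consent being accepted for transaction reads within the approved history window and rejected for payment initiation, for reads beyond that window, after expiry, and for unknown actions, next to an over-broad consent that bundles history access with payments.

```python
"""Scope-bound consent checks for third-party bank account access.

Added example, not code from any comment author, bank or standard. It
models the point made in the thread: a consent that lets a third party
read account data must not also let it move money, and the API should
check that separation on every request. Scope names, the Consent
fields and the sample data below are assumptions for this illustration.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Dict, FrozenSet, Optional

# Hypothetical scope names (real PSD2 APIs use their own vocabulary).
SCOPE_READ_ACCOUNTS = "accounts:read"
SCOPE_READ_TRANSACTIONS = "transactions:read"
SCOPE_INITIATE_PAYMENT = "payments:initiate"

# Which scope each API action requires; anything not listed is denied.
REQUIRED_SCOPE = {
    "list_accounts": SCOPE_READ_ACCOUNTS,
    "read_transactions": SCOPE_READ_TRANSACTIONS,
    "initiate_payment": SCOPE_INITIATE_PAYMENT,
}


@dataclass(frozen=True)
class Consent:
    """What the customer approved in the TAN / 2FA app, and for how long."""
    consent_id: str
    third_party: str
    scopes: FrozenSet[str]
    expires_at: datetime
    max_history_days: int  # how far back transaction reads may reach


@dataclass(frozen=True)
class Decision:
    allowed: bool
    reason: str


def authorize(consent: Consent, action: str, now: datetime,
              history_days: Optional[int] = None) -> Decision:
    """Decide whether `action` is covered by `consent` at time `now`.

    Checks, in order: the action is known, the consent has not expired,
    the consent carries the required scope, and a transaction read does
    not ask for more history than the customer approved.
    """
    needed = REQUIRED_SCOPE.get(action)
    if needed is None:
        return Decision(False, f"unknown action {action!r}")
    if now >= consent.expires_at:
        return Decision(False, "consent expired")
    if needed not in consent.scopes:
        return Decision(False, f"consent lacks scope {needed!r}")
    if action == "read_transactions":
        if history_days is None or history_days > consent.max_history_days:
            return Decision(False, "requested history exceeds consent")
    return Decision(True, "ok")


def demo() -> Dict[str, bool]:
    """Run the checks on two constructed consents and return the outcomes."""
    now = datetime(2024, 1, 1, tzinfo=timezone.utc)

    # Read-only consent: what an account-information service should hold.
    read_only = Consent(
        consent_id="consent-ro-1",
        third_party="example-payment-provider",
        scopes=frozenset({SCOPE_READ_ACCOUNTS, SCOPE_READ_TRANSACTIONS}),
        expires_at=now + timedelta(days=90),
        max_history_days=180,
    )
    # Over-broad consent: bundles reading history with moving money, which is
    # the combination the thread objects to.
    bundled = Consent(
        consent_id="consent-bundled-1",
        third_party="example-payment-provider",
        scopes=frozenset({SCOPE_READ_TRANSACTIONS, SCOPE_INITIATE_PAYMENT}),
        expires_at=now + timedelta(days=90),
        max_history_days=365,
    )

    return {
        "ro_reads_180d": authorize(read_only, "read_transactions", now, 180).allowed,
        "ro_reads_365d": authorize(read_only, "read_transactions", now, 365).allowed,
        "ro_pays": authorize(read_only, "initiate_payment", now).allowed,
        "ro_after_expiry": authorize(read_only, "list_accounts",
                                     now + timedelta(days=91)).allowed,
        "ro_unknown_action": authorize(read_only, "close_account", now).allowed,
        "bundled_pays": authorize(bundled, "initiate_payment", now).allowed,
        "bundled_reads_365d": authorize(bundled, "read_transactions", now, 365).allowed,
    }


if __name__ == "__main__":
    for name, allowed in demo().items():
        print(f"{name:20s} {'ALLOW' if allowed else 'DENY'}")
```

The point of keeping the history window in the consent record is that "read transactions" is not one permission: what the customer approved in the 2FA app (here 180 days) is what the API may serve, so a later request for 365 days is refused even though the scope itself is present.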


> It should/must only allow read access to your account

Besides that it also needs to perform the payment, why do they need to pull 180 days of transaction history just so that I can give the merchant their money? (I'd be happy to just be given an IBAN number and transaction description to use and do it myself.)

At least that's what the consent screen said it was going to do: assess my creditworthiness before withdrawing the money. There was no way to pay without sharing who my employer is and how much I earn, which shops I visit in which cities, where I've been on holiday, what online purchases I do and on which platform and how frequently and for how much, etc. Obviously I declined this but since it's one of the logos you see every time, I guess a lot of people "consent" to this (knowingly or otherwise).


AirBnB has adopted Plaid for credit card verification recently, which wants bank login credentials. Nope, never going to happen.


Any bank where this is the standard operating procedure for interacting with loan applications is not a bank that I'd want to do business with. Perhaps this was just one loan officer's way of doing things, and not the way of the business, but that's just not okay to me.

Any time anyone asks me for any part of my social over the phone, I ask for some other method of verification. Most folks have other ways of doing stuff. It's ridiculous that what should purely be an ID number is so powerful, but I can't change that fact, just how I interact with folks with regards to it.


This method of data exfiltration is in Kevin Mitnick's book! He needed a daily PIN that banks used to validate intra-bank communications. He called a bank, said that he needed to fax over loan forms from another branch for signing later that day (or something like that). He then asked the bank that he called for the daily PIN. They refused because he called them. He pointed out that he was sending sensitive data to them so they needed to provide the PIN... and they did.


One of my startup jobs paid us through ADP. While our ADP account was being set up, my boss told us to be on the lookout for an email from them. So one day, I'm in the middle of programming something, and I check my email. Lo and behold, there is an email from ADP... or is it? It is about fifty words long and contains five grammatical errors. It's asking me to fill out the attached PDF and email it back. The PDF is asking for my full name, address, phone number, SSN, and so on. I figure this may be some kind of phishing attempt, so I ignore it and get back to my work. If it's real, I'll hear about it again, right? Well, two weeks later, my boss tells me amazedly, "Hey, Bill from ADP is still waiting for your information! Why didn't you reply to him?!?!" I laughed and told him why.

As a bonus, when I was finally put into the system, they managed to get my zip code, phone number, and SSN wrong. At ADP, quality is job zero.


> He asked for my name, which I gave him, and then the last four digits of my social security number, which I also gave him. He then proceeded to ask for my full social security number, at which point alarms started going off in my head and I started sweating about even giving the last four digits to a stranger who had called me out of the blue.

I'm super paranoid about even the last four. The first five digits of an SSN were algorithmic for most of US history, and still mostly are, with a tiny bit more random entropy, and can be narrowed down with mostly only the city in which you were born and what year. You can often use basic k-means clustering to find it even without that information. More often than not entire families share the first five (or close to it) and you only need to phish one family member to k-means cluster the five digits for the rest.

The last four are more often than not the most significant digits in terms of identification and entropy. Masking the rest is almost silly for most Americans. Our masking schemes have actually made phishing easier because people feel safer sharing just the last four, when for most those are the only four that matter.

SSN was never intended to be a secret so its design is horrifyingly bad for something that has come to be a huge secret in banking and healthcare and so many other industries. Recent SSN changes have made it a little better for anyone born after roughly 2010, increasing somewhat the entropy in the first five, but the rest of us have problems that we can't solve easily and banks should be ashamed they helped lead us to these problems.


I'd have read him the riot act on the phone. My bank has big warning banners on virtually every page of the site warning me to be careful of scammers. Someone calling me on the phone and asking for my TIN? Yeah, I don't think so.


> I'd have read him the riot act on the phone.

No point. If he is a scammer he has a thick skin. If he is working for the bank this is either a training or a policy issue.

Just refuse politely and report to the bank. (preferably to some security channel if there is one.)


Had a very similar experience with a bank a few years ago. I filed an official complaint because it was not possible to verify the caller was authentic.

Can you guess what happened next? Yep... The complaints team cold called me and requested PII to confirm they were talking to the right person. I refused and the call ended.

Later got a letter saying it wasn't possible to follow up on my issue and they didn't see any issues with what I had raised. I tried... :/


Reminds me of the repeated calls my parents received to refinance their mortgage under some government program. It took them months to realize it was legit.


Shout out to my car insurance, Amica. They called me because they needed some account information updated/clarified. Before we started doing anything I told them "Hey, not to be rude but could I call you with the number on your website? I'm paranoid about scamming and that's safer" They said "Absolutely, that actually makes a lot of sense". So, I called back and we got everything done.

The issue, I think, is the larger the company is the more incentivized it is to hide away access to its internal employees. If you can call a department directly you can start phishing between multiple employees pretty quickly. Locking that down and putting a horrible automated system in place makes that harder to do.


I swear, it's like banks are trying to train people into being scammed.


> Turns out he actually was from the bank and he did cancel the loan application.

Plot twist! Didn't see that coming.

Seems bizarre to me that this would happen, but reading sibling comments just keeps having me shake my head in dismay.

