How I lost control of our bank accounts to a phone scammer (robservatory.com)
203 points by miles on April 3, 2020 | 139 comments



I got a call from Wells Fargo telling me that they had identified a fraud on my account. Fair enough, I was about to call them to tell them that they cashed a check against my account that was written for a different name. This was entirely their own doing, essentially. Then, they ask me to verify my information before starting the process of fixing this and creating a new account number.

“With all due respect, you called me. How do I verify you?”

“Well you have to answer the question otherwise we can’t fix this over the phone.”

“OK that’s fine, just give me some way to contact you when I call the main number.”

“No, there’s no way to do that. If you don’t answer these questions now, you’ll have to go to a branch.”

This was entirely surprising to them. In the end I had to go to an office and show my forms of ID, which I found amusing because they didn’t even bother to verify that the name on the check matched the account. But anyway. This bank, at least, is not yet on board with good security practices.


My real estate agent has a @agentname.com domain which all my previous communication has run over.

Last week I got an email notice that a payment was due for a household bill. It came from mailer@constantcontact.com and contained a link to a Google Form which asked for a credit card number. The form itself even has Google's warning not to provide credit card numbers down the bottom. It never even named my agent, where I was living or what the bill was for or anything that made it believable.

I forwarded it to them and said I wanted to report some potential phishing. A legitimate person responded from their mailbox noting that they don't accept excuses like that, and pointing out the bill must be paid and no one else had ever questioned it.

I work so hard to train users about scams but I just have no idea what to do about the rest of the world.


> The form itself even has Google's warning not to provide credit card numbers down the bottom.

I received a PayPal phishing email once which included PayPal's actual security footer at the bottom. It helpfully pointed out that communications from PayPal will always address you by name, never as "Dear customer".

I was amused by this, since the phishing email started off with "Dear customer".

There must be some population of people out there who are looking for the footer, but not bothering to think about what it means. (Or possibly a population of scammers who copy the official formatting without checking whether it's something they really want.)


Don't get me started on Paypal. They send emails from a domain that isn't paypal.com with login links in the email that point to a domain that isn't paypal.com.

I genuinely can't distinguish official Paypal emails from phishing emails - and that's because the Paypal emails look like bad phishing emails rather than because phishing emails are so sophisticated.

EDIT: Good write up here: https://cantoriscomputing.wordpress.com/2017/03/04/paypals-e...


I've reported such emails to spoof@paypal.com and never got a reply. Maddening. I never open mails from PayPal now - better safe than sorry.

Edit: https://news.ycombinator.com/item?id=15296425


The last time I attempted to sell something on eBay, twice in a row a scammer -- presumably in the Ukraine -- won the auction and then proceeded to send me a spoofed Paypal payment confirmation (from: service@intl.paypal.com) written in Cyrillic. The mailing address was a drop ship company in New Jersey. Then they were aggressive about sending me messages like, "I paid, have you sent it yet??"

I ignored them and sent the spoofed emails to the spoof addresses at both eBay and Paypal, which seemed to be entirely ignored. After the required amount of time passed I reported the auction winners as non-paying, and I finally got my seller's fees "refunded" to my eBay account.

Then, a couple of weeks ago, I attempted to get eBay to actually transfer my fee credit to my bank account. eBay responded with, "We would really love to help you out with this. but due to COVID-19 we can't."

Somehow one of the fraudulent buyers has had an eBay account since 2012, and it's still active and has a 92% positive feedback rating. Their current auctions include a used gynecological examination chair. It's as if they're flaunting the fact that they can get away with whatever they're doing without being held accountable by either eBay or Paypal.


As a bank we do the same thing. Driven by the fact we don’t want our login emails to come from a domain that also sends “normal” emails in case spam filters start dropping emails from our primary domain.

This isn’t a hypothetical concern either, having spam filter go crazy happens more often than you expect, and some of them drop emails completely rather than putting them into a spam folder (looking at you Microsoft).

Unlike PayPal we make it easy to verify our domains. https://monzomail.com


Oh my god the closure on that link. You couldn't write satire this good. Bureaucracy distilled.


There's a theory about phishing emails that they deliberately make them slightly more obvious in order to weed out people like yourself who are unlikely to fall for them, to increase the average ROI of time spent on dealing with responses.


BTW legit Paypal footer does NOT include such warning at all


From a recent email

> How do I know this is not a Spoof email? PayPal is committed to preventing fraudulent emails. Emails from PayPal will always contain your full name. Spoof or "phishing" emails tend to have generic greetings such as "Dear PayPal member". To learn more, go to the PayPal website and click Security.


My bank sent an (authentic, it turned out) E-mail including the ‘We’ll always use your first name in our correspondence with you to prove we’re who we claim to be.’

The E-mail started «Dear $FORNAVN...» (Where ‘fornavn’ is Norwegian for ‘first name’)

When I called them up to ask, the helpdesk rep just sighed and suggested that the mail merge script had probably crapped out. Again.


I'm always skeptical of when companies say they will "never" do something. How in the world do all your employees know to never do that thing? Are you constantly reminding people every day in your office of the list of things to never do? Even if you're one person that's an insanely strong promise to make to anyone about your future actions. How does a company have such confidence in the future? The only way I can imagine this working is if they make it impossible for themselves to do that thing, which itself is practically impossible in these cases.


I would assume that only certain employees are authorized to email customers at all, and they have been trained to follow the policies.


I mean, in theory, yes, but I mean, I'm sure you've seen your share of mishaps, right? Like when companies send "Dear $CUSTOMER..."? When something that blatantly obvious can get through, what confidence do you have that training is enough to prevent more subtle things like this for all eternity?


I can't recall an instance of Dear $CUSTOMER sent to me personally. If it has happened it must have been very long ago.


Amusingly enough, I got a Dear %{CUSTFIRSTNAME} from my auto loan provider less than an hour ago.


This isn't even restricted to email.

I have a paper letter here from my dentist, the purpose of which is to explain that they've cancelled all routine appointments, because duh, of course they have.

The letter addresses me as "Mr" in some places and as "MrNicholas" (no space) in other places. But to be fair it also claims the problem is COVID-9 (not COVID-19) so I'm guessing that correctness was not the number one focus of the person typing it.


We had some employees working from a coworking space last year, and we would receive invoices from the coworking biz addressed to "MR Company Name". They would frequently omit our VAT number as well. Of course, we could not pay those invoices, and whenever we got in contact with their support the response would be so delayed that we already had received multiple warnings and threats from their automatic invoicing system. They did eventually get their shit together and voided all the junk invoices they had sent us, but it took three months or so... And this was a huge player in coworking, not a small indie business.


Mail merge is mail merge, be it, to an email, letter or text. Dental practices aren't usually big enough to have a person who devotes such a large percentage of their time to composing mail merge templates as to become slick at the task. Rather than being sarcastic you would be better being grateful that they were courteous enough to go to the bother and expense of writing to you at a time when their business was experiencing complete shutdown and they themselves were facing total loss of income. They probably had more on their mind than pleasing pedants who'd focus on trivia at a time like this.


Did it come across as sarcastic? I certainly didn't intend that, of course they have more important things to worry about. They'd usually come in to do a day's work and now suddenly everything is closed and they've got to write this weird open-ended letter.

It's an NHS dentist, so unless we have millions of deaths I expect the practice will continue to exist and receive funding as before. Such practices are funded partially on the basis of the number of patients who are notionally "theirs" to look after and that hasn't changed even if providing non-emergency services is not a priority now.


I think people might read the footer the first time they get an email. That's why it's there.

And on subsequent emails people only look for rough visual similarity as a sanity check. That's why scams keep it there.


>I just have no idea what to do about the rest of the world.

Assume that it's only going to get worse and act accordingly.


You need to expose that kind of stuff. By hiding them behind @agentname.com you just help them.


In this case wouldn't naming the agent also increase the likelihood that they're targeted? The clients have already been primed to follow the phishing link, so it'd just be a matter of getting a target list. Most agents I'm aware of stick to a local region/market, so targeted ad buys ("people in X county buying homes")/email lists/etc could be worth it for a motivated phisher.


Even when a bank or organisation does have good general security practices, I have, far too many times, encountered CS agents who have leaked information like sieves - given me multiple attempts on passwords, hinted which address I’ve registered with. I get why - many people have no idea about any of this stuff, and if CS don’t cut corners they never get to serve anyone. Many, many people I know can’t recall any passwords, and reset them every single time they need them.

I was recently targeted by I-don’t-know-what. Third party opened a fault ticket on my BT FTTC line, and then through a combination of SMS SC spoofing, real links to BT systems, and false links to very plausible looking “book an engineer visit” screens tried to get me to invite a criminal over to play with my technology.

The idea was likely to get me to welcome some unknown party into my home to mess with my router - I would assume putting some kind of packet sniffer in place to skim data and cards - but I honestly have no idea to what ends.

As a general rule, I ignore all communication from banks and service providers, as I’ve nearly fallen for a “card fraud” scam twice - the second time, they already had my card, and had already done some petty fraud that they wanted to talk to me about, with the hope of me giving them access to my online banking. The worst case in ignoring them is that they will try again. If it’s actually important, they’ll keep trying. If it’s fraud, I’ll notice and will contact them.


HSBC UK fraud department in the UK send you a text message if they believe there is fraudulent use of your card with a number to call.

The problem is that number is nowhere on the website. How do I know that text is actually from HSBC? How do I know the number I’m being asked to call is legit?

I’ve tried to explain to HSBC that they are training their customers to be susceptible to scammers but they just don’t get it. I had this conversation with someone in the fraud department where I said, “at least put that number on your website somewhere, so if I go to Hsbc.co.uk and search it turns up” “we don’t want to publicise the number sir” “Well, put it on a page that isn’t displayed on the site, but which still shows up in a search if I search for the number” - “I’ll pass on your concerns”. That was about 10 years ago. They still do it.


This situation is getting better. In the UK now there’s a big push among all the banks to ensure that phone numbers and links are never placed in texts. Rather they will only tell you to “ring the number on the back of your card“.

The banks got rather upset when the gov sent that COVID-19 text with a link in it. Silly move, and we’ve seen plenty of fraudsters take advantage of it.


At least the link was to gov.uk


Yeah, but now people are spoofing the phone number to get other links to appear in the same conversation as the COVID-19 message.


I think the situation has improved in the last 10 years.

When I got a fraud call and was asked to authorise I told the agent that I didn't trust them unless I had a number to call to verify, so the agent on the phone told me to call the number on the back of my debit card. They give every person the number explicitly now.


One glaring example is our online electronic tax forms in the US. Is it at "forms.irs.gov"? Of course not, it's at the not-shady-at-all "freefilefillableforms.com".


I've done that to credit card companies that I even called. They'd say something like "okay I need your full social security number" and I would just say no. There would be a pause, then they would say "okay I can verify you by your recent transactions."

Like why didn't you start with that! Some companies just don't teach their reps to care about security.


If they did it the right way, each call would be longer, and they would have to employ more people to maintain their goal of giving the minimal level of service they can get away with.


I’ve had a similar experience when my bank called me and asked me to verify my identity. I asked them to tell me the sum of the last four digits of my account number. They wouldn’t. I had to call another number and get transferred around a bunch.

Perhaps I should have said: here are five possible transaction amounts and dates. Tell me which one is real and then I’ll verify my identity to you.


It's simpler than that. Ask for their desk extension and then call the number on your bank's website/card and use the extension. I have yet to talk to a bank employee who isn't willing to do that.


This is the best way, but some call centers aren’t set up to give it. (I have intimate knowledge of this topic.)

If you run into one of them, the quickest resolution is calling their preferred services line and saying “I just got a call from the Fraud Department but was disconnected; can you transfer me?”


I asked for this on a recent Wells Fargo call as I got disconnected from the previous one when they put me on hold. They said they don’t do that. Maybe you need a million dollars with them before they do, I don’t know.


Had a similar situation, mobile provider had called me to offer me a deal, was no CLI showing - usual withheld affair, as is the case of many companies alas (though mindful that can be spoofed).

Again, same situation, wanted to verify who I was and when I wanted them to verify who they were we ended up in a circle-dance.

But it is important and getting their number or in your case, a branch to go into - something you can prove with a degree of confidence is important. Many will happily give out information. In my early days of work (before CLI and still analogue exchanges afoot) a friend pulled a joke upon me, phoned up pretending to be the TAX office and to verify details. It's easy to fall foul of such things and it has been a source of many scams against less aware and older people less savvy of such.

One way is to partially give information and ask them for some back that they are verifying against.

Also if you ask them to verify details they will (legit even) use the data protection law flavour of the country to say they are not allowed to do that and very easy to get into a circle-dance.

Which makes online more secure than the whole phone network with all its legacy overhead opening up to abuse such as spoofing. Bit like the early days of the internet and spoofing IPs, not so easy today (mostly if routers configured right as most are).


I think this is a significant part of why identifying frauds is hard: normal business phone practices are often surprisingly scam-like (e.g. asking to provide verification info when they are the ones calling). So not only do frauds imitate legit activity, legit activity frequently imitates fraud.


Do banks ever actually do this? It makes no sense and what you describe is identical to a push payment fraud? A bank account number is not private information so there's really no point in creating another account.


I asked if it was really necessary and they said they had to. So perhaps this was a situation where they expected much more fraud if they didn't give me a new account.

I discovered it is a real hassle to change a business operating account number. Providers who, in the past, were happy to start doing ACH through your account with minimal documentation require a lot more to change that ACH account number. In one case, they asked for something I don't think I can provide (a scan of a canceled check) as the bank doesn't send those anymore. I'll have to see if they really only need a void check.


The fact that the phone number on your screen cannot be trusted to be the real one is completely unacceptable. It takes a very savvy person to know not to trust it; any reasonable person would assume it to be correct.

And there is no one to blame but the carriers. I really hope the FCC's new anti-spam rules kill this problem dead in the water.


This is an unfortunate by-product off the easy phone numbers work. It’s necessary that when I call from one of my N lines, your caller ID says my main number. Adding in SIP, cellular and other forms of phone mobility makes it hard to authenticate phones without a central system that was never provided.


We don't have spam calls over here in Germany. I _never_ received one. There were 3 calls I remember that were doing research stuff, but that's all. And telling them to not call again would have solved it, btw.

It seems to be related to other stuff the US is behind on, but I've given up on finding out how it could be fixed in the general (last 20 years) political climate.


The “caller pays” system in Europe helps a lot to make spamming less cost effective. In the US we don’t have that system. A cell call incurs charges to the recipient for the cellular service. The caller may not have to pay at all beyond basic line service.

We had an effective program for a few years eliminating telemarketing calls on landlines.


I think it might be mostly that you're not in an English speaking country. Based on accent, a lot of spam calls appear to originate from developing countries.


That would explain maybe a 100x difference on its own. But that's already way over, if I aggregate data from close family about how many spam calls they got.


It is not hard, carriers are lazy. These are massive companies with deep pockets and no motivation to tackle a problem that doesn't directly impact their bottom lines.

Just keep a registry of every organization that you've given permission to fake phone numbers, and which phone numbers they're allowed to fake. Make them route those calls through a special system and give them a secret token that that system will verify. Centralize your client/token/virtual phone number registry across all carriers (it's no different from certificate authorities). If one of the accounts starts sending spam calls, revoke their token. Done.


>Make them route those calls through a special system and give them a secret token that that system will verify

STIR/SHAKEN is handling this at the provider level. There are an awful lot of PBX installations out there, with hundreds of makes and models and service lives in decades. You are absolutely not getting every business with a trunk line (e.g. essentially every business with more than one telephone) to participate in a protocol change.


Have their system type out the secret token in dial tones before each call that has a fake number. Any phone could do that. They have to already be doing something special to tell it which fake phone number to use. This can't be a more strenuous ask than that is.


It’s not the complexity of the change, it’s the number and diversity and distributed ownership of machines that would have to be updated and configured (if still supported; many are past vendor EOL and would need outright replacement).


Sorry, I just realized how badly autocorrect butchered that comment. “off the easy” -> “of the way”


100% agree with this, this is on the carriers; there should be no way that you can place a call and spoof that it is from another number.


Yesterday a family member got scammed out of banking information in a COVID-19 related scam. These scams are rampant right now. I think it is worth warning family and friends that might be unaware.

Banks sometimes make it hard to do the right thing. Last year my bank called me, I didn't answer the unknown number and they left a message. The message had a phone number to call and a case number. I'm not going to call a number someone gives me, so I called the main number and asked to be transferred. After a few transfers to the wrong people, it eventually became clear they couldn't transfer me to this particular fraud department.

I physically went into a bank branch. A very nice banker there tried to call them for me, spent 20 minutes on hold and being transferred around. They were able to confirm the call was real, and what it was about. But the final conclusion was, there was no possible way to reach the person in this fraud department, they had to call me. We arranged a 1 hour window where they would call me and I'd be sure to answer the phone.


I'm going to correct myself. My family member didn't get scammed!

There is a government agency cold emailing people, telling them to fill out a form that asks for Bank Name, Account Number, and Routing Number.

https://imgur.com/a/5loIfnW

Way to teach people to be safe.

At the same time the IRS is telling people to avoid scams by not clicking links in emails: https://www.irs.gov/newsroom/irs-issues-warning-about-corona...


> https://imgur.com/a/5loIfnW

That looks super shady.


Genuine question here: since the domain name is *.sba.gov, wouldn't that be enough to consider this legitimate?


I don't know the specifics here but many official sites also can have compromised parts, e.g. a subdomain with an old wordpress install or similar can get taken over.


Probably but I’d still prefer a link to a www.sba.gov page that links to this form.


The banking system (checking in particular) is hopelessly dumb, but that information is printed on every check. It isn't top secret.


True. The form also asks for SSN, DOB, address, phone number, etc.


A friend’s mother got scammed because she’d arranged for her ISP support to contact her that afternoon and then an Indian IT scammer happened to call just before...


That's so frustrating, as a bank they are making it harder to avoid fraud by training people to trust them. I was in the same position where someone tried to hack me but I will never give out information to an incoming caller, so I asked for their fraud number and googled it. I figure if it comes up somewhere on their website it's legit, if not I won't trust it.


A typo website, especially in the age of unicode domain names, can be tricky to catch.


The persistence is what tells me it's fraud. A regular bank would just tell you the number to call and say "have a nice day."

In fact my bank recently did try to reach me for fraudulent charges and they did it by text and at the end it said "call the number on the back of your card" so I would suggest, just like the IRS will never call you directly, assume your bank will never call you. They might text you, email you, have their app send you a notification but never a call. And they will always say "call the number on the back of your card".


I got a call from my bank earlier today, trying to get me to finish my mortgage application. I think it was them, but I refused to authenticate, because I didn't schedule the call.


I hated that. When I was buying real estate, it was an endless stream of warnings to not give away all your money to scammers, interleaved with a stream of messages from the bank, brokerage, and escrow company that look and act exactly the way scammers behave. No security in the phone based transactions. No challenge-response. Constant handoffs to new associates and affiliates.

They don't care about security at all; they just want to be able to say "we warned you" if you get robbed.


This is so true! It's absolutely mind-blowing how a fraud warning can be immediately followed by an impromptu call from someone's assistant using a cellphone.

This is also more broadly true of the consumer lending industry. One of the things that totally boggles my mind is that consumer loans are bought and sold, and then a consumer just receives a random letter one day: "hey, start sending your payments to me now!" How on earth is the poor consumer to know that the random person who is demanding money actually holds the note? And it's not like the student loan or the auto loan or the mortgage loan originator actually has a phone number one can call where someone actually reliably will answer the phone and will actually know whether the note was sold or not (have you tried to get a student loan servicer on the phone?)...

I think probably the only solution for that industry is to legislate rational security practices at them.


That’s more of sales call than anything else. I’d expect the bank to follow up on loan applications.


Sure, but there's also a bunch of wire fraud chasing people going through the process. It's scary.


Your bank may call in the case of suspected card fraud. I've had that a handful of times.


I've had that once a long time ago, now they always just text or email, I'd rather that... no matter what I'm trying to buy, I have 15 credit cards if one doesn't work a different one will.


Another missed red flag is when the scammer told him his last four of SSN. No legitimate company who has your DOB or SSN will ever tell you it over the phone. I'm pretty sure that's a violation of compliance laws. Agents are trained to ask, not tell.


Your DOB and SSN shouldn’t need to be private information! The first is a matter of public record and the second is an identifier not a security token.


You're overestimating the legitimate companies' employees security acumen. They do it all the time.

Sometimes when a legitimate company asks me to verify something, they do it by telling me. As in, "I need to verify your date of birth. Is it xx/yy/zzzz?"


Giving it to some random caller does not make me any more secure - so it would seem that the rational approach is to distrust any incoming call that mentions the issue, as it does not belong in any security challenge.


To correct my own claim, it seems reasonable to give this information if you are confident you have contacted a trusted entity, so that it can do its verification.


My takeaway: Never, ever talk to anyone over an incoming call. Always, always initiate the call yourself, and to the official number.


I take it one step further and never answer incoming calls.


I got rid of fixed line and set iPhone to 'ignore calls from numbers not in my contact list'.


How did you do that??


Go into the "Do not disturb" settings, and you can find an option for that there.

Having DND enabled all the time could have unintended side effects though.


Ah. I had not considered using DND for that purpose. Thanks!


Actually there is now a "silence unknown callers" option if you have an up to date iOS: https://support.apple.com/en-ca/HT207099


If someone claiming to be from your bank calls you, it isn't safe to hang up and call on the official number, unless you call the bank on a different line. The original call doesn't end until the calling party hangs up, and they might spoof a dialling tone and then a ringtone.


That is only on VERY old land line systems... in fact, I don't think any exist anymore (the last ones were phased out a few years ago).


New scam keeps fraudsters connected after victim hangs up https://www.cbc.ca/news/canada/ottawa/line-in-trapping-techn...

"Scammers using line-trapping technology to trick victims, police warn"


What is line-trapping? The article doesn't explain how it works and which devices are vulnerable. I tried to look it up but the results aren't helpful. They are either rewrites of the same article or irrelevant pages about wildlife trapping.

I suspect they affect landlines, but the articles have confusing photos showing smartphones.


I think I read about it in one of Mitnick's books years ago.

Basically, if you hang up your landline, it doesn't sever the connection.


How do you spoof "dialing tone" on a smartphone?


Ok, so just call with a different phone.


What if your counterparty has the same policy?


I had one of these guys call me and I can tell you they are good. We have a lot of skimmers on gas terminals, ATMs, etc. in South FL so it's pretty normal to get fraudulent transaction calls. But like this article, the guy spoke perfect English. The cunning part is they really knew the workings of my bank; they would call 5 minutes after the main line closes for the night. The worst part about it is, they had my card number but it had been put in cold status due to legit fraudulent activity, which basically means you can only use it as a debit card. Their aim was to get my PIN from me, and they had a whole script before that, that they run thru. The scary part is it felt like a legit fraudulent activity call from my bank and I still suspect that one of the scammers had inner-working details of my bank. I knew it was not when they asked me to verify my PIN. At which point I realized it was not a legit fraud activity call. I asked for a call back number and of course the excuse making started about the main line being closed now (they have a separate fraud line that is 24 hours). I told them I would call back in the morning; they said they would have to let these transactions go thru if I did. I said fine but I dispute them if you are recording, and hung up and promptly called the fraud line. The scammers are getting more sophisticated and convincing.


Some banks do actually send and then ask for a verification code over the phone. And it's legit!

They have multiple types of verification codes, like ones for wires and another verifying your identity if you call customer service.

Avoiding fraud is complicated already and will continue to be a problem forever. As people get better at identifying scams, the next one will emerge. As companies create new policies to avoid fraud, "jerk"s will figure out ways to manipulate it.

I'm not sure a long term solution exists.


I mean, if there is proper 2 factor authentication set up, it would be much more difficult for this scam to work. Most banks in Asia issue you a physical security token, which if you lost you'd need to get it replaced in person.


Is it possible to eliminate the phone number? It was needed in the old days, and many people today use over-the-top services like WhatsApp and FaceTime. Companies use phone numbers to track us and scammers use them to swindle us.


Probably not. If a phone number is replaced with a hash or a username, similar if not identical problems will emerge. Look at the numerous bitcoin scams.

I think the only thing that helps is time. The longer a technology has been around, the harder it is to fake. Fraudulent gold or currency is pretty tough to do and the people tasked with tracking down the offenders are effective. With most internet-based scams, the technology is emerging. It will take a long time for detection and mitigation to catch up.


One lesson is that it's not a certain type of person that falls for a scam. It's anyone when they are in the wrong frame of mind.

Obviously there are ways to prepare yourself, and rules to follow, and red flags to watch for. But you won't really follow the rules unless you believe that "yes, it can happen to me". It might be when you are busy or fatigued or in the middle of a big transaction or whatever.


There are 2 types of people who fall for a scam: the one who does not know how things work and the one who ignores the red flags.

Writing the story is good for the ones that don't know.


The author is Rob Griffiths of the venerable Mac OS X Hints (http://macosxhints.com) and Many Tricks Software (https://manytricks.com/).


I chuckle because rsync.net purchased a few "Witch"[1] licenses and my accountant's auditor who was going through last year's expenses came across a charge from "manytricks.com" and sort of sheepishly said " ... I think this might not be a business expense ...".

I had to explain that it was, in fact, and showed her the software that we had licensed ...

[1] https://manytricks.com/witch/


A couple of months ago my wife fell for a similar scam. Caller on her cell phone said he was from our cellular carrier. She was sent a text message with a code, which she read back to him. Caller proceeded to access our on-line account at the carrier, using her cell phone number as the user ID, and purchased two top of the line iPhones, to be shipped to a hotel a couple of blocks from our house under her name and, of course, billed to us.

Fortunately, the carrier put the order on hold and sent her a text message asking her to confirm the order, so I was able to regain access to the account and reverse the purchase.

I called the carrier's security, told them the story and gave them the address of the hotel where the scammer would be picking up the phones he had ordered, but they were not interested in following up.


> but they were not interested in following up.

Why would they be? All they're interested in is avoiding transactions that might be marked as fraudulent; they're not interested in actually fixing the issue. That's the police's issue, not your carrier's.


Following up and putting the scammer in legal trouble means he's no longer going to be around to retry the scam on the next victim (who might actually fall for it).


Why do people answer the phone at all when it's not an actual person (family or friend)? There's no reason for a business to call you. My phone sends any call that's not from a number in my contacts straight to voicemail - if a voicemail even gets left that's not just someone hanging up, you can return the call to a number you know is real. The IRS deals almost exclusively by mail, banks have apps with account notifications. There aren't many good reasons to answer unexpected calls from businesses.


Working remotely is new for a lot of people and sometimes coworkers will call your personal number because it is available for emergency purposes, which unfortunately we now live in.


Presumably you have never interacted with a doctor :-)


My doctor interacts via a patient portal online.


Even with new tech companies like Plaid, they're designing patterns that will compromise security down the line. Plaid has you enter your bank login information right on some third party website. While Plaid can be trusted, there's no reason to trust the third party with my bank login info. My password manager right now doesn't work on these pages since it doesn't recognize the domain. But a less astute user may unwittingly give out their bank login info to some random site that makes a fake Plaid UI.


Please correct me if I’m wrong, but I believe Plaid uses an OAuth-like experience via an external tab/window to an encrypted subdomain of their website for authentication (so no middle man sniffing technically possible).

Disclaimer: I do not work for Plaid, but have used it in the past.


If it is implemented that way there’s no way to tell from the user side. It just looks like it’s a part of whatever website you are on. My password manager even refuses to autofill.


I steadfastly have the stance I will never talk to anyone over the phone unless I initiated the call, and this is a great reminder to stick to that, no matter what they say.


Just to be clear, that's in the context of talking to companies, not when a friend calls you up? Because I'm not sure if it's because I'm just thick or because I'm not natively English but it can be understood (as my sibling comment seems to do) as literally never talking to anyone unless you called them.


If two friends both had that policy, it'd be a standoff. They'd never get to talk on the phone.


This is why call centres based in Mexico always fail.


Everyone has their own strategy. I only answer calls from my own contact list. I have some friends who literally turned off the ringer and don't answer any calls. You have to leave them a message, or just text them and ask them to call.


You realize this fails because you can spoof Caller ID. The Caller ID was from the bank, so if you had the bank in your contact list, you'd have no protection.


I can count on zero fingers the number of times my bank has called, however. I don't have them on my contact list. I have a few businesses, mostly family, friends, and colleagues. Spoofing one of my contacts is a pretty tall order for a robocaller outfit, and likely would raise the cost of the call high enough to make it unviable.


If your contact list is small enough to be people that you know well, though, it's not a bad policy. Most scammers are not going to be equipped to imitate my brother's or my wife's voice and mannerisms well enough for me to believe them.


Personally, my policy is not to talk on the phone except with people who are close to me. All of the people who are close to me know that I prefer not to talk on the phone. Ergo, anyone who calls me is not someone I want to talk to.


Maybe it's a generation/cultural gap but me and my friends exclusively communicate in text chat apps. If we need to hash something out in voice real quick (finding each other in a park or something), it will have been prefaced by text and the voice call is done in the chat app, not through the phone network.


haha, sorry. I meant for companies.


Yes, everybody should do that!

/s


He still failed to notice a huge red flag. Companies are not supposed to call people up and tell them their last 4 SSN digits, let alone the entire thing.

If your bank ever does that to you, close your accounts and switch banks.

Why did he not realize this after the fact and point it out as a missed red flag? Has anyone had their bank read them their SSN over the phone? That sounds like a massive PII compliance issue.


> Here’s the tl;dr version: Do not ever, as in never ever, give out a verification code over the phone.

The deeper lesson here is the power of cognitive dissonance. If you get even slightly fooled, your egotistic brain will Stockholm Syndrome you into working for the attacker, to postpone the embarrassment of acknowledging to yourself you got a little bit fooled. The worse it gets the deeper your denial will grow to stop you from cutting off the attack.


I read these accounts of scams and I can’t imagine any legitimate scenario where I could possibly expect a call from a bank about any of my accounts - checking, savings, brokerage, CC, mortgage.

With everything available online, there is no reason to step into a branch or have an ongoing phone ‘relationship’ with a bank. I can’t remember the last time a financial institution called me about an account. Even credit cards have moved away from fraud check calls to simple and foolproof yes/no verification messaging.

Outside of non-specific marketing and upsell calls, any call I get out of the blue can only be a scam.


Why do phone companies allow phone number spoofing? I can't spoof just anybody's IP address; why can I spoof a phone number?


Two reasons:

1) Because the whole system was designed back in the day of one single integrated phone company (Ma Bell/ATT in the US), so having any form of authentication was unnecessary, because only the one single phone company was ever responsible for handling anything phone related.

2) Because caller-id is an 'add on' that has no relationship to the underlying phone number "address" that is actually used to route phone calls. It is just an extra text string sent along from the call initiator for the purpose of appearing on a display at the destination end.


But ATT was broken up almost 40 years ago!


Of course you can spoof anybody's address. Depending on the protocol, you may not be able to get it working. But if it's UDP, you can definitely spoof someone's IP address.


Quite a few ISPs will not let you use IP addresses that do not belong to them.


Actually, good luck. People have ingress filters.


At the end he mentioned he had 2fa activated. How did the scammer defeat that? Did he read another code out to them and gloss over it?


That may have been the 'second code' referred to as a typo by the article, but was perhaps the standard 2fa token that came in after the original password change token? Nice catch.


No doubt that this person made a huge mistake, but...

Is this seriously a thing? A bank that uses one-factor login? Not only that, but a weak one too? This seems absolutely ridiculous. Why would anyone use such a terrible bank? Isn't the bank at least required to try to protect the customers money? It's usually not that hard to get a hold of a number belonging to someone else. Where in the world is this?


Isn't this two-factor login? Something you know (username) and something you have (phone)? There's also a good chance that the scammers had a set of leaked security questions on hand. I'm sure some banks even use SSN as an authentication factor.


No, it's not. A username is rarely a secret used for authentication. In this case it seems the user got tricked into giving away a password reset code sent over SMS. So the first factor (password) was skipped. If an SMS code and the password had both been needed, then it would be 2 factors.

SSN is also a stupidly bad choice as an authentication factor. A lot of people have access to it, it's not unique to the service and you can't just change it whenever you want.
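The point made earlier in the thread that a bank has distinct codes for wires and for identity checks, and the point above that a reset code handed over the phone skipped the password factor, as an added defensive sketch that is not from the article, the thread or any bank's code. The OtpService class, the message wording and the 5-minute/3-attempt limits are constructed assumptions; the idea is that a code is bound to one purpose, says so in its text, expires, and works once.

```python
import hmac
import secrets
import time

CODE_TTL_SECONDS = 300   # assumed: a code is only good for five minutes
MAX_ATTEMPTS = 3         # assumed: wrong guesses before the code is burned


class OtpService:
    """Issues and verifies purpose-bound one-time codes (constructed example)."""

    def __init__(self, clock=time.time):
        self._clock = clock          # injectable so expiry can be tested offline
        self._pending = {}           # (user, purpose) -> [code, issued_at, attempts]

    def issue(self, user, purpose):
        """Issue a code for exactly one action; returns the text the user would get."""
        code = f"{secrets.randbelow(10**6):06d}"
        self._pending[(user, purpose)] = [code, self._clock(), 0]
        # The message names the action, so someone coached to "read back the code"
        # can see it authorises e.g. a password reset, not a fraud block.
        return (f"Your code to {purpose.replace('_', ' ')} is {code}. "
                "It expires in 5 minutes. Bank staff will never ask you for it.")

    def verify(self, user, purpose, code):
        """True only if the code matches, for this purpose, is unexpired and unused."""
        if not (isinstance(code, str) and code.isascii() and code.isdigit()):
            return False             # malformed input does not count as an attempt
        key = (user, purpose)
        entry = self._pending.get(key)
        if entry is None:
            return False             # no code outstanding for this action/purpose
        stored, issued_at, attempts = entry
        if self._clock() - issued_at > CODE_TTL_SECONDS or attempts >= MAX_ATTEMPTS:
            del self._pending[key]   # expired or brute-forced: burn it
            return False
        entry[2] += 1                # count the attempt before comparing
        if not hmac.compare_digest(stored, code):
            return False
        del self._pending[key]       # single use: a replayed code is rejected
        return True
```

A code issued for "approve_wire" is rejected when presented for "reset_password", which is the separation the thread describes; the caller-side rule (never read a code to anyone) still applies.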


If you suspect you're talking to a scammer, the best solution is to waste their time.



