This happened to me in the 90's so not sure how possible it is today. Someone got hold of my account number - I think it was in Las Vegas when I used an ATM and didn't get the receipt, then when I realized it a couple of minutes later, walked up to get it and didn't find it. A month later at home in Austin, my ATM card was declined at the bank ATM and I was baffled because I knew I had enough money for the transaction. When I went into the branch for an explanation they told me that I had no money in my account because earlier that day someone of a different gender and race ( they had video) had used 12 different bank branches in a different city (Houston) to withdraw 2000 at a time via check. I had to a sign something that swore that I did not do that and the act was not connected to me before they would restore the stolen funds to my checking account.
I get it often with HSBC, it's really frustrating as their fraud systems seem to have only one profile of user, so if you don't fit then you'll get lots of calls from the bank. I even get them when purchasing from sites that I use regularly/semi-regularly.
I had something similar. It's not normal for me to make large purchases via my CC, but I decided to purchase a $600 television from a retail store once.
The payment was declined until I called the bank and told them I was standing in line trying to actually pay for it.
The thing is, I don't think she was able to open it for just that transaction, but instead flagged my account so that ALL large payments like that were allowed.
Which to me just seems like an outlandish shortcoming.
It reminds me of the time that some random ACH got placed on my account. They claimed they couldn't even tell me the name of the person or company who did it, etc. And this despite me having specifically requested that any ACH's placed on my account are approved personally by me.
It's actually kind of scary just how inept these banks are sometimes with respect to these issues.
I've gotten a text from my bank after my first Bitcoin purchase on a newly issued debit card, with it saying that the transaction was flagged as suspicious and I needed to verify that I was actually the one who purchased it.
My bank (well a credit union) called and asked if I really wanted to buy 4 tires. Since I was having a bit of an issue paying it without the money in my checking account, I said yes. It surprised the heck out of me too.
I've done development on these types of systems. I can't go into too much detail for obvious reasons, but your answer is yes. When the details of a transaction seem to be unusual or have an association with high risk or fraud, you'll get an email, sometimes a call, sometimes they'll immediately freeze your account.
It's a security measure to protect both the bank and the customer.
I've noticed my two banks vary wildly in how they respond to this (I'm non-US). Once I was notified that they were replacing my card due to suspected fraud only after I called them to ask why my card was being declined everywhere. The other bank disabled my card when placing an order on Doordash while in LA and I got an SMS, a notification from Apple Pay and a phone call almost immediately.
Not in those words obviously, but yes I have had numerous calls from credit card issuers during or after a large transaction. ATM cards or bank credit cards are usually tied to a bigger card issuer. These issuers have a lot of fraud prevention systems in place.
Not a phone call, but a couple of years ago I woke up to a text and a push notification from my bank (correctly) informing me that someone had used my account to pay for a hotel room and some other stuff and that they froze my account. I'm not sure if the person making fraudulent charges ever got caught, but they refunded me the money and issued me a new card, so it ended up only costing me the hour or so I had to spend at the bank that morning sorting everything out.
One time I flew to Texas and bought a camera. It wouldn't go through, I got a text alert from my bank, and I had to make the poor saleslady wait while I called the bank and walked their phone rep saying that yes, this is me, the owner of thr account and I want this camera.
The scheme is very elaborate, multi-step process so the risk is quite low. Once in motion it is nearly impossible to prevent by a bank, but it would be trivially preventable by Facebook, if they just bothered to check the url and warn if they find them suspicious.
EDIT:
BTW this shows that sites like Let's Encrypt, which automatically issue certificates to websites kind of defeat the whole purpose of certificates - they only check that the site exists and requestor has admin access to it, but do nothing to check whether it is legitimate business or scam.
A green padlock in the address bar should mean that the site is trustworthy. Now it only means that site admin knows how to setup https.
Sure, in theory, but how do you solve a problem like this in practice? What is it about a given URL that makes it suspicious?
Is there a whitelist? Because then the press and the rest of the internet will cry censorship and stifling of innovation.
Is there an algorithm? Then the scammers simply learn how to game the algorithm and defeat it easily. (This applies to some easy checks like domain registration date too.)
Is it a team of humans? That's a lot of sites and a lot of humans to employ. What about user-reports? Now you have to deal with false reporting and abuse.
While it's possible for some combination of approaches to succeed here, it's not nearly trivial.
Trustworthiness of the organization behind a site is only half the story behind TLS, if that. The most important benefit IMO of secure connections is that some unknown-unknown party can't MitM your connection and read your data or inject malicious code. Trust in the intended participants in the conversation is really a different problem.
The problem with your scenario where https===trustworthy is that it doesn't leave any middle ground for a site to simply protect its and your information. It's either full bank-site security, or none at all. That's not acceptable.
> A green padlock in the address bar should mean that the site is trustworthy. Now it only means that site admin knows how to setup https.
The green padlock means that you have a secure connection to the site you have selected to visit. We should not attempt to ascribe any other meaning to it.
The padlock (even an EV padlock) doesn't (and cannot) claim that the website is honest. It claims the website is who it says it is and that no one can intercept the communications between you two.
You are deeply mistaken on the purpose of certificates. They say that the holder of the corresponding private key is who they are say they are. DV checks the DNS name, EV checks the DNS name and the presence of a business registration with the relevant authority.
The purpose of certificates has never been a "not a scam" stamp, and no traditional certificate vendor was ever checking your business practices or legitimacy. Issuance of DV certs is just as automated at Verisign, etc.
It sounds like you fundamentally misunderstood what HTTPS certificates are for, because they absolutely do not reflect trustworthiness or "not a scam".
As an aside, it drives me up the wall that Facebook's 2FA settings are stuck on SMS. Although other options exist like a Yubikey or a TOTP scheme, even if you select one of those, Facebook still sends you a 2FA SMS whenever you try to login.
At this point I ignore it and use my TOTP app anyway, but it bothers me to no end, as it leaves my account that much more vulnerable to a hacker intercepting the SMS in transit and using it to break into my Facebook account. Facebook does not allow you to disable 2FA SMS without disabling 2FA altogether.
31 comments
[ 3.2 ms ] story [ 46.2 ms ] threadHuh? Do banks actually do that?
While I haven't experienced that personally, a friend reported getting such a call from his bank after he ordered $400 of fireworks online.
Unfortunately it's all pretty opaque and bank dependent - as far as I know, there's no way a merchant can trigger such a call, for example.
The payment was declined until I called the bank and told them I was standing in line trying to actually pay for it.
The thing is, I don't think she was able to open it for just that transaction, but instead flagged my account so that ALL large payments like that were allowed.
Which to me just seems like an outlandish shortcoming.
It reminds me of the time that some random ACH got placed on my account. They claimed they couldn't even tell me the name of the person or company who did it, etc. And this despite me having specifically requested that any ACH's placed on my account are approved personally by me.
It's actually kind of scary just how inept these banks are sometimes with respect to these issues.
It's a security measure to protect both the bank and the customer.
EDIT:
BTW this shows that sites like Let's Encrypt, which automatically issue certificates to websites kind of defeat the whole purpose of certificates - they only check that the site exists and requestor has admin access to it, but do nothing to check whether it is legitimate business or scam.
A green padlock in the address bar should mean that the site is trustworthy. Now it only means that site admin knows how to setup https.
Is there a whitelist? Because then the press and the rest of the internet will cry censorship and stifling of innovation.
Is there an algorithm? Then the scammers simply learn how to game the algorithm and defeat it easily. (This applies to some easy checks like domain registration date too.)
Is it a team of humans? That's a lot of sites and a lot of humans to employ. What about user-reports? Now you have to deal with false reporting and abuse.
While it's possible for some combination of approaches to succeed here, it's not nearly trivial.
The problem with your scenario where https===trustworthy is that it doesn't leave any middle ground for a site to simply protect its and your information. It's either full bank-site security, or none at all. That's not acceptable.
The green padlock means that you have a secure connection to the site you have selected to visit. We should not attempt to ascribe any other meaning to it.
The purpose of certificates has never been a "not a scam" stamp, and no traditional certificate vendor was ever checking your business practices or legitimacy. Issuance of DV certs is just as automated at Verisign, etc.
At this point I ignore it and use my TOTP app anyway, but it bothers me to no end, as it leaves my account that much more vulnerable to a hacker intercepting the SMS in transit and using it to break into my Facebook account. Facebook does not allow you to disable 2FA SMS without disabling 2FA altogether.