My girlfriend got hit with this one. According to her the scammer was very convincing on the phone. American accent. Empathetic tone. "Don't worry, we'll get your money back, we just need to make sure it's really you not the person trying to steal your money."
Luckily her credit union was quick to restore the funds with minimal hassle.
Don't these sorts of emails already say things like "nobody legitimate, including our employees, will ever ask you to tell them this code"? I'm not sure how to stop scams that are already only possible because of people's lack of reading.
> Ally: As Security measure, we will never ask for this number over the phone. Security code: xxyyzz. Call 1-877-247-2559 if you did not request a code.
Cap1 does this:
“Capital One won't call you for this code. The temporary code you requested to sign-in is 091657. Please use this code to complete your request.”
IIRC, there was one time I did have to verify a code over the phone, and the message that came with it was completely different.
Major ones have it, but there are thousands of banks in the US and I'd wager almost all of them provide some form of online banking experience. Outside the larger ones security isn't really up to par.
There was another one that came in between them that felt the same (language that I think of as "conversational robotese"), but appeared to be VPN phishing.
Any telco people here that can explain the technicals of how or why it’s still possible to spoof a phone number? Is this just how the whole system works?
When I use Twilio, I have to prove to them that I control a phone number before I can use Twilio make outbound calls or send SMS messages that appear to originate from my number. This suggests to me that the system is built with assumed trust, like email was originally. Is everything too ingrained at this point to add some type of authentication that would prevent this type of spoofing? Something similar to a CAA record, where the owner of a phone number could say “legitimate calls from this number will only originate from $TELCO and $SMS_PROVIDER” would be nice.
These gateway providers, in addition to simply spoofing the outgoing number, will also sell blocks of legitimate domestic numbers to the scammers- knowingly- to use for callback numbers. Truly disgusting
Not telco, so I hope there will be better answers.
Phone numbers are basically identical to IP numbers in their use, and they are declared by the emitting party. Just as you can spoof IPs in the packet headers, you can spoof the telephone number at the tranport level.
We could upgrade to more secure connections, but the whole point of using the telephone network is because of the legacy. I can't imagine a telco putting significant money into improving the network when no customer will pay more for that (right now arguably, spammers are their first class customers ).
that doesnct work for publicly available services and the initial routwr passes the traffic. This is how things like dbs and ntp amplification attacks work: you spoof your origin ip and have the server generate traffic to the targwt/spoofed ip address.
The big difference is that if you send a packet with a spoofed source IP, the reply won't get to you. The phone system allows you to set up a full two-way channel without the receiving party ever needing the correct identifier for the caller.
SS7 and TDM may be phased out but phone numbers and phone calls will still exist. It seems like the replacement protocols (SIP?) are still copying SS7 security flaws exactly, with STIR/SHAKEN as a bandaid on top instead of a fundamental fix.
Agreed. The joke is ultimately on them, though, as a new generation of people grow up and their only experience with the pstn is that every incoming call is fraudulent. What good is having a phone number at that point? It’s just a liability.
Most likely the only reason a young person will ever have to interact with the phone system is to call 911 for emergency services. Ultimately the spam problem will kill the pstn as we know it.
"A gracious hello. Here at the Phone Company, we handle eighty-four billion calls a year. Serving everyone from presidents and kings to the scum of the earth. So, we realize that, every so often, you can’t get an operator, or for no apparent reason your phone goes out of order, or perhaps you get charged for a call you didn’t make. We don’t care!"
If there was ever a public service job where I could receive scam reports, and trace every single scam text and call back to its source and take action against the gateway carriers allowing these scams to enter domestic copper, I would apply immediately. So much time, needless worry and anguish imposed on innocent people who simply want to trust a communication protocol that should be trustworthy.
Funny you mention that. I'd say based on personal recollection that in "public service" you'll likely find people in on the scams.
Former congressman from NOLA, Bill Jefferson, orchestrated scams involving securing minority-preferred business loans to found rural phone companies. Those rural phone companies would then pay him back by getting pre-arranged contracts from African countries like our phone scammer friends in Nigeria.
When hurricane Katrina hit, they found $90,000 in cash in his freezer. Was pretty close to the $100,000 in cash that the DOJ had videotaped him receiving from the Nigerian government's vice president a few days before.
SS7 was not really designed with any security. It assumed only telcos would be using it and that stopped being true in the 1980's/90's as the bar to entry for getting your own SS7 link was lowered. Even if SS7 were retrofitted to support this type of validation it would be negated by the fact that numbers are portable. A number can legally originate from anywhere. Validation will have to occur out of band by some other means or by replacing or deprecating the telco network entirely.
The authentication you’re talking about is called STIR/SHAKEN and it’s an ongoing retrofit. I will describe the status quo based on my brief time in a business VoIP form.
The concept of a “phone line” with a fixed number belongs to residential service. Pretty much any business premise has a PBX on it, and that PBX is connected to the PSTN by a bundle of circuits including some voice channels and some signaling channels. Some number of inbound numbers may be routed there. Or not! But that has nothing to do with the signaling on outbound calls.
Now for a small business it would probably be sensible to limit outgoing caller IDs to the inbound numbers routed there. In a larger business, PBXes at different sites are connected to each other by an enterprise network, and to the PSTN through different telecoms in different regions. You may have branch offices that only receive calls via the enterprise network, but make outbound calls on local transit. You may route a call from elsewhere on the enterprise network to exit to the PSTN via that branch office, for cost or redundancy reasons. That’s how Twilio itself works. Lots of IT departments have internal Twilios, in that sense.
The upshot is that you need a fairly sophisticated cross-telecom standard for establishing authorization to present a number on caller ID, and no one got around to building or driving adoption of that until pretty recently.
> Any telco people here that can explain the technicals of how or why it’s still possible to spoof a phone number?
Because couriers offer spoof calling as an under-the-table service to spam caller organizations.
I have no proof of this, but at this point in time my opinion of telcos is so low that I will assume it is happening until I find out explicitly that it’s not.
> Consumers who suffer unauthorized transactions are entitled to Regulation E protection, and banks are required to refund the stolen money. This isn’t a controversial opinion, and it was recently affirmed by the CFPB here [0]. If you are reading this story and fighting with your bank, start by providing that link to the financial institution.
Props for including this in the article! All too often the basic legal situation is never explained, leaving victims to believe that blatantly illegal crap is "just the way it is". For example, "identity theft" and fraudulent medical bills.
I recently had a weird issue: some random dude sent me $1.xx over PayPal. Naturally I refunded it and thought matter closed.
Then, some days later I got 3 more payments in similar $1.xx amounts. I refunded 2, but for the 3rd one PayPal wanted to charge some fees. At which point I just blocked the dude.
No idea if this was a genuine mistake or a scam. Anyone knows??
Not sure but I think what they want is for you to pay them $1.xx back (rather than refund). Then they can try and initiate a refund on their end, which allows them to pocket the amount you gave them for free.
I used to deal with some online merchant facilities. I used to see loads of $1.xx charges on clients that were not careful with their merchant details.
I once panicked that someone was getting ready to withdraw funds from my account because I saw those two <$1.00 auth charges. I called my bank, and they panicked, and immediately created a new account, moved the money into it, and closed the other one. Like within 5 minutes.
Turns out I forgot I told a friend to reimburse me for beers we had a few weeks before that, and his payment service was verifying my account.
Online banking and all of this digital access to my monies makes me nervous as heck. Double-edged sword. (Yes, I have 2TF hard tokens on all major accounts.)
Those are called micro deposits and are only used to verify ownership of an account you own. Your friend was incorrectly setting up an external transfer account via ACH. Next time they should use a check, zelle, etc etc.
I saw the same thing with Venmo. Someone was sending money to someone else in smallish amounts $25>. But it was being labeled as me so I would get emails of "You sent $20 to SomeBody". I told Venmo, they didn't seem to care, but I was curious about how their scheme worked. I ended up creating a Trash rule for such emails.
I had a similarly weird thing happen to me with an even weirder outcome:
I was in the Dominican Republic last year and I got a notification that someone had sent me $100 via CashApp. It wasn't a person I recognized, she looked clearly Dominican in her photo, and I presumed it was a similar sort of scam. (I assumed someone saw I had whatever "send to someone nearby" setting turned on, saw I was a foreigner, and decided to try for an easy mark).
I didn't refund it, I didn't cancel it - I just did nothing. And you know what happened?
Absolutely nothing. I waited for the phone call asking me to send the charge back. Nada. I waited for a text explaining it was a mistake. Nada.
It was over a year ago and I still have the $100. So.....maybe it was an actual, genuine mistake?
Like many scams, it depends on the victims being polite, perhaps more much than them being naive.
The fraudulent message asks for a yes or no reply but does not care about the answer spefically; only that there was an answer. So the victims are the people who couldn't ignore the message and had to say no. Most likely the people who say yes are still taken into account , because they confirmed there was a person behind the number. They'll get a new scam later on.
But the people saying no are the target.
A lot of people feel bad if they don't answer the phone, or a message, or the doorbell. So you prey on their niceness.
How to fight back? Don't. The way to defeat the scam is to not acknowledge it.
Ignore whatever primal urge you have to get involved, or teach them whippersnappers a lesson, and cast it into the void.
I agree with your point about not acknowledging these scam attempts. Just wanted to point out the "fight back" bit of the story was advice for people who've already been victimized and are being told their bank won't cover the loss.
I'd be really curious to know how many people actually answer calls they aren't expecting, on their personal phones (e.g., non-work phones where you must answer customers).
I bet that graph is U-shaped of % of people that answer unknown messages vs. age. Kids want to be social, and old people don't know any better. With salty Gen-Xers in the middle.
99.99% of the time I let it go to voicemail. I have since the days of cassette-tape answering machines. The only time I don't is if some just texted and said they are calling. Even when my insurance company hold line asks if I want a callback, I'm too paranoid that a scammer could have infiltrated the callback process.
>I'd be really curious to know how many people actually answer calls they aren't expecting
What do you do when your counterpart won't answer their phone?
I answer calls I'm not expecting when I'm expecting a call. Like from a plumber, a recruiter, a paving company, etc.
If I don't, at best I get to play phone tag, and at worst, the other person gets ticked off and I lose an opportunity. I don't like leaving voice mail, particularly the second or third time.
It would be nice if everyone legit had their main number show up to identify them, and it would be nice if they all answered their phone all day, but they don't.
I'm a Paramedic here in Northern California and we recently went on a welfare check to an apartment - us, fire dept, and law enforcement - for a family that could not get ahold of their grandmother.
Grandma was fine, fortunately, and she simply turned her phone off because it was ringing constantly with scam phone calls. She was sick of the auto warranty spam all the time, so she unplugged entirely.
The elderly are the ones that still have landlines and cell phones too, so they often get hit multiple times. It's harder for them to disconnect the landline due to things like Life Alert requiring a landline.
It was...erm...remarkable in its high production values.
Even compared to the auto warranty ones, which I don't get often, but every now and then.
I also got a "hello...hello...hello" call, and seven hangup/no message calls the same afternoon.
I assume the call I answered was a scammer, but a few months ago, I got one just like that and it turned out it was from my physician's office, and I had some trouble getting ahold of them.
> What do you do when your counterpart won't answer their phone?
I'm not sure what you mean. Like I said, if someone texts me and tells me they are calling then i'll pick up. Or if I get a voicemail saying, "duh, pick up dingus"... then i'll pick up the next buzz.
That never happens because almost no one I care about uses the phone anyway. Exvept that 0.01%.
I don't live in a big city or even in a super-internet-embracing country like for example South Korea - but even in my neck of the woods, dentists, doctors, vets, barber shops, car mechanics, contractors, etc. all have shifted to messaging instead of calling. Unfortunately most are using WhatsApp because of peer pressure. But I'll even swallow that bitter Zuckerberg pill because it's so much more convenient than doing appointments over the phone.
In my region of the US, people with appointments to come to me will sometimes text that they're on the way, which is nice.
And plenty of people have websites, but on the whole, most local business interactions start with a phone call, and usually it goes to voicemail or a receptionist, so I have to answer when they call me.
Even small time businesses have websites, but they don't do anything usually so it's clear you have to call.
Also, sometimes they try to embrace the Internet, and then they get hacked...
My primary care doctor had a patient data breach by their accountant. A different practice failed to set permissions propertly on the patient information on their portal, and never said anything to me, but silently scrapped it. A plumber that I had over once had all their client information stolen about six months later and vigorously spammed/phished.
Nobody has ever suggested WhatsApp to me. But I gather it's disproportionately popular in some countries.
I think WhatsApp is especially popular in countries where SMS messaging was the number one means to communicate before smartphones. No idea why WhatsApp in particular won the messenger race, I don't like it and think it's a bad piece of software even before Facebook bought it, but it seems to be "fun" enough for non-savvy people to try to get into it.
And it's the same here - operating their own website and handling email is too challenging for most small businesses, doctors, or contractors. But for some reason they all manage to operate WhatsApp.
I don't answer a single call unless I'm told to expect it, or I can antipate one coming (e.g. I ordered takeout and the delivery driver is gonna ping me, or I asked a recruiter to call me at X time).
If the call comes out of nowhere, or if it's from a hidden number, then I'll silence it rather than declining (i.e. hit the power button rather than actually acknowledging the call, so it carries on ringing in silence until they give up instead of being told I'm busy). If it's important they'll leave voicemail or send an email.
I don't think the issue is people being polite. It's that these messages look similar to the legitimate fraud alerts that credit card companies and banks send.
What happens if you don't respond to those? Presumably, the transaction will be blocked -- but can you be sure? It would cause me a lot of anxiety not to resolve the issue right away.
It's not about niceness. When you get a text about a potential scam there's an urgency to reply. And you can't just ignore it. All major banks send out official text messages to confirm large transactions. This has happened to me multiple times with Chase, and just recently I blocked a fraudulent ATM withdrawal using exactly the method outlined in the article (someone skimmed my debit card when abroad, I got a text from Chase when they tried to use it, I replied no, got a call from the customer service rep). Only thing missing was reading out the OTP, obviously, which I would not have done.
Last week I had to call Wells Fargo to change my home address. They texted me a code to read it back to them to confirm my identity.
Their standard text messages for auth codes say: Wells Fargo will NEVER call or text you for this code. DON'T share it. Enter code 123456 online to send $1.00.
Their verification text said: Free Msg: Use Wells Fargo verification code 123456 to verify your identity. Reply STOP to stop msgs. Call 1-800-869-3557 if you didn't request this code.
In some cases, banks have trained us not to panic instead of taking time to understand what's happening.
A while ago, I scheduled a wire transfer through Chase to go through the next day.
While asleep, I got an automated call from Chase asking me to confirm that the wire transfer was placed by me.
By the time I had woken up, my online banking and my bank cards had been shut off.
This is not consumers fault. Everyone is used to banks not being completely impatient and expecting immediate responses. For some other example, by law, you only have two days after a transaction to respond to fraud, or else you could be looking at $500 lost instead of $50. Not immediately answering the phone could make a difference of $450!
I wish there was a coordinated public service campaign around "Hang up, Look up, Call back". I feel like if we could really ingrain those 6 words that it would go a long way to blocking these types of phishing scams.
Number one thing I tell folks in my security training is to never respond or click a link on an inbound message. Instead, look up your bank or service provider and make an outbound call (or direct URL navigation) to them.
I recently heard about an incident where hanging up turned out to be more difficult than it should have been. Stay calm. Call from another phone perhaps?
If you don't have another phone would it be safe to first call some other known number and see if that goes through?
If it does, then you should be able to infer that the previous inbound call has (probably [1]) hung up, and it is now safe to call your bank.
[1] A sophisticated enough scammer could hold the line, give a fake dial tone, detect that the number you are dialing is not the bank number they expected you to dial, dial that number themselves on a different line, and relay between that line and yours to convince you that you really did have a clear line, and then keep holding the line when you then hang up and try to call the bank.
The issue I imagine here is that calling the bank can be costly both in hold time and in phone fees. If banks were able to remove this disincentive to call by ensuring that their phone lines have zero wait time, and offering to immediately call back to avoid billed-by-the-minute phone charges (or in the case that they already offer this, by making it clear to customers), then I think there’s be a larger uptake of the idea of “hang up, look up, call back”.
As it stands, I’d be afraid of needing to wait 30 minutes in hold, and getting billed 30 minutes of call time by the phone company for the privilege. I’m not from the US, so it’s possible that your banks are doing this part better than the local ones, but that’s always the worry with the phone for me.
> I’m not from the US, so it’s possible that your banks are doing this part better than the local ones, but that’s always the worry with the phone for me.
Since the person is asking about what it’s like here I’m providing that perspective. In Canada banks also provide 1800 numbers so it should generally be free. I thought Canada has mostly unlimited plans but I haven’t had a Canadian phone plan in over a decade.
While that's a real problem in general, I would think that for this particular group of people it might be less of an issue.
We are well paid, and as such majority of HN'ers should qualify for premier banking. One of the advantages in that is that you get access to quality in-house customer service, and may be able to call them directly from the banking app. (A really nice feature.) They tend to have good availability too. The plural of anecdote is not data, but I've never had to wait for longer than five minutes when I do have a problem that requires CS's involvement.
this is why I have a credit union with multiple locations nearby and they only have 1 phone number for customer service and I know it by heart, good luck scamming me over email or txt, at least when it comes to my bank account :)
It immediately eliminates anyone not thinking to spoof-call GPs small credit union. Given that most of the scammy calls I receive are about accounts with places that I don't have accounts, I don't think that level of targeting is the norm.
Obviously if your bank asks you to "verify" yourself after they've called you, it is 99% chance of being a scam and you just tell them you're going to call back and if they get desperate sounding it is 100% a scam.
A citibank security call I received impressed me, they seemed to completely understand me wanting to call back and gave me instructions to get back to them through the phone menu of the corporate line (that I looked up). Iirc it included a case id that got you right back to the same security team.
On that note, I should name and shame T-Mobile USA. They called me back after my line got disconnected and proceeded to ask security questions to verify me and pretended to not understand my concern when I said how do I know you are who you say you are. They were calling me on my T-Mobile line.
I've been called by Chase and at least one other for fraud alerts. If I recall correctly, the Chase message instructed me to call back using the number on my credit card.
It is not correct that banks will never call you in the US.
However, a bank should not ask you to verify your identity when they call you. This is the missing piece. If anyone calls me, I should not give them any information they don't already have. If they are the fraud department, they already know everything.
What are they calling about? Just curious - it seems like I’m wrong. Also maybe there is opportunity to develop some service for them so they do not need to call.
I have absolutely been called by Bank of America, both by an automated "did you really do this?" sort of fraud detection, and by a human calling to tell me my card number was known to be stolen and make arrangements.
Heck, I'm pretty sure I've gotten sales calls from them as well, though I never stay on the line long enough with those to be sure.
Same here. I also have a BoA account for most of my day-to-day stuff.
I use credit cards (in particular, an Apple Card) for almost every transaction. In fact, I seldom carry cash, which has been a problem, from time to time.
I won’t use Venmo, or PayPal with direct bank account connection. It has earned me scorn, but you really only need to have a problem once, to learn religion. I don’t use credit cards for Venmo or PayPal for cash transactions, because cash advance fees.
I always pay my account in full, every month. It also means I get Apple Cash, for a slush fund.
I do use direct bank account connection for a few things like utility bills, but that is a fairly primitive setup process, where there is no doubt about the other end. Even so, many outfits now allow bill pay, via credit card.
> The issue I imagine here is that calling the bank can be costly both in hold time
The solution to the time wastage problem is for the bank to have a better method of sending you information than random calls out of the blue. Most banks have a message center on their website, where you can see any messages waiting for you when you log in and can send messages in reply.
The tricky bit is I know some legitimate departments of my bank follow this policy -- so if they make an outbound call to me, they will trust what I say on the phone, but if I hang up and call them back, they will take down my number and call me back later.
I tried to buy something, but it was a large amount - over my normal usage. I had to call the bank, and they said "we're sending a code to your phone..." and the text message said "DO NOT share this code. We will NEVER call you or text you for it. Code xxxxxx. Reply HELP if you didn't request it."
So... they then say "what is the code?" that specifically says "DO NOT share this code". I know what's going on, mostly, but it was still confusing.
It’s worth pointing out that if you are not the one initiating the call, then this is a legitimate attack vector, and not just via SMS text message or email two factor but also any type of OTP. The attack goes like this: (1) given that the whole point of two-factor auth is to prevent access to your account in the event that your primary authentication tokens (usually a username and password) are compromised, let’s assume for this attack that a bad actor already knows your username and password. (2) the attacker calls you up and says “this is <your bank>”, then (3) the attacker logs into your account with the username and password they already know (4) this either triggers an email or text message with the second factor, or if you use a hardware token or an app then the code is available there. Either way, the attacker requests you to read back the code over the phone (5) the attacker uses this secondary code to gain access to your account, and can then take any action including changing your password and 2nd factor setup. I think this is the reason security teams set up these messages to say things like “NEVER share this code!” and the like.
It was definitely poorly written. It's correct, since they never called you, it was you who called them. But it does raise the question as to how to teach people that who initiates the contact is very important and completely changes the security analysis.
The message should have read "You were speaking to one of our agents who indicated in the last minute or so they would send you a confirmation code. The code is XXXXX. Do not give this to anyone unless you initiated contact with our bank." Or... something closer to the actual scenario as it was playing out.
Unfortunately financial companies act outside of the best practices that make it impossible for the consumer to distinguish.
After being transferred during after hours, American Express asked me for some unnecessary information and I hung up. I called back and got someone different with a local US accent and I told them what I encountered and they said that's normal (facepalm).
I called back during normal business hours and the more expected experience occurred.
Most cyber criminals have a script. They don't deviate from the script unless they think they have a potential home run. Even then, going from this to sending out fake mail correspondence... That's a whole different toolbox. 99%+ of the time they will not even consider it. Especially since it's not scalable.
I remember that scammers got in touch with my wife, trying to get personal info. It was fairly elaborate. She got a call from a man that she said had “a golden voice,” followed by official-looking mail correspondence (very quickly, which was suspicious, in itself -it can take many days for my bank to get me correspondence). They had our home phone number, her name (not mine), and address; either through public records, or via a breach (which is why “they didn’t get customer credit card info” is a worthless reassurance).
It was “Synchrony Bank,” telling her she was victim of a fraud. I contacted the real Synchrony Bank, and let them know about the fraud. The contacts stopped.
has there been a breach of credentials associated with clicking on a link and having firefox or chrome fill in your password saved from the site? i am pretty paranoid but if firefox says it's able to fill in a saved cred from this site i assume it's probably the right site. now i am paranoid enough that i don't do this for sites with a lot of downside like banking or the like... those are a strict "i'm calling the number on the back of the card or lookup the number from their website" kinda things.
Firefox/Chrome will link the saved credential to the domain name, so unless your bank lost control of its domain name, that's an unlikely attack vector. To be safe you can confirm that you're on the right site by manually looking up the domain name.
Yeah that I get but I am curious if there is a more subtle hack or technique that would bypass that somehow. like a MitM attack or something more clever.
I had a call from my bank, and they before the they could even tell me what it was about, they asked me to answer some security questions. When I pointed out out how ridiculous that was, and I asked them to prove their identity first, they didn't even have process for it. Calling back was also impossible since apparently there was no way to get connecter back to the person with whom I was speaking.
I was unable to get back in touch with them, and a week later someone else called from the bank trying to do the same, and the same thing happened again. I refused to answer their security questions and they had no way to prove their identity.
The next time they called, they didn't ask for the security questions anymore and just got to the point immediately. They have never asked for it since. I wonder if I'm flagged in their database as someone who shouldn't be asked security questions.
It looks like you didn't even try it. In order to do what the GP described, when your bank calls you, you say nothing and answer nothing. You hang up and call back on a number you know.
> Calling back was also impossible since apparently there was no way to get connecter back to the person with whom I was speaking.
You don't have to. You just ask the bank when you call them back: did someone just call me a little bit ago? What about?
If the bank can't answer that question, it's time to find another bank. Any reputable bank will be able to look at your file and see that a call was made to you and what the issue was.
> The next time they called, they didn't ask for the security questions anymore and just got to the point immediately. They have never asked for it since.
This does not look like success to me. It looks like failure. What your bank should be doing is sending you a message via some known channel--like the message center on their website, where you can see messages for you when you log in--telling you that there is an issue that you need to call them about. If you're giving information to someone who calls you out of the blue and says they're from your bank, you're setting yourself up to be scammed.
> It looks like you didn't even try it. In order to do what the GP described, when your bank calls you, you say nothing and answer nothing. You hang up and call back on a number you know.
I did do exactly that. I asked them for a reference that I could give when I call back. They couldn't give me that. I then did try to call them back, and said "someone called me about something just now, what was it?" and they were not able to tell me.
> If the bank can't answer that question, it's time to find another bank.
Thankfully, that's not my normal bank. This was the bank that has by car loan. That's my only interaction with them. It's unlikely I'll have more business with them.
> This does not look like success to me. It looks like failure.
Absolutely. This along with the other issues suggests that they value convenience over security. Also, this is not a small bank we're talking about.
I have never seen issues this bad with other banks, but the problem is that when there are banks that get away with this, that suggests people in general do not make a fuss about it and simply accepts whatever people tell them on the phone. If nothing else, it proves why phone scams work.
If the bank didn't even have an answer when I asked them to authenticate themselves, that suggests very few people even ask.
Asked who? The people who called you out of the blue and you weren't sure it was legit? I wasn't recommending that at all. I said, explicitly, that you say nothing and answer nothing when you are the recipient of the call. You only say or ask anything when you are the one who initiated the call, to a number that you already know via some other information channel belongs to the bank.
> I then did try to call them back, and said "someone called me about something just now, what was it?" and they were not able to tell me.
Did they say there was any issue with your account? If there wasn't, then that would indicate that the previous call you got out of the blue was not legit. If they weren't even able to tell you that, then yes, this sounds like a really incompetent bank.
> You don't have to. You just ask the bank when you call them back: did someone just call me a little bit ago? What about?
> If the bank can't answer that question, it's time to find another bank. Any reputable bank will be able to look at your file and see that a call was made to you and what the issue was.
That won't help: all the phisher has to do is make a call at around the same time that the legit employee called you. The person you called back would probably not be able to tell you what the call should be about anyway.
The idea is to call the institution back, often customer service, or log in to your account and check for alerts or messages. If customer support knows nothing about the contact attempt, I presume it's not legitimate.
> The idea is to call the institution back, often customer service, or log in to your account and check for alerts or messages. If customer support knows nothing about the contact attempt, I presume it's not legitimate.
And I'm saying that even if the customer support knows about the call, that doesn't mean that the next call you get in 2m from the bank is legitimate.
In all cases, anyone reaching out to you from your bank should be treated as not legitimate. The only way to do this is to call the bank yourself, and get put through to the person who wants to talk to you.
Any other way including the way you said you'd do it is vulnerable to phishing.
You're not wrong about the incoming calls, but I can't figure out who you're replying to. Nobody above you in the thread seems to be suggesting that the bank ever call you. And certainly not call again in a short time.
> I'm saying that checking with the bank doesn't indicate that a call was legitimate
If you call the bank, using a customer service number that's already known to you, either they will say there's an issue with your account or they won't. So calling them does tell you, indirectly, whether the previous call (that you hung up on and gave no information to) was legitimate or not. But more importantly, it tells you, regardless of the status of the previous call, whether or not there is an issue with your account, and that's what you care about.
Note that you never have the bank call you back in this scenario. You call them, and that's it. You don't call them and ask them to call you back.
You don't call the bank, check whether it's legitimate, then wait for them to call you again. You call, confirm that they were attempting to contact you, then complete the issue on that same call.
They wanted to tell me that I hadn't made my loan payment. They were right about it. I did miss it. I had made a larger payment a few months earlier, and I hadn't resumed regular payments.
Most banks have separate customer facing departments and back office departments that process paperwork. In the full evolution of this setup the customer facing departments are basically useless, and answer your questions by putting you on hold while calling up a back office department. Getting the actual details of some issue is like pulling teeth with these arrangements, because the front end has no domain knowledge. But every so often a person from the back office will call you to ask a question and you'll get to speak to a real human who can intelligently tell you the status of an issue. And so when you get calls like that, your choice is to either just roll with their insecure process where they want to verify you but you don't verify them, or give up getting that additional visibility and ultimately spend more time on the phone working through the front end.
You can hardly teach a large part of the population how to drive a car and use the indicators when switching lanes. How can you expect to be able to teach them security processes?
The only working approach would be to make a law that phone companies must ensure that caller numbers cannot be spoofed in any way and make them responsible for loses due to spoofed numbers.
And require that banks publish which phone numbers they call customers from (like spf is for email), and do so in a format that mobiles can use. So the mobile can show the customer "this is really your bank" or "unknown caller".
I think it will work way better when companies will plain stop calling customers at all.
As it stands now I receive ‘legitimate’ calls from a credit card company to open new options on my account. Or from my phone company to switch my plan. And the interesting part is that as it is ultimately to improve the caller’s monthly numbers, they won’t offer the same conditions online or through mail, I tried. And calling back the same person is a royal PITA. So in some cases, it costs me to not deal with transactions on the phone, inbound, from a person I need to trust to be what they say they are.
Well, my opinion is that a ridiculous root cause of all this is the lack of a central, government-supervised, secure, instantaneous, free, direct payments system. Such that all these stupid private bank-based services are attempting to fill that void and don't get it right when they do it.
Not to say that such a service would not also have vulnerabilities. But you hear about all the bounced check / advance fee / text message validation scams going on now, and you would think that the banks would want to get this liability off their hands and into a central service that they can just be rid of the responsibility. (ok, on the other hand, having an irrevocable transfer system might introduce new problems as well, but still...)
I find it unfathomable why we continue to saddle ourselves with one of the most ancient check-writing based systems in the world that people in other countries laugh at us for (or ask in puzzlement, "what is that?"), and have to make all these terrible workarounds to deal with.
This scam doesn't seem to have anything to do with actual Zelle aside from using it to enhance the social aspect of the phishing. If Zelle didn't exist, they'd use some other service that gave their scam a patina of truth.
I fell for this, and I have never fallen for a computer scam in my life, nor even had so much as a virus in the last two decades.
However, it is very sophisticated. They somehow managed to actually get a fraudulent charge on my card. When I got the spoofed message from "my bank", the first thing I did was log onto my legitimate account. Sure enough, there was a charge I did not recognize.
The rest was just a series of unfortunate "rookie" mistakes on my part. But the person who called me was highly professional, easily could have been a real customer support representative and spoke English perfectly with no accent.
They took the max, $5,000. My bank thankfully refunded it.
I always thought there was an underserved market if scammers are just filtering for gullible people. So, about time to see more sophisticated scammers casting a broader net.
You can't dispute a charge until it's posted (at least with two of my banks) and it can take up to 2-3days before a charge is posted. A charge will almost always show up immediately on my bank's website as pending.
Can't dispute until posted, and the way the scam works is they get you on the phone as quickly as they can in order to continue to the scam.
Obviously, in hindsight the correct way to handle this is to call the bank yourself. The way the scam works is they spoof your bank's caller ID, and you get a standard "do you recognize this charge? Press YES if you recognize, NO if not".
When you type NO, you get a message stating "our fraud team will be reaching out to you momentarily to resolve this issue", followed immediately by a call from a very convincing "customer support" person, again coming in as a caller ID from your bank.
At this point, I made some "rookie" mistakes as I'd mentioned, but hindsight is 20/20 in these cases where they are trying to keep you on your toes.
If we know the bank will refund through insurance than there's a second level fraud where the victim is in on it for a cut of the profits.
Essentially the theatrics of fraud is done and then victim is refunded by the bank and then secretly compensated by the "fraudster" for their participation.
I may be convinced of that kind of scam. Everyone wants to feel like they're outsmarting the system. There's so many unknowns. Will I get the partial compensation? Will the bank reimburse me? I don't know, but I can see myself doing it. That's a problem
Is asking for the texted passcode really necessary? Can't they just SS7 hack that part since all SMS is vulnerable to this? Or is it really necessary to just carry the conversation flow forward by asking the victim themselves.
"many credit unions offer it by default as part of online banking"
I remember I had to opt-in to get zelle transfers activated. Information, terms of the service, and separate activation of email/phone were done at that time just for zelle. I suppose nowadays it's streamlined... which is not so good if customers don't even know what zelle is.
I have had a crazy theory for awhile now. It goes like this…
Scammers have a do not call list. The only people on it are violent drug lords and members of congress. The first will kill them, the second will kill their business (by fixing the phone system).
My parents just got hit for a couple thousand dollars. Somehow someone got ahold of their online banking info, pulled money from a savings account to a debit card, and send the money God knows where through "Remitly", a services I've never heard of until tonight. Their bank is contacting Remitly, but they have to nuke all of their accounts and cards and start over, and they're out the cash until the bank comes through. It's really awful to see.
What's wild is my parents aren't the phishing victim types. They know about not reusing passwords, not sending passwords, not trusting phone calls, all of that good stuff. I'm really curious how they got got.
This isn’t really helpful, I know, but Remitly is a real company and I’ve met someone who worked there — it sounded pretty legit. But like with Western Union, pretty much anything that lets you transfer money internationally is prone to misuse. It sounds really stressful what your family us going through and I hope they get their money back.
Yeah, from what I could tell there wasn't much Remitly could have done to prevent this outside of like checking citizenship documents and contacting the bank. They seem legit enough.
If the bank's phone number can't be "spoofed" then it can only have 1 outgoing call at a time, otherwise, each agent will have an independent line and a unique number.
> “In the background, they’re using the username with the forgot password feature, and that’s going to generate one of these two-factor authentication passcodes,” Otsuka said. “Then the fraudster will say, ‘I’m going to send you the password and you’re going to read it back to me over the phone.'”
It seems like a simple mitigation on the bank's end would be to add warning text to the 2 factor authentication.
"You have requested to change your password via our web portal at yourbank.com. If you did not request to change your password via the web portal, or if someone asked you to give them this number, then it is possible that someone pretending to be a bank representative is attempting to hack your account. The code to change your password is ..... Do not share this code with anyone."
The 2FA messages I get from my bank are already something like "Your security code is 0123456. Do not share with anyone. We will never call to ask for this code." But it wouldn't surprise me if victims are too scared to read it properly, so some improvement could be helpful. It doesn't help that other banks regularly ask for SMS codes over the phone, entraining into people to do it without thinking.
I would personally feel a lot better if every bank had the ability to only allow 2FA via OTP, or only physical key, or even email. My bank uses a "Security Word" which is crazy to me.
The scammers get you panicked and hold you in that state so that you're stressed out and not thinking rationally.
They also exploit a small slip up and escalate it into a catastrophic one. For example the scam might start with the assumption that caller ID is accurate, or the assumption that because there is fraud on your account the person is actually from the "fraud department", or the assumption that hanging up a landline terminates the call.
Each of those are small slipups, but they get people bought into the fiction, and then as the scam escalates they don't stop and think through the sequence and realise that the initial assumption was flawed.
Note that, in this case, the SMS code is not a second factor. It is a single factor that is enough to get full control of the account.
Besides that, I think you are right. Binding 'signatures' to what you are authorizing is one of the ways to prevent your authorization from being re-used. There are parallels in cryptography where you sign not just data but also what it will be used for.
Otherwise an attacker might reuse your signature.
Whenever I log into my mobile account I get the following texts 2 minutes apart, doesn't matter if I'm doing a SIM swap or just checking the bill.
"SECURITY WARNING The one-time code you requested will arrive shortly. DO NOT give this code to anyone. If someone's calling you and asking for a code, they DO NOT work for O2. Call us on 202 if you suspect fraud so we can protect your account."
"Be alert to fraud NEVER share this code, including with O2 staff. Help us protect your O2 account. To swap your sim, enter code 123456."
I’m confused about this. What’s the target here? It’s shady/weird to want to use Zelle, but couldn’t this have been a legit person wanting to use Zelle?
Yes. But if they have the cash and bank hours are open, why not just get the cash out?
I even offered to meet them at the bank. They were scamming.
The target is the unaware seller, who has no recourse when the funds magically disappear from their account. They are out whatever goods they had for sale.
It is not typical to take down the license plate or copy the drivers license of someone buying something from you.
Circle that bit of advice around Regulation E folks. (Not a lawyer but I have had a lot of experience citing Regulation E on behalf of various folks. It, unsurprisingly, works the way that regulators say it does.)
242 comments
[ 2.7 ms ] story [ 273 ms ] threadLuckily her credit union was quick to restore the funds with minimal hassle.
> Ally: As Security measure, we will never ask for this number over the phone. Security code: xxyyzz. Call 1-877-247-2559 if you did not request a code.
IIRC, there was one time I did have to verify a code over the phone, and the message that came with it was completely different.
There was another one that came in between them that felt the same (language that I think of as "conversational robotese"), but appeared to be VPN phishing.
When I use Twilio, I have to prove to them that I control a phone number before I can use Twilio make outbound calls or send SMS messages that appear to originate from my number. This suggests to me that the system is built with assumed trust, like email was originally. Is everything too ingrained at this point to add some type of authentication that would prevent this type of spoofing? Something similar to a CAA record, where the owner of a phone number could say “legitimate calls from this number will only originate from $TELCO and $SMS_PROVIDER” would be nice.
Twilio is doing their own enforcement to help their reputation.
https://www.justice.gov/opa/pr/district-court-enters-permane...
Phone numbers are basically identical to IP numbers in their use, and they are declared by the emitting party. Just as you can spoof IPs in the packet headers, you can spoof the telephone number at the tranport level.
We could upgrade to more secure connections, but the whole point of using the telephone network is because of the legacy. I can't imagine a telco putting significant money into improving the network when no customer will pay more for that (right now arguably, spammers are their first class customers ).
There is not much motivation to fix PSTN (and cell networks that rely on or emulate PSTN) as it's being phased out. So things move slowly.
If they were this would have been solved yesterday
Most likely the only reason a young person will ever have to interact with the phone system is to call 911 for emergency services. Ultimately the spam problem will kill the pstn as we know it.
From the 1976 SNL sketch, starring Lily Tomlin. [1]
[0] https://i.imgur.com/VDdfwNQ.png
[1] https://vimeo.com/355556831
Former congressman from NOLA, Bill Jefferson, orchestrated scams involving securing minority-preferred business loans to found rural phone companies. Those rural phone companies would then pay him back by getting pre-arranged contracts from African countries like our phone scammer friends in Nigeria.
When hurricane Katrina hit, they found $90,000 in cash in his freezer. Was pretty close to the $100,000 in cash that the DOJ had videotaped him receiving from the Nigerian government's vice president a few days before.
https://www.nola.com/news/article_ed0819a4-9aab-5510-b68c-41...
The concept of a “phone line” with a fixed number belongs to residential service. Pretty much any business premise has a PBX on it, and that PBX is connected to the PSTN by a bundle of circuits including some voice channels and some signaling channels. Some number of inbound numbers may be routed there. Or not! But that has nothing to do with the signaling on outbound calls.
Now for a small business it would probably be sensible to limit outgoing caller IDs to the inbound numbers routed there. In a larger business, PBXes at different sites are connected to each other by an enterprise network, and to the PSTN through different telecoms in different regions. You may have branch offices that only receive calls via the enterprise network, but make outbound calls on local transit. You may route a call from elsewhere on the enterprise network to exit to the PSTN via that branch office, for cost or redundancy reasons. That’s how Twilio itself works. Lots of IT departments have internal Twilios, in that sense.
The upshot is that you need a fairly sophisticated cross-telecom standard for establishing authorization to present a number on caller ID, and no one got around to building or driving adoption of that until pretty recently.
Because couriers offer spoof calling as an under-the-table service to spam caller organizations.
I have no proof of this, but at this point in time my opinion of telcos is so low that I will assume it is happening until I find out explicitly that it’s not.
Props for including this in the article! All too often the basic legal situation is never explained, leaving victims to believe that blatantly illegal crap is "just the way it is". For example, "identity theft" and fraudulent medical bills.
[0] https://www.consumerfinance.gov/compliance/compliance-resour...
Then, some days later I got 3 more payments in similar $1.xx amounts. I refunded 2, but for the 3rd one PayPal wanted to charge some fees. At which point I just blocked the dude.
No idea if this was a genuine mistake or a scam. Anyone knows??
Turns out I forgot I told a friend to reimburse me for beers we had a few weeks before that, and his payment service was verifying my account.
Online banking and all of this digital access to my monies makes me nervous as heck. Double-edged sword. (Yes, I have 2TF hard tokens on all major accounts.)
I was in the Dominican Republic last year and I got a notification that someone had sent me $100 via CashApp. It wasn't a person I recognized, she looked clearly Dominican in her photo, and I presumed it was a similar sort of scam. (I assumed someone saw I had whatever "send to someone nearby" setting turned on, saw I was a foreigner, and decided to try for an easy mark).
I didn't refund it, I didn't cancel it - I just did nothing. And you know what happened?
Absolutely nothing. I waited for the phone call asking me to send the charge back. Nada. I waited for a text explaining it was a mistake. Nada.
It was over a year ago and I still have the $100. So.....maybe it was an actual, genuine mistake?
The fraudulent message asks for a yes or no reply but does not care about the answer spefically; only that there was an answer. So the victims are the people who couldn't ignore the message and had to say no. Most likely the people who say yes are still taken into account , because they confirmed there was a person behind the number. They'll get a new scam later on.
But the people saying no are the target.
A lot of people feel bad if they don't answer the phone, or a message, or the doorbell. So you prey on their niceness.
How to fight back? Don't. The way to defeat the scam is to not acknowledge it.
Ignore whatever primal urge you have to get involved, or teach them whippersnappers a lesson, and cast it into the void.
I bet that graph is U-shaped of % of people that answer unknown messages vs. age. Kids want to be social, and old people don't know any better. With salty Gen-Xers in the middle.
99.99% of the time I let it go to voicemail. I have since the days of cassette-tape answering machines. The only time I don't is if some just texted and said they are calling. Even when my insurance company hold line asks if I want a callback, I'm too paranoid that a scammer could have infiltrated the callback process.
What do you do when your counterpart won't answer their phone?
I answer calls I'm not expecting when I'm expecting a call. Like from a plumber, a recruiter, a paving company, etc.
If I don't, at best I get to play phone tag, and at worst, the other person gets ticked off and I lose an opportunity. I don't like leaving voice mail, particularly the second or third time.
It would be nice if everyone legit had their main number show up to identify them, and it would be nice if they all answered their phone all day, but they don't.
Grandma was fine, fortunately, and she simply turned her phone off because it was ringing constantly with scam phone calls. She was sick of the auto warranty spam all the time, so she unplugged entirely.
The elderly are the ones that still have landlines and cell phones too, so they often get hit multiple times. It's harder for them to disconnect the landline due to things like Life Alert requiring a landline.
There going to be areas where coverage is poor, but for many people, working out of the home is going to be a considerable improvement.
It was...erm...remarkable in its high production values.
Even compared to the auto warranty ones, which I don't get often, but every now and then.
I also got a "hello...hello...hello" call, and seven hangup/no message calls the same afternoon.
I assume the call I answered was a scammer, but a few months ago, I got one just like that and it turned out it was from my physician's office, and I had some trouble getting ahold of them.
I'm not sure what you mean. Like I said, if someone texts me and tells me they are calling then i'll pick up. Or if I get a voicemail saying, "duh, pick up dingus"... then i'll pick up the next buzz.
That never happens because almost no one I care about uses the phone anyway. Exvept that 0.01%.
Right, even 80-year-olds can text these days. You're talking about personal friends who almost never call from unknown numbers.
But with professionals? Would you miss an appointment for a root canal or spend an extra day without your car because you won't answer the phone?
And plenty of people have websites, but on the whole, most local business interactions start with a phone call, and usually it goes to voicemail or a receptionist, so I have to answer when they call me.
Even small time businesses have websites, but they don't do anything usually so it's clear you have to call.
Also, sometimes they try to embrace the Internet, and then they get hacked...
My primary care doctor had a patient data breach by their accountant. A different practice failed to set permissions propertly on the patient information on their portal, and never said anything to me, but silently scrapped it. A plumber that I had over once had all their client information stolen about six months later and vigorously spammed/phished.
Nobody has ever suggested WhatsApp to me. But I gather it's disproportionately popular in some countries.
If the call comes out of nowhere, or if it's from a hidden number, then I'll silence it rather than declining (i.e. hit the power button rather than actually acknowledging the call, so it carries on ringing in silence until they give up instead of being told I'm busy). If it's important they'll leave voicemail or send an email.
The bonus of it only ringing for your contacts is that when your phone does ring, you know it's something relatively important.
Completely changed my relationship with my phone.
What happens if you don't respond to those? Presumably, the transaction will be blocked -- but can you be sure? It would cause me a lot of anxiety not to resolve the issue right away.
This is the real red flag here. No workflow that I'm aware of ever has you read a one-time code to a human, it only ever goes into a text field.
Their standard text messages for auth codes say: Wells Fargo will NEVER call or text you for this code. DON'T share it. Enter code 123456 online to send $1.00.
Their verification text said: Free Msg: Use Wells Fargo verification code 123456 to verify your identity. Reply STOP to stop msgs. Call 1-800-869-3557 if you didn't request this code.
If I place a large wire with my bank, they text me a code and ask me to read it back to them. Granted, I will only do that if I initiated the call.
A while ago, I scheduled a wire transfer through Chase to go through the next day.
While asleep, I got an automated call from Chase asking me to confirm that the wire transfer was placed by me.
By the time I had woken up, my online banking and my bank cards had been shut off.
This is not consumers fault. Everyone is used to banks not being completely impatient and expecting immediate responses. For some other example, by law, you only have two days after a transaction to respond to fraud, or else you could be looking at $500 lost instead of $50. Not immediately answering the phone could make a difference of $450!
Number one thing I tell folks in my security training is to never respond or click a link on an inbound message. Instead, look up your bank or service provider and make an outbound call (or direct URL navigation) to them.
https://bc.ctvnews.ca/beware-of-the-delayed-disconnect-phone...
https://security.stackexchange.com/questions/100268/does-han...
If it does, then you should be able to infer that the previous inbound call has (probably [1]) hung up, and it is now safe to call your bank.
[1] A sophisticated enough scammer could hold the line, give a fake dial tone, detect that the number you are dialing is not the bank number they expected you to dial, dial that number themselves on a different line, and relay between that line and yours to convince you that you really did have a clear line, and then keep holding the line when you then hang up and try to call the bank.
As it stands, I’d be afraid of needing to wait 30 minutes in hold, and getting billed 30 minutes of call time by the phone company for the privilege. I’m not from the US, so it’s possible that your banks are doing this part better than the local ones, but that’s always the worry with the phone for me.
> I’m not from the US, so it’s possible that your banks are doing this part better than the local ones, but that’s always the worry with the phone for me.
Since the person is asking about what it’s like here I’m providing that perspective. In Canada banks also provide 1800 numbers so it should generally be free. I thought Canada has mostly unlimited plans but I haven’t had a Canadian phone plan in over a decade.
We are well paid, and as such majority of HN'ers should qualify for premier banking. One of the advantages in that is that you get access to quality in-house customer service, and may be able to call them directly from the banking app. (A really nice feature.) They tend to have good availability too. The plural of anecdote is not data, but I've never had to wait for longer than five minutes when I do have a problem that requires CS's involvement.
https://symantec-enterprise-blogs.security.com/blogs/threat-...
Ehh that doesn’t change anything as far as having to call back. CallerID is trivially spoofed everywhere.
When I initiated a wire transfer, my bank did call me to confirm it.
What's worse, when I called back, I didn't reach the same department and it took half an hour to sort it through.
It was all legit, but was indistinguishable from a scam attempt.
It is not correct that banks will never call you in the US.
Heck, I'm pretty sure I've gotten sales calls from them as well, though I never stay on the line long enough with those to be sure.
I use credit cards (in particular, an Apple Card) for almost every transaction. In fact, I seldom carry cash, which has been a problem, from time to time.
I won’t use Venmo, or PayPal with direct bank account connection. It has earned me scorn, but you really only need to have a problem once, to learn religion. I don’t use credit cards for Venmo or PayPal for cash transactions, because cash advance fees.
I always pay my account in full, every month. It also means I get Apple Cash, for a slush fund.
I do use direct bank account connection for a few things like utility bills, but that is a fairly primitive setup process, where there is no doubt about the other end. Even so, many outfits now allow bill pay, via credit card.
The solution to the time wastage problem is for the bank to have a better method of sending you information than random calls out of the blue. Most banks have a message center on their website, where you can see any messages waiting for you when you log in and can send messages in reply.
What bank doesn’t have toll free dialing numbers, and what voice plan in 2021 doesn’t have unlimited voice calling minutes?
It’s impossible to implement good user behavior when the banks themselves are wildly negligent.
So... they then say "what is the code?" that specifically says "DO NOT share this code". I know what's going on, mostly, but it was still confusing.
After being transferred during after hours, American Express asked me for some unnecessary information and I hung up. I called back and got someone different with a local US accent and I told them what I encountered and they said that's normal (facepalm).
I called back during normal business hours and the more expected experience occurred.
Even if some transactions is suspicious they tell me to call them.
But but it'll filter out most of such scams which are "online-only".
It was “Synchrony Bank,” telling her she was victim of a fraud. I contacted the real Synchrony Bank, and let them know about the fraud. The contacts stopped.
A letter can be discussed with friends and family. It's much easier to dismiss without a con artist whispering in your ear.
The lesson in these times is don’t answer your phone… the phone companies are completely overrun.
I had a call from my bank, and they before the they could even tell me what it was about, they asked me to answer some security questions. When I pointed out out how ridiculous that was, and I asked them to prove their identity first, they didn't even have process for it. Calling back was also impossible since apparently there was no way to get connecter back to the person with whom I was speaking.
I was unable to get back in touch with them, and a week later someone else called from the bank trying to do the same, and the same thing happened again. I refused to answer their security questions and they had no way to prove their identity.
The next time they called, they didn't ask for the security questions anymore and just got to the point immediately. They have never asked for it since. I wonder if I'm flagged in their database as someone who shouldn't be asked security questions.
It looks like you didn't even try it. In order to do what the GP described, when your bank calls you, you say nothing and answer nothing. You hang up and call back on a number you know.
> Calling back was also impossible since apparently there was no way to get connecter back to the person with whom I was speaking.
You don't have to. You just ask the bank when you call them back: did someone just call me a little bit ago? What about?
If the bank can't answer that question, it's time to find another bank. Any reputable bank will be able to look at your file and see that a call was made to you and what the issue was.
> The next time they called, they didn't ask for the security questions anymore and just got to the point immediately. They have never asked for it since.
This does not look like success to me. It looks like failure. What your bank should be doing is sending you a message via some known channel--like the message center on their website, where you can see messages for you when you log in--telling you that there is an issue that you need to call them about. If you're giving information to someone who calls you out of the blue and says they're from your bank, you're setting yourself up to be scammed.
I did do exactly that. I asked them for a reference that I could give when I call back. They couldn't give me that. I then did try to call them back, and said "someone called me about something just now, what was it?" and they were not able to tell me.
> If the bank can't answer that question, it's time to find another bank.
Thankfully, that's not my normal bank. This was the bank that has by car loan. That's my only interaction with them. It's unlikely I'll have more business with them.
> This does not look like success to me. It looks like failure.
Absolutely. This along with the other issues suggests that they value convenience over security. Also, this is not a small bank we're talking about.
I have never seen issues this bad with other banks, but the problem is that when there are banks that get away with this, that suggests people in general do not make a fuss about it and simply accepts whatever people tell them on the phone. If nothing else, it proves why phone scams work.
If the bank didn't even have an answer when I asked them to authenticate themselves, that suggests very few people even ask.
Asked who? The people who called you out of the blue and you weren't sure it was legit? I wasn't recommending that at all. I said, explicitly, that you say nothing and answer nothing when you are the recipient of the call. You only say or ask anything when you are the one who initiated the call, to a number that you already know via some other information channel belongs to the bank.
> I then did try to call them back, and said "someone called me about something just now, what was it?" and they were not able to tell me.
Did they say there was any issue with your account? If there wasn't, then that would indicate that the previous call you got out of the blue was not legit. If they weren't even able to tell you that, then yes, this sounds like a really incompetent bank.
> If the bank can't answer that question, it's time to find another bank. Any reputable bank will be able to look at your file and see that a call was made to you and what the issue was.
That won't help: all the phisher has to do is make a call at around the same time that the legit employee called you. The person you called back would probably not be able to tell you what the call should be about anyway.
And I'm saying that even if the customer support knows about the call, that doesn't mean that the next call you get in 2m from the bank is legitimate.
In all cases, anyone reaching out to you from your bank should be treated as not legitimate. The only way to do this is to call the bank yourself, and get put through to the person who wants to talk to you.
Any other way including the way you said you'd do it is vulnerable to phishing.
I'm saying that checking with the bank doesn't indicate that a call was legitimate, so there's no point in checking with the bank.
If you call the bank, using a customer service number that's already known to you, either they will say there's an issue with your account or they won't. So calling them does tell you, indirectly, whether the previous call (that you hung up on and gave no information to) was legitimate or not. But more importantly, it tells you, regardless of the status of the previous call, whether or not there is an issue with your account, and that's what you care about.
Note that you never have the bank call you back in this scenario. You call them, and that's it. You don't call them and ask them to call you back.
How does the phisher have information about what time the bank is calling?
You shouldn't have to get back to that exact person. Just their department.
Hopefully, this particular experience is rare, but the fact that it can happen at all is somewhat concerning
The only working approach would be to make a law that phone companies must ensure that caller numbers cannot be spoofed in any way and make them responsible for loses due to spoofed numbers.
And require that banks publish which phone numbers they call customers from (like spf is for email), and do so in a format that mobiles can use. So the mobile can show the customer "this is really your bank" or "unknown caller".
As it stands now I receive ‘legitimate’ calls from a credit card company to open new options on my account. Or from my phone company to switch my plan. And the interesting part is that as it is ultimately to improve the caller’s monthly numbers, they won’t offer the same conditions online or through mail, I tried. And calling back the same person is a royal PITA. So in some cases, it costs me to not deal with transactions on the phone, inbound, from a person I need to trust to be what they say they are.
https://scaminvestigations.substack.com/p/better-than-the-ma...
Not to say that such a service would not also have vulnerabilities. But you hear about all the bounced check / advance fee / text message validation scams going on now, and you would think that the banks would want to get this liability off their hands and into a central service that they can just be rid of the responsibility. (ok, on the other hand, having an irrevocable transfer system might introduce new problems as well, but still...)
I find it unfathomable why we continue to saddle ourselves with one of the most ancient check-writing based systems in the world that people in other countries laugh at us for (or ask in puzzlement, "what is that?"), and have to make all these terrible workarounds to deal with.
However, it is very sophisticated. They somehow managed to actually get a fraudulent charge on my card. When I got the spoofed message from "my bank", the first thing I did was log onto my legitimate account. Sure enough, there was a charge I did not recognize.
The rest was just a series of unfortunate "rookie" mistakes on my part. But the person who called me was highly professional, easily could have been a real customer support representative and spoke English perfectly with no accent.
They took the max, $5,000. My bank thankfully refunded it.
I always thought there was an underserved market if scammers are just filtering for gullible people. So, about time to see more sophisticated scammers casting a broader net.
Obviously, in hindsight the correct way to handle this is to call the bank yourself. The way the scam works is they spoof your bank's caller ID, and you get a standard "do you recognize this charge? Press YES if you recognize, NO if not".
When you type NO, you get a message stating "our fraud team will be reaching out to you momentarily to resolve this issue", followed immediately by a call from a very convincing "customer support" person, again coming in as a caller ID from your bank.
At this point, I made some "rookie" mistakes as I'd mentioned, but hindsight is 20/20 in these cases where they are trying to keep you on your toes.
https://www.fcc.gov/call-authentication
https://docs.fcc.gov/public/attachments/DOC-363399A1.pdf
It's given me an interesting idea.
If we know the bank will refund through insurance than there's a second level fraud where the victim is in on it for a cut of the profits.
Essentially the theatrics of fraud is done and then victim is refunded by the bank and then secretly compensated by the "fraudster" for their participation.
I may be convinced of that kind of scam. Everyone wants to feel like they're outsmarting the system. There's so many unknowns. Will I get the partial compensation? Will the bank reimburse me? I don't know, but I can see myself doing it. That's a problem
I remember I had to opt-in to get zelle transfers activated. Information, terms of the service, and separate activation of email/phone were done at that time just for zelle. I suppose nowadays it's streamlined... which is not so good if customers don't even know what zelle is.
Scammers have a do not call list. The only people on it are violent drug lords and members of congress. The first will kill them, the second will kill their business (by fixing the phone system).
What's wild is my parents aren't the phishing victim types. They know about not reusing passwords, not sending passwords, not trusting phone calls, all of that good stuff. I'm really curious how they got got.
I feel like this is a solvable problem. Don't allow anyone to spoof the caller ID. Ever.
If the bank's phone number can't be "spoofed" then it can only have 1 outgoing call at a time, otherwise, each agent will have an independent line and a unique number.
It seems like a simple mitigation on the bank's end would be to add warning text to the 2 factor authentication.
"You have requested to change your password via our web portal at yourbank.com. If you did not request to change your password via the web portal, or if someone asked you to give them this number, then it is possible that someone pretending to be a bank representative is attempting to hack your account. The code to change your password is ..... Do not share this code with anyone."
I would personally feel a lot better if every bank had the ability to only allow 2FA via OTP, or only physical key, or even email. My bank uses a "Security Word" which is crazy to me.
They also exploit a small slip up and escalate it into a catastrophic one. For example the scam might start with the assumption that caller ID is accurate, or the assumption that because there is fraud on your account the person is actually from the "fraud department", or the assumption that hanging up a landline terminates the call.
Each of those are small slipups, but they get people bought into the fiction, and then as the scam escalates they don't stop and think through the sequence and realise that the initial assumption was flawed.
Besides that, I think you are right. Binding 'signatures' to what you are authorizing is one of the ways to prevent your authorization from being re-used. There are parallels in cryptography where you sign not just data but also what it will be used for. Otherwise an attacker might reuse your signature.
"SECURITY WARNING The one-time code you requested will arrive shortly. DO NOT give this code to anyone. If someone's calling you and asking for a code, they DO NOT work for O2. Call us on 202 if you suspect fraud so we can protect your account."
"Be alert to fraud NEVER share this code, including with O2 staff. Help us protect your O2 account. To swap your sim, enter code 123456."
No way a fake banker can get you to sign a nonce for them using your private key.
This seems great but there’s value in these transfers as well.
I had a pair of Apple Watches I was selling and someone wanted to use Zelle to pay for them.
No one has ever wanted to pay for a p2p transaction with me using Zelle.
I said since they had the money in the bank, they would just need to pull it out on the way over. (It was still during banking hours)
They wouldn’t do it. Kept pushing Zelle as a safe way to send money.
By targeting people who will trade real items for Zelle transfers, it doesn’t matter if the compromised account owner gets their cash back.
I even offered to meet them at the bank. They were scamming.
The target is the unaware seller, who has no recourse when the funds magically disappear from their account. They are out whatever goods they had for sale.
It is not typical to take down the license plate or copy the drivers license of someone buying something from you.
It seems to me that SMS codes are much more often abused like this than other second factors are.