560 comments

[ 2.9 ms ] story [ 342 ms ] thread
Easy way to avoid this: don't answer the phone
I think the movie was Phone Booth that begins with the line

"A ringing phone demands to be answered"

Technology projects a form of authority (disconnected from any real power) in the same way that written words were synonymous to truth for illiterate 13th century peasants.

To follow your logic, which I am not criticising as it's a valid approach given how dysfunctional cellphones are as trustable systems, I would say it's better not to have a phone. But there's the road to living in a woodland shack and eating spider and squirrel broth.

The rule in our family for a number of years now has been, "If the number is not in your address book, let it go to voicemail." We have the landline ringer off and always let it go to voicemail. As an 80/20 solution, it's been remarkably effective so far.
The scammer spoofed the wells fargo customer service line in caller ID though.
This is a perfect case of iatrogenic security. When the systems get so complex and remote that security experts are caught out, they do more harm than good.

It's also a consequence of solutionism, systematic monotonicity, mother-knows-best and externalising costs such that we:

Only add more security solutions on top of existing ones to fix their holes.

Deny the user any choice or agency in setting their own security terms

Never revoke or remove a feature (that would be admitting defeat)

Push the burden in every process on to the user

Create fear in the user - that any misstep will cause them more inconvenience and trouble.

Make security an authoritarian culture such that user will not question or be sceptical.

All of these are antithetical to civic cyber-security that we need available so educated and empowered users can operate technology under their control.

I nearly got taken by a scammer because Amazon transferred me to one. I purchased a set of Reolink cameras on Amazon, (they've been great) one of them failed a couple months in. I contacted Amazon customer support (via my Amazon login and in their interface) and they wanted to troubleshoot with their technical team. Eventually the (very helpful) Amazon technician suggested contacting Reolink for support and started a 3-way call. The "Reolink" technician got my phone number and then said they wanted to call me back.

They called me back a minute later (now without Amazon recording the conversation) and asked me for my NVR's serial number so they could connect to my NVR. I was shocked they had a backdoor into my NVR but I figured I'd let it play out. A minute later the technician said that he was having trouble connecting because "an internet virus is corrupting my firewall". I was extremely confused and thought it must be a translation problem. Until he kept insisting it was a problem and became belligerent and angry. He said I needed to pay $300 to have an on-site technician troubleshoot the problem. I got angry because he was making some weird excuse for their camera not working, and wanting to charge me rather than just ship me a replacement. I refused and he started mocking me. I demanded his manager and he ignored me. Eventually I hung up and called Amazon back.

The Amazon technician was helpful and shipped me a replacement. I contacted Reolink via email to complain about their technician. They responded that they have no on-site technicians and that it was a scam!

I was blown away that Amazon would transfer me to a scammer. I contacted Amazon again and let them know what had happened. Hopefully they will figure out how their guy got this scammers phone number and teach him how to find a 3rd party phone number...

> I was blown away that Amazon would transfer me to a scammer. I contacted Amazon again and let them know what had happened. Hopefully they will figure out how their guy got this scammers phone number and teach him how to find a 3rd party phone number...

1) Amazon is complicit in shady behavior on their platform, whether it's inventory commingling, sketchy sellers repurposing existing, well-reviewed listings for a totally different product or those bribing customers to leave good reviews with gift cards or free stuff.

2) The tech support number could very well be provided by the seller, and you could've bought the camera from a listing from said seller instead of the real Reolink (if the "real" Reolink even sells on Amazon to begin with). Maybe tech support scammers are now using this as a new lead-generation tactic ("legitimately" sell a high-maintenance product but scam anyone that calls for support?).

Yep. Amazon gets a cut and they act like it.
This is quite a jump to conclusions. The alternative theory of the customer service rep googling a phone number and getting the wrong one is far more likely. Or, it's possible that the company's own seller login was compromised and a scammer changed their contact number.

The idea that a wildly successful multi-billion dollar company would actually set up such an easily-noticed system where they "get a cut" of phishing scams is outlandish.

> The alternative theory of the customer service rep googling a phone number and getting the wrong one is far more likely.

Their support staff is that reckless and Amazon has no training and other systems in place to prevent that? Your theory doesn’t paint them in any better light.

it's far more believable than amazon being in cahoots with scammers. whether you think this is "better" or "worse" wasn't really part of the discussion
I don't think the "cut" implies they are in on some phishing scam. It's saying they take a cut of all volume, so even volume that's harmful to consumers is hardly worth Amazon's attention (as is evidenced by the obviously massive economy of systematic scamming that happens via Amazon, all of which, again, they get a cut of).
Haha no, when I picked it I had no idea of the connection. I just like Dr. Steve Brule (“Tim and Eric Awesome Show, Great Job!” and “Check it Out! With Dr. Steve Brule”
Well. Not directly. But same outcome. No actual conspiracy or collusion necessary.

Amazon profits so much that they're content to eat the rampant fraud and waste, than to run a proper legit market place.

It’s pretty shocking but most IP cameras can be accessed with nothing more than their serial number. Here’s a somewhat recent DefCon talk about it: https://m.youtube.com/watch?v=Z_gKEF76oMM

I use Reolink cameras, in the admin interface there’s an option called UID. Turning that off (theoretically) disables the backdoor. I have my cameras and NVR (which is actually just a python script on an old laptop that uses ffmpeg to capture streams) on their own airgapped lan so I don’t have to worry about blackhats or the ccp using backdoors to watch my kids.

Well, most IP cameras cannot be accessed this way when you look at the global pool of IP cameras. However many on them on Amazon, particularly from OEM companies like Reolink that are more of a custom relabeller vs. a real camera manufacturer have all kinds of backdoor access methods.

Best practice is to put your IP cameras on a separate isolated network, connected to a dual-NIC recorder/PC running trusted software (eg: not some random DVR/NVR on Amazon) for recording and viewing. This is not a perfect solution, but it at least takes you far away from the path-of-least-resistance pool of devices with weak cybersecurity that are prone to various exploits.

Can't you just use VLAN tagging and firewall rules?
You sure can. And as a result you will get...

> a separate isolated network

They specifically called for dual-NIC.
As an extension of their suggestion. There’s no mystery here.
Yes, of course. Though most people who understand that are already doing things to mitigate exposing these devices to open internet access. My comment was targeted more towards anyone who might not have considered the risks, or might not be comfortable with virtual segmentation vs. physical segmentation.
And this is why my reolink cameras are on a subnet without access to the internet. The only thing it can reach is my home assistant and open source NVR.
This internet of things future is frightening. I don't feel comfortable buying any new product.
Best practice is to remember that intelligence means optimizing for some state of the world. If you have a "smart" product, it may not be optimizing for your preferred state of the world. Most commonly, it's not even optimizing for its manufacturer or vendor's preferred state of the world, because we don't truly know how to design a specific intelligence yet.

Our best efforts are just kind of putting in some objectives and hoping they don't get goodharted too badly.

that number 2 is some next generation criminality there!
If you watch Jim Browning or some of the other people that investigate such scams you'll realize that it's not just a couple of idiots in a boiler room; those operations have all the hallmarks of a legitimate company including layers of management, offices, them having meetings to discuss new scam strategies/etc and the scammers being actual "employees" on a standard (low) wage + commission, so I definitely wouldn't be surprised if something like this would happen especially if they've already got a network of local accomplices to launder the stolen money that can easily be repurposed to sell products at cost (in fact that could also be used to launder money, win-win situation right there!).
> Amazon is complicit in shady behavior on their platform

Bought some wireless earbuds a while back, they sent me a horrible knock off. Contacted the store, he said the delivery guy made the switch, took forever but sent me new ones. Left a review stating all of this and warning users not to buy from this sketchy store, my review never saw the light of day.

None of my negative reviews about scammers have ever been approved by Amazon. I have just started taking my business elsewhere.
Man that annoys me so much, in my case it was a silent removal. You're not aware that your review was removed.

The things I don't buy from Amazon Prime really anywhere are replacement batteries.

At this point I only really buy things from Amazon that are essentially fungible. Cables, adapters, toiletries, tools, none of these matter enough to me to care about exactly what I get, as long as it’s roughly what’s in the picture, and to be honest they’re not even worth counterfeiting.

For everything else there’s rarely a reason to not buy directly from brands or niche specialist retailers. Customer support is typically better, warranties are often better, repair processes are better, and that’s not to mention the issue of counterfeiting.

Toiletries? You trust Amazon to not swap out your lotion with a cut-rate adulterated copycat?
These are things that don't really matter to me, the point is that I don't really care if they get switched for "cut rate", I'm practically buying the cut-rate version already. That's what Amazon is good for.
Amazon filter out those sort of reviews "because theyre not about the product but the supplier". Of course, they don't make it easy to report the supplier.

I've bought ssr relays rated at 40A, with the actual picture of the real product shown. What I got was a fake that was literally an electrical fire waiting to happen. Maybe my complaint to support actually made it to the supplier, because they Photoshop blurred the product picture listing so the real brand name was obscured. Still had phony specs though.

(comment deleted)
I got bitten by this bundle of reviews thing. Amazon was made available in my country some time ago. I went on there to buy video capture device to help convert my parents old tapes to video. I found the device listing I was looking for, with good reviews. Placed my order.

Then a counterfeit showed up, completely different from the spec sheet and the image on the listing.

I filed a complaint, but they wouldn't give me my money back unless I paid to ship it back to half way across the continent, where they sent it from. Despite them just sending me a piece of electronic waste rather than the real product. Nor would they do anything about the listing.

Never looked back at their scam website again.

Disputing the transaction with your card issuer is the only answer companies will understand. The company wins as long as more users eat the losses (essentially giving Amazon free money) than those actively fighting for their money back.
I’ve done this before and it worked for me. Can’t say it will always go so smoothly though
I bet your Amazon rep just searched for Reolink and clicked on a Google ad that happened to belong to the scammers.
Well this initiated a rant, not directly related to ads, but Google in general. This is an internet literacy issue I’ve noticed more and more. People will refer to Google listings as an authoritative source even if the data comes from some third party.

“Is this Jordan’s Tiles?”

“No. This is Patrick. You have the wrong number.”

“It says on their website this is the number!”

“Their website is wrong, this isn’t Jordan’s Tiles.”

more argument with me just hanging up because they’re clueless (someone even had the audacity to ask me what the number was for Jordan’s Tiles like I’m their personal assistant)

And finally I went on Google and searched for Jordan’s Tiles. There my number was on the listing and on a third party source. The right number was on the lower ranking Jordan’s Tiles website. They were so argumentative about being so wrong, it was outside of their ability to understand that the internet can and does give you the wrong information.

I've had that happen to me as well - person finds a wrong number online someplace, calls me, and then is mad at me that I am not who they are looking for...go figure.
Had this happen to me when I was in IT. I got a cold transfer of an angry customer who wanted to talk to a guy who had a very similar name. I told the customer that they wanted the other guy, I was in the wrong department, and they wouldn’t believe me. They said “I know it’s you from yesterday, I recognize your voice!” How was I supposed to argue against that?? Eventually I convinced them and did a warm transfer to the correct guy. We do have similar voices…
"Call Google. Ask for Sundar."
(comment deleted)
Yeah, you hear about this with the people who get taken in by Grubhub or whoever that's spoofing a restaurant's phone number/ordering site. I would never take a third-party source as authoritative, but apparently people do it.
I never take restaurant phone numbers directly off of Google, I always check their (hopefully existent) website before calling, or at least crosscheck it against other sources. There is no way Grubhub or any of the other mediating greedholes will get even Caller ID data from me if I can help it.
Wait until you find out that Grubhub and ilk have been known to prop up fake websites for places.
Go to the right address in person. If you have no real-life connection with the restaurant, or any restaurants, give up and take what you get.
When a small guy does something like this it's called fraud and heavily punished. When a VC-funded company does this it's called "growth hacking" and applauded.
Grubhub et al promoting their own phone number as a restaurant's is exactly what I'm talking about.
Related. Finding real locksmiths has become so difficult that I have resorted to calling a business across the street and asking them to tell me if there is, in fact, a locksmith at the purported location.

Maybe there is a business in physically verifying a given business is the actually the real thing.

KeyMe are one of the perpetrators of this shady practice. They have vending machines for keys and put them all over the place and then their machines show up when you search for a locksmith. If you call the number their rep will act as middleman to connect you with an actual locksmith and they take a cut.

I've decided I will do my searches through https://www.findalocksmith.com/ which is from the associated locksmiths of America

Google used to send a postcard to a business address before adding a listing (in UK at least). Do they not do that now?
Apple Maps from my experience is quite bad about this. I know of one city where it happily provides the locations of four DHL counter locations even though there is only one. Numerous other store locations on Apple Maps also often do not exist, so however they are sourcing their data is full of errors or outdated information.
Wrong opening hours on Google is a niggle for me. And having been on the other side of the equation, changing the hours Google says a business is open is not always straightforward.
My friend booked one international flight with departure and destination having 12+ hours timezones difference. The email listed the departure time & duration of journey and arrival time, all in local times (as expected). Gmail auto creates an event about flights and hotel bookings, and thus shows the correct departure time, duration & then that AI simply added that duration to departure, and showed departure city's time flight lands. Wrong. My friend, no blame, believed it; until I pointed it out.
i'm confused, what's wrong there? event starts at departure time and goes for duration. the arrival time is correct, and can be reported in any time zone.
Sorry for not being detailed in my comment. Or i might have butchered. I will simply explain with numbers.

Email said, flight departs 31st March 9pm.

Flight duration 15 hours.

Flight reaches Apr 1st. 9pm. No indication of timezones, but as super common in flights, all times are local. Both cities have about 12 hour difference.

Google thought Departure 31st March (correct);

Duration 15 hours (correct).

Arrival Apr 2nd, 12pm. (Not correct, it added 15 hours duration to Arrival city time. Apr 1 9pm + 15 hours = this).

Honestly, how do you know what the right number is though? Everybody outsources their stuff. The real website is at jordans-eatery.outsourcedsite.com. Or maybe the guy at jordans-eatery.seo.com is taking calls and placing orders to the real site at a markup. Or maybe the real number is on jordans-eatery.com. Or maybe it's none of those.
Easy, go to the restaurant in person and order takeout or dine in if you want. On your way out ask them what their official website and phone number are. Then you can put them on your "safe to order from' list
I order all the time from a restaurant with a distinctive name and menu near me. They might have their own website, but their real website is one of these outsourced menu ordering things.

Last time I went to order, I looked up their name, went to the page by that name on the known third party menu site, ordered my usual order from their usual menu, only to discover after the charge went through that a scammer had copied their name and entire menu onto a new restaurant on the same site.

Called immediately to cancel the order (why doesn't the site have that option??) and the woman on the phone feigned ignorance. A few minutes later a gruff man called me back and told me I wouldn't be getting a refund. Not sure what I said to convince him, but maybe enough threats and he decided to change his tune.

The scammers are running the asylum.

Sure, and I agree that this is really the only way, but also isn't super practical for a lot of things.
I think this might just be a people thing? I've had the same experience (some one calling for the YMCA, I inform they have the wrong number, they proceed to argue and berate me) but they probably just misdialed.

Not that I don't also feel like Google search results have gone down hill.

“It says on their website this is the number!”

"What do you think is more probable: that the website is wrong or that I don't know who I am?"

That is one of those situations where the right move is to leave an uncomfortable silence so they can think about what they said.
I responded with almost that word for word once on one of these calls. They made some angry sounds and hung up!
You should have spun up gour own tile business, preferably just dropshipping from the real Jordan’s Tiles!
The SEO thing sucks, I notice it like if you're trying to find a tow truck, it'll be some call center that then directs you to an actual tow truck nearby with their cut added to your cost.
Not an isolated incident. My mother was transferred to an Amazon employee who tried to scam her as well. This was years ago, and I reported it to Amazon. No idea what eventually happened, but I was shocked that they'd be so brazen about committing fraud as an actual employee.
I'm blown away that Amazon has phone support! I had no idea!
They don't make it as easy to call as they did in the past though.
Lots of call centers get targeted with this type of scam. I think it's because call center employees are so poorly treated and compensated that it's appealing to join the scam. I've seen the same exact thing happen with QuickBooks support. The actual agent you're speaking with gives your contact info to the scammer who calls you back.
I've never seen this before but I imagine the call center employee has a lot more to lose being a part of fraud than the scammer who isn't legitimately employed and can't be found. Doesn't seem likely.
Amazon today is a street side flea market. You really don't know what you'll get. I've started ordering more stuff from traditional retailers. Their online operations these days are really good, and at most a few dollars more than Amazon. Clothes from macys.com, home goods from homedepot.com and target.com, and so on. You're not flooded with choices with these stores that are mostly garbage, instead you get only 1-3 choices that are reputable.
These days I'll order certain things from Wal Mart if I'm wary of what I see on Amazon.
I think ordering on amazon has become a little like getting your car towed.

Towing companies appear to be a large shell game where your $200 tow is handled my one or more middlemen who eventually get some poor independent towtruck driver to tow you for $75

Amazon should do something that would allow partnering with decent brands. Customers would be happy, brands could keep their reputation, amazon could get a reasonable cut, and they would still sell stuff via flea-market brands and the made up word-salad amazon brands

Tow drivers make a lot of money. They do a lot of subcontracting and mutual aid type arrangements.
Towys in my country are usually connected to some kind of mafia. Never met an altruistic one like like matts offroad recovery in my travels.
Same here (Western Australia) and it's closer to $2500 than the $200 mentioned above.
The only time I had my car towed was in Devon, SW England, in 2020. I hit a pothole and blew out a tyre. The company that towed my car took it to their workshop, and took me to my hotel. The next day I spoke to them to organize getting a pair of new tyres. That was a challenge because I had winter tyres on as I was intending to return to Norway before the spring and no one stocks winter tyres in Southern England. It took them another two days to get the tyres. They charged me for the tyres and fitting and that was it, no charge for the ten mile tow.
I'd like to see an economist's view on how the free market is failing here, and what we can do about it.
I'd say it's working just fine, by causing people to switch away from using Amazon. Amazon continued to lower their brand's quality and as the name becomes less and less trusted, their products are worth less and less.
Is that actually happening though? I know there's lots of anecdotes around here, but there are still many people using Amazon frequently. I wonder if their numbers have actually gone down
Your regular reminder that theoretical free market assumes perfectly rational and informed consumer, no lies and no misleading or withholding information

In other news a car has infinute milage on a frictionless surface in a vacuum

First imagine a spherical cow...
Most people are still happy to shop with Amazon despite it's failings. I'm sure Amazon has analyzed the data and are coming out ahead.
I mean, roughly, there's no such thing as an ideal free market, and in all real markets all the ways in which it's not an ideal free market are being exploited by people to collect the margin. The concept of an ideal free market is promulgated by the same people who are making money off those margins.

As far as what you can do about it, you could start with preventing those people from interacting with markets. I leave the mechanism as an exercise for the reader.

A free market would first require getting rid of all forms of power and so far there have been people who thought about minimizing the most impactful sources of power and pretty much all economists ignore them.

What we are doing is the equivalent of looking at a warped mirror e.g. a non free market and declaring that the reflections are not distorted e.g. a free market.

A lot of people are scared of living on the streets or feel shame from living off welfare. There is no way these people are going to make long term decisions if their short term needs haven't been met or there is a constant risk that they won't be met tomorrow.

This is actually one of the more disgusting parts of Austrian economics. Where a low time preference is basically considered the equivalent of a high IQ. If you have a high time preference you must be some dumb consumerist animal, when the truth is that you barely earn enough money to meet your living expenses which means 100% of your spending must go to consumption. Thirst is more urgent than hunger which is more urgent than shelter which is more urgent than social needs and so on. At some point you are not longer hungry or homeless. The urgency is gone. It would be more accurate to say that time preference is a function of wealth and having your needs met, rather than some intellectual jerk off competition where stupid people are filtered out and smart people end up with all the wealth.

You might enjoy “The Market for Lemons” by the economist George Ackerlof [0]. It fits people’s descriptions of what’s happening with Amazon.

His idea was: buyers don’t know if a car is good and the risk of getting “a lemon” (a bad car) reduces how much they’re willing to pay. That means sellers reduce the quality of what they’re selling or leave the market. After a while the quality degrades so much that buyers notice and want to pay even less. Eventually the market is 100% lemons.

The paper was controversial when it was published in the 1970s, but helped kick start research into “information asymmetry” and the potential for market failure.

[0] https://www.sfu.ca/~wainwrig/Econ400/akerlof.pdf

This sounds familiar to my used car shopping experience a few years back. Went to see at least 20 private party sellers over a period of a few weeks and most were junk, bought by shady dealers at used car auctions. And their prices were well above the blue book for excellent condition, despite the cars being fair at best. I did manage to find some actual private sellers, and ended up with something I like and still drive now, but it required a lot of time and determination. I can understand why some people would just go to a lot and drive off a couple hours later
What free market? There is no such thing.

I honestly just see a regular capitalistic market, where a company is trying to make money at the expense of other companies. By that I don't mean Amazon is outcompeting retailers and pushing them out the market. I mean Amazon is actively causing damage to well known brands by letting scammers sell those branded products to promote their own AmazonBasics brand which is free of scammers.

Even if the scams are unintended, there is no profit incentive to get rid of them.

This seems to be the classic underdog problem. The traditional retailers that you like today will become third party marketplaces tomorrow if they grow. So the issue is that we only get good service from underdogs and it is destined to fail once the underdog is not an underdog anymore.
That doesn't follow. Just because an online retailer grows it doesn't mean they have to start allowing third-party sellers. In fact, seeing what is happening to Amazon's reputation, that seems like a bad long term move.

Short termisum might win out, but it is not a foregone conclusion.

The mechanism is the managers that take over at companies who focus on the short term bottom line (trimming support today, to juice profits tomorrow, to lose credibility years down the road after the bonuses have long landed in their bank account).

And the problem is that Amazon's growth profile (retail-side anyway) is going to be pretty constrained going forwards because they own too much of the available pie right now. So the result is that managers are going to have to look for other ways to trim costs to make numbers.

If you're starting from 0.001% of the retail market and trying to grow 10x it is much easier to do that just by having really good customer service.

"short term bottom line" is a comically absurd way to describe Amazon, which has been growing consistently for 25 years.
This comment is peak short-termism! It is comically absurd to refer to 25 years as a long time!

There are companies that have been around for 300 years, in fact prior to rise of venture capital moat companies were multi-generational family business and you would consider how a decision would reflect on your children.

The professional management class in America no longer remotely behaves that way.
I'm talking about the prospects for growth in the next 25 years, not the last 25 years.
I agree it's not a foregone conclusion, but it's also not far fetched. That's what happened to newegg. They tried to turn into an amazon and now I have a hard time trusting them.
> Just because an online retailer grows it doesn’t mean they have to start allowing third-party sellers.

Why do you believe this? Not one of the top 10 online retailers in the US doesn’t have third party sellers. It appears to be the case in practice that growing does require opening the doors to anyone and everyone, which obviously increases the scale of business a retailer can offer. There are both reasons and evidence to suggest third party sales are what it takes to grow to even one hundredth the size of Amazon.

> seeing what is happening to Amazon’s reputation, that seems like a bad long term move.

This seems like a big assumption. There is a very long list of corporations and monopolies with relatively bad reputations that are doing just fine and have for a long time. Reputation isn’t a good measure for the success or future prospects of a company, once it gets large enough.

Except Amazon started as a third-party marketplace. This isn't *new*, some of us just have really short memories. For the first several years the only first-party sales they did were in books (and not all books on the store even at the beginning). They've expanded into other first-party categories, but there are much fewer first-party categories than people assume. (And always have been.)

The big thing that changed isn't the third-party marketplace on Amazon, it's that they increasingly and intentionally blurred the lines between "third-party" and "second-party" marketplaces. Any third-party that uses "Fulfilled by Amazon" logistics (warehouses, shipping) just about gets automatically upgraded in the Amazon user experience to "second-party" even if Amazon has no deeper working relationship with the third-party than "Fulfilled by Amazon".

Some of that intentional blurring of the lines is also questionably Dark Patterns intentionally designed to confuse consumers in just exactly what categories Amazon supports directly (first-party) and which ones are third-party, and more importantly which ones are first-party usually versus third-party today (such as sold out goods). They want to give consumers the illusion of an "everything store" that is never out of stock. That's never the practical reality, and the illusion may be evil from the perspective of shadily pushing consumers to unvetted third parties due to Dark Patterns that back that illusion.

Ordered some things from walmart.com, half of it was third-party sellers. They were sort of transparent about it, though, and the quality was at least what I'd expect from inside a Walmart.
Agreed. Last example was LED grow light I purchased and description said had a grounded plug. When it arrived there was only a 2 prong plug. I’m weary of everything I buy there now and try find a manufacturer direct order when possible. Fulfilled by Amazon should read as a warning sign.
Just FYI weary = tired … wary = suspicious.
thank you for letting me know I hate to use words incorrectly
FWIW I'm weary of everything I buy
> Amazon today is a street side flea market. You really don't know what you'll get.

There are two time when I will use Amazon nowadays:

1) If there is an official store there

Anker is a good example of this. It seems like Amazon doesn't commingle inventory if there is an official store.

2) If I want something faster than Alibaba/Aliexpress

Quite often I can find the exact Chinesium equivalent on Amazon and I get the benefit of returnability if what is advertised is completely out of whack.

This has to be costing Amazon money, but, it's their funeral.

> It seems like Amazon doesn't commingle inventory if there is an official store.

Is there any confirmation of this? I've seen assertions both ways.

No. Amazon doesn't commingle inventory when... the manufacturer doesn't sell through any other channels, so there is no one to commingle with.
As I understand it, Amazon charges a fee to avoid commingling. Any seller can pay it and have their items isolated.
Yep. I've been ordering from Target, Best Buy, and Walmart much more often these days. I just assume the product descriptions and reviews on Amazon are all lies.
Interesting. I would have lumped them all together. Why do you trust reviews on Target but not Amazon?
Target and Walmart take online returns at their stores, which no one in the supply chain likes. They will take bad suppliers to the woodshed if too many returns of an item. Hence they have skin in the game to carry quality products
I didn't say I trust reviews on Target. Paid reviews exist everywhere. But if I have to choose, I'd trust Target's first. Amazon's extensive 3rd party marketplace is set up in a way that encourages vendors to game their system. Amazon does nothing about it because it's good for business.

And I trust Target's products are genuine and what you receive is what's in the product description, because they sell them in stores.

Target and Wal-Mart also sell third party shit. It's easier for me to just buy directly from brands I like, or to shop for them on a couple outlet sites I trust (so far) to sell legit (overstocked or lightly damaged) top-quality stuff and not lower-quality second- or third-tier versions (as some outlet stores do), than figure out how to avoid or disable displaying third party sellers on a bunch of different sites.

By the time you factor in the time and frustration for that, any savings (which isn't even guaranteed) doesn't look like great ROI anyway. Plus, even Amazon often won't carry the full range of a brand's products, so I get more options shopping this way.

Best buy is filled with 3rd party sellers too but it's at least very easy to filter them out. If I could do the same on Amazon I wouldn't have any problem with 3rd party sellers, but they instead make it almost impossible to know even if you check manually.
That and Amazon commingles their inventory with 3rd party inventory, which can sometimes be counterfeit. And Amazon doesn't care if the counterfeit products are mixed in with the genuine products in their warehouses. As far as I know, Best Buy/Target/Walmart don't commingle their inventory with 3rd parties because they have physical stores that they can pull from.
True. But stores like Target also let you see inventory in physical stores, so it's easier to purchase an item you know is coming from a Target store/warehouse than a 3rd party.
As someone who has contributed legitimate reviews on Amazon, I think "all lies" is a bit of an exaggeration.
Do they still allow listing different products on the same page, with the same reviews?

You can read reviews for a whole different model of headphones or kettle, for example, but what you get is another, (usually) cheaper model/revision. Which is insane!

Negative reviews are silenced. I ordered a machine with missing parts such that it couldn't be assembled. I gave a 1-star review and it never appeared on the seller's page.
God I wish walmart’s site was better, it is like punishment shopping there, why does home depot outclass them in every way?
I thought Jet.com acquisition would solve this. What a waste.
It is pretty bad. They're my last resort.
(comment deleted)
Reason #99,999 that I don't use Amazon anymore. Just buy stuff in-person, pay the shipping, wait the week, or whatever. You'll be fine I promise.
Stuff in person costs 2X the price though. Especially bike parts.

It's often cheaper to buy from Amazon but never go through troubleshooting support. Always return or replace.

If that doesn't work, give a 1 star review, wait for the seller to come chasing you with a gift card in return for 5 stars. Change it to 5 stars, spend the gift card, and then change it back to 1 star.

(comment deleted)
As someone why buys a lot of cycling parts online, there are many mom/pop bike shops with web storefronts, that are very reasonably priced and often include "free" shipping. Stop giving bezos your money, you have no excuse.
Yeah.. lots of people keep repeating "but its expensive out of amazon!" and they never tried. Sure, you can find cheaper products on Amazon, but once you start looking around, it's definitely not always the case. But people are lazy, they get multiple amazon packages a week, and love to complain about Bezos but do nothing about it.
I bought a book on Amazon in 2005, it came (weeks) late, i complained, got sent another, ended up receiving 2 books. It was my last purchase from Amazon. Since then, the only time i see Amazon is on the backend of a scammer. Amazon in my opinion, in every sense, a scam itself.

First off, its just morphed from a book store into a upper class ebay. Alibabba became the chinese ebay. I'll pay that drop shipper the money, i got no problem with the conveince they give but realistically whats the point of going through 3 middle men when i can wait an extra week and limit that to 0 or 1.

Reality check:

I'm not exactly rich. When I'm a millionaire I'll happily support LBS.

Until then Amazon helps me save a shitton of money.

I got a pair of Continental GatorSkin tires from Amazon for 30% less than LBS just 2 weeks ago. And yes, I called LBS and checked the price.

Your local shop isn't the only option. The first online retailer (above Amazon in my Google search result) is €3 cheaper than Amazon, shipping included.

https://www.amazon.de/-/en/C1010429-P-Continental-Gatorskin-...

https://www.bike24.com/p2195136.html

+19.99 EUR and 10-14 days to ship to the US. Not cheaper.

Not to mention maybe another $150 in Uber rides waiting 14 days instead of 1 day for it.

Also Amazon gives me 5% cashback too so that also needs to be factored into all prices.

I used two European sites, since my comparison was obviously for delivery to somewhere in Europe (Denmark, in my case).
Ah okay, I though it was because these particular tires are in fact made in Germany ;)

But yes I think in Europe small businesses are much more of a thing. In the US it's very hard to get a better deal than from Amazon and these big companies, especially because they can super-optimize the supply chains across such a big country. Same is true in China.

Amazon is expensive. I once got an Amazon gift card and the first thing I told the person that gave me the card is that I will spend 20-30€ more on Amazon than on any other site.
As someone in Europe, Amazon would be the last place for me to look for bike parts. We have so many great options, including huge online retailers (Bike24, bike-components, bike-discounts, just to mention a few), all of which I've ordered many times from, and was pretty much always happy. Local bike shops may be more expensive, but then you support your folks, which might come in handy later, when you need servicing for something that you don't have the tools for...

The thing with bikes and bike parts is, details matter, two seemingly similar looking parts might be completely different, and there are many small parts that have many options (length, material, color, thread type etc). So unless you really know what you are doing, it's very easy to mix things up - that is true for the consumer too, of course :) Any non-bike-specific webshop is doomed for this reason, except for some special items, eg. eletronics.

One thing I noticed is that these days there are more and more small shops that are legit online, they may not be offering small parts, but I bought a bike from one such shop 2 years ago, and it was heavily discounted, the bike was exactly what they said it would be, it was in stock and was shipped within a week to another EU country no problems.

The reason I buy on Amazon is that finding anything you wouldn't see in a typical department store from somewhere else online takes a bit of effort; and it's an additional effort to gain some confidence that the "somewhere else" won't scam me, sign me up for even more spam, etc.

If there were some reliable meta-shopping site that aggregated trustworthy vendors, I would use that--but I can't see how to build one that wouldn't have all the problems of Amazon in the best case; and all the problems of wish.com in the more likely case.

It's really hard recognizing the image Amazon have in the US compared to my personal experience with amazon.de . The service is stellar, shipping both ways is free as long as you buy products covered by prime. Refunds are with no questions asked (as long as you don't start abusing it i guess). As soon as you go into 3rd party sellers the experience gets muddled, though I've had plenty of good experiences with those as well. There's simply nothing here in Europe that gets even close to what Amazon offers. I really really hope it will never be like the horror stories i see here on HN.
My US based Amazon experience is like yours with fast shipping and easy refunds/exchanges, so don't lose hope. I guess with 100e6 or so customers, there are bound to be some bad experiences.
Amazon US used to be as you describe. But now its mostly just cheap knockoff stuff. I hardly purchase there anymore. Its really sad because they used to have such a wide selection.
> just cheap knockoff stuff.

By that you mean overpriced dropshipping from aliexpress.

Everything I've seen on AliExpress has a 30-60 day delivery window. Amazon gets it there within a couple days. I don't mind paying a couple extra bucks to get something in 2 days vs 60. And that's not really drop shipping anyway.
Where do you shop instead?
Locally mostly. Also, surprisingly on walmart.com.

Edit: Also from manufacturers' websites.

>" The service is stellar, shipping both ways is free as long as you buy products covered by prime. Refunds are with no questions asked"

This is my exact experience in Canada so far. But they did something else weird. I wanted to buy Google Store gift card from Amazon and as soon as I made the purchase my account was suspended. It had taken me few hours including lengthy phone call to sort things out. I was told that gift cards are widely used in fraud. Sure, whatever but then why FFS they sell those?

shipping both ways is 100% not free in canada. I went to price match a power supply I had just purchased and they said they don't price match. I said no worries since it's unopened I'll return it and buy it again and they quoted me $30 shipping to return it. I had prime and it was a prime item.

I've also reported businesses who sneak 'give us a 5 star review and we'll give you $30' cards into their parcels and amazon did absolutely nothing.

Amazon is amazing until you realize it isn't. I got rid of prime and suddenly I found myself spending less money on junk because I wasn't incentivized to get junk by the prime membership. If I have to wait to have enough stuff for free shipping minimums I can wait enough to look locally and 1/2 the time I can find it locally for similar cost and the other 1/2 it turns out I never needed it just wanted it.

Highly recommend getting rid of prime and taking a couple months off ordering anything from them - you'll find out not only is amazon not worth it, they're easily replaced.

>"shipping both ways is 100% not free in Canada."

It is free for what I order.

>"suddenly I found myself spending less money on junk"

I do not buy "junk" just what I really need (mostly for business), so do not have this problem. I buy some things locally as well but it is not my goal to favor either.

>"Highly recommend getting rid of prime"

I am very service averse person and am trying to use as little as possible. My phone for example does not even have data plan. If I do use some however (Amazon in this case) it means I need it as it saves me money / time whatever.

>It is free for what I order.

I thought that too until suddenly it wasn't.

>it means I need it as it saves me money / time whatever.

Only you know your balance book I guess

I dislike Amazon but yes, my experience in what you have outlined is that it's generally amazing.

The parts that aren't amazing is getting items that aren't representative of what I ordered. But refunding is always a breeze when that occurs.

My problem is that it shouldn't be a thing that happens so often (to me). I shouldn't be shipped shoes of the wrong size 3 times before I get shoes of the size I ordered. I shouldn't be buying open box items without being told it's open box. I shouldn't be buying things with the completely wrong thing in them.

Now, all of these can be problems with big box retailers. But the sheer frequency it happens to me on Amazon - it's never happened at this frequency to anyone I know when we would shop in store. Yes, my friend once bought a graphics card at Fry's that just contained a box of rocks. But that was one friend, one time. I've had more of these issues on Amazon, the last ~7 years, than I have for all shopping experiences everywhere else that I've ever shopped combined.

I think it's selection bias. People with a bad experience with Amazon are more likely to dive into it here. And dive they do, nearly any time Amazon is mentioned. Even in a thread about Wells Fargo we somehow get sidetracked into "Amazon just sells counterfeit garbage".

Out of the thousands of items I've bought through Amazon, I think maybe one set of Henckels steak knives might be counterfeit (I've ordered two sets of the same knives and they were noticeably different - both seem high quality though).

I try my best to not buy from third party sellers. Then I occasionally get surprised that I am buying from a third party seller. So I simply stopped because the perceived risk is too high. Amazon is overpriced anyway so why bother buying from them?
If you buy Amazon basic brand items you don’t have to worry. And the Amazon basic products are generally really high quality, from clothes and more high end niche items to daily necessities, Amazon basics items are best in class. People who complain about Amazon are usually buying crappy items from dodgy vendors, and then they idiotically blame Amazon.
Except it's almost impossible for the majority of customers to distinguish between the 'good' sellers and the 'bad' sellers, and we shouldn't pretend this isn't a deliberate effort on Amazon's behalf. Not only do Amazon often make it onerous to find out who is in fact selling an item, they also:

1) Co-mingle the inventory of multiple sellers in their distribution centers, so even if you buy from a good vendor you've used in the past, you still might end up with garbage from a shady vendor. 2) Allow widespread and rampant review manipulation / botting across every product category on the site, making it even more difficult to distinguish 'dodgy vendors' from so-called good ones. 3) Allow vendors to BRIBE customers with things like free items or amazon credits for 'organic' reviews, again, making it a Sisyphean task for most customers to find reputable vendors.

> and then they idiotically blame Amazon

This a callous and inane assertion. If a customer buys something from Amazon's website, and pays Amazon, and Amazon emails them a receipt, and Amazon delivers the product, the customer has every right to blame Amazon if the product they receive is crap. I'm frankly flabbergasted that you somehow think it is the fault of the customer.

> And the Amazon basic products are generally really high quality, from clothes and more high end niche items to daily necessities, Amazon basics items are best in class.

This reads like ad copy to me -- Amazon basic products are fine, but they certainly are not 'best in class' or 'very high quality'. Amazon doesn't even go that far (they items are literally called 'Basics'.). Furthermore, if the only thing a customer can feel confident purchasing on Amazon is a Amazon Basic items, it kind of defeats the point, doesn't it? There are not Amazon Basics versions for most product categories on the site, and the allure of Amazon is that you can get anything you want from one vendor, delivered quickly (A to Z).

(Not to mention, I've seen a lot of cases where Amazon Basic items are clones/knock offs of well-reviewed, high volume products designed and manufactured by third party companies. Amazon then copies these products and promotes its own listings, which isn't exactly the most ethical practice IMO)

“Amazon then copies these products and promotes its own listings”

…for the consumer’s benefit. It’s a win/win.

They are one our best companies. From the climate change perspective alone, think of how much better off we are, as a planet, thanks to Amazon. People are appallingly ungrateful. And the criticism is typically something along the lines that he allows too much freedom (“they let anyone sell stuff, even chinese vendors gasp) or oddly, they complain about logistical efficiency (“eww commingling! I would never!” as they clutch their pearls), when it’s acthually exactly what other retailers do. If people were so worried about their packets commingling we wouldn’t have the internet, the us postal service would stop functioning if mail didn’t get commingled. Commingling is good, progressive.

Using this logic, you could quickly dismiss all criticisms of any company. It's not a very compelling argument, especially because no one is arguing that individual, atomic, anecdotal comments describing negative experiences with Amazon represent a statistically significant evaluation of Amazon as a company.
> There's simply nothing here in Europe that gets even close to what Amazon offers.

I strongly prefer bol.com. No idea if they ship abroad, though.

I wouldn't be surprised if Amazon is more strict in Europe because their behavior from the US would get them in legal trouble here.
Maybe that, to some degree. But amazon.de has a lot of problems, too.

There are a lot of fishy listings, but it's also often quite easy to detect those fishy offers, because the German text is usually full of grammar and spelling errors, and often obviously a result from Google translate, and often not even fully translated, with larger parts still in (shoddy) English. Outright counterfeit products seem to be somewhat rare still, at least from what I observed, but there is quite a number of low quality knockoffs.

Or e.g. multiple journalists reported on review-rigging operations - usually organized through whatsapp, and using regular folks for a few bucks as "mules", to get some coveted "verified buyer" reviews. Or bait-and-switch listings, where they had an original listing which gathered some good/ok reviews, and then they repurpose that listing for another product, while keeping their stars.

Or e.g. there was a report about one guy who got like 10 - 20 packets a day with junk he never ordered, every day, over months. Apparently some shady sellers got hold of his info, and were using him as a "garbage bin" for excess stock[0]. While he wasn't charged for any of the products or shipping, he still ended up in a situation where his door bell rang a few times a day, and he ended up throwing away most of the stuff, having to properly dispose of it. And when contacted, amazon just told him to throw away the stuff he doesn't want. It's unlikely he was the only involuntary garbage bin victim.

[0] It wasn't clear why they did that. Maybe to inflate sales numbers to get higher ranked in the amazon search? Or because just shipping it through amazon to some random people might be cheaper than just keeping that stuff in the amazon warehouse or disposing of it properly?

Honestly maybe you just have a better detector than most.
I don't agree. It's extremely obvious when a listing on Amazon.de is sketchy because the German used is quite bad compared to normal listings.

I'm also quite skeptical of most positive reviews, because it's a known problem in Germany too. I don't think most people are aware of that though and still believe high ratings still mean anything.

As a prime member in the US, your description more closely matches my experience with Amazon than the negative reviews here. I don't know if it's the way I shop or maybe I'm easier to please, but I really don't get it when people complain about counterfeits or poor quality experience with Amazon.

I only purchase items that have prime shipping, and that have free returns in case something is wrong. 99% of the time their delivery estimation is accurate, usually within 48 hours of my order or less. If something is broken or I simply don't like it, I return it for free at any one of several places within a 10 minute drive of my house: Whole foods, ups store, or Kohl's. And there's no rush - I have a full month to return the items and the refund is issued before I even get back home after dropping off the item.

Amazon hasn't been usable in a long time for me. It takes more time to find non-counterfeit/trash products than it's worth.
> The Amazon technician was helpful and shipped me a replacement.

Considering they have a backdoor, why did you want a replacement instead of a refund?

Had they actually had a backdoor, I would have unplugged it from the internet. Clearly the scammer did not have a backdoor.
> I was blown away that Amazon would transfer me to a scammer

You shouldn't be. The amazon store's core business model is allowing scammers to sell garbage to unsuspecting buyers.

Do you know if the original order was from Reolink? If I had to guess, that may have been a questionable reseller, I've seen several cases in which it looks like you're ordering from SomeCorp as fulfilled by Amazon but once you get into the actual order process it shows up as some other seller that was in the "Buying Options" list.

Definitely sketchy behavior on Amazon's part, never dealt with the selling side there so no idea if this is sellers gaming Amazon or just awful market platform in general.

Given how many fake products amazon sells and intermingles with legitimate products, it isn’t at all surprising that they forwarded you to a scammer. They just don’t care about protecting their customers, apparently.
They don't care about protecting third party brands. They will definitively make sure their Amazon Basics products are free of scams.
For me it’s less about them not caring about third party brands, and more about them not caring about protecting their customers from scams and fakes.
Apparently Amazon sells smart home lights from China that will not work if they can’t connect to their home servers in China. Be careful out there…
Slightly OT but I swore off Reolink because as late as two years ago they still required a Flash plugin before you could view camera captures in a web browser. I think they've finally fixed that, but the utter cluelessness of requiring Flash in 2020 left a bad taste in my mouth.
Keep in mind some manager 1000% got promoted for introducing this “innovative” feature.
It sounds like you bought a product not sold by Amazon and got transferred to the company in question.

Don't buy 3rd party products sold on Amazon. I always tell people this. They ignore me and then stories like yours pop up.

NOTE: This applies to prime items as well. Amazon's vetting services for 3rd party sellers is nonexistent. I could literally sell you dog shit right now; with no verification I even exist. I've had a seller account for over a decade, and I've not sold a single item. The Amazon Marketplace is an anonymous Craigslist. Please don't forget that.

>Don't buy 3rd party products sold on Amazon. I always tell people this. They ignore me and then stories like yours pop up.

So buy Amazon Basics and nothing else?

Also I tried to avoid buying from third party sellers but the Amazon website is so deceptive that you are bound to buy something from a third party seller at some point. There is obviously no option to hide third party sellers because that would solve the problem and Amazon's opinion is the problem shouldn't be solved.

The question reduces to one of incentives. Scams are extremely easy to initiate, cheap to scale, and once they're sniffed out, extremely easy to replicate with a small variation in location/product/approach. In other words, they're like good software.

So...what might curtail the proliferation of scams (besides cruel and unusual punishments)? Decentralization? More factors of authentication?

This speaks more to the incompetence of supposed experts and less to the sophistication of scams.
Agreed. I wish someone would try this level of attack against me - I'm 99% sure I wouldn't have fallen for this particular one, but how can I truly know without going through it?

Anyways, I am extremely aware of caller ID spoofing. I use it myself to show a usable callback number on a VoIP outgoing-only line.

And the 2FA - I would be incredibly reluctant to give a code over the phone, even if I had initiated the call.

Sounds like a product idea: Red team for the family
I honestly got this exact same scam happen to me, and probably came 50% of the way through falling for it. Especially since it happened just a few weeks after I had actually had my card compromised, and used for fraudulent transactions.

I got the same text about "confirming fraud transactions" and then a phone call from "my bank". I nodded along at his script for a few seconds, before I remembered the constant, unending advice of: "if your bank calls you, hang up and call back on the fraud number listed on your card". I told the person I'd do exactly that, and hung up.

I then checked my card account and confirmed that there actually weren't any fraudulent transactions, so didn't bother calling.

That said, I can absolutely see a world in which a tired or otherwise frustrated me would just follow along the script, and with a similar background to the author (I'm not a security professional, but I work in fintech and on security-adjacent things):

> I also find it entirely plausible that Apple (or Google) would require a bank to jump through these kinds of hoops in order to remove a fraudulently-added payment method from someone's account, and that Wells Fargo's system would be so janky and sloppily-built that this is the least awful way they could figure out how to do it.

This honestly resonates with me as a plausible thought path. I'm pretty confident that I wouldn't have actually provided the two-factor code, but again, everyone has off days, and everyone makes mistakes. That's the core of all of this, that endless refrain: defense has to work 100% of the time, offense only needs to work once.

Security theater. I had a situation where I had to buy something online from a company in Europe (owl4thunderbird) I placed the charge and then right after I got a text telling me to call a # for a possible fraud alert.

That's a big red flag there. So I try and find the phone # of the fraud dept of Citi because anyone can send a text message. Turns out can't find it anywhere in the official Citi site. So I finally give up and call the phone # before they could go further they asked me to confirm a 2FA they would text to me. At that point I noped out and decided if it was a realt problem I'd find out about it another way.

The problem is I now know how easy it is to break into any Citi account just send them a text with a # and pretend to be the bank. The worst part is every every every message I get that is actually being secure always says "You will never be asked for this code" and everytime they ask for it.

It is security theater of the worst degree by incompetents and MBAs and I am getting sick of it.

>It is security theater of the worst degree by incompetents and MBAs and I am getting sick of it.

It's security theater giving people exactly what they want. People want to feel secure, but they don't want any amount of actual difficulty in getting what they want from Company A.

Like it or lump it, but regular people really don't want actual security. They want the ease and convenience of no passwords at all, and want someone to blame in case something goes wrong.

Of course people want security, how can you say otherwise? What you seem to be talking around is that security researchers have been unable to figure out simpler forms of maintaining a true sense of security, simpler forms of reliability. There is no survey where people say they don't want these things, and if you're relying on the sales figures for Yubi keys or something, that's not a good indicator.

And of course people don't want difficulty! That's why we don't hand-crank to start our cars anymore. Blaming people for wanting faster horses[1] is a convoluted anti-intellectualism where the experts who actually know what's possible are let off the hook. All in all, if you ask me this should be a locus of UI/UX research.

1. https://hbr.org/2011/08/henry-ford-never-said-the-fast

You're absolutely right. People do unquestionably want security! They want privacy too!

The issue that the parent is alluding to is that the same users who want these things seem unwilling to make decisions or change behavior to get that security or privacy. Those of us working with security and privacy often wind up with the sense that users want them, but also that users expect them to be automatic and perfect and free. This starts with the computer-illiterate user who finds passwords confusing and goes all the way to developers who find it irritating to be forced to update the libs in their docker images.

Are there better ways? I sure hope so. So far we don't have simpler forms of maintaining true security or simpler forms of reliability. We just have cheaper ways of maintaining a sense of security - and that's theater.

I don't blame people for wanting faster horses. We don't have them on offer though, so in the meantime it might be nice if they were willing to consider what's available.

>They want the ease and convenience of no passwords at all,

That's not what I see. I see people looking for inconvenience. Expiring passwords. Password requirements, so you have to write your passwords down. (You will change it soon, anyway) "Security" questions. Lock-Screens, session limits. 2FA-SMS. That horrible and unsecure Microsoft 2FA that was on the frontpage yesterday. IP-Geo-location-voodo so you can't log in from a different ISP/cellular/your parents place on this supposedly world wide internet. It's not like these things happen on their own.

Computer illiterate people thing that these inconveniences bring them security.

> always says "You will never be asked for this code" and everytime they ask for it.

Yes, but the real meaning behind that phrase is "You will only be asked for this code by pages served by our domain name or a native app we published." It's unfortunate brevity.

Sorry the exact message is something like you will never be asked for this by a real employee.
Oh I didn't mean to suggest the brevity was your doing. I've seen it the short way first-hand, but yes, more typically it's pretty decent, as you've clarified.
Maybe it would be better to send a link. Then it can't be sent to the wrong domain.

Of course you need to then educate people that they shouldn't trust the domain they land one and always immediately close the tab. Even if that tab says "Warning you have a fraud alert on your account. Click here to check your recent transactions"

Unfortunately, there are all sorts of ways to phish links. https://en.wikipedia.org/wiki/Phishing#Link_manipulation

The link may look similar or even appear identical, and still be under control of the scammer.

Similar to just not trusting incoming phone calls, you can't really trust incoming links via standard email, without some definitive way of validating the sender.

isn't there a phone # printed on your credit card?
Only the customer support number, not the fraud number specifically and at the time I didn't have the time nor patience to navigate through a thousand mile phone tree and wait on hold for 8 hours.
(comment deleted)
Side note: if unexpectedly getting a new card, call the support number on your old card. A friend of mine almost got taken about 15 years ago by a scam where someone got his address and bank name, then sent him a fake credit card from that bank with a letter saying something like fraud had been detected and they were sending him a replacement card. When he called the number on the new card's activation sticker, something seemed off and he balked when they asked for his SSN. He called the support number from his old credit card and confirmed that he had in fact not been sent a new credit card by them!

Hopefully we can at some point stop treating a SSN as a universal password that can never be changed. At least mother's maiden name stopped being a universal security question.

Whoah, that's a pretty smart attack.
somebody physically manufactured a fake, new card and mailing envelope that was close enough to pass scrutiny and in person physical inspection, and send it to him by US postal, for the purpose of getting the person to call the 1-800 number on the sticker and give the scammers his SSN and other details?
He was the CTO of a reasonably large hedge fund at the time, so it's reasonable to think he was the target of a spear fishing attack. If you don't need the magnetic strip to actually be magnetic, I don't think making a fake credit card is much different from making a fake ID.

Though, I suppose it's possible he was telling me a tall tale, he's generally trustworthy.

The two additional explanations would be that he was confused about what was going on, or that there was genuinely a mixup at his bank. If he was confused about what was going on, it would seem that he would have needed to have gotten a card that he didn't remember applying for, and being confused about which bank issued it. The spear fishing and mixup at his bank both sound like million-to-one odds to me.

So now, re-evaluating things based on what I've learned about banks in the past 15 years, maybe his bank grew organically by acquiring several other banks, and has incomplete consolidation internally. Maybe he requested a card from one subsidiary of the bank, forgot about it, and called another subsidiary of the bank (the one that gave him his first card), which had no idea what was going on. The internal structures of large banks are much more disjoint than I realized 15 years ago.

Hell, I'd wish there'd be some zero-knowledge proof protocol that can be performed with a pen and paper over a phone call. You know, like Dining Cryptographers or Solitaire cipher. Maybe there is something, but I'm not a cryptographer and not aware about it.

Though, of course, it's completely unrealistic to expect that some bank person would agree to do some weirdo math tricks with SSN numbers :)

These 2FA bypass scam calls genuinely unnerve me - because they're specifically designed to trick someone who knows how scams work and has actually put some effort into securing their accounts.

Hardware authentication factors are, of course, immune to these sorts of attacks because you can't confuse the victim into forwarding their second factor back to you. However, I don't see why you couldn't construct a specific scam setup for those.

But they could still try to trick the victim into reading the code for them.
Why are you talking about hardware? Just get rid of these weird snakeoil auth flows and make user / password the be all end all way to authenticate. If there's a problem with that, well there isn't. No company on earth has ever tried it, not even in the 90s.
> He verified my name, he had the last four digits of my debit card number, and everything generally seemed to follow the normal script of a transaction verification call

There's a red flag right there — I've never found a bank willing to provide any verification of who they are when calling me. They call me and ask me to give them a code or card number without providing me with any proof of their identity. I've tried to get them to give the sum of the last 4 numbers of my account, but they won't do it.

They always tell me to just call back using the number on my card and try to find my way to the right department. Super annoying.

> sum of the last 4

It's a chicken/egg problem of not wanting to give information first, but a one-way function (hash) is a fantastic idea. The collision possibilities in this particular function are worrisome, though.

It'd be unreasonable to ask someone to perform a hash of those last four digits (how would your mom respond if the bank asked her for the sha256 hash of her card number?), but it could be helpful to ask questions that don't reveal too much information, like, "is the sum of the last four digits even?" or "is the sum evenly divisible by 3?"

It would be difficult to come up with something you could reasonably ask an account holder to figure out on their own that also wasn't easy to randomly guess.

For sure. I wonder what the state of the art is in human-friendly challenges.
Please select pictures containing a boat.
"What is pictured on the front of my card?" might not be a bad question (assuming the bank allowed account holders to choose from a large variety of images or upload their own). It's data that the bank could capture on card issuance, that anyone who has been in the physical presence of the card could answer, and that would not be captured by payment systems.
What I was suggesting wasn't asking the account holder, but asking the bank. With a little training, the call center reps should be able to handle adding together the last few digits of a card number.

I agree that asking account holders for this would be confusing, but since the bank is the one calling in this case it makes sense that the caller (bank) should provide information first.

Of course, it appears that in this guy's case, not even this would have worked, since they apparently had his full card number.

If the account holder has to ask the bank for a piece of information, the account holder will also have to produce it for comparison.

Summing the last four digits could unintentionally leak information (what if those digits are all zeros?), so the challenge question should be carefully chosen by the bank, not just whatever the account holder comes up with.

Can you explain what the information leak would be? Also, I think it's not possible for a credit card to end in all zeroes.
There may be inferences you can make from the sum that aren't immediately obvious. If cards can end in four zeros, the sum and the last four digits contain equivalent information, but you would also confirm that three of the digits are zeros if the sum was 1. It's something that, if I were a bank, I would want someone with a background in number theory to weigh in on. If I were a paranoid bank exec, I wouldn't trust the low-wage customer support reps I had on staff to vet customer questions for how much information they might leak and would instead have blanket prohibitions on answering questions from customers until after the authentication phase of the call.

Questions like "is the sum even?" trade a lower opportunity for information leakage for a greater opportunity for a random guess to be correct.

Don't forget the last digit is a checksum digit too. Which I still can't give you an attack, but I also agree that I definitely can't say I'm sure there isn't one.
That does reduce the number of possibilities greatly, which might matter for some attack scenarios, but usually not IMHO as rate limits should thwart any online brute force.

I'd be interested to know how greatly, if someone has the equation for that.

I understand the perspective of the paranoid bank exec! But if the alternative is that their customers are trained to give out personal information whenever someone calls and says they're from the bank, that's quite possibly worse.

It would be nice if when someone called me from an institution, they gave me a code that I could enter after calling the number on the back of my card. That way I would have confidence I'm talking to the bank and would feel comfortable giving out verification information.

In the past, it has always been a headache to find my way back to the department that called me.

The dataset for hashed credit card numbers is small enough that it can be easily represented in a static lookup table, or brute forced.
Brute forced by a human voice on a phone call? You must talk quickly.
He almost certainly meant that sha256(card number) can be bruteforced to figure out what card number was hashed. 10^12*256 bits is only 29 TiB.

So providing a hashed card number to a potential scammer is just as bad as providing the card number.

So just ask the other party to give you a salt they generate on the spot? And/or you do so on your end?

You can still get targeted for a direct attack but much less likely to end up caught in a dragnet approach.

That would prevent using a pre-generated lookup table but doesn't help much with brute force attacks. All possible card numbers is a finite set, and if you have the sha256(card number + salt), you can figure out which card number was used as input given the improbability of sha256 collisions within that set.

Keep in mind this in the context of an account holder asking the bank to authenticate themselves on a phone call using data only the bank and the account holder should know. sha256(card number) was an example of something that is obviously inappropriate, and I don't think sha256(card number + salt) is any different qualitatively.

Not to mention, how many bits of salt can you transmit by voice in this context without this turning into a whole song and dance?

> That would prevent using a pre-generated lookup table

Only for a healthy pinch of salt, not a couple grains, right?

> like, "is the sum of the last four digits even?" or "is the sum evenly divisible by 3?"

Exactly. After only a few of these you have an equivalent security level to checking the four digits directly but at each step of the way there is a 50% chance that the attacker, not knowing the number yet, gets it wrong and you stop giving more info. If they do a thousand calls a day, they'll still get some people, but it's probably not you so that's at least a small win.

You might enjoy learning about PAKE/SPEKE, which has similar properties.

> An important property is that an eavesdropper or man-in-the-middle cannot obtain enough information to be able to brute-force guess a password without further interactions with the parties (Wikipedia: PAKE)

Just enough enjoyment to then get depressed wondering why nobody is using these nice things

My mom would only have a 50% chance of correctly adding four single-digit numbers, and if she had to divide them by 3, she'd be lost.

She's an intelligent woman who's just lousy at arithmetic. I'd guess hers would be approximately the median experience if something like this became standard.

This happens with my doctor's scheduling people all the time. "Hi I'm calling for $YOU, will you please verify the last 4 of your social and full DOB?" uhhhh... no I will not, random person
DOB is often just to make sure they have the right person, and not an alias. But yeah, SSN, I wouldn't give it out like this.
DOB made sense because 10,000 people in the world have the same birth date. DOB (without PII) didn't narrow enough to identity the person. Regarding that last 4 SSN, yea I would never give that out.

My doctor office required me to provide my DOB before I can schedule an appointment or questioning over the phone. My pharmacist required my DOB before I can get my meds from them. If I don't provide my DOB, they will turn me away and assumed that I'm a scammer.

Oooh, good way to abstract out names from stories! Stolen for my own future use.
I had a similar scam fraud call from my bank and I asked them to verify the last 4 of my SSN. They had it! But later they said they'd send a text verification but it was asking to add my card to apple pay. So I hung up and called my bank back and they had no record of the call. It was freaky that the scammer had so much info though.
Who cares if you've never come across it before. It happens.

How else do they prove they are a real bank???

You are making the same dumb mistake this guy made.

Not much of an expert, caller ID means nothing.

Standard procedure for everybody in the last 20 years should be: Whenever I get a call about security or fraud from the bank, I thank them for the notification and tell them I will call them back, and hang up. Then I call the number on my credit /bank card, not the number I was called from. Fortunately there is a lost or stolen cards so there is no queue time and tell them I received a fraud alert notification.

Simple and effective. It's been over 10 years that I've followed this same protocol. It hasn't failed me yet. I also don't think I've missed anything that could have been better handled, had I chosen to speak to the caller. Just don't say anything, beyond greetings, to the caller.
> Not much of an expert, caller ID means nothing

They... said that:

> The caller ID showed the correct name and number for my bank, but caller ID data is so hilariously easy to spoof that it might as well not even exist.

Honestly, what is with the low quality comments attempting to undermine this person's credibility?

So what if they said that? I'm not trying to pile on them but the reason people are questioning their credibility is that they fell for a pretty basic scam. Even if they acknowledged that their assumptions were incorrect (knowing Caller Id is very flawed but still falling for it), it doesn't necessarily make the scam any less obvious.

Would you not question the credibility of a doctor who falls for say, crystal healing or homeopathic cures?

> I'm not trying to pile on them but the reason people are questioning their credibility is that they fell for a pretty basic scam.

Yeah, I've read the armchair quarterbacks around here thinking they wouldn't be the ones to get duped if it was them.

Of course, I'll bet if they did get duped, they wouldn't post about it on social media because a bunch of folks would come out of the woodwork to point out how stupid they were.

Personally, I read this accounting and thought "You know, for all my own knowledge about how these scams work, I might've been caught by this one." This specific example strayed into spearphishing territory given the knowledge the attacker had of the victim. This wasn't just an average war dialler. And the time investment, alone, on the part of the attacker makes this unusual compared to your average phone same.

But hey, maybe I'm just not bright enough to hang with the cool kids around here.

I'm not saying I wouldn't get duped, but Im also not a scam prevention expert! And you are right that I wouldn't be posting this if I was in their place but I'm not sure if that means that makes them immune to criticism. "I bet you'd have done the same" is not an extraordinarily good defense when we are talking about a scam precention expert.

I also don't think this has anything to do with intelligence. You can question expertise without questioning intellect

What is with low quality comments commenting on low quality comments?

An expert doesn’t just know about a risk, they think through mitigations and apply them. This is a basic 101, and yet no mitigation. A phone call warning about fraud is highly likely to be fraud in itself, so never, ever proceed with the call.

Just don't give people 2FA codes? I am never going to give a 2FA code to someone who calls me, no matter what combination of words come out of their mouth.
Right? There's nothing surprising about getting scammed when you give out the 2FA code.
As TFA starts out, it is always easy to point out all the mistakes after the fact. People underestimate how prone the mind is to just trying to play down danger, inconvenience and generally unpleasing situations. Even after a few minutes on the phone, after you built up the most basic "relationship" with the person on the other end, you simply don't want this to be a scam. Avoiding cognitive dissonance. Just like when you bought something expensive that doesn't really meet your expectations.

Then you must not underestimate the pressure under which you then are, because either way is not a pleasant situation (getting scammed or having been scammed already trying to contain the damage). I fully believe the author that they only skimmed that mail and weren't even aware that this is 2FA. It must have seemed like "just some one-off verification code".

Then I think there is also this phenomenon where experts think that just by being an expert on something, they are immune to it. Not consciously, rationally, but lingering in the subconsciousness. It reminds me of the show "the good doctor" where a seasoned oncologist is diagnosed with a brain tumor and completely blocks off any conversation about it and rejecting treatment. I think that very well illustrates what I mean.

Another anecdote to add here if that Jim Browning, a YouTuber focused on finding scam call centers, getting into their systems to gather information and shutting them down in the end got his YouTube account taken away from him through a scammer on the phone. So I'd be careful with claiming this could never happen to me because I'd never do X. Until the day you do without realizing.

Look, I certainly believe that as you get larger and larger groups of people, law of large numbers it becomes inevitable that someone becomes scammed.

And I certainly don't doubt that I could be scammed at some time, especially by a phishing email or something of the sort.

But I don't think I'll ever give out a 2FA code to anybody that's not me. It's a really simple rule of thumb. Just never do it, there is never any reason for anybody besides myself to know my 2FA. If there is a reason, that is unfortunate that they've designed their system that way because, again, I am never going to give out my 2FA code to anybody.

The person in your anecdote never gave his 2FA to anybody, so it is not relevant to what I am discussing.

Yes, it's easy to convince yourself you're way too smart to make this mistake. At the same time, you now deliberately skipped over the fact twice that he just skimmed the mail and didn't fully realize it was specifically a 2FA code, just assumed it was some verification code. I mean, the wording explicitly talks about entering this code somewhere to enable stuff. That's already two dead giveaways. Otherwise you'd be implying this guy, being an expert, doesn't fully understand how 2FA works. Pretty unlikely, but sure, not impossible. But I mean realistically now that this has been overstressed I actually do believe you'd never make that specific mistake in the future.
It's pretty obvious what is a 2FA code and what is not. If I'm being sent a code on my email or phone, I know not to tell it to someone on the phone. Indeed, even that very email she was sent contained a reminder not to tell it to someone on the phone.

I read the entire article, I am just unimpressed by the justifications as to how this "could happen to anybody."

I don't think the e-mail in the article is very obviously a 2FA code? I usually associate 2FA with something I use to log in somewhere; not to do some other operation which (presumably) already requires account access. To me, it looks like a Wells Fargo Apple Pay "Verification Code", which honestly could mean anything.

There are other signs, obviously. You could ask the question of, why is the e-mail asking me to enter the code myself while the customer support rep asking me to provide it over the phone? But as you well know, the author also asked that question, and arrived at a plausible enough sounding answer.

Regarding that last sentence: I have actually skimmed the e-mail many times now, and only when looking at it again to try to understand what you meant by "even that very email contained a reminder not to tell it to someone on the phone" did I actually see that part. I suppose I just started reading the standard "if you have questions call us on this number" text and skipped the rest of the paragraph. Brains are very good at extracting what they think is the relevant information and ignoring what they think is the irrelevant information, especially when in an active social interaction with another person who expects something from you.

I think any technical person should be able to analyze a play-by-play description of the events and explain exactly how each mistake could've been avoided. But I think most technical people could've made similar mistakes if they were caught in a vulnerable state of mind. I think sharing these kinds of stories, where even people who "should" know better got scammed, is an important part of how we learn to recognize scams. I think the vitriol in places like this comment section plays a part in making people avoid sharing stories like this.

> Indeed, even that very email she was sent contained a reminder not to tell it to someone on the phone.

Yes, as regular unformatted text and tucked away at the end of the very last paragraph that starts with standard boilerplate:

"If you did not request this code, or if you have questions, please call us at the toll-free number on the back of your card. Wells Fargo will not contact you by phone or text to request this code."

Worse yet, the second paragraph starts with "Important:". That implicitly signals that the most important part of the email is what follows. However, that's obviously not the case.

The email is absolutely horrible security-wise, it downplays the most important security bit while overplaying everything else.

I happened to read through the entire email while reading the story and spotted the text at the end, but I'm not that confident I would be as diligent in a real life situation, especially if I was tired, like the OP was.

Just about every regular person would easily fall for this.

> It's pretty obvious what is a 2FA code and what is not.

Unless you're distracted or otherwise having a bad day. Everyone has bad days, even experts. To stay secure you must be secure always, while the scammer only has to be successful rarely. This dynamic favors the scammer very strongly.

Until you play with 15 different companies each which have slightly different variants of how they do their authentication security theater, as well as them throwing odd balls at you every month until you really have no idea how anything is supposed to work anymore.
There's one easy rule that could have avoided all of this - never give out any info on incoming calls. If I get a call or text about fraudulent transactions, I'll keep them on hold while I log into the bank website. If I get a call about a late payment, I'll thank them for the info and ask them to stay on while I pay online. If I get an inbound call with a more complex request, I'll ask them for their employee info and call back the official service number. It annoys the caller sometimes, despite always treating them professionally, but I keep that a hardline rule no matter how real it feels.

I heard this from a security guy and was under the impression it was one of the sacred laws of security. If it's not, it should be - it's a rule of thumb that would stop 90% of social engineering attacks I hear about.

Calling on the official number is a good rule. But my neighbour followed that and was still scammed for tens of thousands.

The critical extra step that they missed was to check that the line was disconnected before calling out. They were using a landline.

The scammers called them, but didn't hang up. Then, when my neighbour called out to their bank, they pretended to be answering that call - going through security, etc.

My neighbour then did whatever the scammers said - because they couldn't possibly be scammers.

Your neighbor just dialed the new number without hanging up first?
I could see this working if the other end played a click followed by and dial tone sound.
Unless both sides hang up, there's something like a 10-20 second window where the call is held open. Hanging up, picking up within 10 seconds and dialing, means you're still connected to the original caller. If they're clever, the might even detect the click of you hanging up, and play a dialtone for when you pick back up, and stop playing it when you start to dial.
Citation needed. I don't recall any land line phone I've used behaving in this way.
No dial tone and no ring… Seems a difficult mistake to make but then again, I regularly surprise myself with my errors.
There's nothing technical that prevents the other side from playing dial tone and ring sounds
The neighbor hung up, but the scammers didn't, and the call was not disconnected? That's not my experience. Is this what you meant?
(comment deleted)
Yes, and this is how it works as another responder mentions.

The thinking by phone companies is essentially: guy calling pays for the call, so we can milk each call for a few extra cents each time even if they're shady or a wrong number.

Your neighbour dialed a new number without hanging up his ongoing call? Is this his first time operating a telephone? The scammers mustn't have believed their luck when they realised that was happening. Did they mimic a "brnnnnggg brnnnggg" sound when he dialed?
The connection isn't always torn down immediately. Different switches behave differently in this regard. I remember a long time ago being trolled by a friend of mine who refused to hang up. I wanted to call someone else, but every time I picked up the handset to dial out, he was still on the line laughing at me.

So if you're served by a switch that operates this way, the scammer just holds the line open, plays dialtone and ringback tones appropriately, and you're none the wiser.

For the people who are confused: this is a fairly common thing on landlines in some countries, where the telephone exchange doesn't drop the connection until both ends have hung up, or in some cases when the caller hangs up but not the callee. So it's possible to put your own phone down, but when you pick it up again your phone is still connected to the scammer's telephone. If they play a convincing dial tone, then change to a ring tone when they hear DTMF, you'd be none the wiser.

The workaround to this is to use another phone (e.g. switch to mobile), or if that's not possible, apparently you can wait several minutes until the exchange times out the connection.

https://security.stackexchange.com/questions/100268/does-han...

I can confirm that at least once this happened to my family in Italy about 20 years ago.

The most anecdotal statement ever, but a data point nonetheless.

I accidentally won a radio contest many years ago in this way. I heard "you are caller 2" and then the DJ hung up. I stayed on because I was confused and then a few seconds later he picked up again and said you are "caller 4". So I just stayed on and eventually said I was caller 10 and the 10th caller won the prize. I assume he was switching back and forth between two internal phone lines.

I was confused because I was calling to make a song request and had no idea that this contest was initiated because they had just played a certain song.

I did that too, except I called the wrong number and won Barbara Streisand tickets. Not my jam.
Even already knowing about this I'm still mystified that landlines work this way on every occasion that I'm reminded of it. Does anyone know if there is, or at least was, a justification for this mode of operation? Was it at least of any use to anyone back around the 1900s or whenever or is it just another "we do it because that's how we've been doing it" residue that hasn't been cleaned yet?
Back in the day, folks would have more than one phone in their house.

Someone would call and all the phones would ring (or you might turn off the ringers on some of them so only one main phone actually rings). So someone might pick up the phone in the entrance hall and the caller would ask to speak to Becky, and Becky’s mom would yell up the stairs ‘BECKY PHONE’ and then put the receiver back down while Becky runs into her big sister’s room to grab the upstairs phone, and carry the whole phone, trailing on its wire, into her bedroom, slamming the door on the wire for privacy, before she picks up the receiver to answer.

I lived through this era and at one point worked at a phone company and never knew about this behavior. I'd hold the receiver until I heard the other person pick up, then hang up.
I saw this sort of thing in american sitcoms as a child, and I was always mildly triggered by it. Here in Australia the landline phone system disconnects as soon as either person hangs up.

On the shows they would sometimes hang up the phone, then somebody else picked up a receiver and the call continued?? Phones don't work like that! Go try it on your real phone, and you'll see!

It never occurred to me that US phones worked differently than Aussie phones.

The fact I was so bothered by this probably says an awful lot about what sort of person I was as a child. Its no accident I fell in love with computers.

Just going from memory - but I’m fairly sure that around 25 to 30 years ago, in Australia, it did work the way that is being described. That is, the person receiving the call could not disconnect the call by hanging up. The person making the call needed to hang up, otherwise the line stayed open. I messed around with this a few times because I was amazed it existed.

Editing to add that more detail, since I’m basically contradicting your memory of how it worked:

I’m fairly certain it didn’t work if you dialled out, so you may not have come across the circumstances to test it. Also, the other person would probably also need to be participating in testing it, because otherwise they will hang up as soon as you do.

I’ve just remembered another detail - I think there was something different about the tone you heard. If you received a call, and the other person hung up, you would hear the disconnected beeps. If you made a call, and the recipient hung up, I think you would hear the disconnection, but then just silenced.

By the way - I was also confused by seeing how phones seemed to work in the US - like pushing the hang up sensors (is there a name for these?) once to switch lines for call waiting. I never really connected their strange behaviour with how the phones in Aussie worked.

Actually, is this all related to party lines? I’m fairly sure Aussie had these. NZ did.

Was harassment by exploiting this ever a big problem? Seems like you could call someone and if they pick up, you now control their phone line... indefinitely?
> you now control their phone line... indefinitely?

Some other comments said there was a timeout after which the call was disconnected if the receiver hangs up.

> On the shows they would sometimes hang up the phone, then somebody else picked up a receiver and the call continued?? Phones don't work like that!

Well, a few decades ago (80s-90s), at least, landlines sure did work like that in Australia, if you were the one who received the call. I played around with that a lot as a kid. Maybe you just tried it on calls you initiated?

Real phones did work like that in +61 20-30 years ago :).
> and then put the receiver back down while Becky runs into her big sister’s room to grab the upstairs phone

This is dumb though. Just don't put it down until becky picks up.

"BECKY, PICK UP! I'm missing my show!"
As opposed to my sib comment, I could see (theoretically, not saying this is what the original logic was) some justification to deal with intermittent line breaks or connection issues - if one side can keep the call open, then a wind gust breaking the connection for a couple milliseconds somewhere between the two parties won't cause the whole call to end. From a customer point of view, it's more resilient and ends up with fewer dropped calls.

I could also theorize about the different switching actions going on, where up until the other party picks up there's already only one phone on the line, but that's getting into phone system/phreaking stuff that is way out of my depth.

Could this be related to party lines? https://en.m.wikipedia.org/wiki/Party_line_(telephony)

This is similar to the other answer regarding answering a different phone in the same house, but perhaps more necessary if sharing a line with neighbours. Distinctive ringtones may have made this phone line non-disconnection behaviour unnecessary though.

I’ve never experienced a party line - but they sound ridiculous (and fun).

Back when I was in high school and landlines were still a thing, we used to prank our friends this way sometimes.
Just FYI, this does not and never applied to mobile phones or any kind of entirely digital (SIP, etc) phone system.

Modern "landlines" when used with DSL or fibre are also no longer "true" landlines, instead the modem/router acts as a SIP client and gives you an FXS port to plug an analog phone into. While it could theoretically emulate this behavior (by keeping the SIP session open for a few more seconds), I don't believe any of them do - in any case it's trivial to test by calling a different phone that you control, hanging up on your "landline" and seeing whether the other phone hangs up immediately (it should) or if the line is held open for some more time.

If this is still a thing (I frankly don't see the purpose of it), it would only apply to real landlines where your phone is directly connected to your phone socket without a modem/router in between.

That's not necessarily true. Most smartphones and SIP clients are designed to kill RTP immediately after sending a BYE, but session teardown doesn't _have_ to happen then. There are many scenarios where a BYE would not constitute destruction of the RTP session, and using a dumb analog phone over FXP could easily be one of them.
What the actual f. I feel like the only commenter here who wasn't aware of this. Thankfully I don't use landlines, but still, that is beyond crazy to me.
Was this common in the US? I spent a bunch of time on the phone in the late 90s at several of my family members houses (I was a social kid) and any time someone hung up I'm pretty sure I'd hear the busy signal if I left the phone unhooked long enough.
So your neighbor hung up to proceed with a follow up call, which, if they're like most people, consists in just pressing the switch with a finger, while keeping the handset to their ear. But then upon releasing the switch, they just started dialing without waiting for the dial tone? And after they finished dialing and never heard the ringing tone, they didn't find that unusual? Forgive my skepticism, but something's missing from that story.

Edit: Just read up on the disconnect time (10 seconds for some providers) and yes, a sophisticated scammer could indeed emulate the various tonalities.

scammer plays a dial tone after the 'hang up' and while dialing.
Was this in the UK? I think they dropped the timeout to help mitigate this. KNow someone else it happened to
I guess we need to teach people how to use a phone line??
(comment deleted)
Yes, this is what I do too. I say "Thank you for the information. For security reasons I won't discuss this matter on this incoming call but I will immediately contact your fraud department on the number I have." They've never been annoyed about this. In fact, mostly they've been positively surprised.
Agreed. No matter how tired and annoyed I was, I'd have stopped dead at the confirmation code that they asked for. There's absolutely no way I'd have given that to them, even if it meant cancelling my account and using a different bank.

That seems a bit extreme, but if their procedures are so crazy as to require circumventing another system's security procedures, I'm not going to bank with them.

I actually had a bank send me an email asking for information that came from another domain, had a header that looked liked it had been badly scanned in, and had links to domains they don't own. When I ignored it, I eventually got a notice that my car loan was in jeopardy because I hadn't provided that information.

They had no clue why I was so upset about that email.

I paid off my loan immediately and never looked back, even though the interest was less than I make off the stock market.

I think this is a statement easier to conclude in hindsight, especially as you are primed with "this story is describing a scam, definitely". The author describes the thought process and what ended up nudging them toward believing the scammer about the workflow. A code sent like this in a legitimate workflow could be plausible. Maybe it's a requirement to ensure that the customer is indeed acknowledging the operation and the CSR isn't taking actions behind the customer's back, for instance.

The author had a lot of signals pointing toward legitimacy to counteract their natural skepticism, it was a stressful situation and the nature of a phone call puts time pressure into the decision making, increasing the odds of a mistake.

Your example points out that false positives on the "scam or ham" decision do have a cost to the contact recipient too, so "never respond to anything" comes with risks and costs too. It's hard to be perfect.

1) You don't hear about the stories where the scam is stopped.

2) As you have noticed yourself, legitimate banks do what they can to make their actual requests indistinguishable from scams, and "not falling for that" can have severe consequences.

> In order to do that, I needed to relay a confirmation code that would be texted to me.

Everything up to that point matches exactly what happened when I got a call from my own bank (Charles Schwab) regarding fraudulent charges. However, whenever Schwab sends me a code (or Bank of America, Coinbase, etc) the code comes with a message stating that an employee will never ask you for this code.

The fact that OP is an "expert" yet fell for this shows me that they are in fact not an expert here. Don't get me wrong, the execution by the scammer was slick, but I would expect an "expert" to be familiar with their own bank's policies:

"Wells Fargo will not call or text you requesting an access code. We may ask for an access code when you call Wells Fargo customer service. Always contact us using a trusted number on the back of your card or wellsfargo.com."

Yes, this is scam prevention 101. Anyone who called you is always unverified. It's hard for me to take seriously a "scam prevention expert" who doesn't seem to know or follow this rule, which by itself is enough to protect you from most scams. Normally I try not to victim blame people for getting scammed, but when you've made a declaration like that you forfeit that right.

I'll also point out that the author seems to have some complicated arrangement for their phone number(s), presumably in the name of security, that in fact got in the way of identifying this to be a scam.

Regarding the complex phone arrangement: There's an effect, the name escapes me, that adding security can make threats less frequent but more dangerous. Sounds like he was more complacent because he had trust in his phone system.

And I agree about author - if he had said that he violated an easy rule and owned that I would take his credentials more seriously. Everyone makes mistakes, but he didn't list this simple, well-known rule as a way of preventing this.

I can see a normal person falling for this, but in my opinion this person called themselves a scam expert is a scam in itself. The claim that this has only been praise since 2018 is absurd, even if true being four years behind on current practices is making you a no longer expert.
I am a security guy by profession, the other day my wife singed up for a tesla and they ran her credit. next day we get a random call from wellsfargo regarding an auto application and wanted to verify her information. my wife confused why wellsfargo calling, did what I always ask her to do. tell the individual to provide her with the case number and she will call back and they do not need to provide her the call back number. This is easy to remember for most people and She did just that. It turned out tesla has multiple financier which tesla failed to mention that one is wellsfargo.
surprised too, once i read it all started with a phone call from author's bank. your bank will "almost" never ask you for your info on the phone. if they do, you don't have to provide it. you can ask to go to a branch in-person, or log onto the website to provide the required information.

all banks should often remind their customers of this. mine does.

banks and phone carriers should do scam and fraud trainings for customers. or friendly reminders.

This is good advice, despite it being a pain sometimes! I once got a voicemail from the fraud department at my bank, with a number to call back. I googled the number and all that came up were stories about being scammed. So I was 95% sure it was a scam, but called my bank directly just in case. The person who answered assured me they hadn't contacted me, and it was indeed a scam. I later got a follow-up voicemail from the "fraud department", from the same supposed scam number, which I ignored.

Then, the next time I went to use my card, it was blocked. I called the bank again and spoke to someone new, who informed me that the original calls had been legitimate - they had the same reference number and everything - and the card had been blocked due to lack of response!

Obviously a false positive on the scam detector is less of a problem than a false negative, but was still pretty incredible. No idea what was with all the people talking about being scammed from that number online; I can only assume that they (like the first rep) assumed it was a scam, since if the bank needs to call you, they should tell you to call back using the number on your card, not some random number they give you. But apparently that's exactly what they did.

I had something similar. One time I got a phone call from a "Scam Likely" and decided to answer it. And it was an automated message from my bank asking if some purchases in another state were real or fraudulent. At this point I began to second guess if it was a scam or not, but had to assume it still was. I ended up logging into my account and seeing the same fraudulent purchases that it listed over the phone. So I called the number on my card and had it all settled. I found it weird that the original call was a false positive though.
Probably because the phone number is calling about a scam (fradulant charge), and then when they hang up, people report the phone number as a scam because they don't understand the difference.
No, it's because caller ID can be easily faked. So both spam calls and real calls come from the same number.
STIR/SHAKEN has been the law in NA (where the GP) is for a year or two, so it should no longer be easy. It's a problem a lot of countries are tackling.
Some scammers are making fraudulent charges, then calling victims as the bank to “fix” them. Skips over a bunch of red flags because the bank has every reason to be calling.
This has a similarity to the original story here, in that the original sounded like: "They behaved a lot like a scammer would, but I also totally expect my real bank to behave like a scammer would".
Many banks today have communications preferences options and I've told all of my banks that do to never call me directly. If I receive any sort of legitimate call from them I immediately follow up with a strongly worded letter that they should not have called me and violated their own security policies.

The only thing we can do about "bank behaviors make it easier for scammers" is to change bank behaviors. It's not an easy process, but unfortunately it is a necessary process.

One of the wonders of the world is how much unnecessary data they collect - just because they can demand it - with nary a thought of how much of a liability that is.

Guess it will take a few years of getting slapped for it to filter down.

He is looking for a definite red flag that it's a scammer. This is a terrible strategy and he should know better. One suspicious act and you should hang up and call the number on the back of the card. Really you should just not take calls from the bank ever and call back on the number on the card.
Many years ago, I have worked in a call centre for a bank and the process for calling customers was exactly what you’d expect from a scammer.

In the standard/credit card section (not, for example, credit card debt collections), it was rare to have to make outbound calls, but when they were needed, no information could be given out until the customer answered security questions. Some customers questioned this because it was exactly what they’d been told never to do. They were told that of course it was right to be cautious, and they could call back, but that they would need to wait in the queue and likely speak to a different person. This was all before they could even be told what they were being called about.

Perhaps half the people questioned the process upon receiving the call (“you called me, and you want ME to prove who I am?”, but very few hung up and called back.

From memory, this was mostly improved later on - no security questions needed unless some sort of action needed to be taken on the account.

This happened to me with Bank of America’s fraud department. I had a charge that tripped the fraud detector on a relatively new card. I don’t recall the sequence of events, but I believe I was prompted to request a callback from the fraud department. When they called back I had to answer a bunch of PII questions, and then they pushed a 2FA code to me and asked me to read it back over the phone. I told him, the 2FA message literally says to never give this number out to anyone, but they insisted it was necessary to continue. I was shocked that the banks fraud department would be so cavalier.
If you’ve ever tried to get a crypto token listed on an exchange, its just as bad in that arena even though it seems so far behind the scenes.

The process to get listed is the same as a scammer’s process to ensure you get listed.

Some exchanges will say “no we would never handle this with DMs over telegram”

/gets listed by being introduced to someone with a DM over telegram/

I have the same rule for online chat support.

Last week, I cancelled my Netflix subscription and been trying to remove my credit card details from my account to prevent surprise reactivation in the future. There wasn't an option to do it online, so I went in their chat support and ask them to remove my CC information from my account. Then they asked me to provide my CC number to validate who I am. I told the rep that I am not comfortable sharing my CC information over the chat and prefers only give out my service code or alternative information. This rep kept ensuring that it is secured and they can't see what I am typing in. I asked them to initiate it and I will decide if it is trustworthy to put it down. I got the prompt and it asked for a full CC number. I declined the prompt and told them that I'm not comfortable doing that. And it didn't help that the rep are unintentionally behaving like a scammer. I shared my concerns about the rep behavior and remarks that scammers can say those things. The rep understand my concerns and asked for other information like the email address that is linked in the account and what are two recent activity on the device I uses. I gave out the information and validated I am the accountholder. Then the rep processed my request and I see my CC information is removed from my Netflix account.

Banks and health care providers have aggressively trained customers to be ok with giving sensitive info in a received call. It's a real disservice to the community, but kind of a tragedy of the commons.

I also do a callback (verifying the number they give me via a google search) but it seems like almost no one else does. On one of these calls from a bank, I asked the agent whether anyone else asked to do a callback, and they said no one ever did this.

> it seems like almost no one else does

Nope, I do basic stuff like this too. And it's basic stuff. As in, can be defeated by simple wiretaps in infrastructure outside your control.

Agreed. It’s easy to play Monday morning quarterback, but the author of this article made some pretty big blunders for an expert.
That's good advice. I'm also wary of providing information over a customer service chat. A recent example that comes to mind was when I was price matching a product on Best Buy's website over a chat session. The rep confirmed the price match was valid and began to initiate it. And then he started asking for all of my personal details including, phone number, address, and credit card. When I politely refused, he thought I didn't want the price match anymore. I confirmed I still did, and he said he needed all of the info to place the order for me. I had assumed I would be sent a personalized link to order the product, or it would just be added to my cart (since I was signed in). But no, he needed personal info which would live in a chat log. I ended up ordering from the other retailer.

Anyways, maybe there was nothing wrong with providing those details. Maybe they were already available to him on his screen. But the act of asking for that info and making it commonplace for people to just provide it is how so many scams are successful. I don't know how we get away from bad security practices being the norm.

"There's one easy rule that could have avoided all of this - never give out any info on incoming calls."

Also: Just call your official bank/card phone number yourself. This number should be on the back of your debit/credit card.

Or better yet, just don't answer incoming calls that you're not expecting
But I might miss out on a sweet extended warranty deal for my car.
what information is actually being asked of people on incoming calls these days? I never seem to get any of these calls, but banks and credit cards etc. by now should be clued in enough to this stuff that when they actually call a customer, they do nothing more than alert that customer to proper channels they should initiate and follow to resolve the issue.
Entire generation of older Americans who will happily read out their credit card number over the telephone.
that was not the point. the point was, the actual banks should at least no longer be asking people for information on initiated phone calls. so that we can in fact tell people, "never give information to anyone that calls you", no need for awkward arguments with legitimate callers, because no legitimate caller would ever do that.
> In order to do that, I needed to relay a confirmation code that would be texted to me.

Yeah, BZZZT! End of conversation. Hang up.

My doctor's office has a note in my file about this now.

Every time they call me, they just say, "Hi smeej, it's NAME at Dr. NAME's office. We have an update for you, so go ahead and hang up and call us back."

Works like a charm!

You literally can’t set up Xfinity internet service without accepting an inbound call and then clicking on a shortened link they text you.

I asked for a callback number instead. They hung up and made me go through the entire process again, culminating in a new inbound call a day later and a new sms.

I don't know, I maintain that policy fairly strictly, but I can imagine falling for this.

I won't as a policy give out information to an incoming call, and I do call back if they want any info from me. But my working memory is not endless. The topic of discussion had changed three times before he was asked for any information, and the information still wasn't PII, it was a confirmation code. The scammer knew enough about him that he wasn't especially on alert. I can well imagine that flag in my mind that I was on an incoming call having been lost before we got to that point. And I suspect that's exactly how the scam was designed.

>call back the official service number

I thought that was fairly standard in banking/credit card fraud as well. That's how I was directed to proceed when I got a call from my CC company about fraud: "please call the service number on the back of your card regarding potentially fraudulent transactions"

Excellent, simple advice! I don’t believe anyone who calls me with a problem, ever!

Overdue bill? Okay cool thanks, I’ll call back and ask to speak to someone, hang up.

Compromised card? Okay cool thanks, I’ll call the number on the back of my visa, hang up.

(This one happened to me) Relative in another country is dying of cancer and needs money for some obscure procedure and doesn’t want to tell anyone else about it only me so don’t call anyone about it? Okay cool, I’ll check and get back to you.

I don’t care how important the matter is; your house could be on fire! If you are calling me and need any type of personal info whatsoever, I hang up and call you or someone I know related to you or just Google that thing!

Same with door to door salespeople. No thank you goodbye.

Hi, the government is giving $5000 credits for people to add insulation, blah blah blah. Can we do a free evaluation? No! I would have heard of this free money falling from the sky from someone I know.

No thank you, hang up, give zero info don’t even confirm my name, close the door or hang up. Goodbye, won’t phish me.

> Hi, the government is giving $5000 credits for people to add insulation, blah blah blah.

This is... occasionally a real thing. Drives me nuts that they choose to implement it this way though.

I just don't care. I don't want to risk getting scammed for a few bucks that I was not expecting. Give the $5000 to someone else, I'm fine.
I go one step further and tell them I don't talk to unauthenticated callers, ask them for a reference number and an published return phone number that I can authentic using the usual methods (website, advertising material), explain to them that unaurhticated / cold calls are unethical, and then end the call.
Am I alone in just never answering my phone? Like, ever, for _any_ unknown number. Seems like that alone solves a certain class of problems.
That's what I do. If it's actually important I'll get physical mail or a knock on my door. If I didn't request the communication then the communication is not legit.
I feel like the author made two mistakes that anyone who goes after scammers should know. First is to never trust the caller. Didn't matter what info they have. Second is never give your 2fa. Who cares if some third party product has some wonky scheme that requires it. Don't do it.
(comment deleted)
Better rule: NEVER answer the phone.
> There's one easy rule that could have avoided all of this - never give out any info on incoming calls.

When I don't recognize a number, I don't pick up. I tell them to email me/text me and that they provide when they called and with what number. Then I might call them back.

Asking extra effort from unknown people will do a few things:

- Scammers won't do it (not yet anyway)

- Spammers won't do it either

- Anyone lazy won't do it

I think I read about this rule here on HN and have been following it since a couple of years. The funny thing is, banks do scammer like things so often. I had a yearly subscription that tried to renew and they tried to charge me first for 0, and bank rejected it. 2 hours later I get a call from a weird number from my city (when my bank is in another city and all official numbers are from there) from apparently the fraud department of another bank that now handles fraud prevention from my bank. I refused to give them any info, told them I will call the bank back and just called the number on my card, which is the default support number for my bank and sorted everything out in 5 minutes.
I feel like all banks and other such institutions should give trainings / information at least once a year on how they will contact you in the case of e.g. fraud.

I think that any phone calls from a bank about fraud should only be a notification and them telling you to "go to the website, the Contact page, there you will find a number to call in case of fraud". Without naming a web address. And the search engines should mark bank websites and the like as protected, so neither competitors nor scammers can buy ad space when people search for a bank by name.

I find there being little risk to giving a yes/no for "is this charge fraudulent" although maybe that's a higher risk than I anticipate.
"never give out any info on incoming calls". 100% agree. It's such a simple rule that I don't understand why it's not part of everyone's DNA. Should be taught at home and in schools, same as "look both ways before crossing a street".
I'm so skeptical of these "experts" especially if they write a blog post where they hate their bank.

I've been with Wells for over a decade. They have never called me. Never.

I have had "fraud" alerts hundreds of times. They always happen at certain POS, and it's always a text alert.

Some of the stories I read make me viscerally react with "what in the world are you doing with something as simple as a bank account?"

Also a fundamental default is "no action". If you are even slightly suspicious, do nothing. It isn't somehow so important that you stop thinking and just act or react. Just stop.

My wife used Well's Fargo, I've heard about how they don't like to bother customers, in fact they hate it so much they didn't even bother notifying customers when opening new accounts for them, or performing actions on their behalf to generate fees.
Also, no one asked for the account to be opened or for the fee-generating actions to be performed.

(They're still not out from under that Federal Reserve asset cap!)

> I'm so skeptical of these "experts" especially if they write a blog post where they hate their bank.

There is a nearly endless list of legitimate reasons for one to hate Wells Fargo.

The author does seem to bang on about his "reasonable assumptions" for how much Wells and Apple Pay suck, so he should continue the call! Like he's just too clever to follow the advice he'd give everyone else to hang up and call back.
I'm honestly surprised he even wrote this if he claims to be an expert.

He literally ignored half of what the rep was saying because he was busy fiddling with the computer, then willingly gave up all his personal information because of the distraction.

You would think an expert would know how to properly use 2 factor auth too. Giving someone the code is exactly how you defeat it.

I didn't read it as explaining why she should continue the call, just why she did continue the call. She's explaining why those things didn't immediately trigger the scam alarm. Nowhere did I see her claim to be too clever to do anything.

I found it an interesting read which details an experience which is far removed from how you expect a scam call to occur. It's interesting to read the signs which should have been alarm bells, but which were dismissed because nobody is perfect all the time.

The author very kindly addresses my comment in a PS:

I also, admittedly, allowed my cynicism toward my own industry and Wells Fargo to cloud my judgment; I didn't know the first thing about Apple Pay or Google Pay prior to this incident, but I don't have particularly positive experiences or feelings toward either company, and it's extremely common for the process of fixing someone else's mistake on large tech platforms to be nightmarishly convoluted.

Ultimately she did realise & fix her mistake - at some pace - lost nothing, and got an up-close view of a scam in progress.

> I'm so skeptical of these "experts" especially if they write a blog post where they hate their bank.

Really? That's the thing that makes you skeptical and feel the need to use scare quotes?

Banks suck. Hell, mine hasn't even implemented proper 2FA.

And Wells Fargo is so bad they've been caught scamming their own customers:

https://en.wikipedia.org/wiki/Wells_Fargo_account_fraud_scan...

The point is not that banks don't suck - it's that a professional will not inject that sentiment into a post on another topic. And if a professional does mention it, they will do so in a way that doesn't sound like blanket griping, but will instead focus on specific facts about that bank that cause them to recommend against them. And finally - it would be a former bank, not a current one.
I think it was important of the author to put that out there, expert or not. It made me take a mental inventory, and bolster my first-responder thoughts.
I've had other banks call for fraud alerts.

Once, I got a call about attempted activity on a debit card. The person gave the wrong last four digits of the card number, then the call dropped due to poor cell reception.

This was on Christmas Eve or something. I called the number on the back of the card, but they were an outsourced call center for card replacements. Fraud alerts had been outsourced to a different company, so they had no idea if the call was legit.

I went into the physical branch the next week, and spoke to a manager. They said it could be legitimate or not. I think we ordered replacement cards at that point, and watched the next few statements more closely than normal.

Honestly, the behavior of the scammer sounds more legitimate than the actual non-scam behavior of the last half dozen banks I've dealt with.

Scam reports like these really frighten me. If someone of above-average intelligence like the author can nearly be taken for a ride, imagine how easily our friends and family -- who are often far more vulnerable -- can be taken advantage of.

As the people most capable of remediating the vulnerabilities in our telecommunication and banking systems, I think we ought to close ranks and insist that our employers do a better job of protecting the innocent, even if it means breaking a few conveniences.

> imagine how easily our friends and family -- who are often far more vulnerable -- can be taken advantage of.

FUD. Hackers and scammers exist, sure, but your friends and family are always most likely going to be victimized by friends and family.

Outsiders have to work to collect intelligence, gain access and obtain your trust. Friends and family already have all three prerequisites.

Bernie Madoff didn't become the most prolific con-artist in history by cold-calling strangers. And consider what demographic is most likely to try recruiting you into the latest MLM scheme.

I'm not exactly sure how what you said contradicts my comment. Threats from families are "in addition to," not "instead of."
Why do you assume the author is of above average intelligence just because they work in a technology profession? I work in this industry, and I've met a lot of people even dumber than me in it, so intelligence can't be much of a requirement.
I'm not assuming she's of above-average intelligence because of where she works. The quality of her blog post speaks for itself.
(comment deleted)
I had a legitimate call from my credit union last month. They were following up on a problem I had reported with their on-line bill pay system. Toward the beginning of the call, they wanted to verify that it was me and they asked me to provide them with the 2FA code they had just texted to me. I declined and told them that this is what scammers do. They agreed with me and encouraged me to call them back at the number on my ATM card.

I thought it was really unprofessional of them to operate this way.

It's insane for them to request that you read a 2fa code to a human over the phone. Even if you called them. Escalate and get their policies changed, or get them fired if they're violating policy.
(comment deleted)
I have to give credit for sharing your story and how sophisticated these attacks can be. These scams work because we're human and don't always think rationally under pressure.
(comment deleted)
> if it was a scam, then this was clearly a bluff to try to reassure me, but he had WAY more information about me than I would expect an average scammer to have

you can purchase FULLZ from darkweb marketplaces, these contain name and address and social security number and often come with credit card details too

with that, you can do social engineering like this, you can also remote desktop into any computer nearby to their zipcode (from a different darknet marketplace of compromised computers being rented out) and purchase things online from that, making it less likely to be flagged

the idea that "scammers intentionally do obviously red flag things to weed out discerning people and just target susceptible people" is just one segment of the market. doing smarter more cunning things is entirely available and entirely lucrative

Be interesting to do a lookup on yourself, is there any information how you go about this ?
I mean you could try to find the large known leaks and go through them yourself

People just cross reference them and sell individual ID packs one by one

There were 15,000,000 people in the Experian leak alone. Most of that information is still valid, we've just gotten numb to it.

Merchants that care about customer support and reviews will just replace an ID for the consumer if its been used before

There isn't a way to try to find who is in a database without the source databases yourself. Merchants don't tell you how they found the aggregate data, they just have reviews from people that say if it was accurate data or not. You could try and ask a merchant if they have a particular person, but I doubt many merchants have a way to sort that themselves, as the files are no longer in a parseable database by the time it reaches them. The organized networks are corporations and conglomerates with separations of knowledge and duties.

All you would be able to do is purchase a FULLZ and get what you get.

Sounds like they’re not an expert after all, never give out information over the phone unless you initiated the call.
> And lastly, if you're reading this, Daniel Coffmane #1687979, whoever you really are: Well played.

I went to read the comments here to see if Daniel somehow acknowledged this

I expected some crazy new attack vector that was so sophisticated it could fool this Scam Prevention Expert, but this post is laughable. They fell for textbook "scamming 101" that my grandma knows to avoid.

Here's one tip for this expert – if you get a 2FA code over text or email that clearly has the line "we will never contact you for this code over phone or text" right under it, DON'T give it to a "support agent" over the phone.

> this is clearly a two-factor authentication code, meant to be entered directly into an authentication page. Which is normally not something that would be relayed over a phone call to a customer service rep. A concern that I raised to Daniel. However, he said that it was part of Apple's system, which they only had limited access to. An explanation that, as someone who works with computers, data security, and API integration professionally, I completely bought

And after reading multiple paragraphs of this person describing money literally taken out of their account in front of their eyes, you get to this line:

> Putting all of this together, the scales started to tip toward this potentially being a scam call, but I still wasn't certain

I really hope they don't have a lot of clients

I agree. I nodded along to the part about not assuming it's the victim's fault, and then this "expert" falls for an extremely basic, obvious attack. "Wells Fargo will not contact you by phone or text to request this code." -- maybe that should have been bigger and bolder, but it was there. This guy should not be allowed to call himself a "scam prevention expert" anymore.
There's a lot of text in that e-mail. The text you're referring to is perfectly positioned to be almost invisible -- it's in the last paragraph intermingled with the standard "if you have any questions, call us on blah blah blah" text. My brain skipped the rest of that paragraph the first 5 times I skimmed the e-mail.
Does a "scam prevention expert" really need to read that fine print to know not to provide a one-time code to an inbound caller?
The author mentioned that (1) they have had many poor experiences with Wells Fargo and (2) they don't have much experience with Apple but the experiences they have had weren't positive. I personally have had to deal with my fair share of janky and badly designed support systems (especially in health and banking), sometimes they are worse than startups. So it's not outside the realm of possibility that giving the support rep the auth code was simply the best solution they could find given whatever poor and legacy systems they had in their backend.
Listen, I responded to a particular part of my parent comment. Whether the author's given explanation for why she in the moment read the code over the phone is reasonable or if it proves that she's a fundamentally terrible scam prevention expert is a much bigger topic which my comment didn't touch on.
Anyone can fall for these attacks in the moment, even experts. That was the point of the article.

What makes us vulnerable is that we are human: we get tired, caught up in the urgency of the call and our logical thinking stops working.

The actual story of the article is that we need to design systems that are robust even when people are getting scammed. Able to identify and reverse scamming soon after it happens with easy ways to report it.

There are no experts in information security. It's just random people with in depth knowledge of some tiny subsystem they happened to feel like studying. They are literally all LARPers who will fall for every single thing aside from whatever class of vulns they specialized in. There is no way to use modern systems securely. Absolutely none. Even with 20 years of study you will still find new ways they are broken and where security forgot to be implemented.

All of this is a consequence of the industry being controlled by what is essentially a 5 year old: monetary incentives.

> Able to identify and reverse scamming soon after it happens with easy ways to report it.

Just make a site with a username / password where the user gets locked out forever if he forgets it. Do banking transactions by singing them with your public key, via a phone app. This is what I was complaining about not being able to do before smart phones became a thing. This is literally better than the tripe the 'experts' come up with. All these roundabout shit ways of authenticating people just add new ways of getting phished, exploited, etc.

Amazing that a security "professional" would wait until he is 100% sure it's a scam and not hang up when he isn't 100% sure it's legit.
This feels like an unreasonably nasty and condescending response to an article about how anyone can make mistakes in the moment. I thought it was a pretty good article about how easy it is to sit at your computer and look down at people who fall for scams, but that scams are effective precisely because they take advantage of mistakes and the fallibility of people - even knowledgable ones.

I feel like this comment misses the core thesis of the article - that condescension and expectations of human perfection are not effective ways to prevent social engineering attacks and that building systems that anticipate human error is a better approach.

even worse is spreading this attitude is something that only aids a scammer. Fear and shame at reputational harm prevent victims from alerting authorities, about alerting their friends. About getting help.

Worse than being wrong. Worse than just being a jerk. This poster is being actively harmful.

Yeah, I felt like I was taking crazy pills seeing comments agreeing with this nasty comment. Thanks for counteracting it.
> if you get a 2FA code over text or email that clearly has the line "we will never contact you for this code over phone or text"

I needed a cashier's check recently at $GIANT_US_BANK.

The teller initiated a 2FA handshake. The text said something like "never give this number to anyone, none of our representatives will ever ask you for it".

I figured scammers probably hadn't set up an entire bogus branch with yelp reviews going back years. I handed it over.

The check they issued cleared, from what I can tell.

If you think that's bad, try applying for a mortgage. It's 100% remote these days, with a mix of multiple communication channels, all bootstrapped with incoming phone calls, emails (and, if you're me, phone numbers from government licensing databases, followed by awkward call backs)

Caller would have gotten about five seconds worth of my time: "That's very nice. Please send an email. Goodbye". But then, I'm not an expert.