I think the only qualification for "security engineer" these days is changing your LinkedIn job description to "security engineer". Unlike SWEs, there isn't really any sort of standard leetcode bar for them, which is both a pro and a con.
That seems the opposite of true. They have pretty standardized certifications in the field. CISSP is much more consistent and predictable and known than random sampling of leetcode questions. Of course, you don't need to score 100% on the exam to pass it, and not being familiar with the content of the exam, I'm not vouching for it or anything. But it is effectively the equivalent of something like a CPA or CFA that Software Engineering has no analog of.
As someone who recently left a security job at a very prestigious and well known organization.. The person you're replying to isn't wrong. Certifications only prove that you took the time to memorize a set of concepts.
> CISSP is much more consistent and predictable and known than random sampling of leetcode questions
Even the CISSP is just a test of memorization - The ISC2 cert prep book is 10 miles long, but only about 5 feet deep (if that makes any sense).
Being a good security engineer comes with experience and knowledge of basic scams such as caller ID spoofing (something I did to my friends as a bored 6th grader). Being a good security engineer is having a keen eye for small changes and being skeptical about EVERYTHING.
Any security engineer worth their salt would never discuss anything containing PII on an inbound phone call.
>Even the CISSP is just a test of memorization - The ISC2 cert prep book is 10 miles long, but only about 5 feet deep (if that makes any sense).
Except passing the (broad, but shallow) test isn't the real reason why CISSP is a decent certification.
Passing the exam is just the first part. You then need to document at least five years of professional infosec experience[0] and have one or more current CISSP holders recommend you[1].
Experience and the approval of your peers are much better predictors of value/knowledge than a test.
That's not to say that every CISSP cert holder is a rock star, but it's a lot more than just passing a test.
If you spend time working in a field that requires a CISSP (like most info sec roles in the US government), you will meet plenty of people who crammed for a test but are otherwise completely incompetent.
I would not recommend viewing the CISSP as anything other than an attestation that someone can memorize a few concepts for a test.
What the heck is a “standard leetcode bar?” Who does leetcode to prove their worth as an SWE?
I know plenty of leetcode aces that couldn’t work on a real world application if their lives depended on it. Leetcode might test the ability to write some academic algorithm from some college textbook, but it doesn’t test real world.
There is a reason many top companies don’t use Leetcode or HackerRank: zero prediction of real world skill or systems thinking.
I've been a SWE and Seceng. Interviews are extremely similar and extremely easy in both cases. The bar for both is kind of a joke, and it's very much made up.
A corollary to Sturgeon's Law: 90% of any given field is shit at their job. I've met a lot of "Security Engineers" and I can assure you the pattern holds.
Then again, even the other 10% of any given field that is actually good at what they do still fucks up occasionally, so maybe we needn't judge too harshly.
I don't think it's fair to claim that the author is "shit at his job" because he doesn't know some (rather unintuitive and unexpected) trivia about how phone ID works. There are plenty of different roles in security engineering, many of which would never need to be concerned about this.
Everyone in the US with a cell phone is getting inundated these days with spam texts and calls with fake caller ID. It's almost inconceivable that someone with an American cell phone wouldn't know that phone ID is a lie, which is I think where some of the incredulity from other commenters is coming from. But I believe the author is from the UK, where the spam situation might not be so dire?
The recent surge in spam texts that show as having been sent by the recipient[0] has driven this point home for a lot of mobile phone users. For me, the fact that caller ID is fake was made evident when a spammer used my number as their origin ID for a wave of spam calls and texts, and I got ~100 voice mails and texts the next day kindly asking me to eat shit and die. Verizon support said that there was nothing they could do, that it was happening left and right, and that I was in no way legally or financially responsible for any of the messages purporting to be from me. This was in 2020, and the unreliability of long code origin ID numbers has come up frequently in my work as a security engineer for the past few years.
Yes. There have been multiple front-page news articles in the NY Times in the past month about people getting spam texts from themselves. The fact that caller ID is unreliable is part of the public discourse today.
FWIW, I had to answer the phone at my first office job in ~2005, and the office manual has a section on how caller ID was not trustworthy caller authentication. None of this is new, and it is odd that a self-described security engineer would blindly trust caller ID.
Awareness may have grown, but I'd put money on people at-large not knowing anything about caller ID spoofing, both in terms of its existence, and certainly in terms of its accessibility.
I think majority of older American is 100% aware of that.
I do see how young adults are still not aware of that since they are not valuable target and their info is relatively unknown (no mortgage on their name, no car loans, cell phone number is not old, they never sign up for sweepstakes in Las Vegas, etc.)
The job of security engineer is a very very wide spread one. Someone might be an expert wrt. detecting avoiding DDoS, RCE, encryption and/or signing that doesn't mean they are an expert in social engineering or phone security.
What's weird is, this is the sort of thing that many (not all) average people know because it materially happens to them. It doesn't even rise to the level of elementary professional knowledge that you'd expect of all but only of professionals.
After encountering everything from a taxi driver in NYC who didn’t know where Grand Central Station was, to a recently hired physics professor with a PhD (Univ. Cal. Davis) who didn’t know what a partial derivative was, someone having a particular job title means zero to me. It just means that someone, for some reason, is paying the person to do <job title>. But this guy didn’t do too badly, after all.
No, I mean the largest train station in the world, the central rail hub of the city, a famous landmark and tourist attraction. The official name is Grand Central Terminal, but nobody calls it that (usually just “Grand Central”).
I was curious about the "largest train station in the world" claim. I figured there would be bigger ones by now in India, say, or China. Sure enough, there are different metrics by which different stations can claim to be the largest. Nagoya Station in Japan, for instance, is the largest in floor area. Shinjuku Station, also in Japan, is the busiest by daily traffic. The Gare Du Nord in Paris is the second busiest by this metric. Apparently Grand Central is the biggest in platform capacity.
One thing that many people don’t know is that SMS caller IDs are also being spoofed more frequently. In the article the author mentions noticing that the authentication code came from a number the bank didn’t ever use.
Sophisticated scammers can spoof your bank’s phone number and send a message that appears in a thread alongside other legitimate SMS from the bank.
This is harder to do than caller ID spoofing, but has become more prevalent recently.
It all depends on what kind of security engineer this person is. The author writes about computer network attacks, tracking, and privacy violations. If their expertise is in preventing web application attacks, detecting fraudulent operations in the inter-bank payment systems or in finding signs of compromise in a corporate network, there's no reason for them to know about the intricacies of SIP and SS7 and the many faults of the international/US phone network when it comes to trust and abuse.
Really, "security engineer" is as vague a term as "programmer". Web programmers are programmers yet they don't necessarily understand the layout of virtual memory or the way the kernel interacts with userland programs, something many other programmers would consider essential for their jobs. A kernel programmer couldn't give two hoots about how Chrome's CSS engine works, but the vast majority of modern programmers probably do.
I've had lectures in university on natural language processing and data structures that were slowed down because the lecturer couldn't get the beamer to work right with his Macbook. You can't expect someone to know everything, even if it's in their apparent area of expertise.
I'd go so far as to say that any security engineer worth their salt will admit that they too are vulnerable to being scammed under the right circumstances and that anyone pretending to be unscammable is severely overestimating their abilities.
Not that I disagree, but I think the majority of sec engs do not deal with telephony or related fraud directly. In companies where fraud with caller ID and responding to it matters, that's often tasked to a fraud team dealing with account takeovers or a user onboarding team that offloads verification to a vendor like Persona -> not a security engineering team.
However, I think it's common knowledge that inbound identifiers like IPs, user agents can be faked and aren't great technical indicators to anchor detections on for longer than an active incident. That intuition should extend to caller ID IMO, if they didn't know it already.
Security engineers are basically expected to know everything. It's part of why I enjoy the work. But it's also impossible. "Understand the security implications of every nuanced technology decision" is not tractable, so we pick the ones we can and specialize.
POTS is rarely of interest to a security organization. You have very few levers to pull even if you do consider it a threat, since it's just fundamentally an awful system, and you can't tell people "don't use telephones". At best you can train people, but your concern is probably phishing via email.
Only a few people, at the company level, are at risk in terms of this sort of attack, compared to everyone being at risk (with regards to the company) from phishing emails.
So a lot of people just don't really think about it. Security engineers might hand wavingly say "phone numbers can be spoofed" but I'd bet the percentage of seceng that know how that works is very small.
It's true, being a successful information security engineer requires a very diverse understanding of technology and psychology.
Not one person understands all the technology in existence, and no one person ever will.
Also engineers come in different levels of experience. Just because someone doesn't have experience in specific technology doesn't exclude them from being an engineer in a specific field.
It was refreshing to read an honest post. If more people were willing to admit they don't know something, the world would be an infinitely better place.
My apartment has almost no phone signal so I started leaving my phone on airplane mode. Best decision I've ever made, it's been like this for 6 months now without issues. With friends and family I call through facetime/whatsapp/etc. anyway.
Agreed - As a minimum if the caller has no caller ID I don't answer unless I'm expecting such a call. If I answer the phone and get a long pause or clicks before I'm talking to someone, I'm very dubious of who I'm talking to and get their name and phone number so I can do quick background check and call them back.
With that said, I almost got duped by a good samaritan debit card scam about 20 years ago in Toronto.
A direct answer to your question, and depending on the cultures of where you live, you could say something like Hello, whom do I have the pleasure of speaking with? But that's very southern, so I could see many people not feeling that. I say Howdy, what may I do for you today?... Which I now recognize is also southern... But there's a lot of things you could say that distract from identifying yourself.
Along the topics others are replying with, I also don't answer calls usually, and have a call blocker so I'm only notified if someone from my contacts list is calling or if they are recognized by my network carrier as a verified business. Since businesses can also be spoofed, I still don't give any information and find out why they are calling, then politely hang up and call back myself, after first verifying the number in about to call is actually associated with the business.
Seriously, for the vast majority of people, the number of legitimately urgent calls from strangers is going to be vanishingly small. Why even bother answering?
Credit card fraud is not urgent unless maybe you know your card has been deactivated. They can leave a quick message if your relative is in the hospital or whatever.
This is my MO for unknown numbers these days (which I only answer when I have a reasonable expectation of getting a call from a new contact). Automated systems will just disconnect when they think they got a dead line. Humans will go, "uh, hello?"
I started doing this a few months ago, and the number of spam calls I've gotten from certain area codes that used to call me without fail at least three times a day has dropped considerably.
I've had good results from answering spam calls, following the prompt to get a human to "resolve this matter with the IRS" or talk to "Visa and Mastercard customer service" and just screaming into the phone when they come on the line.
Seems to get me on a "don't call this number" list after a few goes.
I also don't mind confirming my name. But I try to never say "yes" or "no" when they ask if something is right, I respond with "That is correct" or "That is not correct". That may be me being too paranoid of people editing the conversation to make it look like I agreed to something I didn't.
There was some point where I was getting a call that claimed to be a collection agency trying to collect on a DirectTV bill. I've never had DirectTV. They kept trying to get me to confirm an address, I kept informing them that I've never had DirectTV. They would usually hang up when I would press them on who their employer was. They often made the mistake of calling during my commute when I lived roughly an hour away from my place. So, you know, I had the time to kill.
> But I try to never say "yes" or "no" when they ask if something is right, I respond with "That is correct" or "That is not correct". That may be me being too paranoid of people editing the conversation to make it look like I agreed to something I didn't.
> The details of this scam vary, but it always begins with a call, usually from a telephone number that appears to be local. When the person answers the call, the scam artist tries to get the person to say “yes”—most often by asking, “Can you hear me?,” “Is this the lady of the house?,” or a similar question. By responding “yes,” people notify robo-callers that their number is an active telephone number that can be sold to other telemarketers for a higher price. This then leads to more unwanted calls.
> In some cases, the caller may record the person saying “yes.” Scam artists may be able to use a recorded “yes” to claim that the person authorized charges to his or her credit card or account.
I've probably read something similar at some point, made the change, and forgot the source that made me wary of it. Cutting the ends of the roast as it were.
I'm hostile to anyone who calls me until they deserve otherwise. Just "hello", "mhmm", "mnnn" kind of grunts. Kind of sad but 95% of phone calls that I don't know are from scammers/telemarketers.
> Any suggestion on how I should politely and professionally answer a call without giving away my identity?
I use "hello". It's pretty rude compared to how I was raised, but it's also the only way to not give scam calls the ammo they need to mess with me. So I can live with rude.
If I don't recognize the #, "Tech. Support, do you have a Contract # or Incident #?". Backed by a brusque "very busy professional, required to bill his hours" attitude. Human cold callers often identify with that - enough to either end the call fast, or to try no "hooks" to keep me on the line when I end it.
Just being a security engineer doesn't instill you with a defensive or paranoid mindset. I work with security analysts who use TAILS to browse random websites and security engineers who torrent cracked software and install whatever they find directly on their baremetal PC/laptop.
I would hope that a security engineer would keep up enough with news about security issues to be aware how easy it is to spoof numbers for calls and texts.
There are people in all manner of jobs that are just working a job and don't have a significant interest in learning all they can about their area of employment. IME security has a lot of people who see it as a hot new thing but don't actually invest their time and attention into maintaining an appropriate level of awareness.
Phone calls are one of the primary means of communication. If you aren't aware of how it can be compromised, you are not capable of adequately assessing security.
It is not like the spoofibility of phone numbers is some security industry specific news. It gets talked about all the time outside of tech given the prevalence of spam calls.
I also thought of this prior post. I believe it is the same scam and written up by someone also claiming to be a security researcher. It seems too on the nose to be a coincidence.
If your card is stolen and you become a victim of fraud, and they manage to take money from your account, and your bank already knows its fraud, there's no urgency on your end.
You'll get your money back. I'd go as far as saying that if the bank genuinely wants you to decide fast, it's not to protect you. It's to protect itself. Shenanigans about "do it fast or they'll take more" are bullshit always. The bank is on the hook, not you. So never do things in a rush, take your time to verify yourself that money indeed disappeared. There. is. no. urgency.
Sense of urgency is one of the best ways to make people do bad decisions. Salespeople use it, scammers use it. Nobody who is trying to be helpful will come with a story "that needs to be fixed now!!!".
If you still want to be safe, and you use a debit card, have 2 accounts. One with the bulk of your money without a card associated with it. One with the card associated with it and no more than whatever you spend in a week. If you use a credit card, it totally doesn't matter, it's the banks money, not yours that they'd steal.
So whenever you find yourself in a situation where someone wants you to decide something fast that you didn't know about and isn't a direct threat to your life, don't do it. Think about it first.
It's impossible to keep up with all the scams, but if you stop to think and never take rash decisions you don't have to. Slow is safe.
I'm well aware of the (lack of true) financial implications but I still get the urgency and need to speed up because of the violation and shock that someone is impersonating me RIGHT NOW! It feels similar to a physical threat, or enough so that our bodies react the same way. It is really hard to develop control unless you're exposed to this situation, so I like your strict yet general rule to (a) classify the situation, (b) slow down. Even enough time for 10 deep breaths is likely enough to get you centered and thinking clearly.
That's assuming the bank actually finds the transaction(s) were fraudulent when they do their "investigation". If they disagree with you and decide it wasn't fraudulent for whatever reason it's quite often a giant pain to argue with them and get it sorted out.
There was a relatively recent case of Bank of America deciding eight months later that it wasn't a fraud and clawing back their provisional refund. It turns out that the original card was intercepted in the mail and they simply issued a duplicate without preventing the use of the first, but it took the victim's attorneys to get the evidence from the bank, connect the dots and figure out this happened.
I got some details wrong; in particular, the initial dispute denial was after two months (with the Consumer Financial Protection Bureau agreeing with the bank after another two months), and the resolution followed NJ Advance Media contacting BofA.
The burden of proof is on the merchant. If they don’t have a signed receipt or video evidence they probably can’t win (so any online purchases are doomed). I’ve never failed a dispute in around 25 times, including several in the range of $2k+
No it's not. It's on you to persuade the bank it was fraudulent. If the bank doesn't believe it is fraudulent then they won't claw the money back from the merchant. Source: personal experience.
Exactly this. I bought something online. The company shipped it, but FedEx screwed up and sent it back to the merchant. The merchant never responded to me after that and then went bankrupt. I called my bank (Square) and they said it wasn't fraud as the package had been "delivered". I pointed out it had been delivered back to the merchant, and they said that still counted as delivered in their support script. They told me the only way to fix it was to call FedEx and somehow scam them into changing the status of the package online. I tried to get them to change their support script but they decided it was easier just to terminate my account instead.
This exact scam happened to a coworker's wife and the bank refused to consider it fraud since she "authorized" it by giving the confirmation code for Apple Pay to the attacker.
I find it interesting that this is the level of detail discussed with the bank. Our family has had 3 instances of unauthorized charges over the years, and the most we've ever done was to sign a form that basically says "we didn't make these charges"
Did they volunteer these details or were they asked? This is just conjecture, but sometimes when people volunteer too much information to front-line support you can get erratic responses if they latch on to superficial parts of the story rather than the underlying message.
i.e. support just hears "I gave someone access", and they close the ticket under "customer authorized someone else to purchase", because they're following a decision tree, not analyzing the root cause of a security incident.
This is one of the nice things with credit cards. I've never had an issue with a chargeback, and in the case where a card was stolen the charges were just reversed.
In general, banking customer service sucks. I try to buy everything on my AMEX. Their service is excellent. I've never had to fill out a dispute form or give them any kind of proof when disputing a transaction, just a short call and they take care of it.
If someone wipes out my bank account and I can't pay any bills, am I liable for those charges? What about the associated late charges? What about when service is terminated to my home?
If someone takes money from my account, it is absolutely urgent.
This is the primary reason why I stopped using my bank card for anything but the ATM at said bank. A scammer wiping out my checking account is more than an inconvenience, even if the bank only needed a day or so to replenish the account.
Now I use a "proper" credit card for anything. If a crook manages to run up a tab on that thing I still have all my cash for whatever scrapes may come along.
I had a friend who had their bank account cleaned out by a wire transfer of 200K in the same week he is trying to close on a house.
The bank executed on their promises of no disruption to his transfers; they told him he did not have to worry and the customer service was so terrific, he said he was going to stay with the bank.
"Did you ask if there were other accounts at the bank that had been accessed in this way?"
"A wire transfer to an international location went through with no red flags and 0 notifications?"
"Can you ask your security department to produce a report of their investigation into the matter?"
There is, if you have recurring payments on the same card. If the bank knows there is fraud, some won't honor even known recurring payments. The card may be outright cancelled.
If one of those recurring payments is, eg, your Apple icloud or personal gmail/gsuite/gworkplace account, you better hop to with the utmost urgency.
> Nothing the bank might want to talk about could be urgent enough to interrupt an unseasonably sunny March afternoon.
Wrong. Some banks, and with certain account types, the bank will absolutely make a courtesy call to you if something unusual is happening.
I had a call from my bank while spending a few hundred on cocktails in Bali (I'm from London), I hadn't used my card yet on that trip as I'd taken cash.
They also called me to check a payment into my account with an "unusual" reference; a joke from a friend returning the money he owed for a holiday I paid for, but which made it look like he was paying me for "special services".
They called me to query a payment at a home furniture store for a couple thousand pounds in a city ~300 miles from where I live only hours after I'd used the card near home; I'd driven to this particular store to check out the furniture.
If you're not sure, the _real_ bank will suggest you hang up and call their number found on your card or their website (or in your contacts list, where I keep it) and will never pressure you to answer or provide them information, and they'll NEVER, EVER ask you to read a security code out to them sent to your phone, or using your banking app.
EDIT: To further clarify; my particular bank's app, has, on rotation, a series of warnings, displayed each time I log in, saying things like "BEWARE; if someone [calls/texts/etc] asking/telling you to do [XYZ] ...", e.g. to get this code or that code, or do something else in this app, you're being scammed, "WE WILL NEVER ASK YOU FOR [XYZ]...".
I'm not at all confident that the real bank will never actually ask for you to verbally read a security code texted to you. This is how little I trust bank's security practices.
Here's a comment from a similar post last month, where the commenter believes the legit bank asked for a verbal confirmation of security code: https://news.ycombinator.com/item?id=30875233
(I suppose it's possible the commenter was actually interacting with a scammer there and still doesn't realize it?)
If you called in to Amex using the number on the card for certain things like fraud, for a while they would then text you a code in a message that says:
“Amex Fraud Free Msg: Your requested code is: xxxx. We won't call to ask for it. Don't share it. Call ######## if you didn't request it. Reply STOP to opt out.”
You wouldn’t be the requesting this text and code, the person on the phone would. And it says don’t share it. Maybe I was hoodwinked but it seemed really legit although in principle I refused to give it.
It seems so scammy, but I’d called the number on the back of the card.
Banks are dumb, really dumb, and they don't align. I have personally called the number on the card, and been asked to verify the phone by repeating a number they would send, which came with the standard "nobody will ask for this number".
I presume because I initiated the call they think it's ok, but it's still silly.
I agree with you. I think there might be a distinction btw inbound and outbound.
I think reading any code during inbound call is red flag for fraud. However, more than once i took the initiative to call ccs to unblock a large / international charges. The only way for the bank to verify my identity is for me to read the code.
So it is not true that you NEVER read ever. Maybe for inbound this should be true. But not outbound
Yeah, you can tell a lot by the attitude of the caller. A person once called my wife telling us about a potential fraudulent transaction on one of our credit cards. She was a bit worried so she came over and got me. The person started asking her about whether she made a purchase at this time, etc. I jumped in and told her to stop talking to the guy and call the credit card company back. The person chuckled and said "okay, sounds good."
We called the credit card company and there was indeed a fraudulent purchase, so yeah the real companies don't pressure you into unsafe things.
> I had a call from my bank while spending a few hundred on cocktails in Bali (I'm from London), I hadn't used my card yet on that trip as I'd taken cash.
Mine dit that as well a couple of times (Santander UK; my account was nothing special though I do travel internationally several times a year; it was a mistake every time and I never had any fraud with this card). The first time I took it, but now I would say that I cannot, end the discussion, and then call them to their known number. Also, I’ve never had a human ask me to read numbers from a text message. They (well, another bank, but still) do occasionally ask me to unlock their app using either biometrics or a PIN; they can see it in real time and that can only be done on a single pre-approved device.
Part of this comes indeed from not trusting the banks -- like, I know the banks do irrational insecure things, and I also don't trust that if I don't do exactly what they say they will actually cover me in case of fraud (which we know does happen, a lot, now).
Like, let's say I insisted on hanging up and calling the number on the back of my phone -- are there any cases that would be disastrous for me, would end up in me losing money, and I really should have stayed on the phone with the person who called me, who really was a non-fraudulent representative?
I honestly believe that there are no cases for that on a credit card. On a debit card, that might be different. This is why I never use my debit card for purchases.
This is the second very similar report on HN where the end-goal was ApplePay. There must be something poorly done in their card linking/payment process that hackers are targetting. I don't use it, so I'm not familiar.
Collectively, we software engineers that have security focus, have done a piss-poor job with 2FA. Users should've been trained from day-one that 2FA codes sent to their email or SMS should never, EVER, be repeated back to a human. All the additional text sent with the code should clearly and emphatically state that this number is between you and a website that you are reasonably certain represents a secured entity and that you explicitly requested during a login flow. It's like the combination to a safe: that code is between you and the dial on the safe, if it ever verbally leaves your mouth, you're doing something wrong.
Any orgs that use 2FA codes to authenticate a user to a CSR are screwing it up for everyone. Don't do that: you should be able to mutually authenticate using shared knowledge that a hacker isn't likely to have (not an address, FFS), like the previous transactions thing the OP requested. 2FA codes are for computers only.
What pisses me off to no end in Europe is that some banking systems require, in order to do a credit card payment, to provide the online bank account password and online bank account 2fa generated transaction code — requiring that both be entered as part of the payment process on any merchants website. It’s so goddamn stupid I can’t believe this exists. It’s so easy to fake this and use some sort of man in the middle attack to transfer all money away from an account. Plus it teaches ppl that it’s okay to enter one’s online banking credentials one-time generated transaction codes into random websites selling u random crap for 3€…
I don’t understand security researchers. Is it all just a bunch of hooey they sell or what?
> It’s so goddamn stupid I can’t believe this exists. It’s so easy to fake this and use some sort of man in the middle attack to transfer all money away from an account
An MitM attack is significantly harder than "I have your CC number and I'll use it with no authentication", therefore it does increase the difficulty for fraud. Though I haven't seen a requirement to enter the bank's password, my one requires me to confirm the transaction by opening the credit card provider's app on my phone which isn't vulnerable in the way you're describing.
Banks are supposed to do MFA. Some, apparently, are crap and require you to login while doing a payment, but most ask for a confirmation with an SMS code or the banks app, both of which contain who the payment is towards, and the amount.
I don't know for sure, but I suspect, that the reason that ApplePay is being targeted is because other means of credit card fraud at point of sale have become much more difficult with chip cards. ApplePay itself is also quite secure, but the process of enrolling a card in ApplePay is probably the weakest link. The card chip does not provide any added security in the process. I think that most banks use PAN and card security code combined with one time password by email or mobile to verify the cardholder. If a fraudster can crack this nut, and get a card fraudulently enrolled into ApplePay on a phone, they can use the card at point of sale, and point of sale is the ideal fraud target since the fraudster can remain mostly anonymous, and walk out of the shop with the stollen goods.
I appreciate that the OP calls out his bias towards bank mismanagement and "the system". Scammers (like this one) are using the stereotype to run their scams. Are bank systems often disjointed bureaucracies and less than stellar examples of best practices? Absolutely, but scams are so common now I believe it's time that we accept them as the default conclusion until proven otherwise.
I work with phishing content on a daily basis, ashamed to say I fell for a scam on a dating app once, but I was careful enough to use a burner credit card, cancelled it right away with no loss to myself. I don't think I can fend off a well planned scam or phish no matter how careful I am. At the end of the day I have to be a normal human being with predictable weaknesses and psychological vulnerabilities. Instead, I try to rely on security controls that don't rely on my psychological hardening.
I got a call from a bank and they said they wanted to verify my identity. I said, all due respect but you called me. I need to verify your identity. They sounded offended but told me how to continue the discussion when I called back. It was a legitimate call.
I was pretty annoyed that they didn't follow good identity practices by encouraging their customers to trust people who could be scamming them.
I used to get a call every two months from a service I actually use, to arrange their next delivery. The first thing they ask is for my date of birth and address so I can pass their security checks. Each time, there has been a really awkward silence for a few seconds when my response is "Nope".
The problem is definitely still the security of banks. They regularly call YOU and tell you that you have to verify yourself. It’s an incredibly stupid system.
We already covered this, but advice distilled from earlier comments
bears repeating;
One special class of vulnerable targets is security experts, and
top ranks. I remind my students that "pride comes before a fall" and
nobody is immune. While doing some training for <BIG INTERNATIONAL
BANK> someone told me they call it the "cocks problem". It's the
handful of 7 figure salary high flyers that get regularly pwned and
cause grief for everybody else, because they are "too cocky". Lowly
secretaries and desk staff are much harder marks. The more training
you give to people who think they're above it the worse they get. It
has to be pitched as participatory advice, as an invitation to
co-create a secure practice.
We saw this cavalier attitude just the other day with Boris Johnson
[0]. I bet Johnson was told time and again to use equipment that had
been checked by his security detail. And I still cringe thinking of
this one [1].
I suggest there's no correlation between domain knowledge and
behavioural invulnerability. Good security posture is a mind-set. I
also think it's a very strange combination of contradictory qualities
(or attitudes you can be trained to adopt) that are hard to describe,
such as high conscientiousness and humility mixed with utterly cynical
disrespect for "authority", high openness but brutally meticulous
self-checking and introspection. And definitely, never call yourself
an 'expert'.
I guess the common factor is that the most important thing is to be careful and follow the proper procedure to not get caught in a problematic situation in the first place, not to be overconfident and assume you are safe because you can handle any situation with your knowledge or skills.
> security engineers need to design systems that are resilient to them
The problem here, to a security engineer, is that we need better systems. I suspect they mean the hardware and software systems, although the 'system' includes the participants. The problem and solution space should strongly include people as it just was clearly demonstrated.
Could be an occupational hazard, having seen so many insecure and poorly designed system to have low opinions of them. Having low expectation of security practices sets a lower bar for acceptance of what's authentic. I can't say if I would be caught in similar circumstances without being in the moment. The two things I hope I'd do is see the tx in my own history and not tell a human a code. These are for machines to verify. I recall when everyone switched their system so PINs could be entered for machine verification and the human returning after. A machine sent code should also be checked by a machine.
A practice that does bother me greatly is how many different domain names are used by a company. Only subdomains should be used for any kind of official interaction (or perhaps period).
Question: Why banks do not implement bait/decoy codes for people that are aware they are being part of a scam? Wouldn't this provide them at least more information about the scammer? With all the technology that's available, why is not possible to let the scammer believe that he/she is doing a real transaction but behind scenes they are being monitored/traced? I'm asking out of my ignorance on the subject.
178 comments
[ 5.2 ms ] story [ 259 ms ] threadI really think that security engineers should know this.
Still, I'm glad he's not embarrassed to share his story, to help others be more aware.
Lot of snake oil in the field at the moment.
> CISSP is much more consistent and predictable and known than random sampling of leetcode questions
Even the CISSP is just a test of memorization - The ISC2 cert prep book is 10 miles long, but only about 5 feet deep (if that makes any sense).
Being a good security engineer comes with experience and knowledge of basic scams such as caller ID spoofing (something I did to my friends as a bored 6th grader). Being a good security engineer is having a keen eye for small changes and being skeptical about EVERYTHING.
Any security engineer worth their salt would never discuss anything containing PII on an inbound phone call.
Yeah. Clearly "security" means something different to him than it does to us.
Except passing the (broad, but shallow) test isn't the real reason why CISSP is a decent certification.
Passing the exam is just the first part. You then need to document at least five years of professional infosec experience[0] and have one or more current CISSP holders recommend you[1].
Experience and the approval of your peers are much better predictors of value/knowledge than a test.
That's not to say that every CISSP cert holder is a rock star, but it's a lot more than just passing a test.
[0] https://www.isc2.org/Certifications/CISSP/experience-require...
[1] https://www.isc2.org/Endorsement
I would not recommend viewing the CISSP as anything other than an attestation that someone can memorize a few concepts for a test.
I know plenty of leetcode aces that couldn’t work on a real world application if their lives depended on it. Leetcode might test the ability to write some academic algorithm from some college textbook, but it doesn’t test real world.
There is a reason many top companies don’t use Leetcode or HackerRank: zero prediction of real world skill or systems thinking.
Then again, even the other 10% of any given field that is actually good at what they do still fucks up occasionally, so maybe we needn't judge too harshly.
While this is more psychology than technology, that's very important in social engineering.
[0]: https://www.nytimes.com/2022/03/30/business/spam-texts-veriz...
FWIW, I had to answer the phone at my first office job in ~2005, and the office manual has a section on how caller ID was not trustworthy caller authentication. None of this is new, and it is odd that a self-described security engineer would blindly trust caller ID.
I do see how young adults are still not aware of that since they are not valuable target and their info is relatively unknown (no mortgage on their name, no car loans, cell phone number is not old, they never sign up for sweepstakes in Las Vegas, etc.)
The job of security engineer is a very very wide spread one. Someone might be an expert wrt. detecting avoiding DDoS, RCE, encryption and/or signing that doesn't mean they are an expert in social engineering or phone security.
You mean the post office?
Anyway, back to the point.
Sophisticated scammers can spoof your bank’s phone number and send a message that appears in a thread alongside other legitimate SMS from the bank.
This is harder to do than caller ID spoofing, but has become more prevalent recently.
Really, "security engineer" is as vague a term as "programmer". Web programmers are programmers yet they don't necessarily understand the layout of virtual memory or the way the kernel interacts with userland programs, something many other programmers would consider essential for their jobs. A kernel programmer couldn't give two hoots about how Chrome's CSS engine works, but the vast majority of modern programmers probably do.
I've had lectures in university on natural language processing and data structures that were slowed down because the lecturer couldn't get the beamer to work right with his Macbook. You can't expect someone to know everything, even if it's in their apparent area of expertise.
I'd go so far as to say that any security engineer worth their salt will admit that they too are vulnerable to being scammed under the right circumstances and that anyone pretending to be unscammable is severely overestimating their abilities.
However, I think it's common knowledge that inbound identifiers like IPs, user agents can be faked and aren't great technical indicators to anchor detections on for longer than an active incident. That intuition should extend to caller ID IMO, if they didn't know it already.
POTS is rarely of interest to a security organization. You have very few levers to pull even if you do consider it a threat, since it's just fundamentally an awful system, and you can't tell people "don't use telephones". At best you can train people, but your concern is probably phishing via email.
Only a few people, at the company level, are at risk in terms of this sort of attack, compared to everyone being at risk (with regards to the company) from phishing emails.
So a lot of people just don't really think about it. Security engineers might hand wavingly say "phone numbers can be spoofed" but I'd bet the percentage of seceng that know how that works is very small.
Not one person understands all the technology in existence, and no one person ever will.
Also engineers come in different levels of experience. Just because someone doesn't have experience in specific technology doesn't exclude them from being an engineer in a specific field.
I immediately tune out when anyone describes themselves as a security engineer.
This sort of thing is incredibly easy to forge these days.
Any suggestion on how I should politely and professionally answer a call without giving away my identity?
If it’s important, they’ll leave a voice mail and I can call them back.
The telephone is broken.
It also makes the battery last twice as long.
With that said, I almost got duped by a good samaritan debit card scam about 20 years ago in Toronto.
Along the topics others are replying with, I also don't answer calls usually, and have a call blocker so I'm only notified if someone from my contacts list is calling or if they are recognized by my network carrier as a verified business. Since businesses can also be spoofed, I still don't give any information and find out why they are calling, then politely hang up and call back myself, after first verifying the number in about to call is actually associated with the business.
Credit card fraud is not urgent unless maybe you know your card has been deactivated. They can leave a quick message if your relative is in the hospital or whatever.
"Ahoy" — Alexander Graham Bell
Seems to get me on a "don't call this number" list after a few goes.
I also don't mind confirming my name. But I try to never say "yes" or "no" when they ask if something is right, I respond with "That is correct" or "That is not correct". That may be me being too paranoid of people editing the conversation to make it look like I agreed to something I didn't.
There was some point where I was getting a call that claimed to be a collection agency trying to collect on a DirectTV bill. I've never had DirectTV. They kept trying to get me to confirm an address, I kept informing them that I've never had DirectTV. They would usually hang up when I would press them on who their employer was. They often made the mistake of calling during my commute when I lived roughly an hour away from my place. So, you know, I had the time to kill.
It's not overly paranoid. https://www.ag.state.mn.us/consumer/Publications/CanYouHearM...
> The details of this scam vary, but it always begins with a call, usually from a telephone number that appears to be local. When the person answers the call, the scam artist tries to get the person to say “yes”—most often by asking, “Can you hear me?,” “Is this the lady of the house?,” or a similar question. By responding “yes,” people notify robo-callers that their number is an active telephone number that can be sold to other telemarketers for a higher price. This then leads to more unwanted calls.
> In some cases, the caller may record the person saying “yes.” Scam artists may be able to use a recorded “yes” to claim that the person authorized charges to his or her credit card or account.
Used to be used a whole bunch for https://en.wikipedia.org/wiki/Cramming_(fraud) back in the days when you could subscribe to things via your phone bill.
I've probably read something similar at some point, made the change, and forgot the source that made me wary of it. Cutting the ends of the roast as it were.
I use "hello". It's pretty rude compared to how I was raised, but it's also the only way to not give scam calls the ammo they need to mess with me. So I can live with rude.
It is not like the spoofibility of phone numbers is some security industry specific news. It gets talked about all the time outside of tech given the prevalence of spam calls.
https://news.ycombinator.com/item?id=30869427
"I'm a scam prevention expert and I got scammed" (544 comments 20 days ago)
You'll get your money back. I'd go as far as saying that if the bank genuinely wants you to decide fast, it's not to protect you. It's to protect itself. Shenanigans about "do it fast or they'll take more" are bullshit always. The bank is on the hook, not you. So never do things in a rush, take your time to verify yourself that money indeed disappeared. There. is. no. urgency.
Sense of urgency is one of the best ways to make people do bad decisions. Salespeople use it, scammers use it. Nobody who is trying to be helpful will come with a story "that needs to be fixed now!!!".
If you still want to be safe, and you use a debit card, have 2 accounts. One with the bulk of your money without a card associated with it. One with the card associated with it and no more than whatever you spend in a week. If you use a credit card, it totally doesn't matter, it's the banks money, not yours that they'd steal.
So whenever you find yourself in a situation where someone wants you to decide something fast that you didn't know about and isn't a direct threat to your life, don't do it. Think about it first.
It's impossible to keep up with all the scams, but if you stop to think and never take rash decisions you don't have to. Slow is safe.
I got some details wrong; in particular, the initial dispute denial was after two months (with the Consumer Financial Protection Bureau agreeing with the bank after another two months), and the resolution followed NJ Advance Media contacting BofA.
12 CFR § 1026.13 (f)(2)
https://www.law.cornell.edu/cfr/text/12/1026.13
Did they volunteer these details or were they asked? This is just conjecture, but sometimes when people volunteer too much information to front-line support you can get erratic responses if they latch on to superficial parts of the story rather than the underlying message.
i.e. support just hears "I gave someone access", and they close the ticket under "customer authorized someone else to purchase", because they're following a decision tree, not analyzing the root cause of a security incident.
If someone takes money from my account, it is absolutely urgent.
Now I use a "proper" credit card for anything. If a crook manages to run up a tab on that thing I still have all my cash for whatever scrapes may come along.
The bank executed on their promises of no disruption to his transfers; they told him he did not have to worry and the customer service was so terrific, he said he was going to stay with the bank.
"Did you ask if there were other accounts at the bank that had been accessed in this way?"
"A wire transfer to an international location went through with no red flags and 0 notifications?"
"Can you ask your security department to produce a report of their investigation into the matter?"
Nobody asks those questions.
There is, if you have recurring payments on the same card. If the bank knows there is fraud, some won't honor even known recurring payments. The card may be outright cancelled.
If one of those recurring payments is, eg, your Apple icloud or personal gmail/gsuite/gworkplace account, you better hop to with the utmost urgency.
Wrong. Some banks, and with certain account types, the bank will absolutely make a courtesy call to you if something unusual is happening.
I had a call from my bank while spending a few hundred on cocktails in Bali (I'm from London), I hadn't used my card yet on that trip as I'd taken cash.
They also called me to check a payment into my account with an "unusual" reference; a joke from a friend returning the money he owed for a holiday I paid for, but which made it look like he was paying me for "special services".
They called me to query a payment at a home furniture store for a couple thousand pounds in a city ~300 miles from where I live only hours after I'd used the card near home; I'd driven to this particular store to check out the furniture.
If you're not sure, the _real_ bank will suggest you hang up and call their number found on your card or their website (or in your contacts list, where I keep it) and will never pressure you to answer or provide them information, and they'll NEVER, EVER ask you to read a security code out to them sent to your phone, or using your banking app.
EDIT: To further clarify; my particular bank's app, has, on rotation, a series of warnings, displayed each time I log in, saying things like "BEWARE; if someone [calls/texts/etc] asking/telling you to do [XYZ] ...", e.g. to get this code or that code, or do something else in this app, you're being scammed, "WE WILL NEVER ASK YOU FOR [XYZ]...".
Here's a comment from a similar post last month, where the commenter believes the legit bank asked for a verbal confirmation of security code: https://news.ycombinator.com/item?id=30875233
(I suppose it's possible the commenter was actually interacting with a scammer there and still doesn't realize it?)
He was 100% being scammed.
That would be stunning in it's own way! What a world.
“Amex Fraud Free Msg: Your requested code is: xxxx. We won't call to ask for it. Don't share it. Call ######## if you didn't request it. Reply STOP to opt out.”
You wouldn’t be the requesting this text and code, the person on the phone would. And it says don’t share it. Maybe I was hoodwinked but it seemed really legit although in principle I refused to give it.
It seems so scammy, but I’d called the number on the back of the card.
I presume because I initiated the call they think it's ok, but it's still silly.
I think reading any code during inbound call is red flag for fraud. However, more than once i took the initiative to call ccs to unblock a large / international charges. The only way for the bank to verify my identity is for me to read the code.
So it is not true that you NEVER read ever. Maybe for inbound this should be true. But not outbound
We called the credit card company and there was indeed a fraudulent purchase, so yeah the real companies don't pressure you into unsafe things.
Mine dit that as well a couple of times (Santander UK; my account was nothing special though I do travel internationally several times a year; it was a mistake every time and I never had any fraud with this card). The first time I took it, but now I would say that I cannot, end the discussion, and then call them to their known number. Also, I’ve never had a human ask me to read numbers from a text message. They (well, another bank, but still) do occasionally ask me to unlock their app using either biometrics or a PIN; they can see it in real time and that can only be done on a single pre-approved device.
Like, let's say I insisted on hanging up and calling the number on the back of my phone -- are there any cases that would be disastrous for me, would end up in me losing money, and I really should have stayed on the phone with the person who called me, who really was a non-fraudulent representative?
I'm not confident there are not.
I honestly believe that there are no cases for that on a credit card. On a debit card, that might be different. This is why I never use my debit card for purchases.
Collectively, we software engineers that have security focus, have done a piss-poor job with 2FA. Users should've been trained from day-one that 2FA codes sent to their email or SMS should never, EVER, be repeated back to a human. All the additional text sent with the code should clearly and emphatically state that this number is between you and a website that you are reasonably certain represents a secured entity and that you explicitly requested during a login flow. It's like the combination to a safe: that code is between you and the dial on the safe, if it ever verbally leaves your mouth, you're doing something wrong.
Any orgs that use 2FA codes to authenticate a user to a CSR are screwing it up for everyone. Don't do that: you should be able to mutually authenticate using shared knowledge that a hacker isn't likely to have (not an address, FFS), like the previous transactions thing the OP requested. 2FA codes are for computers only.
I don’t understand security researchers. Is it all just a bunch of hooey they sell or what?
An MitM attack is significantly harder than "I have your CC number and I'll use it with no authentication", therefore it does increase the difficulty for fraud. Though I haven't seen a requirement to enter the bank's password, my one requires me to confirm the transaction by opening the credit card provider's app on my phone which isn't vulnerable in the way you're describing.
I was pretty annoyed that they didn't follow good identity practices by encouraging their customers to trust people who could be scamming them.
One special class of vulnerable targets is security experts, and top ranks. I remind my students that "pride comes before a fall" and nobody is immune. While doing some training for <BIG INTERNATIONAL BANK> someone told me they call it the "cocks problem". It's the handful of 7 figure salary high flyers that get regularly pwned and cause grief for everybody else, because they are "too cocky". Lowly secretaries and desk staff are much harder marks. The more training you give to people who think they're above it the worse they get. It has to be pitched as participatory advice, as an invitation to co-create a secure practice.
We saw this cavalier attitude just the other day with Boris Johnson [0]. I bet Johnson was told time and again to use equipment that had been checked by his security detail. And I still cringe thinking of this one [1].
I suggest there's no correlation between domain knowledge and behavioural invulnerability. Good security posture is a mind-set. I also think it's a very strange combination of contradictory qualities (or attitudes you can be trained to adopt) that are hard to describe, such as high conscientiousness and humility mixed with utterly cynical disrespect for "authority", high openness but brutally meticulous self-checking and introspection. And definitely, never call yourself an 'expert'.
[0] https://news.ycombinator.com/item?id=31075558
[1] https://www.arrse.co.uk/community/threads/77-bde-twitter-fee...
I guess the common factor is that the most important thing is to be careful and follow the proper procedure to not get caught in a problematic situation in the first place, not to be overconfident and assume you are safe because you can handle any situation with your knowledge or skills.
Totally. I saw this Krav Maga instructor say:
"Now. I'm going to tell you one of the most effective self defence moves known in any martial art... run away!"
> security engineers need to design systems that are resilient to them
The problem here, to a security engineer, is that we need better systems. I suspect they mean the hardware and software systems, although the 'system' includes the participants. The problem and solution space should strongly include people as it just was clearly demonstrated.
Could be an occupational hazard, having seen so many insecure and poorly designed system to have low opinions of them. Having low expectation of security practices sets a lower bar for acceptance of what's authentic. I can't say if I would be caught in similar circumstances without being in the moment. The two things I hope I'd do is see the tx in my own history and not tell a human a code. These are for machines to verify. I recall when everyone switched their system so PINs could be entered for machine verification and the human returning after. A machine sent code should also be checked by a machine.
A practice that does bother me greatly is how many different domain names are used by a company. Only subdomains should be used for any kind of official interaction (or perhaps period).
Here you can watch video for taking down one of these call centers by police, not so long ago: https://www.delfi.lv/news/national/criminal/video-latvija-ai...
The bank said "we have no record of calling you" and it didn't stop there?
If they want a confirmation, they'd rather use an automated method. Like send an SMS: "Did you spend $X on Merchant, Inc? Reply with Yes or No".
They can't afford a human calling you for every fraud suspicion.
I find it quite amusing that the scam used the domain `people.ds.cam.ac.uk`, which contains `s.cam`.