226 comments

[ 5.0 ms ] story [ 254 ms ] thread
Interesting approach, I'd worry call times would get longer (annoying customers, increasing call center costs). I also wonder how many customer would actually check, if it's a small number then it seems like this just pushes liability to the customer.
In some jurisdictions I'm pretty sure you cannot shift this liability and this might just be a way for the bank to cover its own losses instead of ass.
My bank has done similar for a few years. If someone calls you, they ask you to open the phone app and you get an in-app notification (banner in the app itself, not OS related) that says “Click OK to confirm <rep name> is talking to you” (or some such). They can’t access you account details until you click it.
> If someone calls you, they ask you to open the phone app and you get an in-app notification

You mean that if a genuine bank representative calls you then they prompt you to verify it. A fraudster will not do that and if the customer doesn't challenge them then the scam can continue.

One of my fears around getting older is not having the wits to protect myself from bank fraud like this. I don't have a solution.

Enduring Power of Attorney (in the UK, now called Lasting Power of Attorney [1]) is a solution of sorts. You given up the ability to access your accounts to a third party, usually a relative. It's used when people lose their mental faculties and are incapable of acting for themselves; it can be elective, or imposed by the court in a very long process.

[1] https://www.gov.uk/power-of-attorney

Oof ... a PoA is a bit of a sledgehammer to crack a nut for many people, especially those who still have a perfectly fine mental faculty.

Most UK financial companies will have a third-party authority process. Its the sort of thing used to give professional advisors access to the account, but there is absolutely no reason it cannot be used to give other sorts of third-parties access.

The core difference is that a TPA is technically temporary (and thus will need to be renewed on a schedule, typically annually), whilst a POA is a more permanent affair and that's why a POA is a pain in the rectum to setup.

Scams can be so sophisticated in execution now that I'd quite expect someone to become a victim to one far before they otherwise appear to need the LPA to be used.

I have made it extremely clear to my older (not even elderly) relatives to never, ever agree to anything involving TeamViewer or any other kind of remote connection on a computer or phone. Take a number to call back if they want (do not agree to be called back later), then hang up and call me. And never, ever click anything in an SMS: not only can I not really explain how URL structures work, but companies keep using scammy-looking short URLs that even I can't tell apart, so complete interdiction on ever clicking a URL in a text is the safest way. And if I call saying I'm in jail, ask me for my car model and colour.

But I don't really know how to explain to them what is and isn't a scam on the 40 billion apps you're expected to use for banking, travel, parking, utilities, communications, everything with it's own security systems, quirks and bugs[1]. It's probably only a matter of time before a scam gets through (luckily the relatives are mostly not credulous enough or greedy enough to fall for most of them), but that doesn't mean I should execute an LPA and remove access to everything for their own good. Not least at that point they'll probably not be considered to be lacking capacity, a necessary condition for using the LPA, by the OPG just because they don't understand their mobile network's new login flow.

[1] which won't be fixed because most of these apps are consultancy effluence and they've been delivered and signed off on. So, the consultancy doesn't care any more and the recipient doesn't know how to maintain it even if they wanted to. Not only have they probably not got their own engineering these days, the app is an unmaintainable rush-job that is 90% technical debt and enough duct tape to get it over the acceptance wall before anyone notices. At best the issues will be fixed when the app is so completely untenable that another consultancy gets hired to rewrite from scratch. Then everyone gets a new app and a new set of "is this a scam" decisions to make.

Minor point but I’m pretty sure it’s just a grant of permissions to someone else without you yourself losing access
Right this thing only works if people are aware of it, but the only way for them to be aware of it is to do it every time. This Monzo approach is near useless. The one Sen described sounds quite good.
> Right this thing only works if people are aware of it, but the only way for them to be aware of it is to do it every time*

It need to be done every time and it needs to happen frequently enough that people internalize an expectation that anything else is sketchy.

Now, how often does a bank representative call you? For me it's like once a year when their fraud department thinks that one of my monthly bills is sketchy, even though they've been unchanging for years.

Is that enough to build an expectation? I don't think it is, particularly for elderly clients.

Whenever I get a call from somebody claiming to be X organization I assume it's a fraud by default and don't provide them with any personal information. It has worked fine so far, as far as I can tell.

This sounds like as much of an defence against internal attacks than against scammers.

Though it might be helpful if the customer noticed the attacker didn't ask for the confirmation and became suspicious, but that's probably a small number of people and scammers are very good at allaying such worries with plausible excuses.

Are there banks/companies proactively trying to trick customers? Call, then throw up some red flags, then educate? Especially for older customers a "near-miss" might be helpful to lower the risk of them getting scammed.
Pentesting for the elderly?

Sounds like a cool service.

Banks in my country send all sorts of emails with "scammy" subjects, and then when you open them their banner says "Don't fall for such scams" or "Scams start this way". Maybe if they added an option to opt-out of such emails, it would be pretty nice! Now it's just more inbox noise.

And of course, their "scam-like" emails end up in the inbox, while real scammers emails would end up in the Spam folder.

Banks in the UK do all sorts of scammy things, not for that purpose, but as part of their usual business

Judging by their frequent and long lectures about how I'd be liable for any fraud, it sounds like they've absolved themselves of responsibility too well to need to improve fraud protection

They send email from an unfamiliar domain, not the one customers know from their website, nor a subdomain thereof

They call customers and ask for security information

They ask for one-time codes on some calls from customers, but they also separately say it's something that only fraudsters do

All of the above risk causing customers to lower their guard to fraud

They fail to recognise repeat payees to validate payment details when taking international transfer instructions by phone, which risks fraud (if an invoice seeming to be from a regular supplier is actually from a fraudster) or other loss (if the payment details are misheard)

They also fail to recognise repeat payees when using transaction history to flag unusual activity, which only increases false positives, so it isn't as bad, but it's still annoying

> They send email from an unfamiliar domain, not the one customers know from their website, nor a subdomain thereof

Prime example, Santander

From: Santander <santander@email2.yoursantander.co.uk>

Subject: Know more about Facebook Scams

Congratulations Santander, you've now trained your customers to trust emails from domains like "email2.your<business>.co.uk"

(comment deleted)
I thought that only in my country the banks' "security" turned fucking retarded but it seems it's a global trend. Recently I received legit email from my bank with warning against scammers and the title was "The first step of the scammer will be will be sending an email, text message, or calling you". Is it a double intelligence test or they just admitted to being scammers?
> And of course, their "scam-like" emails end up in the inbox, while real scammers emails would end up in the Spam folder.

Perhaps you meant this the other way around?

Either way, I have received quite a steady stream of rather obvious phishing attempts directly to my inbox on Outlook.com. Once our twice a month I have a missed Amazon package, or some horrible debt, or an being investigated for tax fraud or other such.

No I mean that if my bank sends me an email with a scammy subject, it won't get caught in the spam filter because everything else is legit, like the From field, their verified domain, email signatures, and the body content. They use the same domain and presumably the same email address to send such emails and other important emails too.

But if a scammer sends me a fake email, it'll probably get caught in the spam filter of my email provider (hopefully).

Not for customers per se, but the company I work for will regularly send “scam” emails to us. If you click on the link you get assigned mandatory corporate phishing trainings. Makes you extra cautious.
One time at work I forwarded what I thought was a genuine phishing attempt to abuse at stupid corporate email like I was supposed to and they dinged my manager because I had remote images enabled or something. I don't remember changing this setting and this was on a computer they owned. There is no winning with these people. I have since turned off remote images in emails. If you have remote images in messages to my work email, I won't see them. I refuse to turn on remote images because as far as I'm concerned, that's my security policy.

I still forward all these "training" emails to abuse at corporate because if I'm doing extra work, they're doing extra work. Recently, they've automated this though because when I email abuse, I immediately get a reply saying congratulations, this was a test message. If this were a real bla bla... Anyway, I think it is safer to forward to abuse just in case.

(comment deleted)
Several banks I use do this all the time.

Except they don't do it as a teaching experience, but as part of their normal operations, and if you refuse to do the extremely sketchy, red-flag, never-do-this thing, you will not be able to get your task done.

I've been required to provide part or all my online banking PIN on the phone and my credit card PIN on a random sketchy website (as part of 3DSecure). Different banks. Both legit and repeated.

One thing I wonder is if this works when you call Monzo as well - once you give them your details, does the same thing appear in the app? Because that opens the door for a man-in-the-middle attack. Actually, in that case it makes the attack so much worse, because it legitimises the attacker.
Why not just have an ability to call in-app via secure voice chat?
Yeah, I didn’t get that either.
because they want to be able to dial a normal phone number to make your phone ring to get your attention.
hmm, WhatsApp rings my phone more than regular phone network and like me billions of people pick-up WhatsApp calls everyday.
this is true, but for most american's we still use a phone number and do not have any thing like WhatsApp, Signal, or Telegram installed on our phones. The phone number ring is still gold here.
Well that would rely on you being able to call Monzo in the first place. None of the numbers you are able to find take you to a person, instead infinitely redirecting you to use the in-app chat... which is more "Leave us a message and we'll pick it up on Monday" than an actual live chat.

Background: Monzo froze _all_ of my bank accounts for nearly 5 days after triggering some fraud protection measures. Great in theory... until you are completely unable to speak to anyone.

Wise will include a user-set keyword on all communications: https://wise.com/help/articles/2932695/watch-out-for-phishin...
This was tried long ago,then cancelled, in Turkey. Perverts will set it to something they want to hear from call center agent and trigger a call where the poor agent will need to read out loud.
Should probably be changed to a random string like “flying neon dollar”

Also wtf

That's pretty easy to work around if there's a will to do it. A single word, a character limit, a dictionary validation or a non-UGC generation are all pretty simple things to implement.
"Privacy & settings – where it lives now – is a natural home for it, but we think it should appear elsewhere too."

Seems like the next step would be to send an app push notification before the call and to have a banner that's visible as soon as you log in to the app. Some sort of visual indicator that appears everywhere in the app that you should not be on a call may also reduce an attackers chance of succeeding.

I don't know how iOS handles this, but on Android you can get permissions to check if the user is currently in a call. Often this is done to mute media when you accept a call, but I can also imagine any sensitive apps popping up a message on their home screen to indicate whether or not a real customer support agent is trying to reach out to you.

I don't think you can get details about the call that easily (like phone number and such) but with the right permissions it may also be feasible to maintain a scam number list based on user reports that sends out a notification when a known scammer is trying to call you.

Phone number is unfortunately not reliable, since it can be spoofed (and phone companies are broadly uninterested in doing more than the bare minimum to address this).

There are plenty of scams based on impersonating some official (FBI, IRS, etc). It's not hard to imagine a scammer spoofing your bank's phone number [0, 1, 2, 3].

[0] https://www.snbonline.com/about/news/scammers-can-spoof-an-o...

[1] https://www.westernbank.com/fraud-prevention/what-you-should...

[2] https://www.wellsfargo.com/privacy-security/fraud/bank-scams...

[3] https://www.fcc.gov/spoofing

> Phone number is unfortunately not reliable, since it can be spoofed (and phone companies are broadly uninterested in doing more than the bare minimum to address this).

I think this can be solved far more simply by only showing the notification/warning (or showing it more visibly) when the app detects you are in a call.

Right. I was commenting specifically on the effectiveness of

> with the right permissions it may also be feasible to maintain a scam number list based on user reports that sends out a notification when a known scammer is trying to call you.

What if I call the bank from another phone?
That's my biggest worry about this: That every app on my phone that considers itself important decides to attempt to notify me during every call, leading to a wall of notifications.
Disabling notifications is easy (hold notification, click "disable") so if it rolls out and you don't care, it's quite trivial to get rid of the notification wall.

So far, no apps that I know of have any such feature. If only one single app does it, it shouldn't cause a problem for anyone.

Many apps make this impractical by not separating the notifications into separate categories, so you either have to accept the spam, or break functionality that spans from convenient (credit card payment notifications) to critical (2FA push prompts that may only be accessible from the notification).

> If only one single app does it, it shouldn't cause a problem for anyone.

And that's how every app justifies doing it...

> Many apps make this impractical by not separating the notifications into separate categories

I can't say I share your experience. There are apps that spam you with notifications and intentionally don't use categories but I generally just uninstall those.

> Some sort of visual indicator that appears everywhere in the app that you should not be on a call may also reduce an attackers chance of succeeding.

Everywhere would probably be to distracting, but placing it on important screens (such as "verify transaction") would probably be a good idea.

yeah the UX is wrong. when they're on the phone with you the app should display a loud banner, and nothing when not.
I turn banner notifications off by default so it may not appear for a lot of people
I mean in the app, not as a hideable OS notification.
That's not not the right idea. The absence of a visual indicator is not a good way to let me know my current call is fraudulent. Especially since it's most likely most people will not have a call with their bank almost ever, so they'll not have any familiarity with the fact that such a banner is supposed to be there.
Unfortunately, the only way people are going to know to check in the buried menu is by reading that link. At which point that link might as well just say "if we are on the phone with you, the app will say so" [screenshot].
I don’t think you have thought this through. The fraudster call you, the app display nothing and you have no indication that anything is amiss.
yes but there's no way a customer would know to check in the menu in the way they've implemented it to know that the call is valid unless they already knew about it. at which point the customer outreach is the same.
(comment deleted)
Both a good and bad idea. Obviously dependency on a side/control channel limits this.

Better? Mix and broadcast authentication beacons over the audio channel. If it got there, by whatever transport the audio did, you're good to use them as a MAC against some key.

Can you expand on that? I don't understand what you mean.
Sure, what I'm specifically addressing is "can we do it without the internet bit?", because as a security solution I see it as a bit of a problem relying on that. Since the person is calling with a duplex audio link already, by GSM or whatever, why not use that?

There are many, many ways (modems of a kind) of putting an (almost) inaudible signal into audio. Those could easily be short message authenticators, just a sequence of digits that derive from some frames of the audio, they might sound like little high frequency blips. Can you see how that might work?

[edit]

Forgot to say; those frames would get hashed along with some private part of a public key, or sym-key that only you (the user) has. A fake caller wouldn't be able to spoof them easily, and so they wouldn't decode at the client side correctly.

How do you expect that to work? Their app would either need to have access to all your phone calls, or you'd need separate hardware to detect and authenticate the audio?
Correct, an app would need to read the audio stream and do some preparatory DSP to extract audio short codes.

Of course you could build standards in at a point closer to the radio basebands. I mean, why is basic source authentication not built in as far back as SS7 given we had the technology even in the 1970s?

The only time you'd be using the app would be if receiving a call from an untrusted caller. And if you don't trust the app period, then the game is off anyway. In theory the same app could hold certs from a number of "trustworthy" sources you might like to check; much like a TLS certificate.

But in the end you'd wind up with too many, and hard to keep track of, and then buffoons like those from the EU commission would be wanting to "force trust" upon you to authenticate "approved government sources" - Which sadly is the problem with all source authentication schemes that work with PKI this way. You really need to keep the application layer relation 1-to-1.

I prefer simpler, elegant solutions - like your bank should never call you or push ANYTHING which is why I called it both a good and bad idea, and generally I distrust the whole ecosystem, of "apps" anyway.

> what I'm specifically addressing is "can we do it without the internet bit?",

Monzo could open some branches, where it's somebody else's problem to verify the identity of the staff in the building and you can be quite certain the person behind the desk is in fact an employee

(Edit: I know they're a 'challenger' bank)

Well tbh with you that's how I bank, and I agree with you.

I think that "app based" banking is a shitshow, and will only get worse, and ultimately more insecure. The entire economic strategy of dehumanisation is a catastrophe in the making.

And clearly there is no genuine market demand for it, people hate it with a passion, but it's being forced on the population, probably for other reasons more nefarious than "convenience" or "efficiency".

That said, if you're going to do telephone banking with another actual human over an audio or AV channel - which is an acceptable mode of interaction for me - then you may as well employ that information stream for more sophisticated authentication as we go into the age of AI deep-fake voices and video.

Because authentication doesn't need a terribly large bandwidth, indeed we can do it with tiny amount, side-channels within the audio stream see a good leverage point.

Do you think telephone-based banking is more secure than app-based banking? What's your argument for that?

My experience with talking to banks on the phone has been that common security measures seem laughable to me - like "last four digits of your SSN" laughable.

Good question. Yes I think it's more secure if complemented with other good mechanisms. I agree that the current state of most voice based schemes is pretty poor. But those that involve a separate codebook can be quite tight.

Like all things it's more secure in the hands of people moderately educated in protocols and sufficiently sceptical.

A general security problem, perhaps a paradox, is that the more we try to hide it for "convenience", the more opaque and automatic, the more people come to blindly depend on the mechanism at some other layer and stop thinking.

I suppose what makes voice based interaction more secure is that it's slower. It gives more time for levels of security in depth and for people to figure out something is amiss.

But we'll have to see how that pans out with sophisticated voice-spoofing technology because I expect most people, even well educated and sceptical ones, are easily flipped into trust mode by the sound of a seemingly familiar voice and some clever replay attacks.

I have another idea for Monzo: never call people.

You can't rely on people being able to talk on the phone for accessibility reasons, so it should never be necessary to call people on the phone.

Instead, handle things by the app or wait for customers to call you.

From that article:

> Remember, we will never call you without arranging it with you first through in-app chat.

Right - so why not simply ask people to call them? It would make it a lot simpler to ensure there's no fraudulent calls. No need for some fancy verification method like the one outlined in this article.
The app verification method is better - it helps protect against people being tricked into calling a fake number (through a deceptive text message, email or internet search).
If people can be convinced to use the app for verification, why can't they be convinced to use the app to find the correct number to call? I think the latter is much more natural for most.
I also like that I can skip a lot of the authentication steps by requesting a call from within the app - that way they already have a head start on identifying me when the call starts.
Ally Bank on the other hand has outsourced its debit card to the worst possible company out there. They called me and asked me for my social security number. I said is this a security training? Are you testing me? He said no, my card was recently used (it was me I was trying to withdraw USD 400) and I said I refuse to either confirm or deny anything on an incoming call.

This RUDE person said well my debit card will remain locked until I answer their questions. I said fine I'll call my bank.

My card remains locked to this day.

While their security practices sound woeful and you did the right thing, why haven't you called your bank to unlock your card and give the feedback that the outsourcing is awful?
It's probably less effort to switch to another bank.
With those security practices in place, locked is probably the status the card should have.
Who says it’s their security practice… The way the top post is told, I would assume the call to be made by an attacker . :)
> person said well my debit card will remain locked until I answer their questions

You also have the option of reporting them to your state banking regulator [1], the CFPB [2], the FDIC [3] and FTC [4].

A polite way to do this is to write a letter to your bank explaining what happened and Cc’ing the regulators. It will tend to get escalated to their legal department and has a chance of forcing policy change (and producing compensation).

[1] https://www.consumerfinance.gov/ask-cfpb/how-do-i-find-my-st...

[2] https://www.consumerfinance.gov/complaint/

[3] https://www.fdic.gov/contact/

[4] https://reportfraud.ftc.gov/#/

What's your approach for "cc'ing" on a letter?
Cc'ing comes from letters. The usual approach is to send a copy of the letter to each recipient in the cc list
Yep. CC means “Carbon Copy”, as in I’m writing this letter once, and using carbon paper to make copies as I write it. So the main recipient would get the primary copy and the CC recipients would literally get a carbon copy.
This made laugh so hard. I love these kinds of discovery as people make that to some are so obvious.
That's ridiculous. I have a similar story with Citibank. I decided to buy an M2 Macbook Pro less than 30 mins before the nearest Apple Store closed. So I ran to the store and, in doing so, forgot to bring my wallet. I figured it wasn't going to be an issue, since I have all my cards on Apple Pay.... but as it turns out, attempting to purchase with any of them resulted in a fraud block.

The Apple rep told me Amex was the worst, so I figured I'd call Citi. The person on the phone said "I've just sent a code to your phone". I got the text, which reads (and I quote): "Citi ID Code: 671865. We'll NEVER call or text for this code". I told him "this text says you'll never call for this code, yet you're on the phone with me asking me to give it to you". He laughed and said "yeah, I know it says that, but you have to read it to me"

I reluctantly read it to him, he unblocked my card, I tried purchasing again and it got blocked again. I ended up having to run home to get my wallet and run back. The Apple rep was kind enough to let back into the store with like a minute left before it closed.

This was ~6 months ago. My Citi app says my card is blocked to this day and that "[they] need to speak urgently with me", yet I can still make purchases with it as if it weren't blocked. I'm letting it linger in this limbo state to debug what happens. I have also never used this card again unless the POS really won't take Amex.

Semantics, but important: they said they’d never call or text YOU for the code.

In this case you called them and they asked you.

Yeah, I noticed that as I was writing the comment but I was too invested to backtrack at that point lol
Amex actually once did the same to me several years ago when trying to verify my identity while talking to them.

I refused on a couple phone calls. I forget whether in the end I gave it to them or not, the details are hazy. I do remember I left feedback.

To my knowledge, Amex actually stopped that practice since then. Because as you note with the citi experience, it is bad.

Amex asked me, via text, to call a number they provided to verify a potentially fraudulent charge and the first thing the number you call asks for is your full credit card number, all digits, not last four, all of them. The line doesn't even identify them as being from amex (not that you should trust it).

I called the fraud line on the back of the card (which was different than the number in the text) and they confirmed it was authentic but man, everything about that is straight up phishing.

TD Bank is also one that's horrible. Their online banking portal is myonlineaccount.net which is straight up a domain you'd use for phishing.

My mortgage got sold to M&T Bank whose web presence is at www3.mtb.com. I love that for them. I wonder what happened to their cert/HSTS setup on www ;)
But then what do you think the code is for if you can't confirm your identity with it when you call them? This is how it is supposed to work!
I generally use it to log in to my account as 2FA or when shopping online when some merchants also implement a payment process that taps into Citi's, when it also requests it as 2FA. Meaning I'm using it myself in some software rather than handing it over to someone else (even if by using software I'm also technically giving it to someone else)
(comment deleted)
> I'd call Citi [...] "We'll NEVER call [...]"

Those are 2 very different things! Indeed they did not call, you called.

> yet you're on the phone with me

That wording is specifically ambiguous as to who placed the call.

Citi’s fraud prevention and identity verification systems are absolutely bizarre.

I’ve had them block my card and refuse to talk to me until I read them back a code from a letter in the mail more than once. The code is single-use, so this adds about a week of latency.

On the other hand, they once called me about fraudulent transactions on my card and didn’t hesitate at all to ask me for very personal details on that inbound (to me) call. I hung up and wasn’t able to get back to whatever department made that call due to the reasons above.

I had a similar experience with Sainsbury’s Bank in the U.K.

Called me out of the blue after a failed transaction, I refused to give them the info they wanted and so they locked my account. Unlocking needed me to send them physical info that would have cost me.

Easy to sign up for an alternative. Lost a customer after 15 years. Well done Sainsbury’s Bank.

It's unbelievable how bad at security financial institutions are. At an old job I had to set up our company with the accounts payable system of a customer. They used a system run by US Bank. They told us that we would receive set up instructions by mail, and a week later we got mail. It said "to begin the set up process go to https://bit.ly/..." and I knew I was being phished. Then I stopped to think and how would anybody know to send the set up packet to exactly the right place at the right time? Must be an insider. So I called US Bank, and they confirmed to me that the packet was in fact legit and this was supposed to be a bitly link. JFC.
When the WF credit cards were leaked someone claiming to be WF called and asked for my CC# and SSN to see if I'd been hacked. I laughed and told them that if they are hackers they can go F off and if they are truly WF then I need to speak to the manager immediately. I never got to chat with that manager.
This is disappointing to read. I've had nothing but excellent service from Ally. Whenever I've called their customer support, they are quick to answer, polite, competent, and have always resolved whatever problem I was having. But, I don't use their debit card.
Ally remains my favorite and main bank. It is just really complex and difficult to run a national bank as seen by out darling simple bank getting passed around like a hot potato before disappearing entirely. I think simple never really had a chance.

I have nothing but good things to say about ally itself.

I was recently a target of a UK online bank phishing scam (not Monzo). They were highly sophisticated. They knew details of recent transactions, including bank transaction numbers that don’t show in any qif export or anything. They had a plausible reason to call (based on said visibility). They had researched my name and everything about me and my family that is online. They faked caller ID. Their ‘patter’ was so advanced that I do not know this extra layer of protection would have helped much. Luckily I didn’t finish the steps and lost no money.

It is clear the bank has had a severe exfiltration event. There are other reports that online. IMHO the law should make banks report breaches to the ICO and a record of the nature and size of the breach be public.

Through the process I learned that in the UK you can call 159 to directly contact your bank fraud dept (most banks) https://stopscamsuk.org.uk/159

I also learnt about the police’s Action Fraud hotline to report cybercrime. https://www.actionfraud.police.uk/what-is-action-fraud

The phisher was very determined. They called back in 15 minutes claiming to be from the bank fraud dept returning my call. Then 2 weeks later they called back claiming to be from Action Fraud.

However prepared you think you are for such an attack, my advice is to have utmost caution for every single call from anyone claiming to be anyone.

I also have a Monzo account. Even if they called me I wouldn’t use this. Hang up. Call them. Don’t let them call you.

Could the breach be at an Open Banking service that lets you view and aggregate your bank details such as Emma, Money Dashboard, TrueLayer? Some marketing/voucher companies are also using this sort of integration now such as Airtime Rewards.
This is possible. I had the account linked to a very well known and popular service that is owned by another bank. I don’t want to use names. But “bank transaction ids” were known I do not know if this is part of the spec. My theory was some export from bank 1 for openbanking was breached or in bank 2’s import was breached. But the news items are about bank 1. Also, they knew details like the date of account opening which was different to date of first transaction. I was not using openbanking in many places but I have now turned it off everywhere.
What about stolen mail? Would any of this details be in a bank statement?
No paper bank statement. No email bank statement. Only qif/csv export. iPhone app only (not web). Fairly sure it was either an inside job and/or openbanking API implementation.
[flagged]
But the very last line says they wouldn’t trust this feature and they have a Monzo account?
I am usually this cynical, but they don't really even support the post, they urge readers to hang up and call directly.
It’s not coincidental. I had a story to tell and didn’t want to use my main account. Monzo is OK and I have a 2nd business account with them. I find it expensive personally, at £5pm, since other banks offer free service and per transaction costs that total less for me. After the phishing attempt I moved to NatWest, of all places.
> Hang up. Call them. Don’t let them call you.

This is the golden advice. Never, ever speak to anyone about anything important if they contacted you. Call, text, email, whatever. End it and you contact them.

It doesn’t matter if it’s the bank, power company or telco. Even if HR called me or the CEO. Hang up, call them back. It adds 5 seconds to ensure all is good

(comment deleted)
> This is the golden advice.

This bears repeating. It's so simple to check in using another known-good contact method, and btw phone calls are still cool.

As everyone else is rightly saying, phone calls are only still cool if your bank or other institution agrees, which some do not.
> btw phone calls are still cool.

Not to large corporations. Have you called one lately?

It's a minimum of five minutes of bartering, begging and pleading with the IVR to let you speak to a human, and even then a successful outcome is anything but guaranteed.

Usually doing what the IVR asks is the slowest path. Confusing it by mumbling nonsense so it thinks it can’t understand or ramming never-ending DTMF tones up its input buffer until it chokes works well. For certain companies and certain departments (usually where my ongoing satisfaction is a concern for the company), I’ve sometimes found yelling repeated expletives at the hold music gets me connected faster. I have nothing to substantiate it, but my conspiracy theory is that there’s a customer rage meter that can be gamed (remember “calls may be recorded for quality assurance“). By contrast, when my call is a pure cost center (e.g. product warranty claims), I’ve found there’s a mandatory hold time to encourage you to hang up.
> yelling repeated expletives at the hold music gets me connected faster

The confirmation bias is real!

> It adds 5 seconds

Depends on the bank.

Some make it almost impossible to get past their IVR, which always claims to be able to help you with any issues you might have (as long as the issue is wanting to know your balance and last three transactions).

Why are you banking there? Switch banks. Don't be a victim.
I did. Ironically, it was almost impossible to get to a human representative to close the account: At one point, the IVR would literally end the call after authenticating me due to "problems with your account" (presumably my pending/stuck account closure request).
It may add up to 20 minutes if the waiting line is long.
> Even if they called me I wouldn’t use this. Hang up. Call them. Don’t let them call you.

This has become increasingly difficult in my experience. Where calling the local branch I have the actual relationship is just dumped into the IVR. They make it very hard to speak to an actual human being bank employee.

All I can get is callbacks for some places. This is newish. You can call, wait in the queue for 20+ minutes, get routed to voicemail, and leave an option for a callback. That’s it. And the CSRs won’t reveal any semi-secret info to confirm who they are, they just want info to confirm your identity. It is frustrating because “calling them first” for anything billing related has been my go-to for a decade.
I just make them tell me how to do it.

If they are behind an annoying IVR they usually know how to get back to themselves.

Of course don't take their word on what number to call, make them point to a part of their website that shows the number.

The (US) banks I've experienced will give you an "incident number"[1], you can call the number on e.g. your credit card or bank's website and say you have an incident number and you'll be connected to a rep who can pull up the details.

[1]: or something like that, I forget the exact words

Might be nice if you could enter that incident number from the initial phone menu instead of waiting for a human first.
My card has an international number which is US +1-(AreaCode)-XXX-XXXX. It used to bypass the IVR and send you directly to the top of the queue to a CSR. Because who has time to putz around the IVR when you're paying .25-.50/min to make an international call. Sadly, because some customers figured it out, it just routes you into the queue.
I have experienced an increase in just flat out hang ups as well. If the automated system doesn't understand you, it'll just say "it looks like we're having a problem, goodbye". It's infuriating.
On landlines IIRC there is some feature that allows them to stay on the line after you hang up. So when you try to call the bank, you get the scammers again.

https://security.stackexchange.com/questions/100268/does-han...

So try to call the bank from a mobile.

Now that is insane. Totally sounds like one of those things that paranoid old people believe about newfangled technology, but nope, just extremely weird protocol design.
> just extremely weird protocol design

Its not really weird if you look at it in context.

People who are not Gen-Z whipper-snappers will recall the era.

Before cell phones, before DECT home phones, before wireless cordless home phones you had fixed phones.

You had a master socket and then, optionally, one or more secondary sockets (depending where you lived, you were either permitted to install these secondary sockets yourself, or you had to call in the telco to do it).

Anyway, so what would happen is that your friend from school would call you up. Inevitably your parent would answer the phone because they were, for example, in the kitchen cooking your dinner.

There would then be a shout across the house "Bobby its Johnny ... AGAIN !".

The call-transfer process would involve your parent hanging up and you picking up the nearest secondary handset.

Hence the exchange needed to keep the A-end of the call live whilst you completed the B-end "transfer".

The same generation of people will also recall the ability to abuse the mechanism to quietly spy on someone else using the phone. :)

In the US, Bobby would pick up the second handset before the parent hung up the first.
Shouting across the house, "got it!"
... although they can hear each other through the devices in their hands. More likely the person in the kitchen just put the handset down on the table and continued cooking.
UK analogue strowger exchanges did not permit the called party to clear down the line - that was the job of the calling party. A legacy function of being 'patched through'.

"Called Subscriber Held", a feature that was carried into early digital exchanges because people expected it to work in the manner you describe, even though afaik it was designed for the other purpose of keeping the line open whilst operators patched it through, trunk lines picked up the tone, etc.

My grandpa was a something like chief engineer for the West Coast of Scotland phone network. I have so many questions I wish I could ask him these days.

It's still weird and unnecessary. This happened everywhere, but people just picked up the phone before the other person in the house would hang up. You mention it yourself because of the ability to spy.
> Now that is insane.

Remember it used to be a switched physical circuit. In the early days the switching was done by people, later it was automated. But you still had a circuit from phone to phone.

When one side hung up, the circuit is still live. Eventually it timed out and the switch disconnected it, but it took a while (don't remember how long). So you could hang up a phone, walk to a different room and pick up another phone and the same call circuit was still live (as long as the other side didn't also hang up meanwhile).

It's worth noting that many landline phones now allow you to enter a number that you're intending to call, then pressing the call button at which point the number is automatically dialed.

If the dial tone is heard at all, it is for a very brief period, and might be entirely missed. This would make the scam you're describing even more readily achieved.

On further reflection ...

... the autodial feature may well be waiting for dialtone in order to dial. I've not looked into this and you're probably best off testing this yourself on your own equipment.

This also exists (existed?) for mobile numbers, and was used by newspapers to 'hack' certain celebrities' voicemail. Including some cases where they deleted existing messages when the mailbox was full, so they could get more.
I thought they just called their phones when they weren't in and used the default voicemail PIN (which most people don't change) to access their messages.
either default pin or guessed based on publicly available info. calling from their line was also done to get at more mailboxes.
This was, IIRC, a regional thing based on how the internal network was set up And all the legacy stuff. Half the country experienced this and the other half didn't so it always causes fun stories like this And expected gotchas from those who are learning it for the first time.
Which bank? (Slightly worried UK resident here!)
One of those on the 159 programme https://stopscamsuk.org.uk/159

Honestly, I’m not sure it matters. They’ve all had such incidents. I read somewhere that about 30% of your fees and mortgage interest go toward fraud mitigation,monitoring, and restitution.

I always live by these rules

- call them back, don’t talk to them

- ask why you need to do anything. It’s exceedingly rare a bank would call you to do something legit there and then. “I will do it later” will help. In fact that’s how I caught the phisher as I noted the aggravation in 1% of his voice.

- use credit cards, not debit cards, for purchases. They have far more protection.

- use all the 2FA and password complexity you can

- never use real info for challenge questions. Never use maiden name of mother etc. you can put “14 green fish” as the answer to the question if you like.

- make sure they are FSCS regulated, and try not to exceed that limit.

- understand FSCS does not cover you most phishing attempts, since the bank will claim they tried to warn you and were not negligent

- use private tabs for bank interactions

Through this experience I have learned not to trust “what we know about you” information they share. Do not underestimate HUMINT. A bank snitch could give up something as seemingly innocent (to them) as your “join date” and it be a lynchpin piece of info for a scammer.

This may all seem obvious to an HM reader. But it’s worth refreshing and reiterating.

These are by far the hardest kinds of fraud for banks to deal with right now. They’re so convincing that even when the bank detects them, the customer still demands the transactions go ahead because they’re so bought into the fraudsters. We need this kind of authentication to become normal for everyone for any transaction.
> IMHO the law should make banks report breaches to the ICO and a record of the nature and size of the breach be public.

The law already is that they should report breaches to the ICO, at a minimum you should report this to the ICO and if you can you should name the bank, possibly right here in this thread so that others have a chance to find out. It's a throwaway so why not use it?

> Hang up. Call them. Don’t let them call you.

Louder for the folks in the back. All bank cards should be required to print this on them.

I got a call from Amex fraud prevention and the voicemail explicitly told me to “Call X or the number on the back of your card” which I really appreciated.
The best advice for dealing with this kind of fraud is knowing that there are exactly three things that can happen in a conversation with the fraud department.

1. "Did you make these purchases?"

2. "Yes" -> "Thanks, bye."

3. "No" -> "Thanks, we're disabling your card, and sending a new one to your address. If your address has changed, please pick it up at the branch."

Any deviation from this is a scammer posing as the fraud department. Any attempt to gather any information from you, besides 'Did you make these purchases?' is a scam.

They know who you are, if they didn't, they wouldn't be calling you.

Could you let us know how you spotted it was a fraud please?
people who fall for scams on phone are the ones who wouldn't hear about news like this.
Don't be so sure of that. A lot of really smart people can fall for scams because they are caught off-guard or are focused on getting something done, discarding some necessary caution along the way.
This is a nice feature but the root problem is how trusting people are of the totally insecure phone system. We all have to have “the talk” with our elderly parents, where we try to convince them to never do business over phone or e-mail unless they themselves initiated the conversation. No legitimate business will call you and expect you to pay money, give them access to a computer, ask for security codes, or anything like that. Always hang up, and if you think it’s actually life-or-death important (hint: it isn’t), call them back in their official number.

My parents got scammed in the past so they are on the lookout, but I still don’t think they are careful enough. And due to their age they get attacked a lot! Last time I visited, their phone was ringing every hour or two--all scam/spam. It’s only a matter of time until the next one is clever enough to get through.

I think these “external caller” scams are going to be with us until that generation dies out. The “trust the phone” instinct is too strong. Of course for my generation, the scammers will find something we inherently trust and exploit that, I have no doubt.

I think this should be hammered into everyone's head and am surprised it isn't already.

I get regular emails from retailers and banks reminding me that they will never call and ask for money or personal info. Then they state exactly what you said; hang up and call the institution's official number if you're unsure who is calling.

(Note: a quick way to find the official number is by looking on your debit/credit card. It should be printed on there.)

(Note note: Don't sign your credit/debit card. Put "SEE ID" or something in the signature area.)

Why not sign the card?
"SEE ID" is an explicit instruction.

But I haven't had anyone check the card in ages.

But not a meaningful one. It's a signature panel, not an endorsement one like on checks, or a free-form message to card-accepting merchants.

Best case everybody will ignore it; worst case your card will be declined because somebody will still actually attempt to compare the signatures on the receipt and card, and “SEE ID” is not a signature.

The purpose of "SEE ID" is that a cashier or server actually requests a photo ID like a license and verify the name and visual identity to the person presenting the card.

This seems like the second most secure form of identity check (chip + PIN #1) if everyone could be made to follow it consistently.

> This seems like the second most secure form of identity check (chip + PIN #1) if everyone could be made to follow it consistently.

Yes, but that's not happening since there is no incentive for the merchant to do it. Merchants are generally not liable for card-present lost/stolen card fraud, so the only thing this does for them is add friction.

It's a textbook principal-agent problem (in addition to requiring a human in the loop), and I highly doubt that the schemes would ever introduce anything like that, especially given that there are viable alternatives available (PIN entry on the terminal, on-device authentication for mobile wallets etc.)

> Note note: Don't sign your credit/debit card. Put "SEE ID" or something in the signature area.

When is the last time anybody has even looked at the back of your card?

Signature comparison (or even asking for a signature) is no longer required in most circumstances under the card schemes’ rules, whatever the signature panel says.

> My parents got scammed in the past so they are on the lookout, but I still don’t think they are careful enough. And due to their age they get attacked a lot!

I'd bet that it's not because of their age, but because they have been scammed in the past, so their data now is on the lists of "verified victims" which get passed around as those are thought to be more likely to fall for the next scam than simply a random number.

It’s somewhere in-between. They have a landline. Only really old people have landlines, so those are specifically targeted.
A bank that never calls or messages via traditional phone/mobile network and never uses email is the best. Always use secure in-app communication. And use secure device binding + password/pin + biometric authentication for access. Use a pre-registered and securely couriered FIDO2 token (Yubikey) + in-app video-KYC for initial setup and credential resets. Don't depend on another channel for resetting any of the credentials. Educate the user that you will never contact them via any other means. Establish these secure expectations with the user from day-0. Within the app, always do additional factor authentication for any monetary transaction. On the server-side, have per-transaction, per-day limits for fund transfers. For large value transfers, require payees to be added to the account and have a 1-2 days cooling off period. Notify the user during this cooling-off period and give them ample opportunity to intervene if they think it is a mistake or fraud. Have low-friction instant payments only to pre-verified and registered merchant addresses. For person to person instant transfers, have velocity limits and legal framework to clawback and prosecute in case of fraud. For out-of-network (say international) instant transfers, definitely require payees to be verified and added to payer's account and have fraud protection funds to enable swift clawback and legal frameworks for prosecution across international borders. Without these types of protection, any increasing in banking velocity is bound to result in more fraud harm than traditionally accepted.
I'm a Monzo client and honestly, I'm surprised they even offer the option. They do everything on-line if they can: it's cheaper for them, and I find it more convenient, on top of all the reasons you listed.

I suspect phone calls only happen at the very edge of rare branches, with elderly or handicapped clients, complex transactions, when ID checks fail, etc. They might not do it at all, and had added that feature in the rares of cases they might — but making it visible as “this changes color if we call you” makes a more compelling story than they previous “we never call you” if you are on the phone with a high-pressure scammer.

Banks in the UK are legally obligated to provide phone support to their customers. Monzo mostly doesn’t do outbound calls at all, pretty much the only situation they’ll do an outbound call is if it’s a pre-arranged call to discuss a complaint, or difficult situation (death of a customer etc).
That sounds fantastic for more technically sophisticated users… but I strongly suspect the reason banks continue to use phone, email, and SMS is that most users aren’t that technically sophisticated, and strongly want to use the (admittedly unsuited) communication methods they’re already familiar with. There was a post here a while ago about the debt collection industry that had a section of which the essence was “You’d be shocked at how little many people understand about banking and technology and basic math”.
That's very secure. It's also utterly unusable and will result in customers picking another bank, possibly retrieving their deposit through regulators and the court system in some cases because it's easier than going through your impossible account recovery.
These are all good ideas, but unfortunately really not that easy to implement, largely due to institutional inertia, but also because it would put the bank at a competitive disadvantage with others: Often, security and convenience really are trade-offs.

> Don't depend on another channel for resetting any of the credentials.

What if a customer's house burns down with their phone and Yubikey in it?

> For person to person instant transfers, have velocity limits and legal framework to clawback and prosecute in case of fraud.

That's not up to a single bank.

> For large value transfers, require payees to be added to the account and have a 1-2 days cooling off period.

"Why are you telling me what I can and can't do with my own money!?"

Sometimes, large value transfers really do need to happen quite spontaneously to a previously-unknown recipient, e.g. for a used car purchase.

> Use a pre-registered and securely couriered FIDO2 token (Yubikey)

That would indeed be great, but not a single bank I've done business with supports FIDO. In fact, I haven't even heard of one that does (I might just open an account with them!)

One annoying aspect to app push notifications is that my bank uses them to send marketing too.
The marketing will eventually sneak into every guaranteed channel of customer attention. That's why no app is sending me notifications.
> Use a pre-registered and securely couriered FIDO2 token (Yubikey)

Banks are awful enough with software, I don't want any hardware from them. Increasingly mobile apps are becoming first class citizen for online banking, web browsers second class. There doesn't exist reliable non-infuriating workflow with physical security key and a smartphone.

> use secure device binding + password/pin + biometric authentication for access. Use a pre-registered and securely couriered FIDO2 token (Yubikey) + in-app video-KYC for initial setup and credential resets.

Does this work with a privacy-respecting ROM like GrapheneOS? If not, then it's nowhere near the best solution for me.

After an unfortunate event I managed to teach family members to never do any kind of bank actions in a call where they were the ones being called. Always end that call and then call the bank support back using the number they all know how to find on their credit/debit cards.
Most irritating thing the Amex did recently to me is to call me from a random number and then proceeded to ask me for my personal details like date of birth etc for "verification purposes". I promptly refused to provide any details as I have no way to authenticate them and cut the call. They are basically educating their customers to become vulnerable to fraudsters and I told them as much. But the call center person is the wrong person to hear that from me.
This is insecure because it relies on people having the app installed and knowing to check it. Why not call the user through the app itself? Why not send a notification through the app telling the user to find the official support line and call that?

Banks should not call you anymore since it cannot be trusted.

For context, the app is monzo bank. You can’t bank with them without the app, they’re a challenger bank. Essentially all interaction is through that app. What surprises me is that they didn’t just put a webrtc call function hidden in the app so they could call you over a secure channel in the rare case that they needed to call you.
I would almost bet that 100% susceptible to scams won't remember to check an app for call verification.

Or, maybe I'm just a skeptical curmudgeon...

The problem is not with the call but with who is calling you. If you can authenticate the caller, all’s fine.
This is a great idea, but there's one problem I see with it: When I'm in a call, my internet doesn't work if I'm not on wifi, as the modem is busy with the call. I believe this doesn't happen if you have VoLTE, but it does mean that this feature can't work for many many people.
Yep, CSMA needs Voice over LTE (VoLTE) or else data is enabled while the call falls back to 3g.
> This blog post was accurate when we published it – head to monzo.com or your Monzo app for the most up to date information.

I am on monzo.com

I absolutely love this feature so much. I work at a competitor of Monzo and this is definitely something I'll bring up with our Product team to see if we are thinking about this.
this is a cool feature!

i had someone call me recently claiming to be from coinbase and try to get me to enter a password reset code into a site hosted at “w-coinbase.com”. they claimed my account was compromised and “locked” (it wasn’t).

i humored the guy and asked for a help page from coinbase that listed “w-coinbase.com” as one of their official domains. they genius asked me to trust him, or i could talk to his manager who would share my ssn with me as “proof”.

i talked to the guy for like an hour asking him to put himself in my shoes, or explain why i couldn’t address the issue myself with a password reset or redoing my mfa setup. he got really angry, saying i was berating him for doing his job.

i suggested he give me a case number and i’d call back into coinbase’s support line. he gave me a six digit number and then hung up abruptly when i said i’d call him back.

it was glorious.

anyway, every one should have a feature like this.

It's a cat-and-mouse game of banks saving money by closing branches (or never having them in the first place) and wanting to make fraud as much as the customer's fault as possible, and implementing new laws to shift some of the burden back to the banks and other organisations and creating toothless regulators for political marketing purposes.