I wonder where the fraudsters have got all his personal info (including his land-line phone number) from. Even if they got a hold of his receipt that shouldn't contain enough info to get all the other details.
The FCC (and a bunch of other government agencies in the U.S.) will happily take a post office box as an address. That's the official address on my ham ticket.
The GP did use a PO box, and even if you use a PO box you still now know someones name, state and general area pretty much unless you are willing to drive far away for some remote box.
I used my employer's address there, since .us demands that you be able to receive their physical mail. Kind of pointless with my ham radio information on the web, though.
He says they cloned his card, so they probably either had a card skimmer installed on top of the ATM's card slot or a tiny hidden camera to photograph the card. Now they have his name and account number. They then followed him home to get his address. Then they looked him up in the phone directory to get his land-line number.
That's not what the article said. It said that the initial fraudulent call claimed that they had cloned it.
Getting a name and phone number is easy. After you've followed the person home, poke through their waste paper bin until you find a letter/bill with the info. If the person is listed in the phonebook (often the default) then you just need the surname from the bin and the town/village of the house you're stood in front of.
Date of birth would be a bit harder to get. Not on the average bill or in a phone book. I guess someone could go through social media once they had your name, but it might not work for everyone.
I'm in the US. Online, I've obtained birth and death dates and lists of mailing addresses of specific persons. In one case, I started with the subject's name and county where they died (the goal was to find the burial plot of a relative). Other cases I started with a name and current city of residence (ie, googling myself and family members). I didn't search social networks. Iirc, most of my success came from online county records.
That doesn't match what the article said. Also, if they already had his card then there would be no need to send a courier to his place and pick it up, that only increases their exposure and the risk of getting caught.
>If you call a landline, it’s up to you to end the call. If the other person, the person who receives the call, puts down the receiver, it doesn’t hang up the call, meaning that when I went to find my bank card, the fraudster was still on the other end, waiting for me to pick up the phone and call ‘the bank’.
Can someone explain this? This seems like a pretty glaring and obvious issue that I'm sure I would have experienced before. Is he saying that if he hangs up the phone and picks it up again and the person at the other end doesn't hang up, then the conversation isn't over?
Yes, that's what happens here in Australia (and I assume the UK). If the receiver doesn't hang up the call disconnects. The exchange disconnects the call after 1 or 2 minutes.
What I don't understand is how the scammers got his landline number?
Followed him home, then used a phone number search? That would also explain why they didnt need to ask him his address.
This is a really elaborate scam, btw. The few times my cc# has been stolen, some dude just makes a card and uses at someplace like a hardware store and buys $1500 worth of tools before the bank frauds it out. In, out, no contact with me, just a sprint.
In the european chip and pin system, there's no way to extract the private key on the chip - the chip has to be present, and has to be unlocked with the PIN. Which is why they had to steal the card, and get him to enter the PIN. (of course it's possible to trick most merchants to fail back to the legacy mag stripe which is still present, but perhaps that triggers fraud alerts quicker)
It lets you do things like receive a call, put the handset down (or even unplug the phone!) then continue by picking up a phone on the same line in another room.
It also meant you would accidentally DoS someone by failing to hang up correctly if you initated the call - the pre-mobile equivalent of someone phoning you from the inside of their pocket...
Many years ago, when I used to drink (far too heavily on this occasion) my last memory of an evening was ringing up my Godmother to see how she was; powered by a kind of drunken momentum to say hello to someone I love.
I didn't remember anything about the conversation, only that I got up from bed with a pounding headache and thought no more of it. A few days later my godmother phoned me up:
"Do you remember what you did a few days ago?"
"I think I phoned you up?"
It turns out that while she was talking at length I had passed out from the booze. She had spoken for some time and then I hadn't replied. After some time, finding the call strange, she hung up and picked up, only to find the sound of silence; my room in which I had passed out. This was unfortunate as she had quite a few phone calls to make and she was effectively blocked from doing so. Presumably at some point I came back to some kind of consciousness that was capable of putting the receiver down and staggering to bed, but not capable of remembering. Thankfully I was forgiven and suffered only the punishment of wry disapproval.
So yes - as a young man I accidentally DoS'ed my Godmother because of stupidity and Stella Artois.
My landline phone (BT 6500 Cordless Phone) rings if you have hung up but if the person on the other line hasn't hung up after 5-10 seconds which is great if you accidently turned off the phone (my parents do this all the time) and in this instance for this case.
As I understand it, it's some of the insane backwards compatibility the 'pots' system has to put up with.
If you think way back, before dtmf/touch-tone phones, when you dialed a number, the line clicked. You press one, the line clicks once. For zero, 10 clicks. This is backwards compatible all the way to rotary phones.
Those clicks are the line being closed and re-opened in rapid succession. You dialled by 'hanging up' repeatedly. So the line can't close the moment you hang up - there's a grace period while it waits for the next click. If the initiating party does't hang up, they emulate this grace period until the exchange times out.
That's the problem; it's not a modern system. eg, the British GPO 332 handset was first issued in 1937 - and still works. It's difficult to demand millisecond timing when you're backwards-compatible with pre-war equipment.
Way back... I still use a good old GPO rotary phone. Only thing you sometimes have to retrofit is the capacitor on the ringer circuit, as they're usually dead, or not big enough for today's lower voltage lines.
Phone systems allow this so that the called party can answer on one handset and then easily transfer to another handset on the same line by hanging up the first and picking up the second handset within a certain duration. In Australia, IIRC this is around 45 seconds. I'm not sure if this is universal. It's certainly unnecessary for mobile (cell) phones.
Are there even any of them in use? I was talking to a Telstra employee a few years ago who mentioned that there were only one or two in country towns that didn't warrant replacement.
I seem to remember a case, possibly in Sweden in the late 90's or early 00's, where a woman was unable to call an ambulance for her husband who was having a heart attack, because of an incoming caller who had not hung up properly (or something along those lines). After some panic I think she ran to a neighbours house where she was able to make the call.
If I remember the story correctly, this resulted in some debate followed by a law change, such that now if the called party hangs up, you have only a few seconds before the connection is broken.
I don't know how it went for the husband though...
It seems so backwards! Why wouldn't you be able to hang-up if you are the callee? Anyway, it makes it clear now how the scam works.
In a proper telecom setup, if the hang-up time is longer than the flash time (a few hundred milliseconds) then the call should end - period. This allows you to hang up properly while allowing for call waiting features and the like.
US Phone system worked this way at least when I was younger; there was a party trick you could do to have someone call your phone, hang up and then tell people to "pick any name and I'll call someone with that name" then pretend to dial and ask for that name, your friend says something "Yes, that's me, who are you?"
Wouldn't that trick work equally well by just learning your friend's number and actually dialing it? I don't see where the phone thing comes into play here.
> then pretend to dial and ask for that name, your friend says something "Yes, that's me, who are you?"
As long as I tell my friend "I'm going to call up, pretend you are whoever I ask for", then when I call up and say "hello is Mr X there?" it's irrelevant whether I just dialed my friend, or whether he was sat on the line waiting for me to fake dial.
The person being duped provides a name and a number.
You leave your line open with a friend. Then you dial the new number, which doesn't work because the line is open, but it appears to work, fooling the person being duped.
Dialing the new number is a required part of the illusion so the person you are duping believes you are calling the person they provided the info for.
If you just dial your friends number and don't use the fake number... and they see you doing that... then that's stupid and your friends would have to be exceedingly trashed to fall for what is essentially you just dialing a friends number and talking to them.
Where does the person being duped get the number from? I thought the whole point of the trick was that they would give you a name and you'd come up with a number for it.
The trick is that you (or even the audience) actually dial Mr. Smith's number in front of them. The trick is no good if you dial your friend's number openly.
I believe this was alo used by hackers/crackers back in the modem era. When you connected to a corporate system the system would first identify you, then drop the connection and call you back to your official number. If you did not hang up, the system ended up connecting back to you.
I was in Barcelona, regular tourist. Here come a guy saying he is a cop, in civil but showing some kind of ID. Saying I might have stolen my own credit card and asking to dial the PIN on his phone. I've fallen for it. They've taken 400 euros from my bank account.
I guess we don't have to blame ourself, scheme exists, we might fall for we might not fall for it. This guys have training we don't, we have good reason to not act in the smartest way!
It is a fantastic city, has a beautiful beach right there in the city, a great old town, fantastic events on all the time, nice parks, good food, great architecture, is easy for Europeans to get too. And as long as you are a bit savvy, and don't accept whatever some strange guy coming up to you says, you will be fine.
Also ALWAYS keep a look at your wallet. Keep it in front of your pants and the hand over it when walking the most touristical places. Also keep an eye while eating or having a coffee. They are very fast and creative.
I could imagine falling for the OP's landline hangup ruse, but I can't imagine falling for somebody on the street telling me to type my PIN into their phone, regardless of how they were dressed.
There was a TV series named 'Scam City', in which presenter Conor Woodman gets scammed in some of the worlds most iconic cities. Here's episode of Barcelona http://vimeo.com/63510709
I was once SE'd (socially engineered) into providing the caller with my full name, address, DOB, but no financial information.
The caller had spoofed their caller ID to reflect a police agency, albeit out of my jurisdiction, but like the OP it was early on a weekend morning and I was quite well hungover, so I readily supplied the requested info.
It was a valuable learning experience and I admit to being "schooled" by the perpetrator but seeing that no actual harm was done I let the matter drop like the lead it was worth.
Wow, that admittedly had a lot of effort going into it. I'd like to say that I wouldn't have fallen for it, but I'm not so sure. I think I wouldn't have physically given them the card, though. Something about the whole thing just seems really odd they'd go so much out of their way for one victim.
But is this something more common in the UK, perhaps? The only scams I run into are these laughable phone calls I get from time to time - recorded messages like, "This is card services from (fake phone static). Your card has been compromised. Please call us back." I never called the number back but from looking up online it seems that pretty much straight off the bat they ask you for your SSN, and I'm guessing they wouldn't have any personal info about you.
It's a pretty convincing scam for sure - especially if they get you to think that you called your own bank.
I wouldn't be surprised if they got this information from a receipt or something rather than following him home though. As he said, it would be easier to just mug the guy in that case. Following somebody home seems like a lot of investment and risk for a scam that only works on certain percentages of the victims.
- Less effort but requires willingness to use force.
- Doesn't require any knowledge of the phone system or victim's details beforehand
- High risk, since violent crimes can go bad.
- Police care more (although depending on jurisdiction they may take a report and be unable to do anything unless you get lucky and there are leads for them to follow).
Con game:
- Requires more preparation and knowledge
- Allows more time to abuse the card because the victim doesn't know anything's wrong for days.
- Virtually zero risk during the acquisition of the card
- Police care less... these crimes are more difficult to solve/clear.
I shouldn't have mentioned mugging because that wasn't really my point - and I usually know better than to provide ammunition for arguing a tangential point!
Anyway, I was trying to muse that spying and following somebody to their home is a lot of work and carries the risk of being noticed and/or caught on camera, getting attacked by their dog, or at the very least consuming your entire evening. Who knows if the victim is going to drive 10 miles out of town or stay at the bar until 4am. Maybe they'll go to their girlfriends place instead leaving you with a bogus address. Maybe they'll notice you from the bar and wonder what the fuck you're doing following them..? It just seems impractical just to get your address.
Whereas getting info from a receipt could be safe & easy and you don't have to get physically close to a victim until you have them on the hook. You could pre filter. You probably don't even need to be at any particular location. Just go through a pile of receipts in the comfort of your own home.
But then again what do I know? Maybe it's ridiculously easy to find a mark and then follow them home.
Not really, actually mugging someone would be a lot of risk for unknown and surely lower return. What these guys are doing won't work all the time, but when it does the return is very high as they can steal money you don't even have if they get a credit card. They also wouldn't have to deal with any issues like getting caught by CCTV, a group of well wishers or the ever elusive police patrol.
The OP said he woke up "hungover, sitting on the sofa trying to piece together the night before." I have to wonder if the scammers were aware of that and were using that fact to catch him in a disoriented state.
This is why I'm terrible to my bank over the phone... I always ask them to prove to me they are from the bank and when they can't - i hang up. It's kind of annoying except I work above my bank so it's pretty easy to walk downstairs. Maybe someday the bank will implement a kind of certificate to help me identify i'm really talking to the bank...
Precisely. I've had the legitimate fraud-prevention department of my bank contact me but be unable/unwilling to authenticate themselves. I told them that until they were willing to authenticate, they would never receive any identifying information from me.
At some point I said that I would accept the account number as authentication and they were unwilling to provide that. I don't know why they--a legitimate fraud-prevention department--expected to be able to cold-call a customer and receive identifying information. They should be actively working to prevent customers from turning over this information to "just anyone who rings them at home."
I ended the call and contacted my bank via their online banking system and via that system they vouched for the original call and provided a number to call back. I lodged my complaint that their own fraud department was calling customers without any ability to self-authenticate. Not sure what happened from there; I've not had to deal with that process again since.
I challenge my bank all the time. The answer I get is "Certainly sir. The best way to validate is to find our free-call phone number in a place you trust - the phone book, or anywhere else you trust - then call it and type in the following number: X X X X X. That will route the call directly back to me".
> "[...] call it and type in the following number: X X X X X. That will route the call directly back to me."
I wish every bank did this as standard practice! Hang up, dial the customer care number on the back of the card, then dial the digits supplied by the support rep.
Better yet, print instructions right on the back of the card: "don't engage any support representative you did not call directly." Training customers to do this (perhaps even through proactive callouts?) would work to significantly reduce this kind of fraud.
> Hang up, dial the customer care number on the back of the card, then dial the digits supplied by the support rep.
Except apparently to prevent this form of fraud you need to hang up, then call from your mobile, so that the "support rep" can't just stay on the line and do what the guys in this story did (fake a dial tone, make it seem like you've called the customer care number).
I think Canada's system does this, though it might only be a couple seconds. I recall being able to stay on the line ~10 seconds or more and still retain the call. If you have the person on the other side of the phone holding the card and looking at the phone number, being instructed to call it because of some urgent fraud, they're almost certainly going to hang up, and pick back up within a ~5 second window.
And if they don't, no harm, no foul (to the scammers)
Wow, that's so simple and clever. It seems so obvious but I wonder if I'd remember to do that if I was shaken up by my "bank" calling to tell me my account had been compromised. I'll write it down for future reference.
Yeah, but in the article author's case, you can't even rely on being able to do that (at least with a landline), due to the severe landline security hole regarding ending of phone calls.
I thought this was common sense. I even have done that with the police: They called and started to ask question, I asked for their name, and called back on a well known number.
This though, is where this scam is cunning, they use the fact that people feel safe calling a well-known number. I'd like to think I'd have offered the bank to cut off my cc rather than send it, but who knows...
My bank never calls me. They send a secure message over the banks online system or leave a recorded message on my phone. They don't give a number to call back, so that I have to look up the real one. Not that those measures would have saved me in this scenario.
Some banks I've worked with have configuration so that when they contact you by email, you can set a code word(s) that they will include in the communication. So if the communication doesn't start with "Your Majesty Dark Lord", you know it's fake :) Similar system may work with the phone too.
I rang my bank last week, I rang them, and they asked me for my pin number. What, there is not way I am giving you my pin number. It is not used for identification.
This was the Visa at the RBS bank in Scotland, not sure what they are doing over there.
The phone thing I can understand, but why would a bank ever send a courier to pick up a card (and why would someone believe that they would)? I've never heard of such a thing.
Even if it's got a chip, what could possibly be stored on the chip's memory that would help? If there's a problem with a card being compromised or cloned, they issue a new one.
In Israel it is actually pretty common occurrence to get a card from the bank by courier. Of course, not personal courier sent just for somebody, but the mode of delivery is like this. Of course, Israel is a pretty small country :)
So it's wouldn't sound that outrageous for me. Especially if a courier would give me a time like 10am to 3pm and would come at 3:15pm :) Of course, other parts where they need my card for some kind of examination would sound weird. But I imagine I personally could have fallen for that if the other guy is really good, if not for tiny detail that I don't have a landline for about last 10 years... But the trick with calling back really adds a lot to the deal, all the rest s not that suspicious given that.
That's the part the alerted me the most. You are always told to destroy the card, not even throw it away.
Getting the customer to call a number is another, they could have transferred the customer. Instead, they wanted to provide a shot of confidence before extracting info that no one, not even the bank should ask for.
> Getting the customer to call a number is another, they could have transferred the customer.
No way. If someone claiming to be a bank cold-calls you, you tell them you'll call them back at their official number. Only deal with bank information on a call that you initiated.
I don't know how to work around the flaw in the article. Luckily it's not something we have to deal with here in the US, as far as I know. What a dumb "feature."
I can understand ending the call if they start asking for personal information, but if you get a call from the bank to take you through a suspected fraud case then all they do is ask you some 'pick-the-odd-one-out' style questions to verify your identity. They then list all your transactions, including the fraudulent ones and ask if you recognise them. After that they cancel the account and start a new one.
I wouldn't be too hard on yourself. I would have probably fallen for it after the phone call. The answer isn't that you're stupid - the answer is, when other human beings exert a ton of effort to deceive you, sometimes you're going to be deceived. Especially if it's out of the blue and you're not on guard. Human beings are pretty cunning and deceitful bastards.
Who pays for fraud cases? Do the credit card companies end up paying for all the merchandise when they reinstate the victims cards and forgive his debts?
Pretty dicey, I can see a day when your bank calls and you say, "Thanks for calling, I know you're my bank but I wonder if you wouldn't mind answering a couple of security questions for me ..."
The big risk though is going out to pick up your card, that gives you the opportunity to film them. If you know which ATM they are watching you set up a sting to catch them in the act.
I imagine that a great many of us would be fooled by that sequence. It's easy to consider yourself paranoid or careful and then be thrown off-guard by a well-optimised routine.
"As for the call, well, credit where it’s due, it’s pretty clever. If you call a landline, it’s up to you to end the call. If the other person, the person who receives the call, puts down the receiver, it doesn’t hang up the call, meaning that when I went to find my bank card, the fraudster was still on the other end, waiting for me to pick up the phone and call ‘the bank’. As I did this, he first played a dial tone down the line, and then a ring tone, making me think it was a normal call. He will have been sitting next to the first person that called me, no doubt laughing their heads off at how stupid I’d been."
Wow, what? This seems pretty crazy. I was wondering how they did it until I got to this point.
I seem to remember Kevin Mitnick making use of this feature at some point, I think it was the time he's trying to make more than one phone call from inside prison; he basically never hung up.
Indeed, I had the same reaction - and I live in UK! I haven't ever used a landline though. I'd be more than happy to cooperate with a bank when I'm calling them (though asking for PIN would probably make it suspicious - AFAIK there are ways of intercepting calls anyway, so by that point I'm all 'actually, I'll just come over to your branch').
Phones in general are ridiculous for authentication. You can spoof nearly every bit of data, and there's no way to know, and little weird bits of flotsam like this float to the surface occasionally and make it even worse than it normally seems.
If only I could ask them what their favorite restaurant is, maybe we'd finally have two-way verification. Nobody else picked McDonalds, right? That's a safe choice?
About the PIN: your guess is right. The tone system for dialling numbers works like this: there are four "low" frequencies (697, 770, 852, 941 Hz) and four "high" frequencies (1209, 1336, 1477, 1633 Hz). Each key plays exactly one "low" and one "high" frequency, e.g. when you press "1", your phone plays 697 and 1209 Hz.
The telephone exchange listens for those tone combinations to know what number you're dialling. If you have an audio recording of a number being dialled, you can actually figure out the number just by listening to each tone separately and comparing it to the sound made by pressing keys on your own phone. Wouldn't surprise me if the fraudsters did just that, or maybe they used a "spectrum analysis" feature on a PC audio program.
There are programs that will do this for you... probably even for your smartphone. I mean - it is built into asterisk and other pbx software already, code for it can't be that hard to find.
Someone suggested they went through his rubbish once they were standing out side his house. Seems like a bit of a gamble though as by this point they would have invested quite a bit of time following him etc. And how many people these days (young and living in a shared house in Islington especially) still have a land line, and are even in the phone book?
I once got an SMS to the tone of "This is <my bank>, you have to call us urgently on <some 0800 number> and quote reference <blah>". So the first thing I did was ring the number printed on my card and have a nice talk to them.
Turns out it was the bank, but they don't do themselves any favours.
I've received similar (legitimate) texts from Chase a few times.
A couple months ago I was in the pharmacy to pick up a prescription. I handed the pharmacist my card and she walked back to her computer to run it.
A moment later, as she gets back to the counter where I'm standing, my phone (which I was holding) buzzes. I look down at an SMS "fraud alert" from Chase just as she says, "I tried running it twice but it won't go through."
The SMS from Chase had the name of the pharmacy and the total amount and told me I could reply to the message to state whether it was a legitimate transaction (I don't recall exactly what I had to reply with but effectively I was responding "yes" or "no").
I quickly sent back a reply stating it was legitimate and almost instantaneously received a "thanks" message. I asked the pharmacist to run the card again and it went right through.
I got the same from Discover once; I was at a computer shop picking up a new PC. They ran it once and told me "it didn't work" as my phone started ringing. It was an automated call asking me whether the charge was legitimate. I told it "yes" and asked them to run it again. Makes sense considering that to Discover, it's an out-of-the-blue $1k+ purchase at a store I rarely visit.
I've had this with my bank: they called me and asked to "take me through security". I explained to them that I'd have to take them through security first, since I had no idea if they were really my bank. They didn't get it. I ended the call.
Banks do this with card fraud checks all the time. They often give you a voicemail telling you to "phone this number" - the google results for my bank's fraud number are a whole load of forum posts saying "is this a scam?". The number is not listed anywhere on their website.
I just make a personal appearance at a branch when this stuff happens - then they have to sit on the phone to themselves for half an hour while I have a coffee.
I guess it's easiest if the bank doesn't have any contact details apart from snail mail. I'm skeptical already when banks want my email address upon opening an account.
I was expecting an interesting article about a deliberate handing-over of credit card and PIN to a known fraudster, in an attempt to examine their behavioural patterns and maybe offer some anecdotal insight.
I felt the actual article was much less interesting.
A good strategy is not to depend on a single bank or account.
At least in Europe it's fairly easy to find banks offering accounts with no maintenance/transactions costs , just open two accounts at two different banks, keep the same level of cash in both and if something happens you don´t have to go on a diet of canned beans waiting for the compromised account to be restored.
(Then again, some might argue that now you have twice the chance of being targeted by a scammer).
131 comments
[ 3.3 ms ] story [ 191 ms ] threadI wonder where the fraudsters have got all his personal info (including his land-line phone number) from. Even if they got a hold of his receipt that shouldn't contain enough info to get all the other details.
http://wireless2.fcc.gov/UlsApp/UlsSearch/license.jsp?licKey...
Yup, that's my home address!
(Thanks for making me realize that I'll need to renew my license in a few months, I quite possibly would have forgotten.)
Most assumed that it was a vanity callsign but it's actually what the FCC assigned to me nearly 20 years ago.
Getting a name and phone number is easy. After you've followed the person home, poke through their waste paper bin until you find a letter/bill with the info. If the person is listed in the phonebook (often the default) then you just need the surname from the bin and the town/village of the house you're stood in front of.
Can someone explain this? This seems like a pretty glaring and obvious issue that I'm sure I would have experienced before. Is he saying that if he hangs up the phone and picks it up again and the person at the other end doesn't hang up, then the conversation isn't over?
What I don't understand is how the scammers got his landline number?
This is a really elaborate scam, btw. The few times my cc# has been stolen, some dude just makes a card and uses at someplace like a hardware store and buys $1500 worth of tools before the bank frauds it out. In, out, no contact with me, just a sprint.
It also meant you would accidentally DoS someone by failing to hang up correctly if you initated the call - the pre-mobile equivalent of someone phoning you from the inside of their pocket...
I didn't remember anything about the conversation, only that I got up from bed with a pounding headache and thought no more of it. A few days later my godmother phoned me up:
"Do you remember what you did a few days ago?"
"I think I phoned you up?"
It turns out that while she was talking at length I had passed out from the booze. She had spoken for some time and then I hadn't replied. After some time, finding the call strange, she hung up and picked up, only to find the sound of silence; my room in which I had passed out. This was unfortunate as she had quite a few phone calls to make and she was effectively blocked from doing so. Presumably at some point I came back to some kind of consciousness that was capable of putting the receiver down and staggering to bed, but not capable of remembering. Thankfully I was forgiven and suffered only the punishment of wry disapproval.
So yes - as a young man I accidentally DoS'ed my Godmother because of stupidity and Stella Artois.
(https://news.ycombinator.com/item?id=4825751)
(https://news.ycombinator.com/item?id=4826367)
Here's another newspaper article about the scam. (http://www.guardian.co.uk/money/2012/may/23/credit-card-user...)
EDIT: cultural note - we don't[1] pay to receive a phone call, even with cell phones. Perhaps that makes a difference?
[1] Well, with normal accounts that is. Obviously free-phone 0800 numbers etc are different.
If you think way back, before dtmf/touch-tone phones, when you dialed a number, the line clicked. You press one, the line clicks once. For zero, 10 clicks. This is backwards compatible all the way to rotary phones.
Those clicks are the line being closed and re-opened in rapid succession. You dialled by 'hanging up' repeatedly. So the line can't close the moment you hang up - there's a grace period while it waits for the next click. If the initiating party does't hang up, they emulate this grace period until the exchange times out.
Ever see the "flash" key in a phone? Add a few milisseconds to that and a modern phone system should hangup.
If I remember the story correctly, this resulted in some debate followed by a law change, such that now if the called party hangs up, you have only a few seconds before the connection is broken.
I don't know how it went for the husband though...
In a proper telecom setup, if the hang-up time is longer than the flash time (a few hundred milliseconds) then the call should end - period. This allows you to hang up properly while allowing for call waiting features and the like.
As long as I tell my friend "I'm going to call up, pretend you are whoever I ask for", then when I call up and say "hello is Mr X there?" it's irrelevant whether I just dialed my friend, or whether he was sat on the line waiting for me to fake dial.
The person being duped provides a name and a number.
You leave your line open with a friend. Then you dial the new number, which doesn't work because the line is open, but it appears to work, fooling the person being duped.
Dialing the new number is a required part of the illusion so the person you are duping believes you are calling the person they provided the info for.
If you just dial your friends number and don't use the fake number... and they see you doing that... then that's stupid and your friends would have to be exceedingly trashed to fall for what is essentially you just dialing a friends number and talking to them.
Maybe to add a little bit of diversity:
At least in Germany, I don't recall this ever working.
I was in Barcelona, regular tourist. Here come a guy saying he is a cop, in civil but showing some kind of ID. Saying I might have stolen my own credit card and asking to dial the PIN on his phone. I've fallen for it. They've taken 400 euros from my bank account.
I guess we don't have to blame ourself, scheme exists, we might fall for we might not fall for it. This guys have training we don't, we have good reason to not act in the smartest way!
I hate Barcelona.
You can go to Avila, Segovia, Cuenca, Toledo... all excellent places and with good train and bus connections with Madrid.
The caller had spoofed their caller ID to reflect a police agency, albeit out of my jurisdiction, but like the OP it was early on a weekend morning and I was quite well hungover, so I readily supplied the requested info.
It was a valuable learning experience and I admit to being "schooled" by the perpetrator but seeing that no actual harm was done I let the matter drop like the lead it was worth.
But is this something more common in the UK, perhaps? The only scams I run into are these laughable phone calls I get from time to time - recorded messages like, "This is card services from (fake phone static). Your card has been compromised. Please call us back." I never called the number back but from looking up online it seems that pretty much straight off the bat they ask you for your SSN, and I'm guessing they wouldn't have any personal info about you.
I wouldn't be surprised if they got this information from a receipt or something rather than following him home though. As he said, it would be easier to just mug the guy in that case. Following somebody home seems like a lot of investment and risk for a scam that only works on certain percentages of the victims.
- Less effort but requires willingness to use force.
- Doesn't require any knowledge of the phone system or victim's details beforehand
- High risk, since violent crimes can go bad.
- Police care more (although depending on jurisdiction they may take a report and be unable to do anything unless you get lucky and there are leads for them to follow).
Con game:
- Requires more preparation and knowledge
- Allows more time to abuse the card because the victim doesn't know anything's wrong for days.
- Virtually zero risk during the acquisition of the card
- Police care less... these crimes are more difficult to solve/clear.
Anyway, I was trying to muse that spying and following somebody to their home is a lot of work and carries the risk of being noticed and/or caught on camera, getting attacked by their dog, or at the very least consuming your entire evening. Who knows if the victim is going to drive 10 miles out of town or stay at the bar until 4am. Maybe they'll go to their girlfriends place instead leaving you with a bogus address. Maybe they'll notice you from the bar and wonder what the fuck you're doing following them..? It just seems impractical just to get your address.
Whereas getting info from a receipt could be safe & easy and you don't have to get physically close to a victim until you have them on the hook. You could pre filter. You probably don't even need to be at any particular location. Just go through a pile of receipts in the comfort of your own home.
But then again what do I know? Maybe it's ridiculously easy to find a mark and then follow them home.
At some point I said that I would accept the account number as authentication and they were unwilling to provide that. I don't know why they--a legitimate fraud-prevention department--expected to be able to cold-call a customer and receive identifying information. They should be actively working to prevent customers from turning over this information to "just anyone who rings them at home."
I ended the call and contacted my bank via their online banking system and via that system they vouched for the original call and provided a number to call back. I lodged my complaint that their own fraud department was calling customers without any ability to self-authenticate. Not sure what happened from there; I've not had to deal with that process again since.
I wish every bank did this as standard practice! Hang up, dial the customer care number on the back of the card, then dial the digits supplied by the support rep.
Better yet, print instructions right on the back of the card: "don't engage any support representative you did not call directly." Training customers to do this (perhaps even through proactive callouts?) would work to significantly reduce this kind of fraud.
Except apparently to prevent this form of fraud you need to hang up, then call from your mobile, so that the "support rep" can't just stay on the line and do what the guys in this story did (fake a dial tone, make it seem like you've called the customer care number).
And if they don't, no harm, no foul (to the scammers)
This though, is where this scam is cunning, they use the fact that people feel safe calling a well-known number. I'd like to think I'd have offered the bank to cut off my cc rather than send it, but who knows...
This was the Visa at the RBS bank in Scotland, not sure what they are doing over there.
Even if it's got a chip, what could possibly be stored on the chip's memory that would help? If there's a problem with a card being compromised or cloned, they issue a new one.
So it's wouldn't sound that outrageous for me. Especially if a courier would give me a time like 10am to 3pm and would come at 3:15pm :) Of course, other parts where they need my card for some kind of examination would sound weird. But I imagine I personally could have fallen for that if the other guy is really good, if not for tiny detail that I don't have a landline for about last 10 years... But the trick with calling back really adds a lot to the deal, all the rest s not that suspicious given that.
Getting the customer to call a number is another, they could have transferred the customer. Instead, they wanted to provide a shot of confidence before extracting info that no one, not even the bank should ask for.
No way. If someone claiming to be a bank cold-calls you, you tell them you'll call them back at their official number. Only deal with bank information on a call that you initiated.
I don't know how to work around the flaw in the article. Luckily it's not something we have to deal with here in the US, as far as I know. What a dumb "feature."
But then, a lot of stuff my bank asks me to do doesn't make much sense.
I guess it says something about banks that someone can call you, and ask you to do something weird, and it's okay because "that's what banks do".
The big risk though is going out to pick up your card, that gives you the opportunity to film them. If you know which ATM they are watching you set up a sting to catch them in the act.
Wow, what? This seems pretty crazy. I was wondering how they did it until I got to this point.
If only I could ask them what their favorite restaurant is, maybe we'd finally have two-way verification. Nobody else picked McDonalds, right? That's a safe choice?
I assume because each number on the keypad has a unique tone, they could extrapolate which keys were pressed?
Also how did they get his phone number? The phone directory?
Most shocking is how did they get date of birth and mothers maiden name!?!?
The telephone exchange listens for those tone combinations to know what number you're dialling. If you have an audio recording of a number being dialled, you can actually figure out the number just by listening to each tone separately and comparing it to the sound made by pressing keys on your own phone. Wouldn't surprise me if the fraudsters did just that, or maybe they used a "spectrum analysis" feature on a PC audio program.
Turns out it was the bank, but they don't do themselves any favours.
A couple months ago I was in the pharmacy to pick up a prescription. I handed the pharmacist my card and she walked back to her computer to run it.
A moment later, as she gets back to the counter where I'm standing, my phone (which I was holding) buzzes. I look down at an SMS "fraud alert" from Chase just as she says, "I tried running it twice but it won't go through."
The SMS from Chase had the name of the pharmacy and the total amount and told me I could reply to the message to state whether it was a legitimate transaction (I don't recall exactly what I had to reply with but effectively I was responding "yes" or "no").
I quickly sent back a reply stating it was legitimate and almost instantaneously received a "thanks" message. I asked the pharmacist to run the card again and it went right through.
I just make a personal appearance at a branch when this stuff happens - then they have to sit on the phone to themselves for half an hour while I have a coffee.
I was expecting an interesting article about a deliberate handing-over of credit card and PIN to a known fraudster, in an attempt to examine their behavioural patterns and maybe offer some anecdotal insight.
I felt the actual article was much less interesting.
At least in Europe it's fairly easy to find banks offering accounts with no maintenance/transactions costs , just open two accounts at two different banks, keep the same level of cash in both and if something happens you don´t have to go on a diet of canned beans waiting for the compromised account to be restored.
(Then again, some might argue that now you have twice the chance of being targeted by a scammer).
Twice the chance for half the money. Significantly less for the whole sum (assuming scams are independent events). I think it's a good tradeoff ;).
That's bold.