Comment by namaria

4 months ago

I wonder if there's any one legitimate instance of a company calling you about compromised accounts and requiring your action. It seems to me that anyone reaching out and lighting a fire under your ass can be assumed to be a malicious actor.

Any notification asking you to confirm your identity that is not initiated by your actions should be immediately dismissed with a "no" and that should be all there is to such things, no?

Yes, but you have to know that.

I got a call from "Bank of America," and they smoothly talked me into giving them my debit card PIN. The trick was they had gotten into my online banking beforehand. "We've detected possibly fraudulent activity on your account." Then they read me real transactions from my actual account. "To be safe, let's lock down the account. For this we need more information for authentication, though." Probably started from a phishing thing that I fell for online without noticing. It was pretty clever of them. Not so easy to steal from a checking account without leaving a trail, unless you have the PIN. Then the main risk is to whoever was on camera at the ATM withdrawing as much cash as possible before the account was automatically locked down.

The next day, I got a call from "Bank of America" telling me that I'd been had. Fortunately they just credited the money back into my account. About $5000.

The main difference is that the first call wanted me to give them information, while the second call advised only "go into a bank branch in person."

The article's advice is correct. If someone asks you for info, tell them you'll call them back. It is almost certainly a scam. Calling back the possibly spoofed number at worst wastes a little time being on hold, and at best saves you or the bank a lot of money.

  • > Calling back the possibly spoofed number

    Don't call back the number possibly being spoofed (i.e. using your Caller ID as the source of the callback number). Call an independently-listed number for the company, such as the phone number on the back of a credit or debit card. Using an independent number prevents any failures where the Caller ID correctly reports an attacker-controlled but plausible-sounding number.

    For extra paranoia and safety, perform the callback from a separate phone line. That would avoid at least some of the more-targeted attacks involving a compromise of the victim's phone connection, which could potentially allow the attacker to redirect outgoing calls.

  • > The main difference is that the first call wanted me to give them information, while the second call advised only "go into a bank branch in person."

    Unfortunately physical branches are expensive to maintain, so a lot of banks have been closing them down. There are even plenty of banks with zero physical branches now. All contact is via phone or email, so there is no scam-proof way for them to contact you.

    • They don't have to have a scam-proof way to contact me. They just need to give me a way to contact them.

      That way, any phone call or email to me can be immediately ended with me saying "Thanks, I'll call the number on the back of my card," and hanging up.

  • How were they able to use an ATM without having your card?

    I recommend not calling back the incoming number even if you think it's real and spoofed, always look it up on the bank's website.

    • Depends on the time frame and the ATMs being used.

      I don't think all ATMs require chipped cards yet, and it's still common to have a debit card issued with a magstripe. If the GP used their debit card to pay for things it could have easily been duped. My bank issued me a new card for an account a few years ago; it still has a magstripe and I assume can still be used at magstripe-only ATMs.

      If it was even a few years ago, a lot of ATMs would have still worked with just a stripe. It's a bit more difficult to find these days, but old ATMs still running OS/2 WARP are still around and kicking.

      It's frustrating so many banks and what not are still issuing cards with magstripes. These days I wipe the cards I use most with a magnet to try and mess up the magstripe. I don't want to ever use it. Generally speaking, if they can't take chipped cards, tap to pay, or cash I'm not doing business with them.

    • My understanding is that they had a programmable card. This might have been just before chips became widespread in America. Or, maybe there's still a way to withdraw with only the information visible on the card.

  • Here's a thing that is enraging, though: when a bank has SMS 2FA (insecure if you're being targeted but better than nothing) and they keep having you enter that into third-party websites. I mean going to a legitimate business, making a purchase with a credit card, and then the bank wants 2FA to validate a purchase instead of a login? Fuck off, I'll use a different card, then.

    If it weren't for bullshit FICO calculations I would drop that account entirely.

Banks are pretty good at doing an impression of phishing scams, unfortunately. Almost every red flag for a scammer has also been done by a bank, legitimately.

  • There was a comment on Hacker News, which alas I can no longer locate, where a guy said he'd been called by his bank and the bank wanted him to answer various security questions. He said he was happy to do so, but firstly needed the bank to verify who they were, or to call the bank back on a telephone number on their website. The bank refused, so he refused to give them any details. The bank then blocked his bank account, meaning he couldn't pay his university tuition on time, meaning his student visa was no longer valid as he was no longer "studying", meaning he had to leave the country.

    • That doesn't add up; you're free to call the bank at the telephone number on their website whether the representative who just called you wants you to do that or not.

  • This.

    Also healthcare providers, though they seem to have finally wised up. They would call me from poorly configured phone systems (so unrecognizable caller id) and the first thing they would ask is to confirm full name and date of birth.

    Patterns like this do a great deal of damage in desensitizing folks and making them accept dangerous patterns that get exploited by scams.

    • Even if you recognized it, the number shown by Caller ID is easy for the caller to spoof -- or at least it was a few years ago (the last time I paid attention).

  • I have had my telephone company ask me to give them a code sent to my device. It is presumably to prove to the company that the representative is talking to me so that bad actors low in the company cannot start randomly messing with people's accounts. It is the equivalent of the bad click here. The only real defense is to know the difference between a mechanism meant to authorize someone at the company and a mechanism to authorize you. Confuse the latter for the former like the victim did here and bad things will happen.

  • Banks maybe, but Google? Google only has "AI" support and that doesn't call us yet. So it's safe to assume that any call from Google is fake.

    • Yeah Google will never call you about your free gmail account, just as Microsoft will never call you about a virus on your home computer.

  • I called a bank to increase my ATM limit. The agent sent me an SMS code to verify my identity and wanted me to read it back to him. The message said not to give the code to any human. Sigh.

If some bank calls you about compromised accounts, the recommended action should be to hang up, find the official phone number for your bank, wait one minute[1], then call back.

[1] You have to wait or call from a different phone, because the call might not terminate immediately, and the scammer might still be listening on the line.

https://security.stackexchange.com/a/100342

Sometimes there are good reasons for a bank to call you. The infuriating part is that not every bank has a quickly accessible number to call back if you don't trust the caller. Caller ID may be useless, but me calling the official number for my bank is pretty hard to fake (unless my carrier is part of the scam).

My bank has a button inside the app that will confirm that a real bank representative is calling you, or provides a button to call the bank's emergency line if they're not. It's a simple and effective way of preventing scams that I think more banks should implement.

  • An SS7 attack could make your carrier part of the scam without their knowledge, such that calling back the number will connect you to the scammer and not the bank.

Ideally, yes, no one would fall for that. But these types of attacks don't rely solely on ignorance. They introduce urgency, the fight-or-flight situation. Plus the first guy in the article got caught up in bad timing where his mental condition wasn't right, with his kid crying, his wife yelling, etc.

I’ve had my bank call me because of dubious online purchases, asking if it was me. The call was legitimate and my card number had been skimmed.