Terence Eden

You receive a call on your phone.
The caller says they're from your bank and they're calling about a suspected fraud.

"Oh yeah," you think. Obvious scam, right?

The caller says "I'll send you an in-app notification to prove I'm calling from your bank."

Your phone buzzes. You tap the notification. This is what you see.

Still think it is a scam?

359 comments
SpaceLifeForm

@Edent

Of course it is a scam. They will not call you in the first place.

Peter

@Edent that's a pretty interesting scam pattern.
Spitballing, the banks need to send a message saying “there is suspected…. Please call the number on the back of your card to talk to a rep”
Pretty cost efficient secure solution, anyone able to poke a hole in it?

Bambarbian

@Edent this is wrong and the bank must be responsible for any losses. They clearly failed to identify the customer. The app can say: if it's you, call us again: number + 3 digits from app + 3 digits from the call. Bank identity is established by a well-known number; the additional digits demonstrate that the same person is using the app and talking on the phone. May still be problematic if the attacker managed to log in to the app. Better idea: just verify ID through a video call in the app.

Planarian

@Edent I always assume scam. If I look up their number myself and call them, and get the same info, then I believe it.

Alexis Bushnell

@Edent makes me glad that I just don't answer phone calls.

fmobus

@Edent the scam would probably not work if the messaging on the phone app was better

"did you initiate a call with us from number +1 555 123123 five minutes ago", for instance, would work much better

Wyre

@Edent@mastodon.social if someone calls me in any "official" capacity I automatically assume it's a scam.

Rick Mycroft

@Edent Obvious scam. I don't have any banking apps on my phone.

Frederic Barthelemy

@Edent @timbray Users have no way to verify an incoming call.

It should say “Did you call Chase? Chase will never call you except to tell you to call us back.”

Matthew G. 🏳️‍🌈🏴‍☠️⛦🤘🔞

@Edent At this point, I think all unsolicited/unexpected communications are fraudulent. The only reasons I even have a phone nowadays are because my day job requires MFA and because you could walk 10,000 miles in any direction and not find a pay phone.

Juice

@Edent @briankrebs Damn, that’s a slick one.
I never answer calls from unknown numbers personally. I’d rather go through the hassle of missing the call and then trying to get ahold of whoever called me. That being said, my banks are smaller and I usually just go into a building when I get a letter or bill that looks weird.

George Liquor :verified:

@Edent I wouldn't fall for this, but pretty much everyone I know would.

A rule for living in 2024: if someone calls you claiming to be from your bank, credit card company, or PayPal, tell them to make a note on your account so you can hang up and call the official number that appears on your card or official correspondence you have on file.

Programmer 832-529 🍅

@Edent
They're getting clever. Like the one where "the bank" rings you and asks about a transaction of $x for Y. You look and see that transaction in your account; only the bank can see this, right?

Except it was the scammers that did that transaction knowing it would fail, but they obviously know the amount and details.

Oggie

@Edent Well this is fucking horrifying.

Troy

@Edent definitely should be re-worded at best. Perhaps "Did you call us?" not are you talking to us? - how would that verify anything?

Wonder if they could do some kinda back and forth button pressing to check but latency might make that difficult. Interesting problem to solve for!

mypalmike

@Edent Years ago, someone claiming to be Sprint fraud protection called me on my new Sprint phone wanting to verify some things. They asked for the first 5 digits of my SSN. They said they would disconnect my phone if I didn't verify the info. Suspicious, I asked if I could call them back via their publicly listed phone number to handle the verification, and they said no.

I told them I thought they were scammers. It was obvious. They failed every test.

My phone was then disconnected.

Nick Phillips

@Edent Terrible wording. They need to ask "did you just call us".

Nick Phillips

@Edent And have a "no, you called me" option as well as "not me".

Ed Hurtley

@Edent The scammiest such call I ever got, I asked for their name and extension.

Then I hung up and called the number on the back of my card.

It was legit.

Like for real, I've had legit calls that sound scammier than any scammer; so I assume they're ALL scams now.

I don't trust them unless I'm the one that initiated the call.

If the call comes in to me: I give zero information, I confirm zero information. I get enough information from THEM, then hang up and call in to confirm.

(And yes, I've had an absolutely convincing call that thankfully I was already on my "treat all as scams" or else I would have absolutely believed it and given them info.)
Woodswalked

@Edent
That would be the point that I knew it was a scam.
Before that, I might think they are legit and would be telling me to call their 800 number.

Dr Colin Jacobs

@Edent The bank could probably know what I sound like. They record all the calls. It would be feasible for a computer to check whether the current call and the archived snippet were the same person. I wonder if that would help.

Kasey Strube

@Edent The only safe thing to do is to always hang up on an unsolicited call and then call back on the bank’s publicly posted number. Problem is that the scammers will likely call back or call your spouse or family member and hound you trying to keep the scam going in the meantime

Stephen Gentle

@Edent If scammers can successfully make that work, then the bank should be 100% liable for reimbursing the customer for anything the scammers take. This isn’t like these scams where they convince the customer themselves to make transfers to other people, this is the bank’s security practices not being sufficient so the bank allowing scammers to take money!

Terence Eden

@LetsRoc
How would a video call prove anything to you?
You don't know what the bank's staff look like. They don't have photos of you.

Earthlingz ✌️🍉#سلام #HetBoñhe

@Edent I know their uniforms & typical environment. They have a copy of my passport.

Terence Eden

@LetsRoc
Like, you don't think a scammer can buy a corporate T-shirt on eBay?
I did for a fancy dress party. Ex employees often sell their uniforms.

Earthlingz ✌️🍉#سلام #HetBoñhe

@Edent yeah, I'd like to see an imposter inside a branch dressed as them making calls.

FirefighterGeek :masto:

@Edent

At this point I wouldn't even trust their app. It looks legit, but...

The safest response is to ask for a reference code you can use when you call in using the number on the back of the card. Do not accept an alternate number.

Then make your own call to them.

carbon offsets are BS ☕️🥬

@Edent

the answer to the question in the push alert is “I’m not sure, I haven’t been able to verify this yet.”

If the alert is meant to inform and verify to me that I'm on the phone with Chase, it wouldn't be asking me a question and wouldn't need my input.

That said, I understand how this would fool people.

Stephen

@Edent Anyone saying they’d immediately identify this as a scam is delusional or a perfect mark in the future...

Terence Eden

@CliffClavin
Yup. So many people think they have perfect OpSec.

Briala

@Edent This is similar to how Paypal scammers are abusing how Paypal's lost password mechanism works (it sends a code a little like this).

KnittingMittens

@Edent I would always hang up and call the bank/credit card company number on my card. The real bank has no problem with that, but scammers would be upset.

Jim Vernon

@Edent Another reason to ignore calls from people who aren't in my contact list.

Jim Vernon

@Edent I think the only businesses in my contacts are medical providers and some restaurants, so I'd be fine there too.

QuarterSwede

@Edent I had the security company of my business call me and I refused to talk to them. Called them back, it was legit but it may not have been. Never trust anyone calling you about personal business. Always call them back using a known number.

QuarterSwede

@Edent The other piece is my bank has never and will never call as a part of their security (they say this a lot). They communicate in other ways and ask for the customer to call them.

Alfredo Octavio

@Edent I'd tell them I'd call back. But my ex bank did this to me for real...

Neal Onions

@Edent what surprises me is so many people here who know what they are talking about rely on calling their bank. But if I'm getting the zeitgeist, all these calls are set soon to be answered by LLMs. People on the bank's end of customer calls will not be a thing. How will that change the playbook?

DELETED

@Edent The bank needs to establish that you aren't a scammer who could hypothetically be carrying out a man-in-the-middle attack against the trust between your bank and you, using your stolen phone, or your phone number which leaked out somewhere.

Pepijn Schmitz

@Edent I wouldn't fall for it, since it's asking for a passcode, which the bank would not do to confirm that it's *them* calling *me*.

But I can see that this would be extremely convincing. The bank could definitely word it better. Just a simple "did you call us?" would be an improvement.

Rob

@Edent Whenever my bank calls me, I hang up and call them back myself at their normal customer service number.

Inbound calls from a bank? Never. Not on my watch.

Androcat

@Edent Man-in-the-middle, I would wager.

I.e. the con is calling you up, then initializing a password restore interaction with your bank, timed so that you accept the verification, giving him access.

I only ever accept that sort of verification on calls that I have initialized myself.
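Several replies above (fmobus's "did you initiate a call with us from number X five minutes ago" wording, and Androcat's point that the approval is only safe on a call the customer placed) amount to the same design rule: the bank should issue and honour the in-app confirmation only when it can bind it to a call the customer made to the bank's published number. The model below is an added example written for this page; it is not code from the thread or from any bank, and the class names, the 5-minute window, the phone numbers and timestamps are all constructed. It contrasts the ambiguous "are you talking to us?" prompt with a prompt and a server-side decision that are tied to a recorded customer-initiated call, so an approval tapped during an unsolicited call is refused.

```python
"""Bank-side model of a push confirmation bound to a customer-initiated call.

Added example, not code from the thread or from any bank. All classes, the
5-minute window, the phone numbers and the timestamps are constructed.
"""
from __future__ import annotations

from dataclasses import dataclass
from datetime import datetime, timedelta


@dataclass(frozen=True)
class InboundCall:
    """A call the customer placed to the bank's published number (constructed record)."""
    customer_id: str
    from_number: str
    started_at: datetime


class CallBoundPushVerifier:
    """Issue and honour the in-app prompt only when it can be tied to a call the
    customer made to the bank. A prompt that merely asks "are you talking to us?"
    authorises whichever call the customer happens to be on."""

    WINDOW = timedelta(minutes=5)  # constructed freshness window for the call record

    def __init__(self, registered_numbers: dict[str, str]) -> None:
        self.registered_numbers = registered_numbers  # customer_id -> phone number on file
        self.calls: list[InboundCall] = []            # constructed in-memory call log

    def record_inbound_call(self, call: InboundCall) -> None:
        self.calls.append(call)

    def _matching_call(self, customer_id: str, now: datetime) -> InboundCall | None:
        """Most recent call from the customer's registered number inside the window."""
        expected = self.registered_numbers.get(customer_id)
        candidates = [
            c for c in self.calls
            if c.customer_id == customer_id
            and c.from_number == expected
            and timedelta(0) <= now - c.started_at <= self.WINDOW
        ]
        return max(candidates, key=lambda c: c.started_at) if candidates else None

    @staticmethod
    def weak_prompt() -> str:
        """The wording the thread objects to: nothing in it says who called whom."""
        return "Are you talking to us? Enter your passcode to confirm."

    def bound_prompt(self, customer_id: str, now: datetime) -> str | None:
        """The wording fmobus suggests. Returns None when no customer-initiated call
        exists, so a caller on the line cannot cause a prompt to appear at all."""
        call = self._matching_call(customer_id, now)
        if call is None:
            return None
        return (f"Did you call us from {call.from_number} at {call.started_at:%H:%M}? "
                f"If not, hang up and call the number on your card.")

    def approve(self, customer_id: str, now: datetime, customer_said_yes: bool) -> bool:
        """Server-side decision: a 'yes' is honoured only with a matching customer call."""
        if not customer_said_yes:
            return False
        return self._matching_call(customer_id, now) is not None


def demo() -> dict[str, bool]:
    """Three constructed scenarios; returns the verifier's decision for each."""
    verifier = CallBoundPushVerifier({"cust-1": "+1 555 123 1230"})
    t0 = datetime(2024, 6, 1, 10, 0)

    # A: customer is on an unsolicited call; nobody has called the bank. Even a tap
    # of "yes" is refused because there is no call of theirs to bind it to.
    unsolicited = verifier.approve("cust-1", t0, customer_said_yes=True)

    # B: customer hangs up and calls the number on the card; the bank logs that call.
    verifier.record_inbound_call(
        InboundCall("cust-1", "+1 555 123 1230", t0 + timedelta(minutes=1)))
    callback = verifier.approve("cust-1", t0 + timedelta(minutes=3), customer_said_yes=True)

    # C: same call record, but the prompt is answered long after the window closed.
    stale = verifier.approve("cust-1", t0 + timedelta(minutes=30), customer_said_yes=True)

    return {"unsolicited": unsolicited, "callback": callback, "stale": stale}


def prompt_demo() -> tuple[str | None, str | None]:
    """Prompt text before and after the customer places their own call."""
    verifier = CallBoundPushVerifier({"cust-1": "+1 555 123 1230"})
    now = datetime(2024, 6, 1, 10, 0)
    before = verifier.bound_prompt("cust-1", now)
    verifier.record_inbound_call(InboundCall("cust-1", "+1 555 123 1230", now))
    after = verifier.bound_prompt("cust-1", now)
    return before, after


if __name__ == "__main__":
    for name, decision in demo().items():
        print(f"{name}: {'approved' if decision else 'refused'}")
    print(prompt_demo())
```

The point of `_matching_call` is that the binding is checked on the server, not by the wording alone: the prompt text helps the customer, but the `approve` decision is what stops a tap during an unsolicited call from doing anything, and the freshness window limits how long a genuine call record can be reused.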

Григорий Клюшников

You receive a call on your phone. The caller says they're from your bank. You hang up and call back to the bank yourself. End of story. If the caller objects to you doing that, that by itself is an enormous red flag. You never, EVER take incoming calls from "your bank" seriously.

I myself have an additional rule that I always reject calls from unknown numbers, unless I expect one (delivery, taxi, etc).
