|
Top-level
 The scammer is on the phone to you. Someone has just lost £18,000 because of this. 2/3 118 comments
It *is* a genuine notification. But it isn't confirming the bank is calling you. Should the bank word that differently? In a rush, would you read it thoroughly? Most likely, in a panic about the fraud, you'd confirm it was a genuine notification (it is!) and accept it. 3/3  @Edent I think I’d be taken in by that. My thought was: why do they need to check they’re on the phone to me if *they* called *me*? But on balance I’d decided it was just poor wording or an ill thought through system (both of which I still think, in fact!) so I wouldn’t have challenged it.  @simonwood I tend to be suspicious. The only time my bank ever called me was from the security dept and I refused to believe it was them and called back on the main number and asked to be transferred. That’s not to say that I wouldn’t be taken in by a different fraud, of course @simonwood @Edent one might assume even if they believed the bank was calling them, that they still need to confirm they got you and not someone else. @flabberghaster @Edent I have had my actual bank call me, and then ask me (via security questions) to verify that I am actually me. I feel that was *training* customers to divulge information insecurely, as I had no way of knowing that they were who they were, and they wouldn’t have provided it if I’d gone along with their request. @simonwood @Edent yeah, same. I had told my bank I intended to travel internationally and then when I got there my card stopped working and they called me saying there was suspected fraud on my card. I knew it was legit because I called back on the number on my card, but I think it's bad practice to initiate calls.  @flabberghaster @simonwood @Edent Yes, always call back on a phone number that you know to be legit when your "bank" calls. @flabberghaster @simonwood @Edent Indeed. They should, probably, do it like the good banks send mails: plaintext notification, no link at all, just an info - there is an important message in your Internet banking inbox, go there and fetch it. So even the call may be initiated in a way - hello, this is your bank, we need to talk to you immediately because of "reason without details" (e.g. there was a suspicious transaction we want to xcheck with you), please contact our telebanking number to proceed.  @simonwood @Edent @simonwood @Edent The bank do need to confirm that: they only know that they called your number, but they can't be sure that you picked up - maybe someone else has access to your phone, or it's been lost or stolen, or you changed your number and forgot to tell them. Unfortunately this only makes this attack more persuasive. Telling them you'll hang up and call back on the main number is a good option, and the bank employee should always be happy for you to do so. Buuut this is Chase... @CaptainJanegay @Edent Maybe someone else has access to your phone, so they’re going to send a push notification to your phone to verify it's really you? 🤔 @simonwood @Edent Well, it asks for your password as well, which would significantly increase their confidence - although ofc this notification is not actually used to verify your identity in that situation. But my point is that it's entirely believable that the bank would need *some* kind of verification when they call you, and a lot of people won't pick up on inconsistencies like this, especially when they've just been told someone has fraudulently taken £300 out of their account @CaptainJanegay @Edent Very true. Asking for verification is ok, but it amazes me they don’t work on customer expectations - what you will be asked for when the bank calls - and also customers’ fraud literacy - how we can and should verify them! @Edent yikes. This could easily impact my elderly parents. They’re so scared of internet fraud that they only ever talk to the bank in the branch now  @Edent There’s probably lots of good reasons not to, but I wonder if they could change the notification to show which number they *think* you’re calling from. Presumably their system knows, it’s just a question of whether it could be hooked into the notification sending infra.  @acdha @Edent Fair, there’ll never be perfect technical solutions to these human problems, just trying to imagine what we might do better. Could the banking app use the phone’s phone API to check whether the call is being made on that device, and then at least show something like “You are talking to us on THIS PHONE” vs “You are talking to us ON A DIFFERENT PHONE THAN THIS ONE”? Again, not perfect, but maybe that would help some number fewer people get scammed.   @notsoloud @philip @acdha @Edent That's why I suggested including whether the call was in- or out-bound. The point is to give someone a clue so they can have an a-ha moment and go 'wait, something's wrong.'  @MisterMoo, assuming that each X represents exactly one digit, I'd find that phone no. extremely suspicious as it's too short; and the only 3-digit area code which I can think of is 020. @lp0_on_fire @MisterMoo that is a US format phone number which can never start with 1 or 0. 020 in the UK is a London number. @darrenmoffat @lp0_on_fire It was just an example. Presumably it can be modified for telephone numbers across the world. @philip @Edent yes - it’s a brutally hard problem because banks have to assume some customers will have lost phones/ID, be confused, etc. and the fraud industry is large enough to have decent IT, training, etc. I think expecting the phone companies to do more is the future. I’d bet a lot of people would use an international/VoIP block and they could setup a system where you can’t reset passwords, transfer, change your address, etc. except by starting the call in their app.   @Edent @derickr the level of knowledge of this incident suggests the target has already been stalked and their finances already monitored (its way too much resources/effort to put into attempting to scam someone who is skint and only has a few quid in the bank. really wouldn't put it past insiders in the bank/call centres being involved)  @Edent there used to be a time where they told customers at every possibility: our employees will never ask for your password etc. @funbaker they haven't asked for your password.  @Edent That is when I ask for a case number, and then call the bank back on the number on the back of my credit card.  @Edent I feel like the notification would be better used for warning you about the purpose of the call. "are you on the phone with us right now RE your requested money transfer" would be more accurate. Also, I'm not sure how it works with this bank, but with mine I need to approve transactions to new recipients with a physical card reader that asks for a ref no and the transfer amount. That would nix this scam.  @Edent If I was lucky, I would've noticed that it's kinda strange that the person on the phone said they'd show a notification to prove it's them, while the notification is asking me to prove it's me. But the person on the phone could just phrase it differently, something like "for security reasons, we have to verify that we have reached the right person, you will receive a notification to confirm" and then I'd have no chance at all, I *am* on the phone with "Chase" after all @mort, exactly: in this case, the notification needs to include text meaning “you called Chase”.  Hey, thanks for this. Too many have been scammed the last few years, especially seniors. I just stay safe and will ignore these as I do online banking or in person banking.  Well if it was my bank calling I'd be suing them for disability discrimination for phoning me (deaf). I've already tried the Financial Ombudsman on NatWest over deafness and phone issues. I've told my mum that even if she thinks the bank caller to her is legit. Hang up. Wait 10 mins. Look up the bank's number on a statement she has and use a different phoneline to initiate her own call. Thanks for sharing how this scam works. I hadn't thought of the dual prong approach. Evil scammers  In cryptography, it's called "man-in-the-middle attack": @Edent "If someone called you and you did not call the bank, hang up and report fraud" at the beginning would help. Directionality is important in this protocol and needs to be of prime importance. @Edent I got a call saying it was my bank. Almost got me. But I decided to call my bank and hung up. The bank said they will never call me. The same scammer called me several more times trying the same tactic. Somewhere on that page it should say that the bank will never call you and ask you to accept this. @Edent This is is difficult because the caller ID is spoofable.
If it wasn't, the notification could have been: "We received a call from PSTN_NUMBER, is it you?" Then "You should have been provided by agent the following number XXX. If not, please hang up"   @shansterable @Edent Which is why if you say that, the real bank will go “sure, give us a call” and the scammer will try to stop you. Either way, you hang up. @Edent I love this scam. The banks need to repeat the standard advice of never passing information to a caller about your account, ever. Their security advice is you must call back on their standard number. It's definitely the bank's failure to not make this explicit on the app notification. I hope they are rushing to fix it :blobsweats: "We will never call you and ask for information" For a moment, can we just appreciate this archaic and literal 'man in the middle' attack is viable today? An oldie but baddie? No? Well I think it's neato, even if absolutely fucked. Okay, I'll go. @Edent thinking about this and wondering "how could one prevent this?" and originally a thought I had was "play a sound over the phone that has to be interpreted, like a piano / animal / etc." but it could be even easier thanks to the sole system behind calls. Add an additional prompt asking if you got called or are calling, I couldn't think of a way to task you in calling a scammer number like that and I can't see the bank accidentally calling a scammer pretending to be you with this. @Edent The timing is amazing. The fraudsters are good at what they do. The whole reddit thread is worth a read. @Edent Some of the issue seems to be the app allowing login and active use from two different devices simultaneously. (Though a determined attacker might find a way around that... But a lot of people aren't going to be worth that level of effort, especially when this already seems to be an extra level of effort above what the usual banking scams use.) |
Gregory's Server
@Edent OMG thats really really sophisticated