|
Top-level
 It *is* a genuine notification. But it isn't confirming the bank is calling you. Should the bank word that differently? In a rush, would you read it thoroughly? Most likely, in a panic about the fraud, you'd confirm it was a genuine notification (it is!) and accept it. 3/3 99 comments
 @simonwood I tend to be suspicious. The only time my bank ever called me was from the security dept and I refused to believe it was them and called back on the main number and asked to be transferred. That’s not to say that I wouldn’t be taken in by a different fraud, of course @simonwood @Edent one might assume even if they believed the bank was calling them, that they still need to confirm they got you and not someone else. @flabberghaster @Edent I have had my actual bank call me, and then ask me (via security questions) to verify that I am actually me. I feel that was *training* customers to divulge information insecurely, as I had no way of knowing that they were who they were, and they wouldn’t have provided it if I’d gone along with their request. @simonwood @Edent yeah, same. I had told my bank I intended to travel internationally and then when I got there my card stopped working and they called me saying there was suspected fraud on my card. I knew it was legit because I called back on the number on my card, but I think it's bad practice to initiate calls.  @flabberghaster @simonwood @Edent Yes, always call back on a phone number that you know to be legit when your "bank" calls. @flabberghaster @simonwood @Edent Indeed. They should, probably, do it like the good banks send mails: plaintext notification, no link at all, just an info - there is an important message in your Internet banking inbox, go there and fetch it. So even the call may be initiated in a way - hello, this is your bank, we need to talk to you immediately because of "reason without details" (e.g. there was a suspicious transaction we want to xcheck with you), please contact our telebanking number to proceed.  @herrman_sk @flabberghaster @simonwood @Edent Since I never answer the phone, that's what my bank does. Simple message requires me to initiate the proceeding.  @simonwood @Edent @simonwood @Edent The bank do need to confirm that: they only know that they called your number, but they can't be sure that you picked up - maybe someone else has access to your phone, or it's been lost or stolen, or you changed your number and forgot to tell them. Unfortunately this only makes this attack more persuasive. Telling them you'll hang up and call back on the main number is a good option, and the bank employee should always be happy for you to do so. Buuut this is Chase... @CaptainJanegay @Edent Maybe someone else has access to your phone, so they’re going to send a push notification to your phone to verify it's really you? 🤔 @simonwood @Edent Well, it asks for your password as well, which would significantly increase their confidence - although ofc this notification is not actually used to verify your identity in that situation. But my point is that it's entirely believable that the bank would need *some* kind of verification when they call you, and a lot of people won't pick up on inconsistencies like this, especially when they've just been told someone has fraudulently taken £300 out of their account @CaptainJanegay @Edent Very true. Asking for verification is ok, but it amazes me they don’t work on customer expectations - what you will be asked for when the bank calls - and also customers’ fraud literacy - how we can and should verify them!  @CaptainJanegay @simonwood @Edent We get landline calls in the UK from “your bank’s security department”. Recent ones have spoofed the local area code.  @CaptainJanegay @simonwood @Edent It is being used to verify your identity though. The scammer has presented it to you as if it's verifying their identity to you, but it's actually verifying your identity to the bank. The notification could be improved with something like "if you have just called the bank, enter your passcode to continue. If instead someone claiming to be from the bank has called you, they are trying to defraud you and you should immediately hang up and call the bank." @CaptainJanegay @simonwood @Edent They could I guess also have an option to push out a notification to go with their outbound calls, "The bank is calling you. You seeing notification confirms that the caller really is from the bank. Please enter your passcode to confirm to the caller from the bank that you really are you." @dragonfrog @simonwood @Edent Yes, you're right - I mean that in the fake scenario the scammer is presenting you, where the bank has called you, the bank does not use this notification to verify you. They only use it if you call the bank. But there's really very little opportunity for most customers to figure that out. @Edent yikes. This could easily impact my elderly parents. They’re so scared of internet fraud that they only ever talk to the bank in the branch now  @Edent There’s probably lots of good reasons not to, but I wonder if they could change the notification to show which number they *think* you’re calling from. Presumably their system knows, it’s just a question of whether it could be hooked into the notification sending infra.  @acdha @Edent Fair, there’ll never be perfect technical solutions to these human problems, just trying to imagine what we might do better. Could the banking app use the phone’s phone API to check whether the call is being made on that device, and then at least show something like “You are talking to us on THIS PHONE” vs “You are talking to us ON A DIFFERENT PHONE THAN THIS ONE”? Again, not perfect, but maybe that would help some number fewer people get scammed.   @notsoloud @philip @acdha @Edent That's why I suggested including whether the call was in- or out-bound. The point is to give someone a clue so they can have an a-ha moment and go 'wait, something's wrong.' @notsoloud @MisterMoo @philip @acdha @Edent Right, but "you called us" is hopefully hard to get past someone who did not in fact call the bank, but rather just received a call from them. @MisterMoo, assuming that each X represents exactly one digit, I'd find that phone no. extremely suspicious as it's too short; and the only 3-digit area code which I can think of is 020. @lp0_on_fire @MisterMoo that is a US format phone number which can never start with 1 or 0. 020 in the UK is a London number. @darrenmoffat @lp0_on_fire It was just an example. Presumably it can be modified for telephone numbers across the world. @philip @Edent yes - it’s a brutally hard problem because banks have to assume some customers will have lost phones/ID, be confused, etc. and the fraud industry is large enough to have decent IT, training, etc. I think expecting the phone companies to do more is the future. I’d bet a lot of people would use an international/VoIP block and they could setup a system where you can’t reset passwords, transfer, change your address, etc. except by starting the call in their app.   @Edent @derickr the level of knowledge of this incident suggests the target has already been stalked and their finances already monitored (its way too much resources/effort to put into attempting to scam someone who is skint and only has a few quid in the bank. really wouldn't put it past insiders in the bank/call centres being involved)  @Edent there used to be a time where they told customers at every possibility: our employees will never ask for your password etc. @funbaker they haven't asked for your password. @Edent That is when I ask for a case number, and then call the bank back on the number on the back of my credit card.  @Edent I feel like the notification would be better used for warning you about the purpose of the call. "are you on the phone with us right now RE your requested money transfer" would be more accurate. Also, I'm not sure how it works with this bank, but with mine I need to approve transactions to new recipients with a physical card reader that asks for a ref no and the transfer amount. That would nix this scam. @LonM @Edent I'd go a step further, "Did you start a call with us? Are you sure someone from the bank didn't call you first?" Have the message confirm the call origin as well. And change that last box to "If this is confusing, the safest option is to just answer No. The call will end and no actions will be taken on your account(s)."  @Edent If I was lucky, I would've noticed that it's kinda strange that the person on the phone said they'd show a notification to prove it's them, while the notification is asking me to prove it's me. But the person on the phone could just phrase it differently, something like "for security reasons, we have to verify that we have reached the right person, you will receive a notification to confirm" and then I'd have no chance at all, I *am* on the phone with "Chase" after all @mort, exactly: in this case, the notification needs to include text meaning “you called Chase”.  Hey, thanks for this. Too many have been scammed the last few years, especially seniors. I just stay safe and will ignore these as I do online banking or in person banking.  Well if it was my bank calling I'd be suing them for disability discrimination for phoning me (deaf). I've already tried the Financial Ombudsman on NatWest over deafness and phone issues. I've told my mum that even if she thinks the bank caller to her is legit. Hang up. Wait 10 mins. Look up the bank's number on a statement she has and use a different phoneline to initiate her own call. Thanks for sharing how this scam works. I hadn't thought of the dual prong approach. Evil scammers  In cryptography, it's called "man-in-the-middle attack": @Edent "If someone called you and you did not call the bank, hang up and report fraud" at the beginning would help. Directionality is important in this protocol and needs to be of prime importance. @Edent I got a call saying it was my bank. Almost got me. But I decided to call my bank and hung up. The bank said they will never call me. The same scammer called me several more times trying the same tactic.  @kcanales02@mastodon.social @Edent@mastodon.social Somewhere on that page it should say that the bank will never call you and ask you to accept this. @Edent This is is difficult because the caller ID is spoofable.
If it wasn't, the notification could have been: "We received a call from PSTN_NUMBER, is it you?" Then "You should have been provided by agent the following number XXX. If not, please hang up" That's an impressively risky scam for the scamming partners. They have to be able to convince both parties (the user and the bank) that they are real. If anything, it requires the user to pick up the phone when called from an unknown number. AND it still likely requires the users username and password. It's a clever scam, but probably not efficient enough to be with the effort.   @Edent I blame Chase. That notification should say: “We have received a telephone request to access your account. Did you call Chase?” Yes, I called Chase in order to access my account.  Capital on Tap, yesterday, messaged me with a new feature on their app that reports whether they're on the phone to me. Whether that covers it properly I'm still thinking about. @simon_lucy @Edent Nope. I don’t think it does. Reporting whether they are “on the phone” with you is meaningless until they have authenticated that it is really you. It covers the case of someone calling (or you calling them) claiming to be them and going through the security but you've not yet responded. Check the app, no it's not the bank. @simon_lucy @Edent Unless they have an accomplice call the bank first and pretend to be you. If that call causes your app to show that as them being on the phone with you, you are in the same situation. Yes but it depends on my number, my number is the expected one. If they use a different number and they haven't gone through security it will fail. @simon_lucy @Edent And in any case, it is never the bank. The bank will not call you. And if they do, it will only ever be to say “Please call the fraud number on the back of your card.”  @Edent oh, and the multiple transfers would have flagged both AML and Fraud systems and locked the account down automatically. this can happen with one really odd transaction, let alone a stream of them. even SWIFT would flag up "ya think???". @Edent I'd think that knowing this, the message should say "Did you call Chase?" (maybe with a note that if it appears that Chase called *you*, you should hang up and dial their number). That might not stop everyone from pressing Yes anyway and confirming, but it might stop some of the scams from succeeding. @Edent  @Edent what baffles me the most is how a large bank with presumably tens to hundreds of security experts can put out a feature like this. They either spotted it (it’s quite a simple MITM attack that a security professional should pick up easily) and put it out anyway. Or they didn’t spot it at all. Either case is baffling.  @Edent My response is always. Okay, let me call you back and we can start this process. A scammer will insist they handle it for you. A bank may say they can handle it but will usually let you hang up and call back. Fraud departments don’t make commissions so there’s no reason for them to hold you on the line. I think this is another reason why I bank at a small local credit union. I get text notifications and phone calls occasionally that warn me that my Chase or other big bank account may have been breached, and I get to know 100% its a scam, because I don't have an account at a major bank. I think the perpetuators of this particular scam would be hard pressed to spoof my bank.  @Edent I think we need to become really stupid and stubborn, because smart is not going to help. They’ve thought it through. 1. If they call you, hang up, find the number yourself, call back. Even for probably genuine calls. Make it a habit. I wonder will this advice continue to hold. @Edent Good attack. Only by knowing that the bank will use this only to validate that YOU are calling THEM, not vice-versa, would I be able to confidently spot it. I hope Chase and others have already taken mitigating action. If the notification were just clear that "We need to verify that YOU CALLED US." It's implied but too subtle "it's you on the phone TO us."   @Edent my bank does messages that look like "you are PAYING $1000 from your account" if that's what they want to confirm -- but I only know that because I've done it before  I just assume everything is a scam. If my bank called me, I wouldn't even take the call. Scammers can fake a caller ID. I would ignore the call and phone the bank directly. Texts, emails - are all a scam unless I'm expecting a 2FA code. In your example, what happens if you click 'no'? @Edent@mastodon.social @Edent We go through repeated training like this at my company to practice “always hang up and call the place they’re pretending to be.” You’d be surprised how many scammers try to phish as other people in the company. @Edent Banks should never initiate a phone call to a customer. If a bank declares that policy, customers will know any unexpected call claiming to be from the bank is bogus.  @Edent I'm pretty savvy, but can't say for certain that I would have been able to see through this in the heat of the moment. Thanks for posting this. The implications go well beyond a bank fraud scenario. So many services have taken to using in-app verification as their way to validate authenticity and all of those can be gamed under the right circumstances. @Edent Oh! I see. I intuitively thought the notification informed me that someone else was speaking to Chase, though Chase appeared to be calling me. I think if I were distracted, it might've worked, but intuitively I thought -- oh this isn't me (regardless of the context). But there needs to be better UX design because your point is clear: the message is ambiguous enough not to be clear.  You know, it’s hard to get scammed by phone if your phone doesn’t even ring for callers not in your address book. @mlanger  Social engineering… common con man practices… now with electronic means… I had the bank calling me about an account, how can we ever trust this anymore now… @Edent I would hang up and call the bank directly to confirm. Bank should never call you. |
Gregory's Server
@Edent I think I’d be taken in by that. My thought was: why do they need to check they’re on the phone to me if *they* called *me*? But on balance I’d decided it was just poor wording or an ill thought through system (both of which I still think, in fact!) so I wouldn’t have challenged it.