Terence Eden

It *is* a genuine notification. But it isn't confirming the bank is calling you.

Should the bank word that differently?

In a rush, would you read it thoroughly?

Most likely, in a panic about the fraud, you'd confirm it was a genuine notification (it is!) and accept it.

3/3

99 comments
Simon Wood

@Edent I think I’d be taken in by that. My thought was: why do they need to check they’re on the phone to me if *they* called *me*? But on balance I’d decided it was just poor wording or an ill thought through system (both of which I still think, in fact!) so I wouldn’t have challenged it.

Sbectol :twt:

@simonwood I tend to be suspicious. The only time my bank ever called me was from the security dept and I refused to believe it was them and called back on the main number and asked to be transferred.

That’s not to say that I wouldn’t be taken in by a different fraud, of course

@Edent

flabberghaster

@simonwood @Edent one might assume even if they believed the bank was calling them, that they still need to confirm they got you and not someone else.

Simon Wood

@flabberghaster @Edent I have had my actual bank call me, and then ask me (via security questions) to verify that I am actually me. I feel that was *training* customers to divulge information insecurely, as I had no way of knowing that they were who they were, and they wouldn’t have provided it if I’d gone along with their request.

flabberghaster

@simonwood @Edent yeah, same. I had told my bank I intended to travel internationally and then when I got there my card stopped working and they called me saying there was suspected fraud on my card. I knew it was legit because I called back on the number on my card, but I think it's bad practice to initiate calls.

GunChleoc

@flabberghaster @simonwood @Edent Yes, always call back on a phone number that you know to be legit when your "bank" calls.

Ľuboš Moščovič

@flabberghaster @simonwood @Edent

Indeed. They should, probably, do it like the good banks send mails: plaintext notification, no link at all, just an info - there is an important message in your Internet banking inbox, go there and fetch it.

So even the call may be initiated in a way - hello, this is your bank, we need to talk to you immediately because of "reason without details" (e.g. there was a suspicious transaction we want to cross-check with you), please contact our telebanking number to proceed.

thepoliticalcat

@herrman_sk @flabberghaster @simonwood @Edent Since I never answer the phone, that's what my bank does. Simple message requires me to initiate the proceeding.

AlisonW ♿🏳️‍🌈

@simonwood @Edent
I regularly have a little dance with people who phone me asking me to prove who I am before they will continue. I try to get them to confirm something that only the true caller would know but sometimes just have to give up and end the call.

Erik van Straten

@AlisonW : that's usually fine, but may not help during a "live" AitM (Attacker in the Middle) conversation - that is, if you don't notice the extra delays (or the attacker uses social engineering to somehow justify those delays to both sides - which may not be hard; a recording of a crying baby heard by Chase and construction noises sent to you may fool both sides - "sorry, I did not understand you because ...").

Step 1:
[Allison]
     ^
     | "I'm a Chase employee"
     |
[AitM]
     |
     | "I'm Allison"
     v
[Chase]

Step 2:
[Allison]
     |
     | "What's my date of birth?"
     v
[AitM]
     |
     | "What's my date of birth?"
     v
[Chase]

Step 3 (I changed the order):
[Chase]
     |
     | "Feb 29, 2000"
     v
[AitM]
     |
     | "Feb 29, 2000"
     v
[Allison]

@simonwood @Edent

Captain Janegay 🫖

@simonwood @Edent The bank do need to confirm that: they only know that they called your number, but they can't be sure that you picked up - maybe someone else has access to your phone, or it's been lost or stolen, or you changed your number and forgot to tell them.

Unfortunately this only makes this attack more persuasive.

Telling them you'll hang up and call back on the main number is a good option, and the bank employee should always be happy for you to do so.

Buuut this is Chase...

Simon Wood

@CaptainJanegay @Edent Maybe someone else has access to your phone, so they’re going to send a push notification to your phone to verify it's really you? 🤔

Captain Janegay 🫖

@simonwood @Edent Well, it asks for your password as well, which would significantly increase their confidence - although ofc this notification is not actually used to verify your identity in that situation.

But my point is that it's entirely believable that the bank would need *some* kind of verification when they call you, and a lot of people won't pick up on inconsistencies like this, especially when they've just been told someone has fraudulently taken £300 out of their account

Simon Wood

@CaptainJanegay @Edent Very true.

Asking for verification is ok, but it amazes me they don’t work on customer expectations - what you will be asked for when the bank calls - and also customers’ fraud literacy - how we can and should verify them!

BarryP

@CaptainJanegay @simonwood @Edent We get landline calls in the UK from “your bank’s security department”. Recent ones have spoofed the local area code.
Main “alarm bell” with that is that our bank, or indeed any other, doesn’t have a branch/office in the three towns covered by the area code.

Captain Dragonfrog Queernabs

@CaptainJanegay @simonwood @Edent

It is being used to verify your identity though. The scammer has presented it to you as if it's verifying their identity to you, but it's actually verifying your identity to the bank.

The notification could be improved with something like "if you have just called the bank, enter your passcode to continue. If instead someone claiming to be from the bank has called you, they are trying to defraud you and you should immediately hang up and call the bank."

Captain Dragonfrog Queernabs

@CaptainJanegay @simonwood @Edent

They could I guess also have an option to push out a notification to go with their outbound calls, "The bank is calling you. You seeing this notification confirms that the caller really is from the bank. Please enter your passcode to confirm to the caller from the bank that you really are you."

Captain Janegay 🫖

@dragonfrog @simonwood @Edent Yes, you're right - I mean that in the fake scenario the scammer is presenting you, where the bank has called you, the bank does not use this notification to verify you. They only use it if you call the bank. But there's really very little opportunity for most customers to figure that out.

stephen

@simonwood @Edent All good points. I likely would be tricked too.

Sbectol :twt:

@Edent yikes. This could easily impact my elderly parents. They’re so scared of internet fraud that they only ever talk to the bank in the branch now

Philip Mallegol-Hansen

@Edent There’s probably lots of good reasons not to, but I wonder if they could change the notification to show which number they *think* you’re calling from. Presumably their system knows, it’s just a question of whether it could be hooked into the notification sending infra.

Chris Adams

@philip @Edent I would bet a lot of people would see a different number and just assume their IT department messed up, since there’s rarely a shortage of prior support for that. That goes double if the scammer successfully gets the person into a panic state first.

Philip Mallegol-Hansen

@acdha @Edent Fair, there’ll never be perfect technical solutions to these human problems, just trying to imagine what we might do better.

Could the banking app use the phone’s phone API to check whether the call is being made on that device, and then at least show something like “You are talking to us on THIS PHONE” vs “You are talking to us ON A DIFFERENT PHONE THAN THIS ONE”?

Again, not perfect, but maybe that would help some number fewer people get scammed.

Mister Moo 🐮

@philip @acdha @Edent They could add a box with details about the call. "We are talking to you on the number (XXX)XXX-XXXX. You placed the call to us at X:XX. If any of this is incorrect, please tap 'No, it's not me.'" In this case "No" should change to something like "I have concerns"

Mister Moo 🐮

@notsoloud @philip @acdha @Edent That's why I suggested including whether the call was in- or out-bound. The point is to give someone a clue so they can have an a-ha moment and go 'wait, something's wrong.'

Captain Dragonfrog Queernabs

@notsoloud @MisterMoo @philip @acdha @Edent

Right, but "you called us" is hopefully hard to get past someone who did not in fact call the bank, but rather just received a call from them.

lp0 on fire :unverified:

@MisterMoo, assuming that each X represents exactly one digit, I'd find that phone no. extremely suspicious as it's too short; and the only 3-digit area code which I can think of is 020.

Darren Moffat

@lp0_on_fire @MisterMoo that is a US format phone number which can never start with 1 or 0. 020 in the UK is a London number.

Mister Moo 🐮

@darrenmoffat @lp0_on_fire It was just an example. Presumably it can be modified for telephone numbers across the world.

Chris Adams

@philip @Edent yes - it’s a brutally hard problem because banks have to assume some customers will have lost phones/ID, be confused, etc. and the fraud industry is large enough to have decent IT, training, etc.

I think expecting the phone companies to do more is the future. I’d bet a lot of people would use an international/VoIP block and they could set up a system where you can’t reset passwords, transfer, change your address, etc. except by starting the call in their app.

Derick Rethans

@Edent How and what is faked there then?

Terence Eden

@derickr nothing is faked in app. It is a genuine notification from your bank.

Alex@rtnVFRmedia Suffolk UK

@Edent @derickr the level of knowledge of this incident suggests the target has already been stalked and their finances already monitored (it's way too much resources/effort to put into attempting to scam someone who is skint and only has a few quid in the bank. I really wouldn't put it past insiders in the bank/call centres being involved)

funbaker #AssangeIsNotGuilty

@Edent there used to be a time where they told customers at every possibility: our employees will never ask for your password etc.
I think they still do.
Wtf happened.

Terence Eden

@funbaker they haven't asked for your password.
You haven't given the person on the phone any details.

Human 3500

@Edent @funbaker As soon as you repeat (to the scammer) the code that shows up, the scammer uses it to access your account.

It's a person in the middle attack.

the cake is offline

@Edent That is when I ask for a case number, and then call the bank back on the number on the back of my credit card.

LonM

@Edent I feel like the notification would be better used for warning you about the purpose of the call. "are you on the phone with us right now RE your requested money transfer" would be more accurate.

Also, I'm not sure how it works with this bank, but with mine I need to approve transactions to new recipients with a physical card reader that asks for a ref no and the transfer amount. That would nix this scam.

Keith Ivey

@LonM @Edent In the US we can't even handle having a PIN for our credit cards. Can't let security get in the way of convenience.

DELETED

@LonM @Edent I'd go a step further, "Did you start a call with us? Are you sure someone from the bank didn't call you first?" Have the message confirm the call origin as well.

And change that last box to "If this is confusing, the safest option is to just answer No. The call will end and no actions will be taken on your account(s)."

Jennifer

@Edent I always wonder what would happen if these scammers used their skills for good

Chris Johnson

@Edent I think it’s just not possible for the average person (or maybe anyone) to evaluate these situations correctly. It’d be better for people to have a blanket rule *never* to trust any incoming call from a business under any circumstances. Hang up the phone, find the number of the business through some trusted channel, and call them back. Don’t try to suss out whether the call is legitimate.

It’s surprising to me that businesses that ought to know better are training people to do exactly the wrong thing. I got a text message from Citibank recently about suspected fraud, asking me to call a phone number they provided. I ignored that number and called the number I found in their app. After working my way through the phone tree, I eventually made my way to the fraud department, where they proceeded to ask me a bunch of questions about sensitive information. It turns out the text message was legitimate, and Citibank expected me to call them at a number that arrived at my phone unsolicited and hand over a bunch of sensitive information.

Citibank’s own fraud protection page warns you of this exact scenario: “Named for SMS (Short Message Service), the technology used for cell phone text messaging, SMiShing messages appear to be from a legitimate company and typically contain a link that takes you to a spoof website or asks you to call a phone number.”

mort

@Edent If I was lucky, I would've noticed that it's kinda strange that the person on the phone said they'd show a notification to prove it's them, while the notification is asking me to prove it's me.

But the person on the phone could just phrase it differently, something like "for security reasons, we have to verify that we have reached the right person, you will receive a notification to confirm" and then I'd have no chance at all, I *am* on the phone with "Chase" after all

lp0 on fire :unverified:

@mort, exactly: in this case, the notification needs to include text meaning “you called Chase”.

Maddad The Friendly Ghost 👻

@Edent

Hey, thanks for this. Too many have been scammed the last few years, especially seniors.

I just stay safe and will ignore these as I do online banking or in person banking.
The bank website also says at the top..'We will never call you unless you ask us to.'

Franz Graf

@Edent ahhh that's really nasty. Thanks for sharing

NatalyaD

@Edent

Well if it was my bank calling I'd be suing them for disability discrimination for phoning me (deaf). I've already tried the Financial Ombudsman on NatWest over deafness and phone issues.

I've told my mum that even if she thinks the bank caller to her is legit. Hang up. Wait 10 mins. Look up the bank's number on a statement she has and use a different phoneline to initiate her own call.

Thanks for sharing how this scam works. I hadn't thought of the dual prong approach. Evil scammers

Chris Martin

@Edent The premise is confusing, why would I receive a call on my phone

Dan McDonald

@Edent

Wow a man-in-the-middle attack with a real life person actually in the middle! 😮

Tristan Slominski

@Edent "If someone called you and you did not call the bank, hang up and report fraud" at the beginning would help.

Directionality is important in this protocol and needs to be of prime importance.

Pass the Dutchie

@Edent I got a call saying it was my bank. Almost got me. But I decided to call my bank and hung up. The bank said they will never call me. The same scammer called me several more times trying the same tactic.

Tilo

@Edent someone really really fucked up their „Security protocols 101“

MarkS

@Edent

Somewhere on that page it should say that the bank will never call you and ask you to accept this.

Nicolas SAPA

@Edent This is difficult because the caller ID is spoofable.

If it wasn't, the notification could have been: "We received a call from PSTN_NUMBER, is it you?"
Then "You should have been provided by the agent the following number XXX. If not, please hang up"

Bindestrich

@Edent yeah definitely I'd fall for that if my bank had such a system.

Dallas (Join Something IRL)

@Edent

That's an impressively risky scam for the scamming partners. They have to be able to convince both parties (the user and the bank) that they are real. If anything, it requires the user to pick up the phone when called from an unknown number. AND it still likely requires the user's username and password.

It's a clever scam, but probably not efficient enough to be worth the effort.

DELETED

@Edent I'd say out of the gate, "Oh, I'll be right there!" Then I'd hang up and call my bank directly. Cause I don't believe anything that comes in a phone call or email unless I instigated it from a system I'm familiar with and it's simple, like verifying a doctor visit, etc.

Joe Hill 🇮🇱🇵🇸🇺🇦

@Edent
Definitely a scam. Always hang up, call your bank.

Aleggra

@Edent

Not even in a drunken stupor. I’d hang up, block & call my bank.

Brian Hawthorne

@Edent I blame Chase. That notification should say:

“We have received a telephone request to access your account. Did you call Chase?”

Yes, I called Chase in order to access my account.
No, I did not call Chase. The person you are talking to is probably trying to steal my money.

Simon Lucy

@bhawthorne @Edent

Capital on Tap, yesterday, messaged me with a new feature on their app that reports whether they're on the phone to me.

Whether that covers it properly I'm still thinking about.

Brian Hawthorne

@simon_lucy @Edent Nope. I don’t think it does. Reporting whether they are “on the phone” with you is meaningless until they have authenticated that it is really you.

Simon Lucy

@bhawthorne @Edent

It covers the case of someone calling (or you calling them) claiming to be them and going through the security but you've not yet responded.

Check the app, no it's not the bank.

Brian Hawthorne

@simon_lucy @Edent Unless they have an accomplice call the bank first and pretend to be you. If that call causes your app to show that as them being on the phone with you, you are in the same situation.

Simon Lucy

@bhawthorne @Edent

Yes but it depends on my number, my number is the expected one. If they use a different number and they haven't gone through security it will fail.

Brian Hawthorne

@simon_lucy @Edent And in any case, it is never the bank. The bank will not call you. And if they do, it will only ever be to say “Please call the fraud number on the back of your card.”

Simon Lucy

@bhawthorne @Edent

In the scenario I've described it's covered.
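The relay that Erik van Straten diagrams above, and Brian Hawthorne's objection that an accomplice can ring the bank first so that an "are we on the phone with you" signal says yes, modelled as an added example. This is not code from Chase, Capital on Tap or anyone in the thread. It assumes the banking app can read the device's own call state (the open question Philip Mallegol-Hansen raises earlier), and every phone number in it is constructed.

```python
"""Toy model of the two-caller relay: scammer 1 rings the victim as "the bank",
scammer 2 rings the bank as the victim, and the bank's genuine push notification
ends up authenticating scammer 2.  Added example; all numbers are constructed."""
from dataclasses import dataclass, field
from typing import Optional

BANK_NUMBER = "+18005550100"     # constructed
VICTIM_NUMBER = "+15550001111"   # constructed
SCAMMER_NUMBER = "+15550009999"  # constructed: what the victim's phone shows for scammer 1


@dataclass
class Call:
    direction: str    # "outbound": this device dialled; "inbound": this device was rung
    peer_number: str  # number the device shows for the other party


@dataclass
class Device:
    own_number: str
    active_call: Optional[Call] = None

    def naive_prompt(self) -> bool:
        """Today's notification: "Is it you on the phone to us? Yes/No".
        A panicked customer who is on *some* call with "the bank" taps Yes."""
        return self.active_call is not None

    def bound_prompt(self, claim: dict) -> bool:
        """Hardened notification: the bank states what it believes (the customer
        dialled the bank) and the app checks that against the device's own call
        state, which a remote attacker cannot alter (assumption: the app can read it).
        A mismatch is refused outright rather than shown to the user to interpret."""
        call = self.active_call
        if call is None or call.direction != "outbound":
            return False  # nobody dialled out from this phone, so it is not us calling the bank
        return call.peer_number == claim["bank_number"]


@dataclass
class Bank:
    number: str
    customers: dict = field(default_factory=dict)  # presented CLI -> registered Device

    def verify_caller(self, presented_cli: str, bound: bool) -> bool:
        """Someone has rung the bank presenting `presented_cli` (CLI is spoofable, as
        Nicolas SAPA notes).  The bank pushes a prompt to the device registered for it."""
        device = self.customers.get(presented_cli)
        if device is None:
            return False
        if not bound:
            return device.naive_prompt()
        claim = {"direction": "you called us", "bank_number": self.number,
                 "your_number": presented_cli}
        return device.bound_prompt(claim)


def run_scenarios() -> dict:
    """Returns {(scenario, bound): bank_accepted} for both notification designs."""
    results = {}
    for bound in (False, True):
        victim = Device(VICTIM_NUMBER)
        bank = Bank(BANK_NUMBER, {VICTIM_NUMBER: victim})

        # Legitimate: the customer dials the bank from their own phone.
        victim.active_call = Call("outbound", BANK_NUMBER)
        results[("legit", bound)] = bank.verify_caller(VICTIM_NUMBER, bound)

        # Relay: scammer 1 rings the victim (the phone sees an inbound call, even if the
        # CLI is spoofed to look like the bank), scammer 2 rings the bank with a spoofed
        # CLI equal to the victim's number so the prompt lands on the victim's phone.
        victim.active_call = Call("inbound", SCAMMER_NUMBER)
        results[("relay", bound)] = bank.verify_caller(VICTIM_NUMBER, bound)

        # Spoofed CLI while the victim is not on any call at all.
        victim.active_call = None
        results[("spoof_idle", bound)] = bank.verify_caller(VICTIM_NUMBER, bound)
    return results


if __name__ == "__main__":
    for (scenario, bound), accepted in run_scenarios().items():
        design = "direction-bound" if bound else "naive"
        print(f"{scenario:10} {design:16} bank accepted caller: {accepted}")
```

The naive prompt accepts the relay because the only thing it checks is that the customer tapped Yes, and the customer really is on a call with "the bank". The bound version keys on the device's own call direction, which neither scammer controls, so Brian Hawthorne's accomplice-calls-first case and the spoofed-CLI case both fail without asking the customer to spot an inconsistency. The bank still uses the presented CLI to choose which device to prompt, and that part remains spoofable; the check only makes that spoof harmless.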

Paul McO'Smith III

@Edent so Scam-2 is on the phone with the bank and gets the bank to send the notification before Scam-1 or 2 have any of your card details. how the hell did S2 convince the bank to do that? sure, the notification came in legit, but what convinced the bank S2 was you at that stage to send the notification? did the bank just test a phone number? it sounds... improbable.

after that it's all sorts of dumb. 12 digits... nah. CVV and 12 digits... you kidding?

i still can't get to why the notification was sent. okay, a phone number not hard, people have those everywhere. but a bank would never simply use that as authentication. first pet name, anyone?

honestly the whole thing sounds like BS, or the guy in question was d-u-m-b dumb. perhaps both. why did the bank send the original notification? was this guy's whole life available online? xfer money instead of lock the account? sounds like he was scammed and has made up a "they were so good" story to save face.

Paul McO'Smith III

@Edent oh, and the multiple transfers would have flagged both AML and Fraud systems and locked the account down automatically. this can happen with one really odd transaction, let alone a stream of them. even SWIFT would flag up "ya think???".

John Mark Ockerbloom

@Edent I'd think that knowing this, the message should say "Did you call Chase?" (maybe with a note that if it appears that Chase called *you*, you should hang up and dial their number). That might not stop everyone from pressing Yes anyway and confirming, but it might stop some of the scams from succeeding.

Korny

@Edent
There's also the problem that, even if I suspected it was a scam, I really struggle to do the sensible thing and call my bank - because all my experience with calling large institutions on the phone is long annoying call queues and difficulty getting any help.
My bank is probably better, but I've just been trained to avoid calling any businesses because so many are so bad.

Snowshadow

@Edent Nope I wouldn't click any links and I would call the bank. End of scam.

Paul Richards

@Edent what baffles me the most is how a large bank with presumably tens to hundreds of security experts can put out a feature like this. They either spotted it (it’s quite a simple MITM attack that a security professional should pick up easily) and put it out anyway. Or they didn’t spot it at all. Either case is baffling.

Houston Bova

@Edent My response is always. Okay, let me call you back and we can start this process. A scammer will insist they handle it for you. A bank may say they can handle it but will usually let you hang up and call back. Fraud departments don’t make commissions so there’s no reason for them to hold you on the line.

Sue

@Edent

I think this is another reason why I bank at a small local credit union. I get text notifications and phone calls occasionally that warn me that my Chase or other big bank account may have been breached, and I get to know 100% it's a scam, because I don't have an account at a major bank. I think the perpetrators of this particular scam would be hard pressed to spoof my bank.

tptigger

@Edent I'm hearing "if the bank calls to tell you they've found fraud" the correct answer is always "Let me call you back" hang up, dial number on back of card?

Mark

@Edent I think we need to become really stupid and stubborn, because smart is not going to help. They’ve thought it through.

1. If they call you, hang up, find the number yourself, call back. Even for probably genuine calls. Make it a habit.
2. The only thing that might be happening now, in real time, in a rush, is a scam. There is never a rush.

I wonder will this advice continue to hold.

Keith Mann

@Edent Good attack. Only by knowing that the bank will use this only to validate that YOU are calling THEM, not vice-versa, would I be able to confidently spot it. I hope Chase and others have already taken mitigating action.

Democracy Matters :verified:

@Edent

If the notification were just clear that "We need to verify that YOU CALLED US." It's implied but too subtle "it's you on the phone TO us."

UncleCharlieA

@Edent hang up the phone and contact your bank directly…

Ölbaum

@Edent Well, you have to hand it to the bank, how could they predict their security feature could be misused like that? It’s such a novel technique it doesn’t even have a name. Let’s give it one, for the sake of future customers. I suggest PIB strike. PIB stands for Person In Between.

Chris Were ⁂🐧🌱☕

@Edent I've been tripped up by simpler scams. That's pretty devious.

Thomas Lumley

@Edent my bank does messages that look like "you are PAYING $1000 from your account" if that's what they want to confirm -- but I only know that because I've done it before

Magenta Rocks

@Edent

I just assume everything is a scam. If my bank called me, I wouldn't even take the call. Scammers can fake a caller ID. I would ignore the call and phone the bank directly. Texts, emails - are all a scam unless I'm expecting a 2FA code.

In your example, what happens if you click 'no'?

ferricoxide

@Edent@mastodon.social

Why my banks have a "PIN" word for verifications.

But, in general, unless I'm expecting a call, my rule is to tell such callers, "I'll call the number on the back of my card: what's your name/extension".

Blaine Motsinger

@Edent We go through repeated training like this at my company to practice “always hang up and call the place they’re pretending to be.” You’d be surprised how many scammers try to phish as other people in the company.

Corb_The_Lesser

@Edent Banks should never initiate a phone call to a customer. If a bank declares that policy, customers will know any unexpected call claiming to be from the bank is bogus.

Sheldon Chang 🇺🇸

@Edent I'm pretty savvy, but can't say for certain that I would have been able to see through this in the heat of the moment. Thanks for posting this. The implications go well beyond a bank fraud scenario. So many services have taken to using in-app verification as their way to validate authenticity and all of those can be gamed under the right circumstances.

0f4d0335

@Edent Oh! I see. I intuitively thought the notification informed me that someone else was speaking to Chase, though Chase appeared to be calling me. I think if I were distracted, it might've worked, but intuitively I thought -- oh this isn't me (regardless of the context). But there needs to be better UX design because your point is clear: the message is ambiguous enough not to be clear.

Maria Langer | 🛥️ 📝 🎬🚁

@Edent

You know, it’s hard to get scammed by phone if your phone doesn’t even ring for callers not in your address book.

#JustSaying #DoYouReallyNeedToAnswerEveryCallYouGet?

Terence Eden

@mlanger
Lots of us use our phone for business. I can't ignore most calls.
And, even if I did, it is trivial to spoof a caller ID.

xs4me2

@Edent

Social engineering… common con man practices… now with electronic means…

I had the bank calling me about an account, how can we ever trust this anymore now…

Cameron Talley

@Edent I would hang up and call the bank directly to confirm. Bank should never call you.
