Simon Wood

@Edent I think I’d be taken in by that. My thought was: why do they need to check they’re on the phone to me if *they* called *me*? But on balance I’d decided it was just poor wording or an ill thought through system (both of which I still think, in fact!) so I wouldn’t have challenged it.

20 comments
Sbectol :twt:

@simonwood I tend to be suspicious. The only time my bank ever called me was from the security dept and I refused to believe it was them and called back on the main number and asked to be transferred.

That’s not to say that I wouldn’t be taken in by a different fraud, of course

@Edent

flabberghaster

@simonwood @Edent one might assume even if they believed the bank was calling them, that they still need to confirm they got you and not someone else.

Simon Wood

@flabberghaster @Edent I have had my actual bank call me, and then ask me (via security questions) to verify that I am actually me. I feel that was *training* customers to divulge information insecurely, as I had no way of knowing that they were who they were, and they wouldn’t have provided it if I’d gone along with their request.

flabberghaster

@simonwood @Edent yeah, same. I had told my bank I intended to travel internationally and then when I got there my card stopped working and they called me saying there was suspected fraud on my card. I knew it was legit because I called back on the number on my card, but I think it's bad practice to initiate calls.

GunChleoc

@flabberghaster @simonwood @Edent Yes, always call back on a phone number that you know to be legit when your "bank" calls.

Ľuboš Moščovič

@flabberghaster @simonwood @Edent

Indeed. They should probably do it the way the good banks send emails: a plaintext notification, no link at all, just the information that there is an important message in your Internet banking inbox; go there and fetch it.

So even the call could be initiated that way: "Hello, this is your bank, we need to talk to you immediately because of [reason without details] (e.g. there was a suspicious transaction we want to cross-check with you); please contact our telebanking number to proceed."

thepoliticalcat

@herrman_sk @flabberghaster @simonwood @Edent Since I never answer the phone, that's what my bank does. A simple message requires me to initiate the process.

AlisonW ♿🏳️‍🌈

@simonwood @Edent
I regularly have a little dance with people who phone me asking me to prove who I am before they will continue. I try to get them to confirm something that only the true caller would know but sometimes just have to give up and end the call.

Erik van Straten

@AlisonW : that's usually fine, but may not help during a "live" AitM (Attacker in the Middle) conversation - that is, if you don't notice the extra delays (or the attacker uses social engineering to somehow justify those delays to both sides - which may not be hard; a recording of a crying baby heard by Chase and construction noises sent to you may fool both sides - "sorry, I did not understand you because ...").

Step 1:
[Allison]
     ^
     | "I'm a Chase employee"
     |
[AitM]
     |
     | "I'm Allison"
     v
[Chase]

Step 2:
[Allison]
     |
     | "What's my date of birth?"
     v
[AitM]
     |
     | "What's my date of birth?"
     v
[Chase]

Step 3 (I changed the order):
[Chase]
     |
     | "Feb 29, 2000"
     v
[AitM]
     |
     | "Feb 29, 2000"
     v
[Allison]

@simonwood @Edent

Captain Janegay 🫖

@simonwood @Edent The bank do need to confirm that: they only know that they called your number, but they can't be sure that you picked up - maybe someone else has access to your phone, or it's been lost or stolen, or you changed your number and forgot to tell them.

Unfortunately this only makes this attack more persuasive.

Telling them you'll hang up and call back on the main number is a good option, and the bank employee should always be happy for you to do so.

Buuut this is Chase...

Simon Wood

@CaptainJanegay @Edent Maybe someone else has access to your phone, so they’re going to send a push notification to your phone to verify it's really you? 🤔

Captain Janegay 🫖

@simonwood @Edent Well, it asks for your password as well, which would significantly increase their confidence - although ofc this notification is not actually used to verify your identity in that situation.

But my point is that it's entirely believable that the bank would need *some* kind of verification when they call you, and a lot of people won't pick up on inconsistencies like this, especially when they've just been told someone has fraudulently taken £300 out of their account.

Simon Wood

@CaptainJanegay @Edent Very true.

Asking for verification is ok, but it amazes me they don’t work on customer expectations - what you will be asked for when the bank calls - and also customers’ fraud literacy - how we can and should verify them!

BarryP

@CaptainJanegay @simonwood @Edent We get landline calls in the UK from “your bank’s security department”. Recent ones have spoofed the local area code.
Main “alarm bell” with that is that our bank, or indeed any other, doesn’t have a branch/office in the three towns covered by the area code.

Captain Dragonfrog Queernabs

@CaptainJanegay @simonwood @Edent

It is being used to verify your identity though. The scammer has presented it to you as if it's verifying their identity to you, but it's actually verifying your identity to the bank.

The notification could be improved with something like "if you have just called the bank, enter your passcode to continue. If instead someone claiming to be from the bank has called you, they are trying to defraud you and you should immediately hang up and call the bank."

Captain Dragonfrog Queernabs

@CaptainJanegay @simonwood @Edent

They could, I guess, also have an option to push out a notification to go with their outbound calls: "The bank is calling you. Seeing this notification confirms that the caller really is from the bank. Please enter your passcode to confirm to the caller from the bank that you really are you."
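
The following Python simulation is an added example, not code posted in this thread or taken from any bank. It models the relay attack in Erik's diagram (the AitM dials Chase as Allison and calls Allison as Chase, passing the date-of-birth question and answer straight through), the push-notification scam Captain Janegay describes (the bank only sends the prompt when someone dials in, but the caller presents it as the bank proving itself), and the two contextual notification wordings Dragonfrog proposes above. The customer's decision rule, the session model and the sample data (Allison, a constructed date of birth and passcode) are assumptions made for illustration:

```python
"""Simulation of a phone-verification relay attack and context-bound push prompts.
Added example, not from the thread or any bank. Names follow the thread's diagram;
the session model, message wording and customer decision rule are assumptions."""
from dataclasses import dataclass, field
import secrets


@dataclass
class Customer:
    name: str
    dob: str
    passcode: str
    notifications: list = field(default_factory=list)   # the registered phone

    def answer_question(self, question: str) -> str:
        # A knowledge check is answered to whoever asks: the customer cannot
        # tell a relayed question from a genuine one.
        return self.dob if "date of birth" in question else ""

    def respond_to_push(self, i_dialled_the_bank: bool):
        """Return (passcode, nonce) to approve, or None to refuse. A generic prompt
        gives no basis to refuse; a contextual one is approved only when its stated
        call direction matches what the customer actually did."""
        note = self.notifications.pop()
        if note["direction"] is None:
            return self.passcode, note["nonce"]
        if (note["direction"] == "inbound") == i_dialled_the_bank:
            return self.passcode, note["nonce"]
        return None    # "someone claiming to be the bank called you: hang up"


@dataclass
class Bank:
    customers: dict      # name -> {"dob": ..., "passcode": ...}
    phones: dict         # name -> Customer reachable by push notification
    sessions: dict = field(default_factory=dict)
    authenticated: set = field(default_factory=set)

    def open_session(self, name: str, direction: str) -> str:
        """'inbound': someone dialled the bank claiming to be `name`.
        'outbound': the bank itself dialled `name`'s registered number."""
        sid = secrets.token_hex(4)
        self.sessions[sid] = {"name": name, "direction": direction, "nonce": None}
        return sid

    def knowledge_check(self, sid: str, answer: str) -> bool:
        """Channel-unaware: anyone who can relay the right answer passes."""
        ok = answer == self.customers[self.sessions[sid]["name"]]["dob"]
        if ok:
            self.authenticated.add(sid)
        return ok

    def push_challenge(self, sid: str, contextual: bool) -> dict:
        """Send a passcode prompt to the registered phone; `contextual` adds the
        call direction and the wording proposed in the thread."""
        s = self.sessions[sid]
        s["nonce"] = secrets.token_hex(8)
        if not contextual:
            text, direction = "Enter your passcode to continue.", None
        elif s["direction"] == "inbound":
            text, direction = ("If you have just called the bank, enter your passcode. "
                               "If someone claiming to be from the bank called you, hang up "
                               "and call the bank.", "inbound")
        else:
            text, direction = ("The bank is calling you now. Enter your passcode to "
                               "confirm to the caller that you really are you.", "outbound")
        note = {"text": text, "direction": direction, "nonce": s["nonce"]}
        self.phones[s["name"]].notifications.append(note)
        return note

    def confirm_push(self, sid: str, passcode: str, nonce: str) -> bool:
        s = self.sessions[sid]
        ok = nonce == s["nonce"] and passcode == self.customers[s["name"]]["passcode"]
        if ok:
            self.authenticated.add(sid)
        return ok


def _setup():
    # Constructed sample data, not real customer details.
    allison = Customer("Allison", "2000-02-29", "4711")
    chase = Bank({"Allison": {"dob": allison.dob, "passcode": allison.passcode}},
                 {"Allison": allison})
    return allison, chase


def relay_knowledge_check() -> bool:
    """Steps 1-3 of the diagram: the AitM relays question and answer verbatim."""
    allison, chase = _setup()
    sid = chase.open_session("Allison", "inbound")        # AitM -> Chase: "I'm Allison"
    question = "What is your date of birth?"              # Chase -> AitM -> Allison
    answer = allison.answer_question(question)            # Allison -> AitM
    return chase.knowledge_check(sid, answer)             # AitM -> Chase: "2000-02-29"


def push_scam(contextual: bool) -> bool:
    """Attacker poses as the bank on a call to Allison while dialling the bank as
    Allison, so the bank's prompt for the attacker's session lands on her phone."""
    allison, chase = _setup()
    sid = chase.open_session("Allison", "inbound")
    chase.push_challenge(sid, contextual)
    reply = allison.respond_to_push(i_dialled_the_bank=False)   # she was called
    return reply is not None and chase.confirm_push(sid, *reply)


def genuine_call(direction: str) -> bool:
    """Legitimate contextual prompt: Allison dials in, or the bank dials her."""
    allison, chase = _setup()
    sid = chase.open_session("Allison", direction)
    chase.push_challenge(sid, contextual=True)
    reply = allison.respond_to_push(i_dialled_the_bank=(direction == "inbound"))
    return reply is not None and chase.confirm_push(sid, *reply)


if __name__ == "__main__":
    print("relay defeats DOB check:          ", relay_knowledge_check())    # True
    print("generic push, scammer succeeds:   ", push_scam(contextual=False))  # True
    print("contextual push, scammer succeeds:", push_scam(contextual=True))   # False
    print("contextual push, genuine inbound: ", genuine_call("inbound"))      # True
    print("contextual push, genuine outbound:", genuine_call("outbound"))     # True
```

Two caveats follow from the model. The relay of a knowledge question succeeds regardless of wording, because nothing ties the answer to the channel it arrived on; only the customer ending the call and dialling a number she already knows breaks the relay, which is the advice given earlier in the thread. The outbound-tagged prompt helps only as long as the attacker cannot time the scam to coincide with a genuine bank call, since the simulation lets only the bank's own dialling create an outbound session.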

Captain Janegay 🫖

@dragonfrog @simonwood @Edent Yes, you're right - I mean that in the fake scenario the scammer is presenting you, where the bank has called you, the bank does not use this notification to verify you. They only use it if you call the bank. But there's really very little opportunity for most customers to figure that out.

stephen

@simonwood @Edent All good points. I likely would be tricked too.
