Captain Janegay 🫖

@Extelec @Edent That's normal. It's to confirm that someone else hasn't just stolen your phone. The rest of the thread explains, but this *is* a legitimate notification, it's just being misused.

19 comments
Glitzersachen.de

@CaptainJanegay @Extelec @Edent

It's a man-in-the-middle attack. And quite obvious in my opinion.

Only proper reaction: I call you back, gimme a number and your name. Then phone via the front desk of your bank.

Simon

@glitzersachen @CaptainJanegay @Extelec @Edent if you think this is quite obvious I feel sorry for your users.

Captain Janegay 🫖

@iokiwi @glitzersachen @Extelec @Edent Yes. I'm also not so much interested in whether it's obvious to a working-age, relatively tech savvy adult who's paying attention.

I want to know if it's obvious to my last scam-related client, who was a woman in her 70s, run off her feet caring for her husband who had dementia, already worried about money, and who picked up the call - thinking it could be a family emergency - while she was cooking dinner & running late.

TheEjj

@CaptainJanegay @iokiwi @glitzersachen @Extelec @Edent I’m a working age, very tech savvy adult who is paying attention, and this absolutely might still get me if the timing of the notification was right.

DELETED

@TheEjj @CaptainJanegay @iokiwi @glitzersachen @Extelec @Edent the notification absolutely should've said "did you call us" rather than "are you on the phone with us". Even that's easy to miss, but one would need to be very paranoid to suspect this one.

Glitzersachen.de

@CaptainJanegay

My mistake --- I wanted to answer the OP, not yours, or satisfy *your* interest. My heartfelt apologies.

@iokiwi@infosec.exchange @Extelec @Edent

Simon Green

@iokiwi @glitzersachen @CaptainJanegay @Extelec @Edent Yes, the reaction is correct, but it is far from obvious to most people. Or even people who know better, if you catch them at the right moment.

🌱 Ligniform :donor:

@glitzersachen @CaptainJanegay @Extelec @Edent 'on path attack' now. It's also not obvious at all. If a non-tech person gets this they'd assume it was safe.

Kasey Strube

@glitzersachen @CaptainJanegay @Extelec @Edent it’s obvious to us that have to deal with fraud every day. Not so obvious to someone who is concerned about losing their life savings in the moment.

winter

@glitzersachen @CaptainJanegay @Extelec @Edent I don't think it's that obvious at all. It's a real notification from the bank. They still shouldn't be calling you like that but people do that.

Making them let you call them is the right decision, though. That said, calling the front of the bank probably won't work for Chase. Not unless your bank account has a couple more zeros in it than mine does, and if that's the case you probably have your own concierge line or something like that.

dbrand666

@glitzersachen @CaptainJanegay @Extelec @Edent
Did you mean an extension and a name? If you're calling a fake number from the bank, how does this help you?

Edit: I think he meant he'd ask for a name and *badge* number and then call a published phone number (the front desk) and ask to be connected to that person. This is the correct answer but most banks make this difficult in practice.

Daniel Gibson

@CaptainJanegay @Extelec @Edent
but if someone has stolen my phone and is logged into the app, they'll get to see the notification as well?

Captain Janegay 🫖

@Doomed_Daniel @Extelec @Edent Yes, but in most cases they won't know your password, so they won't be able to confirm via the notification.

hapidjus

@CaptainJanegay I disagree and I would say it is not normal at all, in fact some banks will tell you outright that they will never ask for these types of codes and that it is a common scam.

Captain Dragonfrog Queernabs

@hapidjus @CaptainJanegay

Right, but in this scenario you're seeing this notification because your bank *does* use these notifications to authenticate you when you call them. It's just being framed by the person on the phone in the reverse, as authenticating them to you.

Captain Janegay 🫖

@hapidjus It is normal to be asked, by your banking app, to re-enter your passcode to confirm certain actions you can take within the app.

hapidjus

@CaptainJanegay Nobody was asking for a passcode here though, and there is a grammar mistake in "on the phone to us". I will agree that if *I* am the one who manually opened the app and tried to do something, then confirming the authentication is normal in some instances, yes. And I will admit the screenshot is indeed misleading either way, I can still see many people falling for it. I think the entire flow of having the app ask for permission for something done over the phone is flawed.

Death by Lambda

@hapidjus @CaptainJanegay
It's not grammatically incorrect in British English.

In fact the verb is the clue.

"...with us" = We called you.

"...to us" = You called us.
