I wonder if there's any one legitimate instance of a company calling you about compromised accounts and requiring your action. It seems to me that anyone reaching out and lighting a fire under your ass can be assumed to be a malicious actor.
Any notification asking you to confirm your identity that is not initiated by your actions should be immediately dismissed with a "no" and that should be all there is to such things, no?
I got a call from "Bank of America," and they smoothly talked me into giving them my debit card PIN. The trick was they had gotten into my online banking beforehand. "We've detected possibly fraudulent activity on your account." Then they read me real transactions from my actual account. "To be safe, let's lock down the account. For this we need more information for authentication, though." Probably started from a phishing thing that I fell for online without noticing. It was pretty clever of them. Not so easy to steal from a checking account without leaving a trail, unless you have the PIN. Then the main risk is to whoever was on camera at the ATM withdrawing as much cash as possible before the account was automatically locked down.
The next day, I got a call from "Bank of America" telling me that I'd been had. Fortunately they just credited the money back into my account. About $5000.
The main difference is that the first call wanted me to give them information, while the second call advised only "go into a bank branch in person."
The article's advice is correct. If someone asks you for info, tell them you'll call them back. It is almost certainly a scam. Calling back the possibly spoofed number at worst wastes a little time being on hold, and at best saves you or the bank a lot of money.
Don't call back the number possibly being spoofed (i.e. using your Caller ID as the source of the callback number). Call an independently-listed number for the company, such as the phone number on the back of a credit or debit card. Using an independent number prevents any failures where the Caller ID correctly reports an attacker-controlled but plausible-sounding number.
For extra paranoia and safety, perform the callback from a separate phone line. That would avoid at least some of the more-targeted attacks involving a compromise of the victim's phone connection, which could potentially allow the attacker to redirect outgoing calls.
> The main difference is that the first call wanted me to give them information, while the second call advised only "go into a bank branch in person."
Unfortunately physical branches are expensive to maintain, so a lot of banks have been closing them down. There are even plenty of banks with zero physical branches now. All contact is via phone or email, so there is no scam-proof way for them to contact you.
Exactly this. Send me a call or text message that maybe I should go look at my account. If I log in through my normal trusted process and everything looks OK, then I can assume it's not legit.
Most banks seem to have some kind of internal message center within the application that is just for bank to client communications. That's the place to authoritatively tell me something needs to happen and what potential next steps would be.
Depends on the time frame and the ATMs being used.
I don't think all ATMs require chipped cards yet, and it's still common to have a debit card issued with a magstripe. If the GP used their debit card to pay for things it could have easily been duped. My bank issued me a new card for an account a few years ago; it still has a magstripe and I assume can still be used at magstripe-only ATMs.
If it was even a few years ago, a lot of ATMs would have still worked with just a stripe. It's a bit more difficult to find these days, but old ATMs still running OS/2 WARP are still around and kicking.
It's frustrating so many banks and whatnot are still issuing cards with magstripes. These days I wipe the cards I use most with a magnet to try and mess up the magstripe. I don't want to ever use it. Generally speaking, if they can't take chipped cards, tap to pay, or cash I'm not doing business with them.
My understanding is that they had a programmable card. This might have been just before chips became widespread in America. Or, maybe there's still a way to withdraw with only the information visible on the card.
Here's a thing that is enraging, though: when a bank has SMS 2FA (insecure if you're being targeted but better than nothing) and they keep having you enter that into third-party websites. I mean going to a legitimate business, making a purchase with a credit card, and then the bank wants 2FA to validate a purchase instead of a login? Fuck off, I'll use a different card, then.
If it weren't for bullshit FICO calculations I would drop that account entirely.
Banks are pretty good at doing an impression of phishing scams, unfortunately. Almost every red flag for a scammer has also been done by a bank, legitimately.
There was a comment on Hacker News, which alas I can no longer locate, where a guy said he'd been called by his bank and the bank wanted him to answer various security questions. He said he was happy to do so, but firstly needed the bank to verify who they were, or to call the bank back on a telephone number on their website. The bank refused, so he refused to give them any details. The bank then blocked his bank account, meaning he couldn't pay his university tuition on time, meaning his student visa was no longer valid as he was no longer "studying", meaning he had to leave the country.
That doesn't add up; you're free to call the bank at the telephone number on their website whether the representative who just called you wants you to do that or not.
I've definitely experienced the first half of the story: banks really will do dumb things like this and then be surprised when someone is upset by it (anti-fraud protection tends to be the worst: a text message from a random unaffiliated number with another unaffiliated number to call, where you must then provide account details in order to get your card unblocked, and trying to call the official number and go through the phone tree does in fact, eventually, tell you that it was legitimate, but only after hours of being batted between departments).
Banks do have obligations under AML and KYC laws to get information from their customers. I mean I know a single phone call sounds extreme, but I could believe it.
My bank (in the EU) wrote to me a while back (post, no copy to email, no sms, no phone call, etc.) saying if I didn't provide info on certain recent transactions (my salary) they'd block my account in two weeks. Thankfully I wasn't on vacation and saw the letter and answered and it was all OK.
Having information about you (that you provide when opening the account) is entirely different from calling you out of the blue after you already have an active account for long enough that you trust and depend on it for your migration status. Refusing then is in no way breaching AML/KYC requirements. They would ask them to validate the identity on the call, not to gather regulatory data on their client. If they didn't have any info and were to "call and ask" how would they know it's the right person and data anyway?
How is a bank not validating one phone call grounds for freezing funds?
This is one of the reasons I use a local credit union with a handful of branches only in my region. I can always re-establish trust by just walking into a branch to do business, and likewise they can always just ask me to walk in with my driver's license if they need to verify that I'm really me.
But the mentions of "his student visa was no longer valid [...] meaning he had to leave the country" make me think walking to a local bank branch might not have been an easy option in the post adrianmsmith recalls.
Absolutely agree! I only brought it up because it seems like, in our quest for efficiency, we are rapidly heading for a world where we try to delegate trust to outside entities (like tech companies, megabanks, or far-off government departments in Washington, D.C.) but, fundamentally, what makes financial transactions work (with anything other than physical currency) is actual real trust between parties. This is how the great banking houses of Europe began, it's how remittance networks still work in much of the global south, and it's how the Jimmy Stewart-style small town bank once functioned. National banks with lots of local branches are an approximation of this, but the "branches" keep getting less and less bank-like: there is no "president" at the BoA branch inside Kroger, just somebody with a pulse who can technically pass a background check far enough to get bonded. Finally, many of the big banks are just closing these far-flung branches altogether. Bank of America & co. may get many advantages from their enormous scale, but they may be undermining their own foundations in the name of cost savings by trying to cheap out on "customer service" as if banking were just another kind of retailing and trust wasn't central to their entire business.
They probably know this and don't care because it won't happen this quarter or likely even this fiscal year, so it doesn't matter to anyone in charge. But it does matter to ordinary people trying to conduct their lives without being irreversibly de-personed by a flaky customer service bot.
I understand the desire to be skeptical, but maybe you should give individuals the benefit of the doubt and the giant multinational corporation the skepticism.
Also healthcare providers, though they seem to have finally wised up. They would call me from poorly configured phone systems (so unrecognizable caller id) and the first thing they would ask is to confirm full name and date of birth.
Patterns like this do a great deal of damage in desensitizing folks and making them accept dangerous patterns that get exploited by scams.
Even if you recognized it, the number shown by Caller ID is easy for the caller to spoof -- or at least it was a few years ago (the last time I paid attention).
The problem with that, at least in my experience with iPhone, is you can only get the authentication signal after you've already hung up. The only thing I see is a small checkmark next to the "location" of the call in my recent call log. I can't find any indication of a STIR/SHAKEN status in the active call screen.
So asking people to take the step to confirm the call is legitimate won't work: they can't tell until they've already terminated the call. It's useless for purpose imo.
On my Pixel some calls just get auto-rejected. Others will get through but be marked with a red caution symbol for the picture and say "Scam Likely". Then finally sometimes the call will come through with just the number but still have that red caution symbol.
I imagine it is doing something with STIR/SHAKEN along with how many other times similar calls have been flagged as spam calls.
My carrier has a similar “scam likely” feature but afaik that is not directly tied to stir/shaken. I’ve also signed up to have calls rejected and can see them in the carrier app.
I have reported at least a thousand different scam calls over the past two years and so my blocked number list is so large it freezes the phone for a minute or so while it loads. Still the scammers persist…
I remember when I used Ting, I could specify what would appear as caller id. If I had wanted to abuse this, I could easily have had it display whatever number I wanted instead of my name. Since a number of phones would display the caller id instead of the number when caller id was available, nobody would know that the number was not real. I am not sure if this has changed at all.
I have had my telephone company ask me to give them a code sent to my device. It is presumably to prove to the company that the representative is talking to me so that bad actors low in the company cannot start randomly messing with people's accounts. It is the equivalent of the bad click here. The only real defense is to know the difference between a mechanism meant to authorize someone at the company and a mechanism to authorize you. Confuse the latter for the former like the victim did here and bad things will happen.
I called a bank to increase my ATM limit. The agent sent me an SMS code to verify my identity and wanted me to read it back to him. The message said not to give the code to any human. Sigh.
If some bank calls you about compromised accounts, the recommended action should be to hang up, find the official phone number for your bank, wait one minute[1], then call back.
[1] You have to wait or call from a different phone, because the call might not terminate immediately, and the scammer might still be listening on the line.
Sometimes there are good reasons for a bank to call you. The infuriating part is that not every bank has a quickly accessible number to call back if you don't trust the caller. Caller ID may be useless, but me calling the official number for my bank is pretty hard to fake (unless my carrier is part of the scam).
My bank has a button inside the app that will confirm that a real bank representative is calling you, or provides a button to call the bank's emergency line if they're not. It's a simple and effective way of preventing scams that I think more banks should implement.
An SS7 attack could make your carrier part of the scam without their knowledge, such that calling back the number will connect you to the scammer and not the bank.
Ideally yes, no one would fall for that. But these types of attacks don't rely solely on ignorance. They introduced urgency, the fight or flight situation. Plus the first guy in the article got caught up in bad timing where his mental condition wasn't right with his kid crying, his wife yelling etc.