This also applies to offline solicitation. Someone came to my door and asked me to sign on to switching my gas supplier. He said it is a supply chain change and will not affect anything beyond my getting a smaller monthly bill, still coming from PG&E. I told him that it sounds wonderful but this is the first I'm hearing of such a thing and I need to research online what it is about before signing anything. He said he has all the details in his paper folder and I can read it. I insisted on doing my own research. He said the deal is off once he leaves and it is my last chance. I told him, "so be it, such is life".
Did a quick Google search the next day and figured the process is legit but people out there have gotten higher bills than before.
Moral is to fight the human-interaction pressures and be adamant on doing your own research. No shame in that.
My standard response to that sort of thing is, "Sorry, but my personal policy is to not make any decision without sleeping on it first." That usually gets them right to the "deal is off" phase quickly, since there's really no good rebuttal for that. Or they leave their materials. Either way, they leave me alone.
Yep, I have a standing rule that I don't buy anything marketed by someone standing at my front door (I will make an exception for Girl Scout cookies). Someone at your front door is interrupting you, and creating a power imbalance leveraging long standing cultural norms that you invite people in and are courteous. That may apply to neighbors and friends, but not to salespeople.
A good more general rule is not ever to buy anything from anyone who has initiated the first contact. Not sure that's going to be an entirely popular thought on a forum of entrepreneurs who live and die by their marketing to an extent, but from a recipient's point of view I do advocate it.
On the flip side, it’s far easier to sell to someone that comes to you. In fact, many businesses do just that and don’t even bother with cold sales. This is trivially true in the case of stores but also marketing companies, SaaS offerings. And really it’s better that way. It’s not unsolicited, both have mutual interest and the buyer clearly sees value enough to talk to somebody on the expectation it’ll cost.
This works extremely well as a tourist too. If someone is walking up and offering something to me that is almost always a no. Scams frequently depend on seeking out targets.
I remember my dad telling me about a farmer he knew, who said to him once, (pointing at his lane), "Any time Jim, I see a f*er driving in that road I know he's not doing it for my benefit"
Indeed. I always think to myself: if it’s worth coming to my door or cold-calling me there must be a pretty margin. And then they claim it’ll be so much cheaper than my well-researched current contract. Yeah, right.
The only thing that will sometimes pique my interest enough to listen to the pitch is if they offer non-monetary upside.
This is exactly the reason why there are specific limitations on so-called "Haustürgeschäfte" (sales made on the porch of your own home) in German and European law. For example, you get a reasonable time period to rethink those sales without any charges.
Yes exactly (I've lived in Germany). And where I live now in southern California, thank goodness, it's actually against the law to "solicit door to door" (I think that's how the law is written).
Before I lived "here", every weekend, guaranteed, at least 4-5 knocks on the door on Saturday & Sunday afternoon (combined). Trying to sell me something that I didn't need, didn't want, and often it felt like a scam.
Last time I just opened the door and spoke first: "Sorry I don't have time to talk to strangers right now" and closed the door before he could say one word.
I'm thinking of preparing an mp3 of a chaotic household (think 10 kids screaming and fighting) for improved effect in the future.
I outright reject anyone trying to sell me a subscription model at the door - a lot of charities do that, and their sales talk nowadays includes that I can cancel at any time.
But the caveat there is that if I were to do a one-time donation, they would still have my information and the permission to receive mail on file.
Charities are marketing companies; they collect money and advertising permission, and give you direct mailed marketing in return.
True on cultural norms. Myself I have found myself being rude and when I answer the door, I point at the "No Soliciting" sign directly below the door bell and keep repeating "No Thank You" until they leave or I decide to close the door if they persist.
This is absolutely true, and any product or service that requires sending people to knock on doors in order to sell it is by definition not worth buying, because if it were, they'd sell plenty using regular advertising. Anyone that comes to my house to sell something is automatically a scam in my perspective, and it is usually those fake electric company / gas people, though sometimes someone offering to redo my driveway.
What? What if it's a neighbour you haven't met asking you over for a bbq? Or somebody who noticed your garage door was swinging open and wanted you to know they'd closed it?
Or OMG what if somebody needs a boost because their car battery is dead? Oh man, I couldn't bear it if I became that guy who didn't give someone a boost.
With all the news I keep hearing from the US, I can't say I blame you. It's sad, though. I want to live in a society where people can knock on each other's door, and open the door trusting it's a legitimate friendly talk or person in need, and not a threat or someone looking to take advantage of me.
I hope you'll consider changing your media diet, because your current selection is filling you with irrational racist fear. That's not how the real world is. Consider lolc's comment below:
"I once got lost in typical U.S. suburbia and the first door I knocked the guy wouldn't tell me the direction I needed to go but insisted on driving me there.
I was conscious of being perceived as a potential threat in that situation. But me being perceived as a likely nuisance to be ignored didn't cross my mind."
I think your comment might have had a useful alternative perspective if it could have been made without calling the parent racist and irrational. ISTM difficult to change someone's mind while disparaging their reason and character.
That was with the pretext of it being a person standing at your front door with a clipboard--if such a person did not also have a badge and a gun, GP wouldn't open the door.
What do guns have to do with anything? Why would a badge alone not be enough? Why are you trying to sound so epic? What are you trying to prove? Are you the type of person who brings assault rifles to a protest to make some sort of cowboy-style point?
I totally get not wanting to talk to people who are trying to sell you something, but if you are such a bad ass, living in your wild west world, why don't you try bringing up the courage to just tell someone at your door that you won't buy anything from them? Seems easy enough to me.
The only people who come to my door are gas people saying that they're going to be turning it off for a period/back on, window washers coming to clean the windows they can't reach from the outside, and similar things. I do want what they offer, because it's useful/important.
He also lives in the US, where current laws and general social norms and expectations mean there's a much higher perceived/actual risk to opening your front door to a random stranger, so it's less surprising to hear this.
This problem, at least at that level of magnitude, does not exist in other parts of the world.
Have you ever lived in the US? Your statement is probably only somewhat valid in the worst neighborhoods. People don't shoot you in the face when you open the door...
People come to the door in my neighborhood for only a few reasons:
- to sell me on religion
- to solicit money for some kind of commercial service, charity, non-profit fundraiser
- to sign me up for political stuff
And they do this several times a week (pre-COVID). So I never open the door to surprise strangers. It's not paranoia; it's just preventing the waste of my time and emotional energy. I'm not interested in worshipping a sky demon. It's not incumbent on me to figure out whether the service is legit, rent-seeking grift on top of a legit service, or a total scam. I don't have to figure out how to gently turn them down just to keep junk food out of the house.
I once got lost in typical U.S. suburbia and the first door I knocked the guy wouldn't tell me the direction I needed to go but insisted on driving me there.
I was conscious of being perceived as a potential threat in that situation. But me being perceived as a likely nuisance to be ignored didn't cross my mind.
If you don't have a badge and a gun, I'm not opening the door for any reason.
Then when your irrigation system has sprung a leak and is spewing water all over the side of my house, I'm going to go to the valve on the sidewalk in front of your house and turn off the water to your house while your family is trying to shower and make breakfast.
That's exactly what happened when my neighbor refused to answer his door one morning at 6am.
There's usually an internal and an external shutoff valve. Inside is easier when you're working on things inside, but the water company may need to turn off your water, and they can't depend on being able to get inside. So valve on the sidewalk (or in the lawn as the case may be).
Yep. They're metal lids labeled "water" that you lift up and inside there is a valve that can be turned. They're very common in most cities in which I've lived.
There's a lot that can go wrong with this approach, and the upside is pretty obviously dwarfed by the (small to minuscule, depending on many many factors) chance of getting murdered while puffing about your rights. Whose front door has a gap underneath it, anyway?
Assuming they knock and announce they have a warrant as opposed to knocking the door down, you open the door and they start coming in immediately. You can read the warrant, they'll likely shove it in your face. You should be on the phone to an attorney or the local bar association before the last officer in past the threshold, anyway.
I'm pretty shocked an attorney would suggest doing something that can very likely be construed as stalling for time when tensions are likely pretty high.
You're aware that -- regardless of what you might have seen on TV or the movies -- they don't actually have to present a physical warrant, right?
Nor do they have to allow you time to call a "watch commander to verify it".
What is likely, however, is that you're gonna be shopping for a new front door if you don't open up by about the second knock -- if they give you that long.
Obviously this isn't legal advice, but it's what defense lawyer friends have suggested if it ever comes up.
I think that popular video about "never talk to cops" mentions something like it too?
I assume if they don't wait, it helps your court case. They could always go with the "probable cause" argument, but again this can help your case if you can prove they didn't have actual cause.
Your threat model is imaginary, if they are robbers posing as cops, they wouldn't knock and wait patiently, they'd just serve you a fake "no knock warrant" (kick open your door and bust in with flash bang grenades).
I'm sorry, this comment is not necessarily a reply to you directly but to the thread in general--are we talking about the real world or some fictional TV show? Genuine question, is this something a "normal" HN reader should be worried about? Is there any evidence of such incidents happening ("kick open your door and bust in with flash bang grenades")?
My understanding is a valid warrant (which as someone else mentioned does not have to be a physical piece of paper) grants them immediate access and they don't have to wait to verify. If you don't open the door, it will be opened for you by battering ram - demanding you open it is more of a courtesy.
Think about it: say someone has a bunch of drugs, you wouldn't want to give them time to start flushing it down the toilet while they call up and verify the warrant is valid. You kick the door in, arrest them, and secure the scene for forensics and evidence collection.
I assumed something along those lines, but I think they have to knock unless there's a no-knock warrant? I just don't expect they'll be amused if you tell them to hang on for a few minutes while you "verify" the warrant.
When someone tells me the offer expires when I walk out the door etc, I just reply "It must not be that good of a deal if you don't want me to comparison shop." I've never run into a salesperson that had a good/any comeback to that.
There seems to be a huge margin on those things, which brings all kinds of sleazy tactics from third-party marketing companies.
I had a call from a guy claiming to be from PECO (my power co) with a good deal to switch off of PECO. Indeed we do have alternate generation supplier options, but this smelled. So I asked him several times if he worked for them and he insisted. Finally I agreed and he wanted to route me to a neutral, recorded line, agreement-gathering company, but he said it would identify as "xyz energy". Whoops, deal's off, fat liar.
"Exploding offers" (the deal is off when he leaves) and other hard-sell tactics are big red flags in general, IMO. If I get a whiff of hard-sell it's an automatic and unconditional "no."
I've been working on this over the years, since I noticed a tendency to just go along to make the uncomfortable situation go away. Just having a mental flag helps a lot: "this is probably BS, don't agree to anything."
Just an FYI, my town (in Pennsylvania) passed an anti-peddling / door-to-door sales ordinance to get these high pressure utility sales guys off our streets. You might want to talk to your city council about doing the same.
At this point we can call the cops on them and the cops can issue a citation. I haven't seen them since the ordinance was passed.
My town (in New Jersey) has a similar law. We have a list at town hall. You can ask to be put on the list. Salesman must not go to your door if you are on the list. Only problem is that charities and politicians are exempt from the requirement.
If someone knocks on my door and I haven't invited them over I don't even consider answering it. It doesn't matter to me what sort of uniform they are wearing. The same goes phone calls. I don't understand the obligation people feel to engage in unsolicited meetings and conversations.
> I don't understand the obligation people feel to engage in unsolicited meetings and conversations.
If they get you on the line, you're going to fight against a professional liar on an uphill territory made of cultural norms and basic politeness. Turns out disengaging from a conversation isn't easy. But how do they get you on the line in the first place?
Like anyone, you probably have frequent periods of time when you have a lot of errands in progress. Maybe you've ordered a bunch of things on-line, booked a trip, just sent documents to your accountant, and posted your car for sale. Any of these can face roadblocks that generate a phone call. In such periods of time, you'll be more likely to pick up that unknown number calling in, because maybe it's one of the vendors calling with an issue that can either be resolved in 30 seconds on the phone, or 2 days via e-mail.
For the bad actors (marketers), it's a numbers game. Personally, I also don't take calls from numbers I don't know... except whenever I run any kind of errand remotely, which is when they usually manage to catch me (only for me to wait until they tell me what they want, at which point I hang up).
I do this to some extent. Usually if they get me on the line, I have them wait, then come back after a few minutes, then have them wait, pretend I can't hear them well, pretend I don't understand their questions, etc. It's a bit of a burden, but kind of fun. But really my reasoning is that if they weren't on the phone with me, someone who won't fall for their scam, they would be on the phone with someone more likely to fall for their scam, so better me waste some of my time and have a little fun than the next person losing a bunch of money to a scam.
If you answer the call at all you will be put on the "Answers calls" list and sold to the next company. It's a way of cleaning calling lists from dead numbers.
> In such periods of time, you'll be more likely to pick up that unknown number calling in, because maybe it's one of the vendors calling with an issue that can either be resolved in 30 seconds on the phone, or 2 days via e-mail.
I haven't picked up an unsolicited phone call or answered the door in 25 years and I never had a problem with it.
I second this. If I’m not expecting it then I don’t bother. If something is important then they'll call a second time and leave a voicemail or come knocking again but that has rarely happened.
I get what you're saying, but I get irate at people who don't answer calls from unknown numbers. Spam or soliciting? Hang up and block caller. It doesn't take more than 5 seconds.
I've been in situations when I don't have access to my cell phone and I need help from friends, so I call from a stranger's cellphone. I never get an answer. I have to text them from the stranger's phone (and see their text messages), wait for them to see the message, then accept the call. It's incredibly frustrating.
One problem here is that by answering at all, you're confirming your phone number as one with a real live person on the end. They track this and will keep calling. Anecdotally I noticed after I stopped picking up, the number of calls I was getting decreased.
I like to pick up and immediately hit mute. If they say something, maybe I reply, but typically the spam callers just hang up after a few seconds. I read somewhere that picking up but not saying anything can take you off the rotation or something
I've done the same for a span of a couple months--immediate mute, no interaction. It didn't seem to make a difference one way or the other, though, with regard to call frequency.
It's just a machine calling. If you pick up and make a sound, you will be immediately connected to a person. If no person is available it will just drop the call and call again later. The only way is to not answer.
> ... I get irate at people who don't answer calls from unknown numbers. Spam or soliciting? Hang up and block caller. It doesn't take more than 5 seconds.
I'd like for you to spend a day at my grandmother's house.
She's had the same landline number for probably 50 years and gets - no kidding -- probably 20 of these calls a day. It may not "take more than 5 seconds" but it gets real f'in' annoying real f'in' quick.
She now only answers calls from numbers she recognizes. She will pick up if you yell at her on the answering machine, though!
Also, as of iOS 13 (or whenever it was they introduced the feature), I am -- thankfully -- no longer even aware of calls or text messages from numbers that aren't in my contacts until I pick up my phone and look. My phone doesn't beep, ring, or ding if I receive a call or text from an "unknown number" -- and I could not be happier about that!
Doesn't Google have an automatic call screening thing? Maybe it was related to Voice and/or a pilot program they cancelled. But I'd expect people around here to know about it.
Because a world in which people are unwilling to answer their doors is depressing, and answering the door is only going to cost you like 30 seconds of your time.
Exact same experience about a year ago, I also passed up the deal and ultimately concluded later that it was legit. I then emailed PG&E telling them that whoever is doing this is training people to trust a random, pushy person at the door who shows nothing other than a badge and iPad full of content.
My policy is before any time sensitive decision is to determine if it is manufactured time sensitivity, that is the company created the time sensitivity. I refuse to act on things that are only time sensitive because someone else decided it should be. Those are traps.
We would only put up our Christmas tree on Christmas Eve when I was growing up, and it was ever so stressful watching my father haggle on the tree lot.
Tree guy, you can have Christmas without a tree. I hate Christmas trees. They take up space I don't (didn't; I have more space now) have, and spread needles everywhere. And I'm Christian, so I'm not that big on the pagan symbols anyway.
That is an excellent example. Who really has the upper hand? Depends on how close the competition is, I guess. And how close the competition is to their competitors..
This is why I've done my damnedest to avoid jobs that require additional on-call time. It invites abuse where everything has to be a crisis. I worked in e-commerce ONCE. Grandma can't buy shoes at 2am because part of the site isn't working? This is not an urgent situation.
Unless it's the Joint Chiefs calling me up from the war room to stop a meteor from destroying the planet, I'd rather go back to sleep. Even then I still might: they can fire me in the morning if there is one.
I would tell them to fuck off and go back to sales school - these tactics don't work in today's day and age, they worked when information was opaque, you got the world's information at your fingertips now.
Those tactics still work for most people who don't know any better. Most people are still too lazy (even when you tell them it's so easy to save money).
Speaking of school, being aware of sales/marketing/scam tactics and how to defend against them should be taught very early on.
I have yet to find a use for some advanced math school tried to teach me when I was a teen, while basic life skills like how to manage finances, deal with scams, etc are invaluable.
How does "I'll get back to you after considering" let "weasley salesdroids" take advantage, as long as you hold firm? If you're not the type of person to hold firm after saying that, you won't hold firm after saying "No" either.
I think you either fail to read comments in their entirety or just focus on one thing. So I'll say it again: "Someone who can't hold firm won't hold firm. It doesn't matter if they say 'No' or 'I need to think about it'".
Plenty of companies here that are like subletters for utilities; they claim to be able to offer you a lower energy bill because they buy up electricity in bulk, but when I looked into it it turns out that in practice they're only cheaper the first year. These aren't energy companies, they're marketing / sales companies.
Anyway I went with one of the "source" power suppliers who instead offer a loyalty discount that builds up over time. I'm sure switching suppliers every year will be a bit cheaper in the long run but I choose reliability and convenience in this case. Also because the reseller companies tend to pop up and be bought up / merge constantly. Besides, it gives me some moral peace of mind that I'm paying the company producing electricity directly instead of a marketing middle man.
Used to work for a sales company, impulse is a textbook tried-and-true sales tactic. For everyone like yourself that decides to sit on it another jumps at the offer.
A simple "No Soliciting" sign can help ward off many such ruses given the further illegality of proceeding with soliciting when such a sign is visible. (This also may signal you are not as easy a mark and therefore not worth their time.) Doorbell cams + Nextdoor/Citizen make this even harder since one skeptic can poison a neighborhood.
Thanks for sharing. Questionable whether it's legit since they're apparently making false verbal promises of a lower bill. Hard to prove, yes. It's not right just because a corporation does it.
Not so long ago, I got a legitimate phone call from my bank's fraud department (HSBC HK) regarding a dispute I had made (someone had used my credit card to book on booking.com).
The bank employee asked me to give him my passport number and acted annoyed when I refused. He couldn't understand why I would not give this kind of private information on a phone call and why it was a breach of security. I then called the bank's customer service hotline and they had no record of the call from the fraud department being made because it's a separate department and they didn't have access to that data. It took 3 days before I got a confirmation from my bank that that call had indeed been legitimate (and that's only because I have a relationship manager)...
So I think Banks are part of the problem, they need to massively step up their training in security so as not to make this kind of demands on phone calls they have themselves initiated.
Funny you should say that, I've had several calls from my bank - HSBC UK - who have then asked me for information to 'prove my identity'. When I've said "you phoned me, you could be anyone, I'm not doing that", they got pretty annoyed, and didn't see why I was saying that I wouldn't give away the information. I phoned them back and then it was OK - when I spoke to the same person (she'd given me an extension to give once I'd phoned the main, publicly verifiable number), she seemed surprised that I'd take such steps.
It's not just banks - I get the same spiel from my insurers, who say they have to check the information "for data protection" - oblivious of the fact that them regularly doing this means that they're setting the scene for people inadvertently leaking the information they take as sacrosanct!
I'm with HSBC too and they seem to be a bit too cautious with their debit card fraud. I get my card blocked a couple times a year.
Whenever they've phoned me and I've told them I don't want to give out my info they just tell me to call the number on the back of my card. Never had anyone act annoyed towards me. Maybe it's because I never act annoyed or accusatory towards them, so they don't act the same towards me. I just tell them that I'd rather not give my info out to someone who's phoned me
That they do this shows that they have been getting bad publicity by calling the wrong number and giving private information to the wrong person. Now and then you see articles about this or that hospital sending faxes with patient data to some company fax by mistake. I'm sure this also happens with phone calls, so they are just trying to cover their back; it has nothing to do with your security. They get annoyed when it means more work for them.
I regularly make outgoing phone calls where I need to request payment details. Out of all of those calls, only one person expressed concern about providing said information so I provided them with three options: pay in person, pay online, or look up our phone number and call me back. Apparently that was enough verification for them, so they provided the information right after I finished the sentence.
Is it any surprise that institutions would not know how to handle their customers seeking verification when it is rare and at least some of the people who claim to want verification have a very low standard for evidence?
I suspect part of the problem is the minimal effort put into most scams, which is where this story is sobering. The people involved in this scam were clearly willing to lay down the framework to take a smaller scale crime and escalate it into something more profitable. While many of us may seek solace in our own practices being able to filter out the type of scam described in this story, the real question is when (rather than whether) these people will find an approach that exploits our own vulnerabilities.
Exactly. Banks need to be aware that data protection goes both ways, and they should teach their customers to check the identity of any bank employee calling them. Training users to give out personal details to people calling them is exactly the wrong thing.
Indeed. This is far too common in the UK. The banks call people, introduce themselves to be from a $bank, and then start asking security questions. I have had to tell the other side a couple of times that is not how it goes - they called me, they should first authenticate themselves before starting to ask for details that are part of customer authentication.
The first time I called back through the banking app. (The ability to initiate a call to bank's customer service from a trusted app is a good idea.) It took their end about 40 minutes to sort out who the first caller was. To my bank's credit, at least they didn't make me wait on the line, but sent me a notification SMS once they had the information ready. Then I called back again.
The second time I knew better and asked for a direct reference code that I could use to make the callback verification tango easier on their end.
But at least with the banks they mostly understand that customers may be suspicious about unsolicited calls. The ISPs on the other hand...
My solution with ISPs or similar utilities is to put them in a position where they need you and not the other way around. Blocking their payment magically makes them call you, the call is from someone that at least speaks English properly and is not a monkey, and security questions or other nonsense usually go out the window.
It's not just a social problem, it's also a technical problem, as you can't tell if a number is legit, since numbers can be spoofed or hijacked. There could be something like SSL for phones where you would get a green lock and the company/person name when someone calls. It wouldn't work with analog phones; it's funny, actually, that it's just one small part of the chain that is analog, the rest is digital, and we could easily get rid of the analog part, I believe. Still, there is no SSL in popular messenger apps, where you can be any person if you just know their username/password, and the same goes for e-mail. We need to have private keys controlled by the users for second factor and end-to-end encryption.
Yeah, a lot of the issues with security on the phone (both spoken and text messages) seem to have to do with backwards compatibility. I mean they add layers on top of the old ones (e.g. to allow higher call quality) but somewhere you can still call someone using just dial tones.
I hope they're working on a new standard for telecom that allows unspoofable caller verification. That, and secure / verified e-mails. But that too is a standard challenged by 60 years of legacy (I had to do a quick wikipedia check).
Unrelated to banks, but more to the point of organizations.
I was reconciling a firm's bank account. I had four transactions from their payroll company, but the last payroll was weeks ago.
I called the payroll company. The first person I spoke to could explain that one charge is a tax reconciliation, but didn't know about the other three. The next human, in another division, explained a service fee. Because I'm not authorized, I wasn't able to get more information about the last two charges.
Each group is compartmentalized and siloed. Each department is focused on administering their part, but no one person can account for the bank activity.
> So I think Banks are part of the problem, they need to massively step up their training in security so as not to make this kind of demands on phone calls they have themselves initiated.
Banks are horrible. Their security measures have been and will continue to be defeated by any targeted attack. Not only that, they act very entitled to people's personal information because they want to protect against fraud. Apparently, that is more important than any other concern.
My bank's authentication system is so convoluted people will just write down the stuff they have to type in. This is so normal, the bank employees print out the passwords and hand them out. This happened to me yesterday: I have two sets of passwords in my wallet. They actually print a message saying they will never ask for this information over the phone but it wouldn't surprise me if they did it anyway. The ATMs ask people trivial stuff like dates of birth as if it was proof of identity. The mobile app wants complete access to my phone, including file system, contacts, camera, microphone and call management. They have a "security" browser plugin that's actually a rootkit: it contains a kernel mode driver module which intercepts all network traffic, reducing performance noticeably. I assume it records the traffic and leaks the information back to the bank. If this thing isn't installed and running, the bank's website won't let users log in.
Interesting story about how this developer got called by the NSA, who instructed him to hang up then call back the publicly listed number for the agency. Exactly the steps that big banks should take. https://medium.com/datadriveninvestor/why-the-nsa-called-me-...
I've had the same thing in the US from Chase bank. They called me about potentially fraudulent charges on a credit card and then proceeded to ask me to verify myself by providing details.
I thought it was fraud, so hung up and called them using the number on the card. Turned out it was a legitimate call. I wrote them a detailed explanation of why their process was indistinguishable from a scam and never got a response. Great.
Same experience trying to open a Checking+Savings account with them online. I get a call supposedly from them and they ask me to verify myself by telling them the code they just texted me. I refused, hung up and called back. By then it was past 5 on a Friday and I had to wait till Monday.
The whole thing was BS as it was because they wanted to verify that I owned the external checking account I was using to fund the new accounts -- one that I registered on their portal ~7 years ago and have consistently used since then to pay off my Chase credit cards.
Wow, that's bad. My experience with several UK banks has also been "stuck in the 90s".
I did have a very good experience with American Express when they called me about a fraudulent charge on my card. They solved this identity issue by putting a note in their customer support system and had me call the number on the back of the card. On the callback they did their usual phone identity verification and then transferred me back to the fraud department to solve things. It was very confidence-inspiring in their security.
If you need "training" to understand such a basic thing you have no place in a fraud department.
I am skeptical of training because I've seen a lot of people do the training sessions and parrot out the knowledge (thus pass any tests) despite not understanding the underlying reasons, so when faced with a slightly different situation than the one in the training session they will fail spectacularly.
Something similar happened to me. Utility company called me with important news about my account. I called them back later and the other department had no record of this call even though it was correct information. So weird.
I'm glad that as far as I know, a lot of the services I make use of - utilities, phone, bank, etc - rarely if ever need any interaction.
I got a letter the other day (yes, snail mail) from my bank (which is one of the more technologically forward ones out there, I've worked for them (as a developer-for-hire) for a couple of years). They said they were rejigging an investment account product I'm using, but all they mentioned is that I should go to the webapp for it and it'll tell me more.
> But he said he still feels like a chump for not observing the golden rule: If someone calls saying they’re from your bank, just hang up and call them back — ideally using a phone number that came from the bank’s Web site or from the back of your payment card. As it happened, Mitch only followed half of that advice.
Banks could normalize this behavior by having their customer service reps ask customers to do this at the beginning of every call.
"Hi, this is <csr> calling from <bank>. We'd like to talk to you about <subject>. To ensure to you that this is not a fraudulent call, please look up the phone number for this bank and call us back. Thank you."
> "Hi, this is <csr> calling from <bank>. We'd like to talk to you about <subject>. To ensure to you that this is not a fraudulent call, please look up the phone number for this bank and call us back. Thank you."
This would be great as long as your call back was recognized and immediately routed to the right person instead of being placed on infinite hold, as is usually the case when you call a bank's or credit card company's number.
I've had this happen. When the fraud department for my credit card company called and I said I wanted to call them back to verify, they gave me a code to enter after I called to go straight back to the agent. It was great.
I recall the same happening. Capital One, I believe.
I really, really thought it was fraud at first until they basically said "yep, go for it, use the number on the back of your card then give us this code".
>as long as your call back was recognized and immediately routed to the right person
It would be great if more companies had this functionality. It would also be useful in the situations where you get disconnected while talking with someone.
> It would also be useful in the situations where you get disconnected while talking with someone.
Most call centres want you off the phone as soon as possible, regardless of whether the problem is solved or not. Making it easy for you to call them isn't in their best interests.
Basically, I'd prefer it if the PBXes used by these companies providing support did the equivalent of storing short-term 'cookies' that remember you had just called, rather than requiring remembering and re-entering 'share URLs'.
This is especially important now: I just had a credit card company send me a query about a fraud alert. After confirming that it was fraudulent, it tells me to call the 800 number but that now says that you should use the website for anything which isn't COVID-19 related due to very high call volume.
Yes, going to exactly the same person is not always required (depends on how good their customer notes are--in my experience there's quite a bit of variability there).
Going to the right department immediately instead of being placed on infinite hold like someone who just randomly called in is required for something like this to work.
When the police called me they did exactly this but added their extension. This way I could verify that the number belongs to my local police department but still called his number directly.
For CSR, they could use one time extensions so that the service rep doesn't get spammed at later times.
Good idea. Plus, they could trivially implement this, no? The main phone number's first prompt could be, "If you were told to call this number, please enter the 8-digit code you were given at the prompt."
It's just a matter of the company prioritizing that feature. If they think that improved handling of identity fraud will save them money, they will prioritize it.
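One way the callback-code routing proposed above could be implemented on the IVR side (an added example, not code from any bank or from this thread; the 15-minute lifetime, three-guess lockout, pepper value and case/extension identifiers are assumptions):

```python
"""Single-use callback codes for a bank IVR. Added illustration of the scheme
proposed in the thread; not code from any bank or from the thread.
Flow: the rep who initiated the call reads the customer a code; the customer
hangs up, dials the number printed on the card, and enters the code, which
routes the call straight to that rep's case with no identity quiz."""
import hashlib
import hmac
import secrets
import time
from dataclasses import dataclass
from typing import Dict, Optional, Tuple

CODE_DIGITS = 8                 # the 8-digit prompt suggested in the thread
DEFAULT_TTL_SECONDS = 15 * 60   # assumed lifetime of a code
MAX_FAILED_PER_SESSION = 3      # assumed guess limit before an IVR session is locked


@dataclass
class CallbackTicket:
    case_id: str        # the fraud case the rep opened
    agent_ext: str      # extension the callback is routed to
    expires_at: float   # epoch seconds
    used: bool = False  # a code is good for exactly one callback


@dataclass
class IvrSession:
    """Per-call state on the IVR; failed guesses are counted per session so the
    10^8 code space cannot be searched by keying guesses in one call."""
    failed: int = 0
    locked: bool = False


class CallbackRegistry:
    def __init__(self, pepper: bytes) -> None:
        self._pepper = pepper                        # server-side secret (assumed)
        self._tickets: Dict[str, CallbackTicket] = {}

    def _digest(self, code: str) -> str:
        # Store a keyed hash only, so a leaked table does not yield live codes.
        return hmac.new(self._pepper, code.encode(), hashlib.sha256).hexdigest()

    def issue(self, case_id: str, agent_ext: str, now: Optional[float] = None,
              ttl: int = DEFAULT_TTL_SECONDS) -> str:
        """Called by the rep who placed the outbound call; returns the code to read out."""
        now = time.time() if now is None else now
        code = "".join(secrets.choice("0123456789") for _ in range(CODE_DIGITS))
        self._tickets[self._digest(code)] = CallbackTicket(case_id, agent_ext, now + ttl)
        return code

    def redeem(self, code: str, session: IvrSession,
               now: Optional[float] = None) -> Optional[Tuple[str, str]]:
        """Called by the IVR when the customer keys in a code on the published number.
        Returns (case_id, agent_ext) to route to, or None. Caller ID is deliberately
        not consulted: it is spoofable, as noted elsewhere in the thread."""
        now = time.time() if now is None else now
        if session.locked:
            return None
        ticket = self._tickets.get(self._digest(code))
        if ticket is None or ticket.used or now > ticket.expires_at:
            session.failed += 1
            if session.failed >= MAX_FAILED_PER_SESSION:
                session.locked = True
            return None
        ticket.used = True           # a replayed code fails from here on
        return ticket.case_id, ticket.agent_ext


def demo() -> Tuple[Optional[Tuple[str, str]], Optional[Tuple[str, str]]]:
    """Rep issues a code for a constructed case; the customer calls back once,
    then a second attempt with the same code is refused."""
    reg = CallbackRegistry(pepper=b"constructed-demo-secret")
    t0 = 1_700_000_000.0
    code = reg.issue("CASE-0001", "4471", now=t0)          # constructed identifiers
    first = reg.redeem(code, IvrSession(), now=t0 + 120)   # customer calls back in 2 min
    second = reg.redeem(code, IvrSession(), now=t0 + 130)  # replayed code
    return first, second


if __name__ == "__main__":
    print(demo())
```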
Used to be the case with certain CC companies that after they put a note/status in my account, any call I made to the main line would immediately route me to their security/fraud department once I entered my abbreviated auth details (last 4 of card# + zip or somesuch).
I wish the regulators for financial institutions would mandate this. One of the reasons I left, years ago, the much-beloved-for-reasons-I-do-not-understand Pacific Northwest darling credit union BECU is because I got griped at by their customer service rep who called me to ostensibly tell me about fraud on my credit card. When the rep asked me "identity verification" questions, they got most upset when I replied that they should have this information and how do I know I'm actually talking to BECU.
"Sir, I'm just trying to help prevent fraud on your account and I need to know that it's actually you who answered the phone."
(Yes, there legitimately was fraud but I had no way to know it at the time. I closed the account about a month later after another issue.)
I recently missed a bill due to an error on behalf of my utility company. It ended up at a debt collector, who when calling me insisted I share my date of birth, address and full name before they'd tell me what the call was regarding. I refused, they got mad and acted as if I was trying to avoid paying the bill. I assumed the call was fraud.
I found it was in fact not fraud when my credit monitoring service informed me that someone reported I refused to pay a bill. One call to the utility company later, it was resolved... unfortunately I'm still trying to fix the credit report.
If anyone else runs into this, I've heard that you can say you'll pay only if they remove their claim from your credit report. Supposedly it's not legal for them to offer (I guess extortion), but as far as I know, it's legal for you to ask.
It sounds like that option has passed for the parent comment, but you did just try disputing it right? Force them to come up with the proof.
Presently in dispute, no outcome yet. I didn't actually know it was going to hit my record as I paid through the service provider and no one threatened that. As someone that's never not paid a bill, I guess I just needed to learn this lesson.
Did they mail you anything in writing? Not that a letter is worth anything by itself, but if it's asking you for a debt you recognise and asks to call a number that does indeed map back to a debt collection agency (on Google, etc) it's probably legit.
I am not sure whether it's even legal for them to mark you as refusing to pay without making a formal payment demand by mail.
Hospitals are even worse. They would periodically call me with random information about appointments or prescriptions and whatnot and would always start off by asking me my birth date and PII to identify myself to them! They're the ones calling me!
I told them as much and after a few years they finally started sending me secure emails asking me to call them. Certainly I wouldn't trust "call back at..." messages claiming to be from a medical provider, even though they're indistinguishable from the real thing because that's the same thing the doctor's office does. It's bizarre considering how security conscious they have to be.
I got a credit card fraud alert sms text once that asked me to call a number that was different than the phone number on my credit card. I called the card number instead and the alert was legit but they still should have used an easily verified phone number.
A favourite trick in the UK is for scammers to stay on the line when you hang up, and play simulated noises for a dial tone and connection, then pretend to be your bank when you call the number on your card.
A trick I learned to deal with this very thing was just to attempt to call the local time/weather number after getting my dial tone back.
That said, with far-side supervision, I suspect that the call would actually time out after something like 20-30 seconds of either party hanging up. I'd just make it a habit to go put the kettle on and make some tea before placing another call.
If the call doesn't time out, well, it's time to ask BT some hard questions as to why they're allowing that sort of nuisance on their telephone network. AT&T managed to get rid of it here just fine.
> A favourite trick in the UK is for scammers to stay on the line when you hang up, and play simulated noises for a dial tone and connection, then pretend to be your bank when you call the number on your card.
Sure, but that only works for landlines. Is this still a common thing in the UK?
Most broadband "landlines" are not a real BT landline but instead one simulated by your broadband router (it's SIP on the other end). With SIP, once either you hang up or the other side hangs up the session is terminated and there is no way to recover it.
As far as I'm aware BT still have normal landlines to most areas - the phones are separate from the router, they don't go through it first and even support old pulse dial phones.
The United Kingdom phone system has what is called "far-end supervision" where the circuit-switched landline system will only disconnect the call from the receiving caller if the phone where the call originated hangs up.
This trick only works if the receiving caller is on a landline. It will not work on mobile phones.
It should disconnect eventually. And the timeframe for "eventually" has been changed in recent years.
Originally there was a grace period because of pulse dialling. Each "pulse" is actually a hangup, so the system had to tolerate that hangup != disconnect. But the grace period was far too long, and eventually end-users adopted it as a feature: if you wanted to take this on your bedroom phone instead of your hallway phone, you could hang up the phone, go upstairs, and pick up the bedroom phone.
So now we have two problems. One is that the bug has been adopted as a feature. The other is that precisely because of 999/e911 systems, the phone system is incredibly backwards compatible. Most exchanges still support pulse-dialling; it's never dropped intentionally (some exchanges don't, because they're too modernized. But it's not a conscious "let's turn this off now" thing.)
There has been a move in recent years to reduce the grace period, precisely because of this abuse. But until it's dropped short enough to be a non-issue, my advice for anyone who thinks a call is suspect, is to call the talking clock (123 in the UK). It is a paid service, but I don't like bothering the operator for such things. But if you call 123, and reach your bank, you know summat's up.
> my advice for anyone who thinks a call is suspect, is to call the talking clock (123 in the UK). [...] But if you call 123, and reach your bank, you know summat's up.
No no no no no.
Hang up and use another phone. End of. Any advice that you call another number first or whatnot is bad advice. If such advice got widespread, what would scammers do?
Obviously, they would have a DTMF decoder on the other end and they would patch the call through to the number you called. These are sophisticated people who send fake security officers to people's houses to "pick up the compromised card". Call forwarding is trivial.
Good that the UK is moving away from this "feature".
(I still remember that to take a call on another phone, you could just leave the receiver up on the phone you took the call on, provided you're not too lazy to hang it up later.)
Only some phone systems in the western part of the US had far-end supervision, so far as I am aware. (This is why movies and TV shows from in and around Hollywood show conversations where the caller hangs up and the callee hears a dial-tone. The phone systems in most of California had only far-end supervision. Tom Scott has a good video on this[0].)
Most of the US uses either near-end, where the recipient hanging up will end the call, or both-end supervision, on POTS/landline systems.
0 - https://www.youtube.com/watch?v=bUIiUXvnkUQ - This video was filmed at the excellent Museum of Telecommunications in Seattle, located in a CenturyLink switching office. When travel is available again, I encourage all phone geeks to come here and check it out.
It only works in the UK where the phone call only ends after both sides hang up. The idea is you can hang up, go to a different room and resume the conversation. The result is that this fraud is possible.
Definitely used to be the case in Canada. The caller had to hang up: if the receiver hung up it took a (something like 20 second) timeout before the call would terminate. We did use that to move to another extension in our house.
Note to kids: we used to have our phones anchored to the wall with these coiled ropes so you couldn't walk away with them. To counter that, we had multiple phones in various rooms of the house. They also made the phones so big they wouldn't fit in your pocket as another way to prevent stealing them. They didn't have screens because the vacuum tubes drew too much current and they would get too hot when pressed to your ear.
In Sweden both sides had to hang up, not sure how it is now. My mother used it for kids prank calling. She just left it open until the parents came home and wanted to call, then she explained that their kid had been prank calling us.
Most seniors I know have a mobile phone. How else would they be able to show off pictures of their grandkids? Also, that's how hearing aids work these days.
In the UK landlines almost always start with 01 or 02 so it's easy to identify who is using a landline. You can also go through the phone book (which only lists landlines) looking for "elderly" names. People who don't bother / know how to opt out of the phone book are probably easier targets as well.
Not both parties, the caller. And there's a timeout which these days is set to about 2 seconds. Here's the BT Openreach (the last mile provider and thus de facto the supplier of landline telephone service to almost all of the UK) write-up for when it was reduced to 10 seconds in 2014.
That would be preferable. I had a call from my bank once that went like this.
> CS: Hello, this is X from Y Bank. Is this Z?
> ME: Yes, this is Z.
> CS: Z, can you confirm your last 4 digits of your social security number so I can confirm who I am speaking to?
> ME: Uh... How do I know you're the bank? I can't just tell any person who calls that information.
> CS: Z, we are from your bank, Y Bank. Please provide the last 4 digits of your social.
> ME: There has to be another way to do this, right?
> CS: Please hold... (puts me on hold for 30 seconds)
> CS: Hi Z, I'm back. Can you look up our phone number on Google and give us a call back and ask for me by name, X?
> ME: Sounds good.
It was them. I got quickly reconnected to the same woman. I'm still concerned that the norm should be something closer to what you commented, even if it adds friction and will probably result in lazier people not calling back for something important. It's better to normalize this than allow for the alternative, which is to normalize people telling random strangers their sensitive, personal information.
Any time this topic comes up, I immediately worry about my parents and grandparents falling for this sort of thing if real scammers are out there trying. I realize the last four digits of my social security number are not as great as the whole thing, but as far as I know, it's enough to be dangerous.
In Sweden the whole personal number is public information. Anyone can just call the tax department and get it without any questions asked. Still some use it as proof that you are you...
Just yesterday there was an article on HN about a guy who was called by someone from the NSA who gave him detailed instructions on how to get back to him through publicly available information like 411.
Used to offer this when working on fraud in <a Big Corp>, but I had to give them my name so the main number switchboard could route the call. Very few people did, but those that did appreciated it. It only costs you a few minutes while they find the old-time printed phone book, look up <a Big Corp> and call back.
What about if that puts you into an hour long phone queue where the person who you eventually get through to has trouble helping you with what the initial call was about?
A few years ago I got a call from Revenue Canada and around the same time it was extremely popular for scammers to pose as Revenue Canada agents. So immediately I just assumed it was a scam and got extremely annoyed and angry at the person... turns out it was a real Revenue Canada agent and I had somehow forgotten to submit my taxes a few years back...
Ha ha, same here, but I got a call from an FBI agent. I had lost money to someone and 2-3 years later he got caught in some other sting and they wanted me to be another witness since they found my name in his books. For me somehow the connection clicked as soon as the agent mentioned the name of the company (but not when he said "I am calling from the FBI"). I even got a login to, I think, an FBI website to keep updated on the status. Unfortunately after communication every few months, they decided to not pursue the case, after maybe 2-3 years of elapsed time.
Or, you know, send a letter or e-mail. Not that e-mails are secure per definition, but services like gmail spend a lot of time and effort on detecting and blocking spam and scams.
Why not use reverse verbal passwords (i.e. have the bank give you a secret phrase)? That should eliminate a large amount of issues without the need for a call back.
That can still be gamed by any malicious SEO wizard. People will trust the top Google hit for "bank of america phone number" before they bother with finding it on the website.
Suspicious activity. Suddenly using your card in the UK, when you're in the US. "Swipes" several hundred miles from your normal location, but also occurring in your normal location on the same day.
Ah, I never use my real card on the net, maybe that's why. I used to get a virtual card unique for every purchase but that has been discontinued now. Got a separate card for online usage that I only put money on when I want to buy something. Also needs to be opened up for Internet usage and many places require an electronic signature with the bank id app. Hoping this will be mandatory soon.
But numbers can change (lapses or mergers), so a website would be best, as card info can become stale over time, and enterprising outfits could scoop up that number.
They could, but I just tried calling the numbers on the back of two cards from merged/acquired banks and they both forwarded to the acquiring bank. Yes it's a small sample size, but I suspect that there's enough money on the line and enough legacy contracts and systems that banks keep their communication channels active for some time.
> But numbers can change (lapses or mergers), so a website would be best, as card info can become stale over time, and enterprising outfits could scoop up that number.
How long are bank cards valid? I'd say they expire within 5 years? Also, if there is a merger, wouldn't they send you a new card with updated branding?
Credit cards typically expire after some number of years, and mergers will typically include those phone numbers. If for some reason the acquiring company decides it wants to sunset its acquired phone numbers, it just needs to do so after the expiration date for the last card issued with that number still printed.
I wouldn't call it worse. Google Maps entries seem to receive less scrutiny than search results, but I also suspect that nobody uses it as a phonebook. Most people would use Google search, or the back of their card.
How is a random fraudster going to suddenly get the top Google result for "Bank of America phone number"?
I'm sure it's possible, but it strikes me as a pretty large hurdle. And even if they manage to pull it off, they also need no one from the bank to notice and report it.
One gets a call from the bank, they give you a number to ring, you type the number in to Google search, the results come back listing that number and the bank's name -- identity confirmed!?!
The fraudsters just need _a_ website listed by Google.
My insurer called me out of the blue: I said I'd call back. Their number was not listed on any of the company's websites. I called the company and said what had happened; it took them about 10 minutes to confirm they'd called me and that the phone number I was called on was valid.
As it happened someone was trying to commit insurance fraud, saying we'd crashed in to them; but that's by-the-by (ie not relevant to the main story).
You don't need your site to be #1, especially if you can manipulate one that is already high-ranking-- just astroturf GetHuman with fraudulent numbers.
But I admit-- having just done a search for every institution I could think of, it seems Google AMP has done a lot to promote legitimate numbers. It used to be sites like GetHuman competing with or outranking the actual company website for contact information.
Should be solvable by making sure there's an easy, reliable, uniform way to get this info within the call.
> "Hello. Please find the callback number on boa.com/contact. Please enter code XYZ to be connected directly to the agent regarding this matter. Thank you & goodbye."
It's not perfect & you'll still have some percentage of fraud that goes through, but I'd be interested to see the impact this has on fraud rates.
* EDIT: Callback number via the card as the other commenter noted probably works too.
For people that can't afford a new phone every year with a contract: you can buy cheap button-phones and get a phone card that costs you money every time you call but is free while you don't call.
I got a call on my Verizon phone. It showed up as Verizon on the caller ID. The guy said there was a problem with my payment but I was busy and said I'd call back later. When I called that number back later they didn't know what I was calling about. I said "you called me" and they said "oh, that's a scam, we never call you. If we call, don't pick up."
If Verizon can't stop people from spoofing their own customer support number on their own network, we're all screwed.
They (all phone providers) can stop the caller ID spoofing. They just don't want to invest the time and money to do so. It's finally a bipartisan issue but as long as Ajit Pai is the FCC chairman, nothing will happen aside from a few pay to block gambits.
I just had this experience from pnc bank. I don’t even bank with them, but a member of my household does.
The incoming message was automated, asking for (person who lives here) with a visa debit card that has fraudulent transactions. The caller id was a number not listed on the back of the card.
Pressing “1” puts you into the next phase, which asks you to “verify” your identity by - guess what - typing in your full 16 digit debit card number!
At this point I am convinced this is a scam. You google the phone number and you see tons of links saying it’s a scam.
The person calls their regular number on the back of her card and they claim no fraudulent activity.
A few days later I still get these calls so I decide to investigate. Pressing zero a bunch and asking for an agent finally gets me to a live individual. He claims they’re from pnc and they are a different section not connected to the “main” number. He’s able to recite details about the account that only pnc would know, so now I’m not sure.
I emailed abuse@pnc.com asking them to please either say the calls are fraudulent or acknowledge that the phone number associated with these calls is legitimate (it doesn't appear anywhere on PNC's web site).
I did get a response - good! But they didn’t actually change the site ... so I suppose in this case anyone who receives notification of fraud on their pnc debit card should email abuse@pnc.com to validate the calls are legitimate?
> I email abuse@pnc.com asking them to please either say the calls are fraudulent or acknowledge that the phone number associated with these calls is legitimate (it doesn’t appear anywhere on pnc’s web site)
Note that faking the number you are calling from is fairly trivial, so do not trust the callerid as proof of identity.
My company expense card is from pnc. I’ve had many bad experiences with it that make them seem very unprofessional and not competent technically. First time I needed to update my pin to use the card and their databases were down...
But yeah their fraud detection is lacking and reporting it was a pain, and they are slow to resolve anything. They did not detect the fraud at all.
> He’s able to recite details about the account that only pnc would know, so now I’m not sure.
That's the creepy part. There is so much of our info available on the darkweb that even engaging with scammers potentially verifies it and makes it more valuable. Although it is unlikely a purchaser of a phishing database is going to provide feedback to the point of origin, they may feed it forward if they resell an augmented database. [For example, if someone buys 1,000,000 phone numbers, and that person finds 250,000 are bogus, they can sell the "cleaned" database again claiming it's been slightly sanitized. DefCon has taught me to fear the world.]
> “When the representative finally answered my call, I asked them to confirm that I was on the phone with them on the other line in the call they initiated toward me, and so the rep somehow checked and saw that there was another active call with Mitch,” he said. “But as it turned out, that other call was the attackers also talking to my bank pretending to be me.”
Jesus Christ. This is some Inception-level shit. I do not operate on this many levels of meta in real life.
It's not the first time I've heard of a scam like this. Scammers are increasingly sophisticated about this, basically performing a kind of man-in-the-middle attack on the phone between you and your bank. And phone protocols aren't secure enough to deal with this.
Krebs mentioned that Mitch logged into his bank account while on the phone with the scammers. That's a HUGE no. We live in a threshold period where acoustic emanation attacks are about to become much more commonplace due to increasing computational capabilities. [0]
Getting you to browse your computer for 10-20 minutes and then log into your bank account could be enough to gain access to your account.
And 2FA is proven insecure with SIM hijacking. These methods have a high up front time investment but will take even less effort than Mitch's gambit once deployed.
I don't think the techniques and technology have become quite refined enough for this to be widely deployed, at most people are simply experimenting with the idea. But people are taking this seriously because it represents quite an attack vector once things fall into place. The thing is we won't know when we've reached that threshold until the first news stories about a widespread phishing scam using the technique emerge.
> Krebs mentioned that Mitch logged into his bank account while on the phone with the scammers. That's a HUGE no. We live in a threshold period where acoustic emanation attacks are about to become much more commonplace due to increasing computational capabilities.
Huh, this reminds me that a major US bank verifies people on the phone by asking them to log on to online banking.
I love the convenience, but it's never crossed my mind that it was a huge vulnerability waiting to happen.
It will take a series of high profile hacking incidents to finally wake the public up to the need to develop mitigations. We won't see the problem until it's widespread.
A password manager makes this attack vector useless. The sound of my typing my password on any site is the keyboard shortcut to activate it, my finger silently passing Touch ID, and the "enter" key.
On first read, I didn't understand how the call to the bank's customer service department went wrong.
Something about that conversation didn’t seem right, and so Mitch decided to use another phone to place a call to his bank’s customer service department — while keeping the first caller on hold.
“When the representative finally answered my call, I asked them to confirm that I was on the phone with them on the other line in the call they initiated toward me, and so the rep somehow checked and saw that there was another active call with Mitch,” he said. “But as it turned out, that other call was the attackers also talking to my bank pretending to be me.”
What happened is that the attackers made one call to Mitch, and another call to the bank posing as Mitch. When Mitch called the real bank to check up if there was a call in progress, they said yes (the call with the attackers).
I don’t know if I’m just really tired or if the post was just badly written, but I’ll go with the latter since you were confused too.
My understanding is this happened:
1. Attacker got a hold of Mitch’s bank card, PIN, and some personal details.
2. Attacker starts pulling out money and buying things here and there to see if Mitch ever notices.
Mitch never notices so...
3. Attacker calls Mitch on Friday and pretends to be Mitch’s bank. Attacker doesn’t ask for any details, just alerts Mitch that something was going on with his account to get him to think the bank was looking into it.
4. Attacker calls Mitch’s bank and also Mitch at the same time the next day.
5. Attacker asks the bank to send the SMS verification code to Mitch.
6. Mitch gets the code and reads it back to the Attacker.
Side lessons seem to be that scammers have access to a lot of your personal info, which can fool you, and that you should never ever give an OTP over the phone.
An anti nuisance call policy that has served me well and I try to get my folks to adopt is that if there is the merest hint of a delay between my hello and the caller's response, I put the phone down immediately.
I don't think I've ever had an identifiable repeat call, from which I conclude it's both effective and has a low false positive rate.
I take this a step further and don't say anything for the first few seconds if I pick up a call from a number I don't recognize. I used to not pick up those calls at all, but now that spam callers are using local area code caller IDs more and more, that is getting more difficult.
At this point, we should really throw away the current phone system and use an authenticated model. There should also be laws forcing the phone companies to not allow this. I get at least 2 spam/scam calls a day and there is no hope that it will reduce.
Actually, there is a (small) bit of hope: SHAKEN/STIR [0]!
> STIR/SHAKEN, or SHAKEN/STIR, is a suite of protocols and procedures intended to combat caller ID spoofing on public telephone networks.
> ...
> As of 2019, SHAKEN/STIR is a major ongoing effort in the United States, which is suffering an "epidemic" of robocalls. The Federal Communications Commission is requiring use of the protocols by June 2021.
Does anyone know any good guides for being aware of these things, strategies used by scammers, and what to be suspicious of? Something that isn't patronisingly simple, but not aimed at teaching expert users either.
> “But as it turned out, that other call was the attackers also talking to my bank pretending to be me.”
I don't understand this part - the _actual_ bank said that he was on a different line with them? Wouldn't that mean that the scammers had authorised as him already, in which case the account is already compromised? Also, the bank asking for 2FA over the phone also sounds like training into bad habits, but I appreciate there's different approaches with different banks.
This is a pretty similar sequence of events to one a reasonably intelligent but non-tech friend of mine fell for this week: Got an email saying that the TV licence needed to be renewed. They followed the link on the email, didn't check the URL and filled out their account details to set up a direct debit.
Two days later, gets a call from their "bank", telling them that they filled out a scam direct debit (gets victim flustered to compromise judgement) but they need to authorise them first before they can speak any further... my friend challenged their identity but they used the exact same "fake caller ID" trick - to the correct bank number since they had the sort code from step 1, and that identifies the bank. I knew this (caller ID) was possible in general, but hadn't heard of it being actively used in the UK - only from stories in the US. After "verifying" they asked for the 2FA device code, then (registered a card for ApplePay and) asked them to "confirm" the code they had just been texted, which is the point I walked in and was "WTF are you doing?"
About 10 minutes later while in the waiting queue for the actual bank, the actual bank called them - when we said that we wouldn't trust the call they instantly gave us a reference number to quickly recall the case and advised us to call back quickly. Luckily, the bank reimbursed the amounts taken before they locked it off (apparently some UK agreement from a couple of years ago.)
They were pretty shaken up from the experience, and want to know what to look for in the future. It strikes me that a lot of these cases are hitting otherwise reasonably cautious people who aren't aware that something they think is authentication, really isn't, like caller ID.
I think the attacker called the bank and Mitch at the same time. The attacker knew that the bank would send Mitch a SMS code so the attacker asked the bank to send it, Mitch told the attacker, the attacker told the bank.
The bank was on the phone with Mitch and the attacker at the same time. Mitch thought the “other Mitch” was himself on the other line.
1. If someone who calls you asks you for ANY sensitive personal info, just tell them that your policy is to not give any personal info to those who called you, but you’re happy to call the official number. That stops it right there
2. Use email aliases instead of your actual email when creating accounts with eg Amazon Web Services. An email alias is like me+somethinghere@gmail.com — this way the attacker can’t get the customer service rep to give them access to your account easily.
3. If you use your phone as a 2FA, be on the lookout for sim porting - that’s when they trick the rep into porting your phone number.
I had the third one happen, luckily I acted fast. The attackers couldn’t get into my G Suite email but they got into godaddy to port the domain and MX records to their servers. So they could receive email sent to me, and send email as me. They also changed my GoDaddy password. I had my phone as the 2FA at the time. Better to not have one at all, or use an authenticator app.
I called in and luckily GoDaddy restored my account. Too bad they had no tool to check what changed so I had to check every domain manually.
The attacker was too slow in that regard. But it was telling that I received an email with the subject “Test”. That’s what tipped me off.
I've had this issue a few times with credit card companies, loan companies, and on one or two occasions collections agents. Some very nice person calls in order to discuss an issue with me, but wants me to tell them my birthdate, last-four-of-SSN, and other stuff "in order to verify your identity". They then act annoyed and puzzled that I won't just reel that information off to some rando who called me out of the blue, and start pointing to the caller ID as evidence that they're legitimate. The funniest part of the conversation is when they warn me that we won't be able to discuss this problem if I won't verify my identity, at which point I respond that they called me, so if they don't want to spend any more time on the phone, I'm happy to go back to whatever I was doing and they can try reaching me by some non-brain-dead means.
I feel like if we ran a public education campaign about how easy it is to spoof caller ID, a lot of these scams would stop working, but that's probably just me being foolishly optimistic.
Try calling chase. They'll tell you that they'll "call you back". They claimed that they would text me but the texts failed.
The guy claimed that "don't worry it's me". I told the guy that if you call me back to "talk about my account/verify me" you're going to be met with a "go fuck yourself". They do not have any protocols to confirm they are who they claim when they call back.
On landlines on some networks, it used to be that if one person on the call hung up but the other didn't, the call would remain connected for a while. So if the person who had hung up picked up the phone again, they'd still be connected to the same person, and wouldn't hear a dial tone. This was useful: if you wanted to move to a different phone connected to the same line, say, for more privacy, you just told the other person what you were doing, hung up, and then picked up in the other room. But some scammers found a way to use this.
Basically, the scammer would instruct a suspicious mark to hang up, look up their bank's phone number, and call back, just as Krebs is instructing. As soon as the mark hung up, the scammer would begin playing a dial tone instead of hanging up. When the mark picked up the phone, they would hear the dial tone, so they would begin dialing at which point the scammer would end the dial tone, wait for the dialing to stop, and then play a few ring tones and then pretend to pick up the phone. This was in the 90s so the technology was there to automate it, but it's simple enough it could have been done completely manually by stopping and starting recordings. From the user's perspective, it seemed they had hung up and made a call to the bank, so it seemed impossible that they were connected to someone else.
Cell phones, which don't stay connected when only one party hangs up, are totally immune to this hack. And this hack has probably fallen out of use since the ubiquity of cell phones has deprived scammers of a viable pool of marks.
Beware that there is also a no-hang-up scam. Below details are from the wiki:
Another simple trick used by the fraudsters is to ask the called parties to hang up and dial their bank, but after the victim hangs up, the fraudster does not, keeping the line open and remaining connected when the victim picks up the phone to dial.[4] When in doubt, calling a company's telephone number listed on billing statements or other official sources is recommended, as opposed to calling numbers received from messages or callers of dubious authenticity. However, sometimes hanging up and redialing is insufficient: if the caller has not hung up, the victim might still be connected, and the fraudster spoofs a dial tone down the phone line to entice the victim to dial. Then the fraudster's accomplice answers and impersonates whomever the victim is trying to call.[5] This is known as a 'no hang-up' scam.[6] Hence consumers are advised to use a different phone when dialing a company's number to confirm.
When in doubt: hang up, look up, and call back "from a different number".
I had a legit call a few months ago from the CRA (Canada Revenue Agency). He was nice enough and sounded calm, and I explained that with all due respect, since he called, I have no way of knowing if he is a scammer or not, so I'd like to call back. He was somewhat taken aback, but not annoyed. I asked where to call, and what to say to get to the matter at hand. After hanging up, I looked up the number, called them back, and got the issue settled. But I was truly surprised that he expected me to talk to him when he called.
The CRA is probably the number one pretend-caller in Canada (Or two, after the RCMP - the federal police), so I was surprised they do not employ this as a standard practice and education for people to protect against scam calls.
I was lucky to keep my wits about me, and that the call indeed was legit, but it shows there's a huge opening for scamming less savvy people.
I was getting a bunch of those canada revenue scam calls a while back. They left a message with some robot voice saying 'there was a lawsuit in my name and blah blah blah blah bullshit' so I looked up the number and read about the scam. Apparently they'd actually managed to rip some people off and they were being searched for. So, the next time they called me, I called the number they left me. Some dude with a French accent answered. I started ranting. I told them if they ever called my number again I'd report them to the RCMP and swore a bunch and was fairly rude.
Funny enough, I never got a call back from the Canada Revenue Agency for being less than polite to them, and the spam calls stopped.
My advice, if you actually get a real person on the line, call them out on their shit and tell them to fuck off. It seems to work.
Although satisfying, this isn’t a good idea, they have your number and are capable of asymmetrical warfare eg spoofing your number for the next 10000 scam calls they make.
> Armed with a counterfeit copy of his debit card and PIN, the fraudsters could pull money out of his account at ATMs and go shopping in big box stores for various items. But to move lots of money out of his account all at once, they needed Mitch’s help.
>But if your response to such a scam involves anything other than hanging up and calling back the entity that claims to be calling, you may be in for a rude awakening.
I was recently scammed by either a man in the middle attack or a replay attack due to insufficient authentication of a new party I did business with.
When you are starting a new person to person transaction with an unknown party, it seems impossible to verify that an attack like this is not happening. The attacks could get arbitrarily complex and every defense I can think of has repercussions.
Even trying to start a transaction could be replayed to someone to make it look like I was the one that was doing the scamming.
> The investigator said another man had called in on Saturday posing as Mitch, had provided a one-time code the bank texted to the phone number on file for Mitch’s account.
Wow. In the UK, as far as I'm aware, no bank uses auth codes over txt; we have physical devices to generate one time codes for identification or transaction signing using chip and PIN.
Most people here are aware txt messaging is not secure, it's enough of an issue for email hijacking, I'm very surprised banks are using it in US.
> Mitch received a call from what he thought was his financial institution, warning him that fraud had been detected on his account. Mitch said the caller ID for that incoming call displayed the same phone number that was printed on the back of his debit card.
Imho, this is where the phone company should be liable. If I let people masquerade as other users in my software, it would be a critical security bug and I'd be in deep trouble. But we just accept this crap from phone companies.
Your software probably isn't a multinational network of literally billions of pieces of hardware ranging in manufacturer and age by half a century, which isn't even owned and operated by a unified group of companies in a unified group of nations, which is used by all sorts of people in situations where its failure could cause people to literally die, so that changes have to be unequivocally backward compatible.
So there's that minor difference. If you decide to do a security upgrade and your software breaks, it probably doesn't mean that an 85-year-old woman dies because her only form of communication, a rotary phone, suddenly stops working and she can't get out of the house.
STIR/SHAKEN[1] is the solution to this problem, but the rollout is scheduled to be completed by June 2021 in the US, and September 2020 in Canada. It's slow, but this is something that you don't want to be rushed. Yes, I get it that Robocalls are terrible: I got 3 calls which I didn't pick up but I assume were robocalls today. But this upgrade is a difficult problem and the stakes are high.
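Both this comment and the one above quoting the STIR/SHAKEN definition describe the fix without showing what it actually signs. The following is an added example, not code from the thread or from any carrier: a minimal SHAKEN PASSporT (the JWS token an originating carrier attaches to a call) signed and verified in Go with only the standard library. The ECDSA key pair stands in for a carrier's STI certificate key; the phone numbers, `x5u` URL and `origid` are constructed sample values; certificate chain validation against the STI-PA root and the `iat` freshness window are assumed to happen elsewhere and are left out. The point it shows is the one the thread is circling: once the originating number is inside a signed token, a spoofer can put the bank's number in the caller ID field but cannot produce a signature the terminating carrier will accept.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"errors"
	"fmt"
	"math/big"
	"strings"
)

// SHAKEN PASSporT claims (RFC 8225, RFC 8588). Fields are declared in the lexicographic
// order the RFCs require; encoding/json keeps that order and emits no whitespace, so the
// signer and verifier hash the same canonical bytes. (Map keys are sorted the same way.)
type tnList struct{ TN []string `json:"tn"` }
type tnOne struct{ TN string `json:"tn"` }
type passportClaims struct {
	Attest string `json:"attest"` // "A" full, "B" partial, "C" gateway attestation
	Dest   tnList `json:"dest"`
	Iat    int64  `json:"iat"`
	Orig   tnOne  `json:"orig"` // the caller ID the originating carrier vouches for
	Origid string `json:"origid"`
}

var b64 = base64.RawURLEncoding

// signPassport emits the JWS compact form header.payload.signature. ES256 is ECDSA P-256
// over SHA-256 of the signing input; the JWS signature is 32-byte R followed by 32-byte S.
func signPassport(key *ecdsa.PrivateKey, x5u string, c passportClaims) (string, error) {
	h, _ := json.Marshal(map[string]string{"alg": "ES256", "ppt": "shaken", "typ": "passport", "x5u": x5u})
	p, _ := json.Marshal(c) // strings and ints only: Marshal cannot fail here
	signingInput := b64.EncodeToString(h) + "." + b64.EncodeToString(p)
	digest := sha256.Sum256([]byte(signingInput))
	r, s, err := ecdsa.Sign(rand.Reader, key, digest[:])
	if err != nil {
		return "", err
	}
	sig := make([]byte, 64)
	r.FillBytes(sig[:32])
	s.FillBytes(sig[32:])
	return signingInput + "." + b64.EncodeToString(sig), nil
}

// verifyPassport is the terminating carrier's check after it fetches the certificate named
// by x5u. Chain validation to the STI-PA root and the iat freshness window (RFC 8224) are omitted.
func verifyPassport(pub *ecdsa.PublicKey, token string) (*passportClaims, error) {
	parts := strings.Split(token, ".")
	if len(parts) != 3 {
		return nil, errors.New("malformed JWS")
	}
	hb, err1 := b64.DecodeString(parts[0])
	sig, err2 := b64.DecodeString(parts[2])
	var hdr map[string]string
	if err1 != nil || err2 != nil || len(sig) != 64 || json.Unmarshal(hb, &hdr) != nil {
		return nil, errors.New("bad encoding")
	}
	if hdr["alg"] != "ES256" || hdr["ppt"] != "shaken" || hdr["typ"] != "passport" {
		return nil, errors.New("unexpected header") // refuse alg confusion or downgrade
	}
	digest := sha256.Sum256([]byte(parts[0] + "." + parts[1])) // hash the encoded bytes as received
	r, s := new(big.Int).SetBytes(sig[:32]), new(big.Int).SetBytes(sig[32:])
	if !ecdsa.Verify(pub, digest[:], r, s) {
		return nil, errors.New("signature does not cover these claims")
	}
	pb, err := b64.DecodeString(parts[1])
	var c passportClaims
	if err != nil || json.Unmarshal(pb, &c) != nil {
		return nil, errors.New("bad claims")
	}
	return &c, nil
}

// runDemo signs a token for a constructed call and verifies it, then verifies a copy whose
// orig.tn a spoofer rewrote to the bank's number without being able to re-sign.
// Returns (genuine verified, spoofed verified, error).
func runDemo() (bool, bool, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader) // stands in for the carrier's key
	if err != nil {
		return false, false, err
	}
	claims := passportClaims{ // constructed sample numbers, not from any real call
		Attest: "A", Dest: tnList{[]string{"12155550100"}}, Iat: 1443208345,
		Orig: tnOne{"12155550200"}, Origid: "123e4567-e89b-12d3-a456-426655440000",
	}
	tok, err := signPassport(key, "https://cert.example.org/passport.cer", claims)
	if err != nil {
		return false, false, err
	}
	got, err := verifyPassport(&key.PublicKey, tok)
	genuineOK := err == nil && got.Orig.TN == "12155550200" && got.Attest == "A"
	claims.Orig.TN = "18005550199" // spoofer swaps in the bank's number, keeps the old signature
	sp, _ := json.Marshal(claims)
	parts := strings.Split(tok, ".")
	_, err = verifyPassport(&key.PublicKey, parts[0]+"."+b64.EncodeToString(sp)+"."+parts[2])
	return genuineOK, err == nil, nil
}

func main() { fmt.Println(runDemo()) }
```

Running it prints `true false <nil>`: the carrier-signed token verifies, the copy with the rewritten caller ID does not. What the called party's handset then displays (a "verified" mark, or nothing) is a policy decision of the terminating carrier based on the attestation level, which is why the rollout in the comments above is a network-wide effort rather than a single patch.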
Using that logic, who else should be on the hook for fraud, identity theft, etc. - that they could have prevented:
- governments
- credit card companies
- social media sites
- email providers
- search engines
- long, long list, since basically, any system currently that allows fraud could be prevented if counter measures were invasive enough and were legally required. Problem is no one would agree to such a system and would rather just pay for the fraud either directly or indirectly.
I had someone claiming to be from my bank phone me in relation to certain transactions that actually happened, and like a fool I just answered their questions, without verifying who they were.
Later on I called back, to verify that it was someone from the bank who had phoned me.
The call-centre person in the bank who answered my call was unable to confirm or deny if someone from the transaction-checking department had actually phoned me, because it was all very confidential.
There’s basically no reason to ever answer a call from an unknown phone number, let alone engage and divulge private data. If it’s important they’ll leave a voicemail. Going further, I’d say it’s basically safe to always block missed calls from unknown numbers that didn’t leave a voicemail. If it’s important, you’ll hear about it via some other channel.
"He said he checked his account online several times over the weekend, but saw no further signs of unauthorized activity."
If, in retrospect, you feel someone was attempting to scam you, a better option - I hope - might be to contact the bank's fraud line, explain that you are suspicious, and have them look for suspicious activity.
Mitch was satisfied thinking that the bank was already looking into it, since the attacker pretending to be the bank didn’t ask for any details or raise any flags.
For the point I am making, it does not really matter what Mitch was thinking, but his behaviour over the weekend suggests that he was not entirely comfortable with the outcome. What do you suppose he was checking for? I would guess that he did not need to see his balance more than once.
He says that his suspicions were tweaked, near the end of the call, by the scammer giving an old address for him, and apparently his girlfriend was a good deal more suspicious: "Anyway, the whole time my girlfriend is sitting next to me listening to this conversation and she’s like, ‘This sounds like bullshit.'”
Among many other things in this article, it's a good reminder to simply never use a debit card: use a credit card instead as the most you can be out is $50 for any incident of fraud. And if you need cash? How about going to the bank and talking to a teller (or going through the drive-through during social distancing)?
So the scammers expected the victim to call back the bank to get the secret code? That is pretty sophisticated. But when they first called they knew about fraudulent charges, and presumably had caused them, right? Or did they break into the victim's computer? Tbh, something is missing in that story.
I think the attackers had Mitch’s bank card and PIN and were making those fraudulent charges to see if Mitch would notice. If he did, the attackers would have been shut out then and there.
Mitch didn’t notice, so the attackers called Mitch pretending to be the bank. They didn’t ask him for any details so no red flags were raised, they just said “we noticed fraudulent charges and rest assured we are fixing it.”
Next day, attackers call the bank and Mitch at the same time. They needed the code the bank would send to the # on the account, so the attacker requested it from the bank, the bank sent it to Mitch, Mitch read it to the attacker, and the attacker repeated it to the bank.
At some point, Mitch got suspicious and called the bank to ask if they were on another call with him. The bank was on a call with the attacker pretending to be Mitch, so they said yes. Mitch thought the other Mitch was himself.
This is exactly what I meant. If the attackers already could make fraudulent charges, then why should they put up such a complicated and risky attack? Could they not simply have gotten the money via the debit card?
Probably not anything like $9,800 in one go - there's usually a daily limit. And the scammers may know (e.g. from doing it before) that after a few small transfers, the victim's bank will call him if he had not already noticed, in which case they preempted that call and effectively subverted it for their purpose.
The risk of the scheme not working might be high, but I am not sure that the risk of being caught is much increased.
You got me thinking, so I went back to the report. The victim's call to the bank is something of a red herring, in that the scammers neither need the victim to make that call, nor to know that he did so (and I assume they did not know that.) I am guessing that the bank texted the code to the victim's phone in response to the call made by the fraudulent team, who were just hoping that he would read it back to them... which he did.
The victim unfortunately assumed, on verifying that the bank had a second call, supposedly to himself, in progress, that the bank had placed that call and that it was in fact the call he had received on the first phone.
So, seems that the scammers knew about the fraudulent ones, but apparently not the regular ones. So:
1 - do fraudulent transactions
2 - call card holder and say that those charges might be fraudulent.
3 - because you know the fraudulent charges, card holder believes you are from the bank
4 - profit
This doesn't work for everyone, but if you can do it then it works well. Don't answer any calls from a number outside your contact list. If it is important, they will leave a message. You can then call them back by looking up their number on the website.
This should also be a lesson about having $9k in an account tied to a debit card and not following up on suspicious transactions. If the thieves had done an ATM balance check and seen a combined balance of a number of hundreds of dollars that could be counted on one hand they likely would have settled for withdrawing that and wouldn't have bothered hitting Mitch with the advanced scam to gain the bank info needed for a wire transfer. If Mitch had noticed the test withdrawals he could have called his bank and stopped the fraud there.
For how often you need that kind of cash readily accessible it's simply not worth the risk for the overwhelming majority of people.
This was a really sophisticated attack and fooled even a security conscious person but defense in depth (not having the big bucks accessible from your general use card and/or following up on unknown transactions) would have stymied it. With a good security protocol breaking one rule (not hanging up and calling back) shouldn't screw you.
VoIP has not been worth the billions in thefts that it has enabled via easy call id spoofing. I would happily give up VoIP to have restored trust in the telephone network. But unfortunately that is not where our captured regulators are heading.
That's interesting, I come to the exact opposite conclusion (I am admittedly not a telephone network expert, maybe I am missing some important things).
But I don't see why having voice conversations over the internet is the issue. The issue is these systems keeping compatibility with old telephone networks which prevents solving these problems. If we dropped that compatibility requirement we could require a certificate authority and be able to verify callers and use end-to-end encryption, just like with https.
Or maybe better would be a compromise where all these systems can still fall back to unencrypted/unsigned connections, but on any modern phone or cell phone it would show a big insecure warning like modern browsers do for http.
My problem with the whole thing is that even the companies doing it right aren't initiating it. They need to verify at their end first; and they need to initiate that.
This is our password & credentials, now please confirm your identity.
Banks do this themselves too I think. I seem to have the recent memory where I called Chase, then they called me back. For the life of me I can't remember what I was calling about though.
How long until black hat SEO elevates the wrong numbers? If you search for Apple support, you already get ads for sketchy people in India that look like regular Apple support.
I've been in Intelligence and Law Enforcement for the better part of two decades and I put situations like this into the bin of:
If someone really wants your stuff, they are going to get it.
The cost of getting this guy's money was very high relative to the average scam - but it's important to note that the cost of sophisticated multi-factored scams is dropping.
> he quickly logged into his account and saw that there were indeed multiple unauthorized transactions going back several weeks. Most were relatively small charges — under $100 apiece — but there were also two very recent $800 ATM withdrawals from cash machines
How is it possible for someone not to check his/her bank account all this time? There were unknown transactions for several weeks and no one noticed?
IMHO not having alerts for your cards/accounts and not noticing strange transactions is a bigger security risk than trusting the telephone number calling you.
I fully agree that we should call back on the official number for any banking issues and don’t blindly trust whoever is pretending to be from the bank.
Count me in. Text alerts on all financial institutions to a Google Voice # and monthly reconciles of all accounts plus weekly investment checks.
I have had two fraudulent CC charges in 25+ years, and they both were reversed immediately so I'm not worried about that. More worried about my credit union so I keep as little in there as possible. (Interest rates are a joke so it doesn't matter.)