The scammer is on the phone to you.
Their accomplice is on the phone to your bank, pretending to be you.
Your bank send you the notification.
You accept, and scammers proceed to drain your account.
@Edent I love this scam. The banks need to repeat the standard advice of never passing information to a caller about your account, ever. Their security advice is you must call back on their standard number.
It's definitely the bank's failure to not make this explicit on the app notification. I hope they are rushing to fix it :blobsweats:
@Edent I'd think that knowing this, the message should say "Did you call Chase?" (maybe with a note that if it appears that Chase called you, you should hang up and dial their number). That might not stop everyone from pressing Yes anyway and confirming, but it might stop some of the scams from succeeding.
@Edent
Theres also the problem that, even if I suspected it was a scam, I really struggle to do the sensible thing and call my bank - because all my experience with calling large institutions on the phone is long annoying call queues and difficulty getting any help.
My bank is probably better, but I've just been trained to avoid calling any businesses because so many are so bad.
@Edent My response is always. Okay, let me call you back and we can start this process. A scammer will insist they handle it for you. A bank may say they can handle it but will usually let you hang up and call back. Fraud departments don’t make commissions so there’s no reason for them to hold you on the line.
@Edent I think I’d be taken in by that. My thought was: why do they need to check they’re on the phone to me if they called me? But on balance I’d decided it was just poor wording or an ill thought through system (both of which I still think, in fact!) so I wouldn’t have challenged it.
@flabberghaster@Edent I have had my actual bank call me, and then ask me (via security questions) to verify that I am actually me. I feel that was training customers to divulge information insecurely, as I had no way of knowing that they were who they were, and they wouldn’t have provided it if I’d gone along with their request.
@simonwood@Edent yeah, same. I had told my bank I intended to travel internationally and then when I got there my card stopped working and they called me saying there was suspected fraud on my card. I knew it was legit because I called back on the number on my card, but I think it's bad practice to initiate calls.
@dolmen@flabberghaster@Edent I left it to them to prove who they were. Surprisingly it took the guy a while to come up with the answer - it obviously wasn’t a procedure he was familiar with! But it was simple enough - we switched over to secure messaging via the online bank.
@simonwood@Edent The bank do need to confirm that: they only know that they called your number, but they can't be sure that you picked up - maybe someone else has access to your phone, or it's been lost or stolen, or you changed your number and forgot to tell them.
Unfortunately this only makes this attack more persuasive.
Telling them you'll hang up and call back on the main number is a good option, and the bank employee should always be happy for you to do so.
@CaptainJanegay@Edent Maybe someone else has access to your phone, so they’re going to send a push notification to your phone to verify it's really you? 🤔
@simonwood@Edent Well, it asks for your password as well, which would significantly increase their confidence - although ofc this notification is not actually used to verify your identity in that situation.
But my point is that it's entirely believable that the bank would need some kind of verification when they call you, and a lot of people won't pick up on inconsistencies like this, especially when they've just been told someone has fraudulently taken £300 out of their account
Asking for verification is ok, but it amazes me they don’t work on customer expectations - what you will be asked for when the bank calls - and also customers’ fraud literacy - how we can and should verify them!
@simonwood I tend to be suspicious. The only time my bank ever called me was from the security dept and I refused to believe it was them and called back on the main number and asked to be transferred.
That’s not to say that I wouldn’t be taken in by a different fraud, of course
@Sbectol@simonwood@Edent this is it right here. If they're calling you out of the blue, hang up and call back using the number on your card. If they try to keep you on the phone, definitely hang up.
@Edent There’s probably lots of good reasons not to, but I wonder if they could change the notification to show which number they think you’re calling from. Presumably their system knows, it’s just a question of whether it could be hooked into the notification sending infra.
@philip@Edent I would bet a lot of people would see a different number and just assume their IT department messed up, since there’s rarely a shortage of prior support for that. That goes double if the scammer successfully gets the person into a panic state first.
@acdha@Edent Fair, there’ll never be perfect technical solutions to these human problems, just trying to imagine what we might do better.
Could the banking app use the phone’s phone API to check whether the call is being made on that device, and then at least show something like “You are talking to us on THIS PHONE” vs “You are talking to us ON A DIFFERENT PHONE THAN THIS ONE”?
Again, not perfect, but maybe that would help some number fewer people get scammed.
@dolmen@philip@Edent not in the background, no, but what if the OS mediated it so it got a system confirmation dialog each time or had an API effectively allowing it to ask if your call was to a set of numbers?
One problem is that this will probably lead to even more efforts targeting landline users, who trend older.
@philip@Edent yes - it’s a brutally hard problem because banks have to assume some customers will have lost phones/ID, be confused, etc. and the fraud industry is large enough to have decent IT, training, etc.
I think expecting the phone companies to do more is the future. I’d bet a lot of people would use an international/VoIP block and they could setup a system where you can’t reset passwords, transfer, change your address, etc. except by starting the call in their app.
Hey, thanks for this. Too many have been scammed the last few years, especially seniors.
I just stay safe and will ignore these as I do online banking or in person banking.
The bank website also says at the top..'We will never call you unless you ask us to.'
@Edent there used to be a time where they told customers at every possibility: our employees will never ask for your password etc.
I think they still do.
Wtf happened.
@Edent I got a call saying it was my bank. Almost got me. But I decided to call my bank and hung up. The bank said they will never call me. The same scammer called me several more times trying the same tactic.
@Edent I'm pretty savvy, but can't say for certain that I would have been able to see through this in the heat of the moment. Thanks for posting this. The implications go well beyond a bank fraud scenario. So many services have taken to using in-app verification as their way to validate authenticity and all of those can be gamed under the right circumstances.
@Edent I'd say out of the gate, "Oh, I'll be right there!" Then I'd hang up and call my bank directly. Cause I don't believe anything that comes in a phone call or email unless I instigated it from a system I'm familiar with and it's simple, like verifying a doctor visit, etc.
@Edent Banks should never initiate a phone call to a customer. If a bank declares that policy, customers will know any unexpected call claiming to be from the bank is bogus.
It’s interesting how a relatively simple change in the message on the alert (as you describe here) could dramatically reduce the effectiveness of this scam.
@Edent most banks are absolutely terrible at wording their SMS confirmation messages.
I've had genuine incoming "give us your details first to pass security" calls recently and it's frustrating. They follow it up with a generic code via SMS, which is the same one they use if you call them so the whole process is totally vulnerable to a MITM attack.
If I didn't have a need to make timely progress with something I'd start taking their "NEVER SHARE YOUR VERIFICATION CODE" message literally.
@Edent my rule is never to give any information to someone who calls me - ever. I don't answer calls from numbers I don't recognise, which I think also deters this kind of scam. If I get a notification, receive a letter in the post (has happened), or get a call about fraud, I call the bank on the number on my card or on their web site.
I wonder how long it would take for banks to put in security measures to prevent this if they had to pay for the losses, instead of passing them on to their customers?
"The scammer is on the phone to you.
Their accomplice is on the phone to your bank, pretending to be you.
Your bank send you the notification.
You accept, and scammers proceed to drain your account.
@Extelec@Edent That's normal. It's to confirm that someone else hasn't just stolen your phone. The rest of the thread explains, but this is a legitimate notification, it's just being misused.
This is what I do. Thanks for the warning. Then I go to whatever site they say was hacked and check it out myself.
... Actually no. I tell them to piss off, I don't have an account with that bank. That's one of the benefits of using a very small, very local credit union.
I think this specific attack only works if you are customer at a bank which uses a similar app as Chase and if the attackers know (from other sources) that you have an account there. Mind: There must be a second attacker on phone with the bank there.
"Then I go to whatever site they say was hacked and check it out myself." => Not sure what you mean. If you refer to "phone back", then also not the "via the front desk" (...)
(...) meaning not using the number they gave you. If you meant "the bank" by "whatever site they say was hacked". I am not sure I understand you there.
"Then I go to whatever site they say was hacked and check it out myself."
"=> Not sure what you mean."
If it is a call from 'Amazon' I hang up and go to the Amazon page. If my Credit Union called, I would hang up and go to their site to see if there's a problem.
OK, I get it. Thought I am pretty sure my bank would not show on their "site" if my credit card (for example) got hacked. Calling my bank is perfectly valid (and secure) way t conduct bank business. Indeed, I always did this for larger transactions until quite recently (because I had set a very very low limit on online transactions ...)
@glitzersachen@CaptainJanegay@Extelec@Edent it’s obvious to us that have to deal with fraud every day. Not so obvious to someone who is concerned about losing their life savings in the moment.
@glitzersachen@CaptainJanegay@Extelec@Edent I've grown up with computers and work as a DevOps. I regularly speak with friends about security.
This scam is unsuspicious as hell. A good reminder that I'd need to remind myself why the person needs my passcode.
I'd have fallen for this MITM, I'm pretty certain.
@MadMike77@glitzersachen@CaptainJanegay@Extelec@Edent Same. I'm always very careful to properly call back for verification, but in this case the validation via the application makes it seem legit, even though it isn't after thinking about it.
If I was in a hurry, I can almost guarantee I'd fall for it too, so this post was a very useful reminder.
Edit: I think he meant he'd ask for a name and badge number and then call a published phone number (the front desk) and ask to be connected to that person. This is the correct answer but most banks make this difficult in practice.
I am of course calling the number I know ;-). I am only wanting a phone number from them to give them the opportunity to trip (by giving me a number that would not be an extension of my well known bank). Also it provides me with something to discuss with the front desk: "Look, are numbers from this network from your org?"
@Edent Yes. Anytime there’s any chance of a scam, (random phone call asking for money or account details), always hang up and contact the person of company yourself from a reliable phone number or website.
@Edent@BobDevney Scam. You have no idea who they are, whatever fancy pants “authentication” they offer. Remember that all our private info has been sold and/or stolen too many times to count.
If you really think it’s legit, hang up anyway and call your bank directly at their actual phone number.
Good rule of thumb is: incoming calls are informational only, never "confirm" anything during an interaction that you did not initiate.
Two reasons this holds up:
First, remember that your bank doesn't even want to spend money on enough people to answer incoming calls, much less make outgoing ones. If your bank does need to contact you they'll probably just send an automated email or text.
Second, if your bank calls you, they already know it's your phone.
@Edent they do that here in the uk too!! its very good, or has some scammer actually got into chase's systems and can mimic their notifications? scammers are so sly these days.
@Edent
I find it very disheartening that major banks actively promote risky behavior by:
including links in emails
initiating fraud alert calls and texts and leaving numbers to call back
No. I'm not talking about phishing. I'm talking about actual emails and calls and texts from the bank.
(And don't get me started on CS agents that have told me that my password shouldn't be more than 8 characters because "it can cause problems".)
@Edent have been thinking about this for a bit, 2specially as I got a call a week ago saying it was from my bank and if 750 from an insurance provider was expected. I was ready to tell them if calm them back, but said I don't use "direct line", and they abruptly hung up.
I'd like to think that any call I didn't initiate I'd treat the same, but I do qi der if they'd opened with something like this if it would have caught me out
@Edent I’ve received texts from my bank about specific transactions, where the exact amount and the vendor in question are included. Without those details, I wouldn’t trust any random call, ever.
@Edent tell them you entered your password but don't, if they know you didn't then they at least have access to Chase's system. Do it twice just to fuck with them.
@Edent there’s no major company in the world with enough bored staff on hand to call YOU. That’s the giveaway. Show me a company with thousands of employees like Chase, and I’ll show you a 1-800 number and a phone tree you have to navigate through to speak to anyone. There are mom and pop shops and dental offices with 3 employees who still make calls to their clients and customers… but a Chase bank or Apple or Bank of America or your mortgage servicer or insurance company? Ain’t happening.
@lechter it's a UK account.
I've certainly received calls about fraudulent transactions from my large UK bank - where they've explicitly told me to call back.
@Edent that is an insecure “service” that’s going to get their customers into scam trouble. Like a rep asking for your current password. Spidey sense should tingle. No large company should ever call their customers for fraud. The best way to verify legitimacy is US calling their 1-800 number listed on the back of OUR card and navigating their phone tree. You can also go online to your account portal. If something is amiss you’ll either not be able to login or the whole thing will be lit up in 🚨
@Edent an automated text or phone call telling the customer to call the bank solely using the phone number listed on the back of their debit card. Alternatively a push notification from their mobile banking app if they’ve got that on their phone. The message should specify that replies to the message are unmonitored and it is for informative purposes only.
@Edent whenever you receive and
unsolicited call from whatever company simply hang up and call customer care:
if the problem is real the call center will take care of it, if it's just a scam you'll find out before they can scam you.
@Edent Another good reason to say no to proprietary banking apps. My bank account can only be accessed using a physical non-internet connected 2FA key device.
@SuperDicq sure, but you also can't check your balance. Send money to friends. Receive an alert when your card is used fraudulently. Or any of a 100 useful things.
Telling people to give up extremely convenient features isn't the answer here.
@Edent I can still do those things, my bank in particular has a decent API and someone wrote a CLI client for it actually.
But yeah I know giving up "convenience" isn't a good answer here. First of all it's educating people on how to not get scammed. and Secondly it's telling banks to take security seriously by also making them liable in case one of their customers gets scammed by fraud like this.
@Edent The phone is a very poor way for authentication. It's not an issue of wording or implementation. The mobile phone will always be very poor method of authentication, just because there will be always 1000 ways to fake things on it. The problem is, banks push mobile phone for authentication because it is cheap for them.
@Edent Rule two of answering the phone (or emails, texts). The person making the call has to identify themselves, not the recipient. Rule one is that all businesses calling, mailing or texting you are after your money in some way and are likely to con or defraud you.
When my bank has called me in the past and I insisted on checking. Their procedure was to alternate characters of my password with me. Otherwise I refuse to go on, which pisses off shedloads of telemarketers. But keeps me safe
@Edent I think I might have had pause for thought at “12 digits of your card number” but then I’ve watched/listening to a lot of scam baiting videos and adjacent podcasts. I simply do not answer phone calls.
Add comment