this post was submitted on 15 Mar 2024
208 points (97.7% liked)


I was tricked by a phone-phisher pretending to be from my bank, and he convinced me to hand over my credit-card number, then did $8,000+ worth of fraud with it before I figured out what happened.

[–] [email protected] 137 points 8 months ago (4 children)

When a fraud department calls you, you don't need to provide any more information than your name and yes/no answers. If they are asking for any additional information, tell them that you don't trust their authenticity and that you'll call the number on the credit card. A legitimate agent will politely end the conversation there.

Then you better call that number on the card quickly.

[–] [email protected] 43 points 8 months ago

This is the solution.

Had this happen once, followed those steps, and the CSR was very interested in getting the details of the call. They put a freeze on that account for a bit as well. Nothing was taken.

[–] [email protected] 19 points 8 months ago (3 children)

True for any company asking for anything sensitive.

I've gotten scams from my internet provider asking me if I want to upgrade my plan with a new discount. Caller ID was spoofed and it sounded pretty legit, until they started asking me about my current plan tier and price. I was like "uh, you tell me. You're the one with access to my account info." After they hemmed and hawed about that, I just hung up.

Honestly, you should be suspicious of ANY incoming calls at this point. There are convincing scams that spoof the voices of people you actually know using trained AI. It's actually pretty easy to do now, since you only need a few seconds of audio to use as a training sample. Anyone who's ever posted a video with their voice on social media can potentially have their voice spoofed. I've warned my family about this, since most of us have our voice out there somewhere.

Phone calls are dumb. SMS is dumb. Phone numbers are dumb. Phone line security is basically non-existent. It's wild that phone numbers have become the de facto ID on the internet; almost everything requires SMS auth to register now. PHONE NUMBERS ARE NOT PERSONAL IDS.

[–] [email protected] 12 points 8 months ago (1 children)

An unanswered phone is a happy phone.

[–] [email protected] 3 points 8 months ago

Moss seal of approval.

[–] [email protected] 4 points 8 months ago

The worst thing imo is when a form will say they need to verify your identity, so they ask you to give them a phone number you can receive a text at to do 2FA.

...how, exactly, does that verify anything other than that I own access to a phone number that can receive a text?

[–] [email protected] 3 points 8 months ago

SIM swapping to hijack OTPs is insane.

[–] [email protected] 5 points 8 months ago (1 children)

They should already have your name too if they're calling you.

[–] [email protected] 5 points 8 months ago

They're going to ask for your name so as to confirm they've gotten a hold of the right person.

[–] 0x0 2 points 8 months ago

Any department really, but that's just me.

[–] [email protected] 75 points 8 months ago (1 children)

Props to him for talking about it. A lot of people get too embarrassed to tell anyone they got scammed. The reality is that phishing works on a ton of people and we should avoid shaming the victims. Everyone acts like they're a digital security expert until their credit card gets stolen.

[–] [email protected] 14 points 8 months ago

Told a family member the same when she almost got tricked by a scammer & called me to see if it was legit. They wouldn't try it if it wasn't convincing enough to catch people in the scam to make it worth their time to do this crime instead of some other.

[–] [email protected] 50 points 8 months ago* (last edited 8 months ago) (2 children)

Never, ever, ever, ever volunteer personal information, for any reason, on a call you did not initiate, with a number you haven't verified from a trusted source, like a brick and mortar branch, or your online banking account.

[–] [email protected] 14 points 8 months ago (2 children)

He said someone in the bank's supply chain was compromised, as they knew a lot of details that should have been known only to the bank. Also that the only information he gave away were the last digits of a card number.

[–] [email protected] 13 points 8 months ago (2 children)

When a possible fraud department calls you, you shouldn't need to verify any digits of the card. Answer only yes or no.

Call them back if you need to give additional information.

[–] [email protected] 13 points 8 months ago (2 children)

I've never had a legitimate contact from a fraud department that wasn't an automated message stating to call the number on the card. I've never had a human call me to initiate a live discussion.

[–] [email protected] 3 points 8 months ago

My bank has called me a few times. Each time they ask about specific transactions, so it's mostly yes/no answers. (Occasionally I've asked for additional clarifying info, but they never asked about card numbers or the like.) Usually it's been abnormal transactions that I know about, but a few times it was a cloned card number being used elsewhere (before chip became standard), and then I had the card shut down.

[–] [email protected] 1 points 8 months ago

I have. More than once. I always hang up and call back anyway.

[–] [email protected] 10 points 8 months ago (1 children)

You say that, but I've had my credit card call me about a charge and the information they asked was too specific. I hung up and called the official number and they confirmed it was indeed true and didn't understand why I thought the way they did it was a scam.

[–] [email protected] 4 points 8 months ago* (last edited 8 months ago) (1 children)

It's scary how oblivious banks can be, and I think Brokkr is either lucky or optimistic about their procedures - I have seen even large banks like HSBC make "facepalm" mistakes like you described, and it sounds like Cory's much smaller credit union might even have outsourced their nighttime call handling to someone very close to the fraudsters.

Still curious how they managed to use Cory's card with just the card number and not the CVC2 code - is that a regional thing where some online shops aren't required to use it?

[–] [email protected] 3 points 8 months ago

Depending on the credit card system used, there's various levels of fraud detection. Some stores use a point-of-sale system for in-person transactions, and those generally don't need the CVV code because you're supposed to have the physical card. It doesn't stop some businesses from using the system incorrectly, allowing them to charge a card without a billing address or security code.

This is part of why credit card signatures are basically useless compared to a pin that's required for all in-person transactions.

[–] 0x0 2 points 8 months ago

No, he gave away the last seven.

[–] [email protected] 44 points 8 months ago (1 children)

I hadn't given [the scammer] the last four digits of my card.

Wait a sec.

He hadn't asked for the last four digits. He'd asked for the last seven digits. At the time, I'd found that very frustrating, but now – "The first nine digits are the same for every card you issue, right?" I asked the VP.

I'd given him my entire card number.

Huh. I hadn't realized the institution prefix was so long.

[–] [email protected] 4 points 8 months ago (1 children)

I didn’t know that either but I’d also never divulge that info on an inbound phone call.

[–] [email protected] 2 points 8 months ago

It's public info, you can just Google "what does my card number mean" and there's tons of results.

[–] [email protected] 26 points 8 months ago (4 children)

The real answer here is to have decent digital ID as 2-factor authentication.

This scam would be practically impossible in Sweden with BankID for example.

[–] [email protected] 28 points 8 months ago (2 children)

Adding multiple factors to authentication just adds another step to the scam, it doesn't make it impossible by any means.

[–] [email protected] 20 points 8 months ago (2 children)

For BankID it somewhat does, because only registered services can make the request - so they'd need to register a scam service and then use that. Which also makes it an easier job for anti-fraud police.

So it'd be a lot more complicated.

Like obviously at a certain point if someone is willing to do everything they can - then they will be scammed, see this for example: https://www.bbc.com/news/uk-england-leeds-67208755

But the more steps there are, the higher the chance the person realises it is a scam.

[–] [email protected] 8 points 8 months ago* (last edited 8 months ago) (1 children)

For BankID it somewhat does, because only registered services can make the request

I'm not an expert on digital banking, but this sounds like a no-brainer... Aside from marginally increasing compliance costs, why would this not just be the norm everywhere?

I mean... It was rhetorical. I know why.

[–] [email protected] 7 points 8 months ago

It kind of is the norm.

Just a few countries like the US are really backward in terms of accessible banking, mainly due to having no federal ID, residence registration, etc., on top of outdated bureaucracy.

[–] [email protected] 4 points 8 months ago

"A chain is only as strong as its weakest link" - We are the weakest link in any security chain, and always will be. Social engineering is one hell of a drug.

[–] [email protected] 11 points 8 months ago

It doesn’t matter how many locks you have if you give the scammers the keys. And so many people give up the keys.

[–] [email protected] 25 points 8 months ago (2 children)

Another thing is that I feel like the era of the private phone number has passed. I see the use case for phone numbers for businesses, but people just don't use them very much anymore otherwise.

Like, we don't memorize them. We don't dial them. They're just entries in our contacts.

At this point, we could create an alternative way of contacting private phones. Something based on whitelisting instead of blacklisting. Something that can be easily shared but not easily guessed. Something that would be easy to trace who called you.

All of these phone scams rely on the idea that a stranger can just up and contact you without any effort. It's ridiculous. If we got rid of that, we'd save people from untold billions of dollars of scams almost instantly.

[–] [email protected] 8 points 8 months ago

Yeah, my ex was scammed this way too - exactly like Cory describes, they happened to ring right as she was going through the whole visa and tax process and pretended to be regarding the IRS, etc., and since she was dealing with a lot of similar calls it was an easy mistake to make.

More services available online and e-mail communication makes this a bit better.

[–] [email protected] 3 points 8 months ago

PSTN is easy for surveillance to be just replaced with a modern system.

It is also relied on by business models of many things, like WhatsApp and Telegram and what not.

The something you are talking about seems suspiciously similar to the Internet with cryptographic IDs.

[–] 0x0 2 points 8 months ago (1 children)

He gave them his CC number over the phone. How would Sweden's BankID protect against that?

[–] [email protected] 4 points 8 months ago

More that you'd never need to provide it, but many transactions will also require 2FA, even by the credit card.

[–] [email protected] 1 points 8 months ago (1 children)

I think this is true in most of the EU banks.

[–] [email protected] 1 points 8 months ago (1 children)

Spain and the UK have no real digital ID (Spain has some horrible Java certificate based system, but you can't use it for much). I think Germany's digital ID is in a similar position too although it's been many years since I lived there now.

The UK is in the same position as the US with no national ID or residence registration at all.

Only the Netherlands, Finland and Scandinavia really have it sorted out for banking and government services.

[–] [email protected] 1 points 8 months ago

Wait, I was talking about the fact that most EU banks (if not all) need to have a two-factor authentication system in place, which limits a lot what a scammer can do.
In this case I think that a scam like this would not be possible, or at least it would be stopped the moment the bank app asked to confirm what I am supposedly doing.

A national digital ID system is nice (in Italy we have the SPID), but it does not limit anything if you really can do everything with just the credit card number.

[–] [email protected] 13 points 8 months ago (1 children)

Good article as usual from Cory Doctorow. I was very surprised by the title, but reading what happened made more sense.

I had something similar happen while job hunting. I didn’t give away any useful info before I caught on, but it was a combo of two factors that caught me with my shields down:
• I was using my phone instead of my desktop, so it didn’t show the email address (just the person’s name)
• I had never heard of a recruiting scam before

I’m not sure, but I figure they’d have asked for my direct deposit info when I was “hired” and then used that to steal money.

[–] [email protected] 6 points 8 months ago* (last edited 8 months ago)

Edit: speaking from US banking, I think it’s probably different in other countries with updated banking practices.

Recruitment scams tend to involve the hirer sending you a large check to cover office setup purchases from the hirer’s “trusted vendor” and you keep the excess as your first paycheck. Unfortunately, the check is fake and the vendor is just the hirer behind a fake website. But the check “clears” in a couple of days, so you think you have the money, and you spend that money in the fake website, then your bank lets you know the check was fake and takes all the money back.

I’m sure there are other scenarios but they all involve a fake payment that eventually gets taken back. Glad you weren’t taken in.

[–] [email protected] 7 points 8 months ago (1 children)

Just got a 'group' SMS this morning trying to phish multiple people at the same time, it is never ending.

[–] [email protected] 5 points 8 months ago

I get those about once a week. "Your package cannot be delivered" Come on over here you spammy bastards, I'll deliver a package of my goddamn BOOT up the side of your arse! That's what I say. It helps me feel better, because why not feel better?

[–] 0x0 4 points 8 months ago (1 children)

My rule of thumb is to never give away any information, always call back. And I don't have credit cards, never have; whenever I need one I just use virtual disposable CCs from my banking system.

[–] [email protected] 1 points 8 months ago

Anything that requires any personal info from me needs to come in the form of a physical letter. I do not give anything out over the phone. Emails are not legally binding.

[–] [email protected] 3 points 8 months ago (1 children)

Hold on, the scammer could spend 8000 USD without even knowing the card's PIN number?

[–] [email protected] 3 points 8 months ago (1 children)

It's a credit card, they don't typically have PINs like debit cards do. They do have a 3-digit CVC code on the back, but 3 digits is pretty easy to get just by brute force guessing.

[–] [email protected] 10 points 8 months ago

Three digits is not that easy to get by brute force. It'll be locked for fraud pretty quickly.

However the CVV is usually only required for card-not-present purchases. One way around that is to imprint the number onto their own magstripe card and run it as a card-present transaction.
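As an added illustration of why guessing a 3-digit CVV gets a card "locked for fraud pretty quickly" (constructed example, not code from the thread or from any real issuer): an issuer-side velocity rule that counts CVV mismatches per tokenised card inside a sliding time window and locks the card once the threshold is hit, so a guesser is cut off long before the 1000 possibilities are exhausted. The class, field names and sample stream below are all assumptions made for the example.

```python
from collections import defaultdict, deque
from dataclasses import dataclass


@dataclass
class AuthAttempt:
    ts: int          # seconds since epoch (constructed values)
    pan_token: str   # tokenised card reference, never the raw PAN
    cvv_match: bool  # did the CVV presented by the merchant match?
    merchant: str


class CvvVelocityGuard:
    """Lock a card after max_failures CVV mismatches within window_s seconds.

    Hypothetical rule for illustration; real issuers combine this with
    merchant, amount and geography signals.
    """

    def __init__(self, max_failures: int = 3, window_s: int = 3600):
        self.max_failures = max_failures
        self.window_s = window_s
        self.failures = defaultdict(deque)  # pan_token -> timestamps of mismatches
        self.locked = {}                    # pan_token -> lock time

    def evaluate(self, a: AuthAttempt) -> str:
        if a.pan_token in self.locked:
            return "DECLINE_LOCKED"          # even a correct CVV is refused now
        if a.cvv_match:
            return "APPROVE"
        q = self.failures[a.pan_token]
        q.append(a.ts)
        while q and a.ts - q[0] > self.window_s:   # drop mismatches outside the window
            q.popleft()
        if len(q) >= self.max_failures:
            self.locked[a.pan_token] = a.ts
            return "DECLINE_LOCKED"
        return "DECLINE_CVV"


# Constructed sample: a guesser cycling CVVs on one card, one attempt per second,
# and the correct CVV finally arriving after the card has already been locked.
SAMPLE = [AuthAttempt(1000 + i, "tok_4f2a", False, "shop-x") for i in range(5)]
SAMPLE.append(AuthAttempt(1010, "tok_4f2a", True, "shop-x"))


def run(attempts, guard=None):
    """Feed a stream of attempts through one guard and return the decisions."""
    guard = guard or CvvVelocityGuard()
    return [guard.evaluate(a) for a in attempts]


if __name__ == "__main__":
    for a, decision in zip(SAMPLE, run(SAMPLE)):
        print(a.ts, a.pan_token, a.cvv_match, decision)
```

Legitimate mistypes are spaced out in time, so the window check lets them through; only a rapid burst trips the lock.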
