[HN Gopher] The 'Zelle fraud' scam: how it works, how to fight back
___________________________________________________________________
The 'Zelle fraud' scam: how it works, how to fight back
Author : picture
Score : 254 points
Date : 2021-11-19 21:37 UTC (1 day ago)
(HTM) web link (krebsonsecurity.com)
(TXT) w3m dump (krebsonsecurity.com)
| yardstick wrote:
| Would it help if the text message included the reason for the
| code?
|
| "This is <bank>, you requested a password reset. Your code for
| this is 123456. Using this code will change your password. Call
| us if that's not what you want."
|
| Or something along those lines.
|
| Yeah it's still a fundamentally flawed process, but until they
| replace the entire process with something better, a slight change
| in wording would help save some people.
| notahacker wrote:
| One of my banks actually sends two SMSes, a generic warning
| one, with the actual code following a minute later (the website
| tells you this will happen). Annoying when you're short of
| time, but I suspect it's very successful at countering this
| sort of social engineering. You open the message the scammers
| tell you they've sent, and it just tells you to beware of
| people ringing you up and asking for codes. Probably you don't
| stay on the line waiting for the actual security code.
| jrib wrote:
| I agree this would be an improvement. Many people won't
| actually read the message but for those who do it adds some
| security.
|
| At the very least there should be distinct codes for identity
| verification when on the phone with your bank and when
| performing other activities.
| ralph84 wrote:
| My girlfriend got hit with this one. According to her the scammer
| was very convincing on the phone. American accent. Empathetic
| tone. "Don't worry, we'll get your money back, we just need to
| make sure it's really you not the person trying to steal your
| money."
|
| Luckily her credit union was quick to restore the funds with
| minimal hassle.
| rocqua wrote:
| It seems like a 'simple' case of using SMS codes as a single
| factor. If it is enough for a password reset, it's a single
| factor.
|
| It seems to me that SMS codes are much more often abused like
| this than other second factors are.
| [deleted]
| hn_throwaway_99 wrote:
| I wish there was a coordinated public service campaign around
| "Hang up, Look up, Call back". I feel like if we could really
| ingrain those 6 words, it would go a long way to blocking
| these types of phishing scams.
|
| Number one thing I tell folks in my security training is to
| _never_ respond or click a link on an _inbound_ message. Instead,
| look up your bank or service provider and make an _outbound_ call
| (or direct URL navigation) to them.
| coderintherye wrote:
| There is, sort of: https://scamspotter.org/ Discussed here
| earlier today: https://news.ycombinator.com/item?id=29278411
| JulianK wrote:
| I recently heard about an incident where hanging up turned out
| to be more difficult than it should have been. Stay calm. Call
| from another phone perhaps?
|
| https://bc.ctvnews.ca/beware-of-the-delayed-disconnect-phone...
| david_allison wrote:
| Definitely call from another phone if using a landline.
|
| https://security.stackexchange.com/questions/100268/does-
| han...
| tzs wrote:
| If you don't have another phone would it be safe to first
| call some other known number and see if that goes through?
|
| If it does, then you should be able to infer that the
| previous inbound call has (probably [1]) hung up, and it is
| now safe to call your bank.
|
| [1] A sophisticated enough scammer could hold the line,
| give a fake dial tone, detect that the number you are
| dialing is not the bank number they expected you to dial,
| dial that number themselves on a different line, and relay
| between that line and yours to convince you that you really
| did have a clear line, and then keep holding the line when
| you then hang up and try to call the bank.
| silvestrov wrote:
| You can hardly teach a large part of the population how to
| drive a car and use the indicators when switching lanes. How
| can you expect to be able to teach them security processes?
|
| The only working approach would be to make a law that phone
| companies must ensure that caller numbers cannot be spoofed in
| any way and make them responsible for losses due to spoofed
| numbers.
|
| And require that banks publish which phone numbers they call
| customers from (like spf is for email), and do so in a format
| that mobiles can use. So the mobile can show the customer "this
| is really your bank" or "unknown caller".
| andrewljohnson wrote:
| I just never answer my phone unless you are in my contacts or I
| suspect I'm due a call from something local. It's mostly spam.
|
| The lesson in these times is don't answer your phone... the
| phone companies are completely overrun.
| weaksauce wrote:
| Has there been a breach of credentials associated with clicking
| on a link and having Firefox or Chrome fill in your password
| saved from the site? I am pretty paranoid but if Firefox says
| it's able to fill in a saved cred from this site I assume it's
| probably the right site. Now I am paranoid enough that I don't
| do this for sites with a lot of downside like banking or the
| like... those are a strict "I'm calling the number on the back
| of the card or look up the number from their website" kinda
| things.
| frosted-flakes wrote:
| Firefox/Chrome will link the saved credential to the domain
| name, so unless your bank lost control of its domain name,
| that's an unlikely attack vector. To be safe you can confirm
| that you're on the right site by manually looking up the
| domain name.
| weaksauce wrote:
| Yeah that I get but I am curious if there is a more subtle
| hack or technique that would bypass that somehow. Like a
| MitM attack or something more clever.
| lokedhs wrote:
| That would be nice if it worked.
|
| I had a call from my bank, and before they could even tell me
| what it was about, they asked me to answer some security
| questions. When I pointed out how ridiculous that was, and I
| asked them to prove their identity first, they didn't even
| have a process for it. Calling back was also impossible since
| apparently there was no way to get connected back to the
| person with whom I was speaking.
|
| I was unable to get back in touch with them, and a week later
| someone else called from the bank trying to do the same, and
| the same thing happened again. I refused to answer their
| security questions and they had no way to prove their identity.
|
| The next time they called, they didn't ask for the security
| questions anymore and just got to the point immediately. They
| have never asked for it since. I wonder if I'm flagged in their
| database as someone who shouldn't be asked security questions.
| JumpCrisscross wrote:
| > _there was no way to get connected back to the person with
| whom I was speaking_
|
| You shouldn't have to get back to that exact person. Just
| their department.
| lokedhs wrote:
| That is what I assumed as well, but when I did call back
| they had no idea what the topic was.
|
| Hopefully, this particular experience is rare, but the fact
| that it can happen at all is somewhat concerning
| cortesoft wrote:
| What were they trying to reach you about? Was it actually
| important to you or was it something you could have
| ignored?
| lokedhs wrote:
| They wanted to tell me that I hadn't made my loan
| payment. They were right about it. I did miss it. I had
| made a larger payment a few months earlier, and I hadn't
| resumed regular payments.
| ollien wrote:
| One would think this wouldn't be such difficult
| information for an L1 rep to tell you. _sigh_
| mindslight wrote:
| Most banks have separate customer facing departments and
| back office departments that process paperwork. In the full
| evolution of this setup the customer facing departments are
| basically useless, and answer your questions by putting you
| on hold while calling up a back office department. Getting
| the actual details of some issue is like pulling teeth with
| these arrangements, because the front end has no domain
| knowledge. But every so often a person from the back office
| will call you to ask a question and you'll get to speak to
| a real human who can intelligently tell you the status of
| an issue. And so when you get calls like that, your choice
| is to either just roll with their insecure process where
| they want to verify you but you don't verify them, or give
| up getting that additional visibility and ultimately spend
| more time on the phone working through the front end.
| prox wrote:
| This is where the marketing department sits in an entirely
| different building and doesn't know a thing what's happening
| around them.
| pdonis wrote:
| _> That would be nice if it worked._
|
| It looks like you didn't even try it. In order to do what the
| GP described, when your bank calls you, you say nothing and
| answer nothing. You hang up and call back on a number you
| know.
|
| _> Calling back was also impossible since apparently there
| was no way to get connected back to the person with whom I
| was speaking._
|
| You don't have to. You just ask the bank when you call them
| back: did someone just call me a little bit ago? What about?
|
| If the bank can't answer that question, it's time to find
| another bank. Any reputable bank will be able to look at your
| file and see that a call was made to you and what the issue
| was.
|
| _> The next time they called, they didn't ask for the
| security questions anymore and just got to the point
| immediately. They have never asked for it since._
|
| This does not look like success to me. It looks like failure.
| What your bank should be doing is sending you a message via
| some known channel--like the message center on their website,
| where you can see messages for you when you log in--telling
| you that there is an issue that you need to call them about.
| If you're giving information to someone who calls you out of
| the blue and says they're from your bank, you're setting
| yourself up to be scammed.
| lokedhs wrote:
| > It looks like you didn't even try it. In order to do what
| the GP described, when your bank calls you, you say nothing
| and answer nothing. You hang up and call back on a number
| you know.
|
| I did do exactly that. I asked them for a reference that I
| could give when I call back. They couldn't give me that. I
| then did try to call them back, and said "someone called me
| about something just now, what was it?" and they were not
| able to tell me.
|
| > If the bank can't answer that question, it's time to find
| another bank.
|
| Thankfully, that's not my normal bank. This was the bank
| that has my car loan. That's my only interaction with them.
| It's unlikely I'll have more business with them.
|
| > This does not look like success to me. It looks like
| failure.
|
| Absolutely. This along with the other issues suggests that
| they value convenience over security. Also, this is not a
| small bank we're talking about.
|
| I have never seen issues this bad with other banks, but the
| problem is that when there are banks that get away with
| this, that suggests people in general do not make a fuss
| about it and simply accept whatever people tell them on
| the phone. If nothing else, it proves why phone scams work.
|
| If the bank didn't even have an answer when I asked them to
| authenticate themselves, that suggests very few people even
| ask.
| lelanthran wrote:
| > You don't have to. You just ask the bank when you call
| them back: did someone just call me a little bit ago? What
| about?
|
| > If the bank can't answer that question, it's time to find
| another bank. Any reputable bank will be able to look at
| your file and see that a call was made to you and what the
| issue was.
|
| That won't help: all the phisher has to do is make a call
| at around the same time that the legit employee called you.
| The person you called back would probably not be able to
| tell you what the call should be about anyway.
| b3morales wrote:
| > all the phisher has to do is make a call at around the
| same time that the legit employee called you
|
| How does the phisher have information about what time the
| bank is calling?
| zerocount wrote:
| The idea is to call the institution back, often customer
| service, or log in to your account and check for alerts
| or messages. If customer support knows nothing about the
| contact attempt, I presume it's not legitimate.
| lelanthran wrote:
| > The idea is to call the institution back, often
| customer service, or log in to your account and check for
| alerts or messages. If customer support knows nothing
| about the contact attempt, I presume it's not legitimate.
|
| And I'm saying that even if the customer support _knows
| about the call_ , that doesn't mean that the next call
| you get in 2m from the bank is legitimate.
|
| In all cases, anyone reaching out to you from your bank
| should be treated as not legitimate. The only way to do
| this is to call the bank yourself, and get put through to
| the person who wants to talk to you.
|
| Any other way _including the way you said you 'd do it_
| is vulnerable to phishing.
| wccrawford wrote:
| You're not wrong about the incoming calls, but I can't
| figure out who you're replying to. Nobody above you in
| the thread seems to be suggesting that the bank _ever_
| call you. And certainly not call again in a short time.
| lelanthran wrote:
| The post I replied suggested that checking with the bank
| will indicate whether a call was legitimate or not.
|
| I'm saying that checking with the bank doesn't indicate
| that a call was legitimate, so there's no point in
| checking with the bank.
| jamesknelson wrote:
| The issue I imagine here is that calling the bank can be costly
| both in hold time and in phone fees. If banks were able to
| remove this disincentive to call by ensuring that their phone
| lines have zero wait time, and offering to immediately call
| back to avoid billed-by-the-minute phone charges (or in the
| case that they already offer this, by making it clear to
| customers), then I think there'd be a larger uptake of the idea
| of "hang up, look up, call back".
|
| As it stands, I'd be afraid of needing to wait 30 minutes in
| hold, and getting billed 30 minutes of call time by the phone
| company for the privilege. I'm not from the US, so it's
| possible that your banks are doing this part better than the
| local ones, but that's always the worry with the phone for me.
| dv_dt wrote:
| A citibank security call I received impressed me, they seemed
| to completely understand me wanting to call back and gave me
| instructions to get back to them through the phone menu of
| the corporate line (that I looked up). Iirc it included a
| case id that got you right back to the same security team.
| notyourwork wrote:
| As it should. The engineering (or lack thereof) that goes
| into current processes is embarrassing.
| mcny wrote:
| On that note, I should name and shame T-Mobile USA. They
| called me back after my line got disconnected and
| proceeded to ask security questions to verify me and
| pretended to not understand my concern when I said how do
| I know you are who you say you are. They were calling me
| on my T-Mobile line.
| cyberlurker wrote:
| They are terrible with security all around.
| stjohnswarts wrote:
| This is why I have a credit union with multiple locations
| nearby and they only have 1 phone number for customer service
| and I know it by heart, good luck scamming me over email or
| txt, at least when it comes to my bank account :)
| likecarter wrote:
| The context is for everyday people. Not everyone has the
| time, patience, or ability to do that.
| NavinF wrote:
| > 1 phone number for customer service and I know it by
| heart
|
| Ehh that doesn't change anything as far as having to call
| back. CallerID is trivially spoofed everywhere.
| Talanes wrote:
| It immediately eliminates anyone not thinking to spoof-
| call GPs small credit union. Given that most of the
| scammy calls I receive are about accounts with places
| that I don't have accounts, I don't think that level of
| targeting is the norm.
| passivate wrote:
| Apparently this is a thing..
|
| https://symantec-enterprise-
| blogs.security.com/blogs/threat-...
| vlovich123 wrote:
| Banks have 1-800 numbers which are free and generally most
| phone plans I'm aware of are unmetered by minute
| MattGaiser wrote:
| The person above is not from the USA. Unlimited everything
| plans aren't even that common in Canada.
| vlovich123 wrote:
| I was replying to this:
|
| > I'm not from the US, so it's possible that your banks
| are doing this part better than the local ones, but
| that's always the worry with the phone for me.
|
| Since the person is asking about what it's like here I'm
| providing that perspective. In Canada banks also provide
| 1800 numbers so it should generally be free. I thought
| Canada has mostly unlimited plans but I haven't had a
| Canadian phone plan in over a decade.
| frosted-flakes wrote:
| Pretty much all Canadian phone plans have unlimited
| Canada-wide calling. For most people, the only limitation
| is data caps.
| afavour wrote:
| I'm a lot more concerned about the time wasted being on
| hold for an hour than the minutes I'm burning...
| wongarsu wrote:
| Maybe it's not a good bank if you can't get a hold of
| them in a reasonable timeframe
| na85 wrote:
| I mean if there's actually a real problem with your
| account, spending an hour on hold might not be wasted
| time.
| tobr wrote:
| It's still wasted time, and what's worse, if it's an
| urgent problem, that's a situation where you can't afford
| wasting that time.
| bostik wrote:
| While that's a real problem in general, I would think
| that _for this particular group of people_ it might be
| less of an issue.
|
| We are well paid, and as such the majority of HN'ers should
| qualify for premier banking. One of the advantages in
| that is that you get access to quality in-house customer
| service, and may be able to call them directly from the
| banking app. (A really nice feature.) They tend to have
| good availability too. The plural of anecdote is not
| data, but I've never had to wait for longer than five
| minutes when I do have a problem that requires CS's
| involvement.
| [deleted]
| tlogan wrote:
| But banks will never call you. At least not ones in US.
| [deleted]
| skoskie wrote:
| USAA calls me frequently. This broad statement is just
| wrong.
| tlogan wrote:
| What are they calling about? Just curious - it seems like
| I'm wrong. Also maybe there is opportunity to develop
| some service for them so they do not need to call.
| banana_giraffe wrote:
| I have absolutely been called by Bank of America, both by
| an automated "did you really do this?" sort of fraud
| detection, and by a human calling to tell me my card number
| was known to be stolen and make arrangements.
|
| Heck, I'm pretty sure I've gotten sales calls from them as
| well, though I never stay on the line long enough with
| those to be sure.
| ChrisMarshallNY wrote:
| Same here. I also have a BoA account for most of my day-
| to-day stuff.
|
| I use credit cards (in particular, an Apple Card) for
| almost every transaction. In fact, I seldom carry cash,
| which has been a problem, from time to time.
|
| I won't use Venmo, or PayPal with direct bank account
| connection. It has earned me scorn, but you really only
| need to have a problem _once_ , to learn religion. I
| don't use credit cards for Venmo or PayPal for cash
| transactions, because cash advance fees.
|
| I always pay my account in full, every month. It also
| means I get Apple Cash, for a slush fund.
|
| I do use direct bank account connection for a few things
| like utility bills, but that is a fairly primitive setup
| process, where there is no doubt about the other end.
| Even so, many outfits now allow bill pay, via credit
| card.
| romwell wrote:
| Yeah, no.
|
| When I initiated a wire transfer, my bank did call me to
| confirm it.
|
| What's worse, when I called back, I didn't reach the same
| department and it took half an hour to sort it through.
|
| It was all legit, but was indistinguishable from a scam
| attempt.
| tlogan wrote:
| What is the name of the bank?
| albedoa wrote:
| I've been called by Chase and at least one other for
| fraud alerts. If I recall correctly, the Chase message
| instructed me to call back using the number on my credit
| card.
|
| It is not correct that banks will never call you in the
| US.
| mcny wrote:
| However, a bank should not ask you to verify your
| identity when they call you. This is the missing piece.
| If anyone calls me, I should not give them any
| information they don't already have. If they are the
| fraud department, they already know everything.
| pdonis wrote:
| _> The issue I imagine here is that calling the bank can be
| costly both in hold time_
|
| The solution to the time wastage problem is for the bank to
| have a better method of sending you information than random
| calls out of the blue. Most banks have a message center on
| their website, where you can see any messages waiting for you
| when you log in and can send messages in reply.
| makeitdouble wrote:
| I think it will work way better when companies plain stop
| calling customers at all.
|
| As it stands now I receive 'legitimate' calls from a credit
| card company to open new options on my account. Or from my
| phone company to switch my plan. And the interesting part is
| that as it is ultimately to improve the caller's monthly
| numbers, they won't offer the same conditions online or through
| mail, I tried. And calling back the same person is a royal
| PITA. So in some cases, it costs me to not deal with
| transactions on the phone, inbound, from a person I need to
| trust to be what they say they are.
| cbhl wrote:
| The tricky bit is I know some legitimate departments of my bank
| follow this policy -- so if they make an outbound call to me,
| they will trust what I say on the phone, but if I hang up and
| call them back, they will take down my number and call me back
| later.
| wcarss wrote:
| unfortunately, trust is a two way street!
| fossuser wrote:
| Even worse Morgan Stanley will ask you for two factor codes
| over the phone(!).
|
| It's impossible to implement good user behavior when the
| banks themselves are wildly negligent.
| lowercased wrote:
| I tried to buy something, but it was a large amount - over
| my normal usage. I had to call the bank, and they said
| "we're sending a code to your phone..." and the text
| message said "DO NOT share this code. We will NEVER call
| you or text you for it. Code xxxxxx. Reply HELP if you
| didn't request it."
|
| So... they then say "what is the code?" that specifically
| says "DO NOT share this code". I know what's going on,
| mostly, but it was still confusing.
| lokedhs wrote:
| It was definitely poorly written. It's correct, since
| they never called you, it was you who called them. But it
| does raise the question as to how to teach people that
| who initiates the contact is very important and
| completely changes the security analysis.
| smaccona wrote:
| It's worth pointing out that if you are not the one
| initiating the call, then this is a legitimate attack
| vector, and not just via SMS text message or email two
| factor but also any type of OTP. The attack goes like
| this: (1) given that the whole point of two-factor auth
| is to prevent access to your account in the event that
| your primary authentication tokens (usually a username
| and password) are compromised, let's assume for this
| attack that a bad actor already knows your username and
| password. (2) the attacker calls you up and says "this is
| <your bank>", then (3) the attacker logs into your
| account with the username and password they already know
| (4) this either triggers an email or text message with
| the second factor, or if you use a hardware token or an
| app then the code is available there. Either way, the
| attacker requests you to read back the code over the
| phone (5) the attacker uses this secondary code to gain
| access to your account, and can then take any action
| including changing your password and 2nd factor setup. I
| think this is the reason security teams set up these
| messages to say things like "NEVER share this code!" and
| the like.
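An added example, not from the article or from any commenter: the attack smaccona lays out above, replayed against a one-time-code issuer that binds each code to the action it was issued for (jrib's point earlier in the thread about distinct codes for phone verification versus other activities) and whose messages name that action (yardstick's suggested wording). The service, the message texts, the names and the scenario are all constructed for this example. The point it makes is that purpose binding limits what a relayed code can do, while a code the victim reads out for the very action the attacker triggered can only be stopped by the wording and the reader's attention.

```python
import hashlib
import hmac
import secrets
import time
from dataclasses import dataclass
from enum import Enum
from typing import Dict, Tuple


class Purpose(Enum):
    LOGIN = "login"
    PASSWORD_RESET = "password_reset"
    PHONE_VERIFY = "phone_verify"   # identity check on a call the CUSTOMER placed


# Each message names the action the code unlocks and who may ask for it.
# Wording is an assumption for this example, not any bank's actual text.
TEMPLATES = {
    Purpose.LOGIN: ("Sign-in code {code}. It works ONLY to sign in on our website. "
                    "We will NEVER call you for it."),
    Purpose.PASSWORD_RESET: ("Code {code} will CHANGE YOUR PASSWORD. Enter it only on "
                             "our website. We will NEVER call you for it."),
    Purpose.PHONE_VERIFY: ("You called us. Read code {code} to the agent on that call. "
                           "Nobody who calls YOU may ask for it."),
}


def _digest(code: str) -> bytes:
    return hashlib.sha256(code.encode()).digest()


@dataclass
class Issued:
    digest: bytes
    expires_at: float
    used: bool = False


class OtpService:
    TTL_SECONDS = 300

    def __init__(self, clock=time.time):
        self.clock = clock
        # One live code per (user, purpose); a code is only ever looked up
        # under the purpose it was issued for, so it cannot be redeemed elsewhere.
        self._live: Dict[Tuple[str, Purpose], Issued] = {}

    def issue(self, user: str, purpose: Purpose) -> Tuple[str, str]:
        code = f"{secrets.randbelow(10**6):06d}"
        self._live[(user, purpose)] = Issued(_digest(code), self.clock() + self.TTL_SECONDS)
        # A real service would only send the message; the raw code is returned
        # here so the scenario below can play both the bank and the victim.
        return TEMPLATES[purpose].format(code=code), code

    def redeem(self, user: str, purpose: Purpose, code: str) -> bool:
        rec = self._live.get((user, purpose))
        if rec is None or rec.used or self.clock() > rec.expires_at:
            return False
        if not hmac.compare_digest(rec.digest, _digest(code)):
            return False
        rec.used = True          # single use: a relayed code cannot be replayed
        return True


def relay_scenario() -> dict:
    """Replays the attack from the comment above against a purpose-bound issuer."""
    now = [1_000_000.0]                       # constructed clock so expiry is testable
    svc = OtpService(clock=lambda: now[0])
    victim = "alice"                          # constructed user
    out = {}

    # 1. The victim earlier called the bank and was sent a PHONE_VERIFY code.
    #    A scammer who talks her into reading it out gets nothing usable online.
    _, phone_code = svc.issue(victim, Purpose.PHONE_VERIFY)
    out["phone_code_used_for_login"] = svc.redeem(victim, Purpose.LOGIN, phone_code)
    out["phone_code_used_for_reset"] = svc.redeem(victim, Purpose.PASSWORD_RESET, phone_code)

    # 2. The scammer, holding Alice's password, starts a login; the bank sends a
    #    LOGIN code whose text says what it is for and that nobody will call for it.
    msg, login_code = svc.issue(victim, Purpose.LOGIN)
    out["login_message_warns"] = "NEVER call you" in msg
    #    If Alice reads it out anyway, purpose binding cannot save her: the code
    #    is being used for exactly what it was issued for. Only the wording helps.
    out["relayed_login_code_works_once"] = svc.redeem(victim, Purpose.LOGIN, login_code)
    out["relayed_login_code_replay"] = svc.redeem(victim, Purpose.LOGIN, login_code)

    # 3. An expired code is refused even with the right purpose.
    _, reset_code = svc.issue(victim, Purpose.PASSWORD_RESET)
    now[0] += OtpService.TTL_SECONDS + 1
    out["expired_reset_code"] = svc.redeem(victim, Purpose.PASSWORD_RESET, reset_code)
    return out


if __name__ == "__main__":
    for check, result in relay_scenario().items():
        print(f"{check}: {result}")
```

Running the scenario shows the asymmetry the thread keeps circling: a code issued for a call the customer placed is useless for logging in or resetting a password, but a login code relayed over the phone works once, because from the server's side it is a legitimate login. That is why the message has to carry the warning, and why lowercased's experience of being asked for a code that said "DO NOT share" is a different case: there the customer had initiated the call and the code belonged to that purpose.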
| [deleted]
| vmception wrote:
| Unfortunately financial companies act outside of the best
| practices that make it impossible for the consumer to
| distinguish.
|
| After being transferred during after hours, American Express
| asked me for some unnecessary information and I hung up. I
| called back and got someone different with a local US accent
| and I told them what I encountered and they said that's normal
| ( _facepalm_ ).
|
| I called back during normal business hours and the more
| expected experience occurred.
| tlogan wrote:
| Strange. I have American Express and they clearly say:
| American Express will never call you to ask for your
| information.
|
| Even if some transaction is suspicious they tell me to call
| them.
| ectopod wrote:
| Say "if it's important send me a letter". Hang up. Don't waste
| your time running round after these idiots.
| jaredsohn wrote:
| Can't that be faked in the same way?
| vishnugupta wrote:
| Sure it can be faked.
|
| But it'll filter out most of such scams which are
| "online-only".
| bitreality wrote:
| Most cyber criminals have a script. They don't deviate from
| the script unless they think they have a potential home
| run. Even then, going from this to sending out fake mail
| correspondence... That's a whole different toolbox. 99%+ of
| the time they will not even consider it. Especially since
| it's not scalable.
| ChrisMarshallNY wrote:
| I remember that scammers got in touch with my wife,
| trying to get personal info. It was fairly elaborate. She
| got a call from a man that she said had "a golden voice,"
| followed by official-looking mail correspondence (very
| quickly, which was suspicious, in itself -it can take
| many days for my bank to get me correspondence). They had
| our home phone number, her name (not mine), and address;
| either through public records, or via a breach (which is
| why "they didn't get customer credit card info" is a
| worthless reassurance).
|
| It was "Synchrony Bank," telling her she was victim of a
| fraud. I contacted the real Synchrony Bank, and let them
| know about the fraud. The contacts stopped.
| pfortuny wrote:
| But it is much costlier (time, materials, logos...) and a
| different technique.
| ectopod wrote:
| Many telephone scams rely on creating sustained panic in
| the victim. Transfer your money to thwart the
| cybercriminals! There's no time to think.
|
| A letter can be discussed with friends and family. It's
| much easier to dismiss without a con artist whispering in
| your ear.
| josephcsible wrote:
| Don't these sorts of emails already say things like "nobody
| legitimate, including our employees, will ever ask you to tell
| them this code"? I'm not sure how to stop scams that are already
| only possible because of people's lack of reading.
| bullfightonmars wrote:
| The problem is that banks totally ask for codes when you call
| them to do things like password resets.
| dmitrygr wrote:
| There is only space for so many characters in an SMS, so
| they may not include this very important warning.
| [deleted]
| ollien wrote:
| Ally's message does.
|
| > Ally: As Security measure, we will never ask for this
| number over the phone. Security code: xxyyzz. Call
| 1-877-247-2559 if you did not request a code.
| djbusby wrote:
| Wells Fargo has a warning in their SMS - for Zelle and non-
| Zelle things.
| djrogers wrote:
| Cap1 does this: "Capital One won't call you for this code.
| The temporary code you requested to sign-in is 091657. Please
| use this code to complete your request."
|
| IIRC, there was one time I did have to verify a code over the
| phone, and the message that came with it was completely
| different.
| paxys wrote:
| Major ones have it, but there are thousands of banks in the US
| and I'd wager almost all of them provide some form of online
| banking experience. Outside the larger ones security isn't
| really up to par.
| vegetablepotpie wrote:
| > the victim has never even heard of Zelle, nor did they realize
| they could move money that way.
|
| Financial institutions do not take security seriously, and they
| don't take their customers time seriously.
|
| The onus is always on the consumer to protect their accounts.
| When institutions decide to change their features the customer is
| not at the table, they're on the menu.
| throw7 wrote:
| "many credit unions offer it by default as part of online
| banking"
|
| I remember I had to opt-in to get zelle transfers activated.
| Information, terms of the service, and separate activation of
| email/phone were done at that time just for zelle. I suppose
| nowadays it's streamlined... which is not so good if customers
| don't even know what zelle is.
| _jal wrote:
| I've gotten these texts twice, so far.
|
| There was another one that came in between them that felt the
| same (language that I think of as "conversational robotese"), but
| appeared to be VPN phishing.
| patio11 wrote:
| Circle that bit of advice around Regulation E folks. (Not a
| lawyer but I have had a lot of experience citing Regulation E on
| behalf of various folks. It, unsurprisingly, works the way that
| regulators say it does.)
| swat535 wrote:
| This may sound very simplistic but I block all calls that are not
| in my contacts list on my iPhone.
|
| It directly goes to voicemail and they can leave a message if
| it's important. Should the message involve anything that I might
| consider important, I simply call my bank and ask for a follow
| up.
|
| If it's an absolutely critical matter and I don't call or follow
| up, the bank will send a letter instead which I can then either
| call or go to the bank for further inquiries
|
| I do the same thing if I get a suspicious email / text from my
| bank.
|
| Finally, I never really click the links in the emails because I
| have my bank's website as a bookmark so I'll just use that.
| nnf wrote:
| Any telco people here that can explain the technicals of how or
| why it's still possible to spoof a phone number? Is this just how
| the whole system works?
|
| When I use Twilio, I have to prove to them that I control a phone
| number before I can use Twilio to make outbound calls or send SMS
| messages that appear to originate from my number. This suggests
| to me that the system is built with assumed trust, like email was
| originally. Is everything too ingrained at this point to add some
| type of authentication that would prevent this type of spoofing?
| Something similar to a CAA record, where the owner of a phone
| number could say "legitimate calls from this number will only
| originate from $TELCO and $SMS_PROVIDER" would be nice.
| hermes8329 wrote:
| Because the phone companies are not held accountable for
| facilitating it
|
| If they were this would have been solved yesterday
| ipython wrote:
| Agreed. The joke is ultimately on them, though, as a new
| generation of people grow up and their only experience with
| the pstn is that every incoming call is fraudulent. What good
| is having a phone number at that point? It's just a
| liability.
|
| Most likely the only reason a young person will ever have to
| interact with the phone system is to call 911 for emergency
| services. Ultimately the spam problem will kill the pstn as
| we know it.
| LinuxBender wrote:
| SS7 was not really designed with any security. It assumed only
| telcos would be using it and that stopped being true in the
| 1980's/90's as the bar to entry for getting your own SS7 link
| was lowered. Even if SS7 were retrofitted to support this type
| of validation it would be negated by the fact that numbers are
| portable. A number can legally originate from anywhere.
| Validation will have to occur out of band by some other means
| or by replacing or deprecating the telco network entirely.
| DaiPlusPlus wrote:
| The PSTN is frozen-in-time: despite SIP and fancy
| intra-3G/4G/5G tech everything else is built around Signalling
| System 7 from 1975:
| https://en.wikipedia.org/wiki/Signalling_System_No._7
| djbusby wrote:
| There are some PSTN gateway providers that you can basically
| make up your outgoing CID on. Les.net used to let me do that, for
| example - no validation.
|
| Twilio is doing their own enforcement to help their reputation.
| wildrhythms wrote:
| These gateway providers, in addition to simply spoofing the
| outgoing number, will also sell blocks of legitimate domestic
| numbers to the scammers- knowingly- to use for callback
| numbers. Truly disgusting
|
| https://www.justice.gov/opa/pr/district-court-enters-
| permane...
| djbusby wrote:
| Yea, I wasn't tryna call anyone out, there are legit use-cases
| and I like Twilio's approach, and yet it's so easy to fake a
| CID :(
| makeitdouble wrote:
| Not telco, so I hope there will be better answers.
|
| Phone numbers are basically identical to IP numbers in their
| use, and they are declared by the emitting party. Just as you
| can spoof IPs in the packet headers, you can spoof the
| telephone number at the transport level.
|
| We could upgrade to more secure connections, but the whole
| point of using the telephone network is because of the legacy.
| I can't imagine a telco putting significant money into
| improving the network when no customer will pay more for that
| (right now, arguably, spammers are their first-class
| customers).
| josephcsible wrote:
| But for IPs, don't we at least have reverse path filtering
| available?
| jimktrains2 wrote:
| That doesn't work for publicly available services, and the
| initial router passes the traffic. This is how things like
| DNS and NTP amplification attacks work: you spoof your
| origin IP and have the server generate traffic to the
| target/spoofed IP address.
| thedufer wrote:
| The big difference is that if you send a packet with a
| spoofed source IP, the reply won't get to you. The phone
| system allows you to set up a full two-way channel without
| the receiving party ever needing the correct identifier for
| the caller.
| perl4ever wrote:
| "A gracious hello. Here at the Phone Company, we handle eighty-
| four billion calls a year. Serving everyone from presidents and
| kings to the scum of the earth. So, we realize that, every so
| often, you can't get an operator, or for no apparent reason
| your phone goes out of order, or perhaps you get charged for a
| call you didn't make. We don't care!"
| willhinsa wrote:
| We don't care. We don't have to. [0]
|
| From the 1976 SNL sketch, starring Lily Tomlin. [1]
|
| [0] https://i.imgur.com/VDdfwNQ.png
|
| [1] https://vimeo.com/355556831
| wildrhythms wrote:
| If there was ever a public service job where I could receive
| scam reports, and trace every single scam text and call back to
| its source and take action against the gateway carriers
| allowing these scams to enter domestic copper, I would apply
| immediately. So much time, needless worry and anguish imposed
| on innocent people who simply want to trust a communication
| protocol that _should_ be trustworthy.
| RNCTX wrote:
| Funny you mention that. I'd say based on personal
| recollection that in "public service" you'll likely find
| people in on the scams.
|
| Former congressman from NOLA, Bill Jefferson, orchestrated
| scams involving securing minority-preferred business loans to
| found rural phone companies. Those rural phone companies
| would then pay him back by getting pre-arranged contracts
| from African countries like our phone scammer friends in
| Nigeria.
|
| When Hurricane Katrina hit, they found $90,000 in cash in his
| freezer. Was pretty close to the $100,000 in cash that the
| DOJ had videotaped him receiving from the Nigerian
| government's vice president a few days before.
|
| https://www.nola.com/news/article_ed0819a4-9aab-5510-b68c-41.
| ..
| hereforphone wrote:
| There is an effort underway to fix this.
| https://en.wikipedia.org/wiki/STIR/SHAKEN
|
| There is not much motivation to fix PSTN (and cell networks
| that rely on or emulate PSTN) as it's being phased out. So
| things move slowly.
| karlshea wrote:
| Until my half dozen robocalls per day end I don't believe
| this will actually help. I guess I'll find out in 11 days.
| wmf wrote:
| SS7 and TDM may be phased out but phone numbers and phone
| calls will still exist. It seems like the replacement
| protocols (SIP?) are still copying SS7 security flaws
| exactly, with STIR/SHAKEN as a bandaid on top instead of a
| fundamental fix.
| nostrebored wrote:
| Yes, the ability to present CNAM in SIP will continue to be
| a thorn for ages.
| closeparen wrote:
| The authentication you're talking about is called STIR/SHAKEN
| and it's an ongoing retrofit. I will describe the status quo
| based on my brief time in a business VoIP firm.
|
| The concept of a "phone line" with a fixed number belongs to
| residential service. Pretty much any business premises has a PBX
| on it, and that PBX is connected to the PSTN by a bundle of
| circuits including some voice channels and some signaling
| channels. Some number of inbound numbers may be routed there.
| Or not! But that has nothing to do with the signaling on
| outbound calls.
|
| Now for a small business it would probably be sensible to limit
| outgoing caller IDs to the inbound numbers routed there. In a
| larger business, PBXes at different sites are connected to each
| other by an enterprise network, and to the PSTN through
| different telecoms in different regions. You may have branch
| offices that only receive calls via the enterprise network, but
| make outbound calls on local transit. You may route a call from
| elsewhere on the enterprise network to exit to the PSTN via
| that branch office, for cost or redundancy reasons. That's how
| Twilio itself works. Lots of IT departments have internal
| Twilios, in that sense.
|
| The upshot is that you need a fairly sophisticated cross-
| telecom standard for establishing authorization to present a
| number on caller ID, and no one got around to building or
| driving adoption of that until pretty recently.
| supersunshine wrote:
| What could go wrong with mandatory digital IDs?
| MR4D wrote:
| I have had a crazy theory for awhile now. It goes like this...
|
| Scammers have a do not call list. The only people on it are
| violent drug lords and members of congress. The first will kill
| them, the second will kill their business (by fixing the phone
| system).
| hamiltonians wrote:
| Regarding crypto fraud, why isn't anyone talking about the
| massive amount of Elon Musk spam and hacked twitter accounts.
|
| https://scaminvestigations.substack.com/p/better-than-the-ma...
| cyral wrote:
| Probably because those scam accounts have been going on for
| _years_ and nothing has been done
| jedimastert wrote:
| My parents just got hit for a couple thousand dollars. Somehow
| someone got ahold of their online banking info, pulled money from
| a savings account to a debit card, and sent the money God knows
| where through "Remitly", a service I'd never heard of until
| tonight. Their bank is contacting Remitly, but they have to nuke
| all of their accounts and cards and start over, and they're out
| the cash until the bank comes through. It's really awful to see.
|
| What's wild is my parents aren't the phishing victim types. They
| know about not reusing passwords, not sending passwords, not
| trusting phone calls, all of that good stuff. I'm really curious
| how they got got.
| orhmeh09 wrote:
| This isn't really helpful, I know, but Remitly is a real
| company and I've met someone who worked there -- it sounded
| pretty legit. But like with Western Union, pretty much anything
| that lets you transfer money internationally is prone to
| misuse. It sounds really stressful what your family is going
| through and I hope they get their money back.
| jedimastert wrote:
| Yeah, from what I could tell there wasn't much Remitly could
| have done to prevent this outside of like checking
| citizenship documents and contacting the bank. They seem
| legit enough.
| programmer_dude wrote:
| Why would I ever need to talk over the phone if I can do
| everything online? This looks like a US only problem.
| johnnyApplePRNG wrote:
| +1 for crypto logins.
|
| No way a fake banker can get you to sign a nonce for them using
| your private key.
| somebodythere wrote:
| https://cryptonews.com/news/thief-steals-usd-8-2m-from-nexus...
| 0des wrote:
| Sure, easy for us to say that, but imagine teaching someone
| less technically competent what that even _means_.
| supernova87a wrote:
| Well, my opinion is that a ridiculous root cause of all this is
| the lack of a central, government-supervised, secure,
| instantaneous, free, direct payments system. Such that all these
| stupid private bank-based services are attempting to fill that
| void and don't get it right when they do it.
|
| Not to say that such a service would not also have
| vulnerabilities. But you hear about all the bounced check /
| advance fee / text message validation scams going on now, and you
| would think that the banks would want to get this liability off
| their hands and into a central service that they can just be rid
| of the responsibility. (ok, on the other hand, having an
| irrevocable transfer system might introduce new problems as well,
| but still...)
|
| I find it unfathomable why we continue to saddle ourselves with
| one of the most ancient check-writing based systems in the world
| that people in other countries laugh at us for (or ask in
| puzzlement, "what is that?"), and have to make all these terrible
| workarounds to deal with.
| rootusrootus wrote:
| This scam doesn't seem to have anything to do with actual Zelle
| aside from using it to enhance the social aspect of the
| phishing. If Zelle didn't exist, they'd use some other service
| that gave their scam a patina of truth.
| bob331 wrote:
| This is not an "increasingly clever" attack, it is monumentally
| oblivious to anyone but a luddite
| ransom1538 wrote:
| I love how the article omitted an important fact: Zelle has
| daily and monthly transfer limits. The max this scam can make is
| ~1k. After the first Zelle send, these scammers reset your
| password, you are sent an email that your password is reset, so!
| You most likely will log in to see what happened etc. It is an
| interesting scam but nothing compared to wiring money.
| bredren wrote:
| > If a criminal initiates a Zelle transfer...that fraud is
| covered by Regulation E, and banks should restore the stolen
| funds,"
|
| This seems great but there's value in these transfers as well.
|
| I had a pair of Apple Watches I was selling and someone wanted to
| use Zelle to pay for them.
|
| No one has ever wanted to pay for a p2p transaction with me using
| Zelle.
|
| I said since they had the money in the bank, they would just need
| to pull it out on the way over. (It was still during banking
| hours)
|
| They wouldn't do it. Kept pushing Zelle as a safe way to send
| money.
|
| By targeting people who will trade real items for Zelle
| transfers, it doesn't matter if the compromised account owner
| gets their cash back.
| skinnymuch wrote:
| I'm confused about this. What's the target here? It's
| shady/weird to want to use Zelle, but couldn't this have been a
| legit person wanting to use Zelle?
| bredren wrote:
| Yes. But if they have the cash and bank hours are open, why
| not just get the cash out?
|
| I even offered to meet them at the bank. They were scamming.
|
| The target is the unaware seller, who has no recourse when
| the funds magically disappear from their account. They are
| out whatever goods they had for sale.
|
| It is not typical to take down the license plate or copy the
| driver's license of someone buying something from you.
| cgijoe wrote:
| > The caller's number will be spoofed so that it appears to be
| coming from the victim's bank.
|
| I feel like this is a solvable problem. Don't allow anyone to
| spoof the caller ID. Ever.
| paxys wrote:
| That part is pretty inconsequential. How many people even save
| their bank's number on their phone?
| smileysteve wrote:
| But this makes it more complex.
|
| If the bank's phone number can't be "spoofed" then it can only
| have 1 outgoing call at a time, otherwise, each agent will have
| an independent line and a unique number.
| kzrdude wrote:
| Good, maybe they will pay the operator for allocating 500
| outgoing lines Bank #1 - Bank #500 for them
| mindslight wrote:
| > _Consumers who suffer unauthorized transactions are entitled to
| Regulation E protection, and banks are required to refund the
| stolen money. This isn't a controversial opinion, and it was
| recently affirmed by the CFPB here [0]. If you are reading this
| story and fighting with your bank, start by providing that link
| to the financial institution._
|
| Props for including this in the article! All too often the basic
| legal situation is never explained, leaving victims to believe
| that blatantly illegal crap is "just the way it is". For example,
| "identity theft" and fraudulent medical bills.
|
| [0] https://www.consumerfinance.gov/compliance/compliance-
| resour...
| yumraj wrote:
| I recently had a weird issue: some random dude sent me $1.xx over
| PayPal. Naturally I refunded it and thought matter closed.
|
| Then, some days later I got 3 more payments in similar $1.xx
| amounts. I refunded 2, but for the 3rd one PayPal wanted to
| charge some fees. At which point I just blocked the dude.
|
| No idea if this was a genuine mistake or a scam. Anyone know?
| sushid wrote:
| Not sure but I _think_ what they want is for you to pay them
| $1.xx back (rather than refund). Then they can try and initiate
| a refund on their end, which allows them to pocket the amount
| you gave them for free.
| MattGaiser wrote:
| They want you to pay it back rather than refunding perhaps?
| bluedino wrote:
| I've had things for sale and then buyer sends the money, then
| wants me to ship to some foreign country, always a pain in the
| ass to refund them
| hamiltonians wrote:
| They are probably checking to see if it is active.
| 2muchcoffeeman wrote:
| I used to deal with some online merchant facilities. I used
| to see loads of $1.xx charges on clients that were not
| careful with their merchant details.
| nlh wrote:
| I had a similarly weird thing happen to me with an even weirder
| outcome:
|
| I was in the Dominican Republic last year and I got a
| notification that someone had sent me $100 via CashApp. It
| wasn't a person I recognized, she looked clearly Dominican in
| her photo, and I presumed it was a similar sort of scam. (I
| assumed someone saw I had whatever "send to someone nearby"
| setting turned on, saw I was a foreigner, and decided to try
| for an easy mark).
|
| I didn't refund it, I didn't cancel it - I just did nothing.
| And you know what happened?
|
| Absolutely nothing. I waited for the phone call asking me to
| send the charge back. Nada. I waited for a text explaining it
| was a mistake. Nada.
|
| It was over a year ago and I still have the $100. So.....maybe
| it was an actual, genuine mistake?
| SavantIdiot wrote:
| I once panicked that someone was getting ready to withdraw
| funds from my account because I saw those two <$1.00 auth
| charges. I called my bank, and _they_ panicked, and immediately
| created a new account, moved the money into it, and closed the
| other one. Like within 5 minutes.
|
| Turns out I forgot I told a friend to reimburse me for beers we
| had a few weeks before that, and his payment service was
| verifying my account.
|
| Online banking and all of this digital access to my monies
| makes me nervous as heck. Double-edged sword. (Yes, I have 2FA
| hard tokens on all major accounts.)
| niij wrote:
| Those are called micro deposits and are only used to verify
| ownership of an account you own. Your friend was incorrectly
| setting up an external transfer account via ACH. Next time
| they should use a check, zelle, etc etc.
| SavantIdiot wrote:
| Yes, I know that. I said so.
| x86_64Ubuntu wrote:
| I saw the same thing with Venmo. Someone was sending money to
| someone else in smallish amounts (<$25). But it was being
| labeled as me, so I would get emails of "You sent $20 to
| SomeBody". I told Venmo, they didn't seem to care, but I was
| curious about how their scheme worked. I ended up creating a
| Trash rule for such emails.
| thowaway959125 wrote:
| I fell for this, and I have never fallen for a computer scam in
| my life, nor even had so much as a virus in the last two decades.
|
| However, it is very sophisticated. They somehow managed to
| actually get a fraudulent charge on my card. When I got the
| spoofed message from "my bank", the first thing I did was log
| onto my legitimate account. Sure enough, there was a charge I did
| not recognize.
|
| The rest was just a series of unfortunate "rookie" mistakes on my
| part. But the person who called me was highly professional,
| easily could have been a real customer support representative and
| spoke English perfectly with no accent.
|
| They took the max, $5,000. My bank thankfully refunded it.
| tedunangst wrote:
| If you're already looking at the website, why not just click
| "dispute" on the bad charge?
| judge2020 wrote:
| When I was with Bank of America in 2019, there was no dispute
| button. Any attempt to dispute went to their help center that
| said 'call the number'.
| thowaway959125 wrote:
| Can't dispute until posted, and the way the scam works is
| they get you on the phone as quickly as they can in order to
| continue to the scam.
|
| Obviously, in hindsight the correct way to handle this is to
| call the bank yourself. The way the scam works is they spoof
| your bank's caller ID, and you get a standard "do you
| recognize this charge? Press YES if you recognize, NO if
| not".
|
| When you type NO, you get a message stating "our fraud team
| will be reaching out to you momentarily to resolve this
| issue", followed immediately by a call from a very convincing
| "customer support" person, again coming in as a caller ID
| from your bank.
|
| At this point, I made some "rookie" mistakes as I'd
| mentioned, but hindsight is 20/20 in these cases where they
| are trying to keep you on your toes.
| CogitoCogito wrote:
| Maybe this will become harder soon when phone companies are
| required to verify the call back number?
|
| https://www.fcc.gov/call-authentication
|
| https://docs.fcc.gov/public/attachments/DOC-363399A1.pdf
| perfectstorm wrote:
| You can't dispute a charge until it's posted (at least with
| two of my banks) and it can take up to 2-3 days before a
| charge is posted. A charge will almost always show up
| immediately on my bank's website as pending.
| vmception wrote:
| (They still got the $5,000 and won't be arrested)
|
| I always thought there was an underserved market if scammers
| are just filtering for gullible people. So, about time to see
| more sophisticated scammers casting a broader net.
| kristopolous wrote:
| Sorry to hear about that.
|
| It's given me an interesting idea.
|
| If we know the bank will refund through insurance then there's
| a second-level fraud where the victim is in on it for a cut of
| the profits.
|
| Essentially the theatrics of fraud are done and then the victim
| is refunded by the bank and then secretly compensated by the
| "fraudster" for their participation.
|
| I may be convinced of that kind of scam. Everyone wants to feel
| like they're outsmarting the system. There are so many unknowns.
| Will I get the partial compensation? Will the bank reimburse
| me? I don't know, but I can see myself doing it. That's a
| problem.
| rocqua wrote:
| If you want more certainty, demand half of the money from the
| fraudster up front.
| fallingknife wrote:
| And then ghost so all you've done is scam a scammer.
| [deleted]
| suction wrote:
| But in order to pull it off, they had to ask you for a secret
| over the telephone at one point, which you gave them, correct?
| ravel-bar-foo wrote:
| > "In the background, they're using the username with the forgot
| password feature, and that's going to generate one of these two-
| factor authentication passcodes," Otsuka said. "Then the
| fraudster will say, 'I'm going to send you the password and
| you're going to read it back to me over the phone.'"
|
| It seems like a simple mitigation on the bank's end would be to
| add warning text to the 2 factor authentication.
|
| "You have requested to change your password via our web portal at
| yourbank.com. If you did not request to change your password via
| the web portal, or if someone asked you to give them this number,
| then it is possible that someone pretending to be a bank
| representative is attempting to hack your account. The code to
| change your password is ..... Do not share this code with
| anyone."
| rocqua wrote:
| Note that, in this case, the SMS code is not a second factor.
| It is a single factor that is enough to get full control of the
| account.
|
| Besides that, I think you are right. Binding 'signatures' to
| what you are authorizing is one of the ways to prevent your
| authorization from being re-used. There are parallels in
| cryptography where you sign not just data but also what it will
| be used for. Otherwise an attacker might reuse your signature.
| gurchik wrote:
| The 2FA messages I get from my bank are already something like
| "Your security code is 0123456. Do not share with anyone. We
| will never call to ask for this code." But it wouldn't surprise
| me if victims are too scared to read it properly, so some
| improvement could be helpful. It doesn't help that _other_
| banks regularly ask for SMS codes over the phone, entraining
| people to do it without thinking.
|
| I would personally feel a lot better if every bank had the
| ability to _only_ allow 2FA via OTP, or _only_ physical key, or
| even email. My bank uses a "Security Word" which is crazy to
| me.
| underwater wrote:
| The scammers get you panicked and hold you in that state so
| that you're stressed out and not thinking rationally.
|
| They also exploit a small slip up and escalate it into a
| catastrophic one. For example the scam might start with the
| assumption that caller ID is accurate, or the assumption that
| because there is fraud on your account the person is actually
| from the "fraud department", or the assumption that hanging
| up a landline terminates the call.
|
| Each of those is a small slipup, but they get people bought
| into the fiction, and then as the scam escalates they don't
| stop and think through the sequence and realise that the
| initial assumption was flawed.
| mndgs wrote:
| It's so strange to read this is still happening in US. I live in
| Europe - 95% of such attacks are prevented by something called
| Strong Customer Authentication, which anybody serving or
| providing access to an account (cards including) must implement.
| Basically, that's 2FA implemented in myriad different ways. So,
| this Zelle thing wouldn't be possible at all: Zelle would have to
| ask for a SCA verification from the customer, just to connect/use
| his/her account in the first place. That would eliminate ground
| for such scamming messages ever appearing (if the customers knew
| and were accustomed to SCA).
|
| Though to be fair, scamming is still present here, typically
| involving calling older people and trying to persuade them to
| reveal bank access codes during a phone call. There are two
| differences with US banks here:
|
| - banks are required never to ask for access credentials over
| an insecure channel (phone/email) (though SMS is also not
| perfect in this regard);
|
| - banks are required to educate customers that they never ask
| for such credentials, educate about fraud scenarios, etc. And
| they do (at least the reputable ones).
|
| Seems that the PSD2 regulation (including SCA) is really making
| payments much safer in Europe when you compare to the rest of
| the world.
|
| Also, to admit: I'm the head of a financial institution here,
| quite knowledgeable of the field, both on the regulatory and on
| the technical level.
| sschueller wrote:
| I have the feeling there is no interest in fixing these things
| in the US. Too many people making money off certain outdated
| services. From printing paper checks to minting pennies.
|
| Like everything, it will require a gigantic scandal before
| anything is fixed/changed and it will open the door for new
| issues.
| thathndude wrote:
| It will change when it becomes the economically rational
| choice for banks.
|
| I won't bore with details, but I'm a lawyer who primarily
| sues banks for customers. And I've seen the lawsuits I file
| lead/contribute to changes in bank behavior and policy.
|
| The regulatory protections are there. Now lawyers need to
| punch banks on the nose until they decide they want to do
| more to stop the fraud in the first instance.
|
| But it's strange, clients have almost like a Stockholm
| syndrome with the banks. Their rationale is often something
| like "I don't want to sue them and make them mad, because
| that might mean I won't get my money back."
|
| But you're not going to get your money back unless you sue.
| Meanwhile deadlines pass and then you're screwed (and
| embarrassed)
| le-mark wrote:
| Can you expand on what regulations are allowing successful
| suit to be brought, and maybe an example or two of how that
| works in practice?
| baybal2 wrote:
| SCA will not do a thing. SMSes are hackable, and the SS7 network
| is routinely exploited.
|
| Google has made things worse by making confirmation SMSes very
| easily identifiable, and interceptable at scale with their SMS
| verification service which is now being pushed down developers'
| throats. (Google yr66t3YYkAe that's a Google 2FA ID of some
| bank, seemingly already actively exploited)
|
| Adding confirmation links inside SMSes is what some money
| transfer companies did responding to the threat of SMS
| interception, but I think this made it even worse, at least on
| Android. It's trivial to coax dozens of popular apps into
| opening a link in the browser, or webview using Android's
| "intents," thus completely negating any CSRF protection.
| tgb wrote:
| I don't understand how 2FA would stop this attack. The attack
| described involves phishing for a one time code like what most
| 2FA methods give.
| Tenoke wrote:
| The actual transaction then has another 2FA, separate from
| the logging in. In one of my banks this is approving the sum
| of the transfer in an app after logging in with a
| password (you can't transfer the app to another device
| easily), in another it's approving by using an authenticator-
| like app + a separate PIN, in a bank before that it included
| a whole separate device for me to put my debit card in. In
| neither case would simply logging in or getting my account
| password be enough.
| tgb wrote:
| Interesting. The attack seems to be primarily on people who
| don't already have Zelle so in the analogous case in Europe
| wouldn't the attacker just be able to setup the app as the
| victim and authorize the transfer themselves?
| Tenoke wrote:
| You can't just install the app on another device with the
| login details, you need to talk to the bank and go
| through a whole process when changing a device (in one of
| my banks it can only be done in person even).
| signal11 wrote:
| > Then the fraudster will say, 'I'm going to send you the
| password and you're going to read it back to me over the
| phone.'"
|
| In the UK, banks have put in quite a lot of messaging around
| the fact that they'll never ask for a password -- so the above
| line from the article _ought to_ set off alarm bells in most
| customers' minds.
|
| Of course, there are people, particularly older or vulnerable
| users, who are impacted by this as they might not be aware.
| Phone scams to get 2FA codes aren't going away anytime soon,
| sadly.
|
| Also, as an industry, I wish we could move away from SMS-based
| 2FA. It's kind of amazing that SMSes these days are a barren
| wasteland -- mostly automated messages, scams, ... and two-
| factor codes. And _some_ institutions still use SMSes to
| deliver two factor codes ... including Paypal in the UK.
| Ntrails wrote:
| > Of course, there are people, particularly older or
| vulnerable users, who are impacted by this as they might not
| be aware.
|
| It always fascinates me how poorly people understand the
| nature of scamming and confidence fraudsters. The banks could
| have every customer recite on video that they have heard and
| understood the message - many of them will still be
| vulnerable.
|
| Each small step along the pathway is only a little more wrong
| than the last - so by the time the guy on the phone says "and
| we need you to confirm this code with us" on the phone...
| yeah. The victim isn't really objective anymore. They are not
| considering this in isolation, but as part of a relationship
| the scammer has been building for hours if not days.
|
| It isn't that the messaging is pointless, but it simply
| cannot and will not protect people from their own
| fallibility.
|
| Honestly, it is a terribly hard problem - and I actively do
| not know the right way to manage it without simultaneously
| restricting access to people's own resources.
| thathndude wrote:
| I think that's the genius of the scam.
|
| "We'll never ask for your password. And we're not asking for
| your password. This is just a one-time authentication token.
| Your password is safe!"
| mschuster91 wrote:
| In Europe, regulation prevents or at least places strong
| barriers on SIM card theft, which makes SMS 2FA pretty
| secure. You can't just go and transfer a phone number in a
| matter of minutes to someone else - it is always a multiple
| days long process involving numerous SMS notifications prior
| to the actual transfer.
|
| Every time I read post-mortems on hacks and scams in the US,
| my mind is a bit blown on just how easy most could have been
| prevented by tiny bits of government regulation that we
| Europeans take for granted.
| Nextgrid wrote:
| > You can't just go and transfer a phone number in a matter
| of minutes to someone else - it is always a multiple days
| long process involving numerous SMS notifications prior to
| the actual transfer.
|
| I was a phone store monkey working on close to minimum wage
| a few years back in the UK. I could absolutely swap
| someone's SIM with no problems whatsoever and it
| typically took only a few minutes for the new one to become
| active and start receiving SMSes (the old one will still
| have signal - though no more traffic - for a few hours,
| making detection difficult unless you actively try to place
| an outbound call).
|
| While we're _supposed_ to verify someone's identity, a
| dedicated fraudster could absolutely trick us and we were
| never given any proper identity verification solutions, nor
| enough training, and frankly we were not being paid enough to
| care anyway (which also exposes us to bribery/insider threats).
|
| SMS 2FA will absolutely not be secure as long as minimum
| wage employees hold the keys to the kingdom, and I'm only
| talking about in-store employees making UK minimum wage.
| I'm sure the situation is much worse in offshore call
| centres.
| mndgs wrote:
| Touché, mister, touché.
| human wrote:
| We mostly need to sue the hell out of companies that don't
| correctly identify their customers when making important
| changes to their account (like transferring a phone number)!
| tata71 wrote:
| SMS is not, and never has been, a secure means of
| communication.
|
| Do not hold the carriers responsible for shit _we've_
| done.
|
| Hold the carriers and ISPs responsible for their actual
| crimes, like selling our data to the government and
| marketing companies like the world is about to end.
| human wrote:
| I'm not talking about SMS technology but company
| policies.
| hdjjhhvvhga wrote:
| Yeah, basically the only major attack surface is on the SIM
| itself, but I have the feeling telcos learned their lesson and
| verify the identity of the person asking for a SIM replacement
| in a more strict way.
| thathndude wrote:
| For what it's worth, a consumer is pretty well protected after
| the fact by regulatory protections.
|
| But I'll include the PSA I posted on the article as well:
|
| Attorney here (not legal advice).
|
| Please be aware that there is a short deadline required for
| regulatory disputes (approximately 60 days). That could have an
| effect on your claim. Time is of the essence.
|
| And depending on how soon you notify the institution before the
| deadline, you can be stuck losing up to $500.
|
| Again, please just know time is of the essence and you want to
| reach to an experienced attorney ASAP if you suffer fraud.
| mindslight wrote:
| Something I've been curious about (not asking for legal
| advice). If the deadline to report is 60 days from the
| statement/notification of the transaction, what about
| accounts that only issue statements quarterly or monthly? Is
| it really still workable to contest a transaction say 10
| months after it occurred, if the bank has only just issued
| you a statement?
| BrandoElFollito wrote:
| In the EU it is a year, and you may lose up to 150EUR.
|
| Good luck to the bank which would like to enforce this. One
| tried, I told them I am leaving, they said it is a
| misunderstanding and that of course they did not mean to make
| me pay these 150EUR.
| thathndude wrote:
| Yeah. That's superior to our protections.
|
| Generally, in the US, it's 60-90 days (the fact that it's
| variable is obviously not ideal) and a $500 loss limit.
| BrandoElFollito wrote:
| In the EU this is an EU regulation, so all banks have the
| same rules.
|
| I just checked, it is now 50EUR only, and only if the
| payment was done with a PIN or SMS/app confirmation. This
| is the maximum amount (so if you had, say 3 times 300EUR
| of fraudulent transactions, you would pay a max of 50EUR
| total - and like I said it is not likely that the bank
| will make you pay anyway)
| drpre wrote:
| PSD2 only took effect in 2019, and for many countries the
| enforcement was delayed for card payments up to a full year due
| to lack of issuer readiness.
|
| 2FA is absolutely the future and I believe globally payments
| should move in this direction... I'm just pointing out that
| even in Europe, this has not been the standard for all that
| long. That said I hope other countries/regions follow the
| example -- the EEA seems to lead the charge on major online
| issues, e.g. payments and privacy.
| contidrift wrote:
| On top of all that, most banks here allow you to create an
| unlimited number of free virtual credit cards which draw funds
| from your real credit card or a debit account.
|
| Cards can be created to suit most cases such as one-time
| transactions, monthly subscriptions and "pre-paid" type cards
| with a defined total which are tied to one merchant. All
| multiple use cards are valid for a max of 12 months.
| BrandoElFollito wrote:
| I am not sure that this is "most", more probably "some".
|
| Out of 6 banks across 2 EU countries, only two allowed for
| that.
|
| Another one had dynamic CVV.
| contidrift wrote:
| Weird, just about every bank here in Portugal allows for
| that. The virtual "visa" card creation/management is
| handled through SIBS, the company that does all national
| card transactions.
|
| I assumed due to convenience and safety that virtual cards
| were more widespread in Europe, not least because of the
| requirements such as 3DS for card payments.
|
| At least fintech companies like Revolut and N26 should be
| available for most Europeans and they offer virtual cards,
| though with other limitations/costs.
| BrandoElFollito wrote:
| Ah, this is interesting - you have a centralized entity
| that handles the transactions? This is indeed what must
| be the reason for the widespread availability.
|
| In France I know that Fortuneo gives that possibility,
| but for instance Boursorama or Credit Mutuel do not.
|
| It is funny how banking is different between
| countries in the EU. France is slowly making its way
| through the 90s while Poland uses a phone-based
| transaction system (BLIK). I always saw Portugal as being
| very modern in that way (you had chips on your identity
| cards for years; we just got them this year, with the new
| credit-card format ID cards).
| CogitoCogito wrote:
| > Though to be fair, scamming is still present here, typically
| involving calling older people and trying to persuade them to
| reveal bank access codes during a phone call. There two
| differences with US banks here: - banks are required never to
| ask for access credentials over insecure channel (phone/email)
| (though SMS is also not perfect in this regard); - banks are
| required to educate customers that they never ask for such
| credentials, educate about fraud scenarios, etc. And they do
| (at least the reputable ones)
|
| This has happened many times in Sweden in the last few years.
| Banks almost always tried to talk their way out of any sort of
| responsibility even though scammers took advantage of their
| pretty bad processes. The banks' processes as well as the apps'
| designs have improved, but I think the point is that
| essentially nothing of what happened there in the US wasn't
| happening in Sweden as well. I presume it's the same with the
| rest of Europe.
|
| This quote from the article is key:
|
| > "Consumers -- many who never ever realized they had a Zelle
| account - then call their banks, expecting they'll be covered
| by credit-card-like protections, only to face disappointment
| and in some cases, financial ruin," Sullivan wrote in a recent
| Substack post. "Consumers who suffer unauthorized transactions
| are entitled to Regulation E protection, and banks are required
| to refund the stolen money. This isn't a controversial opinion,
| and it was recently affirmed by the CFPB here. If you are
| reading this story and fighting with your bank, start by
| providing that link to the financial institution."
|
| Good to see US regulators aren't letting banks off the hook.
| They should furthermore come down very hard on any bank that
| even acts like they might not be responsible since that's
| essentially fraud.
|
| At the end of the day it's an issue of securing human processes
| as well as regulators holding banks' feet to the fire for
| problems their processes create.
| ljm wrote:
| Like many scams, it depends on the victims being polite, perhaps
| much more than on them being naive.
|
| The fraudulent message asks for a yes or no reply but does not
| care about the answer specifically; only that there was an answer.
| So the victims are the people who couldn't ignore the message and
| had to say no. Most likely the people who say yes are still taken
| into account, because they confirmed there was a person behind
| the number. They'll get a new scam later on.
|
| But the people saying no are the target.
|
| A lot of people feel bad if they don't answer the phone, or a
| message, or the doorbell. So you prey on their niceness.
|
| How to fight back? Don't. The way to defeat the scam is to not
| acknowledge it.
|
| Ignore whatever primal urge you have to get involved, or teach
| them whippersnappers a lesson, and cast it into the void.
| krebsonsecurity wrote:
| I agree with your point about not acknowledging these scam
| attempts. Just wanted to point out the "fight back" bit of the
| story was advice for people who've already been victimized and
| are being told their bank won't cover the loss.
| jonas21 wrote:
| I don't think the issue is people being polite. It's that these
| messages look similar to the legitimate fraud alerts that
| credit card companies and banks send.
|
| What happens if you don't respond to those? Presumably, the
| transaction will be blocked -- but can you be sure? It would
| cause me a lot of anxiety not to resolve the issue right away.
| SavantIdiot wrote:
| I'd be really curious to know how many people actually answer
| calls they aren't expecting, on their personal phones (e.g.,
| non-work phones where you must answer customers).
|
| I bet that graph is U-shaped of % of people that answer unknown
| messages vs. age. Kids want to be social, and old people don't
| know any better. With salty Gen-Xers in the middle.
|
| 99.99% of the time I let it go to voicemail. I have since the
| days of cassette-tape answering machines. The only time I don't
| is if someone just texted and said they are calling. Even when my
| insurance company hold line asks if I want a callback, I'm too
| paranoid that a scammer could have infiltrated the callback
| process.
| perl4ever wrote:
| >I'd be really curious to know how many people actually
| answer calls they aren't expecting
|
| What do you do when your counterpart won't answer _their_
| phone?
|
| I answer calls I'm not expecting _when I'm expecting a
| call_. Like from a plumber, a recruiter, a paving company,
| etc.
|
| If I don't, at best I get to play phone tag, and at worst,
| the other person gets ticked off and I lose an opportunity. I
| don't like leaving voice mail, particularly the second or
| third time.
|
| It would be nice if everyone legit had their main number show
| up to identify them, and it would be nice if they all
| answered _their_ phone all day, but they don't.
| SavantIdiot wrote:
| > What do you do when your counterpart won't answer their
| phone?
|
| I'm not sure what you mean. Like I said, if someone texts
| me and tells me they are calling then i'll pick up. Or if I
| get a voicemail saying, "duh, pick up dingus"... then i'll
| pick up the next buzz.
|
| That never happens because almost no one I care about uses
| the phone anyway. Except that 0.01%.
| perl4ever wrote:
| >almost no one I care about uses the phone anyway
|
| Right, even 80-year-olds can text these days. You're
| talking about personal friends who almost never call from
| unknown numbers.
|
| But with professionals? Would you miss an appointment for
| a root canal or spend an extra day without your car
| because you won't answer the phone?
| suction wrote:
| I don't live in a big city or even in a super-internet-
| embracing country like for example South Korea - but even
| in my neck of the woods, dentists, doctors, vets, barber
| shops, car mechanics, contractors, etc. all have shifted
| to messaging instead of calling. Unfortunately most are
| using WhatsApp because of peer pressure. But I'll even
| swallow that bitter Zuckerberg pill because it's so much
| more convenient than doing appointments over the phone.
| SavantIdiot wrote:
| Ugh. Can you at least read my posts next time before you
| start planning your lectures? I already covered this.
| jrnichols wrote:
| I'm a Paramedic here in Northern California and we recently
| went on a welfare check to an apartment - us, fire dept,
| and law enforcement - for a family that could not get ahold
| of their grandmother.
|
| Grandma was fine, fortunately, and she simply turned her
| phone off because it was ringing constantly with scam phone
| calls. She was sick of the auto warranty spam all the time,
| so she unplugged entirely.
|
| The elderly are the ones that still have landlines and cell
| phones too, so they often get hit multiple times. It's
| harder for them to disconnect the landline due to things
| like Life Alert requiring a landline.
| perl4ever wrote:
| I got a call recently about my student loans.
|
| It was...erm...remarkable in its high production values.
|
| Even compared to the auto warranty ones, which I don't
| get often, but every now and then.
|
| I also got a "hello...hello...hello" call, and seven
| hangup/no message calls the same afternoon.
|
| I _assume_ the call I answered was a scammer, but a few
| months ago, I got one just like that and it turned out it
| was from my physician's office, and I had some trouble
| getting ahold of them.
| maxerickson wrote:
| Medical alert devices that use cellular connections are
| widely available.
|
| There are going to be areas where coverage is poor, but for
| many people, working out of the home is going to be a
| considerable improvement.
| jrnichols wrote:
| They are widely available but not as common. We will run
| on 2-3 lifeline calls a day sometimes and while resetting
| them, we rarely see a wireless one.
| ljm wrote:
| I don't answer a single call unless I'm told to expect it, or
| I can anticipate one coming (e.g. I ordered takeout and the
| delivery driver is gonna ping me, or I asked a recruiter to
| call me at X time).
|
| If the call comes out of nowhere, or if it's from a hidden
| number, then I'll silence it rather than declining (i.e. hit
| the power button rather than actually acknowledging the call,
| so it carries on ringing in silence until they give up
| instead of being told I'm busy). If it's important they'll
| leave voicemail or send an email.
| [deleted]
| chillwaves wrote:
| I just realized I can keep my phone on DND 24/7 and it's
| wonderful (rings for contacts only).
|
| The bonus of it only ringing for your contacts is that when
| your phone does ring, you know it's something relatively
| important.
|
| Completely changed my relationship with my phone.
| suction wrote:
| Me too. I consider it rude to be called on my phone,
| actually, even by people I know.
| paxys wrote:
| It's not about niceness. When you get a text about a potential
| scam there's an urgency to reply. And you can't just ignore it.
| All major banks send out official text messages to confirm
| large transactions. This has happened to me multiple times with
| Chase, and just recently I blocked a fraudulent ATM withdrawal
| using exactly the method outlined in the article (someone
| skimmed my debit card when abroad, I got a text from Chase when
| they tried to use it, I replied no, got a call from the
| customer service rep). Only thing missing was reading out the
| OTP, obviously, which I would not have done.
| ohazi wrote:
| > Only thing missing was reading out the OTP, obviously,
| which I would not have done.
|
| This is the real red flag here. No workflow that I'm aware of
| ever has you read a one-time code to a human, it _only_ ever
| goes into a text field.
| jrib wrote:
| When calling banks and even telcos, their SOP to verify
| identity seems to be to request you to read one of these
| codes.
| chime wrote:
| Last week I had to call Wells Fargo to change my home
| address. They texted me a code to read it back to them to
| confirm my identity.
|
| Their standard text messages for auth codes say: Wells
| Fargo will NEVER call or text you for this code. DON'T
| share it. Enter code 123456 online to send $1.00.
|
| Their verification text said: Free Msg: Use Wells Fargo
| verification code 123456 to verify your identity. Reply
| STOP to stop msgs. Call 1-800-869-3557 if you didn't
| request this code.
| underwater wrote:
| It should explicitly say that the code is intended to be
| shared with one.
| JumpCrisscross wrote:
| > _No workflow that I'm aware of ever has you read a one-
| time code to a human, it only ever goes into a text field_
|
| If I place a large wire with my bank, they text me a code
| and ask me to read it back to them. Granted, I will only do
| that if I initiated the call.
| [deleted]
| curtisf wrote:
| In some cases, banks have trained us not to panic instead of
| taking time to understand what's happening.
|
| A while ago, I scheduled a wire transfer through Chase to go
| through the next day.
|
| While asleep, I got an automated call from Chase asking me to
| confirm that the wire transfer was placed by me.
|
| By the time I had woken up, my online banking and my bank cards
| had been shut off.
|
| This is not consumers' fault. Everyone is used to banks not
| being completely impatient and expecting immediate responses.
| For another example, by law, you only have two days after a
| transaction to respond to fraud, or else you could be looking
| at $500 lost instead of $50. Not immediately answering the
| phone could make a difference of $450!
| Wowfunhappy wrote:
| It seems to me the actual issue here is the banks are using a
| second-factor code as a single factor.
|
| That isn't 2FA.
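The distinction drawn in the comments above (a code a customer reads back to an agent on a call they placed, versus a code that is only ever typed into a field and that by itself moves money or resets a password) can be enforced on the bank's side rather than left to the wording of the SMS. The following is an added example written for this page; it is not code from the Krebs article, Wells Fargo or any bank. It binds every one-time code to a single purpose, a single use, a short lifetime and a channel: a code issued to approve a payment is refused if an agent tries to redeem it over the phone, and a code issued for one action is refused for any other. The bank name, message texts, timings, the `via_agent` flag and the server key are all assumptions made for the example.

```python
"""Purpose-bound one-time codes for a bank's SMS channel.

Added example, not code from the article or any bank. The scam in the
thread works because a code the bank sends for one action (reset a
password, send a payment) is obtained by talking the victim into reading
it out. Here each code is tied to one purpose, one use, a short lifetime
and a delivery channel, and the SMS text states what the code does.
"""
import hmac
import secrets
import time
from dataclasses import dataclass, field
from enum import Enum

# Assumption: a per-deployment secret so stored hashes of 6-digit codes
# cannot be brute-forced offline if the challenge store leaks.
SERVER_KEY = secrets.token_bytes(32)


class Purpose(Enum):
    CALL_IDENTITY = "call_identity"    # read back to an agent on a call the customer placed
    PASSWORD_RESET = "password_reset"  # typed into the website only
    SEND_PAYMENT = "send_payment"      # typed into the app to approve one transfer


# Only identity checks on a customer-initiated call may be satisfied by a
# human relaying the code; payment and reset codes never are.
READ_TO_AGENT_OK = {Purpose.CALL_IDENTITY}

# Message texts are illustrative; the point is that each one says what the
# code does and whether it should ever be spoken aloud.
SMS_TEXT = {
    Purpose.CALL_IDENTITY: ("ExampleBank: code {code} confirms your identity on the call YOU "
                            "placed to us. We never call you to ask for it."),
    Purpose.PASSWORD_RESET: ("ExampleBank: code {code} RESETS YOUR PASSWORD when entered online. "
                             "Never read it to anyone, not even us."),
    Purpose.SEND_PAYMENT: ("ExampleBank: code {code} SENDS {amount} to {payee}. Entering it "
                           "approves the payment. Never read it to anyone, not even us."),
}


def _mac(code: str) -> bytes:
    return hmac.new(SERVER_KEY, code.encode(), "sha256").digest()


@dataclass
class Challenge:
    purpose: Purpose
    code_mac: bytes
    expires_at: float
    payload: dict = field(default_factory=dict)
    attempts: int = 0
    used: bool = False


class OtpService:
    def __init__(self, ttl_seconds: int = 300, max_attempts: int = 3, clock=time.time):
        self.ttl = ttl_seconds
        self.max_attempts = max_attempts
        self.clock = clock          # injectable so expiry can be tested
        self._challenges: dict[str, Challenge] = {}

    def issue(self, purpose: Purpose, **payload):
        """Create a challenge; returns (challenge_id, code, sms_text).
        The plain code is returned only so an SMS gateway can send it."""
        code = f"{secrets.randbelow(10**6):06d}"
        cid = secrets.token_hex(8)
        self._challenges[cid] = Challenge(purpose, _mac(code), self.clock() + self.ttl, payload)
        return cid, code, SMS_TEXT[purpose].format(code=code, **payload)

    def verify(self, cid: str, purpose: Purpose, code: str, via_agent: bool = False):
        """Returns (ok, reason). `purpose` is what the caller is trying to do
        now; `via_agent` means a human is relaying the code."""
        ch = self._challenges.get(cid)
        if ch is None:
            return False, "unknown challenge"
        if ch.used:
            return False, "already used"
        if self.clock() > ch.expires_at:
            return False, "expired"
        # How the code is presented is checked before its value, so these
        # refusals do not consume an attempt.
        if ch.purpose is not purpose:
            return False, f"code was issued for {ch.purpose.value}, not {purpose.value}"
        if via_agent and purpose not in READ_TO_AGENT_OK:
            return False, "codes for this action are not accepted over the phone"
        ch.attempts += 1
        if ch.attempts > self.max_attempts:
            ch.used = True          # burn the challenge; a new one must be issued
            return False, "too many attempts"
        if not hmac.compare_digest(ch.code_mac, _mac(code)):
            return False, "wrong code"
        ch.used = True              # single use, even on success
        return True, "ok"
```

With this in place the scam call fails at the bank: the payment code the scammer tricks the victim into reading is refused when presented via an agent, cannot be turned into a password reset, and is dead after one use or five minutes. The SMS text doubles as the user-facing warning yardstick and notahacker discuss earlier in the thread.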
| vmception wrote:
| Is asking for the texted passcode really necessary? Can't they
| just SS7 hack that part since all SMS is vulnerable to this? Or
| is it really necessary to just carry the conversation flow
| forward by asking the victim themselves.
| lost-found wrote:
| One other red flag: your bank asking you for your username. At
| least for me, my bank would never use anything other than my real
| name.
| fbanon wrote:
| Can we just address the fact that the PSTN is a completely
| insecure, Wild West tier, broken mess? Number spoofing, delayed
| disconnect, SIM hijacking, wtf?
|
| The fact that banks use that as a second authentication factor is
| beyond baffling, and all liability should land on them.
___________________________________________________________________
(page generated 2021-11-20 23:02 UTC)