Making it clear when we're on a call with you to protect you from fraud (monzo.com)
315 points by edward on Nov 26, 2023 | 218 comments



I was recently a target of a UK online bank phishing scam (not Monzo). They were highly sophisticated. They knew details of recent transactions, including bank transaction numbers that don’t show in any qif export or anything. They had a plausible reason to call (based on said visibility). They had researched my name and everything about me and my family that is online. They faked caller ID. Their ‘patter’ was so advanced that I do not know that this extra layer of protection would have helped much. Luckily I didn’t finish the steps and lost no money.

It is clear the bank has had a severe exfiltration event. There are other reports of that online. IMHO the law should make banks report breaches to the ICO and a record of the nature and size of the breach be public.

Through the process I learned that in the UK you can call 159 to directly contact your bank fraud dept (most banks) https://stopscamsuk.org.uk/159

I also learnt about the police’s Action Fraud hotline to report cybercrime. https://www.actionfraud.police.uk/what-is-action-fraud

The phisher was very determined. They called back in 15 minutes claiming to be from the bank fraud dept returning my call. Then 2 weeks later they called back claiming to be from Action Fraud.

However prepared you think you are for such an attack, my advice is to have utmost caution for every single call from anyone claiming to be anyone.

I also have a Monzo account. Even if they called me I wouldn’t use this. Hang up. Call them. Don’t let them call you.


On landlines IIRC there is some feature that allows them to stay on the line after you hang up. So when you try to call the bank, you get the scammers again.

https://security.stackexchange.com/questions/100268/does-han...

So try to call the bank from a mobile.


Now that is insane. Totally sounds like one of those things that paranoid old people believe about newfangled technology, but nope, just extremely weird protocol design.


> just extremely weird protocol design

It's not really weird if you look at it in context.

People who are not Gen-Z whipper-snappers will recall the era.

Before cell phones, before DECT home phones, before wireless cordless home phones you had fixed phones.

You had a master socket and then, optionally, one or more secondary sockets (depending where you lived, you were either permitted to install these secondary sockets yourself, or you had to call in the telco to do it).

Anyway, so what would happen is that your friend from school would call you up. Inevitably your parent would answer the phone because they were, for example, in the kitchen cooking your dinner.

There would then be a shout across the house "Bobby, it's Johnny ... AGAIN!".

The call-transfer process would involve your parent hanging up and you picking up the nearest secondary handset.

Hence the exchange needed to keep the A-end of the call live whilst you completed the B-end "transfer".

The same generation of people will also recall the ability to abuse the mechanism to quietly spy on someone else using the phone. :)


UK analogue Strowger exchanges did not permit the called party to clear down the line - that was the job of the calling party. A legacy function of being 'patched through'.

"Called Subscriber Held", a feature that was carried into early digital exchanges because people expected it to work in the manner you describe, even though afaik it was designed for the other purpose of keeping the line open whilst operators patched it through, trunk lines picked up the tone, etc.

My grandpa was something like chief engineer for the West Coast of Scotland phone network. I have so many questions I wish I could ask him these days.


In the US, Bobby would pick up the second handset before the parent hung up the first.


Shouting across the house, "got it!"


... although they can hear each other through the devices in their hands. More likely the person in the kitchen just put the handset down on the table and continued cooking.


It's still weird and unnecessary. This happened everywhere, but people just picked up the phone before the other person in the house would hang up. You mention it yourself because of the ability to spy.


> Now that is insane.

Remember it used to be a switched physical circuit. In the early days the switching was done by people, later it was automated. But you still had a circuit from phone to phone.

When one side hung up, the circuit is still live. Eventually it timed out and the switch disconnected it, but it took a while (don't remember how long). So you could hang up a phone, walk to a different room and pick up another phone and the same call circuit was still live (as long as the other side didn't also hang up meanwhile).


It's worth noting that many landline phones now allow you to enter a number that you're intending to call, then pressing the call button at which point the number is automatically dialed.

If the dial tone is heard at all, it is for a very brief period, and might be entirely missed. This would make the scam you're describing even more readily achieved.


On further reflection ...

... the autodial feature may well be waiting for dialtone in order to dial. I've not looked into this and you're probably best off testing this yourself on your own equipment.


This was, IIRC, a regional thing based on how the internal network was set up and all the legacy stuff. Half the country experienced this and the other half didn't, so it always causes fun stories like this and expected gotchas from those who are learning it for the first time.


This also exists (existed?) for mobile numbers, and was used by newspapers to 'hack' certain celebrities' voicemail. Including some cases where they deleted existing messages when the mailbox was full, so they could get more.


I thought they just called their phones when they weren't in and used the default voicemail PIN (which most people don't change) to access their messages.


Either default PIN or guessed based on publicly available info. Calling from their line was also done to get at more mailboxes.


> Even if they called me I wouldn’t use this. Hang up. Call them. Don’t let them call you.

This has become increasingly difficult in my experience. Calling the local branch where I have the actual relationship just dumps me into the IVR. They make it very hard to speak to an actual human being bank employee.


All I can get is callbacks for some places. This is newish. You can call, wait in the queue for 20+ minutes, get routed to voicemail, and leave an option for a callback. That’s it. And the CSRs won’t reveal any semi-secret info to confirm who they are, they just want info to confirm your identity. It is frustrating because “calling them first” for anything billing related has been my go-to for a decade.


The (US) banks I've experienced will give you an "incident number"[1], you can call the number on e.g. your credit card or bank's website and say you have an incident number and you'll be connected to a rep who can pull up the details.

[1]: or something like that, I forget the exact words


Might be nice if you could enter that incident number from the initial phone menu instead of waiting for a human first.


My card has an international number which is US +1-(AreaCode)-XXX-XXXX. It used to bypass the IVR and send you directly to the top of the queue to a CSR. Because who has time to putz around the IVR when you're paying .25-.50/min to make an international call. Sadly, because some customers figured it out, it just routes you into the queue.


I just make them tell me how to do it.

If they are behind an annoying IVR they usually know how to get back to themselves.

Of course don't take their word on what number to call, make them point to a part of their website that shows the number.


I have experienced an increase in just flat out hang ups as well. If the automated system doesn't understand you, it'll just say "it looks like we're having a problem, goodbye". It's infuriating.


Could the breach be at an Open Banking service that lets you view and aggregate your bank details such as Emma, Money Dashboard, TrueLayer? Some marketing/voucher companies are also using this sort of integration now such as Airtime Rewards.


This is possible. I had the account linked to a very well known and popular service that is owned by another bank. I don’t want to use names. But “bank transaction ids” were known. I do not know if this is part of the spec. My theory was some export from bank 1 for openbanking was breached or bank 2’s import was breached. But the news items are about bank 1. Also, they knew details like the date of account opening which was different to the date of the first transaction. I was not using openbanking in many places but I have now turned it off everywhere.


What about stolen mail? Would any of these details be in a bank statement?


No paper bank statement. No email bank statement. Only qif/csv export. iPhone app only (not web). Fairly sure it was either an inside job and/or openbanking API implementation.


The best advice for dealing with this kind of fraud is knowing that there are exactly three things that can happen in a conversation with the fraud department.

1. "Did you make these purchases?"

2. "Yes" -> "Thanks, bye."

3. "No" -> "Thanks, we're disabling your card, and sending a new one to your address. If your address has changed, please pick it up at the branch."

Any deviation from this is a scammer posing as the fraud department. Any attempt to gather any information from you, besides 'Did you make these purchases?' is a scam.

They know who you are, if they didn't, they wouldn't be calling you.


> IMHO the law should make banks report breaches to the ICO and a record of the nature and size of the breach be public.

The law already is that they should report breaches to the ICO, at a minimum you should report this to the ICO and if you can you should name the bank, possibly right here in this thread so that others have a chance to find out. It's a throwaway so why not use it?


> Hang up. Call them. Don’t let them call you.

This is the golden advice. Never, ever speak to anyone about anything important if they contacted you. Call, text, email, whatever. End it and you contact them.

It doesn’t matter if it’s the bank, power company or telco. Even if HR called me or the CEO. Hang up, call them back. It adds 5 seconds to ensure all is good.


> It adds 5 seconds

Depends on the bank.

Some make it almost impossible to get past their IVR, which always claims to be able to help you with any issues you might have (as long as the issue is wanting to know your balance and last three transactions).


Why are you banking there? Switch banks. Don't be a victim.


I did. Ironically, it was almost impossible to get to a human representative to close the account: At one point, the IVR would literally end the call after authenticating me due to "problems with your account" (presumably my pending/stuck account closure request).


> This is the golden advice.

This bears repeating. It's so simple to check in using another known-good contact method, and btw phone calls are still cool.


> btw phone calls are still cool.

Not to large corporations. Have you called one lately?

It's a minimum of five minutes of bartering, begging and pleading with the IVR to let you speak to a human, and even then a successful outcome is anything but guaranteed.


Usually doing what the IVR asks is the slowest path. Confusing it by mumbling nonsense so it thinks it can’t understand or ramming never-ending DTMF tones up its input buffer until it chokes works well. For certain companies and certain departments (usually where my ongoing satisfaction is a concern for the company), I’ve sometimes found yelling repeated expletives at the hold music gets me connected faster. I have nothing to substantiate it, but my conspiracy theory is that there’s a customer rage meter that can be gamed (remember “calls may be recorded for quality assurance“). By contrast, when my call is a pure cost center (e.g. product warranty claims), I’ve found there’s a mandatory hold time to encourage you to hang up.


> yelling repeated expletives at the hold music gets me connected faster

The confirmation bias is real!


As everyone else is rightly saying, phone calls are only still cool if your bank or other institution agrees, which some do not.


It may add up to 20 minutes if the waiting line is long.


These are by far the hardest kinds of fraud for banks to deal with right now. They’re so convincing that even when the bank detects them, the customer still demands the transactions go ahead because they’re so bought into the fraudsters. We need this kind of authentication to become normal for everyone for any transaction.


Could you let us know how you spotted it was a fraud please?


> Hang up. Call them. Don’t let them call you.

Louder for the folks in the back. All bank cards should be required to print this on them.


I got a call from Amex fraud prevention and the voicemail explicitly told me to “Call X or the number on the back of your card” which I really appreciated.


Which bank? (Slightly worried UK resident here!)


One of those on the 159 programme https://stopscamsuk.org.uk/159

Honestly, I’m not sure it matters. They’ve all had such incidents. I read somewhere that about 30% of your fees and mortgage interest go toward fraud mitigation, monitoring, and restitution.

I always live by these rules:

- call them back, don’t talk to them

- ask why you need to do anything. It’s exceedingly rare a bank would call you to do something legit there and then. “I will do it later” will help. In fact that’s how I caught the phisher as I noted the aggravation in 1% of his voice.

- use credit cards, not debit cards, for purchases. They have far more protection.

- use all the 2FA and password complexity you can

- never use real info for challenge questions. Never use maiden name of mother etc. You can put “14 green fish” as the answer to the question if you like.

- make sure they are FSCS regulated, and try not to exceed that limit.

- understand FSCS does not cover you for most phishing attempts, since the bank will claim they tried to warn you and were not negligent

- use private tabs for bank interactions

Through this experience I have learned not to trust “what we know about you” information they share. Do not underestimate HUMINT. A bank snitch could give up something as seemingly innocent (to them) as your “join date” and it be a lynchpin piece of info for a scammer.

This may all seem obvious to an HN reader. But it’s worth refreshing and reiterating.


[flagged]


It’s not coincidental. I had a story to tell and didn’t want to use my main account. Monzo is OK and I have a 2nd business account with them. I find it expensive personally, at £5pm, since other banks offer free service and per transaction costs that total less for me. After the phishing attempt I moved to NatWest, of all places.


But the very last line says they wouldn’t trust this feature and they have a Monzo account?


I am usually this cynical, but they don't really even support the post, they urge readers to hang up and call directly.


Really what we need is reverse 2FA: when I'm on a call with someone who is asking for sensitive info I should be able to generate a 6 digit number in their app or website and request that they verify it. If they can't verify it, they're not with the bank. Simple.

I had an issue where a bank (chase) called me to verify a transaction it felt was illegitimate, first thing the bank employee (who claimed to be with the fraud department) did was send me a SMS 2FA code that clearly said "do not share with ANYONE" I told him that and he said "yes, but I need it to confirm you are who I'm trying to reach, if you don't give it to me I will lock your account" ... My account was locked and I had to go into a branch, present 2 forms of photo ID to create a new userID and password and be able to use my cards/access my (new) account again.

I had some very strong words for the branch manager and anyone who would listen about how terrible a security practice it is to give those sorts of conflicting instructions.


The complaint should go to the Office of the Comptroller of the Currency (Chase’s primary regulator) + the Consumer Financial Protection Bureau (their consumer regulator if you’re a non-business account) + the media, not to the branch manager. I doubt the branch manager has any control over this policy or any way to communicate your frustrations to anywhere with power to act on them.

That said, maybe they’ve fixed this since it happened to you: as of 2023, Chase’s Sapphire credit card department seems to be able to verify my transactions as legitimate or fraudulent and complete my live identification to a customer service representative without replicating your experience. They allow me to validate transactions by replying to email or SMS notifications which mention the specific transaction, and they can involve their mobile app in attempts to live verify my identity.


> That said, maybe they’ve fixed this since it happened to you: as of 2023, Chase’s Sapphire credit card department seems to be able to verify my transactions as legitimate or fraudulent and complete my live identification to a customer service representative without replicating your experience. They allow me to validate transactions by replying to email or SMS notifications which mention the specific transaction, and they can involve their mobile app in attempts to live verify my identity.

So, that was all possible back then too. This was specifically for an attempted ACH transaction between my Chase account and my Discover account; it was a large amount of money and Chase didn't think I was the one who initiated the tx even though I'd already verified the other account in Chase. They were concerned my actual account was hacked... In that case, as others have said, calling a phone number and then sending a text to that same number doesn't add any additional verification for them: if I can answer the phone call I can see the text. Obv, if they suspect my account was hacked there really isn't a way to verify using any of the existing account info.


This is how my bank handles it as well. I just get a text with the charge line and amount, and it prompts me to reply either YES or NO (or maybe STOP, it's been a while). If I say YES or STOP, it stops payment and prompts me to call whatever the department for that is with a phone number.

It seems to also hint to their fraud system. I think the last one I got was when I was traveling, and it quit asking if the charges were authentic after the first couple.


Probably not "STOP" since that's a reserved message in SMS that tells bots to stop messaging you entirely.


HSBC does this, it's Y/N for them as far as I remember. Accidentally put N one time and found they cancelled my CC. Was super annoying bc I had to wait for a new one to arrive but I guess a scorched earth policy is good (esp when they're liable for fraudulent use).


Are you sure it was really a Chase representative on the phone with you? It’s sometimes possible to cause an account to be locked without being able to log in by doing too many login attempts.


That was the point of his concern - he was being middlemanned for his 2FA.


Yea, I’m like 90% sure it was a Chase rep in the end, based on what the in-branch people were saying. Though it sounded like it was someone in a local office and not part of a large call center team.


> Really what we need is reverse 2FA

No. What we really need is a mutual authentication, where both parties talking over a phone can confirm each other's identity simultaneously, as a part of a single process (assuming a previously established secret(s)). Ideally, with a piece of human-readable metadata attached to it that describes the purpose of authentication.

So banks no longer ask you to read back a SMS, and you no longer guess if that's legit and you both know what this authentication is for (spelled out in a natural language).

If you have Internet connectivity, it should use it to perform all the communications, leaving both sides with a simple interface (as simple as tapping "confirm" or "reject"), and if Internet isn't available it should provide an ability to still perform the protocol by reading some phrases and typing in what you hear back.
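The "reverse 2FA" idea above and this mutual-authentication proposal can be shown as one exchange. The following is an added illustration written for this thread, not code from Monzo or any bank: it assumes a 32-byte secret shared at enrolment (constructed here), a purpose string the bank states up front, and a short spoken fallback code for calls with no data connection. All class and function names are the example's own.

```python
"""Mutual phone-call authentication over a pre-shared secret (illustrative).

Assumptions (constructed for this example): both sides hold a 32-byte secret
from enrolment; the bank app relays the raw bytes over the Internet, or each
side reads a 6-digit truncation of its tag aloud when offline.
"""
import hashlib
import hmac
import secrets

VOICE_DIGITS = 6  # length of the spoken fallback code


def make_tag(secret: bytes, role: str, purpose: str,
             nonce_bank: bytes, nonce_cust: bytes) -> bytes:
    """HMAC-SHA256 over (role, purpose, both nonces).

    'role' prevents a reflection attack (a tag the bank issued being replayed
    back to the bank as if it came from the customer). 'purpose' binds the
    proof to the stated reason for the call, so a tag issued for "confirm a
    card payment" cannot be reused to authorise a transfer. Fresh nonces on
    both sides stop replay of a previous call's tags.
    """
    msg = b"\x00".join([role.encode(), purpose.encode(), nonce_bank, nonce_cust])
    return hmac.new(secret, msg, hashlib.sha256).digest()


def voice_code(tag: bytes) -> str:
    """Decimal truncation of a tag, zero-padded, for reading over the phone."""
    return str(int.from_bytes(tag[:4], "big") % 10 ** VOICE_DIGITS).zfill(VOICE_DIGITS)


class Customer:
    def __init__(self, secret: bytes):
        self.secret = secret

    def respond(self, purpose: str, nonce_bank: bytes):
        # Sending our tag first is safe: unlike an SMS code, an HMAC tag is
        # useless to an impostor who does not hold the secret.
        self.purpose, self.nonce_bank = purpose, nonce_bank
        self.nonce = secrets.token_bytes(16)
        return self.nonce, make_tag(self.secret, "customer", purpose, nonce_bank, self.nonce)

    def verify_bank(self, bank_tag: bytes) -> bool:
        expected = make_tag(self.secret, "bank", self.purpose, self.nonce_bank, self.nonce)
        return hmac.compare_digest(expected, bank_tag)


class Caller:
    """The party claiming to be the bank; an impostor simply holds the wrong secret."""

    def __init__(self, secret: bytes):
        self.secret = secret

    def start(self, purpose: str):
        self.purpose = purpose
        self.nonce = secrets.token_bytes(16)
        return purpose, self.nonce

    def verify_and_prove(self, nonce_cust: bytes, cust_tag: bytes):
        expected = make_tag(self.secret, "customer", self.purpose, self.nonce, nonce_cust)
        if not hmac.compare_digest(expected, cust_tag):
            return False, None  # refuse to issue our own proof to an unverified party
        return True, make_tag(self.secret, "bank", self.purpose, self.nonce, nonce_cust)


def run_call(caller: Caller, customer: Customer, purpose: str):
    """Run the four-message exchange.

    Returns (caller accepted customer, customer accepted caller).
    """
    purpose, nonce_bank = caller.start(purpose)                  # 1: purpose + bank nonce
    nonce_cust, cust_tag = customer.respond(purpose, nonce_bank)  # 2: customer nonce + tag
    caller_ok, bank_tag = caller.verify_and_prove(nonce_cust, cust_tag)  # 3: bank tag
    cust_ok = bank_tag is not None and customer.verify_bank(bank_tag)    # 4: customer checks
    return caller_ok, cust_ok


if __name__ == "__main__":
    shared = bytes(range(32))        # constructed enrolment secret
    purpose = "Confirm card payment of £120.00 to EXAMPLE STORE"
    print("genuine bank:", run_call(Caller(shared), Customer(shared), purpose))
    print("impostor    :", run_call(Caller(bytes(32)), Customer(shared), purpose))
    print("spoken code :", voice_code(make_tag(shared, "bank", purpose, b"a" * 16, b"b" * 16)))
```

The point the protocol makes against the SMS-reading practice discussed elsewhere in the thread: nothing either side speaks or sends is a reusable secret, the bank must prove itself before the customer does anything sensitive, and the purpose of the call is part of what is authenticated rather than something the caller asserts verbally.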


You did the right thing.

I don't even have two forms of photo ID. I think I would just leave for another bank immediately if it was an option.


Some financial institutions are bizarrely inept when it comes to security.

I had one once that had an authentication question in their phone banking script that asked how a certain system was set up, option A or option B. Given that I was calling to set up that exact system, neither answer made sense. The agent I was speaking to was seemingly unable to comprehend this, and I got sent to a branch having failed the ID check.

I went to my local branch with enough ID bearing photos and recent addresses to pass all the usual KYC/AML checks to open a new facility at any major financial institution in my country. Having explained the situation and showed that ID to a bemused but sympathetic member of staff, they called their magic phone number to speak to the relevant team, gave their staff credentials, and confirmed that I was present in person with them and they had personally verified my ID. They were then transferred to apparently the same phone system I’d called from home myself, which got stuck at exactly the same ID check.

Didn’t stay there long, though longer than the place whose “security team” called me and started the conversation with, “Good morning, I’m calling from the security team at (my bank). Before I can talk to you any further, I need to verify some personal details to confirm your identity. Can you please tell me (the top three things I’d need to know if I were an identity thief and wanted to impersonate you with other services)?” I particularly liked the anonymous phone number they were calling from. And in case anyone’s wondering, I did call the bank back at one of their public phone numbers, and they confirmed that the call I’d rejected was from them.


As much as I tend to agree with you, people who have loans, particularly mortgages, which are frequently traded amongst financial institutions, are locked in to a particular company like it or not.

But for retail banking, supposing you actually have the option, yes, absolutely.


> people who have loans, particularly mortgages, which are frequently traded amongst financial institutions, are locked in to a particular company like it or not

When we got the mortgage for our house, we went out of our way to arrange it with a bank with which we had (and have since had) no other dealings.

Result: Our "mortgage bank" has no insight into our day-to-day finances. Our "day-to-day bank" has no insight into our mortgage.


That works until they sell your mortgage to someone else, a process that you have zero control over.


There are certain banks out there that don't sell your mortgage. The bank I have my mortgage through is one of those. Admittedly, they're kind of rare, but do exist.


I think many people in the US have a state ID/DL and a passport, these days with TSA Precheck/global entry often people have a fed ID card as well.


This is accurate. One would expect a lot better from the fraud department of such a major bank but here we are... Their phone calls are almost indistinguishable from phishing attacks.

I usually politely tell them that I am going to hang up and reach their fraud department through the phone number on their website. I never had my account locked.


Let's assume that whoever you're talking to is either really with the bank or some crook who does not have access to any of your banking information.

You can simply ask the crook to name the amounts and descriptions of the last several transactions in your primary checking account. Or the statement amount of your most recent credit card bill on a particular card.


I've done this kind of thing before when I've received calls.

Sometimes gets weird reactions from the caller but they usually comply.


IMO we need the certs / public key / TLS stuff for phone calls essentially.[1] I call them, they challenge me to prove my identity by enc/sig something in a way only I can, then they have to do the same with both their organizational identity, but also their employee identity (it's an authorized activity on behalf of the bank, and of that person). We need this kind of thing, and a replacement for Social Security Numbers / Social Insurance Numbers (or other similar national identities).

[1]: (I'm probably mixing up some of the crypto specifics here, but hopefully a crypto expert can chime in and straighten them out)


I'm almost positive there are governments around the world that issue citizens smartcards for access to services.


Unfortunately in the US it’s a nonstarter because of the perceived privacy issues. People cannot wrap their heads around the fact that we already have a mandatory national ID, and therefore oppose what they see as the creation of one.

The core argument essentially boils down to the fact that they never use their social security number, therefore it’s not an id. Which is obviously incorrect for a number of reasons, but here we are.

The only real solution here is for the problem to get so bad that the angry majority overrules the loud but uninformed nut bars.



That doesn't sound like it adds any security at all to me. They call you on a number and send the SMS to the same number, so anyone with that phone can see the code and repeat it to them. At the very least they should have used a different channel.


It's worse: they call you, while at the same time they try to log in to your account, and only the 2FA number is missing. So they try to make you dictate the number so they can log in to your account.

P.S. I don't know how Chase login happens, not a Chase customer.


IME, username + password along with an occasional and random "we don't recognize your machine" where they send a 2FA code over SMS.

Entertainingly, they seem to sniff user-agents in some way. Firefox on Linux works fine, but I tried to log in with Firefox on OpenBSD recently, and it just kicked me out suggesting I try their mobile app[0]; I tried the ungoogled-chromium package, and it worked. Apparently, this presents a FreeBSD user-agent string.

I sort of want to switch to, well, any other institution, but my family is terrified "what if there's not an ATM nearby?" Strangely, I've never had easy access to a Chase machine on any holiday or business trip I went on.

[0] I love it when they know I'm on a desktop and still encourage you to install their zippy new app. PayPal, I'm sure that iOS app has a Void package.


Many smaller banks (or banks without large ATM networks) offer fee reimbursements 3-5 times/month for using non-branded ATMs. For most people who rarely use ATMs to begin with, this is usually enough.


What he's saying is that the process Chase is following doesn't add security, because they're texting me a code to the same number they're calling me on. If I can answer the phone I can see a text to that phone number.


Ally Bank on the other hand has outsourced its debit card to the worst possible company out there. They called me and asked me for my social security number. I said is this a security training? Are you testing me? He said no, my card was recently used (it was me I was trying to withdraw USD 400) and I said I refuse to either confirm or deny anything on an incoming call.

This RUDE person said well my debit card will remain locked until I answer their questions. I said fine I'll call my bank.

My card remains locked to this day.


> person said well my debit card will remain locked until I answer their questions

You also have the option of reporting them to your state banking regulator [1], the CFPB [2], the FDIC [3] and FTC [4].

A polite way to do this is to write a letter to your bank explaining what happened and Cc’ing the regulators. It will tend to get escalated to their legal department and has a chance of forcing policy change (and producing compensation).

[1] https://www.consumerfinance.gov/ask-cfpb/how-do-i-find-my-st...

[2] https://www.consumerfinance.gov/complaint/

[3] https://www.fdic.gov/contact/

[4] https://reportfraud.ftc.gov/#/


What's your approach for "cc'ing" on a letter?


Cc'ing comes from letters. The usual approach is to send a copy of the letter to each recipient in the cc list


Yep. CC means “Carbon Copy”, as in I’m writing this letter once, and using carbon paper to make copies as I write it. So the main recipient would get the primary copy and the CC recipients would literally get a carbon copy.


This made me laugh so hard. I love these kinds of discoveries that people make, which to some are so obvious.


That's ridiculous. I have a similar story with Citibank. I decided to buy an M2 Macbook Pro less than 30 mins before the nearest Apple Store closed. So I ran to the store and, in doing so, forgot to bring my wallet. I figured it wasn't going to be an issue, since I have all my cards on Apple Pay.... but as it turns out, attempting to purchase with any of them resulted in a fraud block.

The Apple rep told me Amex was the worst, so I figured I'd call Citi. The person on the phone said "I've just sent a code to your phone". I got the text, which reads (and I quote): "Citi ID Code: 671865. We'll NEVER call or text for this code". I told him "this text says you'll never call for this code, yet you're on the phone with me asking me to give it to you". He laughed and said "yeah, I know it says that, but you have to read it to me"

I reluctantly read it to him, he unblocked my card, I tried purchasing again and it got blocked again. I ended up having to run home to get my wallet and run back. The Apple rep was kind enough to let me back into the store with like a minute left before it closed.

This was ~6 months ago. My Citi app says my card is blocked to this day and that "[they] need to speak urgently with me", yet I can still make purchases with it as if it weren't blocked. I'm letting it linger in this limbo state to debug what happens. I have also never used this card again unless the POS really won't take Amex.


Semantics, but important: they said they’d never call or text YOU for the code.

In this case you called them and they asked you.


Yeah, I noticed that as I was writing the comment but I was too invested to backtrack at that point lol


Amex actually once did the same to me several years ago when trying to verify my identity while talking to them.

I refused on a couple phone calls. I forget whether in the end I gave it to them or not, the details are hazy. I do remember I left feedback.

To my knowledge, Amex actually stopped that practice since then. Because as you note with the Citi experience, it is bad.


Amex asked me, via text, to call a number they provided to verify a potentially fraudulent charge and the first thing the number you call asks for is your full credit card number, all digits, not last four, all of them. The line doesn't even identify them as being from amex (not that you should trust it).

I called the fraud line on the back of the card (which was different than the number in the text) and they confirmed it was authentic but man, everything about that is straight up phishing.

TD Bank is also one that's horrible. Their online banking portal is myonlineaccount.net which is straight up a domain you'd use for phishing.


My mortgage got sold to M&T Bank whose web presence is at www3.mtb.com. I love that for them. I wonder what happened to their cert/HSTS setup on www ;)


But then what do you think the code is for if you can't confirm your identity with it when you call them? This is how it is supposed to work!


I generally use it to log in to my account as 2FA or when shopping online when some merchants also implement a payment process that taps into Citi's, when it also requests it as 2FA. Meaning I'm using it myself in some software rather than handing it over to someone else (even if by using software I'm also technically giving it to someone else).


Citi’s fraud prevention and identity verification systems are absolutely bizarre.

I’ve had them block my card and refuse to talk to me until I read them back a code from a letter in the mail more than once. The code is single-use, so this adds about a week of latency.

On the other hand, they once called me about fraudulent transactions on my card and didn’t hesitate at all to ask me for very personal details on that inbound (to me) call. I hung up and wasn’t able to get back to whatever department made that call due to the reasons above.


> I'd call Citi [...] "We'll NEVER call [...]"

Those are 2 very different things! Indeed they did not call, you called.

> yet you're on the phone with me

That wording is specifically ambiguous as to who placed the call.


It's unbelievable how bad at security financial institutions are. At an old job I had to set up our company with the accounts payable system of a customer. They used a system run by US Bank. They told us that we would receive set up instructions by mail, and a week later we got mail. It said "to begin the set up process go to https://bit.ly/..." and I knew I was being phished. Then I stopped to think: how would anybody know to send the set up packet to exactly the right place at the right time? Must be an insider. So I called US Bank, and they confirmed to me that the packet was in fact legit and this was supposed to be a bitly link. JFC.


I had a similar experience with Sainsbury’s Bank in the U.K.

Called me out of the blue after a failed transaction, I refused to give them the info they wanted and so they locked my account. Unlocking needed me to send them physical info that would have cost me.

Easy to sign up for an alternative. Lost a customer after 15 years. Well done Sainsbury’s Bank.


While their security practices sound woeful and you did the right thing, why haven't you called your bank to unlock your card and give the feedback that the outsourcing is awful?


With those security practices in place, locked is probably the status the card should have.


Who says it’s their security practice… The way the top post is told, I would assume the call to be made by an attacker. :)


It's probably less effort to switch to another bank.


When the WF credit cards were leaked someone claiming to be WF called and asked for my CC# and SSN to see if I'd been hacked. I laughed and told them that if they are hackers they can go F off and if they are truly WF then I need to speak to the manager immediately. I never got to chat with that manager.


This is disappointing to read. I've had nothing but excellent service from Ally. Whenever I've called their customer support, they are quick to answer, polite, competent, and have always resolved whatever problem I was having. But, I don't use their debit card.


Ally remains my favorite and main bank. It is just really complex and difficult to run a national bank as seen by our darling Simple bank getting passed around like a hot potato before disappearing entirely. I think Simple never really had a chance.

I have nothing but good things to say about Ally itself.


This is a nice feature but the root problem is how trusting people are of the totally insecure phone system. We all have to have “the talk” with our elderly parents, where we try to convince them to never do business over phone or e-mail unless they themselves initiated the conversation. No legitimate business will call you and expect you to pay money, give them access to a computer, ask for security codes, or anything like that. Always hang up, and if you think it’s actually life-or-death important (hint: it isn’t), call them back on their official number.

My parents got scammed in the past so they are on the lookout, but I still don’t think they are careful enough. And due to their age they get attacked a lot! Last time I visited, their phone was ringing every hour or two--all scam/spam. It’s only a matter of time until the next one is clever enough to get through.

I think these “external caller” scams are going to be with us until that generation dies out. The “trust the phone” instinct is too strong. Of course for my generation, the scammers will find something we inherently trust and exploit that, I have no doubt.


> My parents got scammed in the past so they are on the lookout, but I still don’t think they are careful enough. And due to their age they get attacked a lot!

I'd bet that it's not because of their age, but because they have been scammed in the past, so their data now is on the lists of "verified victims" which get passed around as those are thought to be more likely to fall for the next scam than simply a random number.


It’s somewhere in-between. They have a landline. Only really old people have landlines, so those are specifically targeted.


I think this should be hammered into everyone's head and am surprised it isn't already.

I get regular emails from retailers and banks reminding me that they will never call and ask for money or personal info. Then they state exactly what you said; hang up and call the institution's official number if you're unsure who is calling.

(Note: a quick way to find the official number is by looking on your debit/credit card. It should be printed on there.)

(Note note: Don't sign your credit/debit card. Put "SEE ID" or something in the signature area.)


> Note note: Don't sign your credit/debit card. Put "SEE ID" or something in the signature area.

When is the last time anybody has even looked at the back of your card?

Signature comparison (or even asking for a signature) is no longer required in most circumstances under the card schemes’ rules, whatever the signature panel says.


Why not sign the card?


"SEE ID" is an explicit instruction.

But I haven't had anyone check the card in ages.


But not a meaningful one. It's a signature panel, not an endorsement one like on checks, or a free-form message to card-accepting merchants.

Best case everybody will ignore it; worst case your card will be declined because somebody will still actually attempt to compare the signatures on the receipt and card, and “SEE ID” is not a signature.


The purpose of "SEE ID" is that a cashier or server actually requests a photo ID like a license and verifies the name and visual identity of the person presenting the card.

This seems like the second most secure form of identity check (chip + PIN #1) if everyone could be made to follow it consistently.


> This seems like the second most secure form of identity check (chip + PIN #1) if everyone could be made to follow it consistently.

Yes, but that's not happening since there is no incentive for the merchant to do it. Merchants are generally not liable for card-present lost/stolen card fraud, so the only thing this does for them is add friction.

It's a textbook principal-agent problem (in addition to requiring a human in the loop), and I highly doubt that the schemes would ever introduce anything like that, especially given that there are viable alternatives available (PIN entry on the terminal, on-device authentication for mobile wallets etc.)


"Privacy & settings – where it lives now – is a natural home for it, but we think it should appear elsewhere too."

Seems like the next step would be to send an app push notification before the call and to have a banner that's visible as soon as you log in to the app. Some sort of visual indicator that appears everywhere in the app that you should not be on a call may also reduce an attacker's chance of succeeding.


I don't know how iOS handles this, but on Android you can get permissions to check if the user is currently in a call. Often this is done to mute media when you accept a call, but I can also imagine any sensitive apps popping up a message on their home screen to indicate whether or not a real customer support agent is trying to reach out to you.

I don't think you can get details about the call that easily (like phone number and such) but with the right permissions it may also be feasible to maintain a scam number list based on user reports that sends out a notification when a known scammer is trying to call you.


Phone number is unfortunately not reliable, since it can be spoofed (and phone companies are broadly uninterested in doing more than the bare minimum to address this).

There are plenty of scams based on impersonating some official (FBI, IRS, etc). It's not hard to imagine a scammer spoofing your bank's phone number [0, 1, 2, 3].

[0] https://www.snbonline.com/about/news/scammers-can-spoof-an-o...

[1] https://www.westernbank.com/fraud-prevention/what-you-should...

[2] https://www.wellsfargo.com/privacy-security/fraud/bank-scams...

[3] https://www.fcc.gov/spoofing


> Phone number is unfortunately not reliable, since it can be spoofed (and phone companies are broadly uninterested in doing more than the bare minimum to address this).

I think this can be solved far more simply by only showing the notification/warning (or showing it more visibly) when the app detects you are in a call.


Right. I was commenting specifically on the effectiveness of

> with the right permissions it may also be feasible to maintain a scam number list based on user reports that sends out a notification when a known scammer is trying to call you.


What if I call the bank from another phone?


That's my biggest worry about this: That every app on my phone that considers itself important decides to attempt to notify me during every call, leading to a wall of notifications.


Disabling notifications is easy (hold notification, click "disable") so if it rolls out and you don't care, it's quite trivial to get rid of the notification wall.

So far, no apps that I know of have any such feature. If only one single app does it, it shouldn't cause a problem for anyone.


Many apps make this impractical by not separating the notifications into separate categories, so you either have to accept the spam, or break functionality that spans from convenient (credit card payment notifications) to critical (2FA push prompts that may only be accessible from the notification).

> If only one single app does it, it shouldn't cause a problem for anyone.

And that's how every app justifies doing it...


> Many apps make this impractical by not separating the notifications into separate categories

I can't say I share your experience. There are apps that spam you with notifications and intentionally don't use categories but I generally just uninstall those.


> Some sort of visual indicator that appears everywhere in the app that you should not be on a call may also reduce an attackers chance of succeeding.

Everywhere would probably be too distracting, but placing it on important screens (such as "verify transaction") would probably be a good idea.


Yeah, the UX is wrong. When they're on the phone with you the app should display a loud banner, and nothing when not.


That's not the right idea. The absence of a visual indicator is not a good way to let me know my current call is fraudulent. Especially since it's most likely most people will not have a call with their bank almost ever, so they'll not have any familiarity with the fact that such a banner is supposed to be there.


Unfortunately, the only way people are going to know to check in the buried menu is by reading that link. At which point that link might as well just say "if we are on the phone with you, the app will say so" [screenshot].


I don’t think you have thought this through. The fraudster calls you, the app displays nothing and you have no indication that anything is amiss.


Yes, but there's no way a customer would know to check in the menu in the way they've implemented it to know that the call is valid unless they already knew about it. At which point the customer outreach is the same.


I turn banner notifications off by default so it may not appear for a lot of people


I mean in the app, not as a hideable OS notification.


My bank has done similar for a few years. If someone calls you, they ask you to open the phone app and you get an in-app notification (banner in the app itself, not OS related) that says “Click OK to confirm <rep name> is talking to you” (or some such). They can’t access your account details until you click it.


> If someone calls you, they ask you to open the phone app and you get an in-app notification

You mean that if a genuine bank representative calls you then they prompt you to verify it. A fraudster will not do that and if the customer doesn't challenge them then the scam can continue.

One of my fears around getting older is not having the wits to protect myself from bank fraud like this. I don't have a solution.


Enduring Power of Attorney (in the UK, now called Lasting Power of Attorney [1]) is a solution of sorts. You give up the ability to access your accounts to a third party, usually a relative. It's used when people lose their mental faculties and are incapable of acting for themselves; it can be elective, or imposed by the court in a very long process.

[1] https://www.gov.uk/power-of-attorney


Scams can be so sophisticated in execution now that I'd quite expect someone to become a victim to one far before they otherwise appear to need the LPA to be used.

I have made it extremely clear to my older (not even elderly) relatives to never, ever agree to anything involving TeamViewer or any other kind of remote connection on a computer or phone. Take a number to call back if they want (do not agree to be called back later), then hang up and call me. And never, ever click anything in an SMS: not only can I not really explain how URL structures work, but companies keep using scammy-looking short URLs that even I can't tell apart, so complete interdiction on ever clicking a URL in a text is the safest way. And if I call saying I'm in jail, ask me for my car model and colour.

But I don't really know how to explain to them what is and isn't a scam on the 40 billion apps you're expected to use for banking, travel, parking, utilities, communications, everything with its own security systems, quirks and bugs[1]. It's probably only a matter of time before a scam gets through (luckily the relatives are mostly not credulous enough or greedy enough to fall for most of them), but that doesn't mean I should execute an LPA and remove access to everything for their own good. Not least at that point they'll probably not be considered to be lacking capacity, a necessary condition for using the LPA, by the OPG just because they don't understand their mobile network's new login flow.

[1] which won't be fixed because most of these apps are consultancy effluence and they've been delivered and signed off on. So, the consultancy doesn't care any more and the recipient doesn't know how to maintain it even if they wanted to. Not only have they probably not got their own engineering these days, the app is an unmaintainable rush-job that is 90% technical debt and enough duct tape to get it over the acceptance wall before anyone notices. At best the issues will be fixed when the app is so completely untenable that another consultancy gets hired to rewrite from scratch. Then everyone gets a new app and a new set of "is this a scam" decisions to make.


Oof ... a PoA is a bit of a sledgehammer to crack a nut for many people, especially those who still have a perfectly fine mental faculty.

Most UK financial companies will have a third-party authority process. It's the sort of thing used to give professional advisors access to the account, but there is absolutely no reason it cannot be used to give other sorts of third-parties access.

The core difference is that a TPA is technically temporary (and thus will need to be renewed on a schedule, typically annually), whilst a POA is a more permanent affair and that's why a POA is a pain in the rectum to setup.


Minor point but I’m pretty sure it’s just a grant of permissions to someone else without you yourself losing access


Right this thing only works if people are aware of it, but the only way for them to be aware of it is to do it every time. This Monzo approach is near useless. The one Sen described sounds quite good.


> Right this thing only works if people are aware of it, but the only way for them to be aware of it is to do it every time

It needs to be done every time and it needs to happen frequently enough that people internalize an expectation that anything else is sketchy.

Now, how often does a bank representative call you? For me it's like once a year when their fraud department thinks that one of my monthly bills is sketchy, even though they've been unchanging for years.

Is that enough to build an expectation? I don't think it is, particularly for elderly clients.

Whenever I get a call from somebody claiming to be X organization I assume it's a fraud by default and don't provide them with any personal information. It has worked fine so far, as far as I can tell.


This sounds like as much of a defence against internal attacks as against scammers.

Though it might be helpful if the customer noticed the attacker didn't ask for the confirmation and became suspicious, but that's probably a small number of people and scammers are very good at allaying such worries with plausible excuses.


One thing I wonder is if this works when you call Monzo as well - once you give them your details, does the same thing appear in the app? Because that opens the door for a man-in-the-middle attack. Actually, in that case it makes the attack so much worse, because it legitimises the attacker.


Well that would rely on you being able to call Monzo in the first place. None of the numbers you are able to find take you to a person, instead infinitely redirecting you to use the in-app chat... which is more "Leave us a message and we'll pick it up on Monday" than an actual live chat.

Background: Monzo froze _all_ of my bank accounts for nearly 5 days after triggering some fraud protection measures. Great in theory... until you are completely unable to speak to anyone.


Why not just have an ability to call in-app via secure voice chat?


Because they want to be able to dial a normal phone number to make your phone ring to get your attention.


Hmm, WhatsApp rings my phone more than the regular phone network and like me billions of people pick up WhatsApp calls every day.


This is true, but for most Americans, we still use a phone number and do not have anything like WhatsApp, Signal, or Telegram installed on our phones. The phone number ring is still gold here.


Yeah, I didn’t get that either.


Also my first question.


A bank that never calls or messages via traditional phone/mobile network and never uses email is the best. Always use secure in-app communication. And use secure device binding + password/pin + biometric authentication for access. Use a pre-registered and securely couriered FIDO2 token (Yubikey) + in-app video-KYC for initial setup and credential resets. Don't depend on another channel for resetting any of the credentials. Educate the user that you will never contact them via any other means. Establish these secure expectations with the user from day-0. Within the app, always do additional factor authentication for any monetary transaction. On the server-side, have per-transaction, per-day limits for fund transfers. For large value transfers, require payees to be added to the account and have a 1-2 days cooling off period. Notify the user during this cooling-off period and give them ample opportunity to intervene if they think it is a mistake or fraud. Have low-friction instant payments only to pre-verified and registered merchant addresses. For person-to-person instant transfers, have velocity limits and a legal framework to clawback and prosecute in case of fraud. For out-of-network (say international) instant transfers, definitely require payees to be verified and added to the payer's account and have fraud protection funds to enable swift clawback and legal frameworks for prosecution across international borders. Without these types of protection, any increase in banking velocity is bound to result in more fraud harm than traditionally accepted.
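The server-side controls sketched in the comment above (per-transaction and per-day caps, a cooling-off period with a customer notice for newly added payees, instant payments only to pre-verified merchants), as an added example that is not the commenter's or any bank's code. The limit values, payee names, amounts and timestamps are all constructed for the demonstration.

```python
from dataclasses import dataclass, field
from datetime import datetime, timedelta

# Assumed policy values, constructed for this example (not a real bank's figures).
COOLING_OFF = timedelta(days=1)   # a new payee must wait this long before large transfers
PER_TX_LIMIT = 2_000              # transfers above this amount count as "large"
PER_DAY_LIMIT = 5_000             # total outbound per calendar day


@dataclass
class Payee:
    account: str
    added_at: datetime
    verified_merchant: bool = False  # pre-verified merchants are exempt from cooling-off


@dataclass
class Account:
    payees: dict = field(default_factory=dict)   # account id -> Payee
    sent: list = field(default_factory=list)     # (timestamp, amount) of completed transfers
    notices: list = field(default_factory=list)  # messages the customer would be shown


def add_payee(acct, account_id, now, verified_merchant=False):
    """Register a payee. Non-merchant payees start a cooling-off period, and the
    customer is told about it so an unauthorised addition can be cancelled in time."""
    acct.payees[account_id] = Payee(account_id, now, verified_merchant)
    if not verified_merchant:
        usable_from = now + COOLING_OFF
        acct.notices.append(
            f"New payee {account_id}: large transfers allowed from "
            f"{usable_from:%Y-%m-%d %H:%M}. Not you? Cancel now."
        )


def sent_today(acct, now):
    """Sum of completed transfers since midnight of the current day."""
    day_start = now.replace(hour=0, minute=0, second=0, microsecond=0)
    return sum(amount for ts, amount in acct.sent if ts >= day_start)


def check_transfer(acct, to_account, amount, now):
    """Return (allowed, reason) without recording anything."""
    payee = acct.payees.get(to_account)
    if payee is None:
        return False, "payee not registered"
    if (amount > PER_TX_LIMIT and not payee.verified_merchant
            and now - payee.added_at < COOLING_OFF):
        return False, "large transfer to new payee: cooling-off in progress"
    if sent_today(acct, now) + amount > PER_DAY_LIMIT:
        return False, "per-day limit exceeded"
    return True, "ok"


def transfer(acct, to_account, amount, now):
    """Apply the policy and record the transfer if it passes."""
    allowed, reason = check_transfer(acct, to_account, amount, now)
    if allowed:
        acct.sent.append((now, amount))
    return allowed, reason


def demo():
    """Walk through constructed scenarios; returns ({name: (allowed, reason)}, notices)."""
    now = datetime(2023, 11, 26, 12, 0)
    acct = Account()
    add_payee(acct, "landlord", now - timedelta(days=30))          # long-standing payee
    add_payee(acct, "used-car-seller", now - timedelta(hours=2))   # added this morning
    add_payee(acct, "utility-co", now, verified_merchant=True)     # pre-verified merchant
    results = {
        "unknown": transfer(acct, "stranger", 50, now),
        "merchant_large_instant": transfer(acct, "utility-co", 3_000, now),
        "new_payee_small": transfer(acct, "used-car-seller", 500, now),
        "new_payee_large": transfer(acct, "used-car-seller", 4_000, now),
        "old_payee_over_day_cap": transfer(acct, "landlord", 2_000, now),
        # the same large transfer succeeds once the cooling-off period has elapsed
        "new_payee_large_tomorrow": transfer(acct, "used-car-seller", 4_000,
                                             now + timedelta(days=1)),
    }
    return results, acct.notices


if __name__ == "__main__":
    outcomes, notices = demo()
    for name, (allowed, reason) in outcomes.items():
        print(f"{name:26s} {'ALLOW' if allowed else 'BLOCK':5s} {reason}")
    for n in notices:
        print("notice:", n)
```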


I'm a Monzo client and honestly, I'm surprised they even offer the option. They do everything on-line if they can: it's cheaper for them, and I find it more convenient, on top of all the reasons you listed.

I suspect phone calls only happen at the very edge of rare branches, with elderly or handicapped clients, complex transactions, when ID checks fail, etc. They might not do it at all, and have added that feature in the rarest of cases they might — but making it visible as “this changes color if we call you” makes a more compelling story than the previous “we never call you” if you are on the phone with a high-pressure scammer.


Banks in the UK are legally obligated to provide phone support to their customers. Monzo mostly doesn’t do outbound calls at all, pretty much the only situation they’ll do an outbound call is if it’s a pre-arranged call to discuss a complaint, or difficult situation (death of a customer etc).


That's very secure. It's also utterly unusable and will result in customers picking another bank, possibly retrieving their deposit through regulators and the court system in some cases because it's easier than going through your impossible account recovery.


That sounds fantastic for more technically sophisticated users… but I strongly suspect the reason banks continue to use phone, email, and SMS is that most users aren’t that technically sophisticated, and strongly want to use the (admittedly unsuited) communication methods they’re already familiar with. There was a post here a while ago about the debt collection industry that had a section of which the essence was “You’d be shocked at how little many people understand about banking and technology and basic math”.


These are all good ideas, but unfortunately really not that easy to implement, largely due to institutional inertia, but also because it would put the bank at a competitive disadvantage with others: Often, security and convenience really are trade-offs.

> Don't depend on another channel for resetting any of the credentials.

What if a customer's house burns down with their phone and Yubikey in it?

> For person to person instant transfers, have velocity limits and legal framework to clawback and prosecute in case of fraud.

That's not up to a single bank.

> For large value transfers, require payees to be added to the account and have a 1-2 days cooling off period.

"Why are you telling me what I can and can't do with my own money!?"

Sometimes, large value transfers really do need to happen quite spontaneously to a previously-unknown recipient, e.g. for a used car purchase.

> Use a pre-registered and securely couriered FIDO2 token (Yubikey)

That would indeed be great, but not a single bank I've done business with supports FIDO. In fact, I haven't even heard of one that does (I might just open an account with them!)


> use secure device binding + password/pin + biometric authentication for access. Use a pre-registered and securely couriered FIDO2 token (Yubikey) + in-app video-KYC for initial setup and credential resets.

Does this work with a privacy-respecting ROM like GrapheneOS? If not, then it's nowhere near the best solution for me.


One annoying aspect to app push notifications is that my bank uses them to send marketing too.


The marketing will eventually sneak into every guaranteed channel of customer attention. That's why no app is sending me notifications.


> Use a pre-registered and securely couriered FIDO2 token (Yubikey)

Banks are awful enough with software, I don't want any hardware from them. Increasingly mobile apps are becoming first-class citizens for online banking, web browsers second class. There doesn't exist a reliable, non-infuriating workflow with a physical security key and a smartphone.


Are there banks/companies proactively trying to trick customers? Call, then throw up some red flags, then educate? Especially for older customers a "near-miss" might be helpful to lower the risk of them getting scammed.


Banks in my country send all sorts of emails with "scammy" subjects, and then when you open them their banner says "Don't fall for such scams" or "Scams start this way". Maybe if they added an option to opt-out of such emails, it would be pretty nice! Now it's just more inbox noise.

And of course, their "scam-like" emails end up in the inbox, while real scammers' emails would end up in the Spam folder.


Banks in the UK do all sorts of scammy things, not for that purpose, but as part of their usual business

Judging by their frequent and long lectures about how I'd be liable for any fraud, it sounds like they've absolved themselves of responsibility too well to need to improve fraud protection

They send email from an unfamiliar domain, not the one customers know from their website, nor a subdomain thereof

They call customers and ask for security information

They ask for one-time codes on some calls from customers, but they also separately say it's something that only fraudsters do

All of the above risk causing customers to lower their guard to fraud

They fail to recognise repeat payees to validate payment details when taking international transfer instructions by phone, which risks fraud (if an invoice seeming to be from a regular supplier is actually from a fraudster) or other loss (if the payment details are misheard)

They also fail to recognise repeat payees when using transaction history to flag unusual activity, which only increases false positives, so it isn't as bad, but it's still annoying


> They send email from an unfamiliar domain, not the one customers know from their website, nor a subdomain thereof

Prime example, Santander

From: Santander <santander@email2.yoursantander.co.uk>

Subject: Know more about Facebook Scams

Congratulations Santander, you've now trained your customers to trust emails from domains like "email2.your<business>.co.uk"
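The first-party-domain rule from the parent comment, applied to the Santander header quoted above, as an added example that is not Santander's or the thread's code: it shows why a plain suffix test accepts `email2.yoursantander.co.uk` for a bank domain of `santander.co.uk`, and how a label-aware check rejects it while still accepting genuine subdomains. The bank domain and all other addresses below are constructed for the demonstration.

```python
from email.utils import parseaddr


def sender_domain(from_header):
    """Lowercased domain of the address in a From: header such as 'Santander <x@y.z>'."""
    _, addr = parseaddr(from_header)
    if "@" not in addr:
        return None
    return addr.rsplit("@", 1)[1].lower().rstrip(".")


def naive_is_first_party(from_header, bank_domain):
    """The tempting but wrong test: a bare string suffix match.
    'yoursantander.co.uk' ends with 'santander.co.uk' yet is a different domain."""
    domain = sender_domain(from_header)
    return domain is not None and domain.endswith(bank_domain.lower())


def is_first_party(from_header, bank_domain):
    """Correct test: the domain is bank_domain itself or a subdomain of it,
    so the match must land on a label boundary (a leading dot)."""
    domain = sender_domain(from_header)
    if domain is None:
        return False
    bank = bank_domain.lower().rstrip(".")
    return domain == bank or domain.endswith("." + bank)


def display_name_impersonates(from_header, bank_name, bank_domain):
    """True when the display name invokes the bank but the domain is not the bank's:
    exactly the pattern the parent comment says customers are being trained to accept."""
    name, _ = parseaddr(from_header)
    return bank_name.lower() in name.lower() and not is_first_party(from_header, bank_domain)


def classify(from_header, bank_domain):
    """'first-party', 'lookalike' (only the naive test accepts it) or 'third-party'."""
    if is_first_party(from_header, bank_domain):
        return "first-party"
    if naive_is_first_party(from_header, bank_domain):
        return "lookalike"
    return "third-party"


if __name__ == "__main__":
    # Constructed headers; the first is the one quoted in the comment above.
    headers = [
        "Santander <santander@email2.yoursantander.co.uk>",
        "Santander <alerts@secure.santander.co.uk>",
        "Santander <alerts@santander.co.uk>",
        "Newsletter <news@mailer.example.net>",
    ]
    for h in headers:
        print(f"{classify(h, 'santander.co.uk'):12s} "
              f"impersonation={display_name_impersonates(h, 'Santander', 'santander.co.uk')}  {h}")
```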


I thought that only in my country the banks' "security" turned fucking retarded but it seems it's a global trend. Recently I received a legit email from my bank with a warning against scammers and the title was "The first step of the scammer will be will be sending an email, text message, or calling you". Is it a double intelligence test or did they just admit to being scammers?


> And of course, their "scam-like" emails end up in the inbox, while real scammers emails would end up in the Spam folder.

Perhaps you meant this the other way around?

Either way, I have received quite a steady stream of rather obvious phishing attempts directly to my inbox on Outlook.com. Once or twice a month I have a missed Amazon package, or some horrible debt, or am being investigated for tax fraud or other such.


No I mean that if my bank sends me an email with a scammy subject, it won't get caught in the spam filter because everything else is legit, like the From field, their verified domain, email signatures, and the body content. They use the same domain and presumably the same email address to send such emails and other important emails too.

But if a scammer sends me a fake email, it'll probably get caught in the spam filter of my email provider (hopefully).


Not for customers per se, but the company I work for will regularly send “scam” emails to us. If you click on the link you get assigned mandatory corporate phishing trainings. Makes you extra cautious.


One time at work I forwarded what I thought was a genuine phishing attempt to abuse at stupid corporate email like I was supposed to and they dinged my manager because I had remote images enabled or something. I don't remember changing this setting and this was on a computer they owned. There is no winning with these people. I have since turned off remote images in emails. If you have remote images in messages to my work email, I won't see them. I refuse to turn on remote images because as far as I'm concerned, that's my security policy.

I still forward all these "training" emails to abuse at corporate because if I'm doing extra work, they're doing extra work. Recently, they've automated this though because when I email abuse, I immediately get a reply saying congratulations, this was a test message. If this were a real bla bla... Anyway, I think it is safer to forward to abuse just in case.


Pentesting for the elderly?

Sounds like a cool service.


Several banks I use do this all the time.

Except they don't do it as a teaching experience, but as part of their normal operations, and if you refuse to do the extremely sketchy, red-flag, never-do-this thing, you will not be able to get your task done.

I've been required to provide part or all my online banking PIN on the phone and my credit card PIN on a random sketchy website (as part of 3DSecure). Different banks. Both legit and repeated.


This is a great idea, but there's one problem I see with it: When I'm in a call, my internet doesn't work if I'm not on wifi, as the modem is busy with the call. I believe this doesn't happen if you have VoLTE, but it does mean that this feature can't work for many many people.


Yep, CSMA needs Voice over LTE (VoLTE) or else data is enabled while the call falls back to 3g.


disabled*


Wise will include a user-set keyword on all communications: https://wise.com/help/articles/2932695/watch-out-for-phishin...


This was tried long ago, then cancelled, in Turkey. Perverts will set it to something they want to hear from the call center agent and trigger a call where the poor agent will need to read it out loud.


Should probably be changed to a random string like “flying neon dollar”

Also wtf


That's pretty easy to work around if there's a will to do it. A single word, a character limit, a dictionary validation or a non-UGC generation are all pretty simple things to implement.


> This blog post was accurate when we published it – head to monzo.com or your Monzo app for the most up to date information.

I am on monzo.com


Both a good and bad idea. Obviously dependency on a side/control channel limits this.

Better? Mix and broadcast authentication beacons over the audio channel. If it got there, by whatever transport the audio did, you're good to use them as a MAC against some key.


Can you expand on that? I don't understand what you mean.


Sure, what I'm specifically addressing is "can we do it without the internet bit?", because as a security solution I see it as a bit of a problem relying on that. Since the person is calling with a duplex audio link already, by GSM or whatever, why not use that?

There are many, many ways (modems of a kind) of putting an (almost) inaudible signal into audio. Those could easily be short message authenticators, just a sequence of digits that derive from some frames of the audio, they might sound like little high frequency blips. Can you see how that might work?

[edit]

Forgot to say; those frames would get hashed along with some private part of a public key, or sym-key that only you (the user) has. A fake caller wouldn't be able to spoof them easily, and so they wouldn't decode at the client side correctly.
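The per-frame authenticator idea from the two comments above, as an added example that is not the commenter's or Monzo's code: a short digit tag is computed over each audio frame with a key only the customer and the bank share (the symmetric-key variant the comment mentions), bound to the call and frame position so a recorded tag cannot be replayed, and checked on the customer's side. It models only the tagging and verification; how the digits are embedded inaudibly in the audio is out of scope. The 8 kHz sample rate, 20 ms frames, 6-digit tags, key and sine-tone "call audio" are all constructed assumptions.

```python
import hashlib
import hmac
import math
import struct

SAMPLE_RATE = 8000    # assumed telephony sample rate (Hz)
FRAME_SAMPLES = 160   # 20 ms frames at 8 kHz
TAG_DIGITS = 6        # short digit tag per frame, as the comment suggests


def make_call_audio(seconds=1.0, freq=440.0):
    """Constructed stand-in for call audio: a 16-bit little-endian PCM sine tone."""
    n = int(SAMPLE_RATE * seconds)
    samples = [int(12000 * math.sin(2 * math.pi * freq * i / SAMPLE_RATE)) for i in range(n)]
    return struct.pack(f"<{n}h", *samples)


def frames(pcm):
    """Split PCM bytes into fixed-size frames, dropping any trailing partial frame."""
    size = FRAME_SAMPLES * 2
    return [pcm[i:i + size] for i in range(0, len(pcm) - size + 1, size)]


def frame_tag(key, call_id, index, frame):
    """Keyed tag over (call id, frame index, frame bytes), truncated to TAG_DIGITS digits.
    The call id and index bind each tag to its position, so a tag captured on one call
    or at one moment does not verify elsewhere."""
    msg = call_id.encode() + index.to_bytes(4, "big") + frame
    digest = hmac.new(key, msg, hashlib.sha256).digest()
    return f"{int.from_bytes(digest[:8], 'big') % 10 ** TAG_DIGITS:0{TAG_DIGITS}d}"


def bank_side(key, call_id, pcm):
    """What the bank would emit alongside the audio: one tag per frame."""
    return [frame_tag(key, call_id, i, f) for i, f in enumerate(frames(pcm))]


def customer_side(key, call_id, pcm, received_tags):
    """Recompute tags from the audio actually heard; return the fraction that verify
    (1.0 means every frame is authentic and unmodified)."""
    fs = frames(pcm)
    if not fs or len(fs) != len(received_tags):
        return 0.0
    ok = sum(hmac.compare_digest(frame_tag(key, call_id, i, f), t)
             for i, (f, t) in enumerate(zip(fs, received_tags)))
    return ok / len(fs)


def demo():
    """Genuine call, spliced audio, a forger without the key, and replayed tags."""
    key = b"customer-enrolled-secret-example"   # constructed; provisioned at enrolment in practice
    pcm = make_call_audio()
    tags = bank_side(key, "call-0001", pcm)

    tampered = bytearray(pcm)
    tampered[1000:1002] = b"\x7f\x7f"          # corrupt one sample inside frame 3
    forged_tags = bank_side(b"attacker-guess", "call-0001", pcm)  # forger lacks the real key

    return {
        "genuine": customer_side(key, "call-0001", pcm, tags),
        "tampered_audio": customer_side(key, "call-0001", bytes(tampered), tags),
        "forged_tags": customer_side(key, "call-0001", pcm, forged_tags),
        "replayed_on_other_call": customer_side(key, "call-0002", pcm, tags),
    }


if __name__ == "__main__":
    for name, fraction in demo().items():
        print(f"{name:24s} verified fraction = {fraction:.2f}")
```

A customer app would accept the call only when the verified fraction stays near 1.0 throughout; a single bad frame points at tampering or a dropped sample, while a fraction near zero means the tags were never produced with the shared key for this call.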


> what I'm specifically addressing is "can we do it without the internet bit?",

Monzo could open some branches, where it's somebody else's problem to verify the identity of the staff in the building and you can be quite certain the person behind the desk is in fact an employee

(Edit: I know they're a 'challenger' bank)


Well tbh with you that's how I bank, and I agree with you.

I think that "app based" banking is a shitshow, and will only get worse, and ultimately more insecure. The entire economic strategy of dehumanisation is a catastrophe in the making.

And clearly there is no genuine market demand for it, people hate it with a passion, but it's being forced on the population, probably for other reasons more nefarious than "convenience" or "efficiency".

That said, if you're going to do telephone banking with another actual human over an audio or AV channel - which is an acceptable mode of interaction for me - then you may as well employ that information stream for more sophisticated authentication as we go into the age of AI deep-fake voices and video.

Because authentication doesn't need a terribly large bandwidth, indeed we can do it with a tiny amount, side-channels within the audio stream seem a good leverage point.


Do you think telephone-based banking is more secure than app-based banking? What's your argument for that?

My experience with talking to banks on the phone has been that common security measures seem laughable to me - like "last four digits of your SSN" laughable.


Good question. Yes I think it's more secure if complemented with other good mechanisms. I agree that the current state of most voice based schemes is pretty poor. But those that involve a separate codebook can be quite tight.

Like all things it's more secure in the hands of people moderately educated in protocols and sufficiently sceptical.

A general security problem, perhaps a paradox, is that the more we try to hide it for "convenience", the more opaque and automatic, the more people come to blindly depend on the mechanism at some other layer and stop thinking.

I suppose what makes voice based interaction more secure is that it's slower. It gives more time for levels of security in depth and for people to figure out something is amiss.

But we'll have to see how that pans out with sophisticated voice-spoofing technology because I expect most people, even well educated and sceptical ones, are easily flipped into trust mode by the sound of a seemingly familiar voice and some clever replay attacks.


How do you expect that to work? Their app would either need to have access to all your phone calls, or you'd need separate hardware to detect and authenticate the audio?


Correct, an app would need to read the audio stream and do some preparatory DSP to extract audio short codes.

Of course you could build standards in at a point closer to the radio basebands. I mean, why is basic source authentication not built in as far back as SS7 given we had the technology even in the 1970s?

The only time you'd be using the app would be if receiving a call from an untrusted caller. And if you don't trust the app period, then the game is off anyway. In theory the same app could hold certs from a number of "trustworthy" sources you might like to check; much like a TLS certificate.

But in the end you'd wind up with too many, and hard to keep track of, and then buffoons like those from the EU commission would be wanting to "force trust" upon you to authenticate "approved government sources" - which sadly is the problem with all source authentication schemes that work with PKI this way. You really need to keep the application layer relation 1-to-1.

I prefer simpler, elegant solutions - like your bank should never call you or push ANYTHING which is why I called it both a good and bad idea, and generally I distrust the whole ecosystem, of "apps" anyway.


I have another idea for Monzo: never call people.

You can't rely on people being able to talk on the phone for accessibility reasons, so it should never be necessary to call people on the phone.

Instead, handle things by the app or wait for customers to call you.


From that article:

> Remember, we will never call you without arranging it with you first through in-app chat.


Right - so why not simply ask people to call them? It would make it a lot simpler to ensure there's no fraudulent calls. No need for some fancy verification method like the one outlined in this article.


The app verification method is better - it helps protect against people being tricked into calling a fake number (through a deceptive text message, email or internet search).


If people can be convinced to use the app for verification, why can't they be convinced to use the app to find the correct number to call? I think the latter is much more natural for most.


I also like that I can skip a lot of the authentication steps by requesting a call from within the app - that way they already have a head start on identifying me when the call starts.


this is a cool feature!

i had someone call me recently claiming to be from coinbase and try to get me to enter a password reset code into a site hosted at “w-coinbase.com”. they claimed my account was compromised and “locked” (it wasn’t).

i humored the guy and asked for a help page from coinbase that listed “w-coinbase.com” as one of their official domains. the genius asked me to trust him, or i could talk to his manager who would share my ssn with me as “proof”.

i talked to the guy for like an hour asking him to put himself in my shoes, or explain why i couldn’t address the issue myself with a password reset or redoing my mfa setup. he got really angry, saying i was berating him for doing his job.

i suggested he give me a case number and i’d call back into coinbase’s support line. he gave me a six digit number and then hung up abruptly when i said i’d call him back.

it was glorious.

anyway, everyone should have a feature like this.


nice, Atomic Shrimp vibe!


Monzo is bleeding edge in many things, but their customer support is making people leave this bank. It used to be one of the best in the UK, now it's just hard to find a worse one.

Read about the stories here https://old.reddit.com/r/UKPersonalFinance/comments/17kvo4j/...

>TSB reimbursed 15 times more customers’ fraud losses than Monzo in 2022

https://www.theguardian.com/technology/2023/oct/31/tsb-reimb...


We're at the point now, particularly where a phone app is part of the security process, that the phone app itself should have direct/private "phone" calling capability between the user of the app and the company. Obviously we have this within common chat apps, and we know there are good open source frameworks for doing this.

Company calls consumer via their private company-to-app system, app alerts user of an incoming communication request, and user accepts and has a voice conversation.

Then of course it becomes a question of the security quality of the app and communication design between it and the company, but presumably if that is broken then any app-based status or verification would also be broken.


Interesting approach, I'd worry call times would get longer (annoying customers, increasing call center costs). I also wonder how many customers would actually check, if it's a small number then it seems like this just pushes liability to the customer.


In some jurisdictions I'm pretty sure you cannot shift this liability and this might just be a way for the bank to cover its own losses instead of ass.


people who fall for scams on phone are the ones who wouldn't hear about news like this.


Don't be so sure of that. A lot of really smart people can fall for scams because they are caught off-guard or are focused on getting something done, discarding some necessary caution along the way.


This feels like it would be useful as a general protocol. A signed app on your phone can register some special endpoint into a registry that responds with whether the user logged into the app is being called. Put some button in the phone interface for “Verify”, which pings all of these endpoints, and either shows a logo and a success message, or an unknown caller warning.

You wouldn’t want it to ping these services on every call, so it would have to be an action you just train people to do.

Better than hiding it in an app though, this should be an OS concern somehow.
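The registry-and-verify-button protocol sketched in this comment, reduced to its data model as an added example (not the commenter's code, and not any OS, bank or Monzo API): each provider keeps a record of the outbound calls its agents have started, keyed by customer, and the phone's “Verify” action fans out to every provider the user has registered. Provider names, customer ids and the 15-minute staleness window are assumptions.

```python
import time
from dataclasses import dataclass
from typing import Optional

CALL_TTL_SECONDS = 15 * 60  # assumed: an outbound-call record older than this is treated as stale


@dataclass
class ActiveCall:
    customer_id: str
    started_at: float
    agent: str


class ProviderRegistry:
    """One provider's 'am I calling this customer right now?' endpoint (hypothetical)."""

    def __init__(self, name: str):
        self.name = name
        self._calls: dict[str, ActiveCall] = {}

    def start_call(self, customer_id: str, agent: str, now: float) -> None:
        # Recorded by the provider's own dialer when an agent places a call, never by the caller.
        self._calls[customer_id] = ActiveCall(customer_id, now, agent)

    def end_call(self, customer_id: str) -> None:
        self._calls.pop(customer_id, None)

    def is_calling(self, customer_id: str, now: float) -> Optional[ActiveCall]:
        call = self._calls.get(customer_id)
        if call is None or now - call.started_at > CALL_TTL_SECONDS:
            return None  # no record, or a record the agent forgot to close long ago
        return call


def verify_incoming_call(providers: list[ProviderRegistry], customer_ids: dict[str, str], now: float) -> tuple:
    """The phone's 'Verify' button: ask every registered provider; first positive answer wins.

    customer_ids maps provider name -> this user's id at that provider (what the signed app registered).
    """
    for provider in providers:
        cid = customer_ids.get(provider.name)
        if cid is None:
            continue
        call = provider.is_calling(cid, now)
        if call is not None:
            return ("verified", provider.name, call.agent)
    return ("unknown caller", None, None)


def demo() -> tuple:
    bank = ProviderRegistry("examplebank")      # constructed
    other = ProviderRegistry("otherbank")       # constructed
    ids = {"examplebank": "cust-123", "otherbank": "cust-987"}  # constructed
    t0 = 1_700_000_000.0
    before = verify_incoming_call([bank, other], ids, t0)
    bank.start_call("cust-123", "agent-42", t0)
    during = verify_incoming_call([bank, other], ids, t0 + 60)
    stale = verify_incoming_call([bank, other], ids, t0 + CALL_TTL_SECONDS + 1)
    bank.end_call("cust-123")
    after = verify_incoming_call([bank, other], ids, t0 + 120)
    return before, during, stale, after


if __name__ == "__main__":
    print(demo())
```

Because the record is written by the provider's own outbound dialer and keyed by the customer being called, a third party ringing the provider separately (the question raised further down the thread) creates no entry for you, and the button still reports an unknown caller. The remaining weak spot is exactly the one the comment names: the customer has to remember to press the button at all.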


Monzo are horrible.

Hate them, they closed my account a few months after opening it without any reason or ability to appeal.

I did nothing wrong, just a normal user, was just testing it out the first couple of months so didn't use it for much, was about to move everything over to it and then they closed my account and I can never have an account with them again.

Awful company, who pretend to be friendly and cutting edge, but just gatekeep customers and cut them off without warning for whatever reason they wish.


I absolutely love this feature so much. I work at a competitor of Monzo and this is definitely something I'll bring up with our Product team to see if we are thinking about this.


I live in UAE, and everyone here has a pretty sophisticated government ID, linked to a smartphone app, that performs single sign-on for all government services. Your ID number is not especially secret.

Anyway, a frequent scam here is that someone calls you claiming to be the police or the government, and then generates a SSO request on your phone via trying to sign in to a government website using your EID number, and the request certainly adds a layer of seeming authenticity.


I'm confused, how easy do they think it is to answer the phone, and then use the phone simultaneously for a call while opening their app and (presumably) authenticating with the app in order to get this information?

I can barely handle adding a calendar event while on a call without accidentally hanging up or something, what a weird UI.

Why do they not just contact you via their installed app if they're going to assume you have it installed...


I just don't pick up the phone to numbers that are not saved in my contacts anymore - seems to have saved me a tonne of hassle.


It's a cat-and-mouse game of banks saving money by closing branches (or never having them in the first place) and wanting to make fraud as much the customer's fault as possible, and implementing new laws to shift some of the burden back to the banks and other organisations and creating toothless regulators for political marketing purposes.


Bank apps should have the ability to see if you're on a call when the app is opened. If this is the case and the call doesn't actually originate from their systems, they should ask you whether you're currently being called by them and freeze your account if yes is clicked.


This is insecure because it relies on people having the app installed and knowing to check it. Why not call the user through the app itself? Why not send a notification through the app telling the user to find the official support line and call that?

Banks should not call you anymore since it cannot be trusted.


For context, the app is Monzo bank. You can’t bank with them without the app, they’re a challenger bank. Essentially all interaction is through that app. What surprises me is that they didn’t just put a WebRTC call function hidden in the app so they could call you over a secure channel in the rare case that they needed to call you.


Interestingly, ING Bank in Poland just introduced the same, as well as U2F key support.

https://niebezpiecznik.pl/post/istotne-zmiany-w-aplikacji-mo...




After an unfortunate event I managed to teach family members to never do any kind of bank actions in a call where they were the ones being called. Always end that call and then call the bank support back using the number they all know how to find on their credit/debit cards.


Most irritating thing the Amex did recently to me is to call me from a random number and then proceeded to ask me for my personal details like date of birth etc for "verification purposes". I promptly refused to provide any details as I have no way to authenticate them and cut the call. They are basically educating their customers to become vulnerable to fraudsters and I told them as much. But the call center person is the wrong person to hear that from me.


1. Bank notifies you to call them, but you initiate the call.

2. Bank confirms your identity with some inconsequential piece of information: a verbal passcode, the approximate dollar amount of two recent transactions, etc.

If the bank initiates the call, ask for their name and call the bank back.


I would almost bet that 100% of those susceptible to scams won't remember to check an app for call verification.

Or, maybe I'm just a skeptical curmudgeon...


What if the scammer initiates a call with the company, separate from the call they're having with you? What will that indicator say?


The problem is not with the call but with who is calling you. If you can authenticate the caller, all’s fine.


Someone has to say it… if I get a phone call and it’s an Indian, it’s 100% a scam and I hang up. Good rule to live by these days.

