Just before Christmas my Canadian bank (RBC) texted me to say that they'd blocked a suspicious transaction. In the text message they included a phone number that I could call to get more information about the incident. It felt fishy but out of curiosity I called it and they wanted to ask me my "security questions" to confirm my identity.
I hung up and instead called the actual number on the back of the card. The whole thing was real, the bank had actually contacted me by text and sent me a follow up phone number.
Truly I don't understand what they're thinking sometimes.
The bank app was the first thing I checked when I got the text message, because I was so surprised they wouldn't have just sent me a push notification through there. And there was no indication in there was any kind of problem with the card, no sign of the pending/blocked transaction, nothing.
And they definitely have the 2FA-through-app capability because it's used for auth when I sign into online banking on a computer, where the app has to grant permission for the new device. But hilariously they don't seem to have it wired up yet for phone interactions.
Really it should be both, where the app asks you to input a code given from the person on the phone (confirms to you they're actually from the bank), and then gives you a code that you tell the person on the phone (confirms to them that you're really the customer).
Of course the more automation you put around this, the easier it becomes to MITM it, like a scammer simultaneously calls both you and the bank and passes the codes back and forth, pretending to you that the call is about a credit card offer, while using the call with the bank to drain your account. That's a lot harder to pull off with a human in the loop as the real bank person will get suspicious at the delayed responses, even barring some amount of stalling ("oh hang on I left my phone downstairs, let me find it oh god it's updating again, let me just get you that code, give me a sec here"). But it becomes trivial if the authentication is moved to IVR and by the time the human operator is on the line the call is already considered safe.
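As an added example (not from this thread), a small simulation of the two-direction code exchange described in the comment above, with a short validity window standing in for the human agent's suspicion of delayed responses. The session id, shared key, 30-second window and 6-digit format are assumptions.

```python
"""Mutual phone-call verification: bank -> customer code, then customer -> bank code.
Added illustration; the session id, shared key and 30 s window are assumptions."""
import hashlib
import hmac

CODE_TTL_SECONDS = 30  # a code older than this is rejected: the "delayed response" a human would notice


def code_for(key: bytes, session_id: str, direction: str, issued_at: int) -> str:
    """6-digit code bound to this call, to which side is proving itself, and to the second it was issued."""
    msg = f"{session_id}|{direction}|{issued_at}".encode()
    digest = hmac.new(key, msg, hashlib.sha256).digest()
    return f"{int.from_bytes(digest[:4], 'big') % 1_000_000:06d}"


def verify(key: bytes, session_id: str, direction: str, code: str, now: int) -> bool:
    """Accept the code only if it was issued for this call and direction within the TTL."""
    for t in range(now - CODE_TTL_SECONDS, now + 1):
        if hmac.compare_digest(code_for(key, session_id, direction, t), code):
            return True
    return False


def run_call(key: bytes, session_id: str, relay_delay: int = 0) -> dict:
    """Simulate the exchange. relay_delay is how many seconds each code sits with a
    middleman before reaching its real recipient (0 = honest direct call)."""
    clock = 1_700_000_000  # constructed fixed start time
    # Step 1: the agent reads a code; the customer types it into the app, which checks it.
    bank_code = code_for(key, session_id, "bank->customer", clock)
    clock += relay_delay
    bank_ok = verify(key, session_id, "bank->customer", bank_code, clock)
    # Step 2: the app shows a code; the customer reads it to the agent, whose system checks it.
    customer_code = code_for(key, session_id, "customer->bank", clock)
    clock += relay_delay
    customer_ok = verify(key, session_id, "customer->bank", customer_code, clock)
    # A code meant for one direction must not satisfy the other (each side proves itself).
    crossed_ok = verify(key, session_id, "bank->customer", customer_code, clock)
    return {"bank_ok": bank_ok, "customer_ok": customer_ok, "crossed_ok": crossed_ok}
```

The window only rejects a stalled relay; a middleman fast enough to pass codes within 30 seconds still succeeds, which is the point the comment makes about automation.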
That reminds me of my rant over some recent IRS free-filing stuff. They were basically telling users to go ahead and trust a third-party service named id.me with all their sensitive personal identifying information.
FFS guys, at the bare minimum you should have white-labeled that behind a domain like id.irs.gov! Not just to avoid mis-educating users into terrible security habits, but also to avoid giving some Montenegro DNS folks the ability to intercept or man-in-the-middle all the information.
I had my card paused SEVERAL times over the years for sketchy stuff like getting gas at the same gas station I always get gas at or buying a delivery of pizza on a Big Name Company's website. Then, two times in the past year, someone bought thousands of dollars in iPhones, rental apartments, and gasoline on my card on a different body of land than the one I live on, thousands of miles away, in rapid succession, and each of the two times it was ME who caught it because of notifications I have set up! Fraud departments at banks and card companies are fucking useless.
Another story: I was abroad, and someone got my card details and made purchases for thousands of $ in a different part of the country that I don't usually visit and certainly don't purchase stuff there for that amount of money.
Nobody even cared, but a payment I made for 2 euros wasn't accepted because reasons, and every online purchase needed some authorization.
When I called them, they said they'll look into the purchases. Well, they cancelled the purchases quite fast, but the surrealism of it all...
When I worked at another large credit card issuer, I was told the algorithm to detect fraud was essentially a black box. No one left at the company really knew how it worked or how to change it, so it was left intact and new rules were simply added on top.
There's always some third party thing I'm trying to figure out why it's telling me 'no' and not providing useful error messages and it's because they can't tell me without also telling the mischief-makers.
This is increasingly not a thing. I haven't had to do this in a very long time and my primary credit cards don't even have it in the apps/website anymore.
It is very common to test stolen cards at gas stations (relatively anonymous and available, and easy to just drive away if the card fails). If that car wash was attached to a gas station, fraud detection algorithms have a tendency for false positives at gas stations because of that.
On the flip side, it's somewhat difficult to buy an expensive TV without showing up on camera at some point. As methods for monetizing stolen cards go, it's pretty uncommon.
It seems more unreasonable to me to make arbitrary exceptions like that. I would want my RNG to be predictably random so that if 123456788 comes up I know that it's not some sort of kludge to avoid a more interesting number.
Ironically enough, that's somewhat part of their point. They're lightly mocking the parent poster who wants to erroneously correlate human intuition on what "looks" or "feels like" the obvious problem despite it having no relation to the outcome. There's absolutely no solid conclusion anyone can draw from their story about why they called for the car wash vs the expensive tv, but they wanted to pretend that it's a clear sign of fault in their fraud detection system versus any plausible explanation. I could very easily craft a narrative to flip your expectation of what should be the 'right' outcome, and in the end it's still completely irrelevant to the topic of security.
Which is to say, if someone used a random number generator and received 12345 and then huffed online about how it isn't generating 'real' random numbers in a security thread, you would be right to second guess anything they had to say if they start with an immediately false premise.
You don’t usually buy much but today you bought a very expensive TV and then got a car wash in a part of town you haven’t been to for two years.
We aren’t calling you about the TV. We’re calling about the $8 car wash.
(Actual incident)