Also, they still expect you to authenticate when they phone you. No, I'm not going to tell you my birthday when you phone me. No wonder so many people get scammed, when banks are training people on how to get scammed.
Recently had to call Discover because of unauthorized use of card, apparently to buy Facebook ads of all things. They didn't call me, just locked my account and said I had to call them. I couldn't even pay the balance until I did.
Anyway they needed to verify my identity, so they ask me for some info from the back of the card and a phone number that they can send the OTP to. I give them a phone number, it's not even the one on the account, they send the text to it. The text message says that the bank will NEVER ask for the code over the phone. They ask for the code, I give it to them, identity verified.
> and a phone number that they can send the OTP to. I give them a phone number, it's not even the one on the account, they send the text to it.
This regularly blows my mind.
Presumably it’s some data broker or phone carrier integration, because for me, the answer is usually “sorry, we can’t verify that number, is this a postpaid contract in your name?”
No, it’s not. Oh, that’s a requirement for doing business with you? In that case, I won’t.
People get new phones and new phone numbers. Frequently, compared to landline days. The alternative is to be permanently locked out of everything if you get a new phone number.
Well, I’m not doing business with a company that trusts any random phone carrier’s identity assertion more than me in determining what is and isn’t my phone number, so I guess it works out nicely.
And if a company can’t be bothered to have a fallback verification flow in case I do lose access to my phone number somehow, that doesn’t increase confidence either. I’m a person, not a phone number.
The parent's gripe is presumably about many bad SMS-based 2FA implementations banning non-post-paid numbers from use.
E.g. Blizzard (assuming they still do this)
If they want to be aggressive about fraudulent activity, fine, but don't restrict perfectly valid phone numbers from being used in their required 2FA scheme.
Background check for a new employer resulted in me getting an email to my personal account:
"Hi, I'm XYZ from XYZ background checks, I'm conducting your pre-employment check, and I just want to confirm that your full name is V, your DOB is W, your place of birth is X, your address is Y and your full SSN is Z...
... and that this is the correct email address for you. Please confirm."
Holy hell. Thankfully I reached out to the employer about this (and the background check company's attempt to reach out to my partner on Facebook for ... something? This wasn't a security check, just a regular employment background) and they were as horrified as me, apologized, and fired their background check provider.
Hah, my employer in Sweden recently started using one of these security training companies. They send you emails with some online courses you're supposed to do and then occasionally send phishing attempts etc., and when you fall for one they send you an email about what you did wrong.
Out of interest I clicked on the link in one of their "phishing" emails and I was redirected to a link where they essentially told me "never click on links in emails, you never know where they lead to". One week later I get an email "please click on this link to complete the second part of your course". Obviously I never completed their course, they told me never to click on links.
What's even worse is that they don't even use their own domain for the courses, but some random looking domain.
I'm a software dev. When I get phishing mails I often click the links to check out what the scam is. I open them in a separate browser I don't usually use, so there isn't anything in it for the phishing site to gobble up. And yeah, I trust that the browser sandbox is good enough, that no one is going to waste a zero-day exploit on me in order to break it; hackers also have economic constraints. If I was working on something super sensitive, then I should use a VM, but I'm not, so I don't.
I also did this at work, and yeah, it was a fake phishing mail sent by a security company, and I had to do a quick 20 min online course on email security best practices. Yay. Me and like 3 other dudes, who clearly all also understood it was phishing and were just curious about the scam.
When they introduced the weird fake phishing mails at my last work place I checked the email headers and just filed it into a separate folder. My coworkers were happy to get rid of the spam as well.
Wells Fargo too. Every other banking institution says never to give an OTP to someone on the phone, but that's exactly how WF verifies you when you call them. The only thing is that they do text the number already on file with them, not a number you give them on the fly, but that's only microscopically more secure.
My rule is simple: if you contact me, you are the one that had to authenticate. Otherwise you are probably a scammer.
Although, I haven’t had many instances of communications from my bank where I cared about them authenticating. Like, if they tell me there is a problem, I can go check it out through the app, website, or whatever the user-initiated channel is. When I feel like it.
I don’t have a good way to authenticate someone is calling from the bank on my end.
I ask what the basic issue is, then call the general bank number (or a number to their department, which I validate online before calling it). That way I’m initiating the call to a trusted number, and they can go through their process to authenticate me. Every time I’ve done this the person calling has understood and seemed to appreciate the caution.
Unless the system you use to check that balance is compromised on your end or their end. If you have malware, they can be looking at the same numbers you’re looking at, so that isn’t fool-proof. If your account is already compromised, they may just be phishing for 2FA tokens to initiate some kind of account change, like the kind that would complete their total account takeover, at least until you or the bank notices suspicious activity.
It is such a goddamned tragedy that we’ve come to this. And also an avoidable one: every E2E messaging app (WhatsApp, Android Messages, iMessage) should be able to properly authenticate the caller. But I presume services are asking too much money for this, and nobody wants to hand yet another vital service to Apple/Google/Meta. So instead we all suffer.
Be careful what you wish for. This problem is solved in China — you can contact many government agencies and major companies over WeChat and be sure that you're talking to the real entity, but the downside is that WeChat has a copy of your passport and knows everything about you.
Most scams in China are a mix of romance and investment scams.
Since WeChat allows accounts created outside of China, it's these accounts that are used. And it's why there are times it's a pain to create a WeChat account outside of China.
The financial transactions all take place outside of WeChat.
I stick to this except when I make some unusual credit card purchase and immediately get called to verify it. I don't like it, but usually I need to make the purchase. If someone had the feed of risk denied CC purchases, they could gather a lot of personal information. Probably there is lower hanging fruit for fraud.
Can be both. You need something from a bank (for example a money transfer), and they call you to confirm. In my case this is 99% of all incoming bank calls to me.
I don't know what your point is then. I've gotten important calls about fraud that it was certainly in my interest not to ignore. And it's easy to call back to verify it's the bank.
It's stupid to give out credentials over the phone, but it's stupider still to have a system where one's birth date is a credential that is supposed to remain confidential.
If only there was tamper-proof, cryptographically secure chip in everyone's pockets, coupled with a handheld device that can wirelessly "read" that chip.
If it's in your pocket, then you might leave it in your other pants. Better to just have that chip embedded in your palm. You can even fashion it with LEDs that change color with your age. When you reach 30, you can then be told your Last Day has arrived and they are ready for Carrousel. I'm sure we can fold in plenty of other sci-fi tropes all at the same time too
Birthdates are frequently asked in US health settings not as a protection against attack, but as a protection against mistake.
They are not worried that someone is going to come in, and steal your appointment. They are worried that someone with the same name as you might show up on the same day and the doctor might treat the wrong patient with the wrong information.
This is a completely different risk profile than a form on the internet.
I have the same name as my father (first and last, different middle). We live at the same address. It’s a small town so we share a lot of the same doctors. We use the same pharmacy.
For just a bit of extra spice, our birthdays are only two days apart.
This is how we unintentionally found a relative of my former girlfriend. Went to a small pharmacy to pick up medicine for DF, where the F is a really weird last name. They were like I just filled that, reached back and grabbed it and set it on the counter. I noticed it was the wrong address...
A person she hadn't seen or talked to in 20 years had moved to this town neither of them were from and named their kid the same name.
For sure, my dad lives in the same town as someone with the same (relatively uncommon) name as him who is roughly the same age. This causes confusion all the time with local services and organizations (especially since the other guy has had some, err, unflattering encounters with the legal system).
They also should be specific to ask you to say it, not confirm what they say
Because I have literally seen this go wrong: “Mr John Smith, you’re here for procedure X, yes?”
“Yes”
Some other provider overhears: “I thought that was Mr Jones for procedure Y”
“Are you Mr smith or Mr Jones?”
“Mr Jones”
“Then why did you say yes when I asked if you were Mr Smith”
“I assumed you knew best”…
I had someone ask for my name. I told them my first and last name. They said it wasn't correct. After a few minutes of discussion, it turns out the person wanted my name as it appeared on my card, which is first name, middle initial, last name and a suffix. I told the person as feedback that what they asked for and what they wanted were two different things. I'm not optimistic that anything will change.
No it’s the lack of the banks setting up incentives that allow these agents to act in a better manner.
They have metrics and bosses. They do what they’re instructed to do by the banks, full stop. Or likely more precise the company that the bank contracted for the service.
It’s dehumanizing to suggest these folks lack critical thinking skills, given that the incentives of the whole thing, from the top down, drive their behavior. They’re only responding to the incentives of the system.
The complete lack of ANY kind of security, usability, and reference-ability in telephones and the continued use of them as the default communication method in business is absolutely fucking baffling to me. It's literally the worst communication method for anything: It requires verbal back and forth between two parties that's entirely dependent on your hearing the other person, with built in opportunities for mishearing. The immediate back and forth puts pressure on people to have everything they need ready lest they have to take time to respond while they figure something out. The entire conversation unless recorded is completely lost to the ether as soon as it ends, there's no way to reference back to any history, and transcriptions over crappy phone connections are less than useless. And to top it off, there is NO security AT ALL for these things, and any attempt to screen by contacts is constantly thwarted by every business that exists having between 4 and 4 billion fucking phone numbers because everything is done with phones and everyone working there needs one.
I swear, if I got one wish from a genie, I would banish the phone from existence. It's the worst for goddamned everything. Video calls, skype calls, discord, email, texts, messaging, literally everything is better than the shitty old phone.
The passcode to call your bank for basic customer service probably shouldn’t be the same passcode that lets people spend money on your account. Even TOTP is better than this.
There are absolutely ways to intercept a call from a targeted user that would be viable to use to gain access to a mid to high value user's funds.
SS7 call routing and rogue 2G base stations are some potential approaches.
In terms of banking security, a good (ideal) architecture would treat the user PIN as a credential which is not transmitted over insecure means. Unfortunately many banks don't do this right, and still support bank-side PIN verification (with the PIN sent over the wire to the bank), rather than using the bank card's smart card features to carry out on-chip PIN verification.
If you built a bank from scratch, for security first, you'd likely still use smart cards as bank cards, but you'd only do PIN verification on-card, so the user PIN is never exposed to even the bank - the card can securely vouch for the PIN in a manner that's far more costly for an attacker to defeat than using a $5 wrench against the user of the card to make them reveal the PIN (h/t to XKCD).
Sending the card number and PIN over the phone is just asking for trouble - mobile phone calls are decrypted at the base station and available in the clear, before being transmitted up into the wider telecoms network.
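To make the "on-card PIN verification" architecture in the comment above concrete, here is an added toy model (example code, not EMV and not any bank's implementation). The card object holds the PIN on-chip, answers a VERIFY-style yes/no with a retry counter, and then signs the transaction plus its own "offline PIN checked" statement with a MAC key it shares with the issuer. The issuer object has the MAC key and an anti-replay counter but no PIN, which is the whole point. Key values, the PAN, the HMAC-SHA256 cryptogram and the field layout are assumptions for this example; real cards use issuer-derived 3DES/AES session keys, APDUs and the ARQC format.

```python
import hashlib
import hmac
from dataclasses import dataclass

# Constructed per-card MAC key. In a real scheme it is derived from an issuer master key
# and personalised onto the chip. The issuer holds this key, but NOT the PIN.
CARD_MAC_KEY = bytes.fromhex(
    "000102030405060708090a0b0c0d0e0f101112131415161718191a1b1c1d1e1f")


def _cryptogram_input(pan: str, amount: int, atc: int, cvm: str) -> bytes:
    """Fields covered by the cryptogram (assumed layout for this example)."""
    return f"{pan}|{amount}|{atc}|{cvm}".encode()


@dataclass
class SmartCard:
    """Toy EMV-style card: the PIN is compared on-chip and never leaves the card."""
    pan: str
    pin: str                 # stored only on the chip
    mac_key: bytes
    retries_left: int = 3
    atc: int = 0             # application transaction counter, bound into every cryptogram

    def verify_pin(self, candidate: str) -> bool:
        """VERIFY-style command: answer yes/no, decrement the try counter on failure."""
        if self.retries_left == 0:
            return False                         # PIN blocked; the terminal cannot unblock it
        if hmac.compare_digest(self.pin.encode(), candidate.encode()):
            self.retries_left = 3
            return True
        self.retries_left -= 1
        return False

    def generate_cryptogram(self, amount: int, pin_verified: bool) -> dict:
        """MAC over the transaction including the CVM result, so the issuer can trust the
        card's statement "offline PIN checked" without ever seeing the PIN."""
        self.atc += 1
        cvm = "offline_pin_ok" if pin_verified else "pin_not_verified"
        mac = hmac.new(self.mac_key, _cryptogram_input(self.pan, amount, self.atc, cvm),
                       hashlib.sha256).hexdigest()
        return {"pan": self.pan, "amount": amount, "atc": self.atc, "cvm": cvm, "mac": mac}


class Issuer:
    """Bank side: knows the card's MAC key and the last ATC seen, nothing about the PIN."""

    def __init__(self, mac_key: bytes):
        self.mac_key = mac_key
        self.last_atc = {}

    def authorize(self, msg: dict) -> bool:
        expected = hmac.new(self.mac_key,
                            _cryptogram_input(msg["pan"], msg["amount"], msg["atc"], msg["cvm"]),
                            hashlib.sha256).hexdigest()
        if not hmac.compare_digest(expected, msg["mac"]):
            return False                         # tampered amount/CVM, or not this card
        if msg["atc"] <= self.last_atc.get(msg["pan"], 0):
            return False                         # replayed cryptogram
        self.last_atc[msg["pan"]] = msg["atc"]
        return msg["cvm"] == "offline_pin_ok"


def terminal_transaction(card: SmartCard, issuer: Issuer, pin_entered: str, amount: int) -> bool:
    """What a terminal does: hand the PIN to the chip, forward only the cryptogram upstream."""
    pin_ok = card.verify_pin(pin_entered)
    return issuer.authorize(card.generate_cryptogram(amount, pin_ok))


if __name__ == "__main__":
    card = SmartCard(pan="4000123456789010", pin="1234", mac_key=CARD_MAC_KEY)  # constructed
    issuer = Issuer(CARD_MAC_KEY)
    print("correct PIN:", terminal_transaction(card, issuer, "1234", 2500))
    print("wrong PIN:  ", terminal_transaction(card, issuer, "0000", 2500))
    print("issuer has a PIN attribute:", hasattr(issuer, "pin"))
```

Contrast this with "bank-side PIN verification": there the terminal or phone agent ships `pin_entered` upstream and the issuer compares it against a stored value, so every hop in between, the call centre included, is a place the PIN can be captured.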
While this is true, this is a completely different threat model than most people face.
For 99% of people, 99% of the time, what they need to worry about is someone calling them suspiciously asking for key information.
The fact that targeted attacks like that exist does not make it a good idea to treat them as ubiquitous. People with the kind of money that would make executing such an attack worthwhile should be expected to take higher precautions than the rest of us with it.
In Germany, paying for goods online using Sofort (direct bank payment, not buy now pay later) literally involves typing in the same credentials used to log into online banking, that’s your account number, branch and PIN, followed by scanning a “TAN” similar to a QR code using the bank app. The only thing stopping them taking my data and logging into my banking it seems is the TAN app part, that could easily be phished.
Is this another incarnation of Sofort? Fortunately nobody is forced to use the former or the latter; you can either pay with card or just make your own SEPA transfer from any bank in Europe.
At least in Lithuania the "nobody is forced to use" is partly true. Sometimes in the checkout flow you get links to the big-5 banks and that's it, even though technically the entire SEPA should be OK.
It was a proud day when my bank stopped sending emails with links in them. Of course their outsourced fraud prevention dept still calls and leaves messages with callback numbers, or just asks me for PII. Fuck off.
Send people to the website to find your number, idiots.
My bank also promises to never send links. Instead, it sends all of its messages as images without any alt text, and these images sometimes contain links to retype.
My dad recently got a letter telling him that his bank account would be closed in 30 days if he didn't call the phone number listed on the letter.
Upon calling the number, you get an automated system that immediately asks for your social security number and won't let you proceed until you do.
The phone number was nowhere to be found on the bank's website nor did it appear in a single Google result.
Sounds like an obvious scam, right? Nope. It was genuinely one of the bank's official phone numbers, and I had to nag them through three separate channels to get them to add it to their website, which they did a week later.
Businesses that expect me to hand over PII when they call me certainly do get upset when I point out that I have no idea who THEY are, and that THEY called me so the onus is on them to prove who they are (typically they will claim their phone number is enough, or that I should ring the phone number that they provide).
The actual truth is, though, that the security theatre that they put on is about all that can be done when two strangers meet to prove identity.
Hey you do you know a secret that we know about you? Here's a secret about us that you are supposed to know.
Social Security just tried to authenticate my wife's birthday this way. She told them no, give me your phone #. It googled to SSA in Alabama and she called it up and proceeded from there.
I had a revelation this year. I have a new bank account and am not familiar with their procedure. In the first few calls they made to me, they asked some good questions; aside from my name they were negative, e.g. "did you do X thing in your app", when we both know that I did not. But then last time an operator called and asked me PII questions (birthday, address etc.). I got triggered and said "eh, sorry, won't tell you because it's unsafe". And she went "oh, no problem then, I will auth you in the app". Lo and behold, I immediately got a push from the bank app with her name, the phone number calling and some details. So they do have a perfectly 1) safe, 2) repeatably reliable, 3) and fast way to authenticate customers. They just mostly ignore it. I still simultaneously like them and am angry at them.
tl;dr - bank calling you can do auth digitally on phone, but don't do it and don't advertise it to clients.
Banking is pretty dysfunctional in Sweden. Lots of bank employees seem not to want to work, i.e. they were refusing to open a bank account for me on an EU passport until I asked for written confirmation (which they have to give by law), when suddenly it wasn't a problem anymore (a colleague went to the same bank some months later, same employee, was told the same thing, so it's not that they don't know the rules). That said, they do have authentication down. Essentially you use your mobile bank id (an app that you connected via your id card) and when they need to authenticate you they push a notification to your phone that you confirm (using a PIN). The only annoying thing is that mobile bank id only works on Android and iOS.
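The in-app push approval described in the two comments above (an agent's call confirmed by a notification in the bank app) is, as an added example that is not from the thread or any bank's code, roughly the exchange below. The server signs a challenge that names the agent, the calling number, the reason, a nonce and an expiry; the app refuses to even display a push whose tag does not verify, shows the details, and returns a signed approve/deny bound to the nonce; the server accepts each nonce once and only before expiry. The per-device key, field names and HMAC-SHA256 tags are assumptions to keep this stdlib-only; real deployments such as BankID use asymmetric keys on the device, but the binding and the replay/expiry checks are the same idea.

```python
import hashlib
import hmac
import json
import secrets

# Constructed per-device key, assumed to be enrolled when the app is set up on that phone.
# Only the server and the app on that one device hold it.
DEVICE_KEY = bytes.fromhex(
    "f0e1d2c3b4a5968778695a4b3c2d1e0f0f1e2d3c4b5a69788796a5b4c3d2e1f0")


def _canon(obj: dict) -> bytes:
    """Deterministic JSON so both sides MAC exactly the same bytes."""
    return json.dumps(obj, sort_keys=True, separators=(",", ":")).encode()


def _tag(key: bytes, label: bytes, data: bytes) -> str:
    """Domain-separated HMAC: a challenge tag can never be replayed as a response tag."""
    return hmac.new(key, label + b"|" + data, hashlib.sha256).hexdigest()


class BankServer:
    """Driven by the agent's desk tool: push a challenge naming the agent and the reason."""

    def __init__(self, device_key: bytes):
        self.device_key = device_key
        self.pending = {}            # nonce -> payload, removed on first use

    def issue_challenge(self, agent_name: str, agent_phone: str, reason: str,
                        now: int, ttl: int = 120) -> dict:
        payload = {"nonce": secrets.token_hex(16), "agent": agent_name,
                   "phone": agent_phone, "reason": reason, "expires": now + ttl}
        self.pending[payload["nonce"]] = payload
        return {"payload": payload,
                "tag": _tag(self.device_key, b"challenge", _canon(payload))}

    def accept_response(self, resp: dict, now: int) -> bool:
        payload = self.pending.pop(resp.get("nonce"), None)   # single use: a replay finds nothing
        if payload is None or now > payload["expires"]:
            return False
        expected = _tag(self.device_key, b"response",
                        _canon({"nonce": payload["nonce"], "decision": resp.get("decision")}))
        return (hmac.compare_digest(expected, resp.get("tag", ""))
                and resp.get("decision") == "approve")


class BankApp:
    """On the customer's phone: show only pushes with a valid tag, then sign the decision."""

    def __init__(self, device_key: bytes):
        self.device_key = device_key

    def receive(self, push: dict):
        expected = _tag(self.device_key, b"challenge", _canon(push["payload"]))
        if not hmac.compare_digest(expected, push.get("tag", "")):
            return None              # forged or altered push: never shown to the user
        p = push["payload"]
        return f"{p['agent']} ({p['phone']}) is calling you about: {p['reason']}"

    def respond(self, push: dict, decision: str) -> dict:
        nonce = push["payload"]["nonce"]
        return {"nonce": nonce, "decision": decision,
                "tag": _tag(self.device_key, b"response",
                            _canon({"nonce": nonce, "decision": decision}))}


if __name__ == "__main__":
    server, app = BankServer(DEVICE_KEY), BankApp(DEVICE_KEY)
    push = server.issue_challenge("Anna", "+46 8 000 0000", "confirm the transfer you entered", now=1000)
    print(app.receive(push))
    resp = app.respond(push, "approve")
    print("accepted:", server.accept_response(resp, now=1060))
    print("replayed:", server.accept_response(resp, now=1060))
```

Note what the customer is asked to confirm: who is calling and why, not their own birthday or address. Nothing the caller says on the phone can produce a valid push, and nothing the customer says on the phone is a credential.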