1. 32
  1. 22

    I’ve been complaining to banks for over a decade that they train people to fall for this kind of scam. They cold call their customers and require the customer to authenticate by providing information about the account, before the bank will tell you anything. At the start of the conversation, neither party knows that the other party is who they claim to be, but the bank has a bit higher confidence because they’ve called a number that’s on file. The customer has absolutely no information in the other direction: they have the caller ID number, which can be forged, and absolutely nothing else. The burden should be on the bank to prove that they are the bank, at the start of the conversation.

    In the last year, Barclays has finally started doing something about it. The people that cold call you are now able to send a secure message through the app. If they call you, you log into the app, and see a message saying ‘hello, I am {person} from Barclays, I am talking to you on the phone’ then you know that one of the following is true:

    • They are from the bank.
    • They have compromised the bank’s back-end system.
    • They have compromised the device that you’re running the app on.

    Of these, the first is probably a safe assumption. If it’s the second, you’re completely screwed anyway in the short term, but it’s definitely the bank’s liability. If it’s the third then they have probably compromised the app to the extent that they could also instruct it to make transactions on your behalf, so there’s not much of a downside to talking to them.

    1. 5

      A few years back, a friend of mine was at the bank when he received a phone call from the corporate call centre of that same bank. He did trust the unsolicited call, so he turned it over to the assistant branch manager he was currently speaking with to confirm that this wasn’t a scam.

      Several weeks later, he got a call back from the branch manager confirming that it had been a legitimate call. It had taken their own security team that long to figure out whether or not their own calls were legit.

      1. 5

        My company just switched to SAP Concur for expense reporting. Soon after, I got an email asking me to complete my profile. The link went to “http://links.concurtechnologies.mkt7817.com/els/v2/XXXXXXXXX”. Going to mkt7817.com showed a generic Anti-Spam and Privacy statement. Nothing to do with SAP Concur, although there’s an “abuse@silverpop.com” email listed; silverpop.com gets bounced to “acoustic.com”, which talks about “Curating the Banking Experience.” Despite all appearances, it was a legitimate email.

        I have no clue why a purportedly experienced and professional company would think this is OK.

        1. 5

          100%. I just got a call from my local Chase branch the other day: “Hi this is Jack from Chase, I wanted to discuss your account.” A google of the phone number didn’t even link back to the bank. I told him I needed some verification.

          He sent me an email from his Chase email account that was verifiable, but I remember having the same feeling like, given the scams that are ongoing why would Chase communicate with customers like this as a policy?

          1. 4

            He sent me an email from his Chase email account that was verifiable

            How was it verifiable? I bet most Chase customers aren’t able to verify DKIM signatures reliably…

            1. 2

              Most are not, I’m a security engineer so it’s not a big deal for me. Actually I have Thunderbird set to verify DKIM automatically.
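What “verifying DKIM” on such an email actually involves, as an added example that is not part of any comment in this thread: the verifier parses the `DKIM-Signature` tags, canonicalizes the body and the signed headers (RFC 6376 relaxed mode), checks the body hash `bh=`, and only then checks the RSA-SHA256 signature `b=` over the canonicalized headers using the public key in the `selector._domainkey.domain` DNS TXT record. The code below does everything up to that last step; the message, the `example.com` domain, the `sel` selector and the placeholder `b=AAAA` are constructed for the example, and the RSA check is left to the caller because it needs the key from DNS.

```python
"""DKIM (RFC 6376) body-hash and canonicalization checks: an added example.

Assumptions: the sample message below is constructed; domain 'example.com'
and selector 'sel' are hypothetical; the final RSA-SHA256 check of b= is not
done here because it needs the public key from sel._domainkey.example.com.
"""
import base64
import hashlib
import re


def parse_tags(value: str) -> dict:
    """Parse a DKIM-Signature tag=value list, dropping folding whitespace."""
    tags = {}
    for part in value.split(";"):
        if "=" not in part:
            continue
        k, v = part.split("=", 1)
        tags[k.strip()] = re.sub(r"\s+", "", v)
    return tags


def canon_body_relaxed(body: str) -> str:
    """Relaxed body canonicalization (RFC 6376 3.4.4): collapse runs of WSP,
    strip trailing WSP per line, drop trailing empty lines, end with CRLF."""
    lines = [re.sub(r"[ \t]+", " ", ln).rstrip(" \t") for ln in body.split("\r\n")]
    while lines and lines[-1] == "":
        lines.pop()
    return "\r\n".join(lines) + "\r\n" if lines else ""


def canon_header_relaxed(name: str, value: str) -> str:
    """Relaxed header canonicalization (RFC 6376 3.4.2): lowercase name,
    unfold, collapse WSP, strip, no space after the colon."""
    value = re.sub(r"[ \t]*\r?\n[ \t]*", " ", value)
    value = re.sub(r"[ \t]+", " ", value).strip(" \t")
    return f"{name.lower().strip()}:{value}\r\n"


def body_hash(body: str) -> str:
    """bh= value: base64(SHA-256(canonicalized body))."""
    digest = hashlib.sha256(canon_body_relaxed(body).encode()).digest()
    return base64.b64encode(digest).decode()


def split_message(raw: str):
    """Split raw RFC 5322 text into [(name, value)] headers and the body."""
    head, _, body = raw.partition("\r\n\r\n")
    headers = []
    for line in head.split("\r\n"):
        if line[:1] in (" ", "\t") and headers:  # folded continuation line
            headers[-1] = (headers[-1][0], headers[-1][1] + "\r\n" + line)
        else:
            name, _, value = line.partition(":")
            headers.append((name, value))
    return headers, body


def check_dkim(raw: str) -> dict:
    """Everything a DKIM verifier does before the RSA step.

    'body_hash_ok' is the bh= check; 'signed_data' is the exact byte string
    the b= signature covers, to be verified by the caller against the public
    key published at {selector}._domainkey.{domain}.
    """
    headers, body = split_message(raw)
    sig_value = next(v for n, v in headers if n.lower() == "dkim-signature")
    tags = parse_tags(sig_value)
    if tags.get("c", "simple/simple") != "relaxed/relaxed":
        raise ValueError("this example only implements relaxed/relaxed")
    # Signed headers are taken bottom-up, each occurrence used at most once.
    remaining = list(headers)
    signed = ""
    for name in tags["h"].split(":"):
        for i in range(len(remaining) - 1, -1, -1):
            if remaining[i][0].lower() == name.lower():
                signed += canon_header_relaxed(*remaining.pop(i))
                break
    # The signature header itself goes last, with b= emptied and no final CRLF.
    stripped = re.sub(r"(^|;)(\s*)b=[^;]*", r"\1\2b=", sig_value)
    signed += canon_header_relaxed("DKIM-Signature", stripped).rstrip("\r\n")
    return {
        "domain": tags["d"],
        "selector": tags["s"],
        "body_hash_ok": body_hash(body) == tags["bh"],
        "signed_data": signed.encode(),
        "signature": base64.b64decode(tags["b"]) if tags.get("b") else b"",
    }


SAMPLE_BODY = "Hi,\r\n\r\nPlease call me back about your account.  \r\n\r\n"


def build_sample(body: str = SAMPLE_BODY, bh_for: str = None) -> str:
    """Constructed sample message (not a real bank email). bh= is computed
    from bh_for (default: body) so a tampered body can be demonstrated;
    b=AAAA is a placeholder, not a real signature."""
    return (
        "From: Jack <jack@example.com>\r\n"
        "To: customer@example.net\r\n"
        "Subject: Your   account\r\n"
        "DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=example.com;\r\n"
        "\ts=sel; h=from:to:subject; bh=" + body_hash(bh_for or body) + ";\r\n"
        "\tb=AAAA\r\n"
        "\r\n" + body
    )


if __name__ == "__main__":
    print(check_dkim(build_sample())["body_hash_ok"])  # True
    tampered = build_sample(SAMPLE_BODY + "Send the code to me.\r\n", bh_for=SAMPLE_BODY)
    print(check_dkim(tampered)["body_hash_ok"])  # False
```

Note that relaxed canonicalization deliberately ignores trailing blank lines and whitespace runs, so those edits do not break the body hash; and passing `bh=` only tells you the body matches what the signer hashed. Whether the signer is really `d=example.com` rests entirely on the `b=` check against the DNS-published key, which is the step a mail client such as Thunderbird performs for you.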

          2. 3

            The banks here have been doing electronic ID for about 20 years and I don’t recall getting a single call ever.

            I wonder what the scams here are like.

            1. 1

              Here it’s phishing email. The banks I’m with have clear communications, strong paper-based auth since before apps, and perpetual warnings about frauds everywhere.

              Their problems are with UX and shitlisting rooted androids/Sailfish’s android support, but scams are easy to pick up on cuz it’s all email.

              Or I’ve been lucky and only received those “support” calls from “Microsoft”.

            2. 2

              I’m not sure my banks have a phone number for me. If they tried to call me they would only get voicemail.