What drives me nuts is companies deliberately doing customer contacts which violate basic security principles.
* Walgreens auto-calls me with prescription updates. For "verification purposes", their system asks for my date of birth. I hang up.
* Bank of America sends out emails with clickable links on them. I've reported that to their own security reporting address, but they still do it.
In the US, the legal protections for false charges on credit cards are pretty good, while the ones for debit cards are terrible. So avoid debit cards, Zelle, PayPal, etc.
Reading about this problem makes me sick. Scams are harmful far beyond their direct consequences. They tear at the fabric of a society. If we’re always wary of a scam we have to spend so much time and effort defending ourselves in all of our actions. The paranoia is a tax on everyone.
It’s also sad how many people are willing to participate directly in these scams. The person calling and pretending to be “Miss Barbara” was not committing some targeted crime of passion. She was going to work every day and calmly stealing from trusting strangers. Someone who can do that day in and day out is seriously sick.
And there are many higher value things that simply require trust.
I’ve had many artists or their brokers that could have scammed me, or made things very inconvenient, but did not.
If you drop 4, 5 or 6 figures at an art show, you walk away and leave the piece on display. “My people will contact your people in a few weeks” kind of interaction. It can absolutely get taken advantage of.
After Citibank ignored many requests to fix a bug that would not allow me to register my phone number for my credit card, I tweeted.
I was immediately contacted by their social media customer support team.
They then phoned me to arrange the change. I told them off for bypassing security, but I was pretty confident it was them and did not give them any private info.
But if you insist on the bank acting securely, your life will be even more of a hassle. Note that in this case they had ignored my normal messages, so if I brushed off this call, most likely I would make no progress at all.
This could be prevented SO EASILY if the text message also described the action that will happen as soon as verification is completed, rather than just the verification code. Sheesh. So many banks and merchants, and no one puts that in there? Is it because of the 140 character limit (another dumb limit these days)?
For my bank account in Germany, every text message with a security code will list precisely what entering that code will do, so it might read: "Enter code 12345 to send $12.34 to Dr Strange, account 1234 at Mystery Bank."
Mandating that by law in the US would easily make these scams a lot more difficult to pull off.
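As an added illustration of the "the text says what the code does" idea discussed above (this is example code, not anything from the thread or from any bank): the verification code is derived from the transaction details themselves, so a code issued for one transfer is useless for any other one, and the SMS spells out exactly what entering it will do. The key, counter and transaction values are constructed for the demo; a real issuer would use a per-customer key and a monotonically increasing counter.

```python
import hashlib
import hmac
import struct

# Constructed demo key; in production this is a per-customer secret held by the issuer.
DEMO_KEY = b"constructed-demo-key-not-for-real-use"


def canonical_transaction(amount_cents: int, payee: str, account: str) -> bytes:
    # A fixed, unambiguous encoding of what the customer is approving.
    return f"{amount_cents}|{payee}|{account}".encode("utf-8")


def transaction_code(key: bytes, counter: int, amount_cents: int,
                     payee: str, account: str, digits: int = 6) -> str:
    # HOTP-style truncation (RFC 4226 dynamic truncation), but the MAC covers
    # the counter AND the transaction, so the code is bound to this transfer.
    msg = struct.pack(">Q", counter) + canonical_transaction(amount_cents, payee, account)
    mac = hmac.new(key, msg, hashlib.sha256).digest()
    offset = mac[-1] & 0x0F
    binary = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(binary % (10 ** digits)).zfill(digits)


def compose_sms(code: str, amount_cents: int, payee: str, account: str) -> str:
    # The message states the action, mirroring the German bank wording quoted above.
    dollars, cents = divmod(amount_cents, 100)
    return (f"Enter code {code} to send ${dollars}.{cents:02d} to {payee}, "
            f"account {account}. Never share this code with anyone, not even us.")


def verify(key: bytes, counter: int, amount_cents: int, payee: str,
           account: str, submitted: str) -> bool:
    # Recompute from the transaction the bank is actually about to execute.
    # If any detail differs from what the code was issued for, the check fails.
    expected = transaction_code(key, counter, amount_cents, payee, account)
    return hmac.compare_digest(expected, submitted)


if __name__ == "__main__":
    counter = 7  # constructed; per-customer, increments per issued code
    code = transaction_code(DEMO_KEY, counter, 1234, "Dr Strange", "1234")
    print(compose_sms(code, 1234, "Dr Strange", "1234"))
    print("same transaction:", verify(DEMO_KEY, counter, 1234, "Dr Strange", "1234", code))
    print("altered payee:   ", verify(DEMO_KEY, counter, 1234, "Someone Else", "9999", code))
```

The point of binding the code to the transaction is that even a code read out to a caller cannot be re-pointed at a different payee or amount; a plain "your code is 12345" gives no such guarantee.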
I feel every bank should default to sending you a notification text and/or email on every transaction.
Most banks have the feature but it can be annoying to set up. Another issue I have had is that both email and phone providers may start rate limiting or marking as spam if you get too many automated messages.
My €uro bank does that... within seconds of using my card a notification appears with the amount withdrawn/deposited. Further, under the 'push notifications' I opted for 'all', so my direct debit bills also get flagged to me.
My bank does, but only if I install their app and enable notifications. Even then, I still had to slowly tap through layers upon layers of menus to set up rules that actually triggered the alerts.
Latter part is somewhat fine, even if an opinionated default ("report all, no exceptions") would have sufficed.
Former is the annoying part, mostly because Bank of America's app is just slow and still isn't up to par with their website. Notably, the virtual card function is not present on the mobile app, even after many years (imagine a really bad Privacy.com clone, like really bad, but it still has virtual numbers at least).
I asked (at the branch, in person) to get such notifications but was told I'd have to set up online access to my account, to get them. I asked how to get such online access to be "read only" (so it couldn't withdraw from my account) but was told that wasn't possible.
With another financial institution, I did have online access and had set up notifications, but despite doing so, I wasn't getting them. Complained, but employees were unconcerned.
I asked to get notifications if anyone asked to access my safe deposit box, or at least to let me require a password for such access, but was told that's not possible.
Monzo in the UK sends a notification in the app on every transaction. You then even have the option of freezing your card immediately if you think something's up.
Barclays and American Express do this as well. It really should be standard practice now.
Most German banks do it now, I'd say. It's a fantastic feature.
My bank First Direct sends an SMS message every day there is a transaction and has for at least 15 years. Visa updates are weekly.
One suspects if the legal system put liability on the banks, they'd very quickly find some good solutions.
All my bank accounts (UK) have some variant of "Never share this code with anyone, not even us." appended or prepended whenever they send a verification code. It's so universal I assume this is mandated by law. I'm guessing this isn't the case in the states?
That is not going to cut it.
Because people just get used to this being boilerplate and anyway services such as Plaid “override” that, so why wouldn’t “the bank’s own employees” do it?
No, we need exactly what I said above.
Mine do that as well, i.e. they also say "use xxxx to log in to online banking", or "use xxx to approve this transaction / new payee / standing order".
Can you elaborate on the "override"?
People think "yeah, the text message SAYS not to give it to anyone, but they say it all the time and this is Plaid, I mean come on, it's Plaid, I can trust them, right?" and they think that even more for a Bank Employee (TM)
Everyone should have a policy of never giving out personal info or confirming any digits until they HANG UP AND CALL BACK on the corporate number to discuss any issue.
There's no such limit anymore. It costs more, but all phones support SMS concatenation.
I noticed banks have generally modified their message to warn people: “Please use 123456 as your TD security code to log in. We will never contact you for this code. Do not reveal it to anyone else.”
Only HSBC requires a token to authorize transactions that I have found so far (token + PIN). Most happily let you do anything once logged in.
That said, I am sure we have all heard someone complain, “Why am I getting these login codes from my bank? I am not trying to login”. Most people don’t make the connection to fraud attempts.
I gave a then-rarely-used phone number to someone in an organization that regularly deals with elderly people. A day or so later, that phone got a 'fail' text message from a bank that I'm not a customer of. I reported it to them as phishing but didn't hear back.
I'm not sure they are typically fraudulent attempts - I think many people are unable to remember/enter even their usernames/email addresses consistently.
What's even worse is that the code is used as a single factor, e.g. no extra security besides this code.
Probably they phished the logins otherwise. Normally those sms are the second factor.
The problem being that many of these scams are perpetrated against a generation whose instincts are to trust any message or call that claims to come from an organisation they are familiar with.
As an example, an older friend called me the other day to say Amazon had phoned him about his Prime subscription needing to be renewed that day.
Does he have a Prime subscription? No. Does he have an Amazon account? No.
Yet he still thought the call may have been genuine.
From banking law about 10 years back now, I would expect that the bank would be on the hook for Deborah's transfers in the first story. Deborah didn't in fact authorize the transfers, and it's the bank's systems that failed in detecting that. Banks are heavily regulated around these things, especially debit cards (although perhaps wires are different), and I would have taken that case if I were a plaintiff's lawyer. Seems to me the bank will settle with her for a decent chunk of that money. (As opposed to where the CEO/COO gets tricked and does in fact intend to authorize a wire to someone who turns out to be a fraudster.)
> From banking law about 10 years back now, I would expect that the bank would be on the hook for Deborah's transfers in the first story. … I would have taken that case if I were a plaintiff's lawyer.
I disagree, for two reasons. First, an outside-view argument: lawyers who currently practice in that field apparently disagree:
> Deborah reached out to more than thirty attorneys. Only one called her back. Deborah’s eldest brother consulted another, who called her situation “a terminal case.” “There’s no life here,” he said. Her claim was dying, if not already dead.
Second, on the merits: most of the fraud protections have requirements that the defrauded customer notify the bank promptly (either after the fraudulent transfer or after the next bank statement). See, e.g., [0]. It looks like that didn't happen here.
[0] https://www.consumerfinance.gov/rules-policy/regulations/100...
I've been thinking of Kitboga and other anti-scammer YouTubers/Twitch people.
Has someone built a library or something we can use to replicate some of these banks/Amazon so that more people can waste scammers' time deliberately instead of watching sports, for example?
I mean if I have an hour to kill, I could watch a movie or the game or waste an hour of some scammer, because scammers are not going anywhere. If they are busy with you in an environment you control, they are not scamming anyone else.
I think there must be resources available so that more people do this. The banks have all sorts of KYC/AML so we can definitely drive their banking channels down as long as crypto is still not in the mainstream.
Even then, imagine a dummy Bitcoin/XRP client that actually uses testnet but doesn't display that fact to the user; that way we can use the funds in the fake bank to buy fake crypto and spend a day waiting for the Bitcoin transaction to reach the testnet address. That's quite a good way to waste their time.
The story in the article was completely preventable if banks just tried harder.
The default 2FA solution should be Google authenticator or an analogous tech. If SMS MUST be used, it should be opt in.
Notification of anomalous transactions should be automatic, not something you have to configure.
Anomalous wire transfers should be flagged and require verbal authentication by phone.
Banks should stop sending so much spam marketing email so that when people receive an email from their bank it is something they actually read.
Etc.
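An added example of the "anomalous wire transfers should be flagged" point from the list above (this is illustrative code written for this thread, not any bank's actual rules): a small review function that looks at a customer's wire history and decides whether a new wire can go through silently, should trigger a notification, or should be held until the bank confirms it by phone. The history, thresholds and rule names are all constructed for the demo.

```python
from dataclasses import dataclass
from statistics import median

DAY = 86400


@dataclass(frozen=True)
class Wire:
    payee_account: str  # destination account identifier (constructed values below)
    amount_cents: int
    ts: int             # unix seconds when the wire was requested


# Constructed history: a customer who regularly pays two known payees.
HISTORY = [
    Wire("ACME-4411", 50_000, 1_700_000_000 - 40 * DAY),
    Wire("BOB-9087", 60_000, 1_700_000_000 - 30 * DAY),
    Wire("ACME-4411", 45_000, 1_700_000_000 - 20 * DAY),
    Wire("BOB-9087", 55_000, 1_700_000_000 - 10 * DAY),
]


def review_wire(history, wire, new_payee_limit_cents=100_000,
                spike_factor=3.0, velocity_limit=2):
    """Return (decision, reasons) for a proposed outgoing wire.

    decision is one of:
      "auto"              - nothing unusual, execute and log
      "notify"            - execute, but alert the customer immediately
      "hold_for_callback" - do not execute until the bank reaches the customer
                            by phone (out of band from whoever initiated it)
    """
    reasons = []
    known_payees = {w.payee_account for w in history}
    if wire.payee_account not in known_payees:
        reasons.append("first-time payee")

    if history:
        typical = median(w.amount_cents for w in history)
        if wire.amount_cents > spike_factor * typical:
            reasons.append(f"amount more than {spike_factor:g}x the customer's typical wire")

    recent = [w for w in history if 0 <= wire.ts - w.ts < DAY]
    if len(recent) >= velocity_limit:
        reasons.append("unusual number of wires in 24h")

    large_new_payee = ("first-time payee" in reasons
                       and wire.amount_cents >= new_payee_limit_cents)
    if large_new_payee or len(reasons) >= 2:
        return "hold_for_callback", reasons
    if reasons:
        return "notify", reasons
    return "auto", reasons


if __name__ == "__main__":
    now = 1_700_000_000
    for w in (Wire("ACME-4411", 50_000, now),      # routine
              Wire("BOB-9087", 200_000, now),      # known payee, big spike
              Wire("NEW-0001", 900_000, now)):     # new payee, large amount
        print(w.payee_account, w.amount_cents, review_wire(HISTORY, w))
```

The decisive rule is the last case: a first-time payee receiving a large amount is exactly the pattern of the scam in the article, and the response is to hold the wire and call the customer back rather than to trust whoever is on the current call.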
Some thoughts on app based 2FA, having recently switched phones and needing to redo all my codes:
* I have to redo all my codes, and that’s annoying. I have about 15 and it took me almost an hour of logging in and out of all my accounts to switch the device. It’s very cumbersome and in most cases logs me out of my accounts on other devices. It’s frankly a huge pain. I understand the need for it but there needs to be a better way if we’re going to be 2FA everywhere.
* Most sites/services don’t have an option for “change to new device” although some do. In most cases the way to change the device is to turn 2FA off, then turn it back on with the new device. It’s a terrible user experience (it’s not like it even tells you this is what you have to do, you just have to know it). If 2FA is so critical why do I have to disable it to switch auth devices?
* The flow for using it on many sites still treats 2FA as like this geeky or techie thing, it would be very off putting if I wasn’t familiar with it. They’re not very reassuring about what it does or how it works (although some do try to help the user understand it).
* Backup codes are janky and not always offered. Sometimes when they’re offered they’re explicitly provided when enabling 2FA, sometimes they’re a totally separate menu item and the site doesn’t explain why they’re important, some don’t have them at all, and most just dump a text file of weird letters and numbers in your download folder. No header or anything to say what they are when trying to find them later. Abysmal user experience. I had to resort to printing them out and scribbling with a pen what site they were for. Some sites though do better, and include header info and/or a print button. Just not many.
* The Google Authenticator UI looks utilitarian and unintuitive. It’s nice that it’s so uncluttered, but again if I wasn’t already technical I would struggle with feeling comfortable with it. Why are the numbers blinking? What’s the countdown timer? Oh no the numbers are red now! Did I break something? Wait now they’re green again. What’s going on?
I love 2FA and think it needs to be way more ubiquitous. But at least right now it’s still pretty shit.
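Since the post above recommends Google Authenticator-style codes and the post after it describes the pain of moving them to a new phone, here is an added example (written for this thread, not taken from Google Authenticator or any site mentioned) of how those codes actually work: HOTP/TOTP per RFC 4226 and RFC 6238, a verifier that tolerates one step of clock skew but refuses to accept a code twice, and the otpauth:// provisioning URI that a site can show again for an already enrolled user so a second device can be added without switching 2FA off. The secret is the RFC test-vector secret, so the outputs can be checked against the RFC tables.

```python
import base64
import hashlib
import hmac
import struct
import time
from typing import Optional
from urllib.parse import quote

# RFC 4226 / RFC 6238 test secret (ASCII "12345678901234567890"); not a real key.
RFC_SECRET = b"12345678901234567890"


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    # RFC 4226: HMAC-SHA1 over the big-endian counter, then dynamic truncation.
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    binary = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(binary % (10 ** digits)).zfill(digits)


def totp(secret: bytes, unix_time: Optional[int] = None,
         step: int = 30, digits: int = 6) -> str:
    # RFC 6238: the counter is the number of whole time steps since the epoch.
    if unix_time is None:
        unix_time = int(time.time())
    return hotp(secret, int(unix_time) // step, digits)


def verify_totp(secret: bytes, submitted: str, unix_time: Optional[int] = None,
                last_used_counter: int = -1, step: int = 30,
                window: int = 1, digits: int = 6) -> Optional[int]:
    """Return the time-step counter the code matched, or None.

    Accepts codes from `window` steps either side of now (clock skew), but
    never a counter at or below last_used_counter, so a code that was already
    used (or read out to someone) cannot be replayed within the window.
    The caller persists the returned counter as the new last_used_counter.
    """
    if unix_time is None:
        unix_time = int(time.time())
    current = int(unix_time) // step
    for counter in range(current - window, current + window + 1):
        if counter <= last_used_counter:
            continue
        if hmac.compare_digest(hotp(secret, counter, digits), submitted):
            return counter
    return None


def provisioning_uri(secret: bytes, account: str, issuer: str,
                     digits: int = 6, step: int = 30) -> str:
    # The otpauth URI format authenticator apps read from a QR code.
    # Showing this again for an enrolled user (after re-authentication) lets
    # them add a second device without disabling and re-enabling 2FA.
    b32 = base64.b32encode(secret).decode("ascii").rstrip("=")
    return (f"otpauth://totp/{quote(issuer)}:{quote(account)}"
            f"?secret={b32}&issuer={quote(issuer)}&algorithm=SHA1"
            f"&digits={digits}&period={step}")


if __name__ == "__main__":
    # RFC 6238 vectors: T=59 -> 94287082 (8 digits), so 287082 with 6.
    print(totp(RFC_SECRET, 59), totp(RFC_SECRET, 59, digits=8))
    print(verify_totp(RFC_SECRET, "287082", unix_time=59))            # 1
    print(verify_totp(RFC_SECRET, "287082", unix_time=59, last_used_counter=1))  # None
    print(provisioning_uri(RFC_SECRET, "alice@example.com", "Example Bank"))
```

The replay check is the part most toy implementations leave out: within the skew window a code is valid for up to 90 seconds, which is plenty of time for a code read out over the phone to be used by someone else if the server does not remember that it has already been consumed.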
I use Authy, which allows the app to be installed on multiple devices. It's currently on 3 devices, so I never have to redo choices because I changed phones.
I get many emails 'from' one of my financial institutions asking me to give them feedback on how they're doing. These all come from an email address that's from a different domain. This dissuades me from giving the institution feedback that I do think they need.
I have worked in fraud prevention, detection and analysis. Depending on a lot of factors the weakest link is either the retailer where fraud occurs, the bank's protections systems or the customer.
Retailers would a lot of the time not do additional security checks because those cost money. If someone buys something for $5-10 the retailer doesn't pay for additional verifications to the bank and they are then liable for the loss. Sometimes they won't even pay for that for larger amounts, OR they avoid doing those checks because it breaks the transaction flow and the customer might just cancel the transaction. Most of us are impulse creatures and if we add additional checks then the impulse could be stopped.
Banks also still use SMS messages for verification. SMS is horribly insecure[1] and it's shocking to see it's still the last line of defence between your life savings and a potential attacker. Yet having worked in this field, I know that the decisions are taken from a purely financial/time frame point of view. "We have 6 months to implement this, our devs have done this before and thus an SMS carousel is the easiest to implement. TADA". Or "we already have the contracts set up, we have done this for this other account type, so we're going to reuse it". There are very few incentives to use anything else and it goes back to adding friction in transactions. If our world weren't obsessed with buying quickly and easily, more defences could be added.
Lastly, banks are horrible at talking to people. They don't know how to do it at all, so they cannot make communications clear. The biggest impact to fraud prevention would come from nationwide campaigns where users are shown some of the most common ways these attacks occur. Common sense suggestions also seem to be lacking entirely: "if you're ever unsure, pick up your credit/debit card and call the number on the back of it. That's your bank's contact number, it doesn't need a website, you don't need to call a number from a message, just call this one number". One bank I worked at did this small communication exercise and over the next few months it accounted for a significant decrease in phone-related fraud.
It's a very complex issue and I'm seeing Europe being the next big target from what I have seen regarding anti-fraud processes in European companies (a lot of them rely on outdated tech that cannot handle checks fast enough). European banks also move a lot slower than UK banks, transfers move slow, security checks are poor and in general they seem to spend A LOT less money on fraud prevention... Cybercrime is on the rise[2] and we're horribly unprepared.
Blaming people is the worst approach. We can all fall victims to these types of attacks, but we should spend time to educate those around us and exercise a bit of caution, yet understand that we can all be victims.
[1] https://krebsonsecurity.com/2021/03/can-we-stop-pretending-s...
[2] https://risk.lexisnexis.com/-/media/files/financial%20servic...
Also, the fact that phone companies allow caller ID spoofing, even of well-known bank phone numbers, is extremely lame.
And the fact that calling back means a looooong time on hold discourages people from doing it.
Well, specifically, it seems like the ONLY thing that was not compromised in this particular scam was the SMS.
The scammer must have known before:
1) the victim's telephone number
2) the victim's Login AND Password (or Pin) to the bank website
What the scammer didn't manage to do was to intercept/mitm/whatever the SMS and thus needed the victim to read it aloud.
Or is US bank website access different from here (EU, Italy)?
Here to access the website you need to input login, password then request an SMS code for the authentication, and later you need to request an SMS code to validate any transaction.
It's possible they had enough information on the victim to impersonate her to bank customer service to get the password changed.
Sure, which still means that they managed to get the password.
But they needed the login anyway (here it is a customer number, usually).
I was referencing the parent post because it - like everyone else - is talking about SMS interception as one of the major flaws in the authentication process, whereas the way this scam was carried out seems instead to make it (the SMS code) the only thing that would have stopped it (if the victim hadn't revealed it, several times).
A problem I encounter is that I'll want to ask the bank, "is X (a sequence I encountered) standard practice for you?", but they'll require that I authenticate myself first, to reach someone there to ask, which I'm reluctant to do in a possibly insecure environment.
And (in a possibly insecure environment) if you try to do a transaction without giving them voice recordings of you saying yes, no, and digits, some automated systems will reject digit presses with an "Aw shucks, you don't have to type on your keypad, just say yes or no".
(I was trying to pay the bill they had sent)
> During the pandemic, millions of Americans were similarly duped; the FTC reported a 70 percent increase in fraud reports in 2021
Fraudulently get a PPP loan, fraudulently get it taken out of your business account from a bank that should be considered to fraudulently subject its customers to poor and arbitrary security measures
Turtles all the way down
What scams are enabled by brick-and-mortar financial institution offices that seem acoustically designed for propagating voices?
I have also come into a bricks-and-mortar branch to find fellows up on ladders adjusting ceiling lights that have a good view of the teller window counter.
What should someone do if they feel there is some scam going on, in multiple dimensions, but it's all just suggestive?