Dupe from a few hours ago: <a href="https://news.ycombinator.com/item?id=31108897" rel="nofollow">https://news.ycombinator.com/item?id=31108897</a>
Nobody in any kind of profession is immune to scamming. People have bad days, you could be hit by a novel scam, or your accounts/systems could already be partially compromised—allowing an attacker more intel than you would expect them to have.<p>I’d caution any security professional or engineer against thinking they’re too smart or savvy to avoid this stuff. Assume you will be compromised at some point and make damn sure you can recover accounts or assets that are important to you. Failing that, get insured or figure out ways to mitigate the worst of your liabilities.
> stay safe while also successfully transacting with clumsy companies whose legitimate policies seem like hoaxes<p>IMO, those sorts of companies are the root cause of why there are so many scams like this one today. In particular, I remember one time while renting a car, I got a call from the rental company. They said there was a problem but wanted me to verify my identity before they'd give me any details about what it was. Obviously, I refused, so I ended up going back in person to see what was going on and take care of it, and they verified the call was legitimate, but what their caller did is <i>exactly</i> what a scammer would try to do.
Reading or entering codes from SMS is really risky. If the message doesn't say who it's from in the body, there's no safe way to proceed.<p>Let's say you're trying to create an account on website A. It says you need to confirm your phone number, sends you an SMS, and asks you to give it the code. The SMS says "Your verification code is 395724". Do you type it in? There's no way to know whether that was legitimately sent by website A, or was sent by one of the 100 other websites you have accounts on because website A is trying to hack that account.<p>Even if it does say "395724 is your Facebook password reset code", 90.5% of people won't pay attention to it saying "Facebook" and will just type the code into whatever website they're trying to sign up for.[1]<p>[1] <a href="https://www.ieee-security.org/TC/SP2017/papers/207.pdf" rel="nofollow">https://www.ieee-security.org/TC/SP2017/papers/207.pdf</a>
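The binding problem described in this comment is exactly what the origin-bound one-time-code SMS format addresses: the message's last line names the host the code belongs to (`@host #code`), so a browser or password manager can refuse to fill the code on any other site. The following is an added example, not code from the thread; the message bodies are constructed samples, and the policy (refuse when the message carries no binding at all) is an assumption about how a defensive autofill should behave.

```python
import re

# Final line of an origin-bound OTP SMS: "@example.com #395724",
# optionally followed by "@embedded.host" for iframe scenarios.
ORIGIN_BOUND_RE = re.compile(
    r"^@(?P<host>[^\s#]+)\s+#(?P<code>\S+)(?:\s+@(?P<embedded>[^\s#]+))?\s*$"
)

# Constructed sample messages (not real traffic).
UNBOUND_SMS = "Your verification code is 395724"
BOUND_SMS = "395724 is your Facebook password reset code\n@facebook.com #395724"


def parse_origin_bound_otp(sms_body):
    """Return (host, code) if the last non-empty line binds the code to a host, else None."""
    lines = [ln.strip() for ln in sms_body.strip().splitlines() if ln.strip()]
    if not lines:
        return None
    match = ORIGIN_BOUND_RE.match(lines[-1])
    if not match:
        return None
    return match.group("host").lower(), match.group("code")


def should_autofill(sms_body, current_origin_host):
    """Decide whether a code from this SMS may be entered on the page at current_origin_host.

    Returns (True, code) only when the message itself names a matching host;
    otherwise (False, reason). An unbound message is never filled, because
    nothing in it proves which site requested the code.
    """
    parsed = parse_origin_bound_otp(sms_body)
    if parsed is None:
        return False, "no origin binding in message; do not enter it anywhere"
    host, code = parsed
    if host != current_origin_host.lower():
        return False, f"code is bound to {host}, not {current_origin_host}"
    return True, code


if __name__ == "__main__":
    print(should_autofill(UNBOUND_SMS, "facebook.com"))
    print(should_autofill(BOUND_SMS, "shady-signup.example"))
    print(should_autofill(BOUND_SMS, "facebook.com"))
```

The third call is the only one that yields the code; the second shows the case from the comment, where the code is for Facebook but the user is on some other site.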
...this person is a security engineer? It is literally rule number 1 that you do NOT share MFA codes with anyone. Many sites even clearly say that when sending you the code!<p>This is also a common Craigslist scam.<p>Also, how does a security engineer NOT know that phone numbers are super easy to spoof?!
> The internet tells me that caller IDs are easy to spoof, which I didn’t know but doesn’t surprise me<p>A security engineer does not know THIS? I'm confused.
A conman has all the time in the world to lay down a path for their marks to follow. They can hone their process over time and have the benefit of running the same scam over and over to improve it. A mark has a single moment to react to these well-laid plans, a moment in which they can be distracted and not thinking in a security context. There is a scale of conman skill vs. mark awareness, but pretty much anyone could fall for a con given the right situation.<p>For those disparaging this person's job title of security engineer: an engineer dealing with network security of IP traffic is a different skillset from a security consultant advising on human-involved phishing attempts & cons. The context also matters here. Being on your computer & working on network security, looking for threats, is a very different and incomparable situation from being in the park living your non-work life and getting a call from the bank.
> I knew that I should hang up and call the number on the back of my card<p>Everything after this, where the guy DIDN'T call the number on the card, is where it went wrong.<p>The guy went along with the social engineer who was calling him <i>inbound</i>, and used an SMS-based password token reset to get into his account. After that, it was game over.
Being targeted by unsolicited inbound calls or SMS is absolutely dangerous and I could possibly fall into that trap, especially when I have some impending business with my bank (say, renewing my cards).<p>Subject to regulations, banks take all types of precautions to identify <i>you</i>. Would regulation not also force them to address how <i>you</i> can identify your bank at one of these touchpoints?<p>My best suggestion would be to have something like reverse 2FA in the mobile banking app: the calling agent should be able to tell you the number you are seeing on a specific screen in your phone app.
Scamming 101: Just keep trying.<p>The scammers don't care how savvy you are; they just target that one iota of a second when you blabber out that crucial information. Everyone has bad days, and worst moments of those bad days. And the scammers are hunting for that very special moment. If the stars align just right, you are in a world of pain.
I played along with one of these out of curiosity. I got the call while I was browsing the SF Costco by the SelectTech 552 dumbbells. The memory is vivid af. They claimed that money had been transferred out of my Coinbase account. I had a sum of money similar to what they claimed in USD in there in ETH, so I was curious if they knew details about my account.<p>In the end, there was nothing clever about it. They just talked about how to reverse the payment etc. etc. and then wanted to send me a link to share my screen or point my phone at my Coinbase screen or something. So if the link didn't download malware, there must be some sort of sequence of things they would have me do that would compromise me. Perhaps they'd got my password and they'd ask me to type in my 2FA code and they'd just type it in first as it was visible? Anyway, at that point, the number of possibilities amplified and I wasn't prepared to play the game any more, and besides, I was at Costco and really didn't have my laptop, so I said "Okay, I'll just go do this at the website" and hung up over their protestations.<p>Honestly, it was pretty obviously scammy because they were trying to apply pressure tactics. I've never had anyone who serves me use pressure tactics on me.
People say if you get a call from your bank, just ask what's the deal, hang up and call them back to make sure you talk to your bank. While for banks that may be true, a lot of companies outsource their call centers. I once called DHL with a question regarding a package that was on its way to me and the guy asked weird stuff like what my password for their internet portal was and the answers to the security questions to reset it. Of course I didn't answer any of that and he was getting mad. I ended the call, double-checked the number I had just called (it was correct) and simply hit redial, ending up with another person who just answered my question without asking for all my credentials. After the call I contacted a higher tier of customer service and it was simply waved off as "There was probably just a misunderstanding".<p>tl;dr even if you hang up on incoming calls and call them back (or initially call them without getting called first) you might end up getting scammed.
I seem to be protected from most of these types of scams because I never answer the phone unless the number is known. If it is important they will leave a voicemail.<p>Yes, caller ID can be spoofed, but it’s not as easy as it used to be, and a lot of spam calls appear to have moved to overseas numbers.
The prevalence of payments by card on American websites often makes me nervous. Several websites know my card numbers, such as Amazon, Microsoft and the Unity Asset Store, and they are able to make payments without my permission at any time. In Poland, paying by card is rare, and websites don't need to save your card details. Most payments are done through payment processors who send a payment request to the bank and have the bank website do the authentication part, usually through SMS or the bank's mobile app. So there isn't really an option to make a payment without your permission.
Whenever I have had a 'fraud detected' type call from my bank, doing the right thing (phoning back using the number on the back of my card) has resulted in sitting on hold, then being passed around until they can find the right department. It would be great if they normalized and streamlined this, by giving you a reference you could type into phone banking to get back through to the same agent/someone that is clued up on the issue.
> "I was suspicious, but the bank’s systems could easily be a wasteland archipelago of isolated micro-services that used different phone lines."<p>Anecdotally, I've found that the frustrating thing is that real banks/financial institutions tend to also commit a bunch of super sketchy (security-wise) behaviors. I've encountered the following when applying for a credit card issued by a certain four-letter bank:<p>Applied for the card online, but instead of getting a card in the mail, got a letter about "suspicious activity" on the card. Mind you, the card had yet to be issued to me and I didn't even know what the # was going to be, so the card referred to in this letter may as well have been anything! Since it was my first card with them, I'm thinking "okay, they probably mean that they want to re-confirm my ID and just used a weird template". So I call the phone # in the letter, making sure to first confirm that it matched one of the service numbers listed on the bank's website.<p>I get rerouted to a customer service agent after a bunch of automated prompts and the agent tells me they'll need to call me instead of me calling them. Weird, but OK, maybe they want to confirm my phone number is real. So I hang up and promptly get a callback from a completely unrecognized number that was not listed on the bank's website (and turned up no useful search results). Again, sketchy, but hey, maybe they have different outgoing phone lines.<p>The agent is then like "I need to confirm your identity for the credit card. Do you have some checking account with another bank?" OK, again weird but whatever, so I go "yeah, I have an account with *** bank" "OK, we'll have you verify your account with *** bank". Then they proceed to _forward me a call they've made to the telephone banking service of *** bank_, which prompts me to enter stuff like my user ID and _password_.<p>Knowing how telephones (and authentication systems) work, I'm like "uhh what... no... I'm not comfortable entering anything here because you'd be getting my full login info for this other bank..." and subsequently had to work out a different way of doing the verification. All said and done, they did end up happy with the ID I provided and the card arrived a week or so later. But still, super sketchy interaction throughout...<p>tl;dr: A real bank's credit card dept. essentially tried to MITM my login credentials to another bank's phone banking service as part of verifying ID.
“I’ve cancelled that charge and sent a new card out to you,” said Barry. “I’d like to enable enhanced security on your account, but I’ll need to text you a confirmation code first. Is that OK?”<p>This should have been the end of it.
What’s worse is when they just have your phone number and relentlessly try to scam call you to convince you to give them the bank info they need to take your money.
Anyone can be a "security engineer" on paper if they get the necessary training... but that doesn't give you the personality that you need for the job. The author does seem to have the personality to some extent... so he should be fine... but I don't think he'll ever be among the best because he did trust someone enough to have a child with them... and he took his child to a public park. That level of trust will seriously hinder his professional development as a security engineer.