TechEcho


I'm a security engineer and I still almost got scammed

239 points by trauco about 3 years ago

45 comments

vasco about 3 years ago
If your card is stolen and you become a victim of fraud, and they manage to take money from your account, and your bank already knows it's fraud, there's no urgency on your end.

You'll get your money back. I'd go as far as saying that if the bank genuinely wants you to decide fast, it's not to protect you. It's to protect itself. Shenanigans about "do it fast or they'll take more" are bullshit always. The bank is on the hook, not you. So never do things in a rush, take your time to verify yourself that money indeed disappeared. There. is. no. urgency.

Sense of urgency is one of the best ways to make people make bad decisions. Salespeople use it, scammers use it. Nobody who is trying to be helpful will come with a story "that needs to be fixed now!!!".

If you still want to be safe, and you use a debit card, have 2 accounts. One with the bulk of your money without a card associated with it. One with the card associated with it and no more than whatever you spend in a week. If you use a credit card, it totally doesn't matter, it's the bank's money, not yours, that they'd steal.

So whenever you find yourself in a situation where someone wants you to decide something fast that you didn't know about and isn't a direct threat to your life, don't do it. Think about it first.

It's impossible to keep up with all the scams, but if you stop to think and never take rash decisions you don't have to. Slow is safe.
awinter-py about 3 years ago
> A lot of the credit that I gave Barry came from my lack of faith in my bank’s systems and security. ... Insecure business practices often don’t stand out as a sign of a con; they just look like another boneheaded but authentic policy.

^ *THIS*. your bank is training you to get phished. your health insurance, by leaving fake-urgent voicemails that require miserable phone tree navigation when you call back, and by having a million different numbers which resolve to 'scam or at least spam' aggregator sites when you google them, is teaching you to get phished.

my health insurance has a process which involves calling me and asking for a bunch of personal information. I called them back at a known number to ask if this was their number and *they didn't know*. I called three agents and they gave me three different answers. One said it was a 'system error that will be resolved in 24 hours'. Another said it was fake, don't trust it. A third *called the number* while I was on hold and assessed it as 'probably fine'.

teach someone to get phished and they're phished for the rest of their life

never accept inbound calls
46Bit about 3 years ago
> The internet tells me that caller IDs are easy to spoof, which I didn’t know

I really think that security engineers should know this.
nonrandomstring about 3 years ago
We already covered this, but advice distilled from earlier comments bears repeating:

One special class of vulnerable targets is *security experts*, and *top ranks*. I remind my students that "pride comes before a fall" and nobody is immune. While doing some training for <BIG INTERNATIONAL BANK> someone told me they call it the "cocks problem". It's the handful of 7 figure salary high flyers that get regularly pwned and cause grief for everybody else, because they are "too cocky". Lowly secretaries and desk staff are much harder marks. The more training you give to people who think they're above it the worse they get. It has to be pitched as participatory advice, as an invitation to co-create a secure practice.

We saw this cavalier attitude just the other day with Boris Johnson [0]. I bet Johnson was told time and again to use equipment that had been checked by his security detail. And I still cringe thinking of this one [1].

I suggest there's no correlation between domain knowledge and behavioural invulnerability. Good security posture is a mind-set. I also think it's a very strange combination of contradictory qualities (or attitudes you can be trained to adopt) that are hard to describe, such as high conscientiousness and humility mixed with utterly cynical disrespect for "authority", high openness but brutally meticulous self-checking and introspection. And definitely, never call yourself an 'expert'.

[0] https://news.ycombinator.com/item?id=31075558

[1] https://www.arrse.co.uk/community/threads/77-bde-twitter-feed-hacked.290788/
projektfu about 3 years ago
I got a call from a bank and they said they wanted to verify my identity. I said, all due respect, but you called me. I need to verify your identity. They sounded offended but told me how to continue the discussion when I called back. It was a legitimate call.

I was pretty annoyed that they didn't follow good identity practices by encouraging their customers to trust people who could be scamming them.
staticassertion about 3 years ago
Here's the thing. Phones fucking suck. Anyone can call anyone, and that's insane. It's like the phone book, it's a dated concept that just does not scale.

Phone numbers as a proxy for "who is calling me" is terrible. Numbers change, numbers can be spoofed, numbers can be stolen. All identification that happens via a phone is fundamentally *bad* and it is only getting worse.

The trick is, don't use phones. Really. Block every number that isn't someone you know, for starters. If someone calls you and it's a bank, ask them to contact you via email, and only use the phone to confirm what has already been discussed via email - for example, if you are performing a wire transfer, initiate that via email, and if you confirm information via the phone never *offer* any information, just validate what they say.

This issue is so common and pervasive that, as the author demonstrates, we just assume *everything is horribly broken* and when something is suspicious we just think "well, everything's horrible, so why wouldn't this be horrible?".

"Silly but plausible" - this is the cost of security theater. I have to jump through hilariously stupid loops sometimes.

But ultimately I blame phones being used as proxies for identity.
neogodless about 3 years ago
Thought perhaps this was posted previously, but it's just a very similar story.

https://news.ycombinator.com/item?id=30869427

"I'm a scam prevention expert and I got scammed" (544 comments 20 days ago)
alias_neo about 3 years ago
> Nothing the bank might want to talk about could be urgent enough to interrupt an unseasonably sunny March afternoon.

Wrong. Some banks, and with certain account types, will absolutely make a courtesy call to you if something unusual is happening.

I had a call from my bank while spending a few hundred on cocktails in Bali (I'm from London); I hadn't used my card yet on that trip as I'd taken cash.

They also called me to check a payment into my account with an "unusual" reference; a joke from a friend returning the money he owed for a holiday I paid for, but which made it look like he was paying me for "special services".

They called me to query a payment at a home furniture store for a couple thousand pounds in a city ~300 miles from where I live only hours after I'd used the card near home; I'd driven to this particular store to check out the furniture.

If you're not sure, the _real_ bank will suggest you hang up and call their number found on your card or their website (or in your contacts list, where I keep it) and will never pressure you to answer or provide them information, and they'll NEVER, EVER ask you to read a security code out to them sent to your phone, or using your banking app.

EDIT: To further clarify: my particular bank's app has, on rotation, a series of warnings, displayed each time I log in, saying things like "BEWARE; if someone [calls/texts/etc] asking/telling you to do [XYZ] ...", e.g. to get this code or that code, or do something else in this app, you're being scammed, "WE WILL NEVER ASK YOU FOR [XYZ]...".
briHass about 3 years ago
This is the second very similar report on HN where the end-goal was ApplePay. There must be something poorly done in their card linking/payment process that hackers are targeting. I don't use it, so I'm not familiar.

Collectively, we software engineers that have a security focus have done a piss-poor job with 2FA. Users should've been trained from day one that 2FA codes sent to their email or SMS should never, EVER, be repeated back to a human. All the additional text sent with the code should clearly and emphatically state that this number is between you and a website that you are reasonably certain represents a secured entity and that you explicitly requested during a login flow. It's like the combination to a safe: that code is between you and the dial on the safe; if it ever verbally leaves your mouth, you're doing something wrong.

Any orgs that use 2FA codes to authenticate a user to a CSR are screwing it up for everyone. Don't do that: you should be able to mutually authenticate using shared knowledge that a hacker isn't likely to have (not an address, FFS), like the previous transactions thing the OP requested. 2FA codes are for computers only.
jrochkind1 about 3 years ago
Part of this comes indeed from not trusting the banks -- like, I know the banks do irrational insecure things, and I also don't trust that if I don't do *exactly what they say* they will actually cover me in case of fraud (which we know does happen, a lot, now).

Like, let's say I insisted on hanging up and calling the number on the back of my phone -- are there any cases that would be disastrous for me, would end up in me losing money, and I really *should* have stayed on the phone with the person who called me, who really was a non-fraudulent representative?

I'm not confident there are not.
senectus1 about 3 years ago
I've recently noticed that I reflexively answer my phone with "*MyName* speaking"; it occurred to me that this is bad security practice.

Any suggestion on how I should politely and professionally answer a call without giving away my identity?
badrabbit about 3 years ago
I work with phishing content on a daily basis. Ashamed to say I fell for a scam on a dating app once, but I was careful enough to use a burner credit card, and cancelled it right away with no loss to myself. I don't think I can fend off a well planned scam or phish no matter how careful I am. At the end of the day I have to be a normal human being with predictable weaknesses and psychological vulnerabilities. Instead, I try to rely on security controls that don't rely on my psychological hardening.
Toreno96 about 3 years ago
The article references another one of the author's articles: https://robertheaton.com/2019/06/24/i-was-7-words-away-from-being-spear-phished/

I find it quite amusing that the scam used the domain `people.ds.cam.ac.uk`, which contains `s.cam`.
dr_orpheus about 3 years ago
I believe I saw this exact same scam on another recent Hacker News article. Same premise of "I'm from the bank and you are a victim of fraud and I need to deactivate your Apple Pay, but I am actually activating my own Apple Pay with your card".

Also had a similar title along the lines of "I give presentations on scams and I still got scammed".
anonsec123 about 3 years ago
Just being a security engineer doesn't instill you with a defensive or paranoid mindset. I work with security analysts who use TAILS to browse random websites and security engineers who torrent cracked software and install whatever they find directly on their bare-metal PC/laptop.
rmbyrro about 3 years ago
Any reasonable bank would freeze the card before even contacting you.

If they want a confirmation, they'd rather use an automated method. Like send an SMS: "Did you spend $X on Merchant, Inc? Reply with Yes or No".

They can't afford a human calling you for every fraud suspicion.
cameronh90 about 3 years ago
I almost got scammed by an SMS that woke me up.

Local couriers often send links by SMS when an international package needs customs duty paid, and they often shorten URLs due to SMS limits. So they might send a URL like couri.er/1ea6dz. Often the payment sites look a little dodgy too, frequently just an un-themed Worldpay form.

Unfortunately I was expecting an international package and an SMS woke me up saying delivery would happen today provided I pay the customs duty. I luckily had gained my senses enough by the time the page had loaded to double check everything, but it could have got me.

When the legit request to pay customs duty came through, it didn't look all that different...
fullstop about 3 years ago
> I’m not sure where the 2 missed calls from my bank’s real phone number came from.

This sort of thing is incredibly easy to forge these days.
skeeter2020 about 3 years ago
I appreciate that the OP calls out his bias towards bank mismanagement and "the system". Scammers (like this one) are using the stereotype to run their scams. Are bank systems often disjointed bureaucracies and less than stellar examples of best practices? Absolutely, but scams are so common now I believe it's time that we accept them as the default conclusion until proven otherwise.
lamontcg about 3 years ago
"Yeah, I *69'd you. I never pick up my phone." -- Tyler Durden, Fight Club.

I'd also log on to the bank website first to look at recent transactions myself so that I "do my own research" before talking to a person at the bank.

Most often the fraud check is something like an Apple hardware purchase that I made months ago which only just went through after I got to the front of the waiting list. I'd want to debug that stuff myself first. If I'm out doing something and a text/VM comes in while I'm on thumbs I'll happily wait until later that night to debug the problem. Like the top thread here says, there's no urgency.

Really helps to be an introvert where you very actively don't want to call someone up and chat on the phone about shit, so you first seek to avoid having to talk to anyone in person, and then have all the information you can acquire ready first to keep the phone call as short as possible.
softwarebeware about 3 years ago
This was a great read. I think the biggest takeaway I had was how some banks and credit card companies themselves are not doing a great job at building trustworthy systems. That leads consumers into treating things that seem gray, like confirmation code texts coming from unknown numbers, as credible.
SunlightEdge about 3 years ago
I have a dumb fraud story.

A fraudster called me up (I knew it was a fraudster right away). I played along as he said there had been some fraudulent activity on my account - payments from random locations etc. etc.

The crux was that he wanted to send me a verification code from PayPal. This is where I was dumb. I assumed it was from a fake PayPal messaging system and they knew the number already. When they asked me to repeat it back to them I pretended to be dumb and gave a fake number back, repeatedly. I at first thought they knew the number. It then hit me that they didn't know the number and were actually trying to break into my PayPal account. I was so dumb! Still no bad outcome other than me looking stupid.
tpoacher about 3 years ago
I do sympathise with how the whole "I don't want to call back and get placed in a queue with elevator music" was a big factor in the scam almost being successful here.

"Hopefully" enough people get scammed at such organisations, such that having the ability to easily contact a human at the company becomes a valid selling point, and lack of it an actual pain point for the company, so that pointy-haired CEOs start to appreciate it again.

I had to add my wife's name to our gas bill recently. There was no option to do this from the online system. I had to call 4-5 times to get this fixed. Each time I had to wait about 50 minutes before getting to a human at the other end.
causality0 about 3 years ago
*I made a note to check my account when I got home*

It would take more than thirty seconds to go online and check the account?

*“I’m calling about some suspicious transactions on your account ending in 1234. Is this a good time to talk?”*

I don't know how it works there, but my bank's fraud alert call is automated and exactly the same every time.

*“I’d like to enable enhanced security on your account, but I’ll need to text you a confirmation code first. Is that OK?”*

Do banks do that there? Mine won't make any kind of account changes unless I show up in person with ID.

*Barry couldn’t use my card to buy anything online because my bank sends me a one-time verification code whenever I use the card on a new website.*

This is great. All banks should do that.
liendolucas about 3 years ago
Question: Why do banks not implement bait/decoy codes for people who are aware they are being made part of a scam? Wouldn't this provide them at least more information about the scammer? With all the technology that's available, why is it not possible to let the scammer believe that he/she is doing a real transaction while behind the scenes they are being monitored/traced? I'm asking out of my ignorance on the subject.
ed25519FUUU about 3 years ago
The problem is definitely still the security of banks. They regularly call YOU and tell you that you have to verify yourself. It’s an incredibly stupid system.
staticassertion about 3 years ago
https://www.youtube.com/watch?v=YIWV5fSaUB8

Jim Browning is an expert in this area and is sort of famous for his "scamming the scammers" videos where he hacks, tricks, annoys, or otherwise scams scammers.

In the linked video he talks about how he was tricked into deleting his account. These things can happen to anyone, even experts.
jve about 3 years ago
Uh, I've got similar calls.

Here you can watch a video of the police taking down one of these call centers, not so long ago: https://www.delfi.lv/news/national/criminal/video-latvija-aiztur-82-viltus-brokerus-kas-katru-menesi-izkrapusi-3-miljonus-eiro.d?id=54192518
xyst about 3 years ago
In this day and age, how do people still fall for this? This isn't the old days where you would get a physical paper statement in the mail every 30 days and rely on your bank to call you for potentially fraudulent purchases.

You have instant access to your financial information. You can easily see "pending" and "posted" charges on your credit accounts without a third party.
herf about 3 years ago
2FA should never be vague - it should say "Don't give this code to anyone." People are getting scammed all the time this way.
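The two design points raised by briHass and herf above (the code's text must name the action it authorizes and tell the user never to repeat it to a person, and codes must be redeemable only by the customer's own session, never by an agent on the phone) can be made concrete. The following is an added illustration, not code from the thread or from any bank; `OtpService`, the channel names and the wording are hypothetical.

```python
"""Purpose-bound one-time codes that only the requesting customer session can
redeem. Added example; class, channel names and SMS wording are hypothetical."""
import hashlib
import hmac
import secrets
import time
from dataclasses import dataclass

CODE_TTL_SECONDS = 300          # a code older than this is refused
CUSTOMER_CHANNEL = "customer_session"   # the web/app session the customer opened


@dataclass
class Challenge:
    code_hash: bytes   # HMAC of (session, purpose, code); plaintext is never stored
    purpose: str       # the single action this code authorizes
    issued_at: float


class OtpService:
    """In-memory store keyed by session id; a real deployment persists this server-side."""

    def __init__(self, secret: bytes, now=time.time):
        self._secret = secret
        self._now = now
        self._challenges: dict[str, Challenge] = {}

    def _digest(self, session_id: str, purpose: str, code: str) -> bytes:
        msg = f"{session_id}|{purpose}|{code}".encode()
        return hmac.new(self._secret, msg, hashlib.sha256).digest()

    def issue(self, session_id: str, purpose: str, card_last4: str) -> tuple[str, str]:
        """Create a code bound to (session, purpose) and return (code, sms_text).

        The SMS states exactly what the code does, so a caller's story
        ("enhanced security") is visibly at odds with the text the customer
        receives ("add card to a new mobile wallet"), and it says that staff
        never ask for the code."""
        code = f"{secrets.randbelow(1_000_000):06d}"
        self._challenges[session_id] = Challenge(
            self._digest(session_id, purpose, code), purpose, self._now())
        sms = (f"Your bank: code {code} authorizes '{purpose}' for the card ending "
               f"{card_last4}, requested from your own online banking session. "
               "Our staff will never ask you for this code. If you did not request "
               "it, do nothing and call the number printed on your card.")
        return code, sms

    def redeem(self, channel: str, session_id: str, purpose: str, code: str) -> bool:
        """Accept the code only from the customer's own session, only for the
        purpose it was issued for, only once, and only within its lifetime.
        An agent console is not a valid channel at all, so there is no flow in
        which a human can legitimately ask a customer to read a code aloud."""
        if channel != CUSTOMER_CHANNEL:
            return False
        ch = self._challenges.get(session_id)
        if ch is None or ch.purpose != purpose:
            return False
        if self._now() - ch.issued_at > CODE_TTL_SECONDS:
            del self._challenges[session_id]
            return False
        ok = hmac.compare_digest(ch.code_hash, self._digest(session_id, purpose, code))
        if ok:
            del self._challenges[session_id]    # single use
        return ok
```

The purpose binding also means a code issued for one action cannot be replayed to confirm a different one, which is what rmbyrro's automated "Reply Yes or No" confirmation relies on as well.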
furyofantares about 3 years ago
I firmly believe that anyone can get scammed if they're caught on a bad day and the scammers happen to get lucky with some details or approach that happens to match something the target is inclined to believe.

I don't believe scams are typically designed to maximize success rate per scam; they're designed to cast a very wide net and get lucky on a few targets.
mongol about 3 years ago
I once was called by my bank on a Sunday. They told me someone had found my credit card at a parking payment machine where I parked approximately 10 minutes earlier. That was a legit and reasonably urgent call. I could go and get it from the couple that found it at a nearby café.
scott_s about 3 years ago
Basically the same scenario as this HN submission: "I'm a scam prevention expert and I got scammed", https://news.ycombinator.com/item?id=30869427
lr1970 about 3 years ago
Virtually identical story of the scam with ApplePay was here 3 weeks ago. The victim was a scam prevention expert:

https://news.ycombinator.com/item?id=30869427

EDIT: silly typos
nokya about 3 years ago
If one of my SEs came to me with this story, I'd be quite worried as his manager. The post he wrote seems to be more therapeutic than instructive...
scoot about 3 years ago
Similar to another recent post: "I'm a scam prevention expert and I got scammed"

https://news.ycombinator.com/item?id=30869427
paxys about 3 years ago
I'm not a security engineer, but here's the easiest way to prevent 99% of scams – never pick up the phone. If it is urgent they can leave a voice mail, and you can call back by looking up the official number.
nottorp about 3 years ago
US banks are so bad that this scenario would be believable? Any security problem where I am would get fixed either via resets on pre-established channels or via a visit to the actual bank with ID verification.
koala_man about 3 years ago
> I got through to the bank, but they couldn’t work out why they had called me.

The bank said "we have no record of calling you" and it didn't stop there?
vegai_ about 3 years ago
When I get off work, I want to think about silly computer problems as little as possible. Perhaps the same applies to security engineers.
bennyp101 about 3 years ago
Seems like this is more a story type thing?
RadixDLT about 3 years ago
"security expert" should be taken with a grain of salt
KSPAtlas about 3 years ago
Can this be a case of survivorship bias, but flipped?
smm11 about 3 years ago
I got the same call, but it really was my bank!

Hey, wait a second.
smbv about 3 years ago
Dupe: https://news.ycombinator.com/item?id=31100336