Conversation

Notices

    Terence Eden (edent@mastodon.social)'s status on Friday, 03-May-2024 03:44:57 JST

    You receive a call on your phone.
    The caller says they're from your bank and they're calling about a suspected fraud.

    "Oh yeah," you think. Obvious scam, right?

    The caller says "I'll send you an in-app notification to prove I'm calling from your bank."

    Your phone buzzes. You tap the notification. This is what you see.

    Still think it is a scam?
    1/3


    Attachment: https://files.mastodon.social/media_attachments/files/112/372/406/504/640/952/original/e58813c2dc165422.png
    • Haelwenn /элвэн/ :triskell: likes this.
    • GreenSkyOverMe (Monika) and Steve's Place repeated this.
      Mrs Cloudy (cloudymrs@mastodon.scot)'s status on Friday, 03-May-2024 06:55:06 JST
      in reply to
      • essjax

      @essjax @Edent I had the same in Scotland. I hung up because I thought it was a scam, so they froze my account. I had to find a still open branch and go in person to make an appointment because the branches no longer have phone numbers. At said appointment, I asked why they didn't use the banking app they pushed me onto, to inform me of a suspect transaction, and was told they aren't set up to do that.

      essjax (essjax@essjax.com)'s status on Friday, 03-May-2024 06:55:08 JST

      @Edent I had my bank call me about suspected fraud and they had no way for me to confirm they were legit. I said I'd call them back and they didn't have an external number I could call. Their tone suggested nobody had ever checked. One of the biggest banks in Australia / NZ.

      Terence Eden (edent@mastodon.social)'s status on Friday, 03-May-2024 11:29:00 JST

      The scammer is on the phone to you.
      Their accomplice is on the phone to your bank, pretending to be you.
      Your bank sends you the notification.
      You accept, and scammers proceed to drain your account.

      Someone has just lost £18,000 because of this.
      https://www.reddit.com/r/UKPersonalFinance/comments/1cih3kd/been_scammed_over_18000_through_my_chase_account/

      2/3

      Haelwenn /элвэн/ :triskell: likes this.
      GreenSkyOverMe (Monika) repeated this.
      Terence Eden (edent@mastodon.social)'s status on Friday, 03-May-2024 11:29:00 JST

      It *is* a genuine notification. But it isn't confirming the bank is calling you.

      Should the bank word that differently?

      In a rush, would you read it thoroughly?

      Most likely, in a panic about the fraud, you'd confirm it was a genuine notification (it is!) and accept it.

      3/3

      Haelwenn /элвэн/ :triskell: likes this.
      13 barn owls in a trenchcoat, マリオ (Mario Menti), mark and Rich Felker repeated this.
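The relay described in posts 2/3 and 3/3 above, modelled as code so the weakness is explicit: the bank's approval prompt is a bare yes/no that nothing ties to the call the victim is actually on. This is an added example, not code from Terence Eden, from the blog post he links, or from any bank; the Bank, Session and Prompt classes, the "inbound/outbound" origin labels, the prompt wording and the £18,000 payee action are all assumptions constructed for illustration.

```python
"""Toy model of the push-approval relay (added example, not from the thread).

Parties: the victim; the scammer on the phone with the victim; the accomplice
on the phone with the bank pretending to be the victim; and the bank, which
pushes an in-app prompt to the victim's phone.  All names and wording are
illustrative assumptions."""
from dataclasses import dataclass
from typing import Optional
import secrets

# How the bank's own records say a session started.  The app user only knows
# what is happening on their own phone, which is exactly the gap the relay exploits.
INBOUND_CALL = "inbound_call"    # someone rang the bank claiming to be the customer
OUTBOUND_CALL = "outbound_call"  # the bank's fraud team rang the customer


@dataclass
class Session:
    session_id: str
    customer: str
    origin: str      # INBOUND_CALL or OUTBOUND_CALL
    caller_id: str   # number the bank saw; spoofable, so shown but never trusted alone
    action: str      # what the person on the line asked for


@dataclass
class Prompt:
    session_id: str
    text: str
    requires_origin_answer: bool  # bound prompt makes the user say how the contact started


class Bank:
    def __init__(self) -> None:
        self.sessions: dict[str, Session] = {}
        self.released: list[str] = []  # actions the bank went ahead with
        self.alerts: list[str] = []    # sessions flagged for the fraud team

    def open_session(self, customer: str, origin: str, caller_id: str, action: str) -> Session:
        s = Session(secrets.token_hex(4), customer, origin, caller_id, action)
        self.sessions[s.session_id] = s
        return s

    # The kind of prompt the thread's screenshot is an instance of: "confirm you are
    # talking to us", with nothing about who started the call or what is being approved.
    def weak_prompt(self, sid: str) -> Prompt:
        return Prompt(sid, "Please confirm you are speaking with the bank. "
                           "Enter your passcode to continue.", False)

    # A context-bound prompt: states the bank's view of how the session began and what
    # was requested, then asks the user for *their* view so the two can be compared.
    def bound_prompt(self, sid: str) -> Prompt:
        s = self.sessions[sid]
        if s.origin == INBOUND_CALL:
            who = f"Someone rang us from a number ending {s.caller_id[-4:]} saying they are you"
        else:
            who = "Our fraud team rang you"
        return Prompt(sid, f"{who} and asked us to: {s.action}. How did this contact start? "
                           "[I rang the bank] [The bank rang me] [Neither]", True)

    def approve(self, prompt: Prompt, user_origin_answer: Optional[str] = None) -> tuple[bool, str]:
        """Bank-side decision when the user taps approve.  user_origin_answer is the
        user's own account: INBOUND_CALL (I rang the bank), OUTBOUND_CALL (the bank
        rang me) or any other string for "neither"."""
        s = self.sessions[prompt.session_id]
        if not prompt.requires_origin_answer:
            # Weak flow: a tap is a tap.  The bank cannot tell a relayed tap from a real one.
            self.released.append(s.action)
            return True, "approved: tap received, nothing ties it to the real call"
        if user_origin_answer != s.origin:
            # The user's account contradicts the bank's session record: the classic
            # signature of an approval being relayed by someone else on the line.
            self.alerts.append(s.session_id)
            return False, f"denied: bank session is {s.origin}, user says {user_origin_answer}"
        self.released.append(s.action)
        return True, "approved: user account matches session origin"


def run_relay(hardened: bool, victim_coached: bool = False) -> tuple[bool, str]:
    """Replay the thread's attack against the weak or the bound prompt.
    victim_coached=True models the scammer telling the victim which button to press."""
    bank = Bank()
    # Accomplice rings the bank impersonating the victim (constructed sample data).
    session = bank.open_session("alice", INBOUND_CALL, "+44700000001234",
                                "send 18000 GBP to a new payee")
    prompt = bank.bound_prompt(session.session_id) if hardened else bank.weak_prompt(session.session_id)
    # The scammer is on the phone with the victim, so the victim's truthful
    # experience is "the bank rang me"; a coached victim says what the scammer wants.
    victim_answer = INBOUND_CALL if victim_coached else OUTBOUND_CALL
    return bank.approve(prompt, victim_answer)


def run_genuine() -> tuple[bool, str]:
    """The legitimate case: the fraud team really did ring, and the customer says so."""
    bank = Bank()
    session = bank.open_session("alice", OUTBOUND_CALL, "+44700000001234", "unblock card")
    return bank.approve(bank.bound_prompt(session.session_id), OUTBOUND_CALL)


if __name__ == "__main__":
    print("weak prompt, relayed:   ", run_relay(False))
    print("bound prompt, relayed:  ", run_relay(True))
    print("bound prompt, coached:  ", run_relay(True, victim_coached=True))
    print("bound prompt, genuine:  ", run_genuine())
```

Two things the model makes visible. First, the bound prompt stops the relay only because the bank compares the user's statement against its own session record; rewording alone, with no server-side check, changes nothing. Second, the check is not a silver bullet: a coached victim who taps "I rang the bank" still gets through, which is why the mismatch also lands in `alerts` for a human follow-up, and why the advice elsewhere in the thread (hang up and call the published number yourself) remains the stronger control.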
      Dan McDonald (danmcd@hostux.social)'s status on Friday, 03-May-2024 11:29:48 JST

      @Edent

      Wow a man-in-the-middle attack with a real life person actually in the middle! 😮

      Haelwenn /элвэн/ :triskell: likes this.
      MadMike77 (madmike77@chaos.social)'s status on Friday, 03-May-2024 16:22:49 JST
      in reply to
      • Captain Janegay 🫖
      • Glitzersachen.de
      • Extreme Electronics

      @glitzersachen @CaptainJanegay @Extelec @Edent I've grown up with computers and work as a DevOps. I regularly speak with friends about security.
      This scam is unsuspicious as hell. A good reminder that I'd need to remind myself why the person needs my passcode.
      I'd have fallen for this MITM, I'm pretty certain.

      clacke likes this.
      Glitzersachen.de (glitzersachen@hachyderm.io)'s status on Friday, 03-May-2024 16:22:51 JST
      in reply to
      • Captain Janegay 🫖
      • Extreme Electronics

      @CaptainJanegay @Extelec @Edent

      It's a man-in-the-middle attack. And quite obvious in my opinion.

      Only proper reaction: I call you back, gimme a number and your name. Then phone via the front desk of your bank.

      Captain Janegay 🫖 (captainjanegay@mastodon.coffee)'s status on Friday, 03-May-2024 16:22:52 JST
      in reply to
      • Extreme Electronics

      @Extelec @Edent That's normal. It's to confirm that someone else hasn't just stolen your phone. The rest of the thread explains, but this *is* a legitimate notification, it's just being misused.

      Extreme Electronics (extelec@mstdn.social)'s status on Friday, 03-May-2024 16:22:53 JST

      @Edent I'd go with yes, it's a scam. Why does it need your passcode if you are already logged in to their app?

      a libi rose (rose_alibi@post.lurk.org)'s status on Friday, 03-May-2024 16:22:58 JST

      @Edent you're making a leap by assuming I answer phone calls

      clacke likes this.
      Simon Wood (simonwood@mastodon.social)'s status on Friday, 03-May-2024 16:34:29 JST
      in reply to
      • flabberghaster

      @flabberghaster @Edent I have had my actual bank call me, and then ask me (via security questions) to verify that I am actually me. I feel that was *training* customers to divulge information insecurely, as I had no way of knowing that they were who they were, and they wouldn’t have provided it if I’d gone along with their request.

      clacke likes this.
      Simon Wood (simonwood@mastodon.social)'s status on Friday, 03-May-2024 16:34:30 JST

      @Edent I think I’d be taken in by that. My thought was: why do they need to check they’re on the phone to me if *they* called *me*? But on balance I’d decided it was just poor wording or an ill thought through system (both of which I still think, in fact!) so I wouldn’t have challenged it.

      flabberghaster (flabberghaster@mas.to)'s status on Friday, 03-May-2024 16:34:30 JST
      in reply to
      • Simon Wood

      @simonwood @Edent one might assume even if they believed the bank was calling them, that they still need to confirm they got you and not someone else.

      SuperDicq (superdicq@minidisc.tokyo)'s status on Friday, 03-May-2024 20:16:02 JST

      @Edent@mastodon.social Another good reason to say no to proprietary banking apps. My bank account can only be accessed using a physical non-internet connected 2FA key device.

      SuperDicq (superdicq@minidisc.tokyo)'s status on Friday, 03-May-2024 20:22:02 JST

      @Edent@mastodon.social You can't get fooled by notifications like this if you don't have a banking app.

      Terence Eden (edent@mastodon.social)'s status on Friday, 03-May-2024 20:22:03 JST
      in reply to
      • SuperDicq

      @SuperDicq my banking app also supports a physical 2FA token. So what?

      Terence Eden (edent@mastodon.social)'s status on Friday, 03-May-2024 20:29:33 JST
      in reply to
      • SuperDicq

      @SuperDicq sure, but you also can't check your balance. Send money to friends. Receive an alert when your card is used fraudulently. Or any of a 100 useful things.
      Telling people to give up extremely convenient features isn't the answer here.

      SuperDicq (superdicq@minidisc.tokyo)'s status on Friday, 03-May-2024 20:29:33 JST

      @Edent@mastodon.social I can still do those things, my bank in particular has a decent API and someone wrote a CLI client for it actually.

      But yeah, I know giving up "convenience" isn't a good answer here. First of all, it's educating people on how not to get scammed, and secondly it's telling banks to take security seriously by also making them liable in case one of their customers gets scammed by fraud like this.

      翠星石 likes this.
      Terence Eden (edent@mastodon.social)'s status on Sunday, 05-May-2024 18:11:23 JST

      I've written up the above scam in more detail.

      https://shkspr.mobi/blog/2024/05/bank-scammers-using-genuine-push-notifications-to-trick-their-victims/

      Remember, no matter how clever and security-conscious you think you are, these criminals are highly sophisticated.

      You have to be lucky every single time. They only have to be lucky once.


GNU social JP is a social network, courtesy of GNU social JP管理人. It runs on GNU social, version 2.0.2-dev, available under the GNU Affero General Public License.

Creative Commons Attribution 3.0 All GNU social JP content and data are available under the Creative Commons Attribution 3.0 license.