You receive a call on your phone.The caller says they're from your bank and they're calling about a suspected fraud.

edent@mastodon.social

@Ric actual Chase app.

simonwood@mastodon.social

@Edent I think I’d be taken in by that. My thought was: why do they need to check they’re on the phone to me if *they* called *me*? But on balance I’d decided it was just poor wording or an ill thought through system (both of which I still think, in fact!) so I wouldn’t have challenged it.

engravecavedave@mastodon.social

@Edent I had to look up what Chase is. As sophisticatingly horrifying as this is, I guess those of us who aren't with Chase are not vulnerable to this?

Yes, that was a legit question

edent@mastodon.social

@engravecavedave it depends. Does your bank's app send notifications like this? If so, you're probably vulnerable.

flabberghaster@mas.to

@simonwood @Edent one might assume even if they believed the bank was calling them, that they still need to confirm they got you and not someone else.

simonwood@mastodon.social

@flabberghaster @Edent I have had my actual bank call me, and then ask me (via security questions) to verify that I am actually me. I feel that was *training* customers to divulge information insecurely, as I had no way of knowing that they were who they were, and they wouldn’t have provided it if I’d gone along with their request.

derickr@phpc.social

@Edent How and what is faked there then?

edent@mastodon.social

@derickr nothing is faked in app. It is a genuine notification from your bank.

flabberghaster@mas.to

@simonwood @Edent yeah, same. I had told my bank I intended to travel internationally and then when I got there my card stopped working and they called me saying there was suspected fraud on my card. I knew it was legit because I called back on the number on my card, but I think it's bad practice to initiate calls.

shansterable@c.im

@Edent
The remedy is to hang up and call the bank directly, right?

the5thcolumnist@mstdn.ca

@Edent
Nothing in that image to prove it's actually your bank app .

cferdinandi@mastodon.social

@Edent Yea, I definitely think it's a scam.

julian

@[email protected] in this example you can assume the notification came from the Chase application itself, the one installed on your phone.

For the sake of example you could also substitute this with an SMS 2FA, that is a similar attack vector.

zoe@social.animeprincess.net

@Edent Could be scam, no?

Method:
1. Scammer calls you and Chase at same time
2. Chase is unsure of scammers identity, so sends them in-app 2FA dialog
3. You hit yes, and Chase thinks scammer is you

edent@mastodon.social

@zoe bingo!

captainjanegay@mastodon.coffee

@Extelec @Edent That's normal. It's to confirm that someone else hasn't just stolen your phone. The rest of the thread explains, but this *is* a legitimate notification, it's just being misused.

funbaker@chaos.social

@Edent there used to be a time where they told customers at every possibility: our employees will never ask for your password etc.
I think they still do.
Wtf happened.

edent@mastodon.social

@funbaker they haven't asked for your password.
You haven't given the person on the phone any details.

lexeto@mastodon.social

@Edent I love this scam. The banks need to repeat the standard advice of never passing information to a caller about your account, ever. Their security advice is you must call back on their standard number.

It's definitely the bank's failure to not make this explicit on the app notification. I hope they are rushing to fix it :blobsweats:

"We will never call you and ask for information"

dinosaurdigger@mastodon.social

@Edent no because i never answer my phone