You receive a call on your phone. The caller says they're from your bank and they're calling about a suspected fraud.
-
@Edent This two-factor authentication is useless when both factors go to the same phone. One of my banks does this, and I can't figure out why they think it is secure.
-
@Edent I'm sitting here in 2024 wondering why we still don't have authenticated caller id.
-
@Edent My bank or any other entity I do business with (cable, doctor etc), I hang up and call them using a number in my phone.
-
Tristan Slominski replied to Terence Eden
@Edent "If someone called you and you did not call the bank, hang up and report fraud" at the beginning would help.
Directionality is important in this protocol and needs to be of prime importance.
-
Pass the Dutchie replied to Terence Eden
@Edent I got a call saying it was my bank. Almost got me. But I decided to call my bank and hung up. The bank said they will never call me. The same scammer called me several more times trying the same tactic.
-
Douglas King replied to Terence Eden
@Edent
My bank just went out of business. So I'm protected from this scam.
-
@infosec_jcp done differently replied to Terence Eden
This speaks to a CNE either in app being targeted or #StateSponsoredMalware already on the phone and this is just the #SSM being used with a phone call to get you to authorize and give passcode to scammers for later banking behind the scenes. Alert the Chase Bank via the number on the back of the card and cease using the banking app until you clear the SSM off your phone.
Banking Class security doesn't deal with SSM very well in my experience. Alerting them CAN help their fraud department and let them know to monitor so monitor your in/out on your accounts and look for anomalies like recurring charges, cloned card behavior using gas stations and ATM off bank.
-
Terence Eden replied to @infosec_jcp done differently
@infosec_jcp @Ric
It isn't SSM. It isn't a vulnerability in the app. Read the rest of the thread.
-
@Edent I'd say out of the gate, "Oh, I'll be right there!" Then I'd hang up and call my bank directly. Cause I don't believe anything that comes in a phone call or email unless I instigated it from a system I'm familiar with and it's simple, like verifying a doctor visit, etc.
-
Glitzersachen.de replied to Captain Janegay
@CaptainJanegay @Extelec @Edent
It's a man in the middle attack. And quite obvious in my opinion.
Only proper reaction: I call you back, gimme a number and your name. Then phone via the front desk of your bank.
-
@Edent @offby1 it is so frustrating, seeing this q and immediately knowing what the scam is and how to fix it and never being anywhere near proximity to the actual decision makers who can prevent stuff like this. Like please point me at a bank executive and let me give them a security design and threat modeling training, for the love of god
-
I wonder how long it would take for banks to put in security measures to prevent this if they had to pay for the losses, instead of passing them on to their customers?
"The scammer is on the phone to you.
Their accomplice is on the phone to your bank, pretending to be you.
Your bank send you the notification.
You accept, and scammers proceed to drain your account."
"Someone has just lost £18,000 because of this."
-
@Edent Chiming in to say I experienced this scam with Capital One, who uses in app notifications or text messages for verification. I only barely caught on to it in time to tell them I'd hang up and call them back.
Come to find out, Capital One does not cold call you for suspected fraud under any circumstances.
-
Word of Mouth :emacs: replied to Terence Eden
@[email protected] Definitely. My habit is to receive the fraud notice call, then hang up, and dial the number on the back of my bank card. If it's really fraud, they'll know about it and we continue. Otherwise, it was a scam and I dodged a bullet.
-
@Greengordon
In the UK, banks often *do* have to pay.
https://www.theguardian.com/money/2023/jun/07/uk-banks-to-reimburse-victims-under-new-rules-regulator-confirms
-
@[email protected] Easy one: I'd judge by the dialect. My bank is located in a small western Norwegian town called Voss. Everyone who works there speaks the Voss dialect. And people at Voss don't do fraud.
-
John Mark Ockerbloom replied to Terence Eden
@Edent I'd think that knowing this, the message should say "Did you call Chase?" (maybe with a note that if it appears that Chase called *you*, you should hang up and dial their number). That might not stop everyone from pressing Yes anyway and confirming, but it might stop some of the scams from succeeding.
-
Terence Eden replied to Word of Mouth :emacs:
@notroot
How often do you receive fraud notices?
-
@glitzersachen @CaptainJanegay @Extelec @Edent if you think this is quite obvious I feel sorry for your users.
-
Quinn Comendant replied to Terence Eden
@Edent If you call Bank of America, they will verify you using a code sent by SMS that contains, "DO NOT share this Sign In code."
I'll confirm with the agent that they're asking for the one that says under no circumstances am I to share with anyone, and they reply cheerfully, "yeah that's the one."