You receive a call on your phone.The caller says they're from your bank and they're calling about a suspected fraud.
-
@Edent Your bank wouldn't do this.
-
Terence Edenreplied to Terence Eden on last edited by [email protected]
It *is* a genuine notification. But it isn't confirming the bank is calling you.
Should the bank word that differently?
In a rush, would you read it thoroughly?
Most likely, in a panic about the fraud, you'd confirm it was a genuine notification (it is!) and accept it.
3/3
-
@Ric actual Chase app.
-
@Edent I think I’d be taken in by that. My thought was: why do they need to check they’re on the phone to me if *they* called *me*? But on balance I’d decided it was just poor wording or an ill thought through system (both of which I still think, in fact!) so I wouldn’t have challenged it.
-
@Edent I had to look up what Chase is. As sophisticatingly horrifying as this is, I guess those of us who aren't with Chase are not vulnerable to this?
Yes, that was a legit question
-
@engravecavedave it depends. Does your bank's app send notifications like this? If so, you're probably vulnerable.
-
@simonwood @Edent one might assume even if they believed the bank was calling them, that they still need to confirm they got you and not someone else.
-
@flabberghaster @Edent I have had my actual bank call me, and then ask me (via security questions) to verify that I am actually me. I feel that was *training* customers to divulge information insecurely, as I had no way of knowing that they were who they were, and they wouldn’t have provided it if I’d gone along with their request.
-
@Edent How and what is faked there then?
-
@derickr nothing is faked in app. It is a genuine notification from your bank.
-
@simonwood @Edent yeah, same. I had told my bank I intended to travel internationally and then when I got there my card stopped working and they called me saying there was suspected fraud on my card. I knew it was legit because I called back on the number on my card, but I think it's bad practice to initiate calls.
-
Shannon Skinner (she/her)replied to Terence Eden on last edited by
@Edent
The remedy is to hang up and call the bank directly, right? -
Richard W. Woodley RNKD BLTS 🇨🇦🌹🚴♂️📷 🗺️replied to Terence Eden on last edited by
@Edent
Nothing in that image to prove it's actually your bank app . -
Chris Ferdinandi ⚓️replied to Terence Eden on last edited by
@Edent Yea, I definitely think it's a scam.
-
@[email protected] in this example you can assume the notification came from the Chase application itself, the one installed on your phone.
For the sake of example you could also substitute this with an SMS 2FA, that is a similar attack vector.
-
@Edent Could be scam, no?
Method:
1. Scammer calls you and Chase at same time
2. Chase is unsure of scammers identity, so sends them in-app 2FA dialog
3. You hit yes, and Chase thinks scammer is you -
@zoe bingo!
-
Captain Janegay 🫖replied to Extreme Electronics on last edited by
-
funbaker #AssangeIsNotGuiltyreplied to Terence Eden on last edited by
@Edent there used to be a time where they told customers at every possibility: our employees will never ask for your password etc.
I think they still do.
Wtf happened. -
Terence Edenreplied to funbaker #AssangeIsNotGuilty on last edited by
@funbaker they haven't asked for your password.
You haven't given the person on the phone any details.