Slashdot Mirror


Voice Phishing Scams Are Getting More Clever (krebsonsecurity.com)

Security researcher Brian Krebs highlights several clever methods scammers are using to obtain your personal information. In one example, someone used a fully-automated voice to try and scam "a cybersecurity professional with more than 30 years of experience" by greeting him with a four-note AT&T jingle, "followed by a recorded voice saying AT&T was calling to prevent his phone service from being suspended for non-payment."

"It then prompted me to enter my security PIN to be connected to a billing department representative," Jon said. "My number was originally an AT&T number (it reports as Cingular Wireless) but I have been on T-Mobile for several years, so clearly a scam if I had any doubt. However, I suspect that the average Joe would fall for it."

Krebs reports on another, more sophisticated scam attempted on Matt Haughey, the creator of the community Weblog MetaFilter and a writer at Slack:

Haughey banks at a small Portland credit union, and last week he got a call on his mobile phone from an 800-number that matched the number his credit union uses. Actually, he got three calls from the same number in rapid succession. He ignored the first two, letting them both go to voicemail. But he picked up on the third call, thinking it must be something urgent and important. After all, his credit union had rarely ever called him. Haughey said he was greeted by a female voice who explained that the credit union had blocked two phony-looking charges in Ohio made to his debit/ATM card. She proceeded to then read him the last four digits of the card that was currently in his wallet. It checked out. Haughey told the lady that he would need a replacement card immediately because he was about to travel out of state to California. Without missing a beat, the caller said he could keep his card and that the credit union would simply block any future charges that weren't made in either Oregon or California.

This struck Haughey as a bit off. Why would the bank say they were freezing his card but then say they could keep it open for his upcoming trip? [...] The caller then read his entire home address to double check it was the correct destination to send a new card at the conclusion of his trip. Then the caller said she needed to verify his mother's maiden name. The voice in his head spoke out in protest again, but then banks had asked for this in the past. He provided it. Next she asked him to verify the three digit security code printed on the back of his card. Once more, the voice of caution in his brain was silenced: He'd given this code out previously in the few times he'd used his card to pay for something over the phone. Then she asked him for his current card PIN, just so she could apply that same PIN to the new card being mailed out, she assured him. Ding, ding, ding went the alarm bells in his head. Haughey hesitated, then asked the lady to repeat the question. When she did, he gave her the PIN, and she assured him she'd make sure his existing PIN also served as the PIN for his new card. Haughey said after hanging up he felt fairly certain the entire transaction was legitimate, although the part about her requesting the PIN kept nagging at him.

Long story short, two fraudulent charges were made on his account totaling $3,400. "People I've talked to about this say there's no way they'd fall for that, but when someone from a trustworthy number calls, says they're from your small town bank, and sounds incredibly professional, you'd fall for it, too," Haughey said.

201 comments

  1. Nof if only Krebs got readable by Anonymous Coward · · Score: 0

    His "clever" shtick just isn't.

    1. Re:Nof if only Krebs got readable by Anonymous Coward · · Score: 0

      “A fool and his money are soon parted”
      Never give out any info when contacted.
      Call back using the original number listed on the card or documents, never a number given by the scam.
      If you really want to get rid of your money you can help fund my vacation account.

  2. Whoa. by msauve · · Score: 5, Insightful

    If they're calling you, they don't have any reason to ask you to provide any confidential info to verify you are who they called. If they ask, get a name and extension, and call them back via a published number.

    --
    "National Security is the chief cause of national insecurity." - Celine's First Law
    1. Re:Whoa. by PPH · · Score: 4, Insightful

      If they ask, get a name and extension,

      Always this. They can spoof the legitimate bank customer service number. So don't assume the caller ID is correct. Always tell them that you will call them back at a convenient time.

      --
      Have gnu, will travel.
    2. Re:Whoa. by coastwalker · · Score: 0

      Quite, very funny story. 19 out of 20 telephone calls who are not friends and family are scams, they all go to voicemail. Always look up the vendor's phone number and call them direct if you actually think you need to speak to them. You must be completely bloody insane to answer any questions from a call to you, the odds of it not being a scam are almost infinitesimal.
      I hope Krebs lost his money, what a berk.

      --
      Facts are history now plebs have politics for religion on social media.
    3. Re:Whoa. by ShanghaiBill · · Score: 5, Interesting

      They can spoof the legitimate bank customer service number.

      But only because the telecom companies let them, and the government has done nothing to ban the practice.

      Spoofing should be illegal unless the company doing the spoofing owns both numbers.

      That this is mostly an American+Canadian problem. The practice is illegal in most other countries.

    4. Re:Whoa. by arth1 · · Score: 1

      19 out of 20 telephone calls who are not friends and family are scams

      Really? Are you sure it's not 18 out of 19?

    5. Re:Whoa. by Kaenneth · · Score: 0

      > The practice is illegal in most other countries.

      So is fraud; making things illegal won't stop criminals.

    6. Re:Whoa. by ShanghaiBill · · Score: 2

      making things illegal won't stop criminals.

      We don't need to stop the criminals. We only need to stop the telecoms from enabling them.

    7. Re: Whoa. by Anonymous Coward · · Score: 0

      I refuse to give out any information if they call me and will either call the bank or the number on the back of the card

    8. Re:Whoa. by Anonymous Coward · · Score: 0

      If they ask, get a name and extension,

      Always this. They can spoof the legitimate bank customer service number. So don't assume the caller ID is correct. Always tell them that you will call them back at a convenient time.

      Unfortunately, the reason this scam is so effective is the average person still doesn't know what "spoof" means in the digital world.

    9. Re:Whoa. by ShanghaiBill · · Score: 3, Insightful

      backwards compatibility be damned.

      What is the legitimate use case for 3rd party number spoofing?

      it's 2018 why haven't we solved the SPAM problem yet????

      Stupid analogy. Spam is a problem worldwide. There is no obvious solution.

      3rd party number spoofing is an America+Canada only problem. The solution is obvious, and most of the world has already done it.

    10. Re:Whoa. by arth1 · · Score: 2

      So is fraud; making things illegal won't stop criminals.

      Actually, it will, in that you can arrest, jail, prosecute and imprison them once it's illegal, but if it's legal, they can continue at will.

    11. Re: Whoa. by Anonymous Coward · · Score: 0

      A. Number portability. I can no longer be certain that an AT&T assigned number is still with AT&T.

      B. Many companies assign the main corporate number to all outbound calls. This is a feature that shouldn't be broken.

      C. VOIP service. I want calls from my cell and voip to be transparent. It's also nice to be able to call as, so I can call as me or as my corporate phone number from one phone.

    12. Re:Whoa. by Linsaran · · Score: 0, Redundant

      What is the legitimate use case for 3rd party number spoofing?

      If you run a business/call center and have 100s of lines, you probably want to direct incoming callers to a single main phone line rather than to the desk of a specific call center rep. Especially if that rep takes a break or is off duty for a time.

      Another example; I use google voice as my business phone line. It will ring to my personal cell phone when I'm out of office on the road. When I call someone back I don't want them to see my personal number, so google voice spoofs the caller ID to match my google voice number even though I'm calling from my cell phone.

      So there are legitimate reasons to allow caller ID spoofing; but it should be more carefully restricted. Problem is there's no incentive from the telecom industry to do so; and the government hasn't forced it on them yet.

      --
      In a bit of shameless internet panhandling, I accept Litecoin Donations at Lbd2oH9QsthD1GfuUXPyka12YxvWJYnBVf
    13. Re:Whoa. by mark-t · · Score: 1

      The telecom company that is forwarding that info to you has no way to know that the caller spoofed their caller ID. Not only do you have to trust the exchange you are getting the call from, but you must trust the exchange that connected to that exchange, and so on, all the way to the original caller, and there is no way for the receiver to positively identify these exchanges if the original caller happened to send false information in the first place.

      The only fix for this would completely break backwards compatibility and would in general make it all but impossible to make long distance calls.

    14. Re:Whoa. by mark-t · · Score: 1

      There isn't any... but in general, an exchange has no way to know what exchange a call *ACTUALLY* originated from if it didn't originate in the exchange connected directly to it.

    15. Re: Whoa. by Anonymous Coward · · Score: 0

      Call spoofing is also illegal in the US. "Truth in Caller ID Act".

    16. Re:Whoa. by Anonymous Coward · · Score: 0

      My bank would never call and ask for that kind of info! And if they did, they would NEVER get it! I would be calling the bank from their published number to ask if they had called, and then go and see them IN PERSON to lock my account until a new card could be issued!! I don't give even my first name over the phone. If there were any problems with my account, it would be locked, and I would be contacted to come to the bank to take care of it.

    17. Re: Whoa. by ShanghaiBill · · Score: 2, Insightful

      A. Number portability. I can no longer be certain that an AT&T assigned number is still with AT&T.

      Why does this require 3rd party number spoofing?

      B. Many companies assign the main corporate number to all outbound calls. This is a feature that shouldn't be broken.

      C. VOIP service. I want calls from my cell and voip to be transparent. It's also nice to be able to call as, so I can call as me or as my corporate phone number from one phone.

      Neither of these require 3rd party number spoofing.

      Spoofing is fine if the same company owns both numbers. That is legal almost everywhere.

    18. Re:Whoa. by Ol+Olsoc · · Score: 0

      > The practice is illegal in most other countries.

      So is fraud; making things illegal won't stop criminals.

      So the answer is to eliminate all laws to insure peace.

      --
      The shepherds did so well protecting the flock that the sheep no longer believed that wolves existed.
    19. Re:Whoa. by ShanghaiBill · · Score: 4, Insightful

      So there are legitimate reasons to allow caller ID spoofing

      Of course there are, and you listed several, but that WAS NOT THE QUESTION,

      Let me repeat: Is there any legitimate use case for THIRD PARTY phone number spoofing?

      This means you call from a number that you own and control, and you make it look like it is coming from a number that you do NOT own or control, and do not have permission to use. This is obviously useful to criminals. Is it needed by anyone else?

    20. Re:Whoa. by Ol+Olsoc · · Score: 1

      The telecom company that is forwarding that info to you has no way to know that the caller spoofed their caller ID. Not only do you have to trust the exchange you are getting the call from, but you must trust the exchange that connected to that exchange, and so on, all the way to the original caller, and there is no way for the receiver to positively identify these exchanges if the original caller happened to send false information in the first place.

      The only fix for this would completely break backwards compatibility and would in general make it all but impossible to make long distance calls.

      I see, so why didn't I get any of this crap back in say - the 1980s?

      And are you seriously suggesting that it is impossible to make certain that the number that pops up is the number that is calling?

      Such a complex system that a call announcing system was developed that is not capable of ever working. Someone should be fired over developing that never working device.

      --
      The shepherds did so well protecting the flock that the sheep no longer believed that wolves existed.
    21. Re:Whoa. by Anonymous Coward · · Score: 0

      If they're calling you, they don't have any reason to ask you to provide any confidential info to verify you are who they called.

      "Why yes I am totally my d.. I mean Mr Smith."

      But that said, I do agree with "get a name and extension, and call them back via a published number".

    22. Re:Whoa. by Anonymous Coward · · Score: 1

      I had one scam call my mom claiming they had all her information, but they needed to confirm information to extend her insurance.

      I told my mom to ask one simple question, what colour is my car. If they have all the information that is easy to answer and does not invade any personal info.

      They stayed on the line for about ten minutes trying to get mom to give them any info, but she stuck to her guns, if they have her info then they can tell her the colour of her car.

      Now guess what, my mom later died and I still have that car, and it has been seven years since that call and I still have no problems with insurance.

      E.C.P.

    23. Re:Whoa. by Anonymous Coward · · Score: 0

      I see, so why didn't I get any of this crap back in say - the 1980s?

      Why didn't you see caller ID spoofing before the advent of caller ID? Is this an actual question?

    24. Re:Whoa. by wierd_w · · Score: 1, Informative

      Define "Legitimate"

      Here's one all the same though,

      Fortune 500 company decides that it wants to use the services of "Call center cubefarm dystopia" for part of its service call needs.

      Call center cubefarm dystopia INC clearly is not Fortune 500 Inc, but has an agreement to PRETEND to be, with Fortune 500 Inc. Fortune 500 Inc DOES NOT WANT customers to know that Cubefarm Dystopia Inc is who is really handling their support calls, because that's just bad PR. They also do not want to train, retain, or operate the support staff themselves, because $$$.

      So, Cubefarm Dystopia Inc spoofs being Fortune 500 Inc on their caller ID.

    25. Re:Whoa. by jpaine619 · · Score: 2

      I gotta agree with the GP.. If the telecoms don't permit third party spoofing, it wouldn't happen.. They control the network... They can enable/disable it...

      If it doesn't occur in Europe, then they have apparently figured out how to disable it..

      First party spoofing is fine.. As many have pointed out, it's nice that all outbound calls from a single company have the same Caller ID.

      On the other hand, I shouldn't be able to show "Joe's Fish Shack" as the caller ID from a call on my home phone if I have no connection to Joe's Fish Shack. The technology to permit this should not be in place.. Telecoms should assign the Caller ID.. Not the asshole making the phone call.

    26. Re:Whoa. by ShanghaiBill · · Score: 2

      The only fix for this would completely break backwards compatibility

      Nonsense. An obvious solution would be to ban all American companies from 3P spoofing, and ban them from connecting to foreign networks that allow it. Give them six months to implement it.

      During those six months, any country that wants to continue to connect to America's phone system (i.e. all except North Korea) would scramble to fix their own phone systems. Most would need to do nothing, since 3P spoofing is ALREADY ILLEGAL. In India, 3P spoofing is already illegal for domestic calls, but allowed for international calls, so it would be only a minor change.

    27. Re:Whoa. by superdave80 · · Score: 1

      Not only do you have to trust the exchange you are getting the call from, but you must trust the exchange that connected to that exchange, and so on, all the way to the original caller

      But how does a call get to a phone number then? If I dial phone number 1234, how does my carrier know what final exchange that number is located at? And if they do, why are they accepting a phone number dialing out from a different exchange that doesn't match the info for me placing a call to 1234? I'm sure there is some technical reason for it, but it still seems screwy to me.

    28. Re:Whoa. by Ichijo · · Score: 2

      Why can't you route your call through your office in order to avoid the need to spoof your number? That would be like a VPN for telephone calls.

      An alternative would be something similar to SPF so the recipient knows that you own both numbers (cell+office) and displays your office number when they receive a call from your cell phone.

      --
      Any sufficiently unpopular but cohesive argument is indistinguishable from trolling.
    29. Re:Whoa. by mark-t · · Score: 1

      It doesn't know what final exchange the number is at, it only knows what exchange it will have to talk directly to in order to route to that number... there may be an unknown number of exchanges in between you and the target number. If the caller fakes their number, for example for a single line for a large company to forward the 1-800 number for the company instead of the in-house line that the caller may be calling from (and for which there would be no direct phone access to from the outside), the next exchange down the line has no way to know that the number is not real.

    30. Re:Whoa. by Calydor · · Score: 3, Insightful

      Contract signed by both number holders.

      Next fringe case?

      --
      -=This sig has nothing to do with my comment. Move along now=-
    31. Re:Whoa. by dissy · · Score: 1

      I see, so why didn't I get any of this crap back in say - the 1980s?

      You did, it was just rarely abused and not cheap or easy to gain access to.

      Any company owning a PBX system trunked to the phone exchange, was the owner of the device (the PBX) being asked by your exchange, what the caller ID should be.

      The staff that programmed the PBX defined the caller ID rules, and as is common practice, would have defined all "internal only" extensions to return a different phone number, likely the company's main number or reception desk.

      A PBX wasn't cheap, nor was the trunk fees to connect it to the network.

      Today we have a new thing that didn't exist in the 80s, called VoIP, where the PBX is replaced by software (some even free), and "trunk" connections over IP that cost less per month than the average person spends at mcdonalds.

      Being cheap and easily accessible only now and not in the 80s, is exactly why you see this kind of crap now and not in the 80s.

      And are you seriously suggesting that it is impossible to make certain that the number that pops up is the number that is calling?

      There is, it is called ANI, and part of the network's billing system.
      It isn't that it doesn't exist, it has since the 60s as far as I'm aware (probably longer), but you likely don't want to pay for the requirement to decide it nor the service levels needed for the phone company to offer it.

      If you get a toll or toll-free number, you will be given access to the ANI info of the caller, since for toll-free it will be you paying for the call and so you need to know what that will cost before answering.
      You also need to be trunked into the network, a POTS or cell line has no method to transmit this info to you.

      Now you can certainly argue this shouldn't be the way it is, such service should be free, and the phone company should be forced to pay for the hardware to give to you at a loss.
      But that's another story unrelated to the technology existing.

    32. Re: Whoa. by sg_oneill · · Score: 1

      I've been waging a bit of a personal war against local utilities for the last year over robocalls and phoning up asking for identifications. I want it banned. The average user, the people us IT professionals are meant to protect, have no chance of identifying a well done scam if the legitimate phonecalls are indistinguishable from the fraudulent ones, and it's damn irresponsible for these companies to continue to use these tactics when they put everyone at risk. It costs peanuts to rent a handful of lines, an asterisk server on a free tier AWS instance and a bit of time recording a plausible sounding robocall message. Build a list of suckers from the net and cha-Ching it's free money. And it all starts with irresponsible debt collectors and public utilities following irresponsible debt collection practices.

      --
      Excuse the Unicode crap in my posts. That's an apostrophe, and slashdot is busted.
    33. Re: Whoa. by sg_oneill · · Score: 1

      Hell go the whole hog. Judge Death style. Eliminate crime by eliminating life. No people, no laws. Everyone wins!

      --
      Excuse the Unicode crap in my posts. That's an apostrophe, and slashdot is busted.
    34. Re:Whoa. by wierd_w · · Score: 1

      It only takes ONE kind of case if there are multiple millions of dollars of "shareholder value" on the line.

      It is much easier to make cherry backroom deals with the telecoms to look the other way over such things (as a rule rather than an exception, so that end users have no real means of identifying that Callcenter Dystopia Inc is really who is answering all the support calls, so that Fortune 500 Inc can post EVEN BETTER quarterlies.) than it is to pay callcenter people at the pay grades otherwise demanded within their organization (especially from people that are supposed to be competent enough to answer difficult support calls about edge cases, and at call volumes and response times normally found only in telemarketing firms) and so it is not in the telecom's financial interests to "Fix" the problem.

      In fact, they get paid a lot by "legitimate" players to do the opposite.

      That was kinda the point here.

    35. Re: Whoa. by houghi · · Score: 1

      In Belgium you would still need to make sure you are talking to the right person. Otherwise you could be liable to give out personal information.

      That is why, where I work, automated systems will just ask you to call, not even saying the reason, just the company name.

      We even do not say a reason on an answering machine, if the full name of the person was not said. The number could be owned by somebody else.

      --
      Don't fight for your country, if your country does not fight for you.
    36. Re: Whoa. by houghi · · Score: 1

      The call will most likely not go to an agent. It will however be some random number that could be occupied a lot, if it is even programmed to take calls. Most agents do not have their own number.

      --
      Don't fight for your country, if your country does not fight for you.
    37. Re:Whoa. by tlhIngan · · Score: 1

      But only because the telecom companies let them, and the government has done nothing to ban the practice.

      Spoofing should be illegal unless the company doing the spoofing owns both numbers.

      That this is mostly an American+Canadian problem. The practice is illegal in most other countries.

      Spoofing may not be illegal, but scamming still is. And "other countries" have plenty of scams still. In fact, there are the old "microsoft tech support scam", the "refund scam" which is especially popular in the UK and plenty more.

      To be honest, I can't tell you if the number is spoofed - you can say the number is for the Canada Revenue Agency, but on my phone, I see a bunch of digits. I don't recognize the number, so spoof or not, I can't tell. (Do you know the number of the IRS without looking it up?)

      The tax scam is pretty useless - when you're a family of 3 taxpayers, the message that says "we have discovered an irregularity in your tax filing" is a scam - WHOSE tax filing was bad? "Your" could mean any one of three taxpayers, and you know the government isn't that bad at identifying someone.

      The refund scam and tech support scams are still rampant elsewhere in the world. Even if you eliminate spoofed numbers, you'll just be talking about a different set of scams.

      As for spoofing, there are valid reasons for it - there are often more numbers than lines at a business, so being able to return the proper DID number (or main line number) is useful instead of a completely useless line identifier. VoIP would collapse if they couldn't spoof - VoIP providers would return a random phone number to called parties who would probably not answer your phone call because they don't recognize the phone number.

      What should happen is providers do filtering of the number - if you're going to spoof, the number you spoof will only be of what you actually have. Similar to how source IP filtering works but for phone numbers. This pretty much leaves legitimate entities to spoof.

    38. Re:Whoa. by fgouget · · Score: 2

      If it doesn't occur in Europe, then they have apparently figured out how to disable it..

      Caller id spoofing happens just the same in Europe. A number of calls are placed from abroad and spoof local numbers. The phone system is a worldwide system so the solution must be deployed worldwide for it to work.

    39. Re: Whoa. by Sique · · Score: 5, Informative

      Third party number spoofing is the effect, not the cause.

      You can spoof any number by sending a user provided caller ID. The only reason the other party doesn't see the caller ID you provided is because the provider strips it from your signalling. If you are behind the phone switch of your company, the provider has no way to determine if the extension your phone switch signals to PSTN is correct. Depending on your trunk configuration, the provider thus either accepts the signalling, or strips it and replaces it with the trunk dial-in number (e.g. the number of the company's attendant switch board), so no callback will get through to the extensions.

      If you are a company with several number blocks (e.g. several locations with their own trunks), and the company wants to show a central dial-in number for callbacks, the provider has a problem. It doesn't necessarily know all the locations of your company, because some might be with a different provider. Or the company has for redundancy reasons bought connectivity with different providers, with separate trunk numbers, but wants always their main number of the first trunk as the caller ID.

      In this case, the company gets a "CLIP no screening" contract, where it is the sole responsibility of the company to signal the right caller ID, and the provider takes it without further checks, as it has incomplete information anyway and wouldn't be able to determine if the caller ID provided is valid or not. Only if there are complaints about wrong caller IDs coming from the trunk, the provider will cancel the "CLIP no screening" and no longer trust the information, strip it and replace it with the trunk number (or cancel the contract altogether).

      But if the calls with the spoofed number are crossing several providers, it will take a long time until the rogue trunk is determined that is using the wrong caller ID, because at the exchange points, the providers have to take the information of the call at face value, not really able to check if they are valid or not.

      --
      .sig: Sique *sigh*
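
The screening decision described in comment 39, and the "source IP filtering for phone numbers" idea from comment 37, sketched as an added example that is not part of the thread or of any provider's software. The `Trunk` fields, the `screen` and `record_complaint` functions, the complaint limit of 3, and all 555-01xx numbers are constructed for illustration.

```python
"""Caller-ID screening at a provider's trunk edge (added illustration)."""
import re
from dataclasses import dataclass

COMPLAINT_LIMIT = 3  # assumption: complaints tolerated before trust is withdrawn


def normalize(number):
    """Reduce a presented number to bare digits; None if it cannot be a number."""
    if not number:
        return None
    digits = re.sub(r"\D", "", number)
    return digits if 7 <= len(digits) <= 15 else None


@dataclass
class Trunk:
    name: str
    main_number: str            # trunk dial-in number, e.g. the switchboard
    owned_prefixes: tuple       # number blocks this provider assigned to the trunk
    no_screening: bool = False  # "CLIP no screening" contract in force
    complaints: int = 0


def screen(trunk, presented):
    """Decide which caller ID is delivered for a call leaving this trunk.

    Returns (delivered_number, action).
    """
    number = normalize(presented)
    if number is None:
        # Nothing usable was signalled: fall back to the trunk number.
        return trunk.main_number, "replaced:malformed"
    if any(number.startswith(p) for p in trunk.owned_prefixes):
        # The customer presents a number from its own block (an extension).
        return number, "passed:owned"
    if trunk.no_screening:
        # The provider cannot verify the number and takes the customer's word.
        # This is the path a rogue trunk uses to present someone else's number.
        return number, "passed:unscreened"
    # Screened trunk presenting a number it does not hold: strip and replace.
    return trunk.main_number, "replaced:not-owned"


def record_complaint(trunk):
    """Count a wrong-caller-ID complaint; withdraw no-screening at the limit.

    Returns whether the trunk is still trusted afterwards.
    """
    trunk.complaints += 1
    if trunk.no_screening and trunk.complaints >= COMPLAINT_LIMIT:
        trunk.no_screening = False
    return trunk.no_screening


def demo():
    """Run constructed calls through a screened and an unscreened trunk."""
    office = Trunk("office", "15035550100", ("150355501",))
    multi = Trunk("multi-site", "12065550100", ("120655501",), no_screening=True)
    not_theirs = "+1 (800) 555-0199"  # constructed number held by neither trunk
    results = [
        screen(office, "+1 503 555 0142"),  # own extension
        screen(office, not_theirs),         # screened: replaced
        screen(office, "anonymous"),        # no digits at all
        screen(multi, not_theirs),          # no-screening: passes untouched
    ]
    for _ in range(COMPLAINT_LIMIT):
        record_complaint(multi)
    results.append(screen(multi, not_theirs))  # trust withdrawn: replaced
    return results


if __name__ == "__main__":
    for delivered, action in demo():
        print(delivered, action)
```

Only the originating provider can make this decision; once the call crosses an exchange point, the next provider sees just the delivered number and has nothing to check it against.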
    40. Re:Whoa. by Anonymous Coward · · Score: 0

      The phone system is a worldwide system so the solution must be deployed worldwide for it to work.

      No, it doesn't. Just as border controls can be applied by any country in any way they wish.

      Question: How does phone company A know to bill company B for passing a connection to one of its subscribers ? And if A knows B is allowing illegal stuff passing thru its equipment, can A than not simply block all connections coming from B (or give its subscribers the possibility to do so) ?

      It's pretty much the same as with the internet: if you know a block of IPs is spewing crap you can block them in your (border)router(s). And where the internet malversant can easily move to a new block of IPs, I don't think it's that easy for phone numbers (as they are bound to a country).

    41. Re:Whoa. by Anonymous Coward · · Score: 0

      It is NOT illegal in most countries and is most definitely NOT an American+Canadian only problem. It is the way the worldwide standards for phone systems work, not sure of any country where this is not a problem.

    42. Re:Whoa. by GerryHattrick · · Score: 1

      And call back from a different 'phone. At least in the UK a scammer can hold the line open so that your next call comes to them too.

    43. Re:Whoa. by Anonymous Coward · · Score: 0

      WTF? How can a scammer 'hold the line open' so that my next call "comes to them too"? Huh? So I end a call on my phone, they somehow "hold the line open", and my phone allows me to dial a number and call it, but actually I'm still talking to the original caller? On an Android phone? How can that happen?

    44. Re:Whoa. by yes-but-no · · Score: 1

      So todo: install malware in the target's phone so when the said number is called, it gets routed to our systems.

    45. Re:Whoa. by parkinglot777 · · Score: 1

      and the government has done nothing to ban the practice.

      This statement is wrong. The government has done something (Truth in Caller ID Act) but it is not enough. The caller (either a real person or robot) clearly and fraudulently intends to obtain important personal data from the person being called. The problem with the law is that it is not clear enough and no one really enforces it.

    46. Re:Whoa. by Anonymous Coward · · Score: 0

      I subcontracted a call center to contact customers about upcoming events.
      The call center spoofs the number to match my company's primary sales/marketing/service number.

    47. Re:Whoa. by Anonymous Coward · · Score: 0

      It's required by emergency services so if a 911 or whatever the number is call gets disconnected they can reconnect back to the same dispatcher. It doesn't hold the line open, it registers the link between the two numbers so that if the end user calls back to that multi-agent number it goes back to the same original agent. It's really more that it flags the end number to reconnect it back to the service agent if it calls again. If you call another number that call will not be hijacked or blocked. Just a call back to the service agent/dispatcher/scambot line will be routed back to the original agent if they are available.

    48. Re: Whoa. by Highdude702 · · Score: 1

      More to the point of OP

      It is designed insecure for reasons stated above so making it illegal does nothing because criminals don't follow laws or they wouldn't be criminals.

    49. Re:Whoa. by AmiMoJo · · Score: 1

      That's the mechanism, not the legitimate use case.

      --
      const int one = 65536; (Silvermoon, Texture.cs)
      SJW, n: "Someone I don't like, and by the way I'm a fuckwit" - AC
    50. Re:Whoa. by AmiMoJo · · Score: 1

      Just force calls originating from outside the country to have their actual numbers displayed, rather than the caller ID ones.

      Companies that have legitimate call centres outside the country will always have an exchange in country anyway, so as to allow for free/low cost calls to their number. In fact in many EU countries it's a legal requirement to have such a number - companies are not allowed to charge more than the cost of a local call to contact them, especially their help/service/complaints lines.

      --
      const int one = 65536; (Silvermoon, Texture.cs)
      SJW, n: "Someone I don't like, and by the way I'm a fuckwit" - AC
    51. Re:Whoa. by Gr8Apes · · Score: 1

      You've got this wrong. The corporate PBX can be set up to route a set of numbers to the callcenter's PBX, and everything is handled between the two companies. It does require work on the companies' part to coordinate, but no "spoofing" required, as it's all internal. It also requires a level of trust, since the callcenter is now legally capable of calling on the company's behalf. Something tells me that potential alternate call center revenue flows would be affected.

      --
      The cesspool just got a check and balance.
    52. Re:Whoa. by msauve · · Score: 1

      Ever since number portability, there's no longer a definite geographic relationship between areas, exchanges, etc.

      --
      "National Security is the chief cause of national insecurity." - Celine's First Law
    53. Re:Whoa. by PPH · · Score: 1

      What sort of software will run on a Western Electric 2500DM?

      --
      Have gnu, will travel.
    54. Re:Whoa. by PPH · · Score: 1

      So, Cubefarm Dystopia Inc spoofs being Fortune 500 Inc on their caller ID.

      Fortune 500 Inc configures one of the numbers that they own to be the reported source of Cubefarm Dystopia's calls.

      --
      Have gnu, will travel.
    55. Re:Whoa. by wierd_w · · Score: 1

      That implies that Cubefarm Dystopia does not itself subcontract, or otherwise have very transient operations necessitating it being the one doing the report modification.

      We *ARE* talking about seeking the lowest priced option, and covering it up here.

    56. Re:Whoa. by PPH · · Score: 1

      That implies that Cubefarm Dystopia does not itself subcontract,

      Correct. It is in the interest of Fortune 500 Inc to be aware of (and monitor for quality control purposes) any subcontractors actually doing work in its name. The entity seeking the lowest price option should be Fortune 500 Inc, not Cubefarm Dystopia.

      --
      Have gnu, will travel.
    57. Re:Whoa. by fgouget · · Score: 1

      Just force calls originating from outside the country to have their actual numbers displayed

      You're saying that as if there was such a thing as an "actual (phone) number" for ip. What is the phone number of a computer in a data center? How do you know if that computer is the origin of the call or just the n-th relay?
      And what phone number would you display for people calling their family on their own cell phone from abroad? Or is your solution to make cell phones unusable abroad?

    58. Re:Whoa. by dcw3 · · Score: 1

      Spoofing should be illegal unless the company doing the spoofing owns both numbers.

      Wikipedia says it already is...

      United States

      In the United States, telemarketers are required to transmit caller ID.[16] This requirement went into effect on January 29, 2004.[17] Courts have ruled that caller ID is admissible.[18] Providers are required by FCC rules to offer "per-call" blocking of caller ID to their customers. Legislation in the United States in 2007 made caller ID spoofing illegal for fraudulent purposes.

      --
      Just another day in Paradise
    59. Re:Whoa. by AmiMoJo · · Score: 1

      In the UK such numbers just come up as "unknown", which is reasonable. The display should only show a number if there is a reasonably high level of confidence that it is genuine.

      --
      const int one = 65536; (Silvermoon, Texture.cs)
      SJW, n: "Someone I don't like, and by the way I'm a fuckwit" - AC
    60. Re:Whoa. by Anonymous Coward · · Score: 0

      I don't know why companies don't have a way of confirming that they are legit. Every time I get a call, I never provide any information. I tell them they need to confirm to me first that they are the company. Usually the call ends there cause there is no way of doing this yet. They say we cannot provide you with any information, and I am like same.

      The system needs to improve, there needs to be a two way handshake on these calls.

      What sucks even more is if they are legit calls, you call back and there is usually no record and it is your responsibility to dig deep into what the problem was. One call for me was that Comcast over-charged me for 6 months and they were calling to tell me they were giving me a refund. It took a while for this to happen since there is no way to confirm the person calling is legit, but they want you to confirm you are legit.

    61. Re:Whoa. by Anonymous Coward · · Score: 0

      I think you need to re-read the summary.

    62. Re:Whoa. by fgouget · · Score: 1

      In the UK such numbers just come up as "unknown", which is reasonable. The display should only show a number if there is a reasonably high level of confidence that it is genuine.

      Every time a city trader / UK retiree calls home from the other side of the EuroTunnel his number comes up as "unknown"? I very much doubt so. Do you have a source? But if that's true then we have different definitions of reasonable.

    63. Re:Whoa. by Anonymous Coward · · Score: 0

      Brilliant insight. So why do we have any laws at all?

    64. Re:Whoa. by yes-but-no · · Score: 1

      That may need a human to be sent out-doors to tap/fix the twisted-pair. Or may be easier to find some holes in the telephone service providers systems. Or may be directly in the so called bank's 1-800 system. Or the weakest link - human - bribe a human/supervisor in the 1-800 back office.

    65. Re: Whoa. by Anonymous Coward · · Score: 0

      To keep lawyers busy. Since they are all insufferable cunts it's handy to keep them all in one place and away from our professions.

    66. Re:Whoa. by Anonymous Coward · · Score: 0

      True, but in the case of Chase bank, good luck calling back and finding anyone who has a single fucking clue about the legitimate fraud alert THEY sent out. It took me two business days to find someone at Chase that knew about their alert, even though the fraudulent charges already showed up as pending from their first email to me. Made their legit email seem like a phish, even though it listed the correct number for the bank.

    67. Re: Whoa. by nukenerd · · Score: 1

      making it illegal does nothing because criminals don't follow laws or they wouldn't be criminals.

      I keep hearing this, so I'm persuaded. We'll do away with all laws then; it will save paper and as a bonus I'll be able to murder anyone I want.

    68. Re:Whoa. by thsths · · Score: 1

      Yes, that is true.

      Unfortunately, my bank has a nasty habit of doing exactly this. And no, you cannot call them back, because it is usually a call from back office (and they only call, they do not usually take calls).

      I think that banks have long trained customers to fall for this scam.

    69. Re:Whoa. by Anonymous Coward · · Score: 0

      That implies that Cubefarm Dystopia does not itself subcontract, or otherwise have very transient operations ...

      We *ARE* talking about seeking the lowest priced option, and covering it up here.

      I suspect that Dystopia may actually be a Russian boiler room operation that underbid everyone else to get access to Fortune 500's customer records.

    70. Re: Whoa. by Highdude702 · · Score: 1

      So you're telling me that criminals follow laws? Kind of seems like what your shitty analogy means.

    71. Re:Whoa. by AmiMoJo · · Score: 1

      It depends. Where there is an agreement the real number comes up. Where there isn't it says "out of area" or "international".

      That's my experience.

      --
      const int one = 65536; (Silvermoon, Texture.cs)
      SJW, n: "Someone I don't like, and by the way I'm a fuckwit" - AC
    72. Re: Whoa. by Anonymous Coward · · Score: 0

      You are an idiot,

    73. Re: Whoa. by Anonymous Coward · · Score: 0

      I don't think the rest of the world would care all that much.

    74. Re: Whoa. by Anonymous Coward · · Score: 0

      But why not introduce PKI to text messages? Kind of like a "this message approved by" in political ads

    75. Re:Whoa. by Ol+Olsoc · · Score: 1

      I see, So why didn't I get any of this crap back in say - the 1980s?

      Why didn't you see caller ID spoofing before the advent of caller ID? Is this an actual question?

      Pay attention to the conversation. The guy I was replying to was saying it wasn't possible to fix call spoofing without destroying backwards compatibility. Seems like 1980's is backward.

      --
      The shepherds did so well protecting the flock that the sheep no longer believed that wolves existed.
    76. Re:Whoa. by Ol+Olsoc · · Score: 1

      I had no idea that it was almost impossible, in any rate incredibly and prohibitively expensive for a phone company to tell who is making a call. Go figure.

      Sounds like they lose a lot of money on each call.

      --
      The shepherds did so well protecting the flock that the sheep no longer believed that wolves existed.
    77. Re: Whoa. by Anonymous Coward · · Score: 0

      The reason we haven't solved the spam problem is this: All the progress made at the state level (such as in Virginia) was erased by the spam-enabling Public Law 108-187, known as the [You] Can Spam Act of 2003. Sponsored by Senators Conrad Burns and Ron Wyden, it was essentially bought by the email marketing industry. I'm not sure why the sponsors were not investigated for this. It was beyond obvious, simply because it preempted state laws that were actually working to stop spam and made it ridiculously easy to spam the crap out of the entire country. Now you know why spam has been such a huge problem. Thanks, Senators Burns and Wyden! Way to go!

    78. Re: Whoa. by im_thatoneguy · · Score: 1

      What needs to happen is phone companies need to start policing who they are willing to connect to. If you are AT&T and 90% of your spam calls are coming from XYZTelco's switches then you tell them that they have 30 days to eliminate spam or they will no longer be connected. XYZTelco isn't actually responsible but they will look at the list and tell the switches they connect to "You have 30 days or we'll disconnect you." Rinse and repeat and I guarantee you that the 2nd and 3rd level providers will find a way to ensure their services aren't used for spam real quick when they risk their entire existence being cut-off from access to US major telecoms like AT&T and Verizon.

      Our phone system is at a fundamental risk of collapse in the next 12 months. If Spam isn't stopped people are going to kill their phone lines entirely. 90% of calls to our office now are spam.

    79. Re:Whoa. by redeye-mcgee · · Score: 1

      I have a client that provides onsite nursing services. They accept incoming calls to a single number that I do not own. Their calls are rerouted to my service. Depending on the time of the day, day of the week, holidays or other factors determines who the call is routed to. I accept the caller id from the carrier that came with originating call and forward the call to the on-call person along with the originating caller id instead of my service's caller id. I do not own the recipient number either.

      The nursing service does not have a brick-and-mortar office nor do they ever expect to have one. Their services have been well received and they expect within the next few years to expand to over 1,000 nurses, no fly-by-night service.

      I am currently working on expanding the service to accept calls to/from landlines, cell, SIP and WebRTC. The initial integration is complete I just need to work out some issues on some edge cases.

      I have other clients that do not own their called number, I do, though these are the exception. Not because people want another number but because when a person or business orders an internet connection they are forced to get a phone line too. They just have all calls forwarded to me.

      And I have clients that I own the cell phones that receive the call, so I own that number as well.

      Another business model I provide is for a client that runs a sales campaign. They will place an advertisement in two or three different media each with a different number. The numbers are routed to me and I forward them to the client. This process provides the client with immediate feedback on their sales campaign, not just which number gets called the most but which number has the most sales closed.

      In this instance I do not own the originating number, the called number nor the destination number. Again, when the call is received I forward the call to the client along with the caller id of the originating caller. To be specific there is the originating call, the client's sales campaign number, my inbound number, my outbound line and the destination number, five numbers total.

      There are other services I provide, you were asking for a specific instance of a legitimate business that spoofed the caller id even if the business did not own the originating or destination numbers.

      Historically we have viewed a phone number as an identification for the device we received the call on. The reality is a phone number is a program we run on a remote computer to route a call from me to a desired destination.

    80. Re:Whoa. by Tony+Isaac · · Score: 1

      Or better yet, don't answer calls from businesses. If it's important, they can leave you a message. They usually won't. If they leave a message with a number to call, disregard the number and call the published number.

    81. Re: Whoa. by Sique · · Score: 1

      Caller ID was for informational and convenience purposes anyway. It is not necessary for the inner workings of the PSTN. Thus there is not much more security built in than in the sender address on a letter envelope.

      911 service calls, where the exact location of the caller is important, don't leave the provider network, and they get the native trunk number (and thus via the provider database the address of the calling site) directly without any caller ID magic. It is thus important for a phone switch with several PSTN trunks and locations to route the 911 calls to the right trunk depending on the location of the calling station.

      --
      .sig: Sique *sigh*
    82. Re:Whoa. by Anonymous Coward · · Score: 0

      I told my mom to ask one simple question, what colour is my car. If they have all the information that is easy to answer and do not invade any personal info.

      Your car is white, please send me your PIN.

    83. Re: Whoa. by Highdude702 · · Score: 1

      How does the hopping of the long distance swatting shit work? I know fuck all about the POTS systems outside of the building.

    84. Re:Whoa. by Anonymous Coward · · Score: 0

      "Stupid analogy. Spam is a problem worldwide. There is no obvious solution."

      Sure there is - put the power of the military to figuring out who the spammers and scammers are and have the military kill them. Problem solved.

  3. Kill the DID! by Anonymous Coward · · Score: 0

    Incredible that phone numbers still exist. Eventually, phones will just be replaced by apps.

  4. Joke's on them by Anonymous Coward · · Score: 0

    I never answer the phone. Email, text, or voicemail. Those are your only options brah.

  5. Haughey is a dumb-ass. by fahrbot-bot · · Score: 4, Insightful

    So "alarm bells" went off in his head four times and he kept giving out his information? He should have said he would call his bank branch directly or the 800 number listed on the back of his card and hung up.

    The "bank" called him, at his phone number, so he doesn't need to confirm anything - the bank needs to confirm themselves. Both of my banks say they will never ask for personal information if they contact me, not only for my safety but because -- spoiler alert -- they already have my information. (I, however, need to provide my information if I call them to prove that I am me.) In addition, why would they ask him to confirm information that won't be changed?

    Haughey banks at a small Portland credit union, and last week he got a call on his mobile phone from an 800-number that matched the number his credit union uses.

    Caller ID can be spoofed. Never trust it.

    "People I've talked to about this say there's no way they'd fall for that, but when someone from a trustworthy number calls, says they're from your small town bank, and sounds incredibly professional, you'd fall for it, too," Haughey said.

    No. Just no.

    --
    It must have been something you assimilated. . . .
    1. Re:Haughey is a dumb-ass. by MachineShedFred · · Score: 3, Informative

      More than that, when they asked for his PIN, twice, he should have hung up then and there. Banks never have, and never will ask for your PIN. It is always set either by yourself at a bank branch keying it into a terminal, or when you activate the card by dialing the number on the card sent to you at the time of activation.

      The other stuff is semi-legit if you include all practices that banks have used since the beginning of time, but many of them are not in use anymore. Example: mother's maiden name is easily gained information in the age of The Book of Faces.

      --
      Slashdot still doesn't support Unicode after it was added to the HTML standard in 1997.
    2. Re:Haughey is a dumb-ass. by Todd+Knarr · · Score: 1

      Pretty much this. I have a simple policy: it doesn't matter whether I believe the call is legitimate or not, I do not give out information or try to resolve a problem when it's the other party calling me. I note who it is and what they claim the problem is, then I call the contact number from my own records for that person/company (from my address book, the credit card itself, the last bill, their Web site from my bookmarks, etc.) and ask to be connected to the correct department for the problem. Now I know I'm talking to the right people and not a scammer. This usually takes all of a minute or two, and saves me from ever falling for even the most convincing scams.

      If you're truly interested in tracking down the source of calls, see about a toll-free incoming line handled by software like Asterisk and get your caller's identity from the billing information rather than CID. That's too expensive for me, though.

    3. Re: Haughey is a dumb-ass. by Cmdln+Daco · · Score: 1

      If, as they claimed, they asked for his PIN so it could remain the same on the new card... why wouldn't they already have it on file?

    4. Re: Haughey is a dumb-ass. by olsmeister · · Score: 5, Insightful

      There is just so much about the story that doesn't make sense in hindsight, but the advantage that the scammers have is that they've called you, given you some alarming news, and are offering to fix it for you. People probably are so upset hearing that their card is being improperly used that they aren't slowing down to think about what is being asked of them.
      The news needs to be spread far and wide that you always just thank them for the information and inform them you'll be calling their fraud line.

    5. Re: Haughey is a dumb-ass. by oneunixguy · · Score: 1

      Apparently in 30 years he's learned nothing. If he's being paid for his cyber security experience he ought to be fired. A simple call and he gave it all. As others have said and as I do, if someone calls me and wants me to verify any information, I ask for their name and employee number and call back to a well publicized phone number for that office or company. AND I didn't need 30 years of cyber security expertise to figure it out.

    6. Re: Haughey is a dumb-ass. by Anonymous Coward · · Score: 0

      "you'd fall for it, too,"

      No, no we wouldn't.

    7. Re: Haughey is a dumb-ass. by Ostracus · · Score: 2

      My fraud line called ME, and said "did you make these charges"? No. They denied them, and issued me a new card. No other verify needed.

      --
      Shai Schticks:"You don't make peace with friends, you make peace with enemies"
    8. Re: Haughey is a dumb-ass. by Anonymous Coward · · Score: 0

      My Bank called me once like this and a pre-recorded message said that I should call back ASAP at the number listed on the back of the card.

    9. Re: Haughey is a dumb-ass. by dryeo · · Score: 1

      I'd be surprised, but not too surprised, if banks had people's PINs on file. Whenever I've got a new card, the teller takes me to the ATM, explains things and then turns their back on me while I enter my (new) PIN.

      --
      https://en.wikipedia.org/wiki/Inverted_totalitarianism
    10. Re:Haughey is a dumb-ass. by superdave80 · · Score: 1

      So "alarm bells" went off in his head four times and he kept giving out his information?

      Because no alarm bells went off. He's just trying to make it sound after the fact that he isn't completely naive, I suspect.

    11. Re:Haughey is a dumb-ass. by Anonymous Coward · · Score: 0

      My bank emailed me for important information. Nothing corresponding came up in my online account, so I assumed spam and ignored it and about 5 repeat emails. Then my card was suspended, so I headed into a branch: turns out the dimwits had, in fact, sent the emails *and required a response that involved clicking on links in said emails and filling out security information*.

      I tried to explain that they were basically training people to fall for phishing scams but the idiot behind the counter was either too dim or belligerent to understand the concept. So I sorted the mess then moved to another bank.

    12. Re: Haughey is a dumb-ass. by houghi · · Score: 1

      Working with Credit Cards and never needing to see the card number, let alone the PIN number, you would be amazed how many people hand out that info without being asked.

      And I mean by email or just over the phone. "Hello, my card number is .... and my PIN is ...." Call agents are trained to interrupt people. Emails are scanned for card numbers.

      This even happens when they come from banks. And then there is the number of people who hand over card and code to somebody else. If that is found out, all risk is for the customer. (No, not even to your spouse. Get them their own card)

      --
      Don't fight for your country, if your country does not fight for you.
    13. Re: Haughey is a dumb-ass. by Megane · · Score: 1

      A few months ago, my bank sent me a new ATM card. Except it was a debit card now. Apparently the Pulse card I got back in the mid '90s (yes, I was still using a card that was over 20 years old!) was just too old of a technology to support. Back then, the PIN was set by me pressing four digit keys on this enormous typewriter-like machine (my vague recollection of that day) that embossed and encoded the card. For the new card, the number to dial for activation handled setting the PIN. I suppose that call could have been wire-tapped to get the DTMF of setting it, but it's a lot more secure than an actual human in the loop.

      --
      #naabhaprzrag, #sverubfr-000, #agi-fcbafberq, negvpyr[pynff*=' negvpyr-ary-'] { qvfcynl: abar !vzcbegnag; }
    14. Re: Haughey is a dumb-ass. by No+Longer+an+AC · · Score: 1

      It's been spread far and wide for years. The first time I received one of these calls was in the mid-90s claiming to be from the IRS. I was a little slow to realize it back then, but after they started asking me information I decided to call the IRS myself. Of course it wasn't actually the IRS.

      Even back then I had heard of these scams.

      Now it's not uncommon for me to get a call or text about suspicious activity on my credit card - about once a year. I NEVER call the number back. I call the main number and they already have my account flagged and it goes directly to their security department. So far none of them have been phishing scams.

      It's mildly annoying because now I have to wait for a new card, but not alarming. I'm actually thankful that my bank recognizes that I probably didn't spend $700 in Dubai.

    15. Re: Haughey is a dumb-ass. by nukenerd · · Score: 1

      "you'd fall for it, too,"

      No, no we wouldn't.

      This. I don't believe that even the average Joe would give out their PIN to a caller, otherwise we would hear of far more successful scams than there are. In the UK, practically every bit of correspondence from banks hammers the point that you should never give out your PIN, even to bank staff (real or fake).

  6. I can vouch for this by Applehu+Akbar · · Score: 5, Interesting

    The creepiest voice phish I ever got was the call from my little brother, exactly his voice and intonation pattern, telling us he was in jail in Mexico and needed money. The only way I knew it was a scam, besides the Mexican authorities suddenly accepting payment in Bitcoin, was knowing that he had been sick for years and unable to travel.

    1. Re:I can vouch for this by toejam13 · · Score: 4, Interesting

      With voice-mimicking software getting better and better, I imagine that these sorts of spear-phishing scams will become more prevalent, especially against the elderly.

      Scour social media for videos of identifiable individuals, find all familial elder links, train the software, and then make a call in that individual's voice using their number in the caller ID field about a phony issue that asks them to send money.

    2. Re:I can vouch for this by Applehu+Akbar · · Score: 4, Interesting

      I'm guessing that they phone-scraped voice from his job, which was buyer for a hinge manufacturing company in LA. He had to spend a lot of time on the phone.

    3. Re:I can vouch for this by Anonymous Coward · · Score: 0

      Best present troll.

      98004 / https://batleg.com/saber/

      The Rubicon of., no less understood concourses.

  7. Basic phone security by registrations_suck · · Score: 2

    Don't call me, I will call you.

    If you get a call from ANYBODY claiming whatever, hang up and call that supposed somebody at a known good number. Every time.

    1. Re:Basic phone security by Anonymous Coward · · Score: 0

      I had this happen to me. It was a phone call from Wells Fargo about 10 years ago letting me know that I had about a thousand dollars taken out of my checking account. They started asking me for information to confirm my identity. I didn't give them information. I called them back at a number on the Wells Fargo web page. It turns out it was real though. It sounded like the scammiest phone call ever. This kind of stuff was somewhat new 10 years ago so maybe they didn't have much training on how to handle situations like that. It all worked out though.

    2. Re:Basic phone security by Anonymous Coward · · Score: 1

      and get that number off your statement or from a printed telephone book, or for credit cards (or insurance), use the customer service number ON THE CARD itself... that's why it's printed on the damn card in the first place.. so you have the issuing company's legit telephone number.

      NEVER blindly (i.e. without checking via above methods) call back the number they provide, or the number on the caller id.. and never, ever, EVER EVER ask google for a customer service or support number. many of those are ads or scams that hijack search results.

  8. Caller ID? by Anonymous Coward · · Score: 1

    In his 30 years of being "a cybersecurity professional" he never learned that caller ID is trivially faked? Standard practice for dealing with something like an incoming call from a bank is to hang up and call them back at a previously established number, such as from the back of your debit card. Next to the number is probably printed something along the lines of "we'll never ask you for secrets over the phone", to help out those who aren't "cybersecurity professionals".

    1. Re:Caller ID? by Sigma+7 · · Score: 1

      There's another type of Caller ID known as Automatic Number Identification (ANI). How easy is it to fake that?

      Some parts of the telephone system need a way to provide perfect information about who called, such as with Psychic Buddy's 1-900-SUC-KERS toll lines. If that is faked (even outside real-time), then those people would lose out on money from inbound callers.

    2. Re:Caller ID? by arth1 · · Score: 2

      In his 30 years of being "a cybersecurity professional" he never learned that caller ID is trivially faked?

      Anyone using "cyber" as part of their description are fake themselves.

    3. Re:Caller ID? by Ol+Olsoc · · Score: 3, Funny

      In his 30 years of being "a cybersecurity professional" he never learned that caller ID is trivially faked?

      Anyone using "cyber" as part of their description are fake themselves.

      What about us cyber-punks, you insensitive clod?

      --
      The shepherds did so well protecting the flock that the sheep no longer believed that wolves existed.
    4. Re:Caller ID? by Anonymous Coward · · Score: 0

      He's also not learned that you never give your pin out ever to anybody, not your bank, not anybody? Who is he so we can know not to ever hire him?

    5. Re:Caller ID? by Anonymous Coward · · Score: 0

      You're fake. You aren't a real punk. You wanna walk, talk, and act like a punk but you don't want the fights, jails, and heroin addiction to go along with it. Your joke isn't funny. Take your pathetic whoosh and shove it up your twat, wanker.

    6. Re:Caller ID? by Ol+Olsoc · · Score: 1

      You're fake. You aren't a real punk. You wanna walk, talk, and act like a punk but you don't want the fights, jails, and heroin addiction to go along with it. Your joke isn't funny. Take your pathetic whoosh and shove it up your twat, wanker.

      U mad bro?

      --
      The shepherds did so well protecting the flock that the sheep no longer believed that wolves existed.
  9. If they call my cell phone... by WoodstockJeff · · Score: 1

    ... it's a guaranteed scam. NOTHING legitimate has my cell phone number.

    1. Re:If they call my cell phone... by msauve · · Score: 1

      You must be an old fart like me, who still has a landline number. Most of the young 'uns have nothing but a cell phone number.

      --
      "National Security is the chief cause of national insecurity." - Celine's First Law
    2. Re:If they call my cell phone... by arth1 · · Score: 1

      I had a cell phone number back in the 90s, but I have cut the wireless. Now I am corded only.
      This was a great liberation. I can no longer be reached at any time, anywhere. No texts, send me an e-mail, to be read at my convenience, not yours. I have a phone that still works through power outages (because power to the landline system is supplied through the phone wires), including DSL still working through power outages. This saved me when we had a ten day power outage here, and all cell phone towers were down. Neighbours came over to make phone calls, and asked whether they could send some e-mails through my WiFi, because their cable and fibre connections were down, down, deeper than down.

    3. Re:If they call my cell phone... by Fly+Swatter · · Score: 2

      Your situation will be good until the old copper develops an intermittent issue somewhere off your property that they won't fix because 'copper is deprecated, so we will convert your line to fiber at no cost to you'.

    4. Re:If they call my cell phone... by Anonymous Coward · · Score: 1

      What power source were you using for your router?

    5. Re:If they call my cell phone... by superdave80 · · Score: 1

      This is one of the main reasons I still have a landline. All companies that I do business with have the landline number, and I never give out my cell for any reason. They call my landline during the day (while I'm not there), I listen to whatever voicemails they leave, and I don't worry about getting constantly bugged on my cell all day.

    6. Re:If they call my cell phone... by mhail · · Score: 1

      What power source were you using for your router?

      Shhh don't ask questions, just go with the fantasy.

    7. Re: If they call my cell phone... by Anonymous Coward · · Score: 0

      My bank has it. Got a call from them on a Sunday saying that he called from London. I live in Belgium and knew their call center was in Barcelona. Was clearly an Indian guy speaking.

      So I hung up. Called my bank on Monday. It was all legit. Their fraud prevention was in London and they had called. Also the person never asked any details.

    8. Re:If they call my cell phone... by Anonymous Coward · · Score: 0

      Don't know about him, but I have a few spare car batteries and an inverter I used the last time we lost power for about a week. When a battery started getting low I'd just hook it up to the car and recharge it. Couldn't use a generator, as they kind of frown on those things in an apartment.

    9. Re:If they call my cell phone... by nukenerd · · Score: 1

      He said that neighbours asked to send emails, not that they got to send them. I also have a landline phone that will work through power cuts.

    10. Re:If they call my cell phone... by arth1 · · Score: 1

      What power source were you using for your router?

      I have multiple 1500VA UPSes, as well as a gasoline generator for longer outages. That didn't do much good for the cable internet being down, but because I also have bridged DSL over copper, I still had internet.

      And the phone service doesn't even require that. If you have an old laptop with a built-in modem (or a modem that doesn't require external power) you can still do dial-up in worst case, to let people know you're still alive.

  10. If I don't know the number by Anonymous Coward · · Score: 0

    I don't answer.

    If they leave a VM I delete it and don't even listen to it.

    1. Re:If I don't know the number by nukenerd · · Score: 1

      What exactly are you afraid of? Of breaking down into a gibbering wreck and blurting out all your passwords and PIN numbers?

  11. Re:Dont speak to Indians by PopeRatzo · · Score: 1

    It's quite simple, if they are Indian then hang up.

    That's racist. You're telling us you wouldn't take a call from Sitting Bull?

    --
    You are welcome on my lawn.
  12. Only apps can app apps! by Anonymous Coward · · Score: 0

    Apps that app other apps are appier than LUDDITE telephones!

    Apps!

  13. This just means they're running out of obvious by rsilvergun · · Score: 1

    marks and are forced to move away from the Nigerian prince method (so ridiculous only someone who's not all there in the head would fall for it) and into trying to scam people who have some of their senses left.

    --
    Hi! I make Firefox Plug-ins. Check 'em out @ https://addons.mozilla.org/en-US/firefox/addon/youtube-mp3-podcaster/
  14. Duh by Anonymous Coward · · Score: 0

    I thought everyone knew to call the known 800 number back in situations like that. A cyber security professional? Come on. I'm in INFOSEC and I would be embarrassed to admit such a thing to Krebs.

  15. Security professionals become easy targets by thogard · · Score: 1

    As people age they stop remembering details of scams but seem to remember they are smarter than the scammers so they can't be scammed. The result is they get taken. People who worked in security along with retired police and criminal lawyers are easier to scam after they retire than the average person.

    1. Re:Security professionals become easy targets by nukenerd · · Score: 1

      Citation?

  16. If you are stupid enough to pick up by Anonymous Coward · · Score: 0

    You deserve it.

  17. Rule Number F-cking One by Beeftopia · · Score: 1

    Rule Number F-cking One: Never give out information to anyone who contacts you first.

    It's just that simple. You find the number or confirm the number they left is legit, and you initiate the contact.

    CSB: Once I was being legitimately audited by the IRS, and the IRS employee/contractor calls me and asks for my SSN. I was 99% sure it was the IRS, and the person threatened me with escalation, and I know you don't eff with the IRS. But I did not give out my SSN because it violated Rule Number F--king One. Ultimately it worked out, I'd done nothing wrong, they dropped my case. But wow.

    1. Re:Rule Number F-cking One by anegg · · Score: 1

      My wife and I have had some interesting stand-offs like this. Legitimate caller stupidly asks for us to verify who WE are by providing our personal information to them. We refuse to provide the information, because they haven't verified who THEY are. Hilarity ensues.

    2. Re:Rule Number F-cking One by dryeo · · Score: 1

      There's been a lot of scams up here where the scammers pretend to be from the CRA (Canada Revenue), demanding payment now to avoid arrest. Some people don't even catch on when they demand payment in iTunes cards.

      --
      https://en.wikipedia.org/wiki/Inverted_totalitarianism
    3. Re:Rule Number F-cking One by Anonymous Coward · · Score: 0

      Scammers get around that by making you call them, e.g. with those fake "Windows detected a problem with your computer, call support here" messages you get in shady ads.

      Yea those are dodgy as fuck but a lot of people don't know any better.

    4. Re:Rule Number F-cking One by Anonymous Coward · · Score: 0

      There's a great video on Youtube about this from the guy who does the Electroboom videos.

  18. Re:Dont speak to Indians by arth1 · · Score: 1

    That's racist. You're telling us you wouldn't take a call from Sitting Bull?

    He died in 1890, still waiting for a dialtone. He actually had a candlestick phone, but it had not yet been connected.

  19. Easy Fix by nehumanuscrede · · Score: 4, Insightful

    Start holding the Telecoms responsible for failing to fix the ability to spoof Caller ID.

    They start footing the bills for fraudulent shit like this they'll have that shit fixed in no time.

    1. Re:Easy Fix by Anonymous Coward · · Score: 0

      Start holding the Telecoms responsible for failing to fix the ability to spoof Caller ID.

      They start footing the bills for fraudulent shit like this they'll have that shit fixed in no time.

      This makes sense to me, but unfortunately with the current government, I find it extremely unlikely they are going to do jack shit to protect the little guy from the irresponsible big guy. If you don't much like that for the status quo, then, well voting is the solution, well that or running yourself. Obama created the consumer financial protection agency, while Trump's gutting it. Fixing this ain't that hard, but if you're waiting for corporations to suddenly care, well don't hold your breath.

      Why should use have less confidence in caller id than an address bar in a browser?

      Beyond that, you just have to assume that almost any call you didn't expect is illegitimate and at best call a known number for who they are pretending to be.

    2. Re:Easy Fix by Anonymous Coward · · Score: 1

      Sue. I believe the tort is called Contributory Negligence. Or perhaps it is Reckless. Perhaps both.

    3. Re:Easy Fix by Anonymous Coward · · Score: 0

      Start holding the Telecoms responsible for failing to fix the ability to spoof Caller ID.

      They start footing the bills for fraudulent shit like this they'll have that shit fixed in no time.

      Sure, by removing the Caller ID function completely, all calls will be from "Unknown Number" from now on.

      How would you like that?

  20. Honestly, it doesn't matter by Anonymous Coward · · Score: 0

    People need to get more savvy. You don't accept phishing from real human beings, let alone technology. Education, education, education.

  21. Amazingly by Anonymous Coward · · Score: 0

    This is 90s security advice. And it's still good advice. Better than just about everything the "security" s'kiddies manage to offer. It's not difficult at all, you just have to do it.

  22. Red Flags, All Over The Place!! by Anonymous Coward · · Score: 0

    That's what that call was. Oh, BTW, when a bank (or credit-whatever) issues a new card, they ALWAYS give out a new PIN!!

    1. Re:Red Flags, All Over The Place!! by dryeo · · Score: 1

      That's what that call was. Oh, BTW, when a bank (or credit-whatever) issues a new card, they ALWAYS give out a new PIN!!

      My credit union walks me to an ATM, tells me to enter a pin and turns their back while I do it.

      --
      https://en.wikipedia.org/wiki/Inverted_totalitarianism
  23. Re:Dont speak to Indians by dissy · · Score: 1

    You're telling us you wouldn't take a call from Sitting Bull?

    I dunno, is he calling to confirm my address and ask for my PIN?

  24. Mod parent up by Anonymous Coward · · Score: 0

    Is voice scam

  25. Re:Dont speak to Indians by PopeRatzo · · Score: 0

    He died in 1890,

    That's just what he wants you to believe. He's lying in the tall grass, waiting to strike, and cashing them casino checks.

    --
    You are welcome on my lawn.
  26. moron by Anonymous Coward · · Score: 0

    What moron gives out their PIN? idiot

  27. Researcher? by senileoldfart · · Score: 1

    Wow! Some security researcher we have here. Might I recommend a book? 'Lying on the Couch' by Irving D. Yalom

  28. Never tell anybody anything by petes_PoV · · Score: 2

    sounds incredibly professional, you'd fall for it, too," Haughey said.

    Errr, no.

    The first principle of phone banking is to never give out personal information to anyone who calls you. Never.
    If you feel there is an issue that does need information to be passed, hang up and phone them on the public number. Just make sure you have actually hung up, there is a long-standing scam where the thieves actually recommend you call the bank, yourself. They then make the sound of hanging up but stay on the line. When you dial the bank's number, you are still actually talking to the scammers.

    --
    politicians are like babies' nappies: they should both be changed regularly and for the same reasons
    1. Re:Never tell anybody anything by Tony+Isaac · · Score: 1

      Or, if the caller isn't a friend or family member, let it go to voice mail, always. If it's a business, and it's important, they can leave a message. Usually, the phishers won't. If they do, call back on the published number, not the number they leave.

  29. don't give out private info to a cold call! by roc97007 · · Score: 2

    Don't EVER give out private information to a cold call. Never, for any reason. If there's a problem, and it's urgent, tell them you'll call them back on a known number. (Not a number they provide./duh) Legitimate callers will agree to this. Non-legitimate callers will try to steer you to a different number or insist that you must take care of this now, on this call. Don't fall for it.

    Let me repeat this for the cognitively impaired: If they call YOU, do NOT give out private information. If you call THEM on a legitimate number, it's a different story.

    Let's be safe out there.

    --
    Oliver's law of assumed responsibility: If you're seen fixing it, you will be blamed for breaking it.
  30. Falling for it? No way! by war4peace · · Score: 1

    "you'd fall for it, too"

    No, I wouldn't. I might not be very knowledgeable in how banks work, but I know one thing for sure: personal card info is personal. Nobody from the bank will ever ask you for your PIN number or the three digits on the back of your card. Nobody, ever. If they ever do, change the bank because they are not handling your personal data professionally.

    I don't know how things are in the USA, but in my country all banks allow you to change your PIN at the card issuer's ATMs, the card is mailed to you in a special envelope which makes it impossible to read the PIN number without compromising the envelope's integrity and you need to activate the card at a bank's ATM before being able to make any purchase. I have never heard of a phone purchase which requires you to give out your PIN or CCV to a human being. They might be a thing in other countries, though. If my bank calls me unexpectedly (only happened twice), they verify my identity through my equivalent of a SSN (here it's called Numeric Personal Code) where they ask me for half of it, then ask me for my first 4 and last 4 digits of my card. Never the whole number. If I express distrust, they tell me I can call them back or e-mail them at the phone number or contact e-mail provided on their main page, with instructions on how to reach that person afterwards (usually it's the department and the person's name), e.g. "I received a call from Jane Doe, private credit cards department".

    With that being said, the phone scams here are simpler but very effective. You usually receive a call from an exotic phone number (Mauritius, Vanuatu, Gibraltar, etc). The phone rings once, maybe twice then stops. Most people are curious enough to call back... reaching a special line which costs 10 to 50 dollars per minute, where automated messages play back to you in your national language, telling you about issues with your bank account, guiding you through entering your card number, PIN, etc, all while sucking lots of money through your phone bill anyway. Now, if you actually answer the call, a prerecorded voice is going to tell you that there are issues with your account and instructing you to call back ASAP. Then the call ends. This costs them pennies because they rent entire trunks for cheap. One person calling back for a couple minutes covers a few thousand calls' worth from their side.
    I would have fallen for it at first because the nature of my job involves receiving the odd call from a weird country every now and then. Luckily, I don't call back unknown numbers because I'm busy anyway and if there's an emergency I know they will call again and again. Anyway, I developed a habit of quickly answering those calls and letting them play through. Lately, I only receive one a week, or less. I guess they will eventually stop because they would realize they are wasting their pennies on me.

    --
    ...gis sdrawkcab (usually not responding to ACs; don't bother posting as AC)
    1. Re:Falling for it? No way! by Anonymous Coward · · Score: 0

      I'm in the UK.
      Giving up the CCV in an over the phone payment is quite a regular thing.
      The security here comes from the trust you have in the vendor you called not to reuse that information.
      Just like you trust the bank not to have an IT breach and expose your data.

      It's not perfect by any means.
      I've had my bank ring me on a potential fraud call and ask me to verify information.
      I told them to identify themselves first and they gave me info but not secret enough so I told them to go fish and rang them back.

      There should be an assumption that if they have called your registered number there is a good chance they have got the right person and they should be forking over information not the other way round.
      If we need to go this route it's high time the banks recorded some sort of verification that we come up with. Not mother's maiden name (is this relevant and not sexist these days? and won't somebody think of the orphans) etc crap, but where we give them some random information that only we know for them to verify with.
      Unfortunately people are stupid and generic and this is why we have crappy fixed questions for security and not free form.

    2. Re:Falling for it? No way! by Anonymous Coward · · Score: 0

      "Most people are curious enough to call back..."

      Based on what evidence? Oh - wait - NONE. You made it up.

    3. Re:Falling for it? No way! by war4peace · · Score: 1

      Based on what evidence?

      Mine. And my mobile provider's. As previously mentioned, different countries, different cultures. Here, mobile subscriptions are really cheap, one of mine costs 5 EUR a month and you have free unlimited voice minutes to all landlines with very few exceptions, and thousands of international minutes, etc(*). So yes, people do call back most times because it costs them nothing. If I call someone and they don't answer, they call back almost without exception. The culture here is usually: texting is for things that can wait, phone calls are for things that can't wait, so if you have a missed call, you call back. Not all people do that, of course, but most do.

      Now, when my mobile provider starts issuing warnings about this type of scam calls, you realize it's a problem and that people indeed do call back. Otherwise it wouldn't be an issue, would it?

      (*) Google Translate of the original page: https://translate.google.com/t...

      --
      ...gis sdrawkcab (usually not responding to ACs; don't bother posting as AC)
    4. Re: Falling for it? No way! by Anonymous Coward · · Score: 0

      The problem with calling a number back is that a lot of times scammers are spoofing cell phone numbers as well. So a "number" that called you might be some other person that is confused when you call them and claim to have missed their call. Just never call anyone back unless they leave a message and tell you what they want.

  31. So says Canada Bill Jones by JThaddeus · · Score: 1

    "It's immoral to let a sucker keep his money."

    --
    "Love is a familiar; Love is a devil: there is no evil angel but Love." --William Shakespeare ('Love's Labors Lost')
  32. sounds like he fell for a scam by gravewax · · Score: 1

    hmm I suspect this security professional actually fell for one of these scams.

    when someone from a trustworthy number calls, says they're from your small town bank, and sounds incredibly professional, you'd fall for it, too

    No I really wouldn't and I don't think anyone I know or where I work would either, I have been targeted with these before and know many others that have received similar types of calls and not even for a nanosecond would I fall for it. Hell when I have had legitimate calls from my bank I ask for a name/extension and tell them I will call the bank's switchboard and ask for them. It isn't rocket science, if they called you DON'T TRUST THEM WITH ANYTHING.

  33. I'd fall for it too, eh? by Anonymous Coward · · Score: 0

    This has happened to me, twice. I get a call from my legitimate bank phone number telling me they're contacting me about fraudulent charges. I tell them that's very worrying and that I'll call my bank immediately and talk to them about it. Both times the conversation went south from there. First time they just hung up on me, second time they told me it wasn't necessary because I was already speaking with them, they'd developed a tactic by that point I think. I ended up hanging up the second time. Both times when I called my bank there had been no strange transactions and all my purchases / balances checked out. It seems preferable to me to spend a few minutes on hold after dealing with the infuriating automated service to check this kind of thing out.

    Sure, it's easy to get scammed. Smart people seem to think they're immune yet it happens a lot to them too. I don't think I'm smart or immune, so much so that I'm maxed out paranoid about being caught out so I take it to the extreme; I have a tactic that works for now, that's all. With that said though: Haughey can damn well speak for himself.

  34. Root problem: spoofing by bradley13 · · Score: 1

    It's easy to say "I wouldn't fall for this", but some scammers are good. The ones that call you are excellent actors, and can be damned convincing. Just look at the number of elderly people who fall for the "grandkid in trouble" scams. Yes, this guy shouldn't have given out his PIN - that was one step too far.

    However, the root problem in this particular case remains spoofing. There is absolutely no excuse for spoofing numbers to still be possible, after all these decades of abuse. The phone company (or VoIP service, or whatever) knows what connection is placing the call, and the service should set the calling number accordingly. Since providers themselves are not always trustworthy, it must also be possible for the receiving company to verify the number, or at least to verify that it is legitimately under the control of the originating phone service. Sort of a DNS for phone numbers...

    --
    Enjoy life! This is not a dress rehearsal.
    1. Re:Root problem: spoofing by Anonymous Coward · · Score: 0

      No the root problem is NOT fucking spoofing, if it wasn't spoofing it would be something else. The root problem here is trust in a random caller asking for information. It is simple, if they called you trust should be ZERO and information provided ZERO, if they ask for anything you need to be asking for a name and telling them you will call them back on the published phone number for the Bank/provider or whatever. It is not hard, my 70 year old mother was able to learn it, my IT illiterate wife was able to learn it and our kids have learnt it. The root problem is stupidity.

  35. """trustworthy""" number by Megane · · Score: 1

    but when someone from a trustworthy number calls

    Caller ID is not "trustworthy", and any number you get via that is by extension not trustworthy. Anyone who hasn't learned that just from all the "same exchange" spoofing (all but last four numbers same as yours) these days is a fool.

    --
    #naabhaprzrag, #sverubfr-000, #agi-fcbafberq, negvpyr[pynff*=' negvpyr-ary-'] { qvfcynl: abar !vzcbegnag; }
  36. Banks need a well-known, simple verification page by Anonymous Coward · · Score: 0

    Whenever your bank calls, you should be able to simply go to something like mybank.com/trust , which should display two numbers: one for you to read, and the other for the person calling to read. If they can't provide the second number, it is a scam.

    It would be incredibly simple to implement, and yet I am unaware of ANY bank which does this.
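The two-number page proposed in comment 36 above, sketched as an added example; it is not part of the original thread and not any bank's real system. `TrustPage`, its method names, the 6-digit codes, the 120-second lifetime and the three-guess limit are all assumptions made for illustration.

```python
import hashlib
import hmac
import secrets
import time

CODE_TTL_SECONDS = 120   # assumed lifetime of a code pair
MAX_WRONG_GUESSES = 3    # assumed limit before the session is burned


def _code(key: bytes, role: bytes) -> str:
    """Derive the 6-digit code for one side of the call from the session key."""
    digest = hmac.new(key, b"trust-page-v1|" + role, hashlib.sha256).digest()
    return f"{int.from_bytes(digest[:4], 'big') % 1_000_000:06d}"


class TrustPage:
    """Bank-side state behind a hypothetical mybank.com/trust page."""

    def __init__(self, clock=time.time):
        self._clock = clock
        self._sessions = {}  # customer_id -> {"key", "started", "wrong"}

    def start_outbound_call(self, customer_id: str) -> str:
        """Run by the bank's dialer. Returns the code the agent reads out."""
        key = secrets.token_bytes(32)  # fresh random key per call
        self._sessions[customer_id] = {
            "key": key, "started": self._clock(), "wrong": 0}
        return _code(key, b"agent")

    def _live_session(self, customer_id: str):
        session = self._sessions.get(customer_id)
        if session is None:
            return None
        if self._clock() - session["started"] > CODE_TTL_SECONDS:
            del self._sessions[customer_id]  # expired: forget it
            return None
        return session

    def page_for_customer(self, customer_id: str):
        """What the logged-in customer sees. None means the bank has no
        call in progress to this customer, so whoever is on the line is
        not the bank, whatever caller ID says."""
        session = self._live_session(customer_id)
        if session is None:
            return None
        return {"caller_reads": _code(session["key"], b"agent"),
                "you_read": _code(session["key"], b"customer")}

    def check_customer_code(self, customer_id: str, spoken: str) -> bool:
        """Agent console check of the number the customer read out."""
        session = self._live_session(customer_id)
        if session is None:
            return False
        expected = _code(session["key"], b"customer")
        if hmac.compare_digest(expected.encode(), spoken.encode()):
            del self._sessions[customer_id]  # single use
            return True
        session["wrong"] += 1
        if session["wrong"] >= MAX_WRONG_GUESSES:
            del self._sessions[customer_id]  # stop guessing over the phone
        return False


if __name__ == "__main__":
    page = TrustPage()
    print("no call in progress:", page.page_for_customer("cust-1"))
    agent_code = page.start_outbound_call("cust-1")
    shown = page.page_for_customer("cust-1")
    print("agent reads", agent_code, "page expects", shown["caller_reads"])
    print("customer verified:",
          page.check_customer_code("cust-1", shown["you_read"]))
```

The check only helps if the customer reaches the page through their normal login at an address they typed themselves, and hears the caller's number before reading out their own.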

  37. Ask for a call back number by Anonymous Coward · · Score: 0

    Even when my bank or credit card company calls, I would simply call them back at a known number to verify it's really them. It's so easy to input any number into caller ID these days. But I do know of a few people who take everything at face value and don't question anything. They are taken advantage of because they fail to question obvious red flags.

  38. Verification. by ledow · · Score: 1

    Sorry, but if you want something from me, do it in writing. It's that simple.

    If I want something from you, you demand I call your main number and agree/sign things. You have to do the same. Except I have to verify myself to you when I call, so when you call me I expect you to verify yourself to me.

    Any automated or inbound call that doesn't give me information I demand ("Okay, can you tell me my last transaction and my account number please?") doesn't get anything from me. Yes, I've actually asked my bank for that. Guess what... they tell me that they can't tell me. Cool, then I can't deal with you. Because if the tables were reversed I'd expect you to not deal with a customer phoning up claiming to be me who also refused to give you the required information.

    So now if it's important, you'll send me something on paper. It's really quite easy. Or you'll put a "secure message" inside my online banking account. And I'll go there myself to check (not just click and take your word for it that it'll take me there - same way I don't just follow the guy to the bank when he knocks on my door claiming to be from my bank needing money from me).

    Security and verification work both ways. And anything legally-binding will end up on paper, especially if I say - on the call - "Sorry, I don't think you're my bank... could you prove it to me? No? Then I'm afraid I won't deal with you and I suggest you contact me in some more official way that I can verify you". Imagine that recording before a court of law, when the bank say "Oh, but we phoned him to tell him about the outstanding amount".

    Sorry, but I don't even conduct such business via phone or email for any of my personal accounts. I don't even have bills dropping on my doorstep. I get literally zero post apart from junk mail (which I can't stop as it's just random minimum-wage people paid to put crap through every door on the street).

    As such, an official letter stands out, but I still don't trust it and will verify. But all my "official" communique are sitting inside secured accounts that only those companies can ever post a message inside. Any email, phone call, text or even letter outside those bounds can only ever really say "Please check your account". That's it. Anything else is suspicious.

  39. It's always a scammy indian chimp by Anonymous Coward · · Score: 0

    Its always an indian chimp scammer chimpy indian scammer chimpy indian scammer of chimpy chimpy chimps indian chimps indian chimps indian chimps scammers.

  40. DMMF by epine · · Score: 1

    In a correctly designed phone system, it shouldn't be possible to generate DTMF tones on a call you didn't originate yourself without first spelling "DMMF" by a sequence of Morse-code hook flashes.

    DMMF = dox me, motherfuckers.

    Your address book should have little padlocks beside "verified" numbers, where the name of the organization and the number are known by the smart phone mafia to correspond.

    It really ought to be required to originate the call from a verified address book entry in order to access inline DTMF tone generation (in your address book entry—when you enable DTMF tone generation—you would be able to click "I know the risks", and barge through all the shrunken human heads on pointy pikes, just like with broken SSL certificate overrides).

    1. Re:DMMF by epine · · Score: 1

      Hmmm, I was feeling bold today, and didn't click preview, having forgotten that I had used any markup at all.

      Very exciting.

  41. Telco could cut down on caller id fraud by klubar · · Score: 1

    The telcos know the originating company. If it's a company that agrees to not allow spoofed caller id your carrier could pass along the caller id, if not your carrier could set the caller ID to LIKELY FRAUD CALL. If not preventing spoofing, it would certainly discourage it and put the recipient on alert for a likely fraud.

    The problem is that the telco have almost no incentive to cut down on fraud calls. They get paid the same for a fraud call as a legit one, so why not carry them all?

  42. This One Weird Trick Defeats ALL Scam Calls by Anonymous Coward · · Score: 0

    Scammers don't want you to know about this one weird trick that defeats their efforts every single time. This works for any kind of scam call: cell phone phishing, bank phishing, and even those annoying scammy sales calls that everyone hates.

    Click to the next page to learn about how badly scammers try to prevent you learning how to defeat their scams.

    Scammers depend on their targets being uninformed. You and other Kansas residents qualify to learn how to beat them at their own game, every time. They've been fighting our proven program for years, but there's nothing they can do to stop you once you've learned the trick to beating them.

    Click to the next page for details about how it works. You don't want to miss it!

    Everyone with a cell phone is already equipped with everything they need to beat scammers at their own game. Our easy method is a snap to learn and takes just seconds to respond to a scam call. Whenever a scammer calls, it takes just a single tap on your phone to beat them, and then the magic happens!

    Click to the next page to see the magic of our proven method. You're almost a scam-beating warrior!

    You're almost there! Enter your email address and phone number below to download the instructions for our proven scam-beating process. Don't worry, it's safe! We promise we won't give away your information. We just need to know where to email you our step-by-step instructions.

    ***

    Congratulations! You've made it! Now you can beat scammers at their own game every time you call. Click _here_ to enter some final information and download our award winning program for a small one-time fee of just $9.99! No, that's not per month. It's just ONE TIME!

    ***

    Beat scammers in just a few easy steps;

    1) Whenever someone calls claiming to be from XYZ company, hang up the phone *immediately* after they say the name of the company. It is super important to hang up right after they say the name! Be sure you don't miss the timing!

    2) Look up the number for company XYZ - use the company's official website or google maps entry, or if you have an account with the company, get the number from your statement or back of your card.

    3) Call the direct number to the company to speak with their customer service, and ask why they were calling. But, make sure you do this within 5 minutes of the scam call! Again, you have to get the timing for this weird trick to work!

    Good luck!

    1. Re:This One Weird Trick Defeats ALL Scam Calls by Anonymous Coward · · Score: 0

      You'd be shocked to know just how much I get paid for designing and implementing psychological ad campaigns. Once you learn how to exploit peoples' innate insecurities and desire for power at the same time, it's like shooting phish in a barrel. These ad campaigns work so well that my clients are happy to pay $50K for a single campaign that takes about a week to design. I do maybe 5 or 6 of them a year and spend the rest of my time goofing off. It's great.

  43. No, I wouldn't fall for it by Anonymous Coward · · Score: 0

    I wouldn't fall for it for several reasons:
    1. When someone legitimate wants to confirm your address, they have you say your address. They do NOT read your address to you.
    2. Banks don't care about or need your CVC code from your card. They simply will not ask for this, EVER.
    3. You need to activate your new card and set your PIN at that time. You can choose the same PIN or a new one, but you have to set it.
    4. Banks will never ask for your PIN. They simply do not need it, and it's a security violation to request it.

    There are other things that I can and would do beyond these things. These are just the flags that tell you it's a scam. It's like being asked for a password for your email or anything else: No one legitimate will ask for it.

  44. The hard to do solution by rickb928 · · Score: 1

    Ok, so the request for his PIN number didn't set off the alarms.

    Really, this is an example of where you make the caller provide some information, then if it seems wrong hang up and call in to the number you know.

    I'm getting 5-15 calls a month from the 'credit card reconciliation center' or some such BS. I haven't listened past them asking me for my name, which if they are my bank or card company they should already know.

    --
    deleting the extra space after periods so i can stay relevant, yeah.
  45. uh, no by cascadingstylesheet · · Score: 1

    Long story short, two fraudulent charges were made on his account totaling $3,400. "People I've talked to about this say there's no way they'd fall for that, but when someone from a trustworthy number calls, says they're from your small town bank, and sounds incredibly professional, you'd fall for it, too," Haughey said.

    Uh, no, really, I wouldn't. If they call me, I give them nothing. I have to call them, on their regular public phone numbers.

  46. Always call them back by Anonymous Coward · · Score: 0

    Whenever some company you do business with calls you, hang up and call them back using their phone number on your credit card or billing statement. Otherwise you have no idea who you are actually talking with. They have ways to authenticate you when you call them by asking you personal questions. But you do not have any other way to authenticate them unless you initiate the call.

  47. How a real fraud alert works by AnalogDiehard · · Score: 1

    I have gotten legitimate fraud alerts in the past for overseas purchases. They were robocalls requesting me to call back to an automated system that described the date and amount of transaction to the T, then asked to authorize or reject them. No request for address, no request for security code or PIN.

    Nothing clever about this voice phishing. The victim forgot the telltale signs of a scam and ignored the bells going off in his head. Scammers are good at psychological skills and they rush the conversation so that you don't have a chance to stop to think. The biggest red flags were that this was an unsolicited call, the caller was requesting address as well as card info, and banks do not "hold the card open" in the event of confirmed stolen card info. Any legitimate bank employee calling you would have the complete info right in front of them and would not ask for that. I stopped giving out any info when I receive an unsolicited phone call.

    It is easy to get the last four digits of your cards, they are printed on your statements. Scammers can find your address online, open your statements from your mailbox to copy your bank and card info, then use adhesive to seal the envelope leaving you none the wiser. Or they can scan your computer incognito for statements on PDF or other format. My important mail no longer goes to my mailbox, it goes to a PO Box which is much more secure.

    If I got a call like that, I would hang up and go straight to the bank in person. If the bank has no record like the fraud claimed from the caller, I would report a stolen card.

    --
    Eternity: will that be smoking, or non-smoking? I Corinthians 6:9-10
  48. How to avoid phone scams by Anonymous Coward · · Score: 0

    Never give personal or credit card information over the phone ever.

  49. Already is, Truth in Calling Act. Scamming too by raymorris · · Score: 1

    Scamming people is illegal.
    Caller ID spoofing of this type is illegal under the Truth in Calling Act.

    Unfortunately the criminals don't follow the law. That's a concept some people forget often.

  50. It's like people forget the head of the animal by holophrastic · · Score: 1

    This is a great story of stupidity. You've "given out that information before" so you can give it out again?! "Before", you gave it to someone you trusted/called/engaged. This time, they engaged you.

    Isn't that already enough to tell you to walk away?

    How about the ol' if-it-aint-broke-don't-fix-it? Your card didn't stop working for you. Stop trying to solve a problem that you haven't experienced. Either go to the gas station and try your card for yourself, or use your other card (that's why you should have one) in California.

    So some chickiepoo called you with a sweet voice, out of the blue, used normal words (not death threats), and you gave her how many pieces of confidential information? Six?

    Forget the "clues". There's never any time to speak any PIN aloud -- just like you never sign your signature just for fun.

    And why don't people know that caller-id isn't secure at all? It's actually designed to be spoofable, as a form of free-speech, and protected as such.

    Six levels of stupid. Hopefully he got to pay the three grand as a lesson.

  51. "you'd fall for it, too" by Anonymous Coward · · Score: 0

    No. I would not. I tell them that I am calling the number on my card, and that I need an ID number to get back in touch if I need to talk to this specific individual. Occasionally, it's legit. Most of the time, they immediately hang up and go dark. A few become belligerent, start talking about the police or sheriff or make other legal sounding threats. I hang up on them.

  52. Bullpussy by Anonymous Coward · · Score: 0

    If I owe them fuckers one fucking penny, you can damned well be sure that they'll figure out who I am, where I am, and how to get that money. Quit making excuses for them being cheap. Fraud is profitable.

  53. He Broke The Most Important Rule by n2hightech · · Score: 1

    The most important rule to protect yourself from scammers is never provide information to anyone who calls you. If someone calls you claiming to be from your credit union or bank or credit card company and says you have a problem, do not answer any questions even if the caller ID says the right phone number. Phone numbers are routinely spoofed. Hang up and call them back on a number you have independently verified as being legitimate. When they answer, identify who you are and why you called. You can now have confidence and answer any questions they have for you. It's a real shame that the phone system allows people to spoof their number. It could have been a great benefit to security and safety but instead it is an easy method of committing remote fraud.