Slashdot Mirror


Voice Phishing Scams Are Getting More Clever (krebsonsecurity.com)

Security researcher Brian Krebs highlights several clever methods scammers are using to obtain your personal information. In one example, someone used a fully-automated voice to try and scam "a cybersecurity professional with more than 30 years of experience" by greeting him with a four-note AT&T jingle, "followed by a recorded voice saying AT&T was calling to prevent his phone service from being suspended for non-payment."

"It then prompted me to enter my security PIN to be connected to a billing department representative," Jon said. "My number was originally an AT&T number (it reports as Cingular Wireless) but I have been on T-Mobile for several years, so clearly a scam if I had any doubt. However, I suspect that the average Joe would fall for it."

Krebs reports on another, more sophisticated scam attempted on Matt Haughey, the creator of the community Weblog MetaFilter and a writer at Slack: Haughey banks at a small Portland credit union, and last week he got a call on his mobile phone from an 800-number that matched the number his credit union uses. Actually, he got three calls from the same number in rapid succession. He ignored the first two, letting them both go to voicemail. But he picked up on the third call, thinking it must be something urgent and important. After all, his credit union had rarely ever called him. Haughey said he was greeted by a female voice who explained that the credit union had blocked two phony-looking charges in Ohio made to his debit/ATM card. She proceeded to then read him the last four digits of the card that was currently in his wallet. It checked out. Haughey told the lady that he would need a replacement card immediately because he was about to travel out of state to California. Without missing a beat, the caller said he could keep his card and that the credit union would simply block any future charges that weren't made in either Oregon or California.

This struck Haughey as a bit off. Why would the bank say they were freezing his card but then say they could keep it open for his upcoming trip? [...] The caller then read his entire home address to double check it was the correct destination to send a new card at the conclusion of his trip. Then the caller said she needed to verify his mother's maiden name. The voice in his head spoke out in protest again, but then banks had asked for this in the past. He provided it. Next she asked him to verify the three digit security code printed on the back of his card. Once more, the voice of caution in his brain was silenced: He'd given this code out previously in the few times he'd used his card to pay for something over the phone. Then she asked him for his current card PIN, just so she could apply that same PIN to the new card being mailed out, she assured him. Ding, ding, ding went the alarm bells in his head. Haughey hesitated, then asked the lady to repeat the question. When she did, he gave her the PIN, and she assured him she'd make sure his existing PIN also served as the PIN for his new card. Haughey said after hanging up he felt fairly certain the entire transaction was legitimate, although the part about her requesting the PIN kept nagging at him.
Long story short, two fraudulent charges were made on his account totaling $3,400. "People I've talked to about this say there's no way they'd fall for that, but when someone from a trustworthy number calls, says they're from your small town bank, and sounds incredibly professional, you'd fall for it, too," Haughey said.

3 of 201 comments

  1. Re:Haughey is a dumb-ass. by MachineShedFred · Score: 3, Informative

    More than that, when they asked for his PIN, twice, he should have hung up then and there. Banks never have, and never will ask for your PIN. It is always set either by yourself at a bank branch keying it into a terminal, or when you activate the card by dialing the number on the card sent to you at the time of activation.

    The other stuff is semi-legit if you include all practices that banks have used since the beginning of time, but many of them are not in use anymore. Example: mother's maiden name is easily gained information in the age of The Book of Faces.

    --
    Slashdot still doesn't support Unicode after it was added to the HTML standard in 1997.
  2. Re:Whoa. by wierd_w · Score: 1, Informative

    Define "Legitimate"

    Here's one all the same though,

    Fortune 500 company decides that it wants to use the services of "Call center cubefarm dystopia" for part of its service call needs.

    Call center cubefarm dystopia INC clearly is not Fortune 500 Inc, but has an agreement to PRETEND to be, with Fortune 500 Inc. Fortune 500 Inc DOES NOT WANT customers to know that Cubefarm Dystopia Inc is who is really handling their support calls, because that's just bad PR. They also do not want to train, retain, or operate the support staff themselves, because $$$.

    So, Cubefarm Dystopia Inc spoofs being Fortune 500 Inc on their caller ID.

  3. Re: Whoa. by Sique · Score: 5, Informative

    Third party number spoofing is the effect, not the cause.

    You can spoof any number by sending a user provided caller ID. The only reason the other party doesn't see the caller ID you provided is because the provider strips it from your signalling. If you are behind the phone switch of your company, the provider has no way to determine if the extension your phone switch signals to PSTN is correct. Depending on your trunk configuration, the provider thus either accepts the signalling, or strips it and replaces it with the trunk dial-in number (e.g. the number of the company's attendant switch board), so no callback will get through to the extensions.

    If you are a company with several number blocks (e.g. several locations with their own trunks), and the company wants to show a central dial-in number for callbacks, the provider has a problem. It doesn't necessarily know all the locations of your company, because some might be with a different provider. Or the company has for redundancy reasons bought connectivity with different providers, with separate trunk numbers, but wants always their main number of the first trunk as the caller ID.

    In this case, the company gets a "CLIP no screening" contract, where it is the sole responsibility of the company to signal the right caller ID, and the provider takes it without further checks, as it has incomplete information anyway and wouldn't be able to determine if the caller ID provided is valid or not. Only if there are complaints about wrong caller IDs coming from the trunk will the provider cancel the "CLIP no screening" and no longer trust the information, strip it and replace it with the trunk number (or cancel the contract altogether).

    But if the calls with the spoofed number are crossing several providers, it will take a long time until the rogue trunk that is using the wrong caller ID is identified, because at the exchange points the providers have to take the information of the call at face value, not really being able to check whether it is valid or not.

    --
    .sig: Sique *sigh*