Voice Phishing Scams Are Getting More Clever (krebsonsecurity.com)

← Back to Stories (view on slashdot.org)

Voice Phishing Scams Are Getting More Clever (krebsonsecurity.com)

Posted by BeauHD on Sunday October 7, 2018 @11:23AM from the sneaky-bastards dept.

Security researcher Brian Krebs highlights several clever methods scammers are using to obtain your personal information. In one example, someone used a fully-automated voice to try and scam "a cybersecurity professional with more than 30 years of experience" by greeting him with a four-note AT&T jingle, "followed by a recorded voice saying AT&T was calling to prevent his phone service from being suspended for non-payment."

"It then prompted me to enter my security PIN to be connected to a billing department representative," Jon said. "My number was originally an AT&T number (it reports as Cingular Wireless) but I have been on T-Mobile for several years, so clearly a scam if I had any doubt. However, I suspect that the average Joe would fall for it." Krebs reports of another, more sophisticated scam attempted on Matt Haughey, the creator of the community Weblog MetaFilter and a writer at Slack: Haughey banks at a small Portland credit union, and last week he got a call on his mobile phone from an 800-number that matched the number his credit union uses. Actually, he got three calls from the same number in rapid succession. He ignored the first two, letting them both go to voicemail. But he picked up on the third call, thinking it must be something urgent and important. After all, his credit union had rarely ever called him. Haughey said he was greeted by a female voice who explained that the credit union had blocked two phony-looking charges in Ohio made to his debit/ATM card. She proceeded to then read him the last four digits of the card that was currently in his wallet. It checked out. Haughey told the lady that he would need a replacement card immediately because he was about to travel out of state to California. Without missing a beat, the caller said he could keep his card and that the credit union would simply block any future charges that weren't made in either Oregon or California.

This struck Haughey as a bit off. Why would the bank say they were freezing his card but then say they could keep it open for his upcoming trip? [...] The caller then read his entire home address to double check it was the correct destination to send a new card at the conclusion of his trip. Then the caller said she needed to verify his mother's maiden name. The voice in his head spoke out in protest again, but then banks had asked for this in the past. He provided it. Next she asked him to verify the three digit security code printed on the back of his card. Once more, the voice of caution in his brain was silenced: He'd given this code out previously in the few times he'd used his card to pay for something over the phone. Then she asked him for his current card PIN, just so she could apply that same PIN to the new card being mailed out, she assured him. Ding, ding, ding went the alarm bells in his head. Haughey hesitated, then asked the lady to repeat the question. When she did, he gave her the PIN, and she assured him she'd make sure his existing PIN also served as the PIN for his new card. Haughey said after hanging up he felt fairly certain the entire transaction was legitimate, although the part about her requesting the PIN kept nagging at him. Long story short, two fradulent charges were made on his account totaling $3,400. "People I've talked to about this say there's no way they'd fall for that, but when someone from a trustworthy number calls, says they're from your small town bank, and sounds incredibly professional, you'd fall for it, too," Haughey said.

122 of 201 comments (clear)

Min score:

Reason:

Sort:

Whoa. by msauve · 2018-10-07 11:39 · Score: 5, Insightful

If they're calling you, they don't have any reason to ask you to provide any confidential info to verify you are who they called. If they ask, get a name and extension, and call them back via a published number.

--
"National Security is the chief cause of national insecurity." - Celine's First Law
1. Re:Whoa. by PPH · 2018-10-07 11:52 · Score: 4, Insightful
  
  If they ask, get a name and extension,
  Always this. They can spoof the legitimate bank customer service number. So don't assume the caller ID is correct. Always tell them that you will call them back at a convenient time.
  
  --
  Have gnu, will travel.
2. Re:Whoa. by ShanghaiBill · 2018-10-07 12:33 · Score: 5, Interesting
  
  They can spoof the legitimate bank customer service number.
  But only because the telecom companies let them, and the government has done nothing to ban the practice.
  Spoofing should be illegal unless the company doing the spoofing owns both numbers.
  That this is mostly an American+Canadian problem. The practice is illegal in most other countries.
3. Re:Whoa. by arth1 · 2018-10-07 12:47 · Score: 1
  
  19 out of 20 telephone calls who are not friends and family are scams
  Really? Are you sure it's not 18 out of 19?
4. Re:Whoa. by ShanghaiBill · 2018-10-07 13:16 · Score: 2
  
  making things illegal won't stop criminals.
  We don't need to stop the criminals. We only need to stop the telecoms from enabling them.
5. Re:Whoa. by ShanghaiBill · 2018-10-07 13:21 · Score: 3, Insightful
  
  backwards compatibility be damned.
  What is the legitimate use case for 3rd party number spoofing?
  
  it's 2018 why haven't we solved the SPAM problem yet????
  Stupid analogy. Spam is a problem worldwide. There is no obvious solution.
  3d party number spoofing is an America+Canada only problem. The solution is obvious, and most of the world has already done it.
6. Re:Whoa. by arth1 · 2018-10-07 13:29 · Score: 2
  
  So is fraud; making things illegal won't stop criminals.
  Actually, it will, in that you can arrest, jail, prosecute and imprison them once it's illegal, but if it's legal, they can continue at will.
7. Re:Whoa. by mark-t · 2018-10-07 13:53 · Score: 1
  
  The telecom companies that is forwarding that info to you has no way to know that the caller spoofed their caller ID. Not only do you have to trust the exchange you are getting the call from, but you must trust the exchange that connected to that exchange, and so on, all the way to the original caller, and there is no way for the receiver to positively identify these exchanges if the original caller happened to send false information in the first place.
  The only fix for this would completely break backwards compatibility and would in general make it all but impossible to make long distance calls.
  
  --
  File under 'M' for 'Manic ranting'
8. Re:Whoa. by mark-t · 2018-10-07 13:57 · Score: 1
  
  There isn't any... but in general, an exchange has no way to know what exchange a call *ACTUALLY* originated from if it didn't originate in the exchange connected directly to it.
  
  --
  File under 'M' for 'Manic ranting'
9. Re: Whoa. by ShanghaiBill · 2018-10-07 14:53 · Score: 2, Insightful
  
  A. Number portability. I can no longer be certain that an AT&T assigned number is still with AT&T.
  Why does this require 3rd party number spoofing?
  
  B. Many companies assign the main corporate number to all outbound calls. This is a feature that shouldn't be broken.
  C. VOIP service. I want calls from my cell and voip to be transparent. It's also nice to be able to call as, so I can call as me or as my corporate phone number from one phone.
  Neither of these require 3rd party number spoofing.
  Spoofing is fine if the same company owns both numbers. That is legal almost everywhere.
10. Re:Whoa. by ShanghaiBill · 2018-10-07 14:59 · Score: 4, Insightful
  
  So there are legitimate reasons to allow caller ID spoofing
  Of course there are, and you listed several, but that WAS NOT THE QUESTION,
  Let me repeat: Is there any legitimate use case for THIRD PARTY phone number spoofing?
  This means you call from a number that you own and control, and you make it look like it is coming from a number that you do NOT own or control, and do not have permission to use. This is obviously useful to criminals. Is it needed by anyone else?
11. Re:Whoa. by Ol+Olsoc · 2018-10-07 15:01 · Score: 1
  
  The telecom companies that is forwarding that info to you has no way to know that the caller spoofed their caller ID. Not only do you have to trust the exchange you are getting the call from, but you must trust the exchange that connected to that exchange, and so on, all the way to the original caller, and there is no way for the receiver to positively identify these exchanges if the original caller happened to send false information in the first place.
  The only fix for this would completely break backwards compatibility and would in general make it all but impossible to make long distance calls.
  I see, So whay didn't I get any of this crap back in say - the 1980s?
  And are you seriously suggesting that it is impossible to make certain that the number that pops up is the number that is calling?
  Such a complex system that a call announcing system was developed that is not capable of ever working. Someone should be fired over developing that never working device.
  
  --
  The shepherds did so well protecting the flock that the sheep no longer believed that wolves existed.
12. Re:Whoa. by Anonymous Coward · 2018-10-07 15:06 · Score: 1
  
  I had one scam call my mom claiming they had all her information, but they needed to confirm information to extend her insurance.
  I told my mom to ask one simple question, what colour is my car. If they have all the information that is easy to answer and do not invade any personal info.
  They stayed on the line for about ten minutes trying to get mom to give they any info, but she stuck to her guns, if they have her info then they can tell her the colour of her car.
  Now guess what, my mom later died and I still have that car, and it has been seven years since that call and I still have no problems with insurance.
  E.C.P.
13. Re:Whoa. by wierd_w · 2018-10-07 16:18 · Score: 1, Informative
  
  Define "Legitimate"
  Here's one all the same though,
  Fortune 500 company decides that it wants to use the services of "Call center cubefarm dystopia" for part of its service call needs.
  Call center cubefarm dystopia INC clearly is not Fortune 500 Inc, but has an agreement to PRETEND to be, with Fortune 500 Inc. Fortune 500 Inc DOES NOT WANT customers to know that Cubefarm Dystopia Inc is who is really handling their support calls, because that's just bad PR. They also do not want to train, retain, or operate the support staff themselves, because $$$.
  So, Cubefarm Dystopia Inc spoofs being Fortune 500 Inc on their caller ID.
14. Re:Whoa. by jpaine619 · 2018-10-07 16:22 · Score: 2
  
  I gotta agree with the GP.. If the telecoms don't permit third party spoofing, it wouldn't happen.. They control the network... They can enable/disable it...
  If it doesn't occur in Europe, then they have apparently figured out how to disable it..
  First party spoofing is fine.. As many have pointed out, it's nice that all outbound calls from a single company have the same Caller ID.
  On the other hand, I shouldn't be able to show "Joe's Fish Shack" as the caller ID from a call on my home phone if I have no connection to Joe's Fish Shack. The technology to permit this should not be in place.. Telecoms should assign the Caller ID.. Not the asshole making the phone call.
15. Re:Whoa. by ShanghaiBill · 2018-10-07 16:23 · Score: 2
  
  The only fix for this would completely break backwards compatibility
  Nonsense. An obvious solution would be to ban all American companies from 3P spoofing, and ban them from connecting to foreign networks that allow it. Give them six months to implement it.
  During those six months, any country that wants to continue to connect to America's phone system (i.e. all expect North Korea) would scramble to fix their own phone systems. Most would need to do nothing, since 3P spoofing is ALREADY ILLEGAL. In India, 3P spoofing is already illegal for domestic calls, but allowed for international calls, so it would be only a minor change.
16. Re:Whoa. by superdave80 · 2018-10-07 16:25 · Score: 1
  
  Not only do you have to trust the exchange you are getting the call from, but you must trust the exchange that connected to that exchange, and so on, all the way to the original caller
  But how does a call get too a phone number then? If I dial phone number 1234, how does my carrier know what final exchange that number is located at? And if they do, why are they accepting a phone number dialing out from a different exchange that doesn't match the info for me placing a call to 1234? I'm sure there is some technical reason for it, but It still seems screwy to me.
17. Re:Whoa. by Ichijo · 2018-10-07 16:48 · Score: 2
  
  Why can't you route your call through your office in order to avoid the need to spoof your number? That would be like a VPN for telephone calls.
  An alternative would be something similar to SPF so the recipient knows that you own both numbers (cell+office) and displays your office number when they receive a call from your cell phone.
  
  --
  Any sufficiently unpopular but cohesive argument is indistinguishable from trolling.
18. Re:Whoa. by mark-t · 2018-10-07 17:15 · Score: 1
  
  It doesn't know what final exchange the number is at, it only knows what exchange it will have to talk directly to in order to route to that number... there may be an unknown number of exchanges inbetween you and the target number. If the caller fakes their number, for example for a single line for a large company to forward the 1-800 number for the company instead of the in-house line that the caller may be calling from (and for which there would be no direct phone access to from the outside), the next exchange down the line has no way to know that the number is not real.
  
  --
  File under 'M' for 'Manic ranting'
19. Re:Whoa. by Calydor · 2018-10-07 17:46 · Score: 3, Insightful
  
  Contract signed by both number holders.
  Next fringe case?
  
  --
  -=This sig has nothing to do with my comment. Move along now=-
20. Re:Whoa. by dissy · 2018-10-07 18:15 · Score: 1
  
  I see, So whay didn't I get any of this crap back in say - the 1980s?
  You did, it was just rarely abused and not cheap or easy to gain access to.
  Any company owning a PBX system trunked to the phone exchange, was the owner of the device (the PBX) being asked by your exchange, what the caller ID should be.
  The staff that programmed the PBX defined the caller ID rules, and as is common practice, would have defined all "internal only" extensions to return a different phone number, likely the companies main number or reception desk.
  A PBX wasn't cheap, nor was the trunk fees to connect it to the network.
  Today we have a new thing that didn't exist in the 80s, called VoIP, where the PBX is replaced by software (some even free), and "trunk" connections over IP that cost less per month than the average person spends at mcdonalds.
  Being cheap and easily accessible only now and not in the 80s, is exactly why you see this kind of crap now and not in the 80s.
  
  And are you seriously suggesting that it is impossible to make certain that the number that pops up is the number that is calling?
  There is, it is called ANI, and part of the networks billing system.
  It isn't that it doesn't exist, it has since the 60s as far as I'm aware (probably longer), but you likely don't want to pay for the requirement to decide it nor the service levels needed for the phone company to offer it.
  If you get a toll or toll-free number, you will be given access to the ANI info of the caller, since for toll-free it will be you paying for the call and so you need to know what that will cost before answering.
  You also need to be trunked into the network, a POTS or cell line has no method to transmit this info to you.
  Now you can certainly argue this shouldn't be the way it is, such service should be free, and the phone company should be forced to pay for the hardware to give to you at a loss.
  But that's another story unrelated to the technology existing.
21. Re: Whoa. by sg_oneill · 2018-10-07 18:16 · Score: 1
  
  I've been waging bit of a personal war against local utilities for the last year over robocalls and phoning up asking for identifications. I want it banned. The average user , the people is IT professionals are meant to protect have no chance of identifying a well done scam if the legitimate phonecalls are indistinguishable from the fraudulent ones, and it's damn irresponsible for these companies to continue to use these tactics when they put everyone at risk. It costs peanuts to rent a handful of lines, an asterisk server on a free tier AWS instance and a bit of time recording a plausible sounding robocall message. Build a list of suckers from the net and cha-Ching it's free money. And it all starts with irresponsible debt collectors and public utilities following irresponsible debt collection practices
  
  --
  Excuse the Unicode crap in my posts. That's an apostrophe, and slashdot is busted.
22. Re: Whoa. by sg_oneill · 2018-10-07 18:19 · Score: 1
  
  Hell go the whole hog. Judge Death style. Eliminate crime by eliminating life. No people, no laws. Everyone wins!
  
  --
  Excuse the Unicode crap in my posts. That's an apostrophe, and slashdot is busted.
23. Re:Whoa. by wierd_w · 2018-10-07 19:11 · Score: 1
  
  It only takes ONE kind of case if there are multiple millions of dollars of "shareholder value" on the line.
  It is much easier to make cherry backroom deals with the telecoms to look the other way over such things (as a rule rather than an exception, so that end users have no real means of identifying that Callcenter Dystopia Inc is really who is answering all the support calls, so that Fortune 500 Inc can post EVEN BETTER quarterlies.) than it is to pay callcenter people at the pay grades otherwise demanded within their organization (especially from people that are supposed to be competent enough to answer difficult support calls about edge cases, and at call volumes and response times normally found only in telemarketing firms) and so it is not in the telecom's financial interests to "Fix" the problem.
  In fact, they get paid a lot by "legitimate" players to do the opposite.
  That was kinda the point here.
24. Re: Whoa. by houghi · 2018-10-07 19:21 · Score: 1
  
  In Belgium you would still need to make sure you are talking to the right person. Otherwise you could be liable to give out personal information.
  That is why, where I work, automated systems will just ask you to call, not even saying the reason, just the company name.
  We even do not say a reason on an answering machine, if the full name of the person was not said. The number could be owned by somebody else.
  
  --
  Don't fight for your country, if your country does not fight for you.
25. Re: Whoa. by houghi · 2018-10-07 19:43 · Score: 1
  
  The call will most likely not go to an agent. It will however be some random number that cpuld be occupied a lot, if it is even programmed to take calls. Most agents do not have their own number.
  
  --
  Don't fight for your country, if your country does not fight for you.
26. Re:Whoa. by tlhIngan · 2018-10-07 20:53 · Score: 1
  
  But only because the telecom companies let them, and the government has done nothing to ban the practice.
  Spoofing should be illegal unless the company doing the spoofing owns both numbers.
  That this is mostly an American+Canadian problem. The practice is illegal in most other countries.
  Spoofing may not be illegal, but scamming still is. And "other countries' have plenty of scams still. In fact, there are the old "microsoft tech support scam", the "refund scam" which is especially popular in the UK and plenty more.
  To be honest, I can't tell you if the number is spoofed - you can say the number is for the Canada Revenue Agency, but on my phone, I see a bunch of digits. I don't' recognize the number, so spoof or not, I can't tell. (Do you know the number of the IRS without looking it up?)
  The tax scam is pretty useless - when you're a family of 3 taxpayers, the message that says "we have discovered an irregularity in your tax filing" is a scam - WHOSE tax filing was bad? "Your" could mean any one of three taxpayers, and you know the government isn't that bad at identifying someone.
  The refund scam and tech support scams are still rampant elsewhere in the world. Even if you eliminate spoofed numbers, you'll just be talking about a different set of scams.
  As for spoofing, there are valid reasons for it - there are often more numbers than lines at a business, so being able to return the proper DID number (or main line number) is useful instead of a completely useless line identifier. VoIP would collapse if they couldn't spoof - VoIP providers would return a random phone number to called parties who would probably not answer your phone call because they don't recognize the phone number.
  What should happen is providers do filtering of the number - if you're going to spoof, the number you spoof will only be of what you actually have. Similar to how source IP filtering works but for phone numbers. This pretty much leaves legitimate entities to spoof.
27. Re:Whoa. by fgouget · 2018-10-07 21:03 · Score: 2
  
  If it doesn't occur in Europe, then they have apparently figured out how to disable it..
  Caller id spoofing happens just the same in Europe. A number of calls are placed from abroad and spoof local numbers. The phone system is a worldwide system so the solution must be deployed worldwide for it to work.
28. Re: Whoa. by Sique · 2018-10-07 21:42 · Score: 5, Informative
  
  Third party number spoofing is the effect, not the cause.
  You can spoof any number by sending a user provided caller ID. The only reason the other party doesn't see the caller ID you provided is because the provider strips it from your signalling. If you are behind the phone switch of your company, the provider has no way to determine if the extension your phone switch signals to PSTN is correct. Depending on your trunk configuration, the provider thus either accepts the signalling, or strips it and replaces it with the trunk dial-in number (e.g. the number of the company's attendant switch board), so no callback will get through to the extensions.
  If you are a company with several number blocks (e.g. several locations with their own trunks), and the company wants to show a central dial-in number for callbacks, the provider has a problem. It doesn't necessarily know all the locations of your company, because some might be with a different provider. Or the company has for redundancy reasons bought connectivity with different providers, with separate trunk numbers, but wants always their main number of the first trunk as the caller ID.
  In this case, the company gets a "CLIP no screening" contract, where it is the sole responsibility of the company to signal the right caller ID, and the provider takes it without further checks, as it has incomplete information anyway and wouldn't be able to determine if the caller ID provided is valid or not. Only if there are complaints about wrong caller IDs coming from the trunk, the provider will cancel the "CLIP no screening" and no longer trust the information, strip it and replace it with the trunk number (or cancel the contract alltogether).
  But if the calls with the spoofed number are crossing several providers, it will take a long time until the rogue trunk is determined that is using the wrong caller ID, because at the exchange points, the providers have to take the information of the call at face value, not really able to check if they are valid or not.
  
  --
  .sig: Sique *sigh*
29. Re:Whoa. by GerryHattrick · 2018-10-07 22:02 · Score: 1
  
  And call back from a different 'phone. At least in the UK a scammer can hold the line open so that your next call comes to them too.
30. Re:Whoa. by yes-but-no · 2018-10-07 23:40 · Score: 1
  
  So todo: install malware in the target's phone so when the said number is called, it gets routed to our systems.
31. Re:Whoa. by parkinglot777 · 2018-10-08 00:07 · Score: 1
  
  and the government has done nothing to ban the practice.
  This statement is wrong. The government has done something (Truth in Caller ID Act) but it is not enough. The caller (either a real person or robot) clearly and fraudulently intend to obtain importation personal data from the person being called. The problem with the law is that it is not clear enough and no one really enforces it.
32. Re: Whoa. by Highdude702 · 2018-10-08 00:44 · Score: 1
  
  More to the point of OP
  It is designed insecure for reasons stated above so making it illegal does nothing because criminals don't follow laws or they wouldn't be criminals.
33. Re:Whoa. by AmiMoJo · 2018-10-08 00:46 · Score: 1
  
  That's the mechanism, not the legitimate use case.
  
  --
  const int one = 65536; (Silvermoon, Texture.cs)
  SJW, n: "Someone I don't like, and by the way I'm a fuckwit" - AC
34. Re:Whoa. by AmiMoJo · 2018-10-08 00:50 · Score: 1
  
  Just force calls originating from outside the country to have their actual numbers displayed, rather than the caller ID ones.
  Companies that have legitimate call centres outside the country will always have an exchange in country anyway, so as to allow for free/low cost calls to their number. In fact in many EU countries it's a legal requirement to have such a number - companies are not allowed to charge more than the cost of a local call to contact them, especially their help/service/complaints lines.
  
  --
  const int one = 65536; (Silvermoon, Texture.cs)
  SJW, n: "Someone I don't like, and by the way I'm a fuckwit" - AC
35. Re:Whoa. by Gr8Apes · 2018-10-08 01:24 · Score: 1
  
  You've got this wrong. The corporate PBX can be setup to route a set of numbers to the callcenter's PBX, and everything is handled between the two companies. It does require work on the companies part to coordinate, but no "spoofing" required, as it's all internal. It also requires a level of trust, since the callcenter is now legally capable of calling on the company's behalf. Something tells me that potential alternate call center revenue flows would be affected.
  
  --
  The cesspool just got a check and balance.
36. Re:Whoa. by msauve · 2018-10-08 01:30 · Score: 1
  
  Ever since number portability, there's no longer a definite geographic relationship between areas, exchanges, etc.
  
  --
  "National Security is the chief cause of national insecurity." - Celine's First Law
37. Re:Whoa. by PPH · 2018-10-08 01:51 · Score: 1
  
  What sort of software will run on a Western Electric 2500DM?
  
  --
  Have gnu, will travel.
38. Re:Whoa. by PPH · 2018-10-08 01:55 · Score: 1
  
  So, Cubefarm Dystopia Inc spoofs being Fortune 500 Inc on their caller ID.
  Fortune 500 Inc configures one of the numbers that they own to be the reported source of Cubefarm Dystopia's calls.
  
  --
  Have gnu, will travel.
39. Re:Whoa. by wierd_w · 2018-10-08 02:12 · Score: 1
  
  That implies that Cubefarm Dystopia does not itself subcontract, or otherwise have very transient operations necessitating it being the one doing the report modification.
  We *ARE* talking about seeking the lowest priced option, and covering it up here.
40. Re:Whoa. by PPH · 2018-10-08 02:28 · Score: 1
  
  That implies that Cubefarm Dystopia does not itself subcontract,
  Correct. It is in the interest of Fortune 500 Inc to be aware of (and monitor for quality control purposes) any subcontractors actually doing work in its name. The entity seeking the lowest price option should be Fortune 500 Inc, not Cubefarm Dystopia.
  
  --
  Have gnu, will travel.
41. Re:Whoa. by fgouget · 2018-10-08 02:39 · Score: 1
  
  Just force calls originating from outside the country to have their actual numbers displayed
  You're saying that as if there was such a thing as an "actual (phone) number" for ip. What is the phone number of a computer in a data center? How do you know if that computer is the origin of the call or just the n-th relay?
  And what phone number would you display for people calling their family on their own cell phone from abroad? Or is your solution to make cell phones unusable abroad?
42. Re:Whoa. by dcw3 · 2018-10-08 02:55 · Score: 1
  
  Spoofing should be illegal unless the company doing the spoofing owns both numbers.
  Wikipedia says it already is...
  United States[edit]
  In the United States, telemarketers are required to transmit caller ID.[16] This requirement went into effect on January 29, 2004.[17] Courts have ruled that caller ID is admissible.[18] Providers are required by FCC rules to offer "per-call" blocking of caller ID to their customers. Legislation in the United States in 2007 made caller ID spoofing illegal for fraudulent purposes.
  
  --
  Just another day in Paradise
43. Re:Whoa. by AmiMoJo · 2018-10-08 03:30 · Score: 1
  
  In the UK such numbers just come up as "unknown", which is reasonable. The display should only show a number if there is a reasonably high level of confidence that it is genuine.
  
  --
  const int one = 65536; (Silvermoon, Texture.cs)
  SJW, n: "Someone I don't like, and by the way I'm a fuckwit" - AC
44. Re:Whoa. by fgouget · 2018-10-08 04:36 · Score: 1
  
  In the UK such numbers just come up as "unknown", which is reasonable. The display should only show a number if there is a reasonably high level of confidence that it is genuine.
  Every time a city trader / UK retiree calls home from the other side of the EuroTunnel his number comes up as "unknown"? I very much doubt so. Do you have a source? But if that's true then we have different definitions of reasonable.
45. Re:Whoa. by yes-but-no · 2018-10-08 05:50 · Score: 1
  
  That may need a human to be sent out-doors to tap/fix the twisted-pair. Or may be easier to find some holes in the telephone service providers systems. Or may be directly in the so called bank's 1-800 system. Or the weakest link - human - bribe a human/supervisor in the 1-800 back office.
46. Re: Whoa. by nukenerd · 2018-10-08 06:04 · Score: 1
  
  making it illegal does nothing because criminals don't follow laws or they wouldn't be criminals.
  I keep hearing this, so I'm persuaded. We'll do away with all laws then; it will save paper and as a bonus I'll be able to murder anyone I want.
47. Re:Whoa. by thsths · 2018-10-08 06:31 · Score: 1
  
  Yes, that is true.
  Unfortunately, my bank has a nasty habit of doing exactly this. And no, you cannot call them back, because it is usually a call from back office (and they only call, they do not usually take calls).
  I think that banks has long trained customers to fall for this scam.
48. Re: Whoa. by Highdude702 · 2018-10-08 07:05 · Score: 1
  
  So you're telling me that criminals follow laws? Kind of seems like what your shitty analogy means.
49. Re:Whoa. by AmiMoJo · 2018-10-08 07:29 · Score: 1
  
  It depends. Where there is an agreement the real number comes up. Where there isn't it says "out of area" or "international".
  That's my experience.
  
  --
  const int one = 65536; (Silvermoon, Texture.cs)
  SJW, n: "Someone I don't like, and by the way I'm a fuckwit" - AC
50. Re:Whoa. by Ol+Olsoc · 2018-10-08 10:21 · Score: 1
  
  I see, So whay didn't I get any of this crap back in say - the 1980s?
  Why didn't you see caller ID spoofing before the advent of caller ID? Is this an actual question?
  Pay attention to the conversation. The guy I was replying to was saying it wasn't possible to fix call spooking without destroying backwards compatibility. Seems like 1980's is backward.
  
  --
  The shepherds did so well protecting the flock that the sheep no longer believed that wolves existed.
51. Re:Whoa. by Ol+Olsoc · 2018-10-08 10:27 · Score: 1
  
  I had no idea that it was almost impossible, in any rate incredibly and prohibitively expensive for a phone company to tell who is making a call. Go figure.
  Sounds like they lose a lot of money on each call.
  
  --
  The shepherds did so well protecting the flock that the sheep no longer believed that wolves existed.
52. Re: Whoa. by im_thatoneguy · 2018-10-08 12:37 · Score: 1
  
  What needs to happen is phone companies need to start policing who they are willing to connect to. If you are AT&T and 90% of your spam calls are coming from XYZTelco's switches then you tell them that they have 30 days to eliminate spam or they will no longer be connected. XYZTelco isn't actually responsible but they will look at the list and tell the switches they connect to "You have 30 days or we'll disconnect you." Rinse and repeat and I guarantee you that the 2nd and 3rd level providers will find a way to ensure their services aren't used for spam real quick when they risk their entire existence being cut-off from access to US major telecoms like AT&T and Verizon.
  Our phone system is at a fundamental risk of collapse in the next 12 months. If Spam isn't stopped people are going to kill their phone lines entirely. 90% of calls to our office now are spam.
53. Re:Whoa. by redeye-mcgee · 2018-10-08 13:07 · Score: 1
  
  I have a client that provides onsite nursing services. They accept incoming calls to a single number that I do not own. Their calls are rerouted to my service. Depending on the time of the day, day of the week, holidays or other factors determines who the call is routed to. I accept the caller id from the carrier that came with originating call and forward the call to the on-call person along with the originating caller id instead of my services's caller id. I do not own the recipient number either.
  
  The nursing service does not have an brick and mortar office nor do they ever expect to have one. Their services have been well received and they expect within the next few years to expand to over 1,000 nurses, no fly-by-night service.
  
  I am currently working on expanding the service to accept calls to/from landlines, cell, SIP and WebRTC. The initial integration is complete I just need to work out some issues on some edge cases.
  
  I have other clients that do not own their called number, I do, though these are the exception. Not because people want another number but because when a person or business orders an internet connection they are forced to get a phone line too. They just have all calls forwarded to me.
  
  And I have clients that I own the cell phones that receive the call, so I own that number as well.
  
  Another business model I provide is for a client that runs a sales campaign. They will place an advertisement in two or three different media each with a different number. The numbers are routed to me and I forward them to the client. This process provides the client with immediate feedback on their sales campaign, not just which number gets called the most but which number has the most sales closed.
  
  In this instance I do not own the originating number, the called number nor the destination number. Again, when the call is received I forward the call to the client along with the caller id of the originating caller. To be specific there is the originating call, the client's sales campaign number, my inbound number, my outbound line and the destination number, five numbers total.
  
  There are other services I provide, you were asking for a specific instance of a legitimate business that spoofed the caller id even if the business did not own the originating or destination numbers.
  
  Historically we have viewed a phone number as an identification for the device we received the call on. The reality is a phone number is a program we run on a remote computer to route a call from me to a desired destination.
54. Re:Whoa. by Tony+Isaac · 2018-10-08 16:28 · Score: 1
  
  Or better yet, don't answer calls from businesses. If it's important, they can leave you a message. They usually won't. If they leave a message with a number to call, disregard the number and call the published number.
55. Re: Whoa. by Sique · 2018-10-08 21:17 · Score: 1
  
  Caller ID was for informational and convenience purposes anyway. It is not necessary for the inner workings of the PSTN. Thus there is not much more security built in than in the sender address on a letter envelope.
  911 service calls, where the exact location of the caller is important, don't leave the provider network, and they get the native trunk number (and thus via the provider database the address of the calling site) directly without any caller ID magic. It is thus important for a phone switch with several PSTN trunks and locations to route the 911 calls to the right trunk depending on the location of the calling station.
  
  --
  .sig: Sique *sigh*
56. Re: Whoa. by Highdude702 · 2018-10-09 11:00 · Score: 1
  
  How does the hopping of the long distance swatting shit work? I know fuck all about the POTS systems outside of the building.
Haughey is a dumb-ass. by fahrbot-bot · 2018-10-07 11:46 · Score: 4, Insightful

So "alarm bells" went off in his head four times and he kept giving out his information? He should have said he would call his bank branch directly or the 800 number listed on the back of his card and hung up.
The "bank" called him, at his phone number, so he doesn't need to confirm anything - the bank needs to confirm themselves. Both of my banks say they will never ask for personal information if they contact me, not only for my safety but because -- spoiler alert -- they already have my information. (I, however, need to provide my information if I call them to prove that I am me.) In addition, why would they ask him to confirm information that won't be changed?

Haughey banks at a small Portland credit union, and last week he got a call on his mobile phone from an 800-number that matched the number his credit union uses.

Caller ID can be spoofed. Never trust it.

"People I've talked to about this say there's no way they'd fall for that, but when someone from a trustworthy number calls, says they're from your small town bank, and sounds incredibly professional, you'd fall for it, too," Haughey said.
No. Just no.

--
It must have been something you assimilated. . . .
1. Re:Haughey is a dumb-ass. by MachineShedFred · 2018-10-07 11:56 · Score: 3, Informative
  
  More than that, when they asked for his PIN, twice, he should have hung up then and there. Banks never have, and never will ask for your PIN. It is always set either by yourself at a bank branch keying it into a terminal, or when you activate the card by dialing the number on the card sent to you at the time of activation.
  The other stuff is semi-legit if you include all practices that banks have used since the beginning of time, but many of them are not in use anymore. Example: mother's maiden name is easily gained information in the age of The Book of Faces.
  
  --
  Slashdot still doesnâ(TM)t support Unicode after it was added to the HTML standard in 1997.
2. Re:Haughey is a dumb-ass. by Todd+Knarr · 2018-10-07 11:57 · Score: 1
  
  Pretty much this. I have a simple policy: it doesn't matter whether I believe the call is legitimate or not, I do not give out information or try to resolve a problem when it's the other party calling me. I note who it is and what they claim the problem is, then I call the contact number from my own records for that person/company (from my address book, the credit card itself, the last bill, their Web site from my bookmarks, etc.) and ask to be connected to the correct department for the problem. Now I know I'm talking to the right people and not a scammer. This usually takes all of a minute or two, and saves me from ever falling for even the most convincing scams.
  If you're truly interested in tracking down the source of calls, see about a toll-free incoming line handled by software like Asterisk and get your caller's identity from the billing information rather than CID. That's too expensive for me, though.
3. Re: Haughey is a dumb-ass. by Cmdln+Daco · 2018-10-07 12:33 · Score: 1
  
  If, as they claimed, they asked for his PIN so it could remain the same on the new card... why wouldn't they already have it on file?
4. Re: Haughey is a dumb-ass. by olsmeister · 2018-10-07 12:53 · Score: 5, Insightful
  
  There is just so much about the story that doesn't make sense in hindsight, but the advantage that the scammers have is that they've called you, given you some alarming news, and are offering to fix it for you. People probably are so upset hearing that their card is being improperly used that they aren't slowing down to think about what is being asked them.
  The news needs to be spread far and wide that you always just thank them for the information and inform them you'll be calling their fraud line.
5. Re: Haughey is a dumb-ass. by oneunixguy · 2018-10-07 13:04 · Score: 1
  
  Apparently in 30 years heâ(TM)s learned nothing. If heâ(TM)s being paid for his cyber security experience he ought to be fired. A simple call and he gave it all. As others have said and as I do, if someone calls me and wants me to verify any information, I ask for their name and employee number and call back to a well publicized phone number for that office or company. AND I didnâ(TM)t need 30 years of cyber security expertise to figure it out.
6. Re: Haughey is a dumb-ass. by Ostracus · 2018-10-07 14:06 · Score: 2
  
  My fraud line called ME, and said "did you make these charges"? No. They denied them, and issued me a new card. No other verify needed.
  
  --
  Shai Schticks:"You don't make peace with friends, you make peace with enemies"
7. Re: Haughey is a dumb-ass. by dryeo · 2018-10-07 15:40 · Score: 1
  
  I'd be surprised, but not too surprised, if banks had peoples pins on file. Whenever I've got a new card, the teller takes me to the ATM, explains things and then turns their back on me while I enter my (new) pin.
  
  --
  https://en.wikipedia.org/wiki/Inverted_totalitarianism
8. Re:Haughey is a dumb-ass. by superdave80 · 2018-10-07 16:27 · Score: 1
  
  So "alarm bells" went off in his head four times and he kept giving out his information?
  Because no alarm bells went off. He's just trying to make it sound after the fact that he isn't completely naive, I suspect.
9. Re: Haughey is a dumb-ass. by houghi · 2018-10-07 19:31 · Score: 1
  
  Working with Credit Cards and never needing to see the card number, let alone the PIN number, you would be amazed how many people hand put that info without being asked.
  And I mean by email orjust over the phone. "Hello, my cardnumer is .... and my PIN is ...." Callagents are trained to interupt people. Emails are scanned for cardnumbers.
  This even happens when they come from banks. And then there is the number of people who hand over card and code to somebody else. If that is found out, all risk is for the customer. (No, not even touyou spouse. Getthem their own card)
  
  --
  Don't fight for your country, if your country does not fight for you.
10. Re: Haughey is a dumb-ass. by Megane · 2018-10-07 21:55 · Score: 1
  
  A few months ago, my bank sent me a new ATM card. Except it was a debit card now. Apparently the Pulse card I got back in the mid '90s (yes, I was still using a card that was over 20 years old!) was just too old of a technology to support. Back then, the PIN was set by me pressing four digit keys on this enormous typewriter-like machine (my vague recollection of that day) that embossed and encoded the card. For the new card, the number to dial for activation handled setting the PIN. I suppose that call could have been wire-tapped to get the DTMF of setting it, but it's a lot more secure than an actual human in the loop.
  
  --
  #naabhaprzrag, #sverubfr-000, #agi-fcbafberq, negvpyr[pynff*=' negvpyr-ary-'] { qvfcynl: abar !vzcbegnag; }
11. Re: Haughey is a dumb-ass. by No+Longer+an+AC · 2018-10-08 04:12 · Score: 1
  
  Its been spread far and wide for years. The first time I received one of these calls was in the mid-90s claiming to be from the IRS. I was a little slow to realize it back then, but after they started asking me information I decided to call the IRS myself. Of course it wasn't actually the IRS.
  Even back then I had heard of these scams.
  Now it's not uncommon for me to get a call or text about suspicious activity on my credit card - about once a year. I NEVER call the number back. I call the main number and they already have my account flagged and it goes directly to their security department. So far none of them have been phishing scams.
  It's mildly annoying because now I have to wait for a new card, but not alarming. I'm actually thankful that my bank recognizes that I probably didn't spend $700 in Dubai.
12. Re: Haughey is a dumb-ass. by nukenerd · 2018-10-08 06:18 · Score: 1
  
  "you'd fall for it, too,"
  No, no we wouldn't.
  This. I don't believe that even the average Joe would give out their PIN to a caller, otherwise we would hear of far more successful scams than there are. In the UK, practically every bit of correspondence from banks hammers the point that you should never give out your PIN, even to bank staff (real or fake).
I can vouch for this by Applehu+Akbar · 2018-10-07 11:47 · Score: 5, Interesting

The creepiest voice phish I ever got was the call from my little brother, exactly his voice and intonation pattern, telling us he was in jail in Mexico and needed money. The only way I knew it was a scam, besides the Mexican authorities suddenly accepting payment in Bitcoin, was knowing that he had been sick for years and unable to travel.
1. Re:I can vouch for this by toejam13 · 2018-10-07 12:30 · Score: 4, Interesting
  
  With voice-mimicking software getting better and better, I imagine that these sorts of spear-fishing scams will become more prevalent, especially against the elderly.
  Scour social media for videos of identifiable individuals, find all familial elder links, train the software, and then make a call in that individual's voice using their number in the caller ID field about a phony issue that asks them to send money.
2. Re:I can vouch for this by Applehu+Akbar · 2018-10-07 13:24 · Score: 4, Interesting
  
  I'm guessing that they phone-scraped voice from his job, which was buyer for a hinge manufacturing company in LA. He had to spend a lot of time on the phone.
Basic phone security by registrations_suck · 2018-10-07 11:54 · Score: 2

Donâ(TM)t call me, I will call you.
If you get a call from ANYBODY claiming whatever, hang up and call that supposed somebody at a known good number. Every time.
1. Re:Basic phone security by Anonymous Coward · 2018-10-07 12:13 · Score: 1
  
  and get that number off your statement or from a printed telephone book, or for credit cards (or insurance), use the customer service number ON THE CARD itself... that's why it's printed on the damn card in the first place.. so you have the issuing company's legit telephone number.
  NEVER blindly (i.e. without checking via above methods) call back the number they provide, or the number on the caller id.. and never, ever, EVER EVER ask google for a customer service or support number. many of those are ads or scams that hijack search results.
Caller ID? by Anonymous Coward · 2018-10-07 11:55 · Score: 1

In his 30 years of being "a cybersecurity professional" he never learned that caller ID is trivially faked? Standard practice for dealing with something like an incoming call from a bank is to hang up and call them back at a previously established number, such as from the back of your debit card. Next to the number is probably printed something along the lines of "we'll never ask you for secrets over the phone", to help out those who aren't "cybersecurity professionals".
1. Re:Caller ID? by Sigma+7 · 2018-10-07 12:51 · Score: 1
  
  There's another type of Caller ID known as Automatic Number Identification (ANI). How easy is it to fake that?
  Some parts of the telephone system need a way to provide perfect information about who called, such as with Psychic Buddy's 1-900-SUC-KERS toll lines. If that is faked (even outside real-time), then those people would lose out on money from inbound callers.
2. Re:Caller ID? by arth1 · 2018-10-07 13:31 · Score: 2
  
  In his 30 years of being "a cybersecurity professional" he never learned that caller ID is trivially faked?
  
  Anyone using "cyber" as part of their description are fake themselves.
3. Re:Caller ID? by Ol+Olsoc · 2018-10-07 15:04 · Score: 3, Funny
  
  In his 30 years of being "a cybersecurity professional" he never learned that caller ID is trivially faked?
  Anyone using "cyber" as part of their description are fake themselves.
  What about us cyber-punks, you insensitive clod?
  
  --
  The shepherds did so well protecting the flock that the sheep no longer believed that wolves existed.
4. Re:Caller ID? by Ol+Olsoc · 2018-10-08 13:54 · Score: 1
  
  You're fake. You aren't a real punk. You wanna walk, talk, and act like a punk but you don't want the fights, jails, and heroin addiction to go along with it. Your joke isn't funny. Take your pathetic whoosh and shove it up your twat, wanker.
  U mad bro?
  
  --
  The shepherds did so well protecting the flock that the sheep no longer believed that wolves existed.
If they call my cell phone... by WoodstockJeff · 2018-10-07 11:59 · Score: 1

... it's a guaranteed scam. NOTHING legitimate has my cell phone number.
1. Re:If they call my cell phone... by msauve · 2018-10-07 12:05 · Score: 1
  
  You must be an old fart like me, who still has a landline number. Most of the young 'uns have nothing but a cell phone number.
  
  --
  "National Security is the chief cause of national insecurity." - Celine's First Law
2. Re:If they call my cell phone... by arth1 · 2018-10-07 12:57 · Score: 1
  
  I had a cell phone number back in the 90s, but I have cut the wireless. Now I am corded only.
  This was a great liberation. I can no longer be reached at any time, anywhere. No texts, send me an e-mail, to be read at my convenience, not yours. I have a phone that still works through power outages (because power to the landline system is supplied through the phone wires), including DSL still working through power outages. This saved me when we had a ten day power outage here, and all cell phone towers were down. Neighbours came over to make phone calls, and asked whether they could send some e-mails through my WiFi, because their cable and fibre connections were down, down, deeper than down.
3. Re:If they call my cell phone... by Fly+Swatter · 2018-10-07 14:03 · Score: 2
  
  Your situation will be good until the old copper develops an intermittent issue somewhere off your property that they won't fix because 'copper is deprecated, so we will convert your line to fiber at no cost to you'.
4. Re:If they call my cell phone... by Anonymous Coward · 2018-10-07 14:10 · Score: 1
  
  What power source were you using for your router?
5. Re:If they call my cell phone... by superdave80 · 2018-10-07 16:31 · Score: 1
  
  This is one of the main reasons I still have a landline. All companies that I do business with have the landline number, and I never give out my cell for any reason. They call my landline during the day (while I'm not there), I listen to whatever voicemails they leave, and I don't worry about getting constantly bugged on my cell all day.
6. Re:If they call my cell phone... by mhail · 2018-10-07 17:47 · Score: 1
  
  What power source were you using for your router?
  Shhh don't ask questions, just go with the fantasy.
7. Re:If they call my cell phone... by nukenerd · 2018-10-08 06:23 · Score: 1
  
  He said that neigbours asked to send emails, not that they got to send them. I also have a landline phone that will work through power cuts.
8. Re:If they call my cell phone... by arth1 · 2018-10-09 04:36 · Score: 1
  
  What power source were you using for your router?
  I have multiple 1500VA UPSes, as well as a gasoline generator for longer outages. That didn't do much good for the cable internet being down, but because I also have bridged DSL over copper, I still had internet.
  And the phone service doesn't even require that. If you have an old laptop with a built-in modem (or a modem that doesn't require external power) you can still do dial-up in worst case, to let people know you're still alive.
Re:Dont speak to Indians by PopeRatzo · 2018-10-07 12:07 · Score: 1

its quite simple, if they are Indian then hang up.
That's racist. You're telling us you wouldn't take a call from Sitting Bull?

--
You are welcome on my lawn.
This just means they're running out of obvious by rsilvergun · 2018-10-07 12:29 · Score: 1

marks and are forced to move away from the Nigerian prince method (so ridiculous only someone who's not all there in the head would fall for it) and into trying to scam people who have some of their senses left.

--
Hi! I make Firefox Plug-ins. Check 'em out @ https://addons.mozilla.org/en-US/firefox/addon/youtube-mp3-podcaster/
Security professionals become easy targets by thogard · 2018-10-07 12:49 · Score: 1

As people age they stop remembering details of scams but seem to remember they are smarter than the scammers so they can't be scammed. The result is they get taken. People who worked in security along with retired police and criminal lawyers are easier to scam after they retire than the average person.
1. Re:Security professionals become easy targets by nukenerd · 2018-10-08 06:33 · Score: 1
  
  Citation?
Rule Number F-cking One by Beeftopia · 2018-10-07 12:57 · Score: 1

Rule Number F-cking One: Never give out information to anyone who contacts you first.
It's just that simple. You find the number or confirm the number they left is legit, and you initiate the contact.
CSB: Once I was being legitimately audited by the IRS, and the IRS employee/contractor calls me and asks for my SSN. I was 99% sure it was the IRS, and the person threatened me with escalation, and I know you don't eff with the IRS. But I did not give out my SSN because it violated Rule Number F--king One. Ultimately it worked out, I'd done nothing wrong, they dropped my case. But wow.
1. Re:Rule Number F-cking One by anegg · 2018-10-07 15:36 · Score: 1
  
  My wife and I have had some interesting stand-offs like this. Legitimate caller stupidly asks for us to verify who WE are by providing our personal information to them. We refuse to provide the information, because they haven't verified who THEY are. Hilarity ensues.
2. Re:Rule Number F-cking One by dryeo · 2018-10-07 16:13 · Score: 1
  
  There's been a lot of scams up here where the scammers pretend to be from the CRA (Canada Revenue), demanding payment now to avoid arrest. Some people don't even catch on when they demand payment in itunes cards.
  
  --
  https://en.wikipedia.org/wiki/Inverted_totalitarianism
Re:Dont speak to Indians by arth1 · 2018-10-07 13:02 · Score: 1

That's racist. You're telling us you wouldn't take a call from Sitting Bull?
He died in 1890, still waiting for a dialtone. He actually had a candlestick phone, but it had not yet been connected.
Easy Fix by nehumanuscrede · 2018-10-07 13:06 · Score: 4, Insightful

Start holding the Telecoms responsible for failing to fix the ability to spoof Caller ID.
They start footing the bills for fraudulent shit like this they'll have that shit fixed in no time.
1. Re:Easy Fix by Anonymous Coward · 2018-10-07 14:34 · Score: 1
  
  Sue. I believe the tort is called Contributory Negligence. Or perhaps it is Reckless. Perhaps both.
Re:Dont speak to Indians by dissy · 2018-10-07 14:08 · Score: 1

You're telling us you wouldn't take a call from Sitting Bull?
I dunno, is he calling to confirm my address and ask for my PIN?
Re:Red Flags, All Over The Place!! by dryeo · 2018-10-07 16:16 · Score: 1

That's what that call was. Oh, BTW, when a bank (or credit-whatever) issues a new card, they ALWAYS give out a new PIN!!
My credit union walks me to an ATM, tells me to enter a pin and turns their back while I do it.

--
https://en.wikipedia.org/wiki/Inverted_totalitarianism
Researcher? by senileoldfart · 2018-10-07 17:10 · Score: 1

Wow! Some security researcher we have here. Might I recommend a book ? 'Lying on the Couch' by Irving D. Yalom
Never tell anybody anything by petes_PoV · 2018-10-07 17:12 · Score: 2

sounds incredibly professional, you'd fall for it, too," Haughey said.
Errr, no.
The first principle of phone banking is to never give out personal information to anyone who calls you. Never.
If you feel there is an issue that does need information to be passed, hang up and phone them on the public number. Just make sure you have actually hung up, there is a long-standing scam where the thieves actually recommend you call the bank, yourself. They then make the sound of hanging up but stay on the line. When you dial the bank's number, you are still actually talking to the scammers.

--
politicians are like babies' nappies: they should both be changed regularly and for the same reasons
1. Re:Never tell anybody anything by Tony+Isaac · 2018-10-08 16:44 · Score: 1
  
  Or, if the caller isn't a friend or family member, let it go to voice mail, always. If it's a business, and it's important, they can leave a message. Usually, the phishers won't. If they do, call back on the published number, not the number they leave.
don't give out private info to a cold call! by roc97007 · 2018-10-07 17:12 · Score: 2

Don't EVER give out private information to a cold call. Never, for any reason. If there's a problem, and it's urgent, tell them you'll call them back on a known number. (Not a number they provide./duh) Legitimate callers will agree to this. Non-legitimate callers will try to steer you to a different number or insist that you must take care of this now, on this call. Don't fall for it.
Let me repeat this for the cognitively impared: If they call YOU, do NOT give out private information. If you call THEM on a legitimate number, it's a different story.
Let's be safe out there.

--
Oliver's law of assumed responsibility: If you're seen fixing it, you will be blamed for breaking it.
Falling for it? No way! by war4peace · 2018-10-07 18:15 · Score: 1

"you'd fall for it, too"
No, I wouldn't. I might not be very knowledgeable in how banks work, but I know one thing for sure: personal card info is personal. Nobody from the bank will ever ask you for your PIN number or the three digits on the back of your card. Nobody, ever. If they ever do, change the bank because they are not handling your personal data professionally.
I don't know how things are in the USA, but in my country all banks allow you to change your PIN at the card issuer's ATMs, the card is mailed to you in a special envelope which makes it impossible to read the PIN number without compromising the envelope's integrity and you need to activate the card at a bank's ATM before being able to make any purchase. I have never heard of a phone purchase which requires you to give out your PIN or CCV to a human being. They might be a thing in other countries, though. If my bank calls me unexpectedly (only happened twice), they verify my identity through my equivalent of a SSN (here it's called Numeric Personal Code) where they ask me for half of it, then ask me for my first 4 and last 4 digits of my card. Never the whole number. If I express distrust, they tell me I can call them back or e-mail them at the phone number or contact e-mail provided on their main page, with instructions on how to reach that person afterwards (usually it's the department and the person's name), e.g. "I received a call from Jane Doe, private credit cards department".
With that being said, the phone scams here are simpler but very effective. You usually receive a call from an exotic phone number (Mauritius, Vanuatu, Gibraltar, etc). The phone rings once, maybe twice then stops. Most people are curious enough to call back... reaching a special line which costs 10 to 50 dollars per minute, where automated messages play back to you in your national language, telling you about issues with your bank account, guiding you through entering your card number, PIN, etc, all while sucking lots of money through your phone bill anyway. Now, if you actually answer the call, a prerecorded voice is going to tell you that there are issues with your account and instructing you to call back ASAP. Then the call ends. This costs them pennies because they rent entire trunks for cheap. One person calling back for a couple minutes covers a few thousand calls' worth from their side.
I would have fallen for it at first because the nature of my job involves receiving the odd call from a weird country every now and then. Luckily, I don't call back unknown numbers because I'm busy anyway and if there's an emergency I know they will call again and again. Anyway, I developed a habit of quickly answering those calls and letting them play through. Lately, I only receive one a week, or less. I guess they will eventually stop because they would realize they are wasting their pennies on me.

--
...gis sdrawkcab (usually not responding to ACs; don't bother posting as AC)
1. Re:Falling for it? No way! by war4peace · 2018-10-07 23:46 · Score: 1
  
  Based on what evidence?
  Mine. And my mobile provider's. As previously mentioned, different countries, different cultures.. Here, mobile subscriptions are really cheap, one of mine costs 5 EUR a month and you have free unlimited voice minutes to all landlines with very few exceptions, and thousands of international minutes, etc(*). So yes, people do call back most times because it costs them nothing. If I call someone and they don't answer, they call back almost without exception. The culture here is usually: texting is for things that can wait, phone calls are for things that can't wait, so if you have a missed call, you call back. Not all people do that, of course, but most do.
  Now, when my mobile provider starts issuing warnings about this type of scam calls, you realize it's a problem and that people indeed do call back. Otherwise it wouldn't be an issue, would it?
  (*) Google Translate of the original page: https://translate.google.com/t...
  
  --
  ...gis sdrawkcab (usually not responding to ACs; don't bother posting as AC)
So says Canada Bill Jones by JThaddeus · 2018-10-07 19:07 · Score: 1

"It's immoral to let a sucker keep his money."

--
"Love is a familiar; Love is a devil: there is no evil angel but Love." --William Shakespeare ('Love's Labors Lost')
sounds like he fell for a scam by gravewax · 2018-10-07 20:54 · Score: 1

hmm I suspect this security professional actually fell for one of these scams.

when someone from a trustworthy number calls, says they're from your small town bank, and sounds incredibly professional, you'd fall for it, too
No I really wouldn't and I don't think anyone I know or where I work would either, I have been targeted with these before and know many others that have received similar types of calls and not even for a nanosecond would I fall for it. Hell when I have had legitimate calls from my bank I ask for a name/extension and tell them I will call the banks switchboard and ask for them. It isn't rocket science, if they called you DON'T TRUST THEM WITH ANYTHING.
Root problem: spoofing by bradley13 · 2018-10-07 21:03 · Score: 1

It's easy so say "I wouldn't fall for this", but some scammers are good. The ones that call you are excellent actors, and can be damned convincing. Just look at the number of elderly people who fall for the "grandkid in trouble" scams. Yes, this guy shouldn't have given out his PIN - that was one step too far.
However, the root problem in this particular case remains spoofing. There is absolutely no excuse for spoofing numbers to still be possible, after all these decades of abuse. The phone company (or VoIP service, or whatever) knows what connection is placing the call, and the service should set the calling number accordingly. Since providers themselves are not always trustworthy, it must also be possible for the receiving company to verify the number, or at least to verify that it is legitimately under the control of the originating phone service. Sort of a DNS for phone numbers...

--
Enjoy life! This is not a dress rehearsal.
"""trustworthy""" number by Megane · 2018-10-07 21:40 · Score: 1

but when someone from a trustworthy number calls
Caller ID is not "trustworthy", and any number you get via that is by extension not trustworthy. Anyone who hasn't learned that just from the all the "same exchange" spoofing (all but last four numbers same as yours) these days is a fool.

--
#naabhaprzrag, #sverubfr-000, #agi-fcbafberq, negvpyr[pynff*=' negvpyr-ary-'] { qvfcynl: abar !vzcbegnag; }
Verification. by ledow · 2018-10-07 23:48 · Score: 1

Sorry, but if you want something from me, do it in writing. It's that simple.
If I want something from you, you demand I call your main number and agree/sign things. You have to do the same. Except I have to verify myself to you when I call, so when you call me I expect you to verify yourself to me.
Any automated or inbound call that doesn't give me information I demand ("Okay, can you tell me my last transaction and my account number please?") doesn't get anything from me. Yes, I've actually asked my bank for that. Guess what... they tell me that they can't tell me. Cool, then I can't deal with you. Because if the tables were reversed I'd expect you to not deal with a customer phoning up claiming to be me who also refused to give you the required information.
So now if it's important, you'll send me something on paper. It's really quite easy. Or you'll put a "secure message" inside my online banking account. And I'll go there myself to check (not just click and take your word for it that it'll take me there - same way I don't just follow the guy to the bank when he knocks on my door claiming to be from my bank needing money from me).
Security and verification work both ways. And anything legally-binding will end up on paper, especially if I say - on the call - "Sorry, I don't think you're my bank... could you prove it to me? No? Then I'm afraid I won't deal with you and I suggest you contact me in some more official way that I can verify you". Imagine that recording before a court of law, when the bank say "Oh, but we phoned him to tell him about the outstanding amount".
Sorry, but I don't even conduct such business via phone or email for any of my personal accounts. I don't even have bills dropping on my doorstep. I get literally zero post apart from junk mail (which I can't stop as it's just random minimum-wage people paid to put crap through every door on the street).
As such, an official letter stands out, but I still don't trust it and will verify. But all my "official" communique are sitting inside secured accounts that only those companies can ever post a message inside. Any email, phone call, text or even letter outside those bounds can only ever really say "Please check your account". That's it. Anything else is suspicious.
DMMF by epine · 2018-10-08 00:23 · Score: 1

In a correctly designed phone system, it shouldn't be possible to generate DTMF tones on a call you didn't originate yourself without first spelling "DMMF" by a sequence of Morse-code hook flashes.
DMMF = dox me, motherfuckers.
Your address book should have little padlocks beside "verified" numbers, where the name of the organization and the number are known by the smart phone mafia to correspond.
It really ought to be required to originate the call from a verified address book entry in order to access inline DTMF tone generation (in your address book entry—when you enable DTMF tone generation—you would be able to click "I know the risks", and barge through all the shrunken human heads on pointy pikes, just like with broken SSL certificate overrides).
1. Re:DMMF by epine · 2018-10-08 00:24 · Score: 1
  
  Hmmm, I was feeling bold today, and didn't click preview, having forgotten that I had used any markup at all.
  Very exciting.
Telco could cut down on caller id fraud by klubar · 2018-10-08 01:02 · Score: 1

The telcos know the originating company. If it's a company that agrees to not allow spoofed caller id your carrier could pass along the caller id, if not your carrier could set the caller ID to LIKELY FRAUD CALL. If not preventing spoofing, it would certainly discourage it and put the recipient on alert for a likely fraud.
The problem is that the telco have almost no incentive to cut down on fraud calls. They get paid the same for a fraud call as a legit one, so why not carry them all?
The hard to do solution by rickb928 · 2018-10-08 02:16 · Score: 1

Ok, so the request for his PIN number didn't set off the alarms.
Really, this is an example of where you make the caller provide some information, then if ti seems wrong hang up and call in to the number you know.
I'm getting 5-15 calls a month from the 'credit card reconciliation center' or some such BS. I haven't listened past them asking me for my name, which if they are my bank or card company they should already know.

--
deleting the extra space after periods so i can stay relevant, yeah.
uh, no by cascadingstylesheet · 2018-10-08 02:20 · Score: 1

Long story short, two fradulent charges were made on his account totaling $3,400. "People I've talked to about this say there's no way they'd fall for that, but when someone from a trustworthy number calls, says they're from your small town bank, and sounds incredibly professional, you'd fall for it, too," Haughey said.
Uh, no, really, I wouldn't. If they call me, I give them nothing. I have to call them, on their regular public phone numbers.
How a real fraud alert works by AnalogDiehard · 2018-10-08 02:38 · Score: 1

I have gotten legitimate fraud alerts in the past for overseas purchases. They were robocalls requesting me to call back to an automated system that described the date and amount of transaction to the T, then asked to authorize or reject them. No request for address, no request for security code or PIN.

Nothing clever about this voice phishing. The victim forgot the telltale signs of a scam and ignored the bells going off in his head. Scammers are good at psychological skills and they rush the conversation so that you don't have a chance to stop to think. The biggest red flags was that this was an unsolicited call, the caller was requesting address as well as card info, and banks do not "hold the card open" in the event of confirmed stolen card info. Any legitimate bank employee calling you would have the complete info right in front of them and would not ask for that. I stopped giving any out info when I receive an unsolicited phone call.

It is easy to get the last four digits of your cards, they are printed on your statements. Scammers can find your address online, open your statements from your mailbox to copy your bank and card info, then use adhesive to seal the envelope leaving you none the wiser. Or they can scan your computer incognito for statements on PDF or other format. My important mail no longer goes to my mailbox, it goes to a PO Box which is much more secure.

If I got a call like that, I would hang up and go straight to the bank in person. If the bank has no record like the fraud claimed from the caller, I would report a stolen card.

--
Eternity: will that be smoking, or non-smoking? I Corinthians 6:9-10
Already is, Truth in Calling Act. Scamming too by raymorris · 2018-10-08 03:01 · Score: 1

Scamming people is illegal.
Caller ID spoofing of this type is illegal under the Truth in Calling Act.
Unfortunately the criminals don't follow the law. That's a concept some people forget often.
It's like people forget the head of the animal by holophrastic · 2018-10-08 03:35 · Score: 1

This is a great story of stupidity. You've "given out that information before" so you can give it out again?! "Before", you gave it to someone you trusted/called/engaged. This time, they engaged you.
Isn't that already enough to tell you to walk away?
How about the ol' if-it-aint-broke-don't-fix-it? Your card didn't stop working for you. Stop trying to solve a problem that you haven't experienced. Either go to the gas station and try your card for yourself, or use your other card (that's why you should have one) in California.
So some chickiepoo called you with a sweet voice, out of the blue, used normal words (not death threats), and you gave her how many pieces of confidential information? Six?
Forget the "clues". There's never any time to speak any PIN aloud -- just like you never sign your signature just for fun.
And why don't people know that caller-id isn't secure at all? It's actually designed to be spoofable, as a form of free-speech, and protected as such.
Six levels of stupid. Hopefully he got to pay the three grand as a lesson.
Re:If I don't know the number by nukenerd · 2018-10-08 06:31 · Score: 1

What exacly are you afraid of? Of breaking down into a jibbering wreck and blurting out all your passwords and PIN numbers?
He Broke The Most Important Rule by n2hightech · 2018-10-08 16:41 · Score: 1

The most important rule to protect yourself from scammers is never provide information to anyone who calls you. If someone calls you claiming to be from your credit union or bank or credit card company and says you have a problem Do not answer any questions even if the caller ID says the right phone number. Phone numbers are routinely spoofed. Hang up and call them back on a number you have independently verified as being legitimate. When they answer identify who you are and why you called. You can now have confidence and answer any questions they have for you. It's a real shame that the phone system allows people to spoof their number. It could have been a great benefit to security and safety but instead it is an easy method of committing remote fraud.