I've got a number of calls from my bank over the years (usually the Visa department asking about international charges) and my standard response has always been "I'm sorry, as a rule I do not discuss personal details with someone who called me, since I don't know who you are" and they typically respond with "no problem, please call the number on the back of your credit card". I still wish they wouldn't try to initiate a call (usually they launch straight away into verifying who I am, asking me a ton of personal details before I even know that they're legit... sigh) and would just ask me to call them back on an official number (not one they give me over the phone, obviously) instead. If that were standard practice, I think these kinds of scams would be a lot easier to detect.
>my standard response has always been "I'm sorry, as a rule I do not discuss personal details with someone who called me, since I don't know who you are"
Amex got quite offended when I did this, and almost chastised me when I got through to an agent after making the outbound call myself. They argued that because they only asked for limited personal information (DOB) it was fine...
I had that same issue with Amex, they phoned, said there was a concern with my card and then wanted me to go through identity checks before saying more. They also got quite stroppy when I refused and asked them to prove their own identity first!
Eventually they did suggest I call the number on the back of my card, but I was annoyed by their lack of professionalism by this point (I mean, they are asking me to do stuff - giving out information to unknown callers - which they themselves always tell customers never to do!). I said I wasn't going to phone a general number and get stuck on hold for hours over an unknown issue - either give me some reference to get through quickly to the right person, tell me what the problem is now, or send me a letter. But they kept claiming that they couldn't send out letters in the post :-(
In the end, I finally received a letter by mail telling me that there were problems with my direct debit payments. So it was a genuine call but their inability to securely make these calls is frustrating.
Call the number on the back of the card - "Press X if you have been given a code by us". Effectively, you're calling <number on the back of the card> + <reference to queue skip>.
I was just thinking about how the agent could generate ephemeral PBX extensions. OTP-like would definitely be the way to go.
Edit: perhaps the extension would be per transaction, not per-agent, and when the customer calls the extension, the agent's system can automatically pull up the customer's account. These extensions should expire, but given the length of some customer calls, and how often I've been disconnected from customer service lately, perhaps it should be on the order of hours, not minutes or seconds.
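The per-transaction callback code sketched in the comment above, worked through as an added example (this is not code from the thread or from any bank): the agent's system issues a random, single-use code tied to one flagged transaction, the customer calls the public number on the back of the card and keys it in, and the callback system resolves it to the right account only while it is still valid. The eight-digit format, the in-memory store, the three-hour lifetime and all names are assumptions made for the illustration.

```python
"""Per-transaction callback reference codes (added example, not a bank's real procedure)."""
import hashlib
import secrets
import time
from dataclasses import dataclass
from typing import Dict, Optional

CODE_DIGITS = 8                  # assumption: 8 keypad digits, 10**8 possibilities
DEFAULT_TTL_SECONDS = 3 * 3600   # hours rather than minutes, as the comment suggests


@dataclass
class CallbackTicket:
    transaction_id: str
    account_id: str
    issued_at: float
    expires_at: float
    redeemed: bool = False


class CallbackCodeStore:
    """Issues and redeems short-lived, single-use callback codes.

    Only a SHA-256 hash of each code is stored, so a dump of the store does
    not hand out live codes; the customer-facing lookup hashes the entered
    digits and matches on the hash.
    """

    def __init__(self, ttl_seconds: int = DEFAULT_TTL_SECONDS) -> None:
        self.ttl = ttl_seconds
        self._tickets: Dict[str, CallbackTicket] = {}

    @staticmethod
    def _key(code: str) -> str:
        return hashlib.sha256(code.encode("ascii")).hexdigest()

    def issue(self, transaction_id: str, account_id: str,
              now: Optional[float] = None) -> str:
        """Create a fresh random code bound to one transaction; returns the code."""
        now = time.time() if now is None else now
        while True:
            code = f"{secrets.randbelow(10 ** CODE_DIGITS):0{CODE_DIGITS}d}"
            key = self._key(code)
            if key not in self._tickets:        # avoid the (tiny) chance of a clash
                break
        self._tickets[key] = CallbackTicket(transaction_id, account_id, now, now + self.ttl)
        return code

    def redeem(self, entered: str, now: Optional[float] = None) -> Optional[CallbackTicket]:
        """Resolve keypad input to its ticket, or None if unknown, expired or already used."""
        now = time.time() if now is None else now
        digits = "".join(ch for ch in entered if ch.isdigit())
        if len(digits) != CODE_DIGITS:
            return None
        ticket = self._tickets.get(self._key(digits))
        if ticket is None or ticket.redeemed or now > ticket.expires_at:
            return None
        ticket.redeemed = True                   # single use: a replayed code fails
        return ticket

    def purge_expired(self, now: Optional[float] = None) -> int:
        """Drop expired or used tickets; returns how many were removed."""
        now = time.time() if now is None else now
        stale = [k for k, t in self._tickets.items() if t.redeemed or now > t.expires_at]
        for k in stale:
            del self._tickets[k]
        return len(stale)


if __name__ == "__main__":
    store = CallbackCodeStore()
    code = store.issue("txn-constructed-1", "acct-constructed-42")
    print("tell the customer to key in:", code)
    print("first callback resolves to:", store.redeem(code))
    print("second callback with same code:", store.redeem(code))
```

The code is only a routing hint, not a credential: the agent still has to verify the caller through the bank's normal process once the account is on screen, and the short lifetime plus single use limit what a leaked or guessed code is worth.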
Not a different number to call, but instead a shortcut through the usual automated phone menus - e.g. I've had a bank tell me to phone their number and then enter an extension to take me straight through to the right person.
Phone calls are cheap, especially non-connected or robocalls (which would cost for a postal contact).
Postal mail costs $0.50 US in postage alone. The full-up cost of a mail campaign is often several dollars per mailed item, though in bulk, and with bulk rate, I believe it's closer to $0.40 (postage plus a few cents for paper and envelope).
That would cover many thousands of email contacts, possibly nearly as many phone/VOIP attempts.
And the systems required to successfully and accurately generate a postal response on request are also high.
Not sure if it’s true, but I’ve heard that mail (at least in the US) is safer because the cost to send letters is high enough to deter bulk sends vs email/phone, that postal inspectors are relatively effective at catching people, and that the laws around mail fraud make prosecutions easier.
It might not be genuine. But what one should do to resolve the problem described in the letter is to go to the regular Amex website, log in, and update your debit information.
My preference is to have multiple points of contact. Email+phone and the alert is sent simultaneously both ways. This happened recently when a purchase I made was flagged. I got a text asking to approve the charge. Not trusting SMS I checked my email and saw the same message as the text and a link to take further action.
I was disappointed that no alert was sent through the banking app. That would be the most secure option but is explicitly disallowed in the notification settings.
I also do this every time when my doctor's office or insurance calls. They have to verify your identity to give you medical information. I need to verify their identity to give them my personally identifiable information.
I think eventually they got the point because now they have a secure online email system and just leave a message asking me to call back. They still leave a return phone number, but it's getting better.
At least with an email you can hopefully verify the headers. A phone number is too easily spoofed these days and the end user has no real means of verification.
My bank always says "There is an issue with your credit card/account, please call the number on the back of the card/your branch as soon as possible." and has for years.
The only time they do otherwise is on very specific instances where they provide the info, "did you just buy something at store XXX for approximately $YYY"
All banks and credit institutions should be required by law to do this.
Capital One has an app, every time my card is used I get a push notification. This is the best solution in my mind. I can actively monitor my card usage and call if I see something suspicious.
I'm surprised that this isn't a requirement for banks considering the very large number of scams going on in the US.
In India, getting an SMS/Email confirming every card usage is a legal requirement imposed by the Reserve Bank of India. The same goes for card usage itself. All credit and debit card POS transactions need the card PIN to be approved. Likewise, all online transactions require MFA.
Apple Pay, for all my cards, gives me an immediate push notification, despite some cards not doing so for regular chip/swipe transactions. Really like that feature & also wish all cards did it for all transactions.
These are what I usually see, or else an automated call with the same approximate script. Is there anything insecure about doing this one? The only thing I can think of is a MitM where your account credentials are already compromised and they are using your answers to reset your password.
These fraud alert calls (in my experience of course) generally don't have any ID verification so there's no real danger from the user side in interacting with them. They just ask do you recognize these charges and that's it and then initiate any fraud response. From the bank side the worst is if the number has been hijacked but the user would still be able to dispute the charges later through the normal means but CC cloners probably rarely do that so it's not a huge issue.
You should be careful even about doing that if you are on a landline. There is a landline scam where they don't let the call disconnect, so when you hang up and then think you are dialing the bank, you are actually still connected to the scammer.
Always use your mobile phone to make the call (although I'm sure it's only a matter of time before even that is compromised).
While spoofing numbers on incoming calls is far easier, it is also possible for an attacker to redirect your outgoing calls from the right place in the phone network.
You just shouldn't consider any aspect of the phone network to provide authenticity or confidentiality.
I had an experience indistinguishable from the phishing attack being discussed - with the only difference that I initiated the phone call. A transaction I had initiated had triggered some fraud warnings and my account was locked.
They asked for my account number, name, and address for verification. When they got to the point that they sent me a code over SMS and wanted me to tell it to them over the phone, I stopped them and explained that this is also the exact set of steps required to reset my account and that I wouldn’t do it.
I went to a branch in person to unlock my account and the person helping me asked me to enter my password on their terminal so that they could “see the error message”.
I’m still not sure if some parts of this were a more advanced phishing scheme than I had thought was possible, even though it does just seem like a set of confusing practices by the bank.
I wonder if bank staff are in on it sometimes. I once was at a bank branch and had the teller pick up the phone, call another teller and tell her my balance in a foreign language that I happen to speak fluently (but don’t look like I should).
I wanted to ask her why she would be doing that, but I was a bit more meek in my younger days.
I had something not exactly like this occur to me. It wasn't something I overheard, but I'm pretty sure it went something like this:
1. You talk to a teller at a branch, and they bring up your account details. The teller sees you have a mortgage with the bank, but registered to a different branch.
2. They have some sort of incentive from the mortgage specialists at their own branch or management, to refer those accounts to their own mortgage team.
3. The mortgage department at the new branch calls me, and says I can do an early renewal at a lower rate, if I come in and see them.
Anyways, I did the early renewal at my original branch, as I had a connection to a manager at that location. Either way, I ended up shaving a good chunk of interest by renewing a year early.
Ah sorry, maybe it's a Canadian thing. I have a mortgage with an amortization that's say 20 years. But I actually enter into an agreement and a rate for say 3 years. At 3 years myself and the bank need to enter into a new agreement, or I can shop around for the best rate for the next term with other providers (although some banks have been clever in the rules trying to prevent this).
An early renewal would be doing a renewal with the same bank at say the 2 year mark for a new term and interest rate. The bank allows the old contract to expire early, since they're getting the new one for an extended period, like another 3 years. These terms can vary, with 5 years being the most common, but can be shorter or longer and apply to both variable and fixed rate mortgages.
Note: I'm not an expert on this or how it compares to other regions.
Ah, that's interesting and subtly different from the way it works in the US. The most common mortgage loan here is simply a 30-year fixed rate loan. We do have 3 and 5 year fixed loans, but they just revert to a floating rate after the fixed term so there's no presumption that you have to get a new loan at the end of the fixed term even though it's often a good idea. Those loans have also fallen out of favor substantially since 2008. Are full-term fixed loans not a thing in Canada?
My understanding is that this style of loan, balloon payment mortgage, used to be common in the US too, but government intervention in the form of Fannie Mae loan purchases made the 30-year fixed loan widely available.
As a borrower, there's a big risk with a balloon payment that you may not be able to find financing when it's due, so having a full term loan is very desirable.
Nope, 5 years is a maximum term you can get for residential mortgages, fixed or variable, with 25 years amortization most commonly (so you'll renew it at least 4 times).
Maybe there are other weird types of mortgages but they are usually not available for individuals I think.
You initiated the call to what number? The number on your card? If so, that's ridiculous.
(Obviously, initiating a call to a number provided by a potential scammer offers no protection. If someone is intercepting and redirecting your outgoing calls via the phone network, I'd say you probably have a bigger problem than a declined transaction.)
I get these calls from time to time, and any bank with proper training should be 100% okay with you questioning their authenticity. There are some replies which indicate that the agent is annoyed... That's just poor training.
As for them initiating a phone call, it still does remain the best way to contact someone urgently, usually falling back to SMS and/or email when/if you don't answer (this was our SOP when I was in a fraud detection team years ago). We'd also usually tell them to call the number on the back of your card (because not everyone is able to look up the bank's website, shockingly, so this is the most universally applicable way to give people a number) but my usual spiel was "call us on the number on the back of your card or from our website".
There's also no real way for you to know that they're legit, but an interesting reassurance one bank I know uses is to provide your month and day of birth and ask you for the year (as just part of the verification process). The partial info probably helps some people but I still wouldn't go for it - too many people know my birthday.
I always say to them: I cannot identify myself to you because I cannot authenticate who you are.
And explain to them that we, as a society, need to come up with a way of authenticating inbound and outbound calls to ensure we are connected with who the other party claims to be, because when you do this it conditions society into responding and that's how phishing attacks occur.
Banks have this in place already - EMV cards have powerful cryptoprocessors. In Germany we can use chipTAN, it's a small cheap reader for your card where you scan a six-binary-blinking screen that transmits the transaction data, then the card signs it and you get a six-digit TAN back. You can also manually enter the hash to be signed ("start code" is the technical term) and you get the TAN.
Customer support could ask you to authenticate using the TAN already, the hurdle is that you would need to carry the reader at all times.
Unrelated to banks, I believe it could be possible to extend SS7 signalling to not just transmit the caller ID but also a crypto signature/public key which the phone then can verify - or your phone provider could. Think of something like HSTS with a global database, if there is no match for the phone number the provider patches the call through, but if there is an entry, all providers can check for the public key transmitted by the caller and refuse to patch the call if it's missing or faked.
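The transaction-bound TAN idea in the comment above (the card signs the transaction data, so a TAN only works for the exact recipient and amount it was generated for) illustrated as an added example. This is not chipTAN's real algorithm, which uses the EMV application cryptogram on the card; it is a simplified stand-in using an HMAC-SHA256 over the canonical transaction data with HOTP-style truncation to six digits, a constructed demo key, and the well-known example IBAN. Class and function names are assumptions for the illustration.

```python
"""Transaction-bound TAN, simplified (added example; not the chipTAN/EMV algorithm)."""
import hashlib
import hmac
from typing import Tuple

TAN_DIGITS = 6


def canonical_transaction(recipient_iban: str, amount_cents: int, counter: int) -> bytes:
    """Fixed encoding of what gets signed: recipient, amount and a per-card counter."""
    iban = recipient_iban.replace(" ", "").upper()
    return f"{iban}|{amount_cents}|{counter}".encode("ascii")


def _dynamic_truncate(mac: bytes, digits: int) -> str:
    """HOTP-style truncation (RFC 4226 section 5.3) of a MAC to a decimal code."""
    offset = mac[-1] & 0x0F
    code = ((mac[offset] & 0x7F) << 24
            | mac[offset + 1] << 16
            | mac[offset + 2] << 8
            | mac[offset + 3]) % (10 ** digits)
    return f"{code:0{digits}d}"


def derive_tan(key: bytes, recipient_iban: str, amount_cents: int, counter: int) -> str:
    mac = hmac.new(key, canonical_transaction(recipient_iban, amount_cents, counter),
                   hashlib.sha256).digest()
    return _dynamic_truncate(mac, TAN_DIGITS)


class CardSimulator:
    """Stands in for the chip in the reader: holds the secret and a rising counter."""

    def __init__(self, key: bytes) -> None:
        self._key = key
        self.counter = 0

    def sign(self, recipient_iban: str, amount_cents: int) -> Tuple[str, int]:
        """Produce the TAN the reader would display, plus the counter it used."""
        self.counter += 1
        return derive_tan(self._key, recipient_iban, amount_cents, self.counter), self.counter


class BankVerifier:
    """Bank side: recomputes the TAN over the transaction it is actually about to execute."""

    def __init__(self, key: bytes) -> None:
        self._key = key
        self.last_counter = 0

    def verify(self, recipient_iban: str, amount_cents: int, counter: int, tan: str) -> bool:
        if counter <= self.last_counter:          # replayed or stale counter
            return False
        expected = derive_tan(self._key, recipient_iban, amount_cents, counter)
        if not hmac.compare_digest(expected, tan):
            return False                          # recipient or amount was altered
        self.last_counter = counter
        return True


if __name__ == "__main__":
    key = b"constructed-demo-key-not-a-real-card-secret"
    card, bank = CardSimulator(key), BankVerifier(key)
    tan, ctr = card.sign("DE89 3704 0044 0532 0130 00", 12345)
    print("TAN shown on reader:", tan)
    print("bank accepts original transfer:", bank.verify("DE89370400440532013000", 12345, ctr, tan))
```

The point the example makes concrete is why this defeats a session that has been tampered with: the customer sees the real recipient and amount on the reader's display, the TAN commits to exactly those values, and the bank recomputes over the values it is about to execute, so a TAN cannot be reused for a different transfer.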
I am grossed out by proprietary protocols but proprietary encryption algorithms just make me laugh. Who even thought that this would be a good idea? Are they seriously trusting their money with this?
My bank seems to use a similar scheme. It appears akin to TOTP with 8 numbers. But the secret is inside the black box. They also have something like a QR code but with RGB colors (does not work with blue light reducing features).
> "I'm sorry, as a rule I do not discuss personal details with someone who called me, since I don't know who you are"
Correct. If someone calls me, the onus is on them to prove to me that they are who they say they are.
However, I usually just block ALL unscheduled phone calls, period. Not only do I not have time for unscheduled interruptions, but banks have secure websites and if they can't make proper use of them, too bad, they aren't going to reach me by trying to call me. They should know that phones are easy to phish with, and stop using phone calls to initiate communication.
Ideally what I want is an e-mail saying "we saw some suspicious transactions, please /log in/ to check that there is no fraudulent activity" or even a more general "please log in for an urgent message" with a suspend button in the online interface.
Good point, and in fact I haven’t gotten such a call in a long time. All the “did you make transaction X” type calls now go through their app or via sms, so don’t get those calls anymore. I can’t actually remember the last time the bank called me, but maybe 6 or 7 years ago they called me a good few times. Nowadays I actually also block incoming calls unless in my contacts or I’m expecting it. I communicate mostly online and outside family, rarely get phone calls. So I really don’t care to answer a random call.
Why would they need to verify you when they call your phone? When I got these calls personally it was a robot voice that was simply asking if a few of my transactions were done by me. It only happened twice, and I feel they make sure to include both actual transactions and a few fake ones to verify your truthfulness because in both cases I had one that was clearly wrong that I never saw in my transaction log and they didn't replace my card.