Phishers Get Phoney
Nick Johnson writes to mention a new twist on phishing. From the article: "The spammed message warns of a problem with a bank account and instructs the recipient to dial a phone number to resolve it. The caller is connected to a voice response system that is made to sound exactly like the bank's own system. The phone system identifies itself to the target as the financial institution and prompts them to enter account number and PIN."
Sounds like they ran a credit check on you. All that information is collected by credit reporting agencies (believe it or not, how long you've had an account with one bank, and the average deposits, goes into your credit score...at least, that's what my banker told me when I opened my account with her). And I know addresses are kept in credit checks, since the last time I checked mine (last summer) it had addresses going back to 1998. Handy, since around the same time I had to submit all those addresses for my background check when I got my Series 7 and 65.
Long story short: don't ever give out your SSN to anyone unless you're getting money/credit from them. And minimize how many people you do business with in that regard.
Wanna know the easiest way to get a list of current addresses and SSNs?* Send out a mailing to 100,000 people in a given city, offering a car loan or something (which of course you have no intention of actually giving them). Statistically, at least 1000 of them will send you their full name, address, SSN, bank account information, even mother's maiden name. And yes, people are that stupid.
*I don't know if anyone's ever done this, and if it happens after this I specifically disclaim any responsibility for it.
Security & Stupidity (Score:3, Insightful)
No security technology or technique is strong enough to defy stupidity!
And phishing exploits stupidity!
Re:Ah, but how.. (Score:3, Insightful)
Here's one idea. Your actions.
Start up a phishing cluster. Collect authentic notices from various banks (Fidelity investment statement notice, etc). Fire copies of these notices to "customers" in an HTML email. Add a graphic touch to a node in your cluster with a uid traceable to that email address. This email should otherwise be harmless and point to the actual institution - this leaves you with great options on what to email - retirement tutorials, account statement notices, privacy statements.
If the customer has an account there, they are likely to open the email. By opening it, your cluster is pinged and notified that this email worked.
So now you have a more probable positive hit. Send them a customer service request to call and discuss apparent fraudulent transactions on their account.
Re:Phone service security filter (Score:3, Insightful)
You visit a website. It visits your bank's website. You type in your account number. It types in your account number. Etc.
Same for the phone. It could simply conference you to your bank and listen in to everything you do. You're dealing with your own bank, so you wouldn't suspect anything. They'd have all your info.
Re:All of this comes from Spam (Score:3, Insightful)
Then you've never worked for the government.
Re:This... (Score:5, Insightful)
1. I travel for work, and use my credit card for all kinds of things I don't usually buy, like hotel rooms.
2. My wife keeps using the same card for all the stuff we usually buy.
3. The computer says: hey, someone maybe stole the card and is running up all those hotel charges!
4. A human from the security department calls us to verify, gets voicemail, and leaves a callback number that is NOT the callback number on the card.
5. I call back the number on the card. The human there says, "why don't you call the number they gave you?" I explain. They think about it and realize this makes sense. About 15 minutes later, I'm connected to the right people -- usually after going through a supervisor at the call center.
The right way to do it, of course, is to have the human from the security department leave this message: To call us back, call the number on your card; then, immediately enter the following code to be directed to the right department. But they still haven't learned.
I shudder to think what will happen when I'm eventually home when they call. I certainly won't do anything except hang up and call back the same number.
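The callback scheme this comment proposes (call the number on the card, then key in a code that routes you to the right department), as an added example that is not from the original thread or from any bank: a hypothetical CallbackDesk service on the bank's side that issues single-use, expiring codes bound to a fraud case and never asks for a PIN or SSN in the outbound message. Class and function names and the 24-hour validity window are assumptions.

```python
import secrets
import time

CODE_TTL_SECONDS = 24 * 3600  # assumed validity window for a callback code


class CallbackDesk:
    """Issues single-use callback codes for outbound fraud alerts.

    The outbound message never requests credentials; the customer dials
    the number printed on the card, and the code entered on that inbound
    call routes them to the case that triggered the alert.
    """

    def __init__(self, now=time.time):
        self._now = now          # injectable clock so expiry can be tested
        self._codes = {}         # code -> {"case_id", "issued_at", "used"}

    def open_case(self, case_id):
        """Bind a fresh 8-digit code to a fraud case; return (code, message)."""
        code = f"{secrets.randbelow(10**8):08d}"
        while code in self._codes:          # avoid the rare collision
            code = f"{secrets.randbelow(10**8):08d}"
        self._codes[code] = {"case_id": case_id,
                             "issued_at": self._now(), "used": False}
        message = ("Please call the number printed on the back of your card "
                   f"and enter code {code} to reach the security department. "
                   "We will not ask for your PIN or SSN in this message.")
        return code, message

    def route(self, entered_code):
        """Called by the inbound IVR after the customer dials the card number.

        Returns the case id to route to, or None when the code is unknown,
        already used, or expired. Any identity questions happen only after
        routing, on a call the customer initiated.
        """
        entry = self._codes.get(entered_code)
        if entry is None or entry["used"]:
            return None
        if self._now() - entry["issued_at"] > CODE_TTL_SECONDS:
            return None
        entry["used"] = True                # single use: a replayed code fails
        return entry["case_id"]
```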
Re:Again the basic rules apply (Score:4, Insightful)
And just to cut the inevitable snarky comment off, yes they are the actual companies.
You are correct though. If you get an unsolicited contact through email or on the phone, don't trust them. If they are really from your institution, tell them you'll call them back on a number you know to be legit. If there's really a problem with your accounts that you need to know about, whoever you get on the line will know what it is. If there isn't, well, good job, you're helping against phishers by notifying the institution that someone is targeting people in their name.
Re:This... (Score:4, Insightful)
The right way to do it, of course, is to have the human from the security department leave this message: To call us back, call the number on your card; then, immediately enter the following code to be directed to the right department. But they still haven't learned.
I shudder to think what will happen when I'm eventually home when they call. I certainly won't do anything except hang up and call back the same number.
I believe you have sufficiently illustrated the problem.
The banks do use the same methods as phishers, despite their claims to the contrary.
I also get voicemails from the "bank" asking me to call back, and when I call back I have to "verify my identity" through at least a couple of personal questions and at least part of my social security number. I have no way of knowing whether I have indeed called the bank, or some guy at a payphone.
It's not so much that the customers are stupid, it's that the banks have trained customers that they must respond to these types of inquiries, or they very well may have their checks/charges declined.
The banks created the system which is being abused. And they have done little to change their practices.
It's hard to determine who, exactly, are the stupid ones in this situation.