My bank keeps on undermining anti-phishing education
moritz-mander.de320 points by cheesepaint 2 days ago
320 points by cheesepaint 2 days ago
My bank uses a fraud detection system that calls you if suspicious activity is detected on your account. It then asks you to call back a number to verify the account activity. Every time they call, they provide a different callback number. Searching for the callback number online yields only one result, which is the fraud detection systems web page telling you to NOT trust phone calls of any kind (their advice is solid, but it tells you to not respond to their own legitimate calls)!
The only time I ever triggered fraud detection system on my card I got a text message from bank that was "Your card is blocked due to suspicious usage, please call 'number'". And the number was also some random unlisted one. Only reason I didn't just ignore the thing is I did make a purchase on new website a half an hour before.
Called my local bank and they confirmed this was legit, I almost went off on a full rant about how bad their protocol is for this.
One of my former banks handled this pretty well. They called you and would say something like “there is an issue, but since you should never trust a direct phone call pretending to be your bank, please look up our number on our website and call us”.
It’s kinda nice because while doing this, they also educate their customers to never trust such a call and to rely on official information to contact them.
My credit union does the same but with "call the number on the back of your card". I suppose they have a lot of practice getting it right, given that their idea of a suspicious transaction is any transaction out of state.
PNC pulled that on me all the time. So I closed all my accounts and bank elsewhere. Gave fraud prevention as the sole reason for my exit on forms.
I ended up with a PNC account as a result of a series of bank acquisitions, and they're so badly run it's almost a dark comedy.
Branch staff are all perfectly lovely, but they're at the mercy of very funky systems above them.
Banks are filled with stupid levels of bureaucracy internally, but PNC takes that up to 10. Their IT employees seem like dried husks of something that once was human.
My bank did the "out of state" suspicious thing for a while. It was particularly painful since I lived near a state border...
Mine did the opposite for a while. In the event of an issue, they'd call, tell you that they were putting you on hold for a teller, and the first thing the teller did was identify the bank and ask for personal information to verify the account.
I always made a point of telling them that they had called me, that I had no proof of who they were, and that I was going to call back from the published number.
That is a great demonstration of best practices. What bank was that?
I was probably the Dutch ING or ABN-AMRO, we went through too many banks and between two countries :D.
The Dutch ING now has a new thing where you can verify in the banking app if it's them calling you:
https://www.ing.nl/de-ing/veilig-bankieren/wat-kan-je-zelf-d...
(I guess in some sense it's a step back because the bank is calling you again, but it's nice that you can verify it live in the app.)
I've had the version of that where I called my bank's listed number to confirm the incoming "call us on this number" voicemail was legit, and they said NO, the call is not a legit number of theirs, the account looks fine, I was right to check, and they agreed it seemed like a scam call.
A few days later I found out the call really was from the bank, and the bank had blocked my account, in a way that took a long time to unblock (don't get me started...). As ever, I found out the hard way, when I needed to use the account for something in real-time and it wasn't available.
But the call was from a different department than general customer support, the department's number wasn't known to customer service, and the account status change wasn't visible to customer service either.
So the bank's own customer service thought it was a scam call!
Yeah, I think they don't have any people working on the full UX flow, my bank does similarly weird stuff.
The example that comes into mind is making transfers to my wife, where every time I do it, they ask me to confirm a bunch of questions to make sure it's not a scam/fraud, which fine, good idea. Once I confirm, they display another notice telling me they won't ask for a confirmation/2FA code because I make transfers to that account so frequently.
The only reason I can come up with why it is like that, is because there isn't a single person/group responsible for the full experience.
> I think they don't have any people working on the full UX flow
The idiots at my former credit union apparently subcontract out their credit cards to some east coast bank, whereas my bank and I live on the west coast.
I saw some bank from Florida, that I'd never heard of, calling me on my cell. I assumed it was some sort of scam and ignored it. They're too stupid to get a phone number which has caller id set up to read the name of credit union with whom I did business.
Just amazing.
Ye they don't follow their own rules. Once my bank called me for a insurance change I requested a month or so earlier and asked me to verify myself via the security dongle. Like, and then they act surprised when people are scammed.
Heh. 20 years ago when I was buying my house, I was arranging the mortgage through HSBC bank. One day I got a random call, started by asking me to confirm my name and date of birth. I asked them who they were, and they refused to say anything before going through security. I told them I wasn't giving them any personal details without knowing who they were, and they hung up.
A week later, I phoned up the bank asking why everything was progressing so slowly and they said I'd failed the security check, so the process had been paused. I explained what had happened, and how it was ridiculous that they expected personal details without even saying they were from the bank, which they seemed to agree with, but said that was their procedure so it was my fault for not complying.
> that was their procedure so it was my fault for not complying
This is the most fascinating (infascinating? like, infamous/famous distinction? whatever) things about bureaucracies, to me: they sincerely expect everyone to follow their internal rules and procedures, even the people who are completely outside their jurisdiction by any stretch of imagination.
Like, "we require the application of your personal seal to the papers" — "Personal seal?.. we use signatures in this part of the world, you know" — "No, we don't accept signatures, it has to be a seal imprint" so then you just stamp some absolutely random rubber stamp and they accept it because even if they can't actually read Cyrillic, it's a stamp and that's all that matters.
Oh, don't get me started on rubber stamps.
I taught at a German university for a few years. And they way grades were handled was, you had to print a standardized piece of paper for every student with their name, date of examination, and grade, and drop them off at the secretary's office.
The secretary would stamp every such Schein with a rubber stamp. Then the students would pick up their Scheine at the secretary's office and bring it to the examination department themselves (!) to get the grade registered. Only at the very of my time there, they changed the system and I could hand in the grades directly to the examination department.
At any rate, the system was so stupid. It was trivial for students to print a new Schein with a better grade and register that (there must have been a lot of fraud). But the counter argument was 'no, it's very safe because the students do not have a rubber stamp'. Of course, the rubber stamp was just the university logo with something like the faculty name next to it. Trivial to copy (or make a rubber stamp for more enterprising students).
Probably the procedure had been followed since 1573, well before home printers, scanners, phone cameras, or get-your-own-rubber-stamp-for-a-few-bucks internet shops.
> Probably the procedure had been followed since 1573, well before home printers, scanners, phone cameras, or get-your-own-rubber-stamp-for-a-few-bucks internet shops.
This is almost always how these seemingly silly bureaucracy hoops become established. They were created in a prior time where a third party obtaining "magic item Y" with which to authenticate was significantly difficult to near impossible. Then, over time, the world, and technology improve, to the point where anyone, willing to spend $9.99, can have an exact duplicate of "magic authentication item Y" manufactured via any one of 78 different makers. But the bureaucracy continues using the now outdated process because "this is the way it has always been done".
It is largely a real world example of "The Monkeys, Bananas and Ladder Experiment": https://psychologyfor.com/the-monkeys-bananas-and-ladder-exp...
The extension to that is making it illegal to own/buy/use 'magic item Y', on the basis it enables fraud.
When they could just cut out the middle man and just make fraud itself illegal and not require the magic item at all.
I recently joined a very old company, with many lifers, I continuously run into this mentality. “I can’t explain it now, but I’m sure there was a good reason for it, so we’re gonna continue doing it this way”
The real issue is that most business just don't document anything to do with their processes. Chance are that there are a hand full of things that there are a good reason for doing and they do need to be done that way. Except the people that identified that original problem and came up with original solution have all left the company so now there is nobody around that has put in the effort (or been given the time to investigate) to figure out why things are done the way they are, and the last time one of the things that had been done forever was suddenly stopped it caused untold amount of chaos so now the directive is to just keep doing everything we've always done.
Per Chesterton's Fence, isn't this the right course of action for any individual who is unsure of why the practice was started?
I like that fence, but I consider the best course of action to be going and finding out why the thing is done the eay it is, even if it necessitates careful investigation.
I always understood chestertons to be that you should leave the fence there while you are investigating why its there and whether its still needed. Not blind "dont do anything"
I'd wholeheartedly agree with your assessment of the best course of action. To the points raised in the conversation above: there is definitely too little understanding of the pattern and too much blind adherence to the pattern as a widespread institutional practice across many institutions.
ARM had a huge headache when the CEO of their Chinese subsidiary stole the company seal and refused to give it back. That meant they effectively couldn't do business at all.
Ah, offloading the physical movement of papers between the offices onto the general populace... why don't they just mail each other directly, isn't the part of their job is to communicate with other offices? Lolnope.
Sometimes it becomes truly ridiculous: I once had to apply for some thing, and was told I need to grab and provide them some certificate from a different government service to prove that I'm actually eligible. Okay, I do that, and then they spend two weeks verifying the certificate by physically mailing and inquiring info about me from that other service and waiting for them to respond (also by physical mail).
Of course, the rubber stamp was just the university logo with something like the faculty name next to it. Trivial to copy (or make a rubber stamp for more enterprising students).
My entire career is predicted on the things I did with a stack of university letterhead 40 years ago.
Had something like this years ago when we were trying to get an EV code signing certificate from GoDaddy (for our Windows application).
They wanted a government issued identification document with both photograph of the individual as well as their physical address on it.
No such document exists for South Africans, I offered to get attestations from lawyers, police, but nothing was good enough.
Then I had to threaten charging back the credit card to get a refund (as opposed to credit) on the not-insubstantial fee for a service that their verification policies made impossible to be fulfilled by South African entities.
We succeeded with DigiCert, was a bit involved including getting sign off by a certified security consultant that we had appropriate procedures in place to protect the private key, but eventually got through the process.
I have had nothing but trouble with GoDaddy and their ridiculous identification routines. We've spent hours with (allegedly) real humans who will tell us "ok I've released the domain for transfer. It will be clear in about 30 minutes" (or whatever it is at the time) and it never is, and then we have to start the entire process over with a new rep. There are other reasons to hate them too, but I won't go on a rant :-D
My initial philosophy with GoDaddy was "as long as it works, it's good enough".
But generally happy to not be using them these days. I do our domain registrations through Namecheap and can't say I've ever had an issue with them, also had to interact with support on occasion and also no negative experiences there.
If something goes wrong and you followed the procedure, the chances you're getting fired are very low. If something goes wrong and it is discovered you didn't follow the procedure, the chances of you being assigned the blame and fired are very high. It doesn't matter how stupid the procedure is or what's at stake - 99.999% of people you'd be dealing with do not care if the bank as a whole loses business or money, but care very much whether or not they are getting in trouble. Following the procedure is the easiest way of CYA.
Had the same thing happen with a debt collector. They would identify themselves, but seeing as their name was meaningless to me as we had no prior relationship, and even if I knew what they were calling about I had no debt I was aware of...
They were a _little_ more cooperative about it though.
"Hi this is <Person> from <ABC Inc.>. Can I start by confirming your name and date of birth?"
"Who is this?"
"<Person> from <ABC Inc.>. Can I start by confirming your name and date of birth?"
"No, you may not. What's this regarding?"
"I can't discuss that with you until you verify your identity."
"Okay, well I have no idea who you are so I'm not about to do that."
"Well, I can't tell you anything else until you confirm your identity for me."
"Okay."
"So can I get your name and date of birth please?"
"No."
"..."
"..."
"..."
"..."
"Can you tell me what _day_ in January of 1970 were you born?"
(Turns out the ISP did their usual ISP thing and failed to mark that I'd returned my modem when cancelling service a few months prior then told no one and sent it to collections. The debt collector was very adamant that I needed to set up a payment because this wasn't going away. I walked into one of the ISP's retail outlets, told them what happened, they sighed heavily because this comes up _constantly_ and called in to have it marked returned and I never heard from anyone ever again. The end.)
> Turns out the ISP did their usual ISP thing and failed to mark that I'd returned my modem when cancelling service a few months prior then told no one and sent it to collections.
Spectrum did this to me. They sent a single "hey, you owe us for this thing" email before sending it to collections.
HSBC had famously terrible systems when I dealt with them for a mortgage years ago - they were so bad that the staff I spoke with pre-briefed me on the range of issues their website could suffer from.
The best was that certain sections were circular, so it would start to ask the same questions again but displaying answers prefilled in - yet it would arbitrarily forget particular (different) details on each loop, defaulting to values other than what you'd entered before, so there were only certain points you should exit the loop at, to be sure it would submit the right information!
On the plus side, despite their system woes, they had very competitive rates, so it was definitely financially worth spending another 20 minutes and accepting their idiocy!
This wasn't so much a competitive rate, but I literally couldn't have afforded to buy this house if they didn't offer a 105% mortgage - so no deposit and some extra money so I could buy some furniture. To be fair, I had some deposit so didn't really need all the extra 5%, but I wasn't anywhere close to the 10% deposit that was standard at the time.
Also, now I remember that I also had to jump through some deceptive hoops. The deal was technically only available on the graduate account, which my account had stopped being earlier in the year because it changed to a regular account after 10 years from opening. The bank manager said she'd bend the rules and let me have the deal as an exception, but then presented me with a load of life insurance policies to sign (which of course I didn't want or need) and it was strongly intimated that if I didn't sign them, she'd no longer bother bending the rules to get me the mortgage deal. So, I signed them, and as soon as I had the mortgage confirmation letter through the post I phoned up to cancel before the end of the 14 day cooling off period. I dread to think how much commission she'd have made from me if I didn't cancel.
I had something similar happen to me except it was for health insurance authorization, for a regular treatment. So, every two weeks they would call me and ask me for personal info, and refuse to explain who they were or why they called until I gave it to them. Every two weeks I would try to explain how dumb that was. No direct call back number, of course.
More. I work with a bank that sends text messages asking if you issued a check for $x amount.
Problem is, one of the most common check frauds is check washing. The PTO line is changed to a fraudulent name, and the amount stays the same. So, yes, the amount matches a legitimate payment, but who was paid? Ha!
It's fun when you phone the bank's regular number, waiting hours to get someone on the phone, and they say that number isn't legitimate when it actually is.
Even better when it's a bank you don't use and the number on their site goes to an automated system that won't let you access it without an account number, so you have to scrounge for alternative phone numbers to get to talk to someone.
last digit +/- [1-9] usually isn't a bad place to start for larger institutions
Not a bank, but Apple Mail inline displays PDFs. I've been getting these PayPal Bitcoin scam emails lately and checking from Apple Mail they look legitimate. Problem is, I don't have a PayPal account...
In Gmail or Thunderbird they don't just show the PDF and since they display the sender differently it makes it obviously a scam.
Sometimes it feels like companies are just helping scammers and I don't know why.
> Sometimes it feels like companies are just helping scammers and I don't know why.
There's a lot of similarities to scamming and marketing. In particular, they both have essentially the same desire for well-designed messages.
True, but I find that highly problematic.
It's not a good system if it's hard to differentiate. We should be encouraging making money by providing meaningful value to the people buying the product. To get those things aligned. I think we engineers can play a role too. While not having the ultimate decision I think speaking up and just pushing here and there to prioritize product quality over profits goes a long way. In the long run, I think quality and profits are usually aligned, though I think rarely in the short term
They could have published the procedures/numbers online. IME companies decided that publishing notices/articles on the web, setting up subdomains and modifying apps are expensive projects. That leaves only noreply@bank.com for communication.
It could also be misguided security guidelines – because of things like caller id spoofing where scammers would spoof one of their actual numbers to lull people into a false sense of security
This is especially annoying when I have their app installed, if the app popped up warning me of fraud, I would trust it far more than a random phone call.
The company we use for our yearly mandated training has a cybersecurity "class" which tells you not to click links in emails (which is good advice!).
Three guesses on how you log in to the service.
My bank tells me via email to not click on links in emails and to directly visit their homepage instead. That's fine, but that email itself contains a link to their fraud prevention page (to learn more) and another link to log into their online banking service.
Do as I say, not as I do.
> which tells you not to click links in emails (which is good advice!).
Hardly. The company shouldn't have XSRF-vulnerable software, if your browser is vulnerable you have bigger problems and what you actually shouldn't do is enter your credentials or download stuff after clicking on that link.
But of course there's an internal "phising test" that penalizes you for clicking on links... links that have been obfuscated by some email-modifying link-tracking security software that makes it nearly impossible to figure out to which domain the link even goes.
> what you actually shouldn't do is enter your credentials or download stuff after clicking on that link.
Then why even click on it in the first place (and risk your email address getting flagged as active in some illicit database?)
Because the aforementioned built-in link obfuscation makes it hard to even tell if the link goes to one of our work domains. And pretty much all our stuff is behind SSO, so if something asks for creds that's an easier tell than hovering over the link and trying to figure out where it goes. And sometimes they introduce new tools on new domains that may be legit.
Generally clicking on the link is not what gets you compromised (except for some spearphishing involving zero-days...). It's actions following that which might. So they're barking up the wrong tree and penalize people for that. That's just chicanery.
Holy fuck this drives me insane. My company makes us do the idiotic trainings, which tell you all the "red flags" to look for.
Then the goddamn CEO sends out an empty email, with a .docx attachment, and the subject saying "urgent, open immediately" The HR sends out suspicious looking shit all the time. The. You have Microsoft spamming you with fucking QR codes!!!
You know what needs to happen? Disable all hyperlinks in email. Make everybody copy and paste the goddamn thing. Then they have to look at the link and they have to manually paste it into the browser. Then there are no obfuscated links. Also disable HTML email, images, and most file attachments. Then there is no pixel tracking, no possibility for malicious images to be auto-loaded, and no excuse for clicking a bad link.
I briefly worked on a product related to this. It was a chatbot meant to replace the human phonecall in just this situation. The user would get a text from the bank with a link to the chatbot. They ended up not being able to sell; the common complaint from the banks was that they'd been training their users to never click links like that.
Just piggybacking on this, if your bank (or eBay or Amazon or whoever) ever calls you to inform you of a suspected hack on your account, and says they're sending you a 2 factor authentication code to confirm your identity, do NOT tell them the code. It sounds obvious when phrased like this, but if you're not familiar with the scam then yeah, it's a scam and they're trying to get your 2FA token in order to access your account.
That's when you pull out the 69420 code and if they ask your name, it's Ben Chode.
> do NOT tell them the code
When my father calls his bank, they actually verify him by sending a 2FA code to his email that he reads back.
At least he's doing so having called an already trusted number. But receiving a call from someone claiming to be your bank is a much more dangerous situation, despite it feeling similar to lay people. Banks should really train people to hang and call to their actual customer service.
A variation can be the scammer presents a fake number for you to call, via email, sms or worse through malicious ads that pop up when you google for the company phone number. Or, a phishing proxy like evilginx could overlay a “call [fake number] to unlock your account” as part of the login process.
It makes more sense when you realize it's an ass-covering exercise. Legitimate transaction blocked: "It's the user's fault for not calling the number, see, we called them and told them to call this number." Phishing: "It's the user's fault for calling the number, see, it says on our website you should never call any number." No matter what, it's always the user's fault for disobeying advice. A lot of things in our world are like this.
The whole concept of "identity theft" is this. Consider this: some dude D comes to bank B and says "I'm actually John Smith, given me $TONS of money". Bank gives the money and D disappears. Now B comes to actual John Smith and demands the money back. John is like "how it's my fricking fault that you gave your money to some random dude?!" And the bank pulls out the "identity theft" card out - you see, your "identity" got stolen, so now it's your fault for not guarding your "identity" properly, not ours! So now you should spend your time and money to fix it and we will treat you for years as a suspicious character, borderline criminal, for it. A very neat system.
My bank has implemented suggestions I've given them in the past (USAA), but recently they used a different domain for a legitimate-seeming email (the email was about something I just did, and it was to an address I only use with that bank), and I called them up and spoke with someone in their fraud department to ask about it. I told them either they were hacked, or they were training their customers to fall for phishing, and asked them to create a ticket.
They said that domain name was not theirs, and they only use usaa.com in their emails. They locked my account without telling me. I had to call them back to get them to unlock my account, and I think that person in their fraud department understood the issue and they said they created a ticket.
We shall see...
I interviewed for a software engineering position at USAA. After seeing the incompetence of the interviewers none of the nonsense they do surprises me.
I worked in IT ops there for a long time, and since then have seen the inner workings of companies in several different fields.
They had by far the most competent cybersecurity group I've witnessed. Things have changed in a decade maybe.
But, they still use proprietary TOTP from Symantec which is annoying.
> But, they still use proprietary TOTP from Symantec which is annoying.
They at least used to, but I'm not sure they still do.
(And when they did, I was able to copy the key into a MFA app of my choice.)
But now as an end-user, it's all built in to their own banking app. I don't use the code from the app though, because I just use my personal 4 digit pin (after entering in my unique password from my password manager).
Yeah I've never worked there, but been a customer since 2005. For many years there, USAA was really cutting edge of tech and highly competent. The system has slowly gotten a little less usable though, but at least it still works most of the time
User facing tech and marketing practices at banks are the worst. Every Indian bank login form I've ever had to use is
- hostile to password managers.
- You cannot copy paste passwords.
- Client side password hashing
- Stupid requirements like the password cannot have more than 15 characters and even have a whitelist of character sets! (Looking at you HDFC)
- And of course, run of the mill spam
They are all stuck in the early 2000s.
> cannot have more than 15 characters
That's something! My bank insists on exactly 6 numbers. Not characters, numbers.
They're also hostile to password managers and don't allow copy/paste. You have to click on the numbers with your mouse.
"My security" is very important to them, so they've moved 2nd factor from a physical fob, to an app tied to my phone, and now they've improved it further by switching to sms!
Now, this isn't some neighborhood mom 'n'pop bank, but the biggest or second-biggest bank in France.
> My bank insists on exactly 6 numbers. Not characters, numbers.
When I see this kind of thing I suspect that it's a web app that's simply a proxy for some mainframe screens that were written in the 1990s (or earlier).
I bet it's actually a set of solenoid actuators physically typing into a 90s terminal.
Don't be ridiculous. It's a set of solenoids typing into a punch card machine.
I remember at least one major US bank saying that the reason they only allowed short passwords was indeed that it was the limit for login passwords on their mainframe.
I was sure this was complete bullshit because even if everything is handled on the mainframe a user using their online banking would not be logging on to the mainframe. The online banking password is a credential for the bank's application(s) that run on top of the mainframe's system software.
When a new customer signed up for an account the bank would not create a new mainframe user account for that user. A bank customer account would just exist in the bank's database and would be completely independent of actual mainframe user accounts. If the online banking password needed to be stored on the mainframe it would be in one of the bank's tables, not wherever that mainframe's system software stores password.
I mentioned this somewhere and someone who actually worked on bank systems commented that some banks actually really do have a mainframe user account per bank customer account.
I think that doesn't actually change my point that blaming a short online banking password limit on mainframe system software limitations is complete bullshit.
Users are not asked for their password when they use non-online banking, such as at ATMs or through a teller at the bank. This shows that the bank does have interfaces that allow performing all the normal functions a customer needs to do without the customer needing to supply a login password.
Online banking is going through a web server. They web application should be using those interfaces that don't require a customer mainframe login to work. The password the customer supplies to the web interface should be a credential for the web interface and be completely separate from any mainframe login password.
The pathways and decisions made might be unintuitive and effects can linger even after the original reasons no longer apply.
Where I work, usernames are still limited to 8 characters because some old unix platforms didn't support more than that. I'm virtually certain that none of those are still in use today, but the requirement was baked into user provisioning in ways that would be expensive to change, so they keep with it.
My hunch is that the idea that some banks have a mainframe user account per bank customer is a red herring, and that the real answer is that the customers are indeed in a separate database table. But that database is a mainframe database, and the field is a fixed width that maybe could be changed but the mainframe admins see no reason to.
As I understand it, the thing with "click the number" codes is that it is a protection against keyloggers. The numbers are usually scrambled and when you click on it, you don't send the code but the position of the numbers you clicked. So for someone to get your code, you need both a screen capture and the position of mouse clicks.
So 6 digits is low entropy, but it is compensated by a few layers of security. I don't know in practice how effective it is against passwords. I have seen it done in several banks, insurance companies, etc... including online banks. So I guess that it is not that bad. Most discourage SMS/email second factor in favor of their apps though. The physical fob is probably a hassle for them so they will try to push you to other solutions, usually an app.
Yup, keylogger defense. I've seen a system with a full virtual keyboard to let you type anything without hitting a key--explicitly as a security measure. Fixed keyboard, though, I've never seen one with randomized targets. Capturing everything would be an awful lot of data for malware to export so I don't think screen capture is much of a risk.
Royal Bank of Canada (at least until recently, haven't been a customer for a while) just silently truncates your password. Discovered this when I thought I saw the number of masked characters go down, and then entered my password with one less character and logged in. (This was on mobile)
I wonder if it's because they look at security more globally. Their actions probably keep lowering security for people who understand the risks and are willing to take the extra steps to protect themselves but on the other hand they probably drive up adoption of some extra security for most other folks. Or if you want to be less charitable: they were tired with dealing with support calls from a lot of tech illiterate people and decided to just sacrifice security.
I'm sensible to these considerations.
But I don't see how a JS applet where you need to click on a bunch of numbers in plain view of whoever is curious to look over your shoulder helps with this. People have to type in their customer number in a regular text field anyway, so why not use the same thing for the password?
SG?
BNP. I used to have an account with Boursorama (which belongs to SG) and they also had the point-and-click number thing, but I think the code was a bit longer.
SG is also exactly six, with a randomized on-screen keyboard.
It's a French thing.
There was some brouhaha a few weeks ago when someone posted a screenshot on reddit about an Indian public sector bank's app refusing to run because a user had installed Firefox, and according to that bank, was a "malicious app that could steal user data".
Indian banks and many of the government websites are some of the most user-hostile things out there. Once upon a time, I used to think this was primarily to deter malicious actors from preying on tech-illiterate users, but given that the banks don't want to use all the tools/frameworks out there which help websites be both secure and user-friendly, I've changed my opinion.
It's insane that any rando app on your device can have access to the list of other apps installed on your device.
There's a certain Indian public sector banking app which won't run at all unless you give it camera, full filesystem and some other crucial permissions.
I have not received any spam similar to the OP from my bank. But it seems (at least the popular belief) the lower level employees regularly leak your account details to scam callers.
Yeah my bank requires me to reset my password every 180 days, only accepts passwords from 6 to 11 characters, and has a whitelist of valid characters. All this leads to a situation where I want to sign in, I'm then prompted to reset my password, but the autogenerated passwords from Firefox don't actually work because they are too good, so I switch to a terminal to make up a custom password to their rediculus requirements.
> Client side password hashing
Forgive my ignorance, but what's wrong with this one?
If the hashing is done on the client and then sent to the server, then the server is effectively just processing as a plaintext password. If an attacker gets hold of the server password database, then they can just connect to the server and pretend to be the client and hand it the hashed password that they read from the database breach.
If you hash the password on the server instead, then if the password database is breached, then an attacker needs to actually reverse the hash[0] and find the original password in order to log in, because that's all that the server will accept.
[0] Note, this should be difficult[1] [1] In crypto, "difficult" should mean "impossible before the end of the universe"
No it's not. Did you ever think that you can hash something twice? Hash it once on the client, then hash and salt it server side, like normal. It means that the server never actually knows your password, but that's about all it gives you.
> It means that the server never actually knows your password
If the client is hashing it without a salt the server could simply check a Rainbow table (https://en.wikipedia.org/wiki/Rainbow_table) to know which password it is. For short inputs this could be trivial.
Sure, but I still think this is preferable to sending the password in clear text even over HTTPS. You're trusting the server doesn't do anything with the password and immediately hashes it, but it might not. It might store it, or even if it doesn't, your password will stick around in RAM for an indeterminate amount of time.
If the server is compromised in any way, passwords could be exfiltrated. Companies are, sometimes, wildly incompetent. Zoom historically stored private keys on the same server as their "encrypted" data. I would not be surprised if your password is just stored for "convenience" or some other bullshit reason and just waiting to be breached.
> Sure, but I still think this is preferable to sending the password in clear text even over HTTPS. You're trusting the server doesn't do anything with the password
My point is in both cases the server has access to the password. As I mentioned, without salt the server can get the original password (by checking the pre-computed rainbow table of hashes up to n length), so the trust issue is the same.
If this is slightly better (more obfuscated) or the same thing + a false sense of security is debatable, but I could agree.
Well no, because rainbow tables are quite small. You don't have precomputed hashes for all passwords 24 characters and under that contain numbers and symbols.
I mean, even with just letters, you're looking at 620448401733239439360000 hashes required. x 128 / 8 bytes, you're looking at ~ 9000 zettabytes. So, a few order of magnitude larger than the entire internet.
If you have a strong password, it's not comparable. In scenario one the server has the password immediately. In scenario two, it would require the heat death of the universe to precompute the hash to find out the password.
Indian banks and their websites are likely among the worst in the world. The fact that many situations require printing forms, dealing with SMS-based 2FA, multiple passwords, sometimes with different requirements… I’m not surprised that many Indians still prefer the hassle of visiting a branch.
The branches are worse. Staff rotates _constantly_. Most of the new ones don't know anything, including most straightforward things people go to branches for. Almost everyone from the tellers to the branch manager is mandated to upsell/cross-sell something or the other, and in the most non-transparent way possible (so that the right people get the commission). Need a bank locker? Jack up your savings account balance. Need a credit card? Get a unit-linked insurance plan, else don't waste our time. A couple of tellers will start calling random people to sell things (in direct violation of central bank rules).
I assure you, dealing with the staff at the bank is different ball game altogether.
I had to write 3 different "letters" (paper pen) to have a phone number typo (on their part) corrected.
Indian government's websites (eg: IRCTC train booking, exam registration portals) are worse IME.
When buying or selling a house, this can get really bad. You have all sorts of entities which extensions of other entities. The bank has a mortgage sector which uses a different domain.
I also had to deal with a medical device recall, which was terrible. I had to trust some skeezy domains.
This isn't hard to fix, all you need to do is list on your website your "partner domains."
My personal security protocol was to search a .gov website for contact info of financial institutions, go to the domain listed, look for a customer service number, and call that to find out what domains to trust. Customer service people thought I was weird.
At one point, a customer service person said, "you know it's legitimate because if you go to LinkedIn, you can see the person you're dealing with has <Bank Name> listed as their employer."
> At one point, a customer service person said, "you know it's legitimate because if you go to LinkedIn, you can see the person you're dealing with has <Bank Name> listed as their employer."
"Yeah? Give me two minutes, and mine will say the same. So, will you give me your personal info?"
The naive people in decision-making positions often don't realize the risks involved in their behavior until they or someone near to them gets hurt -- in this case scammed or sued.
We used to have a lot of people like this running businesses in the US before roughly 2012, but white (and black) hat hacking began spreading quickly and made generally short work of the problem.
I used to work for a financial services company that had a strong and well-managed security culture. The company got acquired, and afterwards, we kept getting emails from third parties for various things, all supposedly initiated by execs/groups at the parent company.
We employees of the acquired company discussed the emails in Slack: we were sure that these emails were legitimate, but acting on them would have broken our security policies, so we all decided to all report them as phishing attempts. We understood that we were engaging in malicious compliance, but our actions were also a best practice, so we couldn't technically be criticized for it.
After a while of this, execs at the parent company would send out sometimes exasperated-sounding emails ahead of time, alerting us to the email that we should expect to receive and how they wanted us to respond. Of course, that led to discussions of how we know that that pre-email emails were legitimate. After a while, we all lost interest in this malicious compliance and adopted the much laxer security culture of the acquiring company.
I had to fire the MSP I hired because they needed to install some software on everyone's computer, so they sent a company-wide email, with no clearance from anyone, directing approximately 40 people to open terminal and paste in a string sent in that email. Along with instructions on how to open terminal.
The absolute last thing anyone competent does is train employees to receive communications like that in email and follow them. If they'd asked for 3 minutes at an all hands to prep employees, or announced in slack, or something similar then ok. Or some out-of-band announcement that this was legit.
I also suspect that the social dynamics of these kinds of organizations make it difficult for the right people for making these kinds of decisions to rise to the right positions for making them.
There's almost a catch-22: setting good, effective policies tends to involve a lot of telling people "no". And it's hideously difficult to do that without ruffling the feathers of people who control promotions.
Yeah, fear of consequences (due to something bad happening) seems to be the only way to both motivate and justify adopting more secure practices and policies.
Considering that on paper these businesses all have employees serving as CISO, EVP-, SVP-, and many, many Directors of Security, I find it highly unlikely that the accumulated experience of the people and their teams results in decisions like this. It's hard to distinguish incompetence from malice in many situations but calling them "naive" seems to be indirectly excusing customer-hostile behavior.
It doesn't make any sense to me because it's expensive to make sure your company's services are secure, but it's also expensive to not be secure. Perhaps it's less expensive to not worry about it because the loss-of-customers impact on revenue are still under the cost of doing it right. If that's the case it's a sad state for all of us.
The example given in TA seems to be a straightforward case of institutional naivety (banks doing stupid stuff that confuses customers and makes them prone to potential identical-appearing phishing attacks) -- for which the only solution is for decision makers to be convinced that something needs to change.
I don't know of anything that can convince a group of leaders making money and doing fine to change besides fear. Perhaps the US with its lawsuit-happy culture helped propel such changes more quickly than in Western Europe.
My bank used to call me with random marketing crap, and insisted on telling them my birthday and my mother's name before they can reveal their latest exclusive offer or some other crap. They were always dumbfounded when I retorted that it is them who need to prove that they're really calling from my bank first.
When a random call asks me to confirm some information, I always reply that I'm not going to share any personal information because I have no idea who they are. Half the time, they just hang up, the other half of the time they launch into the sales pitch.
I have this happen all the time in healthcare. I had someone from a specialist office call me and immediately ask me for my date of birth. Their surprise when I said no was incredible. But I agree with you, if THEY are the ones calling, they need to prove their identity.
I've got one that their phone robot says it's a message from my doctor's office, does not identify the office. Almost dismissed it as garbage, then realized it could be related to an upcoming appointment. And it's not even really right--unspecified doctor of mine would be my PCP, not the specialist.
Unfortunately, the medical world is caught between a rock and a hard place in this case. Can't give any info to anybody but the patient--which means they can't identify themselves when they call as the practice name directly reveals their specialty, or the doctor (google will reveal their area of practice.) And the office that's doing this is an area where some patients would want it confidential.
I think maybe it could be resolved by having the medical world go to a correct horse battery staple model--on first contact you're given a set of random words that will be used as an identifier for future contacts. Each patient gets different words so all anyone else can infer is that it's a medical provider.
I much prefer the places that go with don't leave a message/leave a brief message/leave a detailed message. No need to add security to situations that don't need it.
My bank eventually understood this, which is why currently you can check in the app whether on their end they're seeing that you're talking with their sales rep and which one specifically.
> So the next idea is to register the domain as a subdomain
I think the problem is, someone in the IT department understands the high risk associated with handing out subdomains, so they refuse to do it. So other parts of the company "work around" this by registering their own domain name.
I wonder how companies like Google handle this. A subdomain of google.com is probably the most valuable hack target in the world, but google does use subdomains occasionally (...or maybe more than occasionally! https://gist.github.com/abuvanth/b9fcbaf7c77c2954f96c6e55613...)
Nearly. It almost certainly never even touched IT.
The issue is that marketing is organizationally separate from IT and doesn't want to interact with them. IT is probably behind a slow, outsourced ticket based process and will take weeks to do a simple thing. They may also have random opinions about stuff marketing doesn't want them to have opinions about. So building out promos like this is delegated to SaaS services or contractors who also have no relationship with corporate IT. Then nobody in marketing really knows or cares what a subdomain is, because everything they do is just searching Google or clicking links. They never look at the address bar because it's always full of meaningless junk so why would they or anyone else care what's in it?
Anti-phishing training doesn't make sense, when you look at how people really use the internet. Not many people look at the actual text of a URL. The best anti-phishing training is "go to google and type what you're looking for, only click links from there" and not "carefully examine the domain name to try and intuit if it's owned by the organization you think it is".
Have you tried what you're recommending without an ad block extension recently?
Doesn't need to be IT being slow. I've seen it happen--we warned the guy to talk to us before putting up the new website. Admittedly, I was on the other side of the world and only reachable by e-mail, but the other guy was there in his office.
I don't know if he ever truly understood how he took out all company e-mail for nearly a week.
And trust links from Google? Keep up with the times! Sometimes the first hit is the scammers.
Google handles it in the same shitty way. They send mails that could be phishing mails and use not only google.com but many other weird domains like goo.gl or foobar.google and so on.
Terrible. The times were one could rely on them have long passed.
For me, the money shot is Chapter 4: the bank needs to be held legally accountable of gross negligence for sending phishing-resembling emails to customers.
How do you hold someone legally accountable for a non-crime with no identifiable victims? Especially for "gross negligence", when the negligence is very clearly minor.
I see Conway's Law at work here. The marketing department must have its own IT department separate from the IT that maintains the core website and business functions. It's impossible for them to get on the same web domain (much less build something in the phone apps). Instead, they built their own disparate site and experience.
It gets worse. These German "Sparkassen" are small to at most medium sized credit unions. They are organised in a larger umbrella organisation that takes care of some of the services like IT, but the individual banks can pick and choose what and how much they want to handle themselves.
Some of them are larger and pretty well organised, but there are also a lot of small ones that just don't have the people and expertise for things like proper IT security practices. But customers trust them, because they position themselves as these local neighbourhood banks, even though most of them are pretty incompetent and will rip you off with high fees on accounts and shitty, underperforming investment products.
A friend told me about a company where the CISO instigated security newsletters aimed at staff to build up their experience on such topics, yet the newsletters were emailed from an external email and contained links to a hosting site that wasn't related to any of the employers regular website domains and like this case would often come across as a phishing attempt, especially when they ran competitions (apparently they appeared too good to be true, as friend's employer was famously tight!)
Every weekly newsletter I get at work is sent from an external spam-sender, containing links to an external hosting site that have a unique ID for tracking clicks. Those links are then munged by Outlook which makes them hard to identify. I searched on the company web site for any confirmation that the external sender or external hosting site were legitimately being used by the company and found none, so I refuse to click on those links. I should also report them as phishing scams really.
I had this happen worse from my car loan bank.
I got an email with a header that was obviously badly scanned from a paper document. It demanded that I provide proof of insurance or my car loan would be canceled. It had the name of the bank and my name and my email, but nothing else of import.
The only URL was to a domain unrelated to the bank.
I ignored the first couple, and finally looked into it the third time.
It was legit.
When I told them all the ways this looked like phishing, they couldn't understand my concerns.
I gave them the info they wanted in person at a local branch. I soon after paid off that loan and got away from them.
Something similar happened in Belgium in 2021. The Flemish government launched a compensation scheme for solar panel owners via a site called tellercompensatie.be. I registered the obvious typo variant: teller-compensatie.be right after the tv and radio announcements, added a visitor counter and a link to the real site. It got ~20k hits in a few days, my second most popular project thus far.
I just went to check the “official” domain and it looks like the domain is now owned by an ad network. Classic.
A news article link ( https://www.vrt.be/vrtnws/nl/2021/01/22/compensatieregeling-...) still ises that domain name in it’s article, but now redirects to a proper gov site: vlaanderen.be/veka
I had similar with my energy provider in the UK (Octopus). For one reason or another a regular payment bounced which automatically puts you on a "call daily until the debt is repaid" list.
These calls come in on an unrecognised number, from staff who say "I don't know" when you ask them to prove they are from Octopus, and generate no call notes so you can't find out why they rang if you use the main customer service number.
To top it off they ask you to key in your card info on the phone after asking for your personal information.
I complained and they offered to fob me off with £30 credit instead of talking to their CISO, but they did at least say they can add phone passwords to individual accounts.
I use USAA for banking.
Something they do when they initiate a call to me on the phone is they start by making sure they are talking to me (they don’t ask me to prove it) and making sure I have the app on the my phone or access to a web page.
Then they initiate a MFA check within the app. I have to get it and read back a number. Then they ask me for my phone PIN or password. Once that’s done, then we can start talking.
That is a really bad idea. That's letting anyone who phones you prove to the bank that they are you.
You should only reveal an MFA code to someone that you have called, knowing that it is the right person.
Walk me through the chain you’re thinking of. I want to understand it better.
If you’re thinking that - for example - someone is attempting to log into my account online and simultaneously call me pretending to be the bank. They are presented with an MFA check and tell me they initiated it. I give it to them unwittingly, and note they are in.
My understanding is that isn’t possible here, because this “MFA check” is different than the login one. The login one is the “Google Authenticator, 6 numbers”. This is a different code entirely. Obviously I didn’t specify that in the original post. My bad.
If that wasn’t what you were thinking and you can think of how this fails, I need to know and learn more!
The scammer calls the bank rather than trying to login. When calling, they will be asked to verify with info and the code which they will get from you. Think mitm but telephone based. The verification info (maybe just a zip code or last 4 of ssn or something publicly available) can be acquired beforehand so they only need the code to be relayed. Obviously they have to get the timing right, so you might be on the phone for a few minutes before they find a reason to ask for the code.
Well, if I wanted to get into your account, apparently I just call the bank and then call you. Any time they ask me something I ask you the same thing and pass it along to them, and you'll faithfully tell me. They trigger the codegen and ask me to read it back and I ask you and you happily tell me. Then I "confirm your account is safe" to you, and continue my call with the bank except now I've authenticated as you.
You're giving a MFA number to someone that called you?!
The bank I used to use had a per-verification request code that the app showed. If the party dealing with you knew the code, you could be sure they were the party who initiated the verification request.
But you said you read back the code. It should be the other way around--*you* compare the code they give you with the code the app gives you. Give zero information until identity is confirmed.
My bank has a secure messaging system inside their website and app.
However every time I use it, instead of answering through the secure channel, they try to call me on the phone.
Now they've put out security warnings about scammers impersonating bank staff making calls to customers.
Here's an interesting scheme. Some credit/debit card merchant accounts can arrange to get updated card info if your card expires and/or gets replaced. So if the merchant is a bad actor and doesn't charge your card directly but just tracks your updated card info so it can be used fraudulently elsewhere, you, your bank, and the card company will never know they were the source. And the card is linked to your bank account, you can replace it ad infinitum and the bad actors will get the updated info for the new card every time. The only way to break out of this is to close your bank account and open a new one.
Banks usually have a mechanism to prevent automatic billing/card data updates for exactly that reason for suspected/confirmed fraudulent used cards, but unfortunately not all of them, and I suspect even for those that do, not all customer service reps know how to do that.
In an ideal world, all merchants would be using tokenization already – then the bank could offer you a UI where you can just kick out the merchants you don't want to have access to your payment credentials anymore before reordering a new card. (If tokens were mandatory, like they are e.g. in India, you wouldn't even need to reorder the card in the first place, but that'll probably never happen in the US – too many legacy systems.)
Consumer-facing financial services in Germany are really bad at this, and it is not just Sparkassen: a few years ago an email supposedly from our corporate credit card provider to all of the foreign nationals at our company asking for scans of their passport photo pages triggered a deluge of phishing reports to IT, who had to subsequently inform everyone that yes, the email did indeed look exactly like a phishing attempt, but no, it was real.
I don't really know why the situation is so terrible -- there are many good and competent security professionals working in corporates in Germany -- but perhaps as the post alludes to it is due to a lack of legal or regulatory pressure to date.
> "The SSL certification is from Let’s Encrypt and not from one of the major root CAs"
This is NOT a reason to distrust a website.
This absolutely IS a reason to distrust a website claiming to be owned by a bank (or any other institution working with such sensitive assets). To be precise, such a website absolutely needs to have a certificate granted not only on the basis of "yes, I control the machine this domain points to" (which is what Let's Encrypt does), but also based on other, more physical and reliable means.
You're talking about EV certificates. They're dead.[0]
I personally would trust something signed by Lets Encrypt more readily than many other certificate providers. They appear to know what they are doing.
[0] https://www.troyhunt.com/extended-validation-certificates-ar...
The only thing other CAs do (after EV certificates stopped being a thing, as a sibling commenter already mentioned) is to take more money from you than Letsencrypt, in exchange for longer validities and historically some other concessions (although the browser forum has been clamping down on that, for good reasons).
In other words, if the bank is following best security practices, they're fine with Letsencrypt; if they don't, they might need somebody else.
Not outright, but it's more likely that a malicious actor utilizes the simpler or cheaper solution. $300/yr+ adds up, especially if you need to go through due diligence to acquire the EV.
True - but if browsers don't show the EV cert until I click 3 buttons and my bank don't use one is there really a point?
From a customer & technical perspective, not really.
From a compliance, regulatory & risk perspective, definitely.
The EV certificate often comes with additional liability protection to cover any end customer claims related to certificate issues (i.e., if the authority is compromised and the customer's PII becomes exposed).
Followed up with:
> While everyone can register for free on Let’s Encrypt, only (or mostly) serious companies pay money to register on DigiCert, GoDaddy, and so on.
GoDaddy is not a serious anything. DigiCert perhaps, but GoDaddy has repeatedly shown themselves to be scummy and untrustworthy.
That said, I do see the value in having an entity like a bank pay for a stricter cert with identity validation versus leveraging Let's Encrypt's free infrastructure which only validates domain/site control.
> While everyone can register for free on Let’s Encrypt, only (or mostly) serious companies pay money to register on DigiCert, GoDaddy, and so on.
Serious companies donate the money they saved by not buying snake oil to Let's Encrypt.
Phising and phishing education are inherently misguided. If my normal workflow includes much the following, then phishing will always eventually succeed:
- HTML emails where links and remote images obfuscate the 'real' content of the email.
- URLs which are not clearly and easily human-readable.
- A workflow where my normal and expected daily behavior is to receive valid emails that I don't recognizes with URLs from vendors, and then I'm meant to click on those URLs, go to web pages, and enter my credentials.
The fact that _any_ normal products or business processes expect this means phishing will always eventually succeed. No, I don't have all the UIs and URLs for every vendor memorized. I'd have no way to know if they changed validly, and my job trains me on a daily basis to click on emails and enter my credentials. It's just that _every so often_ this same scenario is set up by a bad actor.
Sharepoint is crazy. I get an email sending me documents, but to view them I need to click a link to an outside website and enter in my email login details??
I was on the phone with my bank recently (I called them) and they wanted to send a code to my phone to confirm my identity. I agreed. In came a text with a code and the phrase "nobody from the bank will ever ask you for this code..."
Royal Bank of Canada hasn't done anything this egregious but it always gave me a lot of confusion.
They use so many different domains. I'm not talking about redirects either. Like their landing page is at rbcroyalbank.com and then the login is at secure.royalbank.com. for ages rbc.com was another website for ages, but now also appears to be the Royal Bank (or is it?). I forget under which domain the dashboard is hosted.
Like, I get buying all the variations of your bank name, but please just redirect to one cannonical one! Marketing should also be for one domain. Way to easy to be scammed by royalbankofcanada. com or rbcbank.ca, because who the heck knows what their actual site is!
I know this from sport events but often the lottery or prize draw are organised by external marketing companies. So likely this is one reason for not making it a subdomain.
The other is that Germans seem very bad at this kind of stuff. Why the heck would the application for the German passport or Ausweis be published by some random GmbH and not Bundesregierung.gov?
But .gov are for American government sites, and Elon's friends (oh geez I loaded doge.gov, it looks so dodgy...), and I assume the assignment of the domain names under .gov is done by somebody in the federal government, if they haven't been DOGEed as well. If any country's government can get a .gov domain, I can imagine the hacking that could happen, similar to hackers managing to infiltrate Bangladesh's central bank and almost managing a heist, but for a typo: https://en.wikipedia.org/wiki/Bangladesh_Bank_robbery
At least for Switzerland the federal government puts its sites under the domain admin.ch . And the Cantons have their own domains, e.g. zh.ch for Zurich.
From what I've seen, Austria also does this pretty well, with everything being on xyz.gov.at. The problem I see for germany is that the principle of subsidiarity is taken very seriously here. Everything is decided at the lowest sensible level of government. Consequently, there are many very tiny local authorities that have to manage things independently and lack IT admins.
> Why the heck would the application for the German passport or Ausweis be published by some random GmbH and not Bundesregierung.gov?
This way the government doesn't have to release information to the public (think FOIA) about it. Moving central part of government operation into a private GmbH wholly owned by the government has (sadly IMHO) become a somewhat common strategy for the government. Not just Governikus (the one with the passport) but also the Telematik (Health system) and probably some more.
Speaking of normalizing bad habits, does anyone else remember when you were supposed to only ever enter your password into a site if you'd entered the address yourself (or used a bookmark), because if some other site had redirected you there it might be a fake?
And then now we've got OIDC.
That is less of a problem in the consumer space where the OIDC Auth providers have giant long lived sessions (google/FB/etc).
In the government/banking/etc space - there is at least FIDO/WebAuthn/Passkeys which also resolves it. But it's a fair criticism.
To verify your account during online customer service calls, Comcast will text you a six digit 2FA looking auth code which you must provide to the Comcast customer support. Guys.
I left Chase because their anti-fraud detection was so suspicious that Chase's own customer service told me it was fraud and had me close my checking account in the middle of a vacation. Only later I put together it was legitimate fraud detectiontriggering on an unexpected transaction location.
I called the number on the back of my Chase credit card (which goes to a call center in what sounds like India), and the person told me he has to verify me by hanging up, and then not to call anyone because he will call back in a few minutes... (Probably while he's on a "bathroom break" running to the scam center on the next floor of the same building.)
All the other times, they just ask for my verbal password to verify me.
I reported it and they said they created a ticket, but a month later when I called for a follow-up on the ticket, they said they had no idea what I was talking about :-/
(If anyone from Chase reads this, I have the recordings of those calls if you want them.)
In some instances where scambaters have hacked the scammers network video recorder you can see them working legitimate calls from the same desks... the outsourced call center can achieve 100% utilization by using all idle capacity for outbound fraud and if data access from the legitimate side helps with the criminal side, well that's just the synergy of horizontal integration for you.
>Only later I put together it was legitimate fraud detectiontriggering on an unexpected transaction location.
If I use my Chase debit card more than fifty miles from my home, transactions are denied as potential fraud. Then again, if someone uses my card details at a gas station in Santo Domingo, DR, that's just fine, even though I'm using the card in my home town on the same day.
It's maddening.
I know somebody who tried doing a standard vehicle emissions test (gov't facility) in the area they live in. Bank thought it was suspicious and locked their card. Then they tried sending money from the bank to buy a car (they were just borrowing it before buying from a family member), and the bank thought it was fraud so removed online banking too. No tickets or phone calls helped. Ridiculous. Never once did they call to ask "hey is this fraud?"
The problem is that banks are too regulated. They get into problems (of different kinds) when it's actually fraud and they don't block the account. And then, customer support is expensive, more than losing a few customers.
My bank replaced their phone authentication with something that asks you to speak a phrase (the same one every time) and tries to recognise your voice. Luckily that's completely bulletproof, there's no way it can be forged :-/
I read the FAQ on mine and it assures me it is totally safe and the voice cannot be forged. This mechanism was defeated in a hacker movie from the early 90s using a tape recorder but is actually being pushed as state of the art. I can't imagine how this method could ever be safe, even if it were possible to use some kind of advanced detection which would fail any time I had a cold my voice can be recorded and played back in high fidelity!
>This mechanism was defeated in a hacker movie from the early 90s
Sneakers (1992)[0]
This is pretty bad, but not as bad as Plaid asking for my bank account log-in credentials.
There’s no other way to do it. Not all banks expose an API.
> There’s no other way to do it.
Don't they allow you to manually enter the bank routing number and account number, then verify it by depositing and withdrawing a few cents?
That’s just account verification. ACH has some really antiquated practices on purpose that make the system more robust than a naive automated banking system and less robust than a comprehensive one.
I own a business that works directly in this space.
Ah, Sparkasse. I fondly remember the needless restriction for my password to be at most 5 characters long, all numbers.
My bank’s fraud department uses text shorthand like “Stop2end” and “call ph#” and their dates lack spaces “24Jun” in their texts to me.
Is this some kind of meta-level play to sound less fake?
Text messages used to be limited in size to IIRC 140 characters. (And I still have that limit on my Garmin inReach--about an abysmal a texting device as you can get, but it works off Iridium, not the cell net. I can be on the back side of nowhere and still talk to emergency services.)
SMS is limited to 140 characters, but there has been a standard to send multiple messages in a row and have the receiving phone concatenate them automatically since about the year 2000. For older devices that that don't support it, they will get multiple messages and just show it as "(1/2)" etc (I had a Panasonic phone that didn't support it during the transition so I remember it well)
This is on us, as software “engineers” for not having standards that may be used to regulate software development. There are building codes, fire codes, but no software codes.
When I got locked out of my mobile banking app, I got a security code in email to reset the app or something, but it didn't work. Then, I've called my customer representative for help, who promptly asked me to tell her the security code in the email so that she can reset the app. Yet, the email, in bold letters, said to never divulge the code to anybody, including the bank personnel...
Here is american Express "secure email" documentation : https://www.americanexpress.com/us/customer-service/secure-e...
I've mistakenly deleted from our mail quarantine multiple times as spam/phishing. Imho it's wilful négligence toynkeep such a system operating in 2025.
Same with DHL, they basically train their customer base to trust messages from random channels like whatsapp containing links. They have all the urgency/nonsense markers of spam.
I've been getting lots of scam calls lately, especially AI voice generated once, and there was one particularly annoying. Very persistent call about being approved for some loan, no reference to any particulars, all very vague, and I kept ignoring. In my mind I had no doubt it was a scam. Well, long and boring story short, now I have a missed payment on my credit report for my new HVAC system..
Do what I did: move to a new bank that respects your security. When you close your account, give formal feedback about why you are closing. Outflows of depositors should send a signal.
(i had on issue with PNC in the US where they kept calling and asking for a 2FA code. Totally indistinguishable from phishing. Clearly they lack proper infosec, so I moved to Schwab and have not looked back.)
My employer regularly sends out phishing honey pot emails. Which is great but they then will send out legitimate emails which are genuinely difficult to separate from actual phishing (using novel new email addresses and domain names in links). They also like to use some email filtering which has a habit of mutilating URLs.
Major US banks sometimes do similarly dumb things: TD Bank owns onlineaccessplus.com and myonlineaccount.net. Citi's credit card site used to have you log in at accountonline.com.
My local Volksbank does basically the same, linking to https://www.wero-gewinnspiel.de/.
The site also uses a Let's Encrypt certificate, which seems strange. This appears to be a massive, coordinated and not very well-executed effort to promote this Wero service. My guess is that the sites were all build by the same advertising agency.
gewinnen-mit-wero.de: It is pretty common to use a dedicated domain for a large campaign so that the spam complaints don't hurt the deliverability of your main domain.
I’m always surprised that banks don’t have a better way of authenticating themselves to their customers (Chase and Vanguard, in particular).
They call, they say I can call back and wait in a queue, but that’s stupid.
Also crazy they don’t have a TOTP (e.g. Google Authenticator)based two-factor authentication. It’s just way more secure than email or phone number.
It's been a while since mine triggered on me, and the weird thing of it was a bought a TV that day, which is what I assumed they called about. Nope, it was for getting a car wash halfway between the store and home.
Every bank I deal with except Schwab forces me to allow cross-site scripting to use bill pay...
I would hope your national bank regulatir would slap this down hard, but if the government does exactly the same thing, your country might be doomed.
Training about this kind of thing is mandatory for bank employees in my country, as far as I know.
I've been preaching about this issue for years, even to my friends working in banks as IT security, but for some reason they are more obsessed about solving the wrong problems with buying expensive hardware.
I know of a bank that it asked for every piece of PPII they have on you for account validation. This allows their phone support folks to have every piece of information to steal your identity.
My bank:
“Hello this is your bank can I please confirm your personal details?”
i've gotten unsolicited calls like this before from my insurance company and when i tell them i don't provide personal information to people who just call me out of the blue and ask for it, they act like i'm from mars.
then of course i have to call them back, sit on hold (and maybe get the same call center agent!) to verify their identity and conduct whatever business they originally called about. thanks, your bad practice just cost me an afternoon to deal with the inefficiencies of a private industry i think shouldn't even exist.
My Bank (ally) absolutely refuses to do any sort of secure authentication. No TOTP, no U2F key, no Passkey... however, they're unbelievably climbing over the garden gate to tie my account to my phone. Want to log it? yeah lets text you. Want to do anything else? Hey we sent a push notification to your phone. Seriously, fuck my phone. It's the least secure thing I own. Stop acting like its my damned identity.
Oh as a bonus... Hey want to integrate with a third party website? Oh just enter this code that we are literally telling you not to give away to anyone else. Lol.
Germany is a broken country, and this illustrates it on a micro-level
Do these banks not have insurance companies looking at this liability and saying "no you goddamned idiots, we are not covering you."
My mom was recently phished. The scammer got into her bank accounts and charged a bunch of air india tickets to her credit card and used zelle to transfer money out. When we reported it to the bank they said it wasn't covered because their fraud protection doesn't cover scams. So the banks just don't care. (It was Capital One FYI)
> their fraud protection doesn't cover scams
Eh?
When I talked to the bank I was like "So if she had just lied and said she didn't know how they got her information she would have been covered, but since she was honest and admitted to being scammed she is getting punished?"
A retail bank with a massive advertising budget has to pinch pennies somewhere.
One of Zelle's explicit design goals, couched in customer convenience, was as a mechanism to offload as much fraud liability onto the customer and away from the member banks.
Why would insurance companies care? These banks never have to take significant losses for their incompetence. If they were fined 1% of profit every time they were hacked, then I could see all sorts of mitigations being considered.
The bank doesn't take the loss, the customer does.
Mitchell and Webb has a good commedy skit on this subject: https://www.youtube.com/watch?v=CS9ptA3Ya9E
insurance companies operate the same way! customer service departments aren't a hotbed of security awareness (coming from personal experience - no sleight to CS reps in general; it's systemic as much as it is personal).
Heh, we did something similar at the bank where I work. Our marketing department, tasked with getting people to complete some "ongoing due diligence" (a bank term, part of KYC), sent out a bunch of SMS' with links to a page (on a non-core business domain) where we then asked customers to enter a bunch highly personal information. The SMS contained a lot of scary language about your account getting blocked and stuff.
I didn't know about it before my grandmother handed me an article from the local newspaper and told me some of her friends were worried about it. We laughed and I took the newspaper clipping to work and posted it on the wall of failures. Everybody in IT could immediately tell that this was a pretty bad idea, but we weren't asked.
I'd link the article and provide more details, but I'd have to visit my local library, and maybe later.
> “Here is your Sparkasse. A very important document is waiting for your signature. Please visit paperless.io/548fkjgd7f to continue.”
I mean this is just ... incredible. Are they living on the moon? Many real phishing messages are even more sophisticated than this.
I find there are a lot of people who just don't "get" written communication.
Once I got a vaccination, and in order to do it I had to fill out a form where I chose the arm. The form said to circle either "right or left."
The word "right" was on the left and "left" was on the right.
I pointed this out to the nurse and she laughed, and then realized her error, because she made the form.
This seems like it was correct - the view of the front of the body shows a third-person view. The labels are relative to the subject (first-person).
Or in other words, looking at me, my right arm is on your left.
I'm also with Sparkasse and it's the worst. Their digital systems and their technical understanding is the bottom of the barrel. On the other hand, the "most digital bank" in Germany, N26, a so called "neobank" has laughable security [1]. It's a huge mess over here. I used to also bank in Singapore, the difference is night and day. Fun story: Sparkasse has an integration with a stock brokerage, and the stock charts are PNGs generated at the backend. It's literally 1995-level HTML usage, One can only laugh.
[1] https://archive.org/details/33C3-Shut_Up_and_Take_My_Money
The one that kills me is when a financial institution or healthcare facility calls and says, "Hi, this is so-and-so from The Place. I was calling about your request/account/etc"
→ "Oh, ok"
→ "Before we get started, I need to verify your social security number/address/other personal information"
→ "Yeah, you called me and I have no way of knowing if you are who you say you are. I'm not going to give you that information. Can you give me your name, and I'll call the number on the website and ask for you?"
→ "Flabbergasted Well, our system doesn't work like that, so you'll have to submit another request"
→ Repeat ¯\_(ツ)_/¯
AmEx emails to customers often have marketing/tracking redirects replacing all of the links in the email.
The links to that redirector service are http:
You don’t even need to phish them, AmEx does it for you. All you have to do is rewrite the redirect on the wire.
The US city I live in 9 months/year has a yearly burglar/fire alarm licence fee.
A few years ago, I got a postcard that said "renew your alarm licence on-line" and the domain wasn't the .ca.gov domain the city uses, but something like "alarm-renewal-online.info"
I had to spend 30 minutes on the phone with my city to verify that this was a legitimate way to renew the alarm. They had contracted with an outside company to do the payment servicing. In the end, I just decided to mail them a check.
At least when my local government outsource their alarm permitting, they linked to the .com from their .gov website.
Lol Chase always calls me.
"We'd like to confirm this wire. We just need some details."
"Okay, I am me, that's true. But I should probably call Chase back for this right? This is textbook scam stuff. What do I tell them to get to you as fast as possible."
"All right, sir. That's fine. Let me just make a note on the account. You should be able to find the phone number on the website"
And then I usually just find my way. It's funny, but you kind of have to be disciplined.
It seems to me the better and simpler solution is to continue teaching your users that this pattern this bank engages in is in fact still the pattern of hostile actors and let the bank deal with the consequences.
The system will surely rectify itself eventually when their spammy, manipulative, promotional banker campaigns do not produce results (is that a bad thing?) and they seek out firms that do produce results based on knowing what they are doing.
The author could even use it as an opportunity to promote his or someone else’s services and use this write-up as an artifact of evidence.
I don’t want to get too generalizing, but it is a perspective that does not surprise me coming from what seems to be a German, for better or worse. Complaints about not being in compliance with universal norms instead of taking advantage of a presented opportunity to break ranks for one’s their own individual advantage, strikes me as a very German perspective; like I said, for better or worse, without judgement, since both of these perspectives have their advantages and disadvantages.
I don't think that everything needs to be a sales pitch all the time. But I am curious, what kind of service do you see promotable in the article?
Some of the worst practices I've seen are from FedEx. When you order an international package, you get a text from some random FedEx employee's personal mobile number, containing a link to a website where you're meant to enter your credit card details to pay import duties. WTF? NO. I've called up about it and the support team were just like "ugh, yes, I know, yeah that's actually probably legit."
And here we are: twenty five years into the 21st century, and it is STILL this bad... SMH
[dead]
[dead]
[dead]
[dead]