Hello, This Is You're Bank, Please Entering Your PIN

from the phoIP dept

The reason phishing is such a tough problem to solve is that it is not an attack on technology but on people: social engineering. So there are few fixes beyond telling people to make sure they are actually on the website they think they are before entering sensitive information. The problem may get worse as phishers move their attacks to VoIP. One company claims to have discovered a scam in which attackers sent out voice messages claiming to be from a bank; recipients were told to dial a number, where they were prompted to enter sensitive details such as their PIN. Impersonating a bank is not sophisticated at all, but VoIP lets this kind of attack scale very well, as junk faxes did before it. What's more, the few anti-phishing techniques companies have developed (toolbar warnings, personalized bank pages that phishers can't copy) are useless over the phone. Once again, it looks like banks and other institutions will have to run campaigns reminding people never to enter their PIN unless they are talking over a known bank phone number. Inevitably, many will ignore the warnings.



Reader Comments



  • Jon, 26 Apr 2006 @ 9:30am

    Natural Selection...

  • fishbane, 26 Apr 2006 @ 9:30am

    One powerful method that I'm surprised isn't used more is that of, upon sign up, soliciting users to provide a personal nonce - pet name, nickname, school name, whatever - and teaching them that unless they see that in the dialog box, it isn't their bank.

    Some people won't grasp it, of course, and others will forget or miss it. But I've employed this in web applications, and it works really well.

    I have my theories as to why banks won't use it, but it really is too bad.

    • Anonymous Coward, 26 Apr 2006 @ 9:42am

      Re:

      MasterCard has been using this for some time now - they call it "SecureCode".

      You can find out more information on this at http://www.concordefs.com/

    • Anonymous Coward, 26 Apr 2006 @ 9:48am

      Re:

      Bank of America does something a lot like this... they employ what they call a "SiteKey". It's an image and title for that image that you choose and it works as follows. Upon entering your username, it takes you to a page prompting you for your password that displays your SiteKey. If the key doesn't match the one you specified, you know that you're not at an official B of A site. Same idea as a pet name... simple, but it works.

    • Ron, 26 Apr 2006 @ 10:53am

      Re:

      Bank Of America uses it... and it works really well.

    • Anonymous Coward, 26 Apr 2006 @ 3:44pm

      Re:

      Bank of America now does this with their site.
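
The "personal nonce" fishbane describes, and the SiteKey flow the replies above describe, amount to the same two-step login: the user types only a username, the site answers with a secret the user chose at sign-up, and the password is entered only after the user has recognised it. The block below is an added illustration of that flow; it is not Techdirt's, MasterCard's or Bank of America's code, and the class names, function names, in-memory user store and sample user are assumptions made for the example.

```python
"""Two-step login with a per-user anti-phishing secret (a "personal nonce" or site key).

Added illustration for this thread; it is not Techdirt's, MasterCard's or
Bank of America's code. The class and function names, the in-memory user
store and the sample user are all assumptions made for the example.
"""
import hashlib
import hmac
import os
from dataclasses import dataclass
from typing import Dict, Optional


@dataclass
class Record:
    salt: bytes
    pw_hash: bytes
    nonce: str  # phrase (or image label) the user chose at sign-up


class UserStore:
    """Server side: stores salted password hashes and the user-chosen nonce."""

    def __init__(self) -> None:
        self._users: Dict[str, Record] = {}

    @staticmethod
    def _hash(password: str, salt: bytes) -> bytes:
        return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

    def register(self, username: str, password: str, nonce: str) -> None:
        # The nonce is solicited at sign-up, as the comment describes.
        if not nonce.strip():
            raise ValueError("anti-phishing nonce must not be empty")
        salt = os.urandom(16)
        self._users[username] = Record(salt, self._hash(password, salt), nonce)

    def begin_login(self, username: str) -> Optional[str]:
        """Step 1: the user types only the username; the site answers with the
        nonce to display. None for an unknown name (a production system would
        also want to avoid revealing which usernames exist)."""
        rec = self._users.get(username)
        return rec.nonce if rec else None

    def finish_login(self, username: str, password: str) -> bool:
        """Step 2: the password is entered only after the user recognised the nonce."""
        rec = self._users.get(username)
        if rec is None:
            return False
        return hmac.compare_digest(self._hash(password, rec.salt), rec.pw_hash)


def user_recognises_nonce(displayed: Optional[str], chosen: str) -> bool:
    """Client side: the rule the user is taught. No nonce, or a different one,
    means do not type the password."""
    return displayed is not None and displayed == chosen


def demo() -> dict:
    store = UserStore()
    # Constructed sample user, not real credentials.
    store.register("alice", "correct horse battery", "Rover the beagle")

    # Genuine site: the nonce alice chose comes back after step 1.
    shown_by_real_site = store.begin_login("alice")
    # A static copy of the login page never collected alice's nonce, so it
    # can only show generic text.
    shown_by_copy = "Welcome back to your bank"

    return {
        "real_site_recognised": user_recognises_nonce(shown_by_real_site, "Rover the beagle"),
        "copy_recognised": user_recognises_nonce(shown_by_copy, "Rover the beagle"),
        "login_ok": store.finish_login("alice", "correct horse battery"),
        "login_wrong_password": store.finish_login("alice", "guess"),
    }


if __name__ == "__main__":
    print(demo())
```

What the flow proves is only that the page in front of the user knows the secret the user gave the bank, which a static copy of the login page does not. Since the nonce is handed back to whoever submits the username, deployments that want more than that typically also tie the reveal to a device the bank has seen before (an addition this example does not implement). And, as the article notes, there is no equivalent to show over the phone.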

  • Another Anonomous Coward, 26 Apr 2006 @ 9:56am

    I don't think the bank ever asks you for your PIN, do they?

  • Anonymous Coward, 26 Apr 2006 @ 10:03am

    A banker or phone banker will never ask you for a PIN number; up until recently, nothing but an ATM would. Now, banks are migrating to asking for an ATM PIN while calling the phone banks, but an actual person will NEVER ask you for a PIN number. If a "banker" asks you for a PIN number, you can be assured he's either a thief or a total dumbass.

    Signed,
    10 year banker AKA Another Anonomous Coward

  • Bob, 26 Apr 2006 @ 10:08am

    Anyone who is stupid enough to fall for one of these scams deserves to be taken to the cleaners. No respectable bank would ever ask you to call a number and tell them your PIN, just like no website is going to ask for your password. They already know it!!!

    • me, 26 Apr 2006 @ 11:35am

      Re:

      no website is going to ask for your password. They already know it!!!

      Guess you don't have online banking. If you do, I would love to know what secure bank you have where no password is required to look at your account.

      • Alara Moonrunner, 26 Apr 2006 @ 11:50am

        Re: Online banking

        I'd have to agree here, the person who said about websites not asking for passwords either doesn't have online banking or even shop online, nor does the person have a blog/lj/myspace account or what have you. If you have an account anywhere, it doesn't matter if it's an online bank account or some other type of account, you need to know your passwords. Even if the person plays something like World of Warcraft or any other MMOs. Passwords are essential; if the person does not realise this then they are showing that the person is a moron and therefore needs to learn how the internet actually works.

        Just my two cents on the matter.

      • Bob, 26 Apr 2006 @ 12:49pm

        Re: Re:

        What I meant was that no website is going to ask you what your password is in an email or phone call. Of course you need one to log in to the website.

  • Anonymous Coward, 26 Apr 2006 @ 10:15am

    Typo in the title

    You want to use "Your" in the headline, not "You're". The latter is a contraction of "You are".

    • Egat, 26 Apr 2006 @ 10:17am

      Re: Typo in the title

      I'm guessing that one's intentional, since a lot of phishing scams seem to use very very poor engrish.

    • Buzz, 26 Apr 2006 @ 10:24am

      Re: Typo in the title

      They also put "please entering your pin". I think the errors were deliberate. As many point out, hackers/phishers/spammers typically have horrible English skills.

    • Anonymous Coward, 26 Apr 2006 @ 10:57am

      Re: Typo in the title -DUH c'mon

      That's exactly the point - you missed it.
      The title is supposed to be like that.
      And "please entering your PIN" is all messed up as well.
      The headline is mimicking the horribly-written emails that are sent out.

      I get so many a day in which the grammar is terrible. Nothing professional at all, and yet people fall for them.

  • Anonymous Coward, 26 Apr 2006 @ 10:19am

    What's more, the few anti-phishing techniques that companies have developed (like toolbar warnings, and personalized bank pages that phishers can't copy) are useless over the phone.

    Well, there is Caller ID, but that has drawbacks, as not everyone subscribes to it, or phones don't have that functionality, or it's a third party calling on behalf of the company. Not an all-out solution, but I hope that the people who do have it put it to good use, especially in situations like this.

    • Caven, 26 Apr 2006 @ 10:25am

      CallerID, Banks, Phishing, etc

      With the advent of caller-id spoofing services, even caller id cannot be trusted. I expect that the prior comment, while basking in simplicity, truly tells the tale. Kudos to he/she who wrote: "Natural Selection" -Caven

  • Anonymous Coward, 26 Apr 2006 @ 10:24am

    It was intentional, and so was "Entering". Some people have to know it all, don't they.

  • Robert, 26 Apr 2006 @ 10:53am

    Just ASK!!

    If you get a call from "your bank" asking you for any information, just ask them what account number this is pertaining to. I bet they'll hang up or step all over themselves trying to figure out how to salvage their "element of surprise."

    I mean, if it IS your bank and THEY are calling YOU, you can bet they have pulled up your account and are calling you for a real reason, like loss prevention or suspicion of fraud. Maybe someone stole your card and you don't know yet. If you simply say, "I have so many cards and accounts... which account number/credit card number are you calling about? Just the last 6 digits or so would be fine."

    Alternately, if they are posing as my actual bank, in my case BofA, I can simply tell them, "I've got stuff boiling in the kitchen, I can call you back in 5 minutes, what number and extension can I reach you at?"

    Funny thing about the bad grammar. It probably goes unnoticed by many phishing victims, due to their own anemic command of the language, whether that's because they juss dint lern good in skool, or because they are not native English speakers and wouldn't be able to pick up on the fact that the purported "bank" on the phone is a hoax.

    • Gabe, 28 Apr 2006 @ 3:07am

      Re: Just ASK!!

      This is the first coment in this thred withut eny speling erors... Aim geting afraid here...

  • Joe Smith, 26 Apr 2006 @ 11:15am

    Phishing

    What I do not understand about phishing frauds is why these guys aren't tracked down and dealt with.

    I receive about five phishing emails per week (the ones that make it past the spam filter). CitiBank is a common target.

    It would be trivial to reply to one of these scams with a bait account and then follow the money through the system as they tried to steal it. Bank transfers leave an electronic trail, after all.

    Even if the money goes off-shore it can be followed - or banks that allow themselves to be used for these frauds can be quarantined from the international banking system.

  • Anonymous Coward, 26 Apr 2006 @ 11:22am

    While I do not have a solution, I believe this to be an issue that the financial institutions need to resolve. If consumers only dealt with physical cash, identity theft would no longer be an issue. (yes, this would have other issues).

    Let's boycott the banks! (sarcasm is lost in a text post)

    Use of Caller-ID, a Site Key, etc ... will be circumvented eventually.
    We will need to adjust!

    I would like to suggest that biological information be obtained with all transactions. A thumb print for checks and credit/debit card transactions (one for each signature). This does not work well for internet transactions. It will not even resolve the actual transactions, but it would help to resolve the tracking of the fraud (this is subject to issues as well).

  • RoyalPeasantry, 26 Apr 2006 @ 11:57am

    Pretty much every bank does warn its new customers to never give out their bank information to anyone. The real problem is people don't listen. And then when they get screwed because of their own stupidity they blame the bank..

    All people have to do is THINK a little bit before they act and it would solve so many problems.
    Unfortunately people in general seem to have lost the ability to do so..

  • Slickriven, 26 Apr 2006 @ 12:14pm

    Am I missing something, or will storing your passwords not be a decent idea for websites... if the site is phishing, then the IP won't be exactly the same so your browser won't automatically insert your info. This really only works if you have different accounts on your PC or no one else uses your computer, but it works to a degree for me.

    As far as VOIP, working in the industry of VOIP, every call has an associated IP that your logger will catch; if ppl simply verify the IP then they should be able to avoid this... then again I have to agree with the first reply to this topic... classic

  • Yaffanator, 26 Apr 2006 @ 12:45pm

    http://61.6.64.141/https:/www.paypal.com/cgi-bin/us/webscr.php?cmd=_login-run

    These guys are so stupid..... Everything is messed up, you can't click on any other buttons. First off, it is not https://www.paypal.com/, never log in to anything but that-.....Try entering in anything you would like for the user name and password, it will log you right in..... this is a big sign that it is so fake...
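
Slickriven's point about saved passwords and the URL Yaffanator quotes illustrate the same check: browsers and password managers key saved logins on the page origin (scheme, host and port), so a copied login form hosted on another host gets nothing filled in, and the URL above fails that match on every component. The block below is an added illustration, not Techdirt's, PayPal's or any browser's or password manager's code; the vault contents, credentials and function names are constructed for the example, and the only real value in it is the URL from the comment above.

```python
"""Origin-bound credential autofill and look-alike URL signals.

Added illustration; not Techdirt's, PayPal's or any browser's or password
manager's code. The vault contents, the credentials and the function names
are constructed for the example.
"""
import ipaddress
from typing import Dict, List, Optional, Tuple
from urllib.parse import urlsplit

DEFAULT_PORTS = {"http": 80, "https": 443}

Origin = Tuple[str, str, Optional[int]]


def origin(url: str) -> Origin:
    """(scheme, host, port) of a URL, with the scheme's default port filled in.
    This is the key browsers use when deciding whether a saved login applies."""
    parts = urlsplit(url)
    scheme = parts.scheme.lower()
    host = (parts.hostname or "").lower()
    port = parts.port if parts.port is not None else DEFAULT_PORTS.get(scheme)
    return (scheme, host, port)


# Constructed sample vault: one login saved for the genuine PayPal origin.
VAULT: Dict[Origin, Tuple[str, str]] = {
    origin("https://www.paypal.com/"): ("alice", "example-password"),
}


def autofill(page_url: str) -> Optional[Tuple[str, str]]:
    """Return saved credentials only when the page origin matches exactly.
    A page on a different host, scheme or port gets None, whatever its path says."""
    return VAULT.get(origin(page_url))


def lookalike_signals(page_url: str, expected_host: str) -> List[str]:
    """Cheap, explainable reasons a URL is not the site it pretends to be."""
    parts = urlsplit(page_url)
    host = (parts.hostname or "").lower()
    expected = expected_host.lower()
    signals: List[str] = []
    if parts.scheme.lower() != "https":
        signals.append("not https")
    try:
        ipaddress.ip_address(host)
        signals.append("host is a bare IP address")
    except ValueError:
        pass  # a hostname, not an IP literal
    if host != expected and expected in parts.path.lower():
        signals.append("expected hostname appears in the path, not as the host")
    return signals


# The URL quoted in the comment above; the genuine origin is the one it imitates.
PHISH_URL = "http://61.6.64.141/https:/www.paypal.com/cgi-bin/us/webscr.php?cmd=_login-run"
GENUINE_URL = "https://www.paypal.com/"

if __name__ == "__main__":
    for url in (GENUINE_URL, PHISH_URL):
        print(url)
        print("  autofill:", autofill(url))
        print("  signals :", lookalike_signals(url, "www.paypal.com"))
```

The origin match is the part that does the real work: the phishing URL puts `https:` and `www.paypal.com` in the path to look right to a person, but the host the browser actually connected to is `61.6.64.141` over plain http, so the saved PayPal login never applies. The signal list is a secondary, human-readable explanation of the same mismatch.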

  • Snay, 26 Apr 2006 @ 3:22pm

    Biometrics


    I would like to suggest that biological information be obtained with all transactions. A thumb print for checks and credit/debit card transactions (one for each signature). This does not work well for internet transactions. It will not even resolve the actual transactions, but it would help to resolve the tracking of the fraud (this is subject to issues as well).


    Biometric identification is so not the way to go for identity verification. First off there is the simple fact of the tech is nowhere near ready yet. With the current rate of false positives, and the sheer price of the hardware (Decent quality hardware, not those mice with thumbprint readers off ebay). This will improve over time, but there is no technological solution that is completely foolproof. And with an ever expanding database of fingerprints, it is more likely that two will be similar. Law enforcement agencies only use their fingerprint databases to find suspects, and then the prints are checked manually, before the suspect is even looked at.

    Also, Identity Theft. I can change my account number, card number, pin number, and even my name if I want, but without major surgery, that isn't even possible yet, I'm stuck with my fingers and eyes.

    Consider getting mugged for your biometric account, really you have two choices.
    1. Give me your card and pin now!
    2. Give me your card and your eyes now!
    Decisions, decisions......

    And Identical Twins.

  • Anonymous Coward, 26 Apr 2006 @ 4:05pm

    It doesn't help when actual banks phone up and ask for verification information. My bank phoned me last week because of "suspicious" activity on my credit card, and then asked me for my date of birth etc for security - only after I said no did they tell me to call them back on the number on the reverse of my credit card.

  • mdlthomas, 26 Apr 2006 @ 8:18pm

    A Fool and his money

    ...are soon parted! Poor Baby Boomers..could somebody's grandkids please help them understand the INTERNET!!

  • GrapschDenArsch, 6 May 2006 @ 12:24pm

    It's the encoding

    I have yet to find a single phishing mail message in plain ASCII. The reason is quite simple: it does not work this way. So, why are there so many idiots working on ever more complicated encoding schemes, like MIME and HTML for something that is as simple as a plain text message? People who write such junk software should be made responsible. But by whom? The stupid customers who use this junk deserve it!

  • blissweb, 6 May 2009 @ 7:23pm

    I'm getting it too

    It may be legit BofA practice to ask for this ATM Card No. and ATM Card PIN, but this is the first time I've seen it and it's sooooo stupid for many reasons. Firstly, it is NOT secure. There are many ways to find this info after being submitted, keyboard capturing/screen capturing trojans and unencrypted wifi links everywhere. And yes, you can make an imitation card with the account Number if you know how.
    It also reverses decades of bank policy which states you will never be asked for your PIN under any circumstances. Stupid, stupid, stupid ....
    And as a previous poster already said, IF this becomes normal and standard practice, then it opens the doors to real phishing sites asking exactly the same question and people being much more likely to type in the info.

    I hope someone from Bank of America is reading this !!! The secure smart card, with time code, which I believe BofA already has as an extra option is the best way to go.

    my 2 cents...

    And of course, when I typed in my info, they said we can't do it at the moment, please call us. :-( Stupid bank.

