Hello, This Is You're Bank, Please Entering Your PIN
from the phoIP dept
The reason phishing is such a tough problem to solve is that it's not an attack on technology but on people: social engineering. There are therefore few solutions other than telling users to make sure they're actually on the website they think they are before entering sensitive information. The problem may get even worse as phishers migrate to VoIP. One company claims to have discovered a scam in which attackers sent out voice messages claiming to be from a bank; recipients were instructed to dial a number, where they were prompted to enter sensitive information such as their PIN. Impersonating a bank isn't sophisticated at all, but VoIP lets this kind of attack scale very well, as has been the case with junk faxes. What's more, the few anti-phishing techniques companies have developed (toolbar warnings, personalized bank pages that phishers can't copy) are useless over the phone. Once again, it looks like banks and other institutions will have to launch campaigns reminding people not to enter their PINs unless they are talking to a known bank phone number. Inevitably, many will ignore the warnings.
Reader Comments
"A fool and his money..."
Some people won't grasp it, of course, and others will forget or miss it. But I've employed this in web applications, and it works really well.
I have my theories as to why banks won't use it, but it really is too bad.
You can find out more information on this at http://www.concordefs.com/
Signed,
10 year banker AKA Another Anonymous Coward
Guess you don't have online banking. If you do, I would love to know what secure bank you have where no password is required to look at your account.
Re: Online banking
Just my two cents on the matter.
Typo in the title
Re: Typo in the title -DUH c'mon
The title is supposed to be like that.
And "please entering your PIN" is all messed up as well.
The headline is mimicking the horribly-written emails that are sent out.
I get so many a day in which the grammar is terrible. Nothing professional at all, and yet people fall for them.
CallerID, Banks, Phishing, etc
Just ASK!!
I mean, if it IS your bank and THEY are calling YOU, you can bet they have pulled up your account and are calling you for a real reason, like loss prevention or suspicion of fraud. Maybe someone stole your card and you don't know yet. If you simply say, "I have so many cards and accounts... which account number/credit card number are you calling about? Just the last 6 digits or so would be fine."
Alternately if they are posing as my actual bank, in my case BofA, I can simply tell them, "I've got stuff boiling in the kitchen, I can call you back in 5 minutes, what number and extension can I reach you at?"
Funny thing about the bad grammar. It probably goes unnoticed by many phishing victims, due to their own anemic command of the language, whether that's because they juss dint lern good in skool, or because they are not native English speakers and wouldn't be able to pick up on the fact that the purported "bank" on the phone is a hoax.
Phishing
I receive about five phishing emails per week (the ones that make it past the spam filter). CitiBank is a common target.
It would be trivial to reply to one of these scams with a bait account and then follow the money through the system as they tried to steal it. Bank transfers leave an electronic trail after all.
Even if the money goes off-shore it can be followed - or banks that allow themselves to be used for these frauds can be quarantined from the international banking system.
Let's boycott the banks! (sarcasm is lost in a text post)
Use of Caller-ID, a Site Key, etc ... will be circumvented eventually.
We will need to adjust!
I would like to suggest that biological information be obtained with all transactions. A thumb print for checks and credit/debit card transactions (one for each signature). This does not work well for internet transactions. It will not even resolve the actual transactions, but it would help to resolve the tracking of the fraud (this is subject to issues as well).
All people have to do is THINK a little bit before they act and it would solve so many problems.
Unfortunately, people in general seem to have lost the ability to do so.
As far as VOIP goes, working in the VOIP industry, every call has an associated IP that your logger will catch; if people simply verify the IP then they should be able to avoid this... then again, I have to agree with the first reply to this topic... classic
These guys are so stupid..... Everything is messed up, you can't click on any other buttons. First off, it is not https://www.paypal.com/, never log in to anything but that..... Try entering anything you would like for the user name and password, it will log you right in..... this is a big sign that it is so fake...
Biometrics
Biometric identification is so not the way to go for identity verification. First off, there is the simple fact that the tech is nowhere near ready yet, with the current rate of false positives and the sheer price of the hardware (decent quality hardware, not those mice with thumbprint readers off eBay). This will improve over time, but there is no technological solution that is completely foolproof. And with an ever-expanding database of fingerprints, it is more likely that two will be similar. Law enforcement agencies only use their fingerprint databases to find suspects, and then the prints are checked manually, before the suspect is even looked at.
Also, identity theft. I can change my account number, card number, PIN number, and even my name if I want, but without major surgery, which isn't even possible yet, I'm stuck with my fingers and eyes.
Consider getting mugged for your biometric account; really, you have two choices.
1. Give me your card and pin now!
2. Give me your card and your eyes now!
Decisions, decisions......
And Identical Twins.
A Fool and his money
It's the encoding
I'm getting it too
It also reverses decades of bank policy which states you will never be asked for your PIN under any circumstances. Stupid, stupid, stupid ....
And as a previous poster already said, IF this becomes normal and standard practice, then it opens the doors to real phishing sites asking exactly the same question and people being much more likely to type in the info.
I hope someone from Bank of America is reading this!!! The secure smart card, with time code, which I believe BofA already has as an extra option, is the best way to go.
my 2 cents...
And of course, when I typed in my info, they said we can't do it at the moment, please call us. :-( Stupid bank.