Hello, This Is You're Bank, Please Entering Your PIN

from the phoIP dept

The reason phishing is such a tough problem to solve is that it isn't an attack on technology but on people: social engineering. That leaves few defenses beyond telling users to confirm they are actually on the website they think they are before entering sensitive information. The problem may get worse as phishers migrate to VoIP. One company claims to have discovered a scam in which attackers sent out voice messages purporting to be from a bank. Recipients were instructed to dial a number, where an automated prompt asked them for sensitive information such as their PIN. Impersonating a bank over the phone isn't sophisticated at all, but VoIP lets this kind of attack scale extremely well, as junk faxes did before it. What's more, the few anti-phishing techniques that companies have developed (toolbar warnings, personalized bank pages that phishers can't copy) are useless over the phone. Once again, it looks like banks and other institutions will have to run campaigns reminding people not to enter their PIN unless they are on a call to a phone number they know belongs to the bank. Inevitably, many will ignore the warnings.


Comments on “Hello, This Is You're Bank, Please Entering Your PIN”

fishbane (profile) says:

One powerful method that I’m surprised isn’t used more is that of, upon sign up, soliciting users to provide a personal nonce – pet name, nickname, school name, whatever – and teaching them that unless they see that in the dialog box, it isn’t their bank.

Some people won’t grasp it, of course, and others will forget or miss it. But I’ve employed this in web applications, and it works really well.

I have my theories as to why banks won’t use it, but it really is too bad.

Anonymous Coward says:

Re: Re:

Bank of America does something a lot like this… they employ what they call a “SiteKey”. It’s an image and title for that image that you choose and it works as follows. Upon entering your username, it takes you to a page prompting you for your password that displays your sitekey. If the key doesn’t match the one you specified, you know that you’re not at an official B of A site. Same idea as a pet name… simple, but it works.
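The personal-nonce login flow described in the two comments above (fishbane’s “pet name” idea and the SiteKey variant), as an added example that is not part of the page and not any bank’s real implementation. Everything in it is an assumption for illustration: the in-memory `Bank`, the names `enroll`, `begin_login` and `finish_login`, and the device token. It shows the two properties that make the scheme work: the nonce is displayed before the password is requested, and the server only reveals it to a browser carrying a token it issued at enrollment, so a lookalike page that merely knows a username cannot fetch the nonce and show it.

```python
import hashlib
import hmac
import os
import secrets
from dataclasses import dataclass, field

# Constructed, in-memory stand-in for a bank's account store (example only).


@dataclass
class Account:
    salt: bytes
    password_hash: bytes
    nonce: str                     # the user's chosen phrase / SiteKey title
    device_tokens: set = field(default_factory=set)


class Bank:
    """Two-step login: username (+ device cookie) -> nonce shown -> password."""

    def __init__(self):
        self.accounts = {}

    @staticmethod
    def _hash(password: str, salt: bytes) -> bytes:
        return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

    def enroll(self, username: str, password: str, nonce: str) -> str:
        """Register the account and the user's personal nonce.

        Returns a device token meant to be set as a long-lived cookie on the
        enrolling browser (assumed mechanism, not a specific bank's)."""
        salt = os.urandom(16)
        acct = Account(salt, self._hash(password, salt), nonce)
        token = secrets.token_urlsafe(16)
        acct.device_tokens.add(token)
        self.accounts[username] = acct
        return token

    def begin_login(self, username: str, device_token: str):
        """Step 1: return the nonce to display, or None.

        Revealing it on username alone would let anyone who knows the
        username fetch it, so it is bound to the device token."""
        acct = self.accounts.get(username)
        if acct is None or device_token not in acct.device_tokens:
            return None
        return acct.nonce

    def finish_login(self, username: str, password: str) -> bool:
        """Step 2: the password is only requested after the nonce was shown."""
        acct = self.accounts.get(username)
        if acct is None:
            return False
        return hmac.compare_digest(acct.password_hash,
                                   self._hash(password, acct.salt))


def user_submits_password(shown_nonce, expected_nonce: str) -> bool:
    """The rule the comments teach users: if the page does not show your
    nonce (or shows the wrong one), it is not your bank; do not type the
    password."""
    return shown_nonce is not None and shown_nonce == expected_nonce


if __name__ == "__main__":
    bank = Bank()
    cookie = bank.enroll("alice", "correct horse", "my dog rex")
    # Real site on the enrolled browser: nonce appears, user proceeds.
    shown = bank.begin_login("alice", cookie)
    print("real site shows:", shown,
          "-> submit password:", user_submits_password(shown, "my dog rex"))
    # Lookalike page that copied the form and knows the username only.
    shown = bank.begin_login("alice", "no-such-token")
    print("lookalike shows:", shown,
          "-> submit password:", user_submits_password(shown, "my dog rex"))
```

The check that matters is `user_submits_password`: the scheme protects only users who actually refuse to type a password when the nonce is missing, which is the training problem fishbane mentions.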

Anonymous Coward says:

A banker or phone banker will never ask you for a PIN number; up until recently, nothing but an ATM would. Now, banks are migrating to asking for an ATM PIN while calling the phone banks, but an actual person will NEVER ask you for a PIN number. If a “banker” asks you for a PIN number, you can be assured he’s either a thief or a total dumbass.


10 year banker AKA Another Anonymous Coward

Alara Moonrunner says:

Re: Re: Online banking

I’d have to agree here. The person who said that about websites not asking for passwords either doesn’t have online banking or even shop online, nor does the person have a blog/LJ/MySpace account or what have you. If you have an account anywhere, it doesn’t matter if it’s an online bank account or some other type of account, you need to know your passwords. Even if the person plays something like World of Warcraft or any other MMOs. Passwords are essential; if the person does not realise this then they are showing that the person is a moron and therefore needs to learn how the internet actually works.

Just my two cents on the matter.

Anonymous Coward says:

Re: Typo in the title -DUH c'mon

That’s exactly the point – you missed it.

The title is supposed to be like that.

And “please entering your PIN” is all messed up as well.

The headline is mimicking the horribly-written emails that are sent out.

I get so many a day in which the grammar is terrible. Nothing professional at all, and yet people fall for them.

Anonymous Coward says:

What’s more, the few anti-phishing techniques that companies have developed (like toolbar warnings, and personalized bank pages that phishers can’t copy) are useless over the phone.

Well, there is Caller ID, but that has drawbacks, as not everyone subscribes to it, phones don’t have that functionality, or it’s a third party calling on behalf of the company. Not an all-out solution, but I hope that the people who do have it put it to good use, especially in situations like this.

Robert says:

Just ASK!!

If you get a call from “your bank” asking you for any information, just ask them what account number this is pertaining to. I bet they’ll hang up or step all over themselves trying to figure out how to salvage their “element of surprise.”

I mean, if it IS your bank and THEY are calling YOU, you can bet they have pulled up your account and are calling you for a real reason, like loss prevention or suspicion of fraud. Maybe someone stole your card and you don’t know yet. If you simply say, “I have so many cards and accounts… which account number/credit card number are you calling about? Just the last 6 digits or so would be fine.”

Alternately if they are posing as my actual bank, in my case BofA, I can simply tell them, “I’ve got stuff boiling in the kitchen, I can call you back in 5 minutes, what number and extension can I reach you at?”

Funny thing about the bad grammar. It probably goes unnoticed by many phishing victims, due to their own anemic command of the language, whether that’s because they juss dint lern good in skool, or because they are not native English speakers and wouldn’t be able to pick up on the fact that the purported “bank” on the phone is a hoax.

Joe Smith says:


What I do not understand about phishing frauds is why these guys aren’t tracked down and dealt with.

I receive about five phishing emails per week (the ones that make it past the spam filter). CitiBank is a common target.

It would be trivial to reply to one of these scams with a bait account and then follow the money through the system as they tried to steal it. Bank transfers leave an electronic trail after all.

Even if the money goes off-shore it can be followed – or banks that allow themselves to be used for these frauds can be quarantined from the international banking system.

Anonymous Coward says:

While I do not have a solution, I believe this to be an issue that the financial institutions need to resolve. If consumers only dealt with physical cash, identity theft would no longer be an issue. (Yes, this would have other issues.)

Let’s boycott the banks! (sarcasm is lost in a text post)

Use of Caller-ID, a Site Key, etc … will be circumvented eventually.

We will need to adjust!

I would like to suggest that biological information be obtained with all transactions. A thumb print for checks and credit/debit card transactions (one for each signature). This does not work well for internet transactions. It will not even resolve the actual transactions, but it would help to resolve the tracking of the fraud (this is subject to issues as well).

RoyalPeasantry says:

Pretty much every bank does warn its new customers to never give out their bank information to anyone. The real problem is people don’t listen. And then when they get screwed because of their own stupidity they blame the bank..

All people have to do is THINK a little bit before they act and it would solve so many problems.

Unfortunately people in general seem to have lost the ability to do so..

Slickriven says:

Am I missing something, or would storing your passwords not be a decent idea for websites… if the site is phishing, then the IP won’t be exactly the same, so your browser won’t automatically insert your info. This really only works if you have different accounts on your PC or no one else uses your computer, but it works to a degree for me.

As far as VoIP, working in the VoIP industry, every call has an associated IP that your logger will catch. If people simply verify the IP then they should be able to avoid this… then again, I have to agree with the first reply to this topic… classic

Yaffanator says:

These guys are so stupid….. Everything is messed up, you can’t click on any other buttons. First off, it is not https://www.paypal.com/, never log in to anything but that….. Try entering anything you would like for the user name and password, it will log you right in….. this is a big sign that it is so fake…

Snay says:


I would like to suggest that biological information be obtained with all transactions. A thumb print for checks and credit/debit card transactions (one for each signature). This does not work well for internet transactions. It will not even resolve the actual transactions, but it would help to resolve the tracking of the fraud (this is subject to issues as well).

Biometric identification is so not the way to go for identity verification. First off, there is the simple fact that the tech is nowhere near ready yet, with the current rate of false positives and the sheer price of the hardware (decent quality hardware, not those mice with thumbprint readers off eBay). This will improve over time, but there is no technological solution that is completely foolproof. And with an ever expanding database of fingerprints, it is more likely that two will be similar. Law enforcement agencies only use their fingerprint databases to find suspects, and then the prints are checked manually, before the suspect is even looked at.

Also, identity theft. I can change my account number, card number, PIN number, and even my name if I want, but without major surgery, and that isn’t even possible yet, I’m stuck with my fingers and eyes.

Consider getting mugged for your biometric account; really you have two choices.

1. Give me your card and pin now!

2. Give me your card and your eyes now!

Decisions, decisions……

And Identical Twins.

Anonymous Coward says:

It doesn’t help when actual banks phone up and ask for verification information. My bank phoned me last week because of “suspicious” activity on my credit card, and then asked me for my date of birth etc for security – only after I said no did they tell me to call them back on the number on the reverse of my credit card.

GrapschDenArsch says:

It's the encoding

I have yet to find a single phishing mail message in plain ASCII. The reason is quite simple: it does not work this way. So, why are there so many idiots working on ever more complicated encoding schemes, like MIME and HTML for something that is as simple as a plain text message? People who write such junk software should be made responsible. But by whom? The stupid customers who use this junk deserve it!

blissweb (user link) says:

I'm getting it too

It may be legit BofA practice to ask for this ATM Card No. and ATM Card PIN, but this is the first time I’ve seen it and it’s sooooo stupid for many reasons. Firstly, it is NOT secure. There are many ways to find this info after it is submitted: keyboard-capturing/screen-capturing trojans and unencrypted wifi links everywhere. And yes, you can make an imitation card with the account number if you know how.
It also reverses decades of bank policy which states you will never be asked for your PIN under any circumstances. Stupid, stupid, stupid ….
And as a previous poster already said, IF this becomes normal and standard practice, then it opens the doors to real phishing sites asking exactly the same question and people being much more likely to type in the info.

I hope someone from Bank of America is reading this !!! The secure smart card, with time code, which I believe BofA already has as an extra option is the best way to go.

my 2 cents…

And of course, when I typed in my info, they said we can’t do it at the moment, please call us. 🙁 Stupid bank.
