Hello, This Is You're Bank, Please Entering Your PIN
from the phoIP dept
The reason that phishing is such a tough problem to solve is that it’s not an attack based on technology, but on social engineering. Therefore there are few solutions other than telling people to make sure they’re actually on the website they think they are before they enter sensitive information. The problem may get even worse as phishers migrate to VoIP. One company claims to have discovered a scam in which attackers sent out voice messages to people claiming to be from a bank. Recipients were then instructed to dial a number, whereupon they were prompted to enter important information, such as their PIN. Impersonating a bank isn’t sophisticated at all, but VoIP lets this kind of attack scale really well, as has been the case with junk faxes. What’s more, the few anti-phishing techniques that companies have developed (like toolbar warnings, and personalized bank pages that phishers can’t copy) are useless over the phone. Once again, it looks like banks and other institutions will have to launch campaigns reminding people not to enter their PINs unless they are talking over a known bank phone number. Inevitably, many will ignore the warnings.
Comments on “Hello, This Is You're Bank, Please Entering Your PIN”
Natural Selection…
Re: Re:
LOL, nice
Re: Re:
Yup. Proof that it still works sometimes, if nothing else.
Re: Re:
One Word….. Nice…
Re: Re:
or..
“A fool and his money…”
One powerful method that I’m surprised isn’t used more is that of, upon sign up, soliciting users to provide a personal nonce – pet name, nickname, school name, whatever – and teaching them that unless they see that in the dialog box, it isn’t their bank.
Some people won’t grasp it, of course, and others will forget or miss it. But I’ve employed this in web applications, and it works really well.
I have my theories as to why banks won’t use it, but it really is too bad.
Re: Re:
MasterCard has been using this for some time now – they call it, “SecureCode”
You can find out more information on this at http://www.concordefs.com/
Re: Re:
Bank of America does something a lot like this… they employ what they call a “SiteKey”. It’s an image and title for that image that you choose and it works as follows. Upon entering your username, it takes you to a page prompting you for your password that displays your sitekey. If the key doesn’t match the one you specified, you know that you’re not at an official B of A site. Same idea as a pet name… simple, but it works.
Re: Re:
Bank of America uses it… and it works really well.
Re: Re:
bank of america now does this with their site
I don’t think the bank ever asks you for your PIN, do they?
A banker or phone banker will never ask you for a PIN number; up until recently, nothing but an ATM would. Now, banks are migrating to asking for an ATM PIN while calling the phone banks, but an actual person will NEVER ask you for a PIN number. If a “banker” asks you for a PIN number, you can be assured he’s either a thief or a total dumbass.
Signed,
10 year banker AKA Another Anonymous Coward
Anyone who is stupid enough to fall for one of these scams deserves to be taken to the cleaners. No respectable bank would ever ask you to call a number and tell them your PIN, just like no website is going to ask for your password. They already know it!!!
Re: Re:
no website is going to ask for your password. They already know it!!!
Guess you don’t have online banking. If you do, I would love to know what secure bank you have where no password is required to look at your account.
Re: Re: Online banking
I’d have to agree here, the person who said that about websites not asking for passwords either doesn’t have online banking or even shop online, nor does the person have a blog/lj/myspace account or what have you. If you have an account anywhere, it doesn’t matter if it’s an online bank account or some other type of account, you need to know your passwords. Even if the person plays something like World of Warcraft or any other MMOs. Passwords are essential; if the person does not realise this then they are showing that the person is a moron and therefore needs to learn how the internet actually works.
Just my two cents on the matter.
Re: Re: Re:
What I meant was that no website is going to ask you what your password is in an email or phone call. Of course you need one to log in to the website.
Typo in the title
You want to use “Your” in the headline, not “You’re”. The latter is a contraction of “You are”.
Re: Typo in the title
I’m guessing that one’s intentional, since a lot of phishing scams seem to use very very poor engrish.
Re: Typo in the title
They also put “please entering your pin”. I think the errors were deliberate. As many point out hackers/phishers/spammers typically have horrible English skills.
Re: Typo in the title -DUH c'mon
That’s exactly the point – you missed it.
The title is supposed to be like that.
And “please entering your PIN” is all messed up as well.
The headline is mimicking the horribly-written emails that are sent out.
I get so many a day in which the grammar is terrible. Nothing professional at all, and yet people fall for them.
What’s more, the few anti-phishing techniques that companies have developed (like toolbar warnings, and personalized bank pages that phishers can’t copy) are useless over the phone.
Well, there is Caller ID, but that has drawbacks, as not everyone subscribes to it, or phones don’t have that functionality, or it’s a third party calling on behalf of the company. Not an all-out solution, but I hope that the people who do have it put it to good use, especially in situations like this.
Re: CallerID, Banks, Phishing, etc
With the advent of caller-id spoofing services, even caller id cannot be trusted. I expect that the prior comment, while basking in simplicity, truly tells the tale. Kudos to he/she who wrote:
“Natural Selection”
-Caven
It was intentional, and so was “Entering”. Some people have to know it all don’t they.
Just ASK!!
If you get a call from “your bank” asking you for any information, just ask them what account number this is pertaining to. I bet they’ll hang up or step all over themselves trying to figure out how to salvage their “element of surprise.”
I mean, if it IS your bank and THEY are calling YOU, you can bet they have pulled up your account and are calling you for a real reason, like loss prevention or suspicion of fraud. Maybe someone stole your card and you don’t know yet. If you simply say, “I have so many cards and accounts… which account number/credit card number are you calling about? Just the last 6 digits or so would be fine.
Alternately if they are posing as my actual bank, in my case BofA, I can simply tell them, “I’ve got stuff boiling in the kitchen, I can call you back in 5 minutes, what number and extension can I reach you at?”
Funny thing about the bad grammar. It probably goes unnoticed by many phishing victims, due to their own anemic command of the language, whether that’s because they juss dint lern good in skool, or because they are not native English speakers and wouldn’t be able to pick up on the fact that the purported “bank” on the phone is a hoax.
Re: Just ASK!!
This is the first coment in this thred withut eny speling erors… Aim geting afraid here…
Phishing
What I do not understand about phishing frauds is why these guys aren’t tracked down and dealt with.
I receive about five phishing emails per week (the ones that make it past the spam filter). CitiBank is a common target.
It would be trivial to reply to one of these scams with a bait account and then follow the money through the system as they tried to steal it. Bank transfers leave an electronic trail, after all.
Even if the money goes off-shore it can be followed – or banks that allow themselves to be used for these frauds can be quarantined from the international banking system.
While I do not have a solution, I believe this to be an issue that the financial institutions need to resolve. If consumers only dealt with physical cash, identity theft would no longer be an issue. (Yes, this would have other issues.)
Let’s boycott the banks! (sarcasm is lost in a text post)
Use of Caller-ID, a Site Key, etc … will be circumvented eventually.
We will need to adjust!
I would like to suggest that biological information be obtained with all transactions. A thumb print for checks and credit/debit card transactions (one for each signature). This does not work well for internet transactions. It will not even resolve the actual transactions, but it would help to resolve the tracking of the fraud (this is subject to issues as well).
Pretty much every bank does warn its new customers to never give out their bank information to anyone. The real problem is people don’t listen. And then when they get screwed because of their own stupidity they blame the bank..
All people have to do is THINK a little bit before they act and it would solve so many problems.
Unfortunately people in general seem to have lost the ability to do so..
Am I missing something or will storing your passwords not be a decent idea for websites… if the site is phishing, then the IP won’t be exactly the same so your browser won’t automatically insert your info. This really only works if you have different accounts on your PC or no one else uses your computer but it works to a degree for me.
As far as VOIP, working in the VOIP industry, every call has an associated IP that your logger will catch; if ppl simply verify the IP then they should be able to avoid this… then again I have to agree with the first reply to this topic… classic
http://61.6.64.141/https:/www.paypal.com/cgi-bin/us/webscr.php?cmd=_login-run
These guys are so stupid….. Everything is messed up, you can’t click on any other buttons. First off, it is not https://www.paypal.com/, never log in to anything but that-…..Try entering in anything you would like for the user name and password, it will log you right in….. this is a big sign that it is so fake…
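The autofill idea raised a few comments up and the lookalike URL quoted in this comment, as one added example (not code from the post or its commenters): an origin-keyed credential store matches on scheme, host and port, so a page that only carries the real hostname in its path gets no fill. The saved credential is constructed.

```javascript
// Added example, not code from the post or from any commenter: an
// origin-keyed credential store, the property that lets browser autofill act
// as a phishing check. A credential is saved under scheme://host[:port] and
// offered only when the page being visited has exactly that origin.

// Constructed sample vault: one credential saved at the real PayPal login.
const vault = [{ origin: "https://www.paypal.com", username: "alice" }];

// Reduce a URL to its origin; null if it does not parse at all.
function originOf(urlString) {
  try {
    // .origin keeps scheme, host and non-default port only. Userinfo, path
    // and query are dropped, so a real hostname smuggled into those parts
    // does not count.
    return new URL(urlString).origin;
  } catch {
    return null;
  }
}

// Usernames the store would offer on this page (empty = no autofill).
function credentialsFor(pageUrl, store = vault) {
  const origin = originOf(pageUrl);
  if (origin === null) return [];
  return store.filter(c => c.origin === origin).map(c => c.username);
}

// Warning when a saved hostname appears outside the host part of the URL,
// the trick used by the IP-hosted "paypal" link quoted in the comment above.
function lookalikeWarning(pageUrl, store = vault) {
  let u;
  try { u = new URL(pageUrl); } catch { return null; }
  const outsideHost = (u.username + u.pathname + u.search).toLowerCase();
  const hit = store.find(c => outsideHost.includes(new URL(c.origin).hostname));
  if (!hit || u.origin === hit.origin) return null;
  return `page origin ${u.origin} is not ${hit.origin} but embeds its hostname`;
}

// Only the exact origin matches; the lookalike and an http:// downgrade get nothing.
credentialsFor("https://www.paypal.com/cgi-bin/webscr?cmd=_login-run");           // ["alice"]
credentialsFor("http://61.6.64.141/https:/www.paypal.com/cgi-bin/us/webscr.php");  // []
credentialsFor("http://www.paypal.com/");                                           // []
```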
Biometrics
Biometric identification is so not the way to go for identity verification. First off there is the simple fact that the tech is nowhere near ready yet, with the current rate of false positives, and the sheer price of the hardware (decent quality hardware, not those mice with thumbprint readers off ebay). This will improve over time, but there is no technological solution that is completely foolproof. And with an ever expanding database of fingerprints, it is more likely that two will be similar. Law enforcement agencies only use their fingerprint databases to find suspects, and then the prints are checked manually, before the suspect is even looked at.
Also, Identity Theft. I can change my account number, card number, pin number, and even my name if I want, but without major surgery, which isn’t even possible yet, I’m stuck with my fingers and eyes.
Consider getting mugged for your biometric account; really you have two choices.
1. Give me your card and pin now!
2. Give me your card and your eyes now!
Decisions, decisions……
And Identical Twins.
It doesn’t help when actual banks phone up and ask for verification information. My bank phoned me last week because of “suspicious” activity on my credit card, and then asked me for my date of birth etc for security – only after I said no did they tell me to call them back on the number on the reverse of my credit card.
A Fool and his money
…are soon parted! Poor Baby Boomers.. could somebody’s grandkids please help them understand the INTERNET!!
It's the encoding
I have yet to find a single phishing mail message in plain ASCII. The reason is quite simple: it does not work this way. So, why are there so many idiots working on ever more complicated encoding schemes, like MIME and HTML for something that is as simple as a plain text message? People who write such junk software should be made responsible. But by whom? The stupid customers who use this junk deserve it!
I'm getting it too
It may be legit BofA practice to ask for this ATM Card No. and ATM Card PIN, but this is the first time I’ve seen it and it’s sooooo stupid for many reasons. Firstly, it is NOT secure. There are many ways to find this info after being submitted: keyboard capturing/screen capturing trojans and unencrypted wifi links everywhere. And yes, you can make an imitation card with the account Number if you know how.
It also reverses decades of bank policy which states you will never be asked for your PIN under any circumstances. Stupid, stupid, stupid ….
And as a previous poster already said, IF this becomes normal and standard practice, then it opens the doors to real phishing sites asking exactly the same question and people being much more likely to type in the info.
I hope someone from Bank of America is reading this !!! The secure smart card, with time code, which I believe BofA already has as an extra option is the best way to go.
my 2 cents…
And of course, when I typed in my info, they said we can’t do it at the moment, please call us. 🙁 Stupid bank.