social.coop is one of the many independent Mastodon servers you can use to participate in the fediverse.
A Fediverse instance for people interested in cooperative and collective projects. If you are interested in joining our community, please apply at https://join.social.coop/registration-form.html.


Bjorn Toft Madsen

I was the victim of an extremely clever card fraud/social engineering hack.

Well, partly a victim since I managed to stop it.

I was called by my bank, as they wanted to “verify some suspect transactions on my account”.

Then things got weird…

🧵

I was informed that there had been a charge for £2900 on a travel booking site.

As this conversation with my bank’s counter-fraud team was happening, I logged into my bank account and could see the fraudulent charge.

“Was this you?”

No, it definitely wasn’t me. Phew, well done for catching it.

“Also, sir, there is another transaction occurring right now that seems odd - for £5900 at Marbella Boat Hire. Is this you?”

Nope, that wasn’t me either.

At this point, my pulse was obviously raised and I was worried what else was going on.

“Ok, sir, we are going to send you a verification code, which we need you to read back to cancel the transaction”.

Ok, bit odd, but yeah, let’s go and get these cancelled.

Then a text/SMS message arrives with a six digit code. I put the call on speaker so I can read it out.

And I notice something odd…

The full text of the message says: “Do not share this message with anyone. To approve the purchase from Marbella Boat Hire for £5900, use code 638267”.

Hold on, I say, this says “to approve the purchase”!

“Ah, right, sir, we’ve had a few problems with our messaging system, so I’m not 100% sure what the message actually says. We just need the code so we can get the purchase blocked. You can ignore the start of the message”.

My spider-sense is tingling, so I challenge…

I can’t share this code, I say.

“No, sir, that’s very smart. I’m so sorry about our messaging system being odd. Let me send you a notification inside your banking app instead”.

The notification arrives and I open my banking app, thinking a hitherto unseen red warning label is about to show me a button that cancels a transaction inside the app.

But again it just says “to approve this transaction”.

Now I’m starting to worry …

So finally I say, look, I need to call my bank directly. This all seems a bit odd.

And then, naturally (in retrospect), the guy hangs up.

I call my bank. They verify that it wasn’t them.

So, very cleverly, the fraudster has used their first fraudulent transaction to socially verify that they knew something only a bank could know - about transactions on my card.

They used that transaction - that they themselves had done - to get me to read a 3D secure code to approve the next transaction that they also wanted to do.

They were able to do this because the first transaction had happened on a site that didn’t use 3D secure. I’m surprised this is still possible.

In the end, my bank refunded the first transaction. So I haven’t lost anything.

But it shows the clever tricks fraudsters will try to pull and how easy it is to be fooled by the “boiler room” trick. “IT’S HAPPENING RIGHT NOW - DO SOMETHING QUICK!”

End 🧵

@BjornToftMadsen that's fascinating. And easy to see why people would fall for that.
I wonder where they got your card details *and* phone number from?

@Edent yes this is also what I can’t understand. I have it on authority that a bank can be tied to a 16 digit credit card number (the issuer ID is embedded), but how they got my phone number I still cannot understand. I shred religiously.

The only way I can see this happening is with a dodgy purchase form from a website, one where you also supply a phone number.

As it happens, I’ve got my suspicions on one particular site, which I’ve shared with the bank.

@BjornToftMadsen personally, I think shredding is over-rated (unless you're a person of interest). Seems far more likely a dodgy site, or a legit site which has been hacked.
I've started using a separate phone number for purchases. If a call from "my bank" comes through on that, I know it is fraudulent.

@Edent @BjornToftMadsen not too many years ago (12?) I knew a guy working at the local garbage dump. They had a contract with most businesses in the area to collect and sort their garbage. What they did at the time was manual sorting, which meant some of them sorted out all papers. Of course they read some of the papers aloud to much amusement.

Since then I have shredded or burned all papers with personal info. Never put them open in the bin.

@fere @Edent @BjornToftMadsen
Always. My own personal info, or anybody else’s.

@fere @Edent @BjornToftMadsen There's a group of people in Albuquerque that rummage through trash looking for bags full of paper, I suspect mostly for expired credit cards (which surprisingly still work). If bank statements or utility bills are in there, you're hosed. It happened to me, but thankfully they didn't get more than some gas.

@nonlinear @fere @Edent @BjornToftMadsen Albuquerque has recycling bins which I would guess make this easier. Just dive in the blue bins. I shred everything, then stick it in the recycling.

@fere @Edent @BjornToftMadsen

When I worked in computer operations for a bank, we printed people's statements. One time, someone found the bank statement of one of my fellow operators and posted it on the wall. The guy withdrew his funds and switched banks the next day.

I have some fraud stories too, but this invasion of privacy was so appalling...

@apgarcia My mom got fired from a bank because a fellow employee was running their fraud scheme through her accounts. After that they simply did it to someone else, but nobody was interested in absolving her, of course. 🤷‍♀️

@fere @Edent @BjornToftMadsen I shred paper with personal info then put it in my compost - it may as well be useful for something.

@fere @Edent thrice now have I encountered paper collection gone wrong. Over here, paper is collected separately on distinct days. Some municipalities offer bins for this. Some just ask to pile carton boxes at the curb.

Once, said boxes blew and rained away. Street was littered with two of my neighbors' paper. I then knew: one had serious financial trouble and the other was graduating. That was the day I bought a shredder.

Later, twice, a bin tipped over, other neighbors' papers everywhere.

@Edent @BjornToftMadsen I can second using a different number to give to places you don’t trust (I use a VoIP one from @aaisp for this) but I’ve also had one site insist I change it post-signup as it wasn’t a “real” number!

@ninkosan @Edent @BjornToftMadsen @aaisp Sounds like they have GDPR backwards - they have an obligation to correctly record your personal information, and a phone number you have said is yours (and is) is what they have to record for you. 🙂

[No the ICO have no clue on this either]

@revk it was a bit weird tbh. They obviously knew it was a VoIP number and didn’t like it. I just used said GDPR to delete my account in the end 🙂

@ninkosan I think all 5G mobile are VoIP, are they not? And soon all UK PSTN "landline" numbers will be VoIP as well. Saying a VoIP number is not "valid" makes no sense.

I've also had someone moan at an 07 they claimed was VoIP. I suggested another, which they said was acceptable. My explanation that the first went to my actual mobile, and the second (ported to another operator) went to my VoIP desk phone, did not faze them at all. There is no logic to the complaint!

@Edent
Shredding is not over-rated.
I'm no longer in hacker circles, but digging through trash for information was quite common when I was.
@BjornToftMadsen

@Edent
I find few reasons why a vendor should need my number when there's a perfectly valid email address right there; so I often plug in my old landline number... The phone company may have reissued it, but it's certainly not me answering
@BjornToftMadsen

@Edent @BjornToftMadsen ”Legit site”

Last count I saw there were some 8000 data brokers selling and re-selling your information. Firms like Klarna may or may not sell your data (last I checked their data policy basically said they promised to not send your data to the Bahamas unless they really wanted to), and for many of them selling data is an important source of revenue, if not the main one.

@Edent @BjornToftMadsen My point is that “legit” sites use those firms and have very little control or insight or understanding of what’s going on. So maybe “legit” is a bit of a misnomer.

Also they quite often leak information, don’t even have to be hacked. Like the Swedish pharmacy that leaked the data of a million customers because they didn’t understand how Facebook works.

@Edent @BjornToftMadsen

Now that's an interesting idea. Virtual phone numbers along with virtual card numbers (if UK banks would get serious about them).

Make both accessible from an app or website and we have a very useful service 🙂

@Edent @BjornToftMadsen I caught someone fishing mail out of my dumpster once. I shred pretty much everything now, on the theory that it's good to have a healthy mix of shredded nonsense in with the important stuff.

@BjornToftMadsen @Edent Or your phone number was in one of the many data breaches that seem to be occurring with increasing frequency.

@Dragon @Edent yeah … but they also knew my credit card number. Maybe they’ve aligned two lists.

@BjornToftMadsen @Edent Or someone was storing credit card info and both bits of data came from the same source. (I know they're not supposed to store CC data but there's plenty of places that still do it anyway)

It's not uncommon for retailers to ask for the phone number during the order process so it's feasible someone had both together.

@BjornToftMadsen @Dragon @Edent I could buy a shitty hotel that stored more data than they were supposed to

@BjornToftMadsen @Edent We had something similar in South Africa a couple of years ago and it turned out to be an inside job by a bank employee working with a mobile phone company to reroute calls.

@BjornToftMadsen @Edent The great majority of this information is obtained from ecommerce site leaks. Those data are for sale in bulk. I personally use virtual credit cards that I delete and re-create every few months and when a phone number is mandatory, I use a number not associated with any card/bank account.

@BjornToftMadsen They got me a little further - I read out the first one before realising, hanging up, and calling my bank.

The bit that really concerned me was not just that they had my phone number - they had some other "verification" (which I can't remember most of) which included an old address. I have not worked out how they got the other information. @Edent

@BjornToftMadsen Easy: Some WhatsApp-User shared contacts @Edent

@BjornToftMadsen @Edent It could be social engineering with the bank's customer support. Especially if they already have your name and card number, they might have tricked a CS rep into revealing your phone number like "oh I forgot what phone number I had with this account, what was it?"

@BjornToftMadsen @Edent It's possible they got it scraped from somewhere.

Though while we're all focused on that, my next thought is "What if they just robo-called a whole suite of numbers until they got the right one?".

That is, if they verified your name before telling you that the bank transaction was bad, they could've limited down the number of people they needed to spoof the transaction for significantly.

@BjornToftMadsen @Edent Like, if they know *where* you live (Based on banking address stuff, IIRC the card number helps identify the main host branch for the banker), they can limit it down to a phone's area code pretty easily.

Doubly so if the card number was found *in* the area code area.

If they have an image of the card, first and last names are on there too, and the card expiration information there.

@BjornToftMadsen @Edent They'd have the name of the banking institution, so if they go online, and they had the CVV on the back, they might just try to send a password reset command, and back out just before 2FA trips in - depending on the setup, that screen might say "We'll send an SMS to (***)-***-**zx." That means they only have 59049 numbers to run through, if they already have your area code.

@BjornToftMadsen @Edent maybe a site got hacked where you ordered something and left your card- and phone number?

@BjornToftMadsen @Edent I use an app called Privacy, it makes proxy cards that only work with the merchant that first uses it. It also makes one-time use cards and lets you set limits. Might be worth looking into.

@Edent @BjornToftMadsen

Back in February, an auto-generated email from my bank alerted me that a travel authorization had been placed on my checking account, meaning I’d supposedly cleared upcoming usage in the Turks & Caicos, which I actually had no intention of traveling to. I logged into my account and while I was deleting that authorization (and calling bank security) three more notifications came through, for Mexico and elsewhere. Managed to avoid losing $.

@BjornToftMadsen
Data matching - they will have gotten different pieces of information from different data breaches and put them together to say "here's this person's name, phone number, email address, bank account and credit card number". You can buy packages of information on individuals like this for pitifully small amounts of money on the dark net (about US$2-3 per account).
@Edent

@BjornToftMadsen @Edent that’s why I never enter a real phone number in such cases (unless absolutely required for a good reason); when 0000 doesn’t do, 0123456789 tricks most “phone number” validators.

@BjornToftMadsen @Edent

The sheer number of data breaches exposing millions of accounts is mind-boggling. Did someone go through your garbage or socially engineer someone at your bank? Possibly, but there have been 23 reported breaches in Aug alone. Subscribe to Have I Been Pwned's RSS feed. Yikes.

@BjornToftMadsen @Edent

After I was hit by ID Theft back in 2000, when it was still called fraud, I started using disposable credit cards.

It vastly reduced the available attack surfaces. :D

One friend uses unique spam-catching email addresses to sign up for individual services to trace the data leaks.

This could be done with credit cards as well.

@Edent @BjornToftMadsen A data leak from a shopping site that has payment details and customer details.

@Edent @BjornToftMadsen An employee of a cereal maker’s online shop shared my details once with friends in the Balkans. So it doesn’t have to be the evil “hackers”. Got everything reversed after I got the call from my bank asking if I had just purchased airline tickets in Split.

@Edent @BjornToftMadsen something like this happened to an acquaintance of mine, when he was in BVI. Card chip and phone sniffers apparently are real & in the hands of criminals.

@BjornToftMadsen when I’ve had calls from my bank I always ask for a name, then tell them I’m going to ring them back from the support number on their website. General confusion from the bank, but so far it’s worked every time. Luckily I’ve not yet had a fraudulent call.

@robinwhittleton agreed that this is the right way. And indeed when there was a risk, that’s exactly what I did.

But you can see how people get fooled.

@BjornToftMadsen @robinwhittleton

Saw a story a while back (UK) claiming that the phone call only ends when the caller (the fraudsters) hang up. So when the mark hung up and tried calling the bank (as instructed!), the fraudsters were still on the line. It wasn't stated whether they faked dialling tones.

@BorisBarbour @BjornToftMadsen @robinwhittleton I think they actually changed the way the UK phone system worked a few years ago to avoid that!

@BorisBarbour @BjornToftMadsen @robinwhittleton
That definitely used to be true in Ireland, with landlines.