More Phishing

Hot on the heels of my phishing lesson from Barclaycard I had a phone call yesterday from my bank. Well I’m pretty sure it was my bank. The guy on the phone said “Hello, this is whoever from Lloyds bank. To confirm your identity could you please give me your date of birth and your online banking password?”. The point is that he called me; he could have been anyone. The only credential he offered was that he knew who I banked with; not hard to find out. In fact I’ve just told you all that it’s Lloyds…

I explained to him that I had no way of knowing that he was who he claimed to be and - after a pause - he came back with some details from my bank account that presumably would only be known to me and the bank. At this stage I should have teased him: “Thanks for that; when Andy gets back I’ll let him know you’ve just divulged confidential details about his account to me”. I didn’t but if they call again I think I will - I feel obliged to find out what kind of reaction that produces.

You’d think the people who design these procedures for the banks would have enough security savvy not to actively encourage people to fall for such simple social engineering tricks though, wouldn’t you? I have to admit that I only just managed to stop myself from giving him my details without authenticating him - and I actually know a bit about this stuff.

I suppose the full exploit works like this: phone someone up posing as a marketeer and say “May I ask who you currently bank with?”. Make a note of their reply and then pretend to get cut off or follow up with some fake marketing guff. Then some time later phone up again and say “Hello, it’s Conman here from <insert name of bank recovered at stage one>. Before I continue please verify your identity by giving me your password”. That’s it - you now have all the information you need to take control of their account.

5 Responses to “More Phishing”

  1. Olly Says:

    Hang on a second - he asked for your online banking password? The sort of thing that the banks themselves tell you that you should *never* give out to anybody.

    Twattus clottus.

  2. Andy Says:

    Sorry - it was my /phone/ banking password. Which is just as bad I think…

  3. matt Says:

    Ask THEM for their password next time, I am sure as hell they’d not give it ;)

  4. Bez Says:

    Had the same recently from Cahoot.

    “Hello, it’s Bob from Cahoot. I need to speak to you about something important but first I need to verify your identity, can I have your date of birth please?”
    “No.”
    “Why not?”
    “Because I don’t give out security details to random callers.”
    “But if you don’t tell me then I can’t give you this very important message.”
    “Suits me.”
    “But… but…”

    In the end I gave him my date of birth as I figured it wasn’t hard to find, and the “very important message” turned out to be some sales blurb about some savings account, which they could have happily messaged me about on my account page and didn’t seem to require any security information anyway. So the poor chap got shouted at.

    It does seem absurd, and Cahoot didn’t come up with any useful reply as to why they were doing it either.

    There’s no money in the account now.

  5. brant Says:

    I regularly ring people up because they’ve entered their CC details wrong when placing an order with us.

    I use my “line 1” number (with my free minutes) rather than my “line 2” one, and in spite of this people are perfectly happy to rattle off their CC details even though I tell them “you know I could be a con man, about to run off to Brazil”.

    Quite odd really.

    I’ve had someone ringing, at 5 to 6, several times, claiming to be from Quoteline Direct who do my car insurance, asking for CC payment for missed payments on my car insurance. I always ask them to put it in writing, or email me, but nothing.


Copyright Andy Armstrong, 2005.