[HN Gopher] I'm a scam prevention expert and I got scammed
___________________________________________________________________
I'm a scam prevention expert and I got scammed
Author : matiskay
Score : 404 points
Date : 2022-03-31 16:50 UTC (6 hours ago)
(HTM) web link (www.lupinia.net)
(TXT) w3m dump (www.lupinia.net)
| iratewizard wrote:
| This speaks more to the incompetence of supposed experts and less
| to the sophistication of scams.
| BenjiWiebe wrote:
| Agreed. I wish someone would try this level of attack against
| me - I'm 99% sure I wouldn't have fallen for this particular
| one, but how can I truly know without going through it?
|
| Anyways, I am extremely aware of caller ID spoofing. I use it
| myself to show a usable callback number on a VoIP outgoing-only
| line.
|
| And the 2FA - I would be incredibly reluctant to give a code
| over the phone, even if _I_ had initiated the call.
| Sebguer wrote:
| I honestly had this exact same scam happen to me, and
| probably came 50% of the way through falling for it.
| Especially since it happened just a few weeks after I had
| actually had my card compromised, and used for fraudulent
| transactions.
|
| I got the same text about "confirming fraud transactions" and
| then a phone call from "my bank". I nodded along at his
| script for a few seconds, before I remembered the constant,
| unending advice of: "if your bank calls you, hang up and call
| back on the fraud number listed on your card". I told the
| person I'd do exactly that, and hung up.
|
| I then checked my card account and confirmed that there
| actually weren't any fraudulent transactions, so didn't
| bother calling.
|
| That said, I can absolutely see a world in which a tired or
| otherwise frustrated me would just follow along the script,
| and with a similar background to the author (I'm not a
| security professional, but I work in fintech and on security-
| adjacent things):
|
| > I also find it entirely plausible that Apple (or Google)
| would require a bank to jump through these kinds of hoops in
| order to remove a fraudulently-added payment method from
| someone's account, and that Wells Fargo's system would be so
| janky and sloppily-built that this is the least awful way
| they could figure out how to do it.
|
| This honestly resonates with me as a plausible thought path.
| I'm pretty confident that I wouldn't have actually provided
| the two-factor code, but again, everyone has off days, and
| everyone makes mistakes. That's the core of all of this, that
| endless refrain: defense has to work 100% of the time,
| offense only needs to work once.
| benji-york wrote:
| Sounds like a product idea: Red team for the family
| myfavoritedog wrote:
| TrianguloY wrote:
| "I was tired"
|
| This says it all. You may be the best expert and everything you
| want, but when you are tired you are no longer an expert, and
| it's something you practically can't learn to self-identify.
|
| If you think that X will never happen to you, wait until you are
| tired and we'll see about that.
| KT-222 wrote:
| I was at my local coffee shop yesterday when the manager was on
| the phone for 10+ minutes with a scammer. Was a new one to me.
|
| The landline caller ID showed "Madison Police Dept" - the local
| police. The caller introduced themselves as an investigator
| working a case with counterfeit bills. "Don't contact your
| boss/owner because we are not sure if they are in on it." The
| caller knew details like employees' names and the layout of the
| store. The manager was going through the cash in the back
| "confirming" serial numbers when the owner got in touch and
| cleared things up.
|
| I was confused about the end game for the scam, but online I've
| read a version where they send a courier to pick up the
| "counterfeit" bills. There's also a version where they convince
| the employee to purchase moneypak cards to be deposited into an
| account so that the 6AM audit shows balanced books making up for
| the counterfeit bills that will be confiscated. [1]
|
| To a person that doesn't know caller ID can be spoofed, getting a
| call that shows up as coming from the local police department can
| put you in a mental state that it 100% is the police, and it will
| take a lot of counter information to realize that it isn't.
| Between that and the convincing reason to "don't tell your boss",
| I'm afraid this might be an effective scam until it's more widely
| known.
|
| [1]
| https://old.reddit.com/r/Scams/comments/ryp4fg/i_got_scammed...
| Giorgi wrote:
| So... where did they get his/her details that she/he was so
| surprised by? Was it a bank breach?
| stretchwithme wrote:
| Why would an expert on scam prevention answer the phone?
| Markoff wrote:
| On a related note - I work for an Asian company which sends me
| money to Europe through their US "offshore" bank account in Wells
| Fargo.
|
| I'm receiving monthly payments, but once a payment bounced back
| because my local EU bank switched their intermediary bank,
| something a normal client shouldn't care about, but I learned
| about it the hard way because WF is not updating their database
| of intermediary banks and routed my payment through an outdated
| intermediary bank.
|
| I was pretty pissed about my own bank not informing me about
| changing the intermediary bank, so I changed my receiving bank
| to a different one, although in the end it was Wells Fargo's
| problem, not keeping their records up to date.
|
| Guess what happens years later after my other bank merged with a
| different bank: Wells Fargo once again ignores the new
| intermediary bank and bounces back the payment.
|
| I dunno if this is the standard US international banking
| experience, but I find it extremely unprofessional and unheard of
| in other countries that payments would be bouncing because a bank
| is too lazy to update their intermediary bank database; not sure
| what operation they are running in Wells Fargo.
|
| In the end the company made an exception for me and they are
| sending me money directly from their Asian account, because
| apparently you can't get a worse banking experience than with US
| banks.
| shevis wrote:
| Simple solution to this: Never do anything important or give out
| info on an incoming phone call. Always hang up, find the proper
| number online, and call back to continue the conversation.
| xarope wrote:
| Scams are getting more and more sophisticated. We've always known
| that when you write a playbook, sooner or later the red team will
| find holes in that playbook. Perhaps that's where ML/AI comes in,
| since you can train them, but you never really understand what
| they really "learnt" from that training (/s sort-of, but the
| famous amazing snow/husky classifier always comes to mind)
|
| Personally, I've received such calls before, and the first thing
| I'd ask for is a case number, and that I would call the support
| number printed on my credit card, to get back to them. Of course,
| if someone co-opts that number, then I'm also SOL, but I'd
| imagine then this would be engineering on a larger scale, rather
| than a specifically targeted whaling attempt.
| buscoquadnary wrote:
| Security theater. I had a situation where I had to buy something
| online from a company in Europe (owl4thunderbird) I placed the
| charge and then right after I got a text telling me to call a #
| for a possible fraud alert.
|
| That's a big red flag there. So I try and find the phone # of the
| fraud dept of Citi because anyone can send a text message. Turns
| out I can't find it anywhere on the official Citi site. So I
| finally gave up and called the phone #; before they could go
| further they asked me to confirm a 2FA they would text to me. At
| that point I noped out and decided if it was a real problem I'd
| find out about it another way.
|
| The problem is I now know how easy it is to break into any Citi
| account: just send them a text with a # and pretend to be the
| bank. The worst part is every every every message I get that is
| actually being secure always says "You will never be asked for
| this code" and every time they ask for it.
|
| It is security theater of the worst degree by incompetents and
| MBAs and I am getting sick of it.
| hunter2_ wrote:
| > always says "You will never be asked for this code" and
| every time they ask for it.
|
| Yes, but the real meaning behind that phrase is "You will only
| be asked for this code by pages served by our domain name or a
| native app we published." It's unfortunate brevity.
| buscoquadnary wrote:
| Sorry the exact message is something like you will never be
| asked for this by a real employee.
| hunter2_ wrote:
| Oh I didn't mean to suggest the brevity was your doing.
| I've seen it the short way first-hand, but yes, more
| typically it's pretty decent, as you've clarified.
| drdaeman wrote:
| Hell, I wish there were some zero-knowledge proof protocol
| that can be performed with a pen and paper over a phone call.
| You know, like Dining Cryptographers or Solitaire cipher. Maybe
| there is something, but I'm not a cryptographer and not aware
| of it.
|
| Though, of course, it's completely unrealistic to expect that
| some bank person would agree to do some weirdo math tricks with
| SSN numbers :)
| compsciphd wrote:
| isn't there a phone # printed on your credit card?
| [deleted]
| buscoquadnary wrote:
| Only the customer support number, not the fraud number
| specifically and at the time I didn't have the time nor
| patience to navigate through a thousand mile phone tree and
| wait on hold for 8 hours.
| KMag wrote:
| Side note: if unexpectedly getting a new card, call the support
| number on your old card. A friend of mine almost got taken
| about 15 years ago by a scam where someone got his address and
| bank name, then sent him a fake credit card from that bank with
| a letter saying something like fraud had been detected and they
| were sending him a replacement card. When he called the number
| on the new card's activation sticker, something seemed off and
| he balked when they asked for his SSN. He called the support
| number from his old credit card and confirmed that he had in
| fact not been sent a new credit card by them!
|
| Hopefully we can at some point stop treating an SSN as a
| universal password that can never be changed. At least mother's
| maiden name stopped being a universal security question.
| camtarn wrote:
| Whoah, that's a pretty smart attack.
| Loughla wrote:
| >It is security theater of the worst degree by incompetents and
| MBAs and I am getting sick of it.
|
| It's security theater giving people exactly what they want.
| People want to feel secure, but they don't want any amount of
| actual difficulty in getting what they want from Company A.
|
| Like it or lump it, but regular people really don't want actual
| security. They want the ease and convenience of no passwords at
| all, and want someone to blame in case something goes wrong.
| rhizome wrote:
| Of course people want security, how can you say otherwise?
| What you seem to be talking around is that security
| researchers have been unable to figure out simpler forms of
| maintaining a true sense of security, simpler forms of
| reliability. There is no survey where people say they don't
| want these things, and if you're relying on the sales figures
| for Yubi keys or something, that's not a good indicator.
|
| And of course people don't want difficulty! That's why we
| don't hand-crank to start our cars anymore. Blaming people
| for wanting faster horses[1] is a convoluted anti-
| intellectualism where the experts who actually know what's
| possible are let off the hook. All in all, if you ask me this
| should be a locus of UI/UX research.
|
| 1. https://hbr.org/2011/08/henry-ford-never-said-the-fast
| Kalium wrote:
| You're absolutely right. People _do_ unquestionably want
| security! They want privacy too!
|
| The issue that the parent is alluding to is that the same
| users who want these things seem unwilling to make
| decisions or change behavior to get that security or
| privacy. Those of us working with security and privacy
| often wind up with the sense that users want them, but also
| that users expect them to be automatic and perfect and
| free. This starts with the computer-illiterate user who
| finds passwords confusing and goes all the way to
| developers who find it irritating to be forced to update
| the libs in their docker images.
|
| Are there better ways? I sure hope so. So far we don't have
| simpler forms of maintaining true security or simpler forms
| of reliability. We just have cheaper ways of maintaining a
| sense of security - and that's theater.
|
| I don't blame people for wanting faster horses. We don't
| have them on offer though, so in the meantime it might be
| nice if they were willing to consider what's available.
| 1ris wrote:
| >They want the ease and convenience of no passwords at all,
|
| That's not what I see. I see people looking for
| inconvenience. Expiring passwords. Password requirements, so
| you have to write your passwords down. (You will change it
| soon, anyway) "Security" questions. Lock-Screens, session
| limits. 2FA-SMS. That horrible and insecure Microsoft 2FA
| that was on the frontpage yesterday. IP-geolocation voodoo so
| you can't log in from a different ISP/cellular/your parents
| place on this supposedly world wide internet. It's not like
| these things happen on their own.
|
| Computer illiterate people think that these inconveniences
| bring them security.
| thatwasunusual wrote:
| So. Not an expert, then...
| kmeisthax wrote:
| These 2FA bypass scam calls genuinely unnerve me - because
| they're specifically designed to trick someone who _knows how
| scams work_ and has actually put some effort into securing their
| accounts.
|
| Hardware authentication factors are, of course, immune to these
| sorts of attacks because you can't confuse the victim into
| forwarding their second factor back to you. However, I don't see
| why you couldn't construct a specific scam setup for those.
| GTP wrote:
| But they could still try to trick the victim into reading the
| code for them.
| swalsh wrote:
| I got a really weird call yesterday from some place claiming to
| be the medical center where I was a patient 5 years ago (I go to
| a new place today). I was a bit suspicious simply because it's
| been years since I've been a patient there. But there are many
| plausible legitimate reasons for calling me. However the first
| thing they did was "verify" me by asking for my date of birth and
| home address. I was disarmed at first because the lady was
| clearly American, and sounded bored. But I was still hesitant to
| give up any information on an incoming call. So I asked for some
| way for me to call them. She gave me a phone number... which was the
| same one calling me, so I hung up. I looked up the phone number,
| but it was just a random landline from SC (this was a MA based
| business). At this point I gave up, and decided if I owed some
| money they would probably send something in the mail. But it
| makes me wonder if there's a new class of scammer out there with
| a bit more sophistication.
| woah wrote:
| Easy way to avoid this: don't answer the phone
| nonrandomstring wrote:
| I think it was the movie Phone Booth that begins with the line
|
| "A ringing phone demands to be answered"
|
| Technology projects a form of authority (disconnected from any
| real power) in the same way that written words were synonymous
| with truth for illiterate 13th century peasants.
|
| To follow your logic, which I am not criticising as it's a
| valid approach given how dysfunctional cellphones are as
| trustable systems, I would say it's better not to _have_ a
| phone. But there's the road to living in a woodland shack and
| eating spider and squirrel broth.
| akeck wrote:
| The rule in our family for a number of years now has been,
| "If the number is not in your address book, let it go to
| voicemail." We have the landline ringer off and always let it
| go to voicemail. As an 80/20 solution, it's been remarkably
| effective so far.
| alana314 wrote:
| The scammer spoofed the Wells Fargo customer service line
| in caller ID though.
| fierro wrote:
| interesting post, but tough to take any security-minded blog
| seriously when served over HTTP
| troon-lover wrote:
| denton-scratch wrote:
| He "relayed" an "Apple Authentication Code" from an email to this
| Daniel fellow, right? Presumably he read it into the phone?
|
| That's where (I hope) I would have stopped; if X sends me an
| authentication code, the only reasonable place to send it back to
| is X.
|
| Also, I think the real fraud department would be completely OK
| with me saying "Oh, thanks for spotting it. I'd like to call you
| back now please - give me your name and the name of your
| department, and I'll look it up and call you back - what do I do
| to bypass transfer hell?".
|
| Getting on the blower to Wells Fargo on the other line was smart,
| but you need to have multiple lines at your disposal.
| jordanmoconnor wrote:
| I never pick up the phone if it's a number that's not in my
| contacts. You can leave a voicemail.
| PopAlongKid wrote:
| I almost got scammed regarding renewing my software subscription
| with Intuit. I got a voice message indicating that my credit card
| on file for the renewal was expired (true) and that I should call
| back at the number given. That was my big mistake; given that _I_
| made the callback, I overlooked the fact that I had not myself
| looked up the number I was calling. But how did they know my CC
| number was expired, and that my annual renewal date was coming up
| soon?
|
| When I called, I immediately got connected to a live person.
| Second mistake: you can _never_ get through the voice menu to a
| live person so easily. Anyway, the guy sounded convincing, and
| said I could get a special discount on renewal, so after some
| further conversation, I commented that I should be able to log in
| online and get this same deal, which was my preferred method. At
| that point, he finally put me on hold and then the call
| disconnected.
| BuckRogers wrote:
| I was scammed by a kid locally. He paid me for a motherboard over
| Paypal, then months later claimed it wasn't approved. I thought
| it was fishy he mentioned to me having his little brother pick it
| up. I said no to that. And I insisted on cash, but eventually
| relented, thinking it would probably be ok. He filed a PP dispute
| and lost, as I had text messages proving the sale. Then he did a
| chargeback and won.
|
| I would've filed in small claims court but the filing fee is more
| than the loss. So I looked up all his family info and addresses,
| and next time in his neighborhood I'll be knocking on their door
| for my money.
|
| And, I'll just keep finding creative ways to chase him down,
| online and off, until the day I die. I'm never letting it go and
| eventually if I had to "take" the money from him through other
| means (him losing money), that's what I'll do. I'll be sure to
| double or triple his losses though if it comes to that.
| gnicholas wrote:
| > _He verified my name, he had the last four digits of my debit
| card number, and everything generally seemed to follow the normal
| script of a transaction verification call_
|
| There's a red flag right there -- I've never found a bank willing
| to provide any verification of who _they_ are when calling me.
| They call me and ask me to give them a code or card number
| without providing me with any proof of their identity. I've
| tried to get them to give the sum of the last 4 numbers of my
| account, but they won't do it.
|
| They always tell me to just call back using the number on my card
| and try to find my way to the right department. Super annoying.
| hunter2_ wrote:
| > sum of the last 4
|
| It's a chicken/egg problem of not wanting to give information
| first, but a one-way function (hash) is a fantastic idea. The
| collision possibilities in this particular function are
| worrisome, though.
| onaworkcomputer wrote:
| It'd be unreasonable to ask someone to perform a hash of
| those last four digits (how would your mom respond if the
| bank asked her for the sha256 hash of her card number?), but
| it could be helpful to ask questions that don't reveal too
| much information, like, "is the sum of the last four digits
| even?" or "is the sum evenly divisible by 3?"
|
| It would be difficult to come up with something you could
| reasonably ask an account holder to figure out on their own
| that also wasn't easy to randomly guess.
| gnicholas wrote:
| What I was suggesting wasn't asking the account holder, but
| asking the bank. With a little training, the call center
| reps should be able to handle adding together the last few
| digits of a card number.
|
| I agree that asking account holders for this would be
| confusing, but since the bank is the one calling in this
| case it makes sense that the caller (bank) should provide
| information first.
|
| Of course, it appears that in this guy's case, not even
| this would have worked, since they apparently had his full
| card number.
| giaour wrote:
| If the account holder has to ask the bank for a piece of
| information, the account holder will also have to produce
| it for comparison.
|
| Summing the last four digits could unintentionally leak
| information (what if those digits are all zeros?), so the
| challenge question should be carefully chosen by the
| bank, not just whatever the account holder comes up with.
| gnicholas wrote:
| Can you explain what the information leak would be? Also,
| I think it's not possible for a credit card to end in all
| zeroes.
| giaour wrote:
| There may be inferences you can make from the sum that
| aren't immediately obvious. If cards can end in four
| zeros, the sum and the last four digits contain
| equivalent information, but you would also confirm that
| three of the digits are zeros if the sum was 1. It's
| something that, if I were a bank, I would want someone
| with a background in number theory to weigh in on. If I
| were a paranoid bank exec, I wouldn't trust the low-wage
| customer support reps I had on staff to vet customer
| questions for how much information they might leak and
| would instead have blanket prohibitions on answering
| questions from customers until after the authentication
| phase of the call.
|
| Questions like "is the sum even?" trade a lower
| opportunity for information leakage for a greater
| opportunity for a random guess to be correct.
| gnicholas wrote:
| I understand the perspective of the paranoid bank exec!
| But if the alternative is that their customers are
| trained to give out personal information whenever someone
| calls and says they're from the bank, that's quite
| possibly worse.
|
| It would be nice if when someone called me from an
| institution, they gave me a code that I could enter after
| calling the number on the back of my card. That way I
| would have confidence I'm talking to the bank and would
| feel comfortable giving out verification information.
|
| In the past, it has always been a headache to find my way
| back to the department that called me.
| jrochkind1 wrote:
| Don't forget the last digit is a checksum digit too.
| I still can't give you an attack for it, but I also agree
| that I definitely can't say I'm sure there isn't one.
| hunter2_ wrote:
| For sure. I wonder what the state of the art is in human-
| friendly challenges.
| Zachsa999 wrote:
| Please select pictures containing a boat.
| giaour wrote:
| "What is pictured on the front of my card?" might not be
| a bad question (assuming the bank allowed account holders
| to choose from a large variety of images or upload their
| own). It's data that the bank could capture on card
| issuance, that anyone who has been in the physical
| presence of the card could answer, and that would not be
| captured by payment systems.
| droffel wrote:
| The dataset for hashed credit card numbers is small enough
| that it can be easily represented in a static lookup table,
| or brute forced.
| giaour wrote:
| Brute forced by a human voice on a phone call? You must
| talk quickly.
| NavinF wrote:
| He almost certainly meant that sha256(card number) can be
| brute-forced to figure out what card number was hashed.
| 10^12*256 bits is only 29 TiB.
|
| So providing a hashed card number to a potential scammer
| is just as bad as providing the card number.
| indiv0 wrote:
| So just ask the other party to give you a salt they
| generate on the spot? And/or you do so on your end?
|
| You can still get targeted for a direct attack but much
| less likely to end up caught in a dragnet approach.
| giaour wrote:
| That would prevent using a pre-generated lookup table but
| doesn't help much with brute force attacks. All possible
| card numbers is a finite set, and if you have the
| sha256(card number + salt), you can figure out which card
| number was used as input given the improbability of
| sha256 collisions within that set.
|
| Keep in mind this in the context of an account holder
| asking the bank to authenticate themselves on a phone
| call using data only the bank and the account holder
| should know. sha256(card number) was an example of
| something that is obviously inappropriate, and I don't
| think sha256(card number + salt) is any different
| qualitatively.
| lucb1e wrote:
| > like, "is the sum of the last four digits even?" or "is
| the sum evenly divisible by 3?"
|
| Exactly. After only a few of these you have an equivalent
| security level to checking the four digits directly but at
| each step of the way there is a 50% chance that the
| attacker, not knowing the number yet, gets it wrong and you
| stop giving more info. If they do a thousand calls a day,
| they'll still get some people, but it's _probably_ not you
| so that's at least a small win.
|
| You might enjoy learning about PAKE/SPEKE, which has
| similar properties.
|
| > An important property is that an eavesdropper or man-in-
| the-middle cannot obtain enough information to be able to
| brute-force guess a password without further interactions
| with the parties (Wikipedia: PAKE)
|
| Just enough enjoyment to then get depressed wondering why
| nobody is using these nice things
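As an added worked example (not code from the thread or any of its participants), this covers giaour's leak analysis of the "sum of the last four" question, jrochkind1's note that the last digit is a Luhn check digit, lucb1e's sequence of yes/no questions, and giaour's point that salting sha256(card number) changes nothing qualitatively. It enumerates every possible four-digit ending, measures what each challenge reveals, and computes a blind guesser's odds of passing. The card ending "4729", the 12-digit prefix and the salt are constructed values.

```python
"""Constructed analysis of bank-proves-itself challenges over the last four
digits of a card number.  Not code from the thread; sample values are made up."""
import hashlib
import math
from collections import Counter

ALL_ENDINGS = [f"{n:04d}" for n in range(10000)]  # every possible last-4


def digit_sum(ending: str) -> int:
    return sum(int(c) for c in ending)


def luhn_valid(number: str) -> bool:
    """Standard Luhn check: from the right, double every second digit."""
    total = 0
    for i, ch in enumerate(reversed(number)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def candidates(known_prefix: str = "") -> list:
    """Endings an eavesdropper must consider.  With the first 12 digits known
    the Luhn check digit is forced, so only 1000 of the 10000 endings survive."""
    if not known_prefix:
        return list(ALL_ENDINGS)
    return [e for e in ALL_ENDINGS if luhn_valid(known_prefix + e)]


# Challenges proposed in the thread, plus per-digit yes/no questions (our own
# additions) so that a sequence of several rounds can be simulated.
CHALLENGES = {
    "sum": digit_sum,                                  # gnicholas' proposal
    "sum_even": lambda e: digit_sum(e) % 2 == 0,       # onaworkcomputer
    "sum_div3": lambda e: digit_sum(e) % 3 == 0,       # onaworkcomputer
    "d1_high": lambda e: e[0] >= "5",
    "d2_high": lambda e: e[1] >= "5",
    "d3_high": lambda e: e[2] >= "5",
    "d4_high": lambda e: e[3] >= "5",
}


def answer_distribution(name: str, pool: list) -> Counter:
    """How many endings in the pool produce each possible answer."""
    return Counter(CHALLENGES[name](e) for e in pool)


def remaining_after(name: str, true_ending: str, pool: list) -> list:
    """Endings an eavesdropper cannot rule out after hearing the true answer.
    This is giaour's leak: a sum of 1 leaves only four endings, 0 leaves one."""
    q = CHALLENGES[name]
    truth = q(true_ending)
    return [e for e in pool if q(e) == truth]


def blind_pass_probability(name: str, pool: list) -> float:
    """Best chance a caller who does NOT know the ending passes one round:
    answer whichever value is most common across the pool."""
    dist = answer_distribution(name, pool)
    return max(dist.values()) / len(pool)


def bits_leaked(name: str, pool: list) -> float:
    """Shannon entropy of the answer: expected bits revealed per truthful answer."""
    n = len(pool)
    dist = answer_distribution(name, pool)
    return -sum(c / n * math.log2(c / n) for c in dist.values())


def run_rounds(true_ending: str, names: list, pool: list):
    """lucb1e's sequential protocol: the caller must answer several yes/no
    questions in a row and a wrong answer ends the call.  Returns the endings
    still consistent with all answers and the cumulative blind-guess pass
    probability (each guess uses only the answers already accepted)."""
    remaining = list(pool)
    pass_prob = 1.0
    for name in names:
        pass_prob *= blind_pass_probability(name, remaining)
        remaining = remaining_after(name, true_ending, remaining)
    return remaining, pass_prob


def salted_hash(salt: str, ending: str) -> str:
    return hashlib.sha256((salt + ending).encode()).hexdigest()


def invert_salted_hash(digest: str, salt: str, pool: list):
    """giaour's point: a salt defeats precomputed tables but not enumeration,
    because the input space is tiny and the salt is known to both sides."""
    for e in pool:
        if salted_hash(salt, e) == digest:
            return e
    return None


if __name__ == "__main__":
    pool = candidates()
    for name in ("sum", "sum_even", "sum_div3"):
        print(f"{name:8s} leaks {bits_leaked(name, pool):.2f} bits, "
              f"blind pass {blind_pass_probability(name, pool):.3f}")
    left, p = run_rounds("4729", list(CHALLENGES)[1:], pool)
    print(f"after 6 yes/no rounds: {len(left)} endings left, blind pass {p:.4f}")
```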
| Domenic_S wrote:
| This happens with my doctor's scheduling people all the time.
| "Hi I'm calling for $YOU, will you please verify the last 4 of
| your social and full DOB?" uhhhh... no I will not, random
| person
| Isthatablackgsd wrote:
| DOB made sense because 10,000 people in the world have the
| same birth date. DOB (without PII) doesn't narrow it enough to
| identify the person. Regarding that last 4 of the SSN, yeah, I
| would never give that out.
|
| My doctor's office requires me to provide my DOB before I can
| schedule an appointment or ask questions over the phone. My
| pharmacist requires my DOB before I can get my meds from
| them. If I don't provide my DOB, they will turn me away and
| assume that I'm a scammer.
| the_svd_doctor wrote:
| DOB is often just to make sure they have the right person,
| and not an alias. But yeah, SSN, I wouldn't give it out like
| this.
| wanderer_ wrote:
| Oooh, good way to abstract out names from stories! Stolen for
| my own future use.
| alana314 wrote:
| I had a similar scam fraud call from my bank and I asked them
| to verify the last 4 of my SSN. They had it! But later they
| said they'd send a text verification but it was asking to add
| my card to Apple Pay. So I hung up and called my bank back and
| they had no record of the call. It was freaky that the scammer
| had so much info though.
| A7med wrote:
| "EXPERT"
| TheHypnotist wrote:
| That's all I could think. This guy sounds like a typical person
| prone to scams. Expert my ass.
| fleddr wrote:
| Some of the comments here are cruel and missing the entire point.
|
| Well yes, as you're slowly reading this entire case, with the
| prior knowledge that he is getting scammed, and having all the
| time in the world to find the mistake or red flag in his actions,
| sure enough you'll find it. How very smart and vigilant you are.
|
| But as the article already explains, those are not the conditions
| in which a scam happens. You don't know you're being scammed. The
| person sounds helpful, exploiting your inner desire to be
| cooperative. There's a sense of urgency, which disrupts calm and
| clear thinking. It was a very sophisticated and well prepared
| scam, which increases trust and makes you glance over or
| "forgive" small oddities.
|
| Ironically, the fact that some of you chose to criticize somebody
| showing vulnerability is very emotional behavior, not rational
| behavior. Perfect candidates to be scammed.
|
| By the way, are Americans still logging into online banking with
| a username and password? That's it? Please tell me that's a joke.
| klik99 wrote:
| There's one easy rule that could have avoided all of this - never
| give out any info on incoming calls. If I get a call or text
| about fraudulent transactions, I'll keep them on hold while I log
| into the bank website. If I get a call about a late payment, I'll
| thank them for the info and ask them to stay on while I pay
| online. If I get an inbound call with a more complex request,
| I'll ask them for their employee info and call back the official
| service number. It annoys the caller sometimes, despite always
| treating them professionally, but I keep that a hardline rule no
| matter how real it feels.
|
| I heard this from a security guy and was under the impression it
| was one of the sacred laws of security. If it's not, it should be
| - it's a rule of thumb that would stop 90% of social engineering
| attacks I hear about.
| zzzeek wrote:
| what information is actually being asked of people on incoming
| calls these days? I never seem to get any of these calls, but
| banks and credit cards etc. by now should be clued in enough to
| this stuff that when they actually call a customer, they do
| nothing more than alert that customer to proper channels they
| should initiate and follow to resolve the issue.
| [deleted]
| antiframe wrote:
| Yes, this is what I do too. I say "Thank you for the
| information. For security reasons I won't discuss this matter
| on this incoming call but I will immediately contact your fraud
| department on the number I have." They've never been annoyed
| about this. In fact, mostly they've been positively surprised.
| geek_at wrote:
| Another solution would be to find out who the scammer's
| parents are and write them. Worked for me
|
| https://blog.haschek.at/2016/how-a-scammer-stole-500-dollars...
| roozbeh18 wrote:
| I am a security guy by profession. The other day my wife signed
| up for a Tesla and they ran her credit. The next day we got a
| random call from Wells Fargo regarding an auto application and
| wanting to verify her information. My wife, confused why Wells
| Fargo was calling, did what I always ask her to do: tell the
| individual to provide her with the case number and she will
| call back, and they do not need to provide her the callback
| number. This is easy to remember for most people, and she did
| just that. It turned out Tesla has multiple financiers, which
| Tesla failed to mention, and one of them is Wells Fargo.
| tempestn wrote:
| This is good advice, despite it being a pain sometimes! I once
| got a voicemail from the fraud department at my bank, with a
| number to call back. I googled the number and all that came up
| were stories about being scammed. So I was 95% sure it was a
| scam, but called my bank directly just in case. The person who
| answered assured me they hadn't contacted me, and it was indeed
| a scam. I later got a follow-up voicemail from the "fraud
| department", from the same supposed scam number, which I
| ignored.
|
| Then, the next time I went to use my card, it was blocked. I
| called the bank again and spoke to someone new, who _informed
| me that the original calls had been legitimate_ - they had the
| same reference number and everything - and the card had been
| blocked due to lack of response!
|
| Obviously a false positive on the scam detector is less of a
| problem than a false negative, but was still pretty incredible.
| No idea what was with all the people talking about being
| scammed from that number online; I can only assume that they
| (like the first rep) _assumed_ it was a scam, since if the bank
| needs to call you, they should tell you to call back using the
| number on your card, not some random number they give you. But
| apparently that's exactly what they did.
| aceazzameen wrote:
| I had something similar. One time I got a phone call from a
| "Scam Likely" and decided to answer it. And it was an
| automated message from my bank asking if some purchases in
| another state were real or fraudulent. At this point I began
| to second guess if it was a scam or not, but had to assume it
| still was. I ended up logging into my account and seeing the
| same fraudulent purchases that it listed over the phone. So I
| called the number on my card and had it all settled. I found
| it weird that the original call was a false positive though.
| MerelyMortal wrote:
| Probably because the phone number is calling about a scam
| (fraudulent charge), and then when they hang up, people
| report the phone number as a scam because they don't
| understand the difference.
| caf wrote:
| This has a similarity to the original story here, in that the
| original sounded like: _" They behaved a lot like a scammer
| would, but I also totally expect my real bank to behave like
| a scammer would"_.
| WorldMaker wrote:
| Many banks today have communications preferences options
| and I've told all of my banks that do to _never call me
| directly_. If I receive any sort of legitimate call from
| them I immediately follow up with a strongly worded letter
| that they should not have called me and violated their own
| security policies.
|
| The only thing we can do about "bank behaviors make it
| easier for scammers" is to change bank behaviors. It's not
| an _easy_ process, but unfortunately it is a necessary
| process.
| fallingknife wrote:
| He is looking for a definite red flag that it's a scammer.
| This is a terrible strategy and he should know better. One
| suspicious act and you should hang up and call the number
| on the back of the card. Really you should just not take
| calls from the bank ever and call back on the number on the
| card.
| thathndude wrote:
| Agreed. It's easy to play Monday morning quarterback, but the
| author of this article made some pretty big blunders for an
| expert.
| blondin wrote:
| surprised too, once i read it all started with a phone call
| from author's bank. your bank will "almost" never ask you for
| your info on the phone. if they do, you don't have to provide
| it. you can ask to go to a branch in-person, or log onto the
| website to provide the required information.
|
| all banks should often remind their customers of this. mine
| does.
|
| banks and phone carriers should do scam and fraud trainings for
| customers. or friendly reminders.
| wccrawford wrote:
| Agreed. No matter how tired and annoyed I was, I'd have stopped
| dead at the confirmation code that they asked for. There's
| absolutely no way I'd have given that to them, even if it meant
| cancelling my account and using a different bank.
|
| That seems a bit extreme, but if their procedures are so crazy
| as to require circumventing another system's security
| procedures, I'm not going to bank with them.
|
| I actually had a bank send me an email asking for information
| that came from another domain, had a header that looked like
| it had been badly scanned in, and had links to domains they
| don't own. When I ignored it, I eventually got a notice that my
| car loan was in jeopardy because I hadn't provided that
| information.
|
| They had no clue why I was so upset about that email.
|
| I paid off my loan immediately and never looked back, even
| though the interest was less than I make off the stock market.
| yuliyp wrote:
| I think this is a statement easier to conclude in hindsight,
| especially as you are primed with "this story is describing a
| scam, definitely". The author describes the thought process
| and what ended up nudging them toward believing the scammer
| about the workflow. A code sent like this in a legitimate
| workflow could be plausible. Maybe it's a requirement to
| ensure that the customer is indeed acknowledging the
| operation and the CSR isn't taking actions behind the
| customer's back, for instance.
|
| The author had a lot of signals pointing toward legitimacy to
| counteract their natural skepticism, it was a stressful
| situation and the nature of a phone call puts time pressure
| into the decision making, increasing the odds of a mistake.
|
| Your example points out that false positives on the "scam or
| ham" decision do have a cost to the contact recipient too, so
| "never respond to anything" comes with risks and costs too.
| It's hard to be perfect.
| pmoriarty wrote:
| _" There's one easy rule that could have avoided all of this -
| never give out any info on incoming calls."_
|
| Also: Just call your official bank/card phone number yourself.
| This number should be on the back of your debit/credit card.
| Isthatablackgsd wrote:
| I have the same rule for online chat support.
|
| Last week, I cancelled my Netflix subscription and have been trying
| to remove my credit card details from my account to prevent a
| surprise reactivation in the future. There wasn't an option to
| do it online, so I went into their chat support and asked them to
| remove my CC information from my account. Then they asked me to
| provide my CC number to validate who I am. I told the rep that
| I am not comfortable sharing my CC information over the chat
| and prefer to only give out my service code or alternative
| information. This rep kept assuring me that it is secure and they
| can't see what I am typing in. I asked them to initiate it and
| I would decide if it was trustworthy enough to put it down. I got the
| prompt and it asked for a full CC number. I declined the prompt
| and told them that I'm not comfortable doing that. And it
| didn't help that the rep was unintentionally behaving like a
| scammer. I shared my concerns about the rep's behavior and
| remarked that scammers can say those things. The rep understood
| my concerns and asked for other information, like the email
| address that is linked to the account and what the two most recent
| activities on the device I use were. I gave out the information and
| validated that I am the account holder. Then the rep processed my
| request and I saw that my CC information was removed from my Netflix
| account.
| nilsbunger wrote:
| Banks and health care providers have aggressively trained
| customers to be ok with giving sensitive info in a received
| call. It's a real disservice to the community, but kind of a
| tragedy of the commons.
|
| I also do a callback (verifying the number they give me via a
| google search) but it seems like almost no one else does. On
| one of these calls from a bank, I asked the agent whether
| anyone else asked to do a callback, and they said no one ever
| did this.
| alskdjflaskjdhf wrote:
| Yes, this is scam prevention 101. Anyone who called you is
| always unverified. It's hard for me to take seriously a "scam
| prevention expert" who doesn't seem to know or follow this
| rule, which by itself is enough to protect you from most scams.
| Normally I try not to victim blame people for getting scammed,
| but when you've made a declaration like that you forfeit that
| right.
|
| I'll also point out that the author seems to have some
| complicated arrangement for their phone number(s), presumably
| in the name of security, that in fact got in the way of
| identifying this to be a scam.
| klik99 wrote:
| Regarding the complex phone arrangement: There's an effect,
| the name escapes me, that adding security can make threats
| less frequent but more dangerous. Sounds like he was more
| complacent because he had trust in his phone system.
|
| And I agree about author - if he had said that he violated an
| easy rule and owned that I would take his credentials more
| seriously. Everyone makes mistakes, but he didn't list this
| simple, well-known rule as a way of preventing this.
| aceazzameen wrote:
| That's good advice. I'm also wary of providing information over
| a customer service chat. A recent example that comes to mind
| was when I was price matching a product on Best Buy's website
| over a chat session. The rep confirmed the price match was
| valid and began to initiate it. And then he started asking for
| all of my personal details including, phone number, address,
| and credit card. When I politely refused, he thought I didn't
| want the price match anymore. I confirmed I still did, and he
| said he needed all of the info to place the order for me. I had
| assumed I would be sent a personalized link to order the
| product, or it would just be added to my cart (since I was
| signed in). But no, he needed personal info which would live in
| a chat log. I ended up ordering from the other retailer.
|
| Anyways, maybe there was nothing wrong with providing those
| details. Maybe they were already available to him on his
| screen. But the act of asking for that info and making it
| commonplace for people to just provide it is how so many scams
| are successful. I don't know how we get away from bad security
| practices being the norm.
| jesusthatsgreat wrote:
| Or better yet, just don't answer incoming calls that you're not
| expecting
| cjg wrote:
| Calling on the official number is a good rule. But my neighbour
| followed that and was still scammed for tens of thousands.
|
| The critical extra step that they missed was to check that the
| line was disconnected before calling out. They were using a
| landline.
|
| The scammers called them, but didn't hang up. Then, when my
| neighbour called out to their bank, they pretended to be
| answering that call - going through security, etc.
|
| My neighbour then did whatever the scammers said - because they
| couldn't possibly be scammers.
| ghostly_s wrote:
| Your neighbor just dialed the new number without hanging up
| first?
| AdamTReineke wrote:
| I could see this working if the other end played a click
| followed by and dial tone sound.
| harshreality wrote:
| Unless both sides hang up, there's something like a 10-20
| second window where the call is held open. Hanging up,
| picking up within 10 seconds and dialing, means you're
| still connected to the original caller. If they're clever,
| they might even detect the click of you hanging up, and play
| a dial tone for when you pick back up, and stop playing it
| when you start to dial.
| lostlogin wrote:
| No dial tone and no ring... Seems a difficult mistake to
| make but then again, I regularly surprise myself with my
| errors.
| bragr wrote:
| There's nothing technical that prevents the other side
| from playing dial tone and ring sounds
| e40 wrote:
| The neighbor hung up, but the scammers didn't, and the call
| was not disconnected? That's not my experience. Is this what
| you meant?
| afiori wrote:
| Apparently it is a feature Called Subscriber Held (CSH).
|
| https://security.stackexchange.com/a/100342/143105
|
| TL;DR It was just how analog phone worked, users came to
| rely on it, digital exchanges reimplemented it (with a
| timeout)
| [deleted]
| BeefWellington wrote:
| Yes, and this is how it works as another responder
| mentions.
|
| The thinking by phone companies is essentially: guy calling
| pays for the call, so we can milk each call for a few extra
| cents each time even if they're shady or a wrong number.
| mdoms wrote:
| Your neighbour dialed a new number without hanging up his
| ongoing call? Is this his first time operating a telephone?
| The scammers mustn't have believed their luck when they
| realised that was happening. Did they mimic a "brnnnnggg
| brnnnggg" sound when he dialed?
| post-it wrote:
| > Did they mimic a "brnnnnggg brnnnggg" sound when he
| dialed?
|
| Yes: https://bc.ctvnews.ca/beware-of-the-delayed-
| disconnect-phone...
|
| Looks like you would have fallen for it.
| function_seven wrote:
| The connection isn't always torn down immediately.
| Different switches behave differently in this regard. I
| remember a long time ago being trolled by a friend of mine
| who refused to hang up. I wanted to call someone else, but
| every time I picked up the handset to dial out, he was
| still on the line laughing at me.
|
| So if you're served by a switch that operates this way, the
| scammer just holds the line open, plays dialtone and
| ringback tones appropriately, and you're none the wiser.
| camtarn wrote:
| For the people who are confused: this is a fairly common
| thing on landlines in some countries, where the telephone
| exchange doesn't drop the connection until both ends have
| hung up, or in some cases when the caller hangs up but not
| the callee. So it's possible to put your own phone down, but
| when you pick it up again your phone is still connected to
| the scammer's telephone. If they play a convincing dial tone,
| then change to a ring tone when they hear DTMF, you'd be none
| the wiser.
|
| The workaround to this is to use another phone (e.g. switch
| to mobile), or if that's not possible, apparently you can
| wait several minutes until the exchange times out the
| connection.
|
| https://security.stackexchange.com/questions/100268/does-
| han...
| afiori wrote:
| I can confirm that at least once this happened to my family
| in Italy about 20 years ago.
|
| The most anecdotal statement ever, but a data point
| nonetheless.
| sometimeshuman wrote:
| I accidentally won a radio contest many years ago in this
| way. I heard "you are caller 2" and then the DJ hung up. I
| stayed on because I was confused and then a few seconds
| later he picked up again and said you are "caller 4". So I
| just stayed on and eventually said I was caller 10 and the
| 10th caller won the prize. I assume he was switching back
| and forth between two internal phone lines.
|
| I was confused because I was calling to make a song request
| and had no idea that this contest was initiated because
| they had just played a certain song.
| Spooky23 wrote:
| I did that too, except I called the wrong number and won
| Barbara Streisand tickets. Not my jam.
| caf wrote:
| Back when I was in high school and landlines were still a
| thing, we used to prank our friends this way sometimes.
| hunter2_ wrote:
| It even makes the news [0] periodically. Watch the video,
| especially 2:22-2:36 which reiterates the PSTN behavior.
|
| [0] https://bc.ctvnews.ca/beware-of-the-delayed-disconnect-
| phone...
| Phiwise_ wrote:
| Even already knowing about this I'm still mystified that
| landlines work this way on every occasion that I'm reminded
| of it. Does anyone know if there is, or at least was, a
| justification for this mode of operation? Was it at least
| of any use to anyone back around the 1900s or whenever or
| is it just another "we do it because that's how we've been
| doing it" residue that hasn't been cleaned yet?
| maicro wrote:
| As opposed to my sib comment, I could see (theoretically,
| not saying this is what the original logic was) some
| justification to deal with intermittent line breaks or
| connection issues - if one side can keep the call open,
| then a wind gust breaking the connection for a couple
| milliseconds somewhere between the two parties won't
| cause the whole call to end. From a customer point of
| view, it's more resilient and ends up with fewer dropped
| calls.
|
| I could also theorize about the different switching
| actions going on, where up until the other party picks up
| there's already only one phone on the line, but that's
| getting into phone system/phreaking stuff that is way out
| of my depth.
| jameshart wrote:
| Back in the day, folks would have more than one phone in
| their house.
|
| Someone would call and all the phones would ring (or you
| might turn off the ringers on some of them so only one
| main phone actually rings). So someone might pick up the
| phone in the entrance hall and the caller would ask to
| speak to Becky, and Becky's mom would yell up the stairs
| 'BECKY PHONE' and then put the receiver back down while
| Becky runs into her big sister's room to grab the
| upstairs phone, and carry the whole phone, trailing on
| its wire, into her bedroom, slamming the door on the wire
| for privacy, before she picks up the receiver to answer.
| brimble wrote:
| I lived through this era and at one point _worked at a
| phone company_ and never knew about this behavior. I'd
| hold the receiver until I heard the other person pick up,
| then hang up.
| lxgr wrote:
| If you're up for an (at least to me) fascinating rabbit
| hole of technological history in audio form, you might
| enjoy this narrated audio tour of analog phone switches:
|
| https://www.evan-doorbell.com/production/group1.htm
| easytiger wrote:
| Was this in the UK? I think they dropped the timeout to help
| mitigate this. Know someone else it happened to.
| mekoka wrote:
| So your neighbor hung up to proceed with a follow up call,
| which, if they're like most people, consists in just pressing
| the switch with a finger, while keeping the handset to their
| ear. But then upon releasing the switch, they just started
| dialing without waiting for the dial tone? And after they
| finished dialing and never heard the ringing tone, they
| didn't find that unusual? Forgive my skepticism, but
| something's missing from that story.
|
| Edit: Just read up on the disconnect time (10 seconds for
| some providers) and yes, a sophisticated scammer could indeed
| emulate the various tonalities.
| AdamN wrote:
| scammer plays a dial tone after the 'hang up' and while
| dialing.
| chaostheory wrote:
| Can I get scammed? Sure, but in this specific case, that Wells
| Fargo scam wouldn't work on me because I know firsthand that
| Wells Fargo fraud prevention is terrible. Case in point, a few
| years back I had in-store mall transactions happening 400 miles
| and 2600 miles away from my current location within an hour span
| of my lunch transaction. No fraud alert. It even took me weeks to
| contest these transactions. This is abysmal compared to virtually
| every other credit card provider.
| gowld wrote:
| > I answered, the guy said he was calling from Wells Fargo's
| Fraud Prevention Department, calling to verify some transactions.
| He verified my name, he had the last four digits of my debit card
| number, and everything generally seemed to follow the normal
| script of a transaction verification call.
|
| No legitimate bank would do this. They say "call the number on
| your card, and mention reference # NNNNN"
|
| Wells Fargo is a criminal organization:
| https://en.wikipedia.org/wiki/Wells_Fargo_account_fraud_scan...
| so there's no reason to assume an impostor would be worse.
| js2 wrote:
| > Said he was calling from Wells Fargo's Fraud Prevention
| Department, calling to verify some transactions. He verified my
| name, he had the last four digits of my debit card number, and
| everything generally seemed to follow the normal script of a
| transaction verification call.
|
| I recently had to speak with the Zelle FPD because it had frozen
| my ability to send (but not receive) after I had made some small
| trial transactions. Also, I use a Google Voice number with Zelle,
| which Zelle seems not to like.
|
| I was shocked at the depth of questions that the Zelle FPD agent
| asked me. My SSN, DOB, address and recent transactions were
| expected. But then it went deeper: state where my birth
| certificate was issued. Fine. Car loans I had. Okay, this is all
| stuff on my credit report. But then it went past me: where my
| kids were born and their DOBs; my brother's DOB and age; my
| wife's DOB and age; my mother-in-law's (!) maiden name. Keep in
| mind this all after I've authenticated myself to my bank
| including a phone password I have setup. And, it's for a
| secondary checking account that I have less than $1000 in.
|
| Real bank FPDs have a crazy amount of information on not just
| you, but also your family members.
|
| I personally would hang up if any of my financial institutions
| called me and I'd call them back.
| sjmm1989 wrote:
| > We always say we'd rather people report a thousand false alarms
| than fail to report a single real emergency, but if the process
| of filing those reports results in condescending info-dumps or
| intimidating interrogations, is it really a surprise that so many
| people have been trained to just not say anything and hope their
| suspicions were wrong?
|
| This is how it is at almost any company I have ever worked for.
| They always say things like "We prefer that you ask questions if
| you don't know" or "We would rather get a hundred false reports
| than miss one valid one." That sort of thing.
|
| And then when you follow through with what they ask for, it's
| just like the quoted part says.
|
| > results in condescending info-dumps or intimidating
| interrogations
|
| It's not just a cyber security problem folks. This is pretty much
| a global problem, because no one ever really wants to be bothered
| over trivial matters, and no one really wants to believe the boy
| who cries wolf; even if the wolf is real.
|
| None of this will get better until people in general become both
| intellectually and morally wiser. So get a drink and some popcorn
| cause this is gonna be a while.
| nopeYouAreWrong wrote:
| I'm so skeptical of these "experts" especially if they write a
| blog post where they hate their bank.
|
| I've been with Wells for over a decade. They have never called
| me. Never.
|
| I have had "fraud" alerts hundreds of times. They always happen
| at certain POS, and it's always a text alert.
|
| Some of the stories I read make me viscerally react with "what in
| the world are you doing with something as simple as a bank
| account?"
|
| Also a fundamental default is "no action". If you are even
| slightly suspicious, do nothing. It isn't somehow so important
| that you stop thinking and just act or react. Just stop.
| ghostly_s wrote:
| > I'm so skeptical of these "experts" especially if they write
| a blog post where they hate their bank.
|
| There is a nearly endless list of legitimate reasons for one to
| hate Wells Fargo.
| buscoquadnary wrote:
| My wife used Well's Fargo, I've heard about how they don't like
| to bother customers, in fact they hate it so much they didn't
| even bother notifying customers when opening new accounts for
| them, or performing actions on their behalf to generate fees.
| civilized wrote:
| Also, no one asked for the account to be opened or for the
| fee-generating actions to be performed.
|
| (They're still not out from under that Federal Reserve asset
| cap!)
| mattbee wrote:
| The author does seem to bang on about his "reasonable
| assumptions" for how much Wells and Apple Pay suck, so he
| should continue the call! Like he's just too clever to follow
| the advice he'd give everyone else to hang up and call back.
| mort96 wrote:
| I didn't read it as explaining why she _should_ continue the
| call, just why she _did_ continue the call. She's explaining
| why those things didn't immediately trigger the scam alarm.
| Nowhere did I see her claim to be too clever to do anything.
|
| I found it an interesting read which details an experience
| which is far removed from how you expect a scam call to
| occur. It's interesting to read the signs which _should_ have
| been alarm bells, but which were dismissed because nobody is
| perfect all the time.
| spicybright wrote:
| I'm honestly surprised he even wrote this if he claims to be
| an expert.
|
| He literally ignored half of what the rep was saying because
| he was busy fiddling with the computer, then willingly gave
| up all his personal information because of the distraction.
|
| You would think an expert would know how to properly use 2
| factor auth too. Giving someone the code is exactly how you
| defeat it.
| BaseballPhysics wrote:
| > I'm so skeptical of these "experts" especially if they write
| a blog post where they hate their bank.
|
| Really? That's the thing that makes you skeptical and feel the
| need to use scare quotes?
|
| Banks suck. Hell, mine hasn't even implemented proper 2FA.
|
| And Wells Fargo is so bad they've been caught scamming _their
| own customers_:
|
| https://en.wikipedia.org/wiki/Wells_Fargo_account_fraud_scan...
| gotaquestion wrote:
| I think it was important of the author to put that out there,
| expert or not. It made me take a mental inventory, and bolster
| my first-responder thoughts.
| vmception wrote:
| > if it was a scam, then this was clearly a bluff to try to
| reassure me, but he had WAY more information about me than I
| would expect an average scammer to have
|
| you can purchase FULLZ from darkweb marketplaces, these contain
| name and address and social security number and often come with
| credit card details too
|
| with that, you can do social engineering like this, you can also
| remote desktop into any computer nearby to their zipcode (from a
| different darknet marketplace of compromised computers being
| rented out) and purchase things online from that, making it less
| likely to be flagged
|
| the idea that "scammers intentionally do obviously red flag
| things to weed out discerning people and just target susceptible
| people" is just one segment of the market. doing smarter more
| cunning things is entirely available and entirely lucrative
| boznz wrote:
| Be interesting to do a lookup on yourself, is there any
| information how you go about this ?
| vmception wrote:
| I mean you could try to find the large known leaks and go
| through them yourself
|
| People just cross reference them and sell individual ID packs
| one by one
|
| There were 15,000,000 people in the Experian leak alone. Most
| of that information is still valid, we've just gotten numb to
| it.
|
| Merchants that care about customer support and reviews will
| just replace an ID for the consumer if its been used before
|
| There isn't a way to try to find who is in a database without
| the source databases yourself. Merchants don't tell you how
| they found the aggregate data, they just have reviews from
| people that say if it was accurate data or not. You could try
| and ask a merchant if they have a particular person, but I
| doubt many merchants have a way to sort that themselves, as
| the files are no longer in a parseable database by the time
| it reaches them. The organized networks are corporations and
| conglomerates with separations of knowledge and duties.
|
| All you would be able to do is purchase a FULLZ and get what
| you get.
| luckyorlame wrote:
| Define expert?
| nonrandomstring wrote:
| This is a perfect case of iatrogenic security. When the systems
| get so complex and remote that security experts are caught out,
| they do more harm than good.
|
| It's also a consequence of solutionism, systematic monotonicity,
| mother-knows-best and externalising costs such that we:
|
| Only add more security solutions on top of existing ones to fix
| their holes.
|
| Deny the user any choice or agency in setting their own security
| terms
|
| Never revoke or remove a feature (that would be admitting
| _defeat_)
|
| Push the burden in every process on to the user
|
| Create fear in the user - that any misstep will cause them more
| inconvenience and trouble.
|
| Make security an authoritarian culture such that user will not
| question or be sceptical.
|
| All of these are antithetical to civic cyber-security that we
| need available so educated and empowered users can operate
| technology under their control.
| inetknght wrote:
| What a terrible site to complain about being scammed when you
| don't even bother to serve over HTTPS!
| dfsegoat wrote:
| I know it doesn't matter for reading text, but the look is no
| bueno.
|
| I really think this detracts from the credibility of a
| "Security expert".
| otterley wrote:
| Scam reports like these really frighten me. If someone of above-
| average intelligence like the author can nearly be taken for a
| ride, imagine how easily our friends and family -- who are often
| far more vulnerable -- can be taken advantage of.
|
| As the people most capable of remediating the vulnerabilities in
| our telecommunication and banking systems, I think we ought to
| close ranks and insist that our employers do a better job of
| protecting the innocent, even if it means breaking a few
| conveniences.
| jstarfish wrote:
| > imagine how easily our friends and family -- who are often
| far more vulnerable -- can be taken advantage of.
|
| FUD. Hackers and scammers exist, sure, but your friends and
| family are always most likely going to be victimized by friends
| and family.
|
| Outsiders have to _work_ to collect intelligence, gain access
| and obtain your trust. Friends and family already have all
| three prerequisites.
|
| Bernie Madoff didn't become the most prolific con-artist in
| history by cold-calling strangers. And consider what
| demographic is most likely to try recruiting you into the
| latest MLM scheme.
| AnIdiotOnTheNet wrote:
| Why do you assume the author is of above average intelligence
| just because they work in a technology profession? _I_ work in
| this industry, and I've met a lot of people even dumber than
| me in it, so intelligence can't be much of a requirement.
| smm11 wrote:
| Expert.
| qualudeheart wrote:
| But who scams the scammers?
| Anechoic wrote:
| There was one time I _thought_ I was being scammed, but it turns
| out there was an actual issue with my bank account.
|
| Sitting at my desk at work, I get a phone call from my bank on my
| cell phone. "Mr. Anechoic, there appears to be a security issue
| with your bank account. We can resolve it for you. For security
| purposes, can you give your checking account number and the last
| four of your SSN?"
|
| This is clearly a scam, right? I tell the guy there is no way I'm
| giving up that info for a random dude that calls me. He stresses
| again that there is an issue with my bank account, that the
| account will be frozen, and there is nothing he can do about it
| without the account and SSN information. I refuse again, and he
| tells me that I should go to a local bank to get it resolved. I
| hang up and go back to work. I log into my bank account website,
| and all seems fine.
|
| After about 20 minutes, something is still bothering me, so I
| leave work to go to a local branch. I speak to a branch manager
| about what happened, and she agrees with me that it was clearly
| an attempted scam and the bank would never call me and ask for
| that information. But just to be safe, she checks my account on
| her computer. To our surprise, it turns out there was a security
| flag on my account!
|
| She calls the bank security desk, they confirm that there was an
| attempt by someone in another branch a few states away to get money
| from my account and the call I got was legit and logged in their
| system. We get the account locked out, and then the manager asks
| to talk to a security supervisor about the messed-up way they
| reached out to me. The security person basically said "this is
| how they do things" and didn't see the problem. The bank manager
| apologized, said it was messed up and she would try to run things
| up the chain to improve their process.
|
| Damned if you do, damned if you don't.
| exolymph wrote:
| Not the same thing, but relatedly, every legit email I receive
| from my health insurance is functionally indistinguishable from
| phishing. They always bounce me through a million weird domains
| too. It's very discomfiting and makes me worry that I won't be
| able to pinpoint a legit phishing attempt because it won't
| stand out.
| bombcar wrote:
| The weird domain stuff is something related to SSO I feel,
| and it is HIGHLY indistinguishable from phishing.
|
| So all the "just be smarter" talk from ten years ago about
| checking your domains, etc is out the window.
| scammerbillz.biz is ACTUALLY your hospital billing service,
| too bad.
| tempnow987 wrote:
| I love the weird domains - billing is sometimes outsourced
| through x redirections, and they use weird third party email
| hosts (CISCO secure email etc) that is halfway broken with
| CSS for you to upload your employee rosters (complete with
| socials and DOB's etc).
|
| The domains for these are always comically like phishing
| domains (secure-bank-email.valimail.com etc).
| teawrecks wrote:
| "Cool cool, could you go ahead and close my account, please?"
| alana314 wrote:
| That's so dumb! No wonder the industry is rife with scams.
| mafuy wrote:
| How about this:
|
| "Very well. Please repeat to me in writing that if I receive an
| unverified call claiming to be from Your bank, and asking for
| my personal details, that I am to give the information and
| follow all instructions and will not be at fault for damage
| that might result from this."
|
| As they clearly won't do that, at least the moron will lose
| face, and quickly so.
| smarx007 wrote:
| "We don't issue written statements to customers, please call
| another department. We have locked your account for the time
| being."
|
| The kinds of people who do this boring work all day long may
| not be so receptive to our witty humor.
| throwaway1777 wrote:
| Sounds like they're not an expert after all, never give out
| information over the phone unless you initiated the call.
| googlryas wrote:
| > So, I faithfully relayed the Apple Pay verification code, as
| requested.
|
| I cannot fathom how a tech professional would do this. I mean, I
| read their justification, but it still doesn't make an ounce of
| sense to me, other than their brain was shut off for the entire
| call.
| renewiltord wrote:
| I think I can kind of get it. This guy has made his own life so
| complicated that he no longer knows what a normal guy operates
| like.
|
| A normal person knows that scam calls come in all the time, so
| they're on the alert for them. A normal person has their MFA
| device or has MFA on text and they know these two mechanisms
| have codes they should never relay. If they got an MFA via
| email they'd immediately have their suspicions up.
|
| A normal person, through the normalcy of their system, assumes
| that if this bank is having trouble dealing with them they'd
| have trouble dealing with everyone and that's just absurd.
|
| But if you're the _abnormal_ person, then you assume your
| custom setup is the problem. That's because 99% of the time it
| _is_ the problem. He's fucked himself into being a social
| engineering target.
|
| Back in the day, this was a thing with Linux. You'd encounter a
| bug in a Windows app hosted through the WINE runtime and you'd
| think "Well, it's WINE, it can't be perfect. I'll just report
| it on WineHQ and go about my life". Well, sometimes it wouldn't
| be WINE. It would just be the app itself. But you assumed that
| because you're the weird one using WINE. Everyone else is using
| Windows. So you blame your own setup and your bug doesn't get
| fixed because it's in the wrong place.
|
| So this is my attitude to a lot of security stuff. I want to be
| the normal user. Huge advantages:
|
| - If something is broken for you, it's broken for everyone. So
| no one will blame you for consequences.
|
| - If something is weird about it, it's weird; you should be
| suspicious
|
| - If things go badly for you because of it, no one will blame
| you because they can relate; you will get help easier
| mort96 wrote:
| > A normal person has their MFA device or has MFA on text and
| they know these two mechanisms have codes they should never
| relay. If they got an MFA via email they'd immediately have
| their suspicions up.
|
| What? I get MFA codes on e-mail all the time. I've got them
| from Steam, from Mojang, from GitHub, from Square Enix, from
| Digital Ocean, etc. For a normal person, getting some code
| you have to relay to some other entity via e-mail is normal.
|
| Not to mention that the e-mail was actually a legit 2FA
| e-mail from Wells Fargo? That's how this scam works after
| all; you tell the victim that they'll receive a message with
| a code, then the scammer tries to do some action which
| requires 2FA, then the victim reads the code from the 2FA
| message. The fact that you would categorize this e-mail as an
| obviously fake e-mail which normal people would immediately
| recognize as suspicious, when it's actually a real 2FA
| e-mail, is pretty telling I think.
|
| > A normal person, through the normalcy of their system,
| assumes that if this bank is having trouble dealing with them
| they'd have trouble dealing with everyone and that's just
| absurd.
|
| No, _this_ is absurd. Everyone has experienced having some
| one-off problem with some account in some system. Not to
| mention that the case in TFA was explicitly about fraud
| prevention calling you about suspected fraudulent charges,
| which seems extremely normal to me. Limiting individual
| accounts due to suspected fraud, and then notifying the owner
| of that account, is exactly the purpose of fraud prevention.
|
| The only part of this event which the author's unusual set-up
| is responsible for, is that she gave an unusual level of
| credibility to the scammer just for calling her phone number.
|
| But if it comforts you to think normal people would be immune
| to this scam just because normal people have their
| information more readily available on the internet, keep
| believing that I guess.
| [deleted]
| megous wrote:
| Nah, phone calls are even worse than SMTP here. Caller ID means
| nothing. It's like a From header on an email with no DKIM.
|
| It can be set by the caller to anything, if they have access to
| some trunk from an operator that allows this. It's another trust
| based thing, with no automated verification.
|
| Trusting caller ID was the initial mistake. Never trust caller ID
| with your money. It's like trusting sender names in your spam
| folder mean anything.
| arzeth wrote:
| Is that "Verify your card in Apple Payr" email real/non-spoofed?
| On that email's screenshot there's a huge red flag as with other
| 99.9% scams: bad punctuation. Nobody writes "number:" (1:, 2:,
| 3:, ...) for lists in English.
| https://writing.stackexchange.com/questions/5680/is-it-ok-to...
| orkj wrote:
| > And lastly, if you're reading this, Daniel Coffmane #1687979,
| whoever you really are: Well played.
|
| I went to read the comments here to see if Daniel somehow
| acknowledged this
| rob_c wrote:
| I keep seeing this story headline from security admins lecturing
| me how to not get my estate compromised... please just learn and
| employ best practices and stop getting on at those with proven
| track records
| intrasight wrote:
| Banks will never call you. It's that simple. And if they do, hang
| up and call them back.
|
| I've had this attempted scam tried on me twice in the last 4 months.
| You know it's a scam for sure when they try to prevent you from
| hanging up.
|
| Also, always disconnect. Don't just listen for a "dial tone"
| after they hang up.
| ivanche wrote:
| This x100! And call them back from a different phone, just in
| case.
| josephcsible wrote:
| tl;dr: Someone claiming to be from Wells Fargo contacted her by
| phone and requested a code that she got emailed. The email with
| the code said "Wells Fargo will not contact you by phone or text
| to request this code." She gave him the code anyway.
| TedDoesntTalk wrote:
| > opened a claim for the fraudulent transaction (frustratingly,
| there's no immediate reversal; have I mentioned yet that I loathe
| this bank?).
|
| That's because you have a debit card instead of a credit card.
| Get rid of the debit card. There are zero consumer protections.
| throwaway2474 wrote:
| I wonder who these well-spoken, educated scammers are and how
| they're recruited.
|
| Pet theory: voice recordings will be the next fingerprints/DNA,
| at some point it will be trivial to identify the person based on
| old recordings. At which point we can retroactively convict these
| people years or decades later, when they thought they were out of
| the woods.
| katsura wrote:
| Reminds me of the Darknet Diaries podcast episode 69:
| https://darknetdiaries.com/episode/69/
|
| Off topic: The site has a contact form and a login page, but no
| https?
| simoneau wrote:
| I'm surprised at the level of scamming we tolerate as a society.
| As technologists, we have a good chance of not falling for it,
| but my parents are sitting ducks.
|
| Some combination of new consumer protection laws, infrastructure
| improvements, and law enforcement attention is desperately
| needed. I don't know why this doesn't get more attention. Is it
| just the historical attitude that each of us are responsible for
| protecting ourselves? Is the line too blurry between a legit
| business and an outright scam?
| monktastic1 wrote:
| "while I'm no expert, I've never heard of a call center system
| that can accept touch tones seamlessly while a call is active,
| and it would take extremely sophisticated audio processing
| capabilities to be able to do that, since the frequencies used by
| touch tone keys heavily overlap the frequencies of human speech."
|
| "Extremely sophisticated?" The tones are just a sum of two sine
| waves of known frequencies. That's trivial to detect. What am I
| missing?
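| An added illustration of the point made in the comment above (not code
| from the article or from any commenter): DTMF keys are pairs of sine
| waves at fixed, well-separated frequencies, so a short frame can be
| decoded with the Goertzel recurrence even when a speech-like tone and
| noise are mixed in. The test signal, the 440 Hz "speech" interferer, the
| amplitude threshold and the 100 ms frame length are all constructed
| assumptions for the demonstration.

```python
import math
import random

SAMPLE_RATE = 8000  # telephone-band sample rate in Hz (assumption for the demo)
LOW_TONES = (697.0, 770.0, 852.0, 941.0)       # DTMF row frequencies
HIGH_TONES = (1209.0, 1336.0, 1477.0, 1633.0)  # DTMF column frequencies
KEYPAD = ("123A", "456B", "789C", "*0#D")      # row index = low tone, column index = high tone


def synthesize_key(key, duration=0.1, speech_hz=440.0, speech_amp=0.3,
                   noise_amp=0.05, seed=0):
    """Constructed test frame: the DTMF pair for `key` (none when key is None)
    mixed with a 440 Hz 'speech-like' tone and deterministic Gaussian noise."""
    rng = random.Random(seed)
    n = int(SAMPLE_RATE * duration)
    tones = []
    if key is not None:
        row = next(r for r, keys in enumerate(KEYPAD) if key in keys)
        col = KEYPAD[row].index(key)
        tones = [LOW_TONES[row], HIGH_TONES[col]]
    samples = []
    for i in range(n):
        t = i / SAMPLE_RATE
        x = sum(0.5 * math.sin(2 * math.pi * f * t) for f in tones)
        x += speech_amp * math.sin(2 * math.pi * speech_hz * t)
        x += noise_amp * rng.gauss(0.0, 1.0)
        samples.append(x)
    return samples


def goertzel_amplitude(samples, freq):
    """Estimate the amplitude of a sinusoid at `freq` Hz in `samples`.
    The Goertzel recurrence evaluates one DTFT bin in O(N) with no FFT."""
    w = 2 * math.pi * freq / SAMPLE_RATE
    coeff = 2 * math.cos(w)
    s1 = s2 = 0.0
    for x in samples:
        s1, s2 = x + coeff * s1 - s2, s1
    power = s1 * s1 + s2 * s2 - coeff * s1 * s2   # |X(w)|^2
    # |X(w)| of a sinusoid with amplitude A over N samples is about A*N/2
    return 2 * math.sqrt(power) / len(samples)


def decode_dtmf_frame(samples, min_ratio=0.25):
    """Return the key whose tone pair dominates the frame, or None.
    Each tone must carry at least `min_ratio` of the frame's RMS level, so
    a frame with only speech and noise is rejected instead of guessed."""
    rms = math.sqrt(sum(x * x for x in samples) / len(samples))
    if rms == 0.0:
        return None
    low_amps = {f: goertzel_amplitude(samples, f) for f in LOW_TONES}
    high_amps = {f: goertzel_amplitude(samples, f) for f in HIGH_TONES}
    low = max(low_amps, key=low_amps.get)
    high = max(high_amps, key=high_amps.get)
    if low_amps[low] < min_ratio * rms or high_amps[high] < min_ratio * rms:
        return None
    return KEYPAD[LOW_TONES.index(low)][HIGH_TONES.index(high)]


if __name__ == "__main__":
    for key in ("5", "#", "A", None):
        print(key, "->", decode_dtmf_frame(synthesize_key(key)))
```

| The decoder keeps the frame short (100 ms) because real call audio
| changes constantly; a production detector would also check that the
| two tones are close in level and that the key persists for a minimum
| duration, but the core detection is exactly this handful of lines.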
| scottmcdot wrote:
| > he was talking about mobile app payment systems, like Apple Pay
| and Google Pay. Which, yes, I'm very familiar with, but I don't
| use and have no interest in using.
|
| I think if you're going to be a Scam Prevention Expert, you
| should at least familiarise yourself with the user experiences of
| these services so that you can detect when they're potentially
| being used in a scam.
| renewiltord wrote:
| I'm a gullible motherfucker: I have memories of handing a $20 to
| a random guy walking up to me and saying "Hey, man, my car's
| stuck and I need some cash for gas".
|
| That said, I've had a lot of these calls and fortunately not
| fallen for them once. The funny thing is that eTrade (I think)
| has a system where you can ask for a callback but then they'll go
| right into taking your information. When that happened, I followed
| the play book: I asked for a phone number that I could find on
| ETrade that I could add an extension for to get to this person.
| He gave it to me and everything along with some sort of quick
| access code I was supposed to use to get whomever I hit to pass
| me along.
|
| Well, I did the whole thing and the person at the other end in
| the ETrade system that I dialed said "It's okay, I'll just take
| care of it, sir". I mean, at this point I just sucked it up and
| went through with the process since I figured I dialed the number
| from their website to get there and then the extension so surely
| it has to be legit, right?
|
| But I just know someone is going to point out a way that I could
| have been scammed through this mechanism.
| paxys wrote:
| I expected some crazy new attack vector that was so sophisticated
| it could fool this Scam Prevention Expert, but this post is
| laughable. They fell for textbook "scamming 101" that my grandma
| knows to avoid.
|
| Here's one tip for this expert - if you get a 2FA code over text
| or email that clearly has the line "we will never contact you for
| this code over phone or text" right under it, DON'T give it to a
| "support agent" over the phone.
|
| > this is clearly a two-factor authentication code, meant to be
| entered directly into an authentication page. Which is normally
| not something that would be relayed over a phone call to a
| customer service rep. A concern that I raised to Daniel. However,
| he said that it was part of Apple's system, which they only had
| limited access to. An explanation that, as someone who works with
| computers, data security, and API integration professionally, I
| completely bought
|
| And after reading multiple paragraphs of this person describing
| money literally taken out of their account in front of their
| eyes, you get to this line:
|
| > Putting all of this together, the scales started to tip toward
| this potentially being a scam call, but I still wasn't certain
|
| I _really_ hope they don't have a lot of clients
| feoren wrote:
| I agree. I nodded along to the part about not assuming it's the
| victim's fault, and then this "expert" falls for an extremely
| basic, obvious attack. "Wells Fargo will not contact you by
| phone or text to request this code." -- maybe that should have
| been bigger and bolder, but it was there. This guy should not
| be allowed to call himself a "scam prevention expert" anymore.
| mort96 wrote:
| There's _a lot_ of text in that e-mail. The text you're
| referring to is perfectly positioned to be almost invisible
| -- it's in the last paragraph intermingled with the standard
| "if you have any questions, call us on blah blah blah" text.
| My brain skipped the rest of that paragraph the first 5 times
| I skimmed the e-mail.
| gridspy wrote:
| Anyone can fall for these attacks in the moment, even experts.
| That was the point of the article.
|
| What makes us vulnerable is that we are human: we get tired,
| caught up in the urgency of the call and our logical thinking
| stops working.
|
| The actual story of the article is that we need to design
| systems that are robust even when people are getting scammed.
| Able to identify and reverse scamming soon after it happens
| with easy ways to report it.
| fallingknife wrote:
| Amazing that a security "professional" would wait until he is
| 100% sure it's a scam and not hang up when he isn't 100% sure
| it's legit.
| anonymousisme wrote:
| I had a legitimate call from my credit union last month. They
| were following up on a problem I had reported with their on-line
| bill pay system. Toward the beginning of the call, they wanted to
| verify that it was me and they asked me to provide them with the
| 2FA code they had just texted to me. I declined and told them
| that this is what scammers do. They agreed with me and encouraged
| me to call them back at the number on my ATM card.
|
| I thought it was really unprofessional of them to operate this
| way.
| harshreality wrote:
| It's insane for them to request that you read a 2fa code to a
| human over the phone. Even if you called them. Escalate and get
| their policies changed, or get them fired if they're violating
| policy.
| killjoywashere wrote:
| I mean, if you're the test, if you pass 100% of the time, you're
| not trying hard enough.
| lucb1e wrote:
| How often do you guys get calls from your bank?
|
| I got called twice in my life, both times in response to a ticket
| I had filed but didn't necessarily need a response to (firstly a
| complaint about some new hardware authenticator that was worse
| than the old one (I was hoping enough complaints might make them
| pick a better replacement next time), secondly about phishing-
| but-legitimately aka Sofort which they now, two years later,
| finally semi-blocked).
|
| From the post, since it mentions this being routine and normal,
| plus the comments here, it sounds like Americans are called every
| month or so. Is that impression correct? Is it because of this
| credit card system where basically anyone with your account
| number has withdrawal access identical to what we use 2FA (chip
| and pin) for? With IBAN it's more of a money destination than a
| source. Direct debit exists but I have yet to see it abused, not
| sure how that works exactly, and definitely never got a call to
| confirm this or that.
| verisimi wrote:
| Is it possible that this is a PR puff piece?
|
| I think you could argue that this guy gives us this long (and
| somewhat implausible) story in order to:
|
| a/ support the line of business he is in and
|
| b/ to justify all the privacy intrusions and obstructions that
| banks are undertaking
| [deleted]
| interfixus wrote:
| Caller would have gotten about five seconds worth of my time:
| "That's very nice. Please send an email. Goodbye". But then, I'm
| not an expert.
| kebman wrote:
| Sure. I've been scammed. It felt really bad. And I consider
| myself quite knowledgeable. On the other hand, I noticed what was
| happening before greater harm could have been done. Perhaps
| that's what distinguishes so-called experts from the regular
| folks. Because an expert would know sooner, without being
| impervious.
|
| Long story short, I could have ended up with a subscription on a
| set of questions for 20 dollars a week, which was given only
| after a set of legitimate surveys were given on behalf of Apple.
| I of course notified Apple of this, but I never got the 20 first
| dollars back, before cancelling the "subscription" I had
| apparently signed up for.
|
| I really wanted to track the guys down, but they had been very
| careful in covering their tracks with proxies and mailbox
| addresses, so in the end I considered it too much work. But I did
| spam them. Perhaps I could have even used their mail for even
| more spam, but I suppose they just use throwaway mails anyway.
|
| Not sure how they got through the cracks of Apple, though. IMHO
| it's pretty damning for the reputation of Apple to work with guys
| like that.
| dade_ wrote:
| Not much of an expert, caller ID means nothing.
|
| Standard procedure for everybody in the last 20 years should be:
| Whenever I get a call about security or fraud from the bank, I
| thank them for the notification and tell them I will call them
| back, and hang up. Then I call the number on my credit /bank
| card, not the number I was called from. Fortunately there is a
| lost or stolen cards so there is no queue time and tell them I
| received a fraud alert notification.
| BaseballPhysics wrote:
| > Not much of an expert, caller ID means nothing
|
| They... said that:
|
| > The caller ID showed the correct name and number for my bank,
| but caller ID data is so hilariously easy to spoof that it
| might as well not even exist.
|
| Honestly, what is with the low quality comments attempting to
| undermine this person's credibility?
| mardifoufs wrote:
| So what if they said that? I'm not trying to pile on them but
| the reason people are questioning their credibility is that
| they fell for a pretty basic scam. Even if they acknowledged
| that their assumptions were incorrect (knowing Caller Id is
| very flawed but still falling for it), it doesn't necessarily
| make the scam any less obvious.
|
| Would you not question the credibility of a doctor who falls
| for say, crystal healing or homeopathic cures?
| BaseballPhysics wrote:
| > I'm not trying to pile on them but the reason people are
| questioning their credibility is that they fell for a
| pretty basic scam.
|
| Yeah, I've read the armchair quarterbacks around here
| thinking they wouldn't be the ones to get duped if it was
| them.
|
| Of course, I'll bet if they did get duped, they wouldn't
| post about it on social media because a bunch of folks
| would come out of the woodwork to point out how stupid they
| were.
|
| Personally, I read this accounting and thought "You know,
| for all my own knowledge about how these scams work, I
| might've been caught by this one." This specific example
| strayed into spearphishing territory given the knowledge
| the attacker had of the victim. This wasn't just an average
| war dialler. And the time investment, alone, on the part of
| the attacker makes this unusual compared to your average
| phone scam.
|
| But hey, maybe I'm just not bright enough to hang with the
| cool kids around here.
| mardifoufs wrote:
| I'm not saying I wouldn't get duped, but I'm also not a
| scam prevention expert! And you are right that I wouldn't
| be posting this if I was in their place but I'm not sure
| if that means that makes them immune to criticism. "I bet
| you'd have done the same" is not an extraordinarily good
| defense when we are talking about a scam prevention
| expert.
|
| I also don't think this has anything to do with
| intelligence. You can question expertise without
| questioning intellect
| mekoka wrote:
| Simple and effective. It's been over 10 years that I've
| followed this same protocol. It hasn't failed me yet. I also
| don't think I've missed anything that could have been better
| handled, had I chosen to speak to the caller. Just don't say
| anything, beyond greetings, to the caller.
| gwbas1c wrote:
| > I'm a scam prevention expert and I got scammed
|
| After reading all that... I noticed that the "scam prevention
| expert" isn't serving their site with proper https.
| lucb1e wrote:
| Was the first thing I noticed, but to be fair, there also just
| isn't really a need for a blog like this. Someone once said
| something like "I encrypt my innocuous blog because else
| private becomes suspicious" but by now the internet is largely
| encrypted and this one blog won't reverse that.
|
| And who knows, maybe the person reading along at the NSA will
| also enjoy the article :)
| tempestn wrote:
| I wish the title hadn't given away that it was a scam call.
| Perhaps it could have implied it was a gripe about Wells Fargo at
| first. Reading it while already knowing it was a scam, it seemed
| blindingly obvious to me, and it was hard to imagine how I could
| have made the same mistakes. But that could be overconfidence.
| ziml77 wrote:
| Yes it is overconfidence. You just have to be tired or
| distracted and it will be incredibly easy to fall victim to one
| of these scams.
| sevenf0ur wrote:
| I have to give credit for sharing your story and how
| sophisticated these attacks can be. These scams work because
| we're human and don't always think rationally under pressure.
| sshine wrote:
| I was never the target of an attempted scam online, and I think (naively like
| the author) that it wouldn't happen to me.
|
| But I was pick-pocketed twice in my life. Both failed attempts,
| but only because of dumb luck. And I thought that would never
| happen, "because I'm that much present always."
|
| One time I'm wearing a hoodie, and a cheery guy distracts me and
| sticks his hand into a double-ended pocket and my hand, resting
| in the other side, instinctively grabs his; a trigger-happy hand-
| shaking mechanism and a bad choice of pocket. I quickly walk off
| because his grumpy friend looks like someone who would stab you.
|
| Another time I'm running for the bus, my phone is thrashing forth
| and back in my pocket, so while running, I quickly grab the phone
| and stick it in another pocket; two seconds later, a young guy
| bumps into me, and his hands reach all the way down in the now
| empty pocket. We land, we stare at each other, and I run for the
| bus rather than him; I'd have no chance catching him anyways.
|
| So... with some humility: The only way to stay out of trouble is
| to apply really dumb protocols.
| throwawayHN378 wrote:
| "Expert"
| drdaeman wrote:
| Hm, interesting. I've had surprising fraudulent charges on a WF
| card just a few days ago. They texted and emailed me, but I had
| to call them myself (not that I would've trusted a call, I even
| wondered for a minute if SMS was a fraud attempt).
|
| The issue is, it was a card that I keep only because it's the
| oldest card I have, that I don't really ever pull out of my
| wallet anymore. I'm not familiar with the underground stuff but I
| suppose stolen CC numbers are typically sold reasonably fast
| (months, not years) and used while they're still fresh? If that's
| the case, while two random anecdotal data points don't prove
| anything, I start to wonder if it's possible that WF was recently
| compromised.
| stjohnswarts wrote:
| ehhhhhhhhhhhh I always call back. Isn't that one of the 1st laws
| of not getting fucked online/over the phone? I go to the company
| web page (https only of course) and get a phone number. I mean
| suppose it's possible for an employee to screw you over, but at
| least it's (call metadata) probably being logged somewhere. Also
| if I was into security my blog page would be on https, even if
| that's not entirely necessary for webpages. It throws up a yellow
| flag to me.
| dangus wrote:
| The author ("scam prevention expert") was extremely uncomfortable
| at multiple points in the interaction and just...kept going.
|
| I know that this scam is relatively sophisticated compared to
| others, but I have to think if I was a scam prevention expert
| that I wouldn't tarnish my own name by putting a story with this
| much raw honesty out there.
|
| They basically violated rule #1 of scam avoidance which is that
| no legitimate business cold calling you will need you to do
| _anything_ with urgency.
|
| Either that or it's a way to make potential customers feel better
| about the obvious mistakes they made.
| rollcat wrote:
| > I have to think if I was a scam prevention expert that I
| wouldn't tarnish my own name by putting a story with this much
| raw honesty out there.
|
| I think it's an absolutely excellent story to publish. The road
| to becoming an expert in any field or art is paved with
| failures, and your own failures tend to be the ones you learn
| the most from. Plus in a field that primarily deals with
| dishonesty, being this transparent does help build a positive
| image.
| aldebran wrote:
| I think you missed the point. They said circumstances can make
| it such that you can get scammed so let's not blame the victim.
| whimsicalism wrote:
| Just don't give people 2FA codes? I am never going to give a 2FA
| code to someone who calls me, no matter what combination of words
| come out of their mouth.
| jcoq wrote:
| Right? There's nothing surprising about getting scammed when
| you give out the 2FA code.
| throwra620 wrote:
| agentdrtran wrote:
| "just don't get phished"
| iforgotpassword wrote:
| As TFA starts out, it is always easy to point out all the
| mistakes after the fact. People underestimate how prone the
| mind is to just trying to play down danger, inconvenience and
| generally unpleasing situations. Even after a few minutes on
| the phone, after you built up the most basic "relationship"
| with the person on the other end, you simply don't want this to
| be a scam. Avoiding cognitive dissonance. Just like when you
| bought something expensive that doesn't really meet your
| expectations.
|
| Then you must not underestimate the pressure under which you
| then are, because either way is not a pleasant situation
| (getting scammed or having been scammed already trying to
| contain the damage). I fully believe the author that they only
| skimmed that mail and weren't even aware that this is 2FA. It
| must have seemed like "just some one-off verification code".
|
| Then I think there is also this phenomenon where experts think
| that just by being an expert on something, they are immune to
| it. Not consciously, rationally, but lingering in the
| subconsciousness. It reminds me of the show "the good doctor"
| where a seasoned oncologist is diagnosed with a brain tumor and
| completely blocks off any conversation about it and rejects
| treatment. I think that very well illustrates what I mean.
|
| Another anecdote to add here is that Jim Browning, a YouTuber
| focused on finding scam call centers, getting into their
| systems to gather information and shutting them down in the end
| got his YouTube account taken away from him through a scammer
| on the phone. So I'd be careful with claiming this could never
| happen to me because I'd never do X. Until the day you do
| without realizing.
| whimsicalism wrote:
| Look, I certainly believe that as you get larger and larger
| groups of people, law of large numbers it becomes inevitable
| that someone becomes scammed.
|
| And I certainly don't doubt that I could be scammed at some
| time, especially by a phishing email or something of the
| sort.
|
| But I don't think I'll ever give out a 2FA code to anybody
| that's not me. It's a really simple rule of thumb. Just never
| do it, there is never any reason for anybody besides myself
| to know my 2FA. If there is a reason, that is unfortunate
| that they've designed their system that way because, again, I
| am never going to give out my 2FA code to anybody.
|
| The person in your anecdote never gave his 2FA to anybody, so
| it is not relevant to what I am discussing.
| iforgotpassword wrote:
| Yes, it's easy to convince yourself you're way too smart to
| make this mistake. At the same time, you now deliberately
| skipped over the fact _twice_ that he just skimmed the mail
| and didn't fully realize it was specifically a 2FA code,
| just assumed it was _some_ verification code. I mean, the
| wording explicitly talks about _entering_ this code
| somewhere to _enable_ stuff. That's already two dead
| giveaways. Otherwise you'd be implying this guy, being an
| expert, doesn't fully understand how 2FA works. Pretty
| unlikely, but sure, not impossible. But I mean
| realistically now that this has been overstressed I
| actually do believe you'd never make that specific mistake
| in the future.
| whimsicalism wrote:
| It's pretty obvious what is a 2FA code and what is not.
| If I'm being sent a code on my email or phone, I know not
| to tell it to someone on the phone. Indeed, even that
| very email she was sent contained a reminder not to tell
| it to someone on the phone.
|
| I read the entire article, I am just unimpressed by the
| justifications as to how this "could happen to anybody."
| mort96 wrote:
| I don't think the e-mail in the article is very obviously
| a 2FA code? I usually associate 2FA with something I use
| to log in somewhere; not to do some other operation which
| (presumably) already requires account access. To me, it
| looks like a Wells Fargo Apple Pay "Verification Code",
| which honestly could mean anything.
|
| There are other signs, obviously. You could ask the
| question of, why is the e-mail asking me to enter the
| code myself while the customer support rep asking me to
| provide it over the phone? But as you well know, the
| author also asked that question, and arrived at a
| plausible enough sounding answer.
|
| Regarding that last sentence: I have actually skimmed the
| e-mail many times now, and only when looking at it again
| to try to understand what you meant by "even that very
| email contained a reminder not to tell it to someone on
| the phone" did I actually see that part. I suppose I just
| started reading the standard "if you have questions call
| us on this number" text and skipped the rest of the
| paragraph. Brains are very good at extracting what they
| think is the relevant information and ignoring what they
| think is the irrelevant information, _especially_ when in
| an active social interaction with another person who
| expects something from you.
|
| I think any technical person should be able to analyze a
| play-by-play description of the events and explain
| exactly how each mistake could've been avoided. But I
| think most technical people could've made similar
| mistakes if they were caught in a vulnerable state of
| mind. I think sharing these kinds of stories, where even
| people who "should" know better got scammed, is an
| important part of how we learn to recognize scams. I
| think the vitriol in places like this comment section
| plays a part in making people avoid sharing stories like
| this.
| Spivakov wrote:
| Here is an interesting story in which a scammer almost got me but
| failed because he knew me "too well":
|
| One morning in college I was awakened by a call after staying up
| all night working on some project. The caller claimed to be from
| my home country's embassy and was investigating a fraud case I
| was involved in. He started by confirming my personal information
| such as DOB and passport number and he had them all correctly. He
| asked me to physically visit consular office, which I told him
| was impossible because I was in some program.
|
| At this point I sort of gave in, but he asked if I was preparing
| for piano/music rehearsal - a huge red flag that awakened me from
| my foggy mind. During adolescence I attempted to become a pianist
| and dedicated lots of time to training and competitions, but this
| is a past that was never mentioned on my resume or to friends.
| There couldn't be a legitimate way to relate that experience to me.
|
| I said yes and asked why he knew it. He began talking about my
| musical experience and what awards I won, without knowing that
| all these bits sounded to me like a pretentious show of being
| knowledgeable about my life.
|
| One lesson from this and OP's story is that the scammer can
| attempt an attack at any moment, including downtime of brain
| activity.
| 533474 wrote:
| Crazy, was it someone you knew?
| Spivakov wrote:
| No, not to my knowledge. It seems that they obtained/built my
| pre-college profile many years ago, but they only attempted the
| scam later and failed to keep it up to date.
| [deleted]
| Natsu wrote:
| > my bank, Wells Fargo (I know, I know; trust me, they were not
| my first choice).
|
| > aren't phone numbers that Wells Fargo recognizes as valid
| mobile numbers (one of many things I despise about this bank).
|
| > Wells Fargo's system would be so janky and sloppily-built that
| this is the least awful way they could figure out how to do it.
|
| > consistent with similarly nonsensical policies I've encountered
| with Wells Fargo before (I hate this bank so much
|
| I think it might be time to change banks...
| rcurry wrote:
| It gets even weirder when your bank acts like a scammer. A few
| weeks ago I was trying to help my wife add her USBank credit card
| to Apple Pay and Apple Pay said I needed to call this number to
| finish setting up the card. So I call the number and the guy is
| very friendly and asks me for a bunch of identity verification
| details, which I provide to him, but then he asks us to send a
| code back that will be coming over text messaging - yes, I
| initiated the phone call, but I suddenly realize that the number
| Apple directed me to was not the same number on my USBank card.
| Being a bit paranoid I tell the guy "Look, nothing personal but I
| get nervous when people ask for a verification code to be read
| back to them, I'm just going to call the regular number and go
| from there, okay?" Instead of being friendly, this guy suddenly
| gets in my face and is like "Oh, you'll give me all this other
| info but won't read that code back to me? I'm Fraud Prevention
| dude, good luck getting this done calling the main number. Oh,
| and just for this I'm putting a block on your card." I hung up
| immediately and called US Bank's main number and asked to talk to
| a supervisor - sure as hell, it turns out the guy I had talked to
| did work in their fraud prevention department and actually had
| retaliated against me by locking my credit card. It was the most
| incredibly ugly thing I've ever seen from a customer service
| department.
| starwind wrote:
| I had a problem with US Bank just trying to open an account
| with them. They sent me these instructions on how to upload a
| copy of my ss card through some "secure" Cisco system. The
| email I get has a different subject line than what the
| instructions said it would, it has this HTML attachment that
| doesn't render right, and it was missing the button they said
| it would to create some kind of account. I was like wtf and
| their security department said if I didn't like it then I had
| to go into a branch to handle everything.
|
| Went with a local credit union instead
| WorldMaker wrote:
| Something I learned (almost the hard way) was to always make
| sure I have a Bank/Credit Card's own app installed (and logged
| in) before trying to add to Apple Pay. Apple Pay can and will
| redirect you to verification steps _in the app_ if the app is
| installed. More often than not, if you initiate "Add to
| Wallet" from the app itself there's no additional verification
| step.
| rexf wrote:
| The setup flow is hit or miss.
|
| With some banks, it was seamless to set up. With another bank,
| it wasn't clear how to finish setting up Apple Pay. I don't
| recall if I called them or went through their app to actually
| set it up. It was definitely confusing, and the Apple Pay
| onboarding screens didn't provide useful instructions.
| EGreg wrote:
| This is just very weird to read. What was this scammer's endgame?
|
| With all this info they can call up GoDaddy and redirect your
| domain (and all your emails) to themselves, or call AT&T and sim
| swap you. Why even call the actual account holder?
|
| https://www.zdnet.com/finance/blockchain/fbi-warns-sim-swapp...
|
| As for these "confirmation" emails or SMS -- they are so dumb!!!
| Why don't they just include a full description of the ACTION you
| are supposed to have taken, that you are expected to be
| confirming? In big red letters before the confirmation number.
| That way the scammer won't be able to trick you. Sheesh, these
| companies haven't figured out how to include that?
| BeefWellington wrote:
| A tip that may or may not travel well: some banks can set a
| "security passphrase" or passcode that must be provided before
| they will do anything for you. A few years back I had someone
| compromise my credit card and somehow answer enough questions to
| increase the credit limit on the card substantially. This was the
| bank's response to this.
|
| No bank advertises this from what I can tell.
| rolobio wrote:
| I nearly got taken by a scammer because Amazon transferred me to
| one. I purchased a set of Reolink cameras on Amazon (they've
| been great); one of them failed a couple months in. I contacted
| Amazon customer support (via my Amazon login and in their
| interface) and they wanted to troubleshoot with their technical
| team. Eventually the (very helpful) Amazon technician suggested
| contacting Reolink for support and started a 3-way call. The
| "Reolink" technician got my phone number and then said they
| wanted to call me back.
|
| They called me back a minute later (now without Amazon recording
| the conversation) and asked me for my NVR's serial number so they
| could connect to my NVR. I was shocked they had a backdoor into
| my NVR but I figured I'd let it play out. A minute later the
| technician said that he was having trouble connecting because "an
| internet virus is corrupting my firewall". I was extremely
| confused and thought it must be a translation problem. Until he
| kept insisting it was a problem and became belligerent and angry.
| He said I needed to pay $300 to have an on-site technician
| troubleshoot the problem. I got angry because he was making some
| weird excuse for their camera not working, and wanting to charge
| me rather than just ship me a replacement. I refused and he
| started mocking me. I demanded his manager and he ignored me.
| Eventually I hung up and called Amazon back.
|
| The Amazon technician was helpful and shipped me a replacement. I
| contacted Reolink via email to complain about their technician.
| They responded that they have no on-site technicians and that it
| was a scam!
|
| I was blown away that Amazon would transfer me to a scammer. I
| contacted Amazon again and let them know what had happened.
| Hopefully they will figure out how their guy got this scammer's
| phone number and teach him how to find a 3rd party phone
| number...
| Galaxeblaffer wrote:
| It's really hard recognizing the image Amazon has in the US
| compared to my personal experience with amazon.de. The service
| is stellar, shipping both ways is free as long as you buy
| products covered by Prime. Refunds are with no questions asked
| (as long as you don't start abusing it, I guess). As soon as you
| go into 3rd party sellers the experience gets muddled, though
| I've had plenty of good experiences with those as well. There's
| simply nothing here in Europe that gets even close to what
| Amazon offers. I really really hope it will never be like the
| horror stories I see here on HN.
| FpUser wrote:
| > "The service is stellar, shipping both ways is free as long
| as you buy products covered by prime. Refunds are with no
| questions asked"
|
| This is my exact experience in Canada so far. But they did
| something else weird. I wanted to buy a Google Store gift card
| from Amazon and as soon as I made the purchase my account was
| suspended. It took me a few hours, including a lengthy phone
| call, to sort things out. I was told that gift cards are
| widely used in fraud. Sure, whatever, but then why FFS do they
| sell those?
| nattaylor wrote:
| My US based Amazon experience is like yours with fast
| shipping and easy refunds/exchanges, so don't lose hope. I
| guess with 100e6 or so customers, there are bound to be some
| bad experiences.
| mcv wrote:
| > There's simply nothing here in Europe that gets even close
| to what Amazon offers.
|
| I strongly prefer bol.com. No idea if they ship abroad,
| though.
| rolobio wrote:
| Amazon US used to be as you describe. But now it's mostly just
| cheap knockoff stuff. I hardly purchase there anymore. It's
| really sad because they used to have such a wide selection.
| pmoriarty wrote:
| Where do you shop instead?
| rolobio wrote:
| Locally mostly. Also, surprisingly on walmart.com.
|
| Edit: Also from manufacturers' websites.
| monksy wrote:
| > just cheap knockoff stuff.
|
| By that you mean overpriced dropshipping from aliexpress.
| bcrosby95 wrote:
| I dislike Amazon but yes, my experience in what you have
| outlined is that it's generally amazing.
|
| The parts that aren't amazing are getting items that aren't
| representative of what I ordered. But refunding is always a
| breeze when that occurs.
|
| My problem is that it shouldn't be a thing that happens so
| often (to me). I shouldn't be shipped shoes of the wrong size
| 3 times before I get shoes of the size I ordered. I shouldn't
| be buying open box items without being told it's open box. I
| shouldn't be buying things with the completely wrong thing in
| them.
|
| Now, all of these can be problems with big box retailers. But
| the sheer frequency it happens to me on Amazon - it's never
| happened at this frequency to anyone I know when we would
| shop in store. Yes, my friend once bought a graphics card at
| Fry's that just contained a box of rocks. But that was one
| friend, one time. I've had more of these issues on Amazon,
| the last ~7 years, than I have for all shopping experiences
| everywhere else that I've ever shopped combined.
| mypalmike wrote:
| I think it's selection bias. People with a bad experience
| with Amazon are more likely to dive into it here. And dive
| they do, nearly any time Amazon is mentioned. Even in a
| thread about Wells Fargo we somehow get sidetracked into
| "Amazon just sells counterfeit garbage".
|
| Out of the thousands of items I've bought through Amazon, I
| think maybe one set of Henckels steak knives might be
| counterfeit (I've ordered two sets of the same knives and
| they were noticeably different - both seem high quality
| though).
| carabiner wrote:
| Amazon today is a street side flea market. You really don't
| know what you'll get. I've started ordering more stuff from
| traditional retailers. Their online operations these days are
| really good, and at most a few dollars more than Amazon.
| Clothes from macys.com, home goods from homedepot.com and
| target.com, and so on. You're not flooded with choices with
| these stores that are mostly garbage, instead you get only 1-3
| choices that are reputable.
| SemiNormal wrote:
| Too bad Wal Mart murdered Jet.com
| m463 wrote:
| I think ordering on amazon has become a little like getting
| your car towed.
|
| Towing companies appear to be a large shell game where your
| $200 tow is handled by one or more middlemen who eventually
| get some poor independent towtruck driver to tow you for $75.
|
| Amazon should do something that would allow partnering with
| decent brands. Customers would be happy, brands could keep
| their reputation, amazon could get a reasonable cut, and they
| would still sell stuff via flea-market brands and the made up
| word-salad amazon brands
| amelius wrote:
| I'd like to see an economist's view on how the free market
| is failing here, and what we can do about it.
| mlindner wrote:
| I'd say it's working just fine, by causing people to
| switch away from using Amazon. Amazon continued to lower
| their brand's quality and as the name becomes less and
| less trusted, their products are worth less and less.
| Wistar wrote:
| > I think ordering on amazon has become a little like
| getting your car towed.
|
| Apparently _especially_ in Ontario...
|
| https://www.thedrive.com/news/44749/inside-the-tow-truck-
| maf...
| Spooky23 wrote:
| Tow drivers make a lot of money. They do a lot of
| subcontracting and mutual aid type arrangements.
| weq wrote:
| Towies in my country are usually connected to some kind of
| mafia. Never met an altruistic one like Matt's Off Road
| Recovery in my travels.
| bubblethink wrote:
| This seems to be the classic underdog problem. The
| traditional retailers that you like today will become third
| party marketplaces tomorrow if they grow. So the issue is
| that we only get good service from underdogs and it is
| destined to fail once the underdog is not an underdog
| anymore.
| verve_rat wrote:
| That doesn't follow. Just because an online retailer grows
| it doesn't mean they have to start allowing third-party
| sellers. In fact, seeing what is happening to Amazon's
| reputation, that seems like a bad long term move.
|
| Short termism might win out, but it is not a foregone
| conclusion.
| cogman10 wrote:
| I agree it's not a foregone conclusion, but it's also not
| far-fetched. That's what happened to Newegg. They tried
| to turn into an Amazon and now I have a hard time
| trusting them.
| lamontcg wrote:
| The mechanism is the managers that take over at companies
| who focus on the short term bottom line (trimming support
| today, to juice profits tomorrow, to lose credibility
| years down the road after the bonuses have long landed in
| their bank account).
|
| And the problem is that Amazon's growth profile (retail-
| side anyway) is going to be pretty constrained going
| forwards because they own too much of the available pie
| right now. So the result is that managers are going to
| have to look for other ways to trim costs to make
| numbers.
|
| If you're starting from 0.001% of the retail market and
| trying to grow 10x it is much easier to do that just by
| having really good customer service.
| lupire wrote:
| "short term bottom line" is a comically absurd way to
| describe Amazon, which has been growing consistently for
| 25 years.
| WorldMaker wrote:
| Except Amazon _started_ as a third-party marketplace. This
| isn't *new*, some of us just have really short memories.
| For the first several years the _only_ first-party sales
| they did were in books (and not _all_ books on the store
| even at the beginning). They've expanded into other first-
| party categories, but there are far fewer first-party
| categories than people assume. (And always have been.)
|
| The big thing that changed isn't the third-party
| marketplace on Amazon, it's that they increasingly and
| intentionally blurred the lines between "third-party" and
| "second-party" marketplaces. Any third-party that uses
| "Fulfilled by Amazon" logistics (warehouses, shipping) just
| about gets automatically upgraded in the Amazon user
| experience to "second-party" even if Amazon has no deeper
| working relationship with the third-party than "Fulfilled
| by Amazon".
|
| Some of that intentional blurring of the lines is also
| questionably Dark Patterns intentionally designed to
| confuse consumers in just exactly what categories Amazon
| supports directly (first-party) and which ones are third-
| party, and more importantly which ones are first-party
| usually versus third-party _today_ (such as sold out
| goods). They want to give consumers the illusion of an
| "everything store" that is never out of stock. That's never
| the practical reality, and the illusion may be evil from
| the perspective of shadily pushing consumers to unvetted
| third parties due to Dark Patterns that back that illusion.
| 14 wrote:
| Agreed. The last example was an LED grow light I purchased
| whose description said it had a grounded plug. When it arrived
| there was only a 2 prong plug. I'm wary of everything I buy
| there now and try to find a manufacturer direct order when
| possible. Fulfilled by Amazon should read as a warning sign.
| aceazzameen wrote:
| Yep. I've been ordering from Target, Best Buy, and Walmart
| much more often these days. I just assume the product
| descriptions and reviews on Amazon are all lies.
| brimble wrote:
| Target and Wal-Mart also sell third party shit. It's easier
| for me to just buy directly from brands I like, or to shop
| for them on a couple outlet sites I trust (so far) to sell
| legit (overstocked or lightly damaged) top-quality stuff
| and not lower-quality second- or third-tier versions (as
| some outlet stores do), than figure out how to avoid or
| disable displaying third party sellers on a bunch of
| different sites.
|
| By the time you factor in the time and frustration for
| that, any savings (which isn't even guaranteed) doesn't
| look like great ROI anyway. Plus, even Amazon often won't
| carry the full range of a brand's products, so I get more
| options shopping this way.
| mardifoufs wrote:
| Best buy is filled with 3rd party sellers too but it's at
| least very easy to filter them out. If I could do the
| same on Amazon I wouldn't have any problem with 3rd party
| sellers, but they instead make it almost impossible to
| know even if you check manually.
| aceazzameen wrote:
| That and Amazon commingles their inventory with 3rd party
| inventory, which can sometimes be counterfeit. And Amazon
| doesn't care if the counterfeit products are mixed in
| with the genuine products in their warehouses. As far as
| I know, Best Buy/Target/Walmart don't commingle their
| inventory with 3rd parties because they have physical
| stores that they can pull from.
| aceazzameen wrote:
| True. But stores like Target also let you see inventory
| in physical stores, so it's easier to purchase an item
| you know is coming from a Target store/warehouse than a
| 3rd party.
| gkilmain wrote:
| Interesting. I would have lumped them all together. Why do
| you trust reviews on Target but not Amazon?
| wombatpm wrote:
| Target and Walmart take online returns at their stores,
| which no one in the supply chain likes. They will take
| bad suppliers to the woodshed if there are too many returns
| of an item. Hence they have skin in the game to carry
| quality products.
| jimmaswell wrote:
| These days I'll order certain things from Wal Mart if I'm
| wary of what I see on Amazon.
| bsder wrote:
| > Amazon today is a street side flea market. You really don't
| know what you'll get.
|
| There are two times when I will use Amazon nowadays:
|
| 1) If there is an official store there
|
| Anker is a good example of this. It seems like Amazon doesn't
| commingle inventory if there is an official store.
|
| 2) If I want something faster than Alibaba/Aliexpress
|
| Quite often I can find the exact Chinesium equivalent on
| Amazon and I get the benefit of returnability if what is
| advertised is completely out of whack.
|
| This has to be costing Amazon money, but it's their funeral.
| InitialLastName wrote:
| > It seems like Amazon doesn't commingle inventory if there
| is an official store.
|
| Is there any confirmation of this? I've seen assertions
| both ways.
| lupire wrote:
| No. Amazon doesn't commingle inventory when... the
| manufacturer doesn't sell through any other channels, so
| there is no one to commingle with.
| reincarnate0x14 wrote:
| Do you know if the original order was from Reolink? If I had to
| guess, that may have been a questionable reseller. I've seen
| several cases in which it looks like you're ordering from
| SomeCorp as fulfilled by Amazon but once you get into the
| actual order process it shows up as some other seller that was
| in the "Buying Options" list.
|
| Definitely sketchy behavior on Amazon's part; never dealt with
| the selling side there so no idea if this is sellers gaming
| Amazon or just an awful market platform in general.
| switchbak wrote:
| Not an isolated incident. My mother was transferred to an
| Amazon employee who tried to scam her as well. This was years
| ago, and I reported it to Amazon. No idea what eventually
| happened, but I was shocked that they'd be so brazen about
| committing fraud as an actual employee.
| 1270018080 wrote:
| Amazon hasn't been usable in a long time for me. It takes more
| time to find non-counterfeit/trash products than it's worth.
| craftyguy wrote:
| > I was blown away that Amazon would transfer me to a scammer
|
| You shouldn't be. The amazon store's core business model is
| allowing scammers to sell garbage to unsuspecting buyers.
| Cd00d wrote:
| I'm blown away that Amazon has phone support! I had no idea!
| MerelyMortal wrote:
| They don't make it as easy to call as they did in the past
| though.
| Nextgrid wrote:
| > I was blown away that Amazon would transfer me to a scammer.
| I contacted Amazon again and let them know what had happened.
| Hopefully they will figure out how their guy got this scammer's
| phone number and teach him how to find a 3rd party phone
| number...
|
| 1) Amazon is complicit in shady behavior on their platform,
| whether it's inventory commingling, sketchy sellers repurposing
| existing, well-reviewed listings for a totally different
| product or those bribing customers to leave good reviews with
| gift cards or free stuff.
|
| 2) The tech support number could very well be provided by the
| seller, and you could've bought the camera from a listing from
| said seller instead of the real Reolink (if the "real" Reolink
| even sells on Amazon to begin with). Maybe tech support
| scammers are now using this as a new lead-generation tactic
| ("legitimately" sell a high-maintenance product but scam anyone
| that calls for support?).
| jjoonathan wrote:
| Yep. Amazon gets a cut and they act like it.
| dangus wrote:
| This is quite a jump to conclusions. The alternative theory
| of the customer service rep googling a phone number and
| getting the wrong one is far more likely. Or, it's possible
| that the company's own seller login was compromised and a
| scammer changed their contact number.
|
| The idea that a wildly successful multi-billion dollar
| company would actually set up such an easily-noticed system
| where they "get a cut" of phishing scams is outlandish.
| daniel-cussen wrote:
| Why is your username dangus? Are you imitating dang too?
| ethanbond wrote:
| I don't think the "cut" implies they are in on some
| phishing scam. It's saying they take a cut of all volume,
| so even volume that's harmful to consumers is hardly
| worth Amazon's attention (as is evidenced by the
| obviously massive economy of systematic scamming that
| happens via Amazon, all of which, again, they get a cut
| of).
| danachow wrote:
| > The alternative theory of the customer service rep
| googling a phone number and getting the wrong one is far
| more likely.
|
| Their support staff is that reckless and Amazon has no
| training and other systems in place to prevent that? Your
| theory doesn't paint them in any better light.
| bllguo wrote:
| It's far more believable than Amazon being in cahoots
| with scammers. Whether you think this is "better" or
| "worse" wasn't really part of the discussion.
| specialist wrote:
| Well. Not directly. But same outcome. No actual conspiracy
| or collusion necessary.
|
| Amazon profits so much that they're content to eat the
| rampant fraud and waste, rather than run a proper legit
| marketplace.
| bryanrasmussen wrote:
| that number 2 is some next generation criminality there!
| twoxproblematic wrote:
| taylorfinley wrote:
| It's pretty shocking but most IP cameras can be accessed with
| nothing more than their serial number. Here's a somewhat
| recent DefCon talk about it:
| https://m.youtube.com/watch?v=Z_gKEF76oMM
|
| I use Reolink cameras; in the admin interface there's an
| option called UID. Turning that off (theoretically) disables
| the backdoor. I have my cameras and NVR (which is actually
| just a Python script on an old laptop that uses ffmpeg to
| capture streams) on their own air-gapped LAN so I don't have
| to worry about blackhats or the CCP using backdoors to watch
| my kids.
| brk wrote:
| Well, _most_ IP cameras cannot be accessed this way when
| you look at the global pool of IP cameras. However, many of
| them on Amazon, particularly from OEM companies like
| Reolink that are more of a custom relabeller than a real
| camera manufacturer, have all kinds of backdoor access
| methods.
|
| Best practice is to put your IP cameras on a separate
| isolated network, connected to a dual-NIC recorder/PC
| running trusted software (eg: not some random DVR/NVR on
| Amazon) for recording and viewing. This is not a perfect
| solution, but it at least takes you far away from the path-
| of-least-resistance pool of devices with weak cybersecurity
| that are prone to various exploits.
| ashtonkem wrote:
| And this is why my Reolink cameras are on a subnet without
| access to the internet. The only thing they can reach is my
| Home Assistant and open source NVR.
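The isolated camera network that brk and ashtonkem describe, as an added example (not code from any commenter or from Reolink): an nftables ruleset for the dual-NIC recorder, which denies all forwarding, lets cameras only answer connections the recorder opens, and logs any camera that tries to reach out on its own (the UID/P2P style phone-home) so the attempt can be spotted. Interface names and addresses are constructed assumptions: eth0 faces the home LAN, eth1 faces a 192.168.50.0/24 camera network with the recorder at .1 and cameras at .10-.19.

```nftables
#!/usr/sbin/nft -f
# Added example ruleset for a dual-NIC camera recorder (not from the thread).
# Assumed, constructed layout:
#   eth0 = home LAN / internet side
#   eth1 = isolated camera network 192.168.50.0/24, recorder is 192.168.50.1
# Pair this with "sysctl net.ipv4.ip_forward=0" so the box never routes at all.
flush ruleset

define lan_if  = "eth0"
define cam_if  = "eth1"
define cam_net = 192.168.50.0/24

table inet camwall {
    # Cameras the recorder is allowed to talk to (constructed addresses).
    set cameras {
        type ipv4_addr
        flags interval
        elements = { 192.168.50.10-192.168.50.19 }
    }

    chain input {
        type filter hook input priority 0; policy drop;
        iif lo accept
        # Replies to connections the recorder itself opened (RTSP pulls, admin UI).
        ct state established,related accept
        # Admin access to the recorder only from the LAN side.
        iifname $lan_if tcp dport { 22, 443 } ct state new accept
        # Cameras may only answer; they never open connections to the recorder.
        # DHCP is the one exception, assuming the recorder runs the DHCP server.
        iifname $cam_if udp dport 67 accept
        # Anything else a camera initiates is logged (rate limited) and dropped:
        # a hit on "cam-inbound-drop" is a camera trying to phone home.
        iifname $cam_if ip saddr $cam_net limit rate 10/minute log prefix "cam-inbound-drop "
        iifname $cam_if drop
    }

    chain forward {
        type filter hook forward priority 0; policy drop;
        # Nothing is routed between the camera network and anywhere else, so a
        # UID/P2P connection from a camera has no path to the internet. Log it.
        iifname $cam_if limit rate 10/minute log prefix "cam-egress-attempt "
    }

    chain output {
        type filter hook output priority 0; policy accept;
        # The recorder may pull streams (RTSP 554) and reach the admin UI of
        # known cameras; everything else toward the camera network is dropped.
        oifname $cam_if ip daddr @cameras tcp dport { 80, 443, 554 } accept
        oifname $cam_if ct state established,related accept
        oifname $cam_if udp sport 67 accept
        oifname $cam_if drop
    }
}
```

Grepping the kernel log for the two prefixes gives a simple phone-home detector: a camera that is truly quiet produces no "cam-egress-attempt" lines at all.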
| ______-_-______ wrote:
| I bet your Amazon rep just searched for Reolink and clicked on
| a Google ad that happened to belong to the scammers.
| dqv wrote:
| Well this initiated a rant, not directly related to ads, but
| Google in general. This is an internet literacy issue I've
| noticed more and more. People will refer to Google listings
| as an authoritative source even if the data comes from some
| third party.
|
| "Is this Jordan's Tiles?"
|
| "No. This is Patrick. You have the wrong number."
|
| "It says on their website this is the number!"
|
| "Their website is wrong, this isn't Jordan's Tiles."
|
| _more argument with me just hanging up because they're
| clueless_ (someone even had the audacity to ask me what the
| number was for Jordan's Tiles like I'm their personal
| assistant)
|
| And finally I went on Google and searched for Jordan's Tiles.
| There my number was on the listing and on a _third party
| source_. The right number was on the lower ranking Jordan's
| Tiles website. They were so argumentative about being so
| wrong, it was outside of their ability to understand that the
| internet can and does give you the wrong information.
| itronitron wrote:
| Apple Maps from my experience is quite bad about this. I
| know of one city where it happily provides the locations of
| four DHL counter locations even though there is only one.
| Numerous other store locations on Apple Maps also often do
| not exist, so however they are sourcing their data is full
| of errors or outdated information.
| lostlogin wrote:
| Wrong opening hours on Google is a niggle for me. And
| having been on the other side of the equation, changing the
| hours Google says a business is open is not always
| straightforward.
| threads2 wrote:
| whoa, dude, language
| lupire wrote:
| This is a great opportunity for you to learn more English
| language.
| asib wrote:
| Not sure if you're joking, but the etymology of this word
| does not appear to be racist. According to [0], it
| derives from the same root as "niggardly", which
| according to [1], is unrelated to the racial epithet.
|
| [0]: https://en.wiktionary.org/wiki/niggle
| [1]: https://en.wiktionary.org/wiki/niggard#English
| davchana wrote:
| My friend booked one international flight with departure
| and destination having 12+ hours timezones difference. The
| email listed the departure time & duration of journey and
| arrival time, all in local times (as expected). Gmail auto-
| creates an event for flights and hotel bookings, and thus
| showed the correct departure time and duration; then that AI
| simply added that duration to the departure time and showed
| the landing time in the departure city's time zone. Wrong. My
| friend, no blame, believed it until I pointed it out.
| pmoriarty wrote:
| .
| jazzyjackson wrote:
| you've got caller and callee flipped
| david422 wrote:
| Honestly, how do you know what the right number is though?
| Everybody outsources their stuff. The real website is at
| jordans-eatery.outsourcedsite.com. Or maybe the guy at
| jordans-eatery.seo.com is taking calls and placing orders
| to the real site at a markup. Or maybe the real number is
| on jordans-eatery.com. Or maybe it's none of those.
| aaaaaaaaaaab wrote:
| You should have spun up your own tile business, preferably
| just dropshipping from the real Jordan's Tiles!
| ejb999 wrote:
| I've had that happen to me as well - person finds a wrong
| number online someplace, calls me, and then is mad at me
| that I am not who they are looking for...go figure.
| [deleted]
| rolobio wrote:
| Had this happen to me when I was in IT. I got a cold
| transfer of an angry customer who wanted to talk to a guy
| who had a very similar name. I told the customer that
| they wanted the other guy, I was in the wrong department,
| and they wouldn't believe me. They said "I know it's you
| from yesterday, I recognize your voice!" How was I
| supposed to argue against that?? Eventually I convinced
| them and did a warm transfer to the correct guy. We do
| have similar voices...
| rhizome wrote:
| "Call Google. Ask for Sundar."
| burnished wrote:
| I think this might just be a people thing? I've had the
| same experience (someone calling for the YMCA, I inform
| them they have the wrong number, they proceed to argue and
| berate me) but they probably just misdialed.
|
| Not that I don't also feel like Google search results have
| gone downhill.
| acheron wrote:
| Yeah, you hear about this with the people who get taken in
| by Grubhub or whoever that's spoofing a restaurant's phone
| number/ordering site. I would never take a third-party
| source as authoritative, but apparently people do it.
| rhizome wrote:
| I never take restaurant phone numbers directly off of
| Google, I always check their (hopefully existent) website
| before calling, or at least crosscheck it against other
| sources. There is no way Grubhub or any of the other
| mediating greedholes will get even Caller ID data from me
| if I can help it.
| InitialLastName wrote:
| Wait until you find out that Grubhub and ilk have been
| known to prop up fake websites for places.
| daniel-cussen wrote:
| Go to the right address in person. If you have no real-
| life connection with the restaurant, or any restaurants,
| give up and take what you get.
| narag wrote:
| _"It says on their website this is the number!"_
|
| "What do you think is more probable: that the website is
| wrong or that I don't know who I am?"
| ashtonkem wrote:
| Given how many fake products amazon sells and intermingles with
| legitimate products, it isn't at all surprising that they
| forwarded you to a scammer. They just don't care about
| protecting their customers, apparently.
| dheera wrote:
| > The Amazon technician was helpful and shipped me a
| replacement.
|
| Considering they have a backdoor, why did you want a
| replacement instead of a refund?
| rolobio wrote:
| Had they actually had a backdoor, I would have unplugged it
| from the internet. Clearly the scammer did not have a
| backdoor.
| itslennysfault wrote:
| Reason #99,999 that I don't use Amazon anymore. Just buy stuff
| in-person, pay the shipping, wait the week, or whatever. You'll
| be fine I promise.
| dheera wrote:
| Stuff in person costs 2X the price though. Especially bike
| parts.
|
| It's often cheaper to buy from Amazon but never go through
| troubleshooting support. Always return or replace.
|
| If that doesn't work, give a 1 star review, wait for the
| seller to come chasing you with a gift card in return for 5
| stars. Change it to 5 stars, spend the gift card, and then
| change it back to 1 star.
| [deleted]
| craftyguy wrote:
| As someone who buys a lot of cycling parts online, there
| are many mom/pop bike shops with web storefronts that are
| very reasonably priced and often include "free" shipping.
| Stop giving Bezos your money, you have no excuse.
| jeromegv wrote:
| Yeah... lots of people keep repeating "but it's expensive
| out of Amazon!" and they never tried. Sure, you can find
| cheaper products on Amazon, but once you start looking
| around, it's definitely not always the case. But people
| are lazy, they get multiple Amazon packages a week, and
| love to complain about Bezos but do nothing about it.
| weq wrote:
| I bought a book on Amazon in 2005. It came (weeks) late,
| I complained, got sent another, and ended up receiving 2
| books. It was my last purchase from Amazon. Since then,
| the only time I see Amazon is on the backend of a
| scammer. Amazon is, in my opinion, in every sense, a scam
| itself.
|
| First off, it's just morphed from a book store into an
| upper-class eBay. Alibaba became the Chinese eBay. I'll
| pay that drop shipper the money, I've got no problem with
| the convenience they give, but realistically what's the
| point of going through 3 middlemen when I can wait an
| extra week and limit that to 0 or 1?
| overtonwhy wrote:
| Lots of call centers get targeted with this type of scam. I
| think it's because call center employees are so poorly treated
| and compensated that it's appealing to join the scam. I've seen
| the same exact thing happen with QuickBooks support. The actual
| agent you're speaking with gives your contact info to the
| scammer who calls you back.
___________________________________________________________________
(page generated 2022-03-31 23:00 UTC)