I’ve made a few big (unusual) purchases on my credit card recently. My credit card provider called me up and asked me to provide my security details.
Being a suspicious kind of person, I enquired
How do I know you are my bank?
Quite politely and correctly the caller suggested I look at my credit card, and phone them back on the telephone number provided, and quoting the reference XXXX.
This I did, and confirmed the purchases as genuine. No problems.
A few months later, I relayed the above story to at a security industry event. It turns out I could still have been easily scammed. Here’s how it works:
- Having made the (fake) call to me to report an issue on my card, the attacker does not hang up the phone their end.
- The attacker plays a fake dial-tone down the line.
- The victim, picks up the phone, hears the (fake) dial tone and punches in the trusted bank phone number.
- They perpetrator plays a ringing sound, then ‘answers’ the call.
- They take you through security by asking for you password etc…
- Whack – you’ve been done.
To avoid this, the advice I was given was do one of the following if your bank calls, and you need to call them back.
- Use a different phone to call the bank back.
- Call someone else you trust first, and make sure the call connects and you speak to the right person.
- Hang up, and wait 30 minutes – after which the call will normally clear itself.
While this is good advice, I doubt it is widely known. Is this an education issue, or do we need a ‘stronger’ security ‘protocol’ over the phone?