Hacker News new | ask | show | jobs
by throwaway_qwe 941 days ago
I was recently a target of a UK online bank phishing scam (not Monzo). They were highly sophisticated. They knew details of recent transactions, including bank transaction numbers that don’t show in any qif export or anything. They had a plausible reason to call (based on said visibility). They had researched my name and everything about me and my family that is online. They faked caller ID. Their ‘patter’ was so advanced that I do not know this extra layer of protection would have helped much. Luckily I didn’t finish the steps and lost no money.

It is clear the bank has had a severe exfiltration event. There are other reports that online. IMHO the law should make banks report breaches to the ICO and a record of the nature and size of the breach be public.

Through the process I learned that in the UK you can call 159 to directly contact your bank fraud dept (most banks) https://stopscamsuk.org.uk/159

I also learnt about the police’s Action Fraud hotline to report cybercrime. https://www.actionfraud.police.uk/what-is-action-fraud

The phisher was very determined. They called back in 15 minutes claiming to be from the bank fraud dept returning my call. Then 2 weeks later they called back claiming to be from Action Fraud.

However prepared you think you are for such an attack, my advice is to have utmost caution for every single call from anyone claiming to be anyone.

I also have a Monzo account. Even if they called me I wouldn’t use this. Hang up. Call them. Don’t let them call you.
10 comments
hermitcrab 941 days ago
On landlines IIRC there is some feature that allows them to stay on the line after you hang up. So when you try to call the bank, you get the scammers again.

https://security.stackexchange.com/questions/100268/does-han...

So try to call the bank from a mobile.

link
ethanbond 941 days ago
Now that is insane. Totally sounds like one of those things that paranoid old people believe about newfangled technology, but nope, just extremely weird protocol design.
link
traceroute66 941 days ago
> just extremely weird protocol design

Its not really weird if you look at it in context.

People who are not Gen-Z whipper-snappers will recall the era.

Before cell phones, before DECT home phones, before wireless cordless home phones you had fixed phones.

You had a master socket and then, optionally, one or more secondary sockets (depending where you lived, you were either permitted to install these secondary sockets yourself, or you had to call in the telco to do it).

Anyway, so what would happen is that your friend from school would call you up. Inevitably your parent would answer the phone because they were, for example, in the kitchen cooking your dinner.

There would then be a shout across the house "Bobby its Johnny ... AGAIN !".

The call-transfer process would involve your parent hanging up and you picking up the nearest secondary handset.

Hence the exchange needed to keep the A-end of the call live whilst you completed the B-end "transfer".

The same generation of people will also recall the ability to abuse the mechanism to quietly spy on someone else using the phone. :)

link
kylegordon 941 days ago
UK analogue strowger exchanges did not permit the called party to clear down the line - that was the job of the calling party. A legacy function of being 'patched through'.

"Called Subscriber Held", a feature that was carried into early digital exchanges because people expected it to work in the manner you describe, even though afaik it was designed for the other purpose of keeping the line open whilst operators patched it through, trunk lines picked up the tone, etc.

My grandpa was a something like chief engineer for the West Coast of Scotland phone network. I have so many questions I wish I could ask him these days.

link
leereeves 941 days ago
In the US, Bobby would pick up the second handset before the parent hung up the first.
link
pulisse 941 days ago
Shouting across the house, "got it!"
link
netsharc 941 days ago
... although they can hear each other through the devices in their hands. More likely the person in the kitchen just put the handset down on the table and continued cooking.
link
dtech 941 days ago
It's still weird and unnecessary. This happened everywhere, but people just picked up the phone before the other person in the house would hang up. You mention it yourself because of the ability to spy.
link
jjav 939 days ago
> Now that is insane.

Remember it used to be a switched physical circuit. In the early days the switching was done by people, later it was automated. But you still had a circuit from phone to phone.

When one side hung up, the circuit is still live. Eventually it timed out and the switch disconnected it, but it took a while (don't remember how long). So you could hang up a phone, walk to a different room and pick up another phone and the same call circuit was still live (as long as the other side didn't also hang up meanwhile).

link
dredmorbius 941 days ago
It's worth noting that many landline phones now allow you to enter a number that you're intending to call, then pressing the call button at which point the number is automatically dialed.

If the dial tone is heard at all, it is for a very brief period, and might be entirely missed. This would make the scam you're describing even more readily achieved.

link
dredmorbius 938 days ago
On further reflection ...

... the autodial feature may well be waiting for dialtone in order to dial. I've not looked into this and you're probably best off testing this yourself on your own equipment.

link
pests 940 days ago
This was, IIRC, a regional thing based on how the internal network was set up And all the legacy stuff. Half the country experienced this and the other half didn't so it always causes fun stories like this And expected gotchas from those who are learning it for the first time.
link
throwawaymobule 941 days ago
This also exists (existed?) for mobile numbers, and was used by newspapers to 'hack' certain celebrities' voicemail. Including some cases where they deleted existing messages when the mailbox was full, so they could get more.
link
hermitcrab 941 days ago
I thought they just called their phones when they weren't in and used the default voicemail PIN (which most people don't change) to access their messages.
link
throwawaymobule 940 days ago
either default pin or guessed based on publicly available info. calling from their line was also done to get at more mailboxes.
link
yardie 941 days ago
> Even if they called me I wouldn’t use this. Hang up. Call them. Don’t let them call you.

This has become increasingly difficult in my experience. Where calling the local branch I have the actual relationship is just dumped into the IVR. They make it very hard to speak to an actual human being bank employee.

link
flatline 941 days ago
All I can get is callbacks for some places. This is newish. You can call, wait in the queue for 20+ minutes, get routed to voicemail, and leave an option for a callback. That’s it. And the CSRs won’t reveal any semi-secret info to confirm who they are, they just want info to confirm your identity. It is frustrating because “calling them first” for anything billing related has been my go-to for a decade.
link
yencabulator 941 days ago
The (US) banks I've experienced will give you an "incident number"[1], you can call the number on e.g. your credit card or bank's website and say you have an incident number and you'll be connected to a rep who can pull up the details.

[1]: or something like that, I forget the exact words

link
gpvos 941 days ago
Might be nice if you could enter that incident number from the initial phone menu instead of waiting for a human first.
link
yardie 940 days ago
My card has an international number which is US +1-(AreaCode)-XXX-XXXX. It used to bypass the IVR and send you directly to the top of the queue to a CSR. Because who has time to putz around the IVR when you're paying .25-.50/min to make an international call. Sadly, because some customers figured it out, it just routes you into the queue.
link
Guvante 941 days ago
I just make them tell me how to do it.

If they are behind an annoying IVR they usually know how to get back to themselves.

Of course don't take their word on what number to call, make them point to a part of their website that shows the number.

link
bmitc 941 days ago
I have experienced an increase in just flat out hang ups as well. If the automated system doesn't understand you, it'll just say "it looks like we're having a problem, goodbye". It's infuriating.
link
lozenge 941 days ago
Could the breach be at an Open Banking service that lets you view and aggregate your bank details such as Emma, Money Dashboard, TrueLayer? Some marketing/voucher companies are also using this sort of integration now such as Airtime Rewards.
link
throwaway_qwe 941 days ago
This is possible. I had the account linked to a very well known and popular service that is owned by another bank. I don’t want to use names. But “bank transaction ids” were known I do not know if this is part of the spec. My theory was some export from bank 1 for openbanking was breached or in bank 2’s import was breached. But the news items are about bank 1. Also, they knew details like the date of account opening which was different to date of first transaction. I was not using openbanking in many places but I have now turned it off everywhere.
link
jtaft 941 days ago
What about stolen mail? Would any of this details be in a bank statement?
link
throwaway_qwe 941 days ago
No paper bank statement. No email bank statement. Only qif/csv export. iPhone app only (not web). Fairly sure it was either an inside job and/or openbanking API implementation.
link
vkou 941 days ago
The best advice for dealing with this kind of fraud is knowing that there are exactly three things that can happen in a conversation with the fraud department.

1. "Did you make these purchases?"

2. "Yes" -> "Thanks, bye."

3. "No" -> "Thanks, we're disabling your card, and sending a new one to your address. If your address has changed, please pick it up at the branch."

Any deviation from this is a scammer posing as the fraud department. Any attempt to gather any information from you, besides 'Did you make these purchases?' is a scam.

They know who you are, if they didn't, they wouldn't be calling you.

link
jacquesm 941 days ago
> IMHO the law should make banks report breaches to the ICO and a record of the nature and size of the breach be public.

The law already is that they should report breaches to the ICO, at a minimum you should report this to the ICO and if you can you should name the bank, possibly right here in this thread so that others have a chance to find out. It's a throwaway so why not use it?

link
grecy 941 days ago
> Hang up. Call them. Don’t let them call you.

This is the golden advice. Never, ever speak to anyone about anything important if they contacted you. Call, text, email, whatever. End it and you contact them.

It doesn’t matter if it’s the bank, power company or telco. Even if HR called me or the CEO. Hang up, call them back. It adds 5 seconds to ensure all is good

link
lxgr 941 days ago
> It adds 5 seconds

Depends on the bank.

Some make it almost impossible to get past their IVR, which always claims to be able to help you with any issues you might have (as long as the issue is wanting to know your balance and last three transactions).

link
patrick451 941 days ago
Why are you banking there? Switch banks. Don't be a victim.
link
lxgr 941 days ago
I did. Ironically, it was almost impossible to get to a human representative to close the account: At one point, the IVR would literally end the call after authenticating me due to "problems with your account" (presumably my pending/stuck account closure request).
link
timnetworks 941 days ago
> This is the golden advice.

This bears repeating. It's so simple to check in using another known-good contact method, and btw phone calls are still cool.

link
lxgr 941 days ago
> btw phone calls are still cool.

Not to large corporations. Have you called one lately?

It's a minimum of five minutes of bartering, begging and pleading with the IVR to let you speak to a human, and even then a successful outcome is anything but guaranteed.

link
teeray 941 days ago
Usually doing what the IVR asks is the slowest path. Confusing it by mumbling nonsense so it thinks it can’t understand or ramming never-ending DTMF tones up its input buffer until it chokes works well. For certain companies and certain departments (usually where my ongoing satisfaction is a concern for the company), I’ve sometimes found yelling repeated expletives at the hold music gets me connected faster. I have nothing to substantiate it, but my conspiracy theory is that there’s a customer rage meter that can be gamed (remember “calls may be recorded for quality assurance“). By contrast, when my call is a pure cost center (e.g. product warranty claims), I’ve found there’s a mandatory hold time to encourage you to hang up.
link
c0pium 941 days ago
> yelling repeated expletives at the hold music gets me connected faster

The confirmation bias is real!

link
nerdponx 941 days ago
As everyone else is rightly saying, phone calls are only still cool if your bank or other institution agrees, which some do not.
link
gpvos 941 days ago
It may add up to 20 minutes if the waiting line is long.
link
doingtheiroming 941 days ago
These are by far the hardest kinds of fraud for banks to deal with right now. They’re so convincing that even when the bank detects them, the customer still demands the transactions go ahead because they’re so bought into the fraudsters. We need this kind of authentication to become normal for everyone for any transaction.
link
idk1 940 days ago
Could you let us know how you spotted it was a fraud please?
link
c0pium 941 days ago
> Hang up. Call them. Don’t let them call you.

Louder for the folks in the back. All bank cards should be required to print this on them.

link
mynameisvlad 941 days ago
I got a call from Amex fraud prevention and the voicemail explicitly told me to “Call X or the number on the back of your card” which I really appreciated.
link
switch007 941 days ago
Which bank? (Slightly worried UK resident here!)
link
throwaway_qwe 941 days ago
One of those on the 159 programme https://stopscamsuk.org.uk/159

Honestly, I’m not sure it matters. They’ve all had such incidents. I read somewhere that about 30% of your fees and mortgage interest go toward fraud mitigation,monitoring, and restitution.

I always live by these rules

- call them back, don’t talk to them

- ask why you need to do anything. It’s exceedingly rare a bank would call you to do something legit there and then. “I will do it later” will help. In fact that’s how I caught the phisher as I noted the aggravation in 1% of his voice.

- use credit cards, not debit cards, for purchases. They have far more protection.

- use all the 2FA and password complexity you can

- never use real info for challenge questions. Never use maiden name of mother etc. you can put “14 green fish” as the answer to the question if you like.

- make sure they are FSCS regulated, and try not to exceed that limit.

- understand FSCS does not cover you most phishing attempts, since the bank will claim they tried to warn you and were not negligent

- use private tabs for bank interactions

Through this experience I have learned not to trust “what we know about you” information they share. Do not underestimate HUMINT. A bank snitch could give up something as seemingly innocent (to them) as your “join date” and it be a lynchpin piece of info for a scammer.

This may all seem obvious to an HM reader. But it’s worth refreshing and reiterating.

link