by massung 329 days ago
I use USAA for banking.

Something they do when they initiate a call to me on the phone is they start by making sure they are talking to me (they don’t ask me to prove it) and making sure I have the app on my phone or access to a web page.

Then they initiate a MFA check within the app. I have to get it and read back a number. Then they ask me for my phone PIN or password. Once that’s done, then we can start talking.


That is a really bad idea. That's letting anyone who phones you prove to the bank that they are you.

You should only reveal an MFA code to someone that you have called, knowing that it is the right person.

Walk me through the chain you’re thinking of. I want to understand it better.

If you’re thinking that - for example - someone is attempting to log into my account online and simultaneously calls me pretending to be the bank. They are presented with an MFA check and tell me they initiated it. I give it to them unwittingly, and now they are in.

My understanding is that isn’t possible here, because this “MFA check” is different than the login one. The login one is the “Google Authenticator, 6 numbers”. This is a different code entirely. Obviously I didn’t specify that in the original post. My bad.

If that wasn’t what you were thinking and you can think of how this fails, I need to know and learn more!

Well, if I wanted to get into your account, apparently I just call the bank and then call you. Any time they ask me something I ask you the same thing and pass it along to them, and you'll faithfully tell me. They trigger the codegen and ask me to read it back and I ask you and you happily tell me. Then I "confirm your account is safe" to you, and continue my call with the bank except now I've authenticated as you.
The scammer calls the bank rather than trying to log in. When calling, they will be asked to verify with info and the code which they will get from you. Think mitm but telephone based. The verification info (maybe just a zip code or last 4 of ssn or something publicly available) can be acquired beforehand so they only need the code to be relayed. Obviously they have to get the timing right, so you might be on the phone for a few minutes before they find a reason to ask for the code.
Makes total sense. Thank you!
You're giving a MFA number to someone that called you?!
The bank I used to use had a per-verification request code that the app showed. If the party dealing with you knew the code, you could be sure they were the party who initiated the verification request.
But you said you read back the code. It should be the other way around--*you* compare the code they give you with the code the app gives you. Give zero information until identity is confirmed.
That's really not safe...
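As an added illustration (not code from this thread or from any bank's system), a small Python simulation of the two phone-verification flows argued over above: a customer who reads the app code back to an inbound caller, versus a customer who only compares the code the caller states and reveals nothing, as the last comments recommend. Every class and function name here is an assumption made for the model.

```python
import secrets
from dataclasses import dataclass, field

@dataclass
class Bank:
    """Bank side: each verification pushes a fresh per-request code to the
    customer's app; an inbound caller is accepted only if they can state it."""
    app_screen: list = field(default_factory=list)  # codes currently shown in the app

    def start_verification(self) -> str:
        code = f"{secrets.randbelow(10**6):06d}"   # constructed 6-digit code
        self.app_screen.append(code)
        return code

    def verify_inbound_caller(self, caller) -> bool:
        expected = self.start_verification()        # push first, then ask the caller
        return caller.state_code() == expected

@dataclass
class Customer:
    """Customer side. reads_back=True is the behaviour from the original post:
    speaking the app code to whoever is on the line. Otherwise compare only."""
    bank: Bank
    reads_back: bool
    spoken: list = field(default_factory=list)      # everything said on the phone

    def answer_caller(self, request: str):
        if request == "read me the code in your app":
            if not self.reads_back:
                return None                          # reveal nothing until identity is confirmed
            code = self.bank.app_screen[-1]
            self.spoken.append(code)
            return code
        if request.startswith("the code is "):
            # caller proves they initiated the request; the customer only says yes/no
            return "ok" if request[len("the code is "):] in self.bank.app_screen[-1:] else "no"
        return None

@dataclass
class RelayCaller:
    """The telephone MITM from the thread: calls the bank as the victim and
    relays the bank's question to the real customer on a second call."""
    victim: Customer
    def state_code(self):
        return self.victim.answer_caller("read me the code in your app")

def run_relay(reads_back: bool) -> dict:
    bank = Bank()
    victim = Customer(bank, reads_back)
    authenticated = bank.verify_inbound_caller(RelayCaller(victim))
    return {"attacker_authenticated": authenticated, "codes_spoken_by_customer": victim.spoken}

def bank_calls_customer(customer: Customer) -> str:
    """Outbound call: the agent states the per-request code, the customer compares."""
    return customer.answer_caller(f"the code is {customer.bank.start_verification()}")

def impostor_calls_customer(customer: Customer) -> str:
    """A caller who never initiated a request has no pending code to match."""
    return customer.answer_caller("the code is 000000")
```

With the read-back policy the relay caller is authenticated and the customer's transcript contains the code; with the compare-only policy nothing secret is ever spoken, so there is nothing for the relay to forward.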