I was the victim of an extremely clever card fraud/social engineering hack.

Well, partly a victim since I managed to stop it.

I was called by my bank, as they wanted to “verify some suspect transactions on my account”.

Then things got weird…

🧵

I was informed that there had been a charge for £2900 on a travel booking site.

As this conversation with my bank’s counter-fraud team was happening, I logged into my bank account and could see the fraudulent charge.

“Was this you?”

No, it definitely wasn’t me. Phew, well done for catching it.

“Also, sir, there is another transaction occurring right now that seems odd - for £5900 at Marbella Boat Hire. Is this you?”

Nope, that wasn’t me either.

At this point, my pulse was obviously raised and I was worried what else was going on.

“Ok, sir, we are going to send you a verification code, which we need you to read back to cancel the transaction”.

Ok, bit odd, but yeah, let’s go and get these cancelled.

Then a text/SMS message arrives with a six-digit code. I put the call on speaker so I can read it out.

And I notice something odd…

The full text of the message says: “Do not share this message with anyone. To approve the purchase from Marbella Boat Hire for £5900, use code 638267”.

Hold on, I say, this says “to approve the purchase”!

“Ah, right, sir, we’ve had a few problems with our messaging system, so I’m not 100% sure what the message actually says. We just need the code so we can get the purchase blocked. You can ignore the start of the message”.

My spider-sense is tingling, so I challenge…

I can’t share this code, I say.

“No, sir, that’s very smart. I’m so sorry about our messaging system being odd. Let me send you a notification inside your banking app instead”.

The notification arrives and I open my banking app, thinking a hitherto unseen red warning label is about to show me a button that cancels a transaction inside the app.

But again it just says “to approve this transaction”.

Now I’m starting to worry …

So finally I say, look, I need to call my bank directly. This all seems a bit odd.

And then, naturally (in retrospect), the guy hangs up.

I call my bank. They verify that it wasn’t them.

So, very cleverly, the fraudster has used their first fraudulent transaction to socially verify that they knew something only a bank could know - about transactions on my card.

They used that transaction - that they themselves had done - to get me to read a 3D secure code to approve the next transaction that they also wanted to do.

They were able to do this because the first transaction had happened on a site that didn’t use 3D secure. I’m surprised this is still possible.

In the end, my bank refunded the first transaction. So I haven’t lost anything.

But it shows the clever tricks fraudsters will try to pull and how easy it is to be fooled by the “boiler room” trick. “IT’S HAPPENING RIGHT NOW - DO SOMETHING QUICK!”

End 🧵

@BjornToftMadsen that's fascinating. And easy to see why people would fall for that.
I wonder where they got your card details *and* phone number from?

@Edent yes this is also what I can’t understand. I have it on authority that a bank can be tied to a 16 digit credit card number (the issuer ID is embedded), but how they got my phone number I still cannot understand. I shred religiously.

The only way I can see this happening is with a dodgy purchase form from a website, one where you also supply a phone number.

As it happens, I’ve got my suspicions on one particular site, which I’ve shared with the bank.

@BjornToftMadsen personally, I think shredding is overrated (unless you're a person of interest). Seems far more likely a dodgy site, or a legit site which has been hacked.
I've started using a separate phone number for purchases. If a call from "my bank" comes through on that, I know it is fraudulent.
@Edent @BjornToftMadsen I can second using a different number to give to places you don’t trust (I use a VoIP one from @aaisp for this) but I’ve also had one site insist I change it post-signup as it wasn’t a “real” number!

@ninkosan @Edent @BjornToftMadsen @aaisp Sounds like they have GDPR backwards - they have an obligation to correctly record your personal information, and a phone number you have said is yours (and is) is what they have to record for you. 🙂

[No the ICO have no clue on this either]

@revk it was a bit weird tbh. They obviously knew it was a VoIP number and didn’t like it. I just used said GDPR to delete my account in the end 🙂

@ninkosan I think all 5G mobile are VoIP, are they not? And soon all UK PSTN "landline" numbers will be VoIP as well. Saying a VoIP number is not "valid" makes no sense.

I've also had someone moan at an 07 they claimed was VoIP. I suggested another, which they said was acceptable. My explanation that the first went to my actual mobile, and the second (ported to another operator) went to my VoIP desk phone, did not faze them at all. There is no logic to the complaint!

@revk @ninkosan US services still moan about this constantly, and a lot of "validation" services use old, stale databases on top of that. Years ago I grabbed a vanity number via the wholesaler we used at $OLDJOB, and ported it to my cell provider. For years afterwards, I was constantly told that "VoIP numbers are not supported!" despite it damn well not being one 😭