grndkntrl
Bjorn Toft MadsenI was the victim of an extremely clever card fraud/social engineering hack.
Well, partly a victim since I managed to stop it.
I was called by my bank, as they wanted to “verify some suspect transactions on my account”.
Then things got weird…
🧵
I was informed that there had been a charge for £2900 on a travel booking site.
As this conversation with my bank’s counter-fraud team was happening, I logged into my bank account and could see the fraudulent charge.
“Was this you?”
No, it definitely wasn’t me. Phew, well done for catching it.
“Also, sir, there is another transaction occurring right now that seems odd - for £5900 at Marbella Boat Hire. Is this you?”
Nope, that wasn’t me either.
At this point, my pulse was obviously raised and I was worried what else was going on.
“Ok, sir, we are going to send you a verification code, which we need you to read back to cancel the transaction”.
Ok, bit odd, but yeah, let’s go and get these cancelled.
Then a text/SMS message arrives with a six digit code. I put the call on speaker so I can read it out.
And I notice something odd…
The full text of the message says: “Do not share this message with anyone. To approve the purchase from Marbella Boat Hire for £5900, use code 638267”.
Hold on, I say, this says “to approve the purchase”!
“Ah, right, sir, we’ve had a few problems with our messaging system, so I’m not 100% sure what the message actually says. We just need the code so we can get the purchase blocked. You can ignore the start of the message”.
My spider-sense is tingling, so I challenge…
I can’t share this code, I say.
“No, sir, that’s very smart. I’m so sorry about our messaging system being odd. Let me send you a notification inside your banking app instead”.
The notification arrives and I open my banking app, thinking a hitherto unseen red warning label is about to show me a button that cancels a transaction inside the app.
But again it just says “to approve this transaction”.
Now I’m starting to worry …
So finally I say, look, I need to call my bank directly. This all seems a bit odd.
And then, naturally (in retrospect), the guy hangs up.
I call my bank. They verify that it wasn’t them.
So, very cleverly, the fraudster has used their first fraudulent transaction to socially verify that they knew something only a bank could know - about transactions on my card.
They used that transaction - that they themselves had done - to get me to read a 3D secure code to approve the next transaction that they also wanted to do.
They were able to to do this because the first transaction had happened on a site that didn’t use 3D secure. I’m surprised this is still possible.
In the end, my bank refunded the first transaction. So I haven’t lost anything.
But it shows the clever tricks fraudsters will try to pull and how easy it is to be fooled by the “boiler room” trick. “IT’S HAPPENING RIGHT NOW - DO SOMETHING QUICK!”
End 🧵
Terence Eden@BjornToftMadsen that's fascinating. And easy to see why people would fall for that.
I wonder where they got your card details *and* phone number from?
I wonder where they got your card details *and* phone number from?
@Edent yes this is also what I can’t understand. I have it on authority that a bank can be tied to a 16 digit credit card number (the issuer ID is embedded), but how they got my phone number I still cannot understand. I shred religiously.
The only way I can see this happening is with a dodgy purchase form from a website, one where you also supply a phone number.
As it happens, I’ve got my suspicions on one particular site, which I’ve shared with the bank.
@BjornToftMadsen personally, I think shredding is over-rated (unless you're a person of interest). Seems far more likely a dodgy site, or a legit site which has been hacked.
I've started using a separate phone number for purchases. If a call from "my bank" comes through on that, I know it is fraudulent.
I've started using a separate phone number for purchases. If a call from "my bank" comes through on that, I know it is fraudulent.
ninkosan@Edent @BjornToftMadsen I can second using a different number to give to places you don’t trust (I use a VoIP one from @aaisp for this) but I’ve also had one site insist I change it post-signup as it wasn’t a “real” number!
RevK 
@ninkosan @Edent @BjornToftMadsen @aaisp Sounds like they have GDPR backwards - they have an obligation to correctly record your personally information, and a phone number you have said is yours (and is) is what they have to record for you. 🙂
[No the ICO have no clue on this either]
@revk it was a bit weird tbh. They obviously knew it was a VoIP number and didn’t like it. I just used said GDPR to delete my account in the end 🙂
@ninkosan I think all 5G mobile are VoIP, are they not? And soon all UK PSTN "landline" numbers will be VoIP as well. Saying a VoIP number is not "valid" makes no sense.
I've also had someone moan at an 07 they claimed was VoIP. I suggested another, which they said was acceptable. My explanation that the first went to my actual mobile, and the second (ported to another operator) went to my VoIP desk phone, did not phase them at all. There is no logic to the complaint!
the vessel of morganna@revk @ninkosan US services still moan about this constantly, and a lot of "validation" services use old, stale databases on top of that. Years ago I grabbed a vanity number via the wholesaler we used at $OLDJOB, and ported it to my cell provider. For years afterwards, I was constantly told that "VoIP numbers are not supported!" despite it damn well not being one 😭
TheAnymouseProphet@Edent
Shredding is not over-rated.
I'm no longer in hacker circles, but digging through trash for information was quite common when I was.
@BjornToftMadsen
Shredding is not over-rated.
I'm no longer in hacker circles, but digging through trash for information was quite common when I was.
@BjornToftMadsen
Full Metal Archaeopteryx@Edent
I find few reasons why a vendor should need my number when there's a perfectly valid email address right there ; so I often plug in my old landlines number... The phone company may have reissued it, but it's certainly not me answering
@BjornToftMadsen
I find few reasons why a vendor should need my number when there's a perfectly valid email address right there ; so I often plug in my old landlines number... The phone company may have reissued it, but it's certainly not me answering
@BjornToftMadsen
Världens bästa Kille™@Edent @BjornToftMadsen ”Legit site”
Last count I saw there were some 8000 data brokers selling and re-selling your information. Firms like Klarna may or may not sell your data (last I checked their data policy basically said they promised to not send your data to the Bahamas unless they really wanted to), and for many of them selling data is an important source of revenue, if not the main one.
@Edent @BjornToftMadsen My point is that “legit” sites use those firms and have very little control or insight or understanding of what’s going on. So maybe “legit” is a bit of a misnomer.
Also they quite often leak information, don’t even have to be hacked. Like the Swedish pharmacy that leaked the data of a million customers because they didn’t understand how Facebook works.
Simon Zerafa (Status: 
😊)Now that's an interesting idea. Virtual phone numbers olong with virtual card numbers (if UK banks would get serious about them).
Make both accessable from an app or website and we have a very useful service 🙂
aeva@Edent @BjornToftMadsen I caught someone fishing mail out of my dumpster once. I shred pretty much everything now, on the theory that it's good to have a healthy mix of shredded nonsense in with the important stuff.
Dragon@BjornToftMadsen @Edent Or your phone number was in one of the many data breeches that seem to be occuring with increasing frequency.
@BjornToftMadsen @Edent Or someone was storing credit card info and both bits of data came from the same source. (I Know they're not supposed to store CC data but there's plenty of places that still do it anyway)
It's not uncommon for retailers to ask for the phone number during the order proccess so it's feasible someone had both together.
potatoofdestiny@BjornToftMadsen @Dragon @Edent I could buy a shitty hotel that stored more data than they were supposed to
GinevraCat@BjornToftMadsen @Edent We had something similar in South Africa a couple of years ago and it turned out to be an inside job by a bank employee working with a mobile phone company to reroute calls.
Giuseppe Mazzapica@BjornToftMadsen @Edent The great majority of this information are obtained from ecommerce sites leaks. Those data are for sell in bulk. I personally use virtual credit cards that I delete and re-create every few months and when a phone number is mandatory, I use a number not associated with any card/bank account.
Matt Wilcox@BjornToftMadsen They got me a little further - I read out the first one before realising, hanging up, and calling my bank.
The bit that really concerned me was not just that they had my phone number - they had some other "verification" (which I can't remember most of) which included an old address. I have not worked out how they got the other information. @Edent
Kaan Barmore-Genc@BjornToftMadsen @Edent It could be social engineering with the bank's customer support. Especially if they already have your name and card number, they might have tricked a CS rep into revealing your phone number like "oh I forgot what phone number I had with this account, what was it?"
Alexander The 1st@BjornToftMadsen @Edent It's possible they got it scrapped from somewhere.
Though while we're all focused on that, my next thought is "What if they just robo-called a whole suite of numbers until they got the right one?".
That is, if they verified your name before telling you that the bank transaction was bad, they could've limited down the number of people they needed to spoof the transaction for significantly.
@BjornToftMadsen @Edent Like, if they know *where* you live (Based on banking address stuff, IIRC the card number helps identify the main host branch for the banker), they can limit it down to a phone's area code pretty easily.
Doubly so if the card number was found *in* the area code area.
If they have an image of the card, first and last names are on there too, and the card expiration information there.
@BjornToftMadsen @Edent They'd have the name of the banking institution, so if they go online, and they had the CVV on the back, they might just try to send a password reset command, and back out just before 2FA trips in - depending on the setup, that screen might say "We'll send an SMS to (***)-***-**zx." That means they only have 59049 numbers to run through, if they already have your area code.
n3wjack@BjornToftMadsen @Edent maybe a site got hacked where you ordered something and left your card- and phone number?
Robots can be gay deal with it@BjornToftMadsen @Edent I use a app called Privacy, it makes proxy cards that only work with the merchant that first uses it. It also makes one-time use cards and let's you set limits. Might be worth looking into.
Darrel PlantBack in February, an auto-generated email from my bank alerted me that a travel authorization had been placed on my checking account, meaning I’d supposedly cleared upcoming usage in the Turks & Caicos, which I actually had no intention of traveling to. I logged into my account and while I was deleting that authorization (and calling bank security) three more notifications came through, for Mexico and elsewhere. Managed to avoid losing $.
Appellation Hunter@BjornToftMadsen
Data matching - they will gave gotten different pieces of information from different data breaches and put them together to say "here's thus person's name, phone number, email address, bank account and credit card number". You can buy packages of information on individuals like this for pitifully small amounts of money on the dark net (about US$2-3 per account).
@Edent
Data matching - they will gave gotten different pieces of information from different data breaches and put them together to say "here's thus person's name, phone number, email address, bank account and credit card number". You can buy packages of information on individuals like this for pitifully small amounts of money on the dark net (about US$2-3 per account).
@Edent
kmetz@BjornToftMadsen @Edent that‘s why I never enter a real phone number in such cases (unless absolutely required for a good reason), when 0000 doesn’t do, 0123456789 tricks most „phone number“ validators.
Julie WebgirlThe sheer number of data breeches exposing millions of accounts is mind-boggling. Did someone go through your garbage or social engineered someone at your bank? Possibly, but there have been 23 reported breeches in Aug alone. Subscribe to Have I Been Pwned's RSS feed. Yikes.
Billy SmithAfter i was hit by ID Theft back in 2000, when it was still called fraud, i started using disposable credit cards.
It vastly reduced the available attack surfaces. :D
One friend uses unique spam-catching email addresses to sign up for individual services to trace the data leaks.
This could be done with credit cards as well.
katrina@Edent @BjornToftMadsen A data leak from a shopping site that has payment details and customer details.
Rolf Steinort (314.8 ppm)@Edent @BjornToftMadsen An employee of a cereal maker’s online shop shared my details once with friends on the Balkan. So it doesn’t have to be the evil „hackers“. Got everything reversed after I got the call from my bank if I had just purchased air line tickets in Split.
pelha@Edent @BjornToftMadsen something like this happened to an acquaintance of mine, when he was in BVI. card chip and phone sniffers apparently are real & in the hands of criminals.
Robin Whittleton@BjornToftMadsen when I’ve had calls from my bank I always ask for a name, then tell them I’m going to ring them back from the support number on their website. General confusion from the bank, but so far it’s worked every time. Luckily I’ve not yet had a fraudulent call.
@robinwhittleton agreed that this is the right way. And indeed when there was a risk, that’s exactly what I did.
But you can see how people get fooled.
Boris Barbour@BjornToftMadsen @robinwhittleton
Saw a story a while back (UK) claiming that the phone call only ends when the caller (the fraudsters) hang up. So when the mark hung up and tried calling the bank (as instructed!), the fraudsters were still on the line. It wasn't stated whether they faked dialling tones.
Steven Reed@BorisBarbour @BjornToftMadsen @robinwhittleton I think they actually changed the way the UK phone system worked a few years ago to avoid that!
@srtcd424 @BjornToftMadsen @robinwhittleton
I didn't know. A shorter "timeout" it seems:
Nick Phillips
Dec [{(
)}]@BorisBarbour @BjornToftMadsen @robinwhittleton
That definitely used to be true in Ireland, with landlines.
That definitely used to be true in Ireland, with landlines.
Eric Carroll@BjornToftMadsen
I *always* challenge. Always call them back and validate. Always..
Recently they called and started demanding PII. I said no way, called back and verified it was in fact them.
I couldn't believe it! I was sure it was a scam!
Then I said wtf folks I want to talk to Security...
@robinwhittleton
RDS (shawphd on Twitter)@robinwhittleton @BjornToftMadsen Yeah, I always go directly to the bank website after any such notification. But this is a remarkably sneaky scam.
ewanm89@robinwhittleton @BjornToftMadsen No bank should be confused, if it was the bank actually calling you, they have a system for the callerID to route you back to the right person directly even. Always hang up and call back directly using number on bank website or the actual carde, there is never any good reason not to do so.
Neil Henning@BjornToftMadsen wow man! Good on you for spotting the con though.
TheJenOk wow. That's pretty clever.
LionelBI had the same. They knew my name and address.
The damage was undone but my strong suspicion is that they have operatives or proxies working within the financial institution or within the booking site.
Don Thompson@BjornToftMadsen
Thankfully, not a perfectly executed fraud but close.
Segregation of phone numbers, and accounts for daily spend/online/large transactions should help minimise risk.
I use three phone numbers & more than two payment cards. The ‘real’ number that’s my mobile I rarely share on web transactions, the other two are SIP services & the provider offers SMS to email & voicemail as I’m not usually logged in. A case of obfuscation…
It is somewhat infuriating that one must take additional steps to protect oneself.
Thankfully, not a perfectly executed fraud but close.
Segregation of phone numbers, and accounts for daily spend/online/large transactions should help minimise risk.
I use three phone numbers & more than two payment cards. The ‘real’ number that’s my mobile I rarely share on web transactions, the other two are SIP services & the provider offers SMS to email & voicemail as I’m not usually logged in. A case of obfuscation…
It is somewhat infuriating that one must take additional steps to protect oneself.
David Goodlad@BjornToftMadsen it’s frustrating but the only mandated use of 3ds is during card-not-present ecommerce transactions in Europe thanks to SCA regs. Visa mandates issuer support worldwide now but nothing on the merchant side (it’s opt-in). This class of attack will keep happening until they eliminate the merchant stigma around 3DS and drive consistent adoption.
Even then, complicit merchants could do things like CNP manual entry to trigger those first txns