2010-08-12

Bank security case study: Why is financial fraud so easy in America?

Because legitimate telephone transactions with a bank can be 100% indistinguishable from fraudulent transactions with scammers.

Here is a common scenario:

You recently traveled or made a large purchase, and your credit card company leaves a message like this on your home answering machine: "Hello Mister Entriken, recent purchases on your credit card account ending in 2203 appear to be unusual and we would like to confirm that they are legitimate. Please reach us at 520-838-4877." Then you, being the savvy Privacy Log reader that you are, use Google to check whether 520-838-4877 is a legitimate phone number for your bank. Here are the results:

  1. 520-838 / (520) 838
     ... 520-838-2425; 520-838-5680; 520-838-8012; 520-838-6519; 520-838-0005; 520-838-5912; 520-838-0761; 520-838-1355; 520-838-5297; 520-838-4877; 520-838-1905 ...
     mrnumber.com/1-520-838?page=5

  2. 520-838 Telephone Lookup AZ
     520-838-9590 520-838-9933 520-838-4877 520-838-9935 520-838-3657 520-838-2835 520-838-7683 520-838-3981 520-838-8131 520-838-7452 520-838-7277 520-838-5327 ...
     telephonelookup.net/520-838-telephone-lookup-az

  3. All Phone Numbers for Area Code (520)-838 // PhoNumbrs
     520-838-4872 · 520-838-4873 · 520-838-4874 · 520-838-4875 · 520-838-4876 · 520-838-4877 · 520-838-4878 · 520-838-4879 · 520-838-4880 · 520-838-4881 ...
     www.opportunitymart.com/520-838

  4. 520-838-9995 / 5208389995 1/6
     I just got a call from them too.. I don't answer numbers I dont' know.. So I didn't pick up.. but no message.. just trying to figure out who they are. ...
     800notes.com/Phone.aspx/1-520-838-9995

  5. (520) 838-6552 | WhitePages (5208386552)
     ... (520) 838-4800; (520) 838-4816; (520) 838-4826; (520) 838-4848; (520) 838-4852; (520) 838-4864; (520) 838-4874; (520) 838-4877; (520) 838-4886 ...
     phones.whitepages.com/520-838-6552

What do you conclude? Nothing. The bank called you from a call center number that is not publicly associated with the bank, and a scammer's number would look exactly the same in those results. So you put up your defenses and dial the number, and the first thing you hear is: "for account security purposes, please tell me your full account number, mother's maiden name and billing zip code." Notice that nothing in this exchange has authenticated the caller to you: the caller ID and the callback number are both chosen by whoever placed the call, and caller ID can be spoofed. The banks are training you to answer calls from unverifiable phone numbers and spit out all the information an attacker needs to use your account.

(Of course the only correct thing to do at this point is to explain what you are doing, hang up the phone, and call the number printed on the back of your credit card.)

Whenever a bank or other entity calls you and needs personally identifiable information, it should tell you to hang up and call it back at a well-known number for that entity, such as the one printed on the back of your card. The number in the message is untrusted input; the number on the card is the only one you obtained from a source the caller did not control.
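As an added example, not code from the original post, here is the callback rule written out as a decision procedure. The institution name, phone numbers and messages in it are constructed sample data (the 800-555-01xx number is from the fictional 555-01xx range), and the directory is a stand-in for the number on the back of your card. It normalizes the number formats that appear in the search results above, looks the claimed institution up in the out-of-band directory, and shows that the legitimate call and the scam call produce the identical decision, which is exactly why the rule works: it never has to tell them apart.

```python
"""Decision procedure for an unsolicited 'please call us back' message.

Added example; the institution, numbers and messages are constructed
sample data, not real bank numbers.
"""
import re
from dataclasses import dataclass, field
from typing import Optional


def normalize_us_number(number: str) -> str:
    """Canonicalize the formats seen in the search results, e.g.
    '520-838-4877', '(520) 838-4877', '1-520-838-4877', to E.164 '+1...'.
    Raises ValueError for anything that is not a 10- or 11-digit US number."""
    digits = re.sub(r"\D", "", number)
    if len(digits) == 10:
        digits = "1" + digits
    if len(digits) != 11 or digits[0] != "1":
        raise ValueError(f"not a US phone number: {number!r}")
    return "+" + digits


# Numbers the customer obtained out of band (printed on the back of the card),
# keyed by institution. Constructed sample directory.
TRUSTED_DIRECTORY = {
    "Example Card Services": "+18005550100",
}


@dataclass(frozen=True)
class InboundCall:
    """Everything the callee learns from a voicemail or live call. Every
    field is chosen by whoever placed the call: caller ID is spoofable and
    the callback number is just text in the message."""
    caller_id: str
    claimed_institution: str
    callback_number: str
    secrets_requested: tuple = field(default_factory=tuple)


@dataclass(frozen=True)
class Decision:
    disclose_on_this_call: bool        # hand over secrets to the caller?
    dial: Optional[str]                # number to dial instead, if any
    callback_number_recognized: bool   # informational only, never acted on


def decide(call: InboundCall, directory=TRUSTED_DIRECTORY) -> Decision:
    """Apply the rule from the post: never disclose on an inbound call, never
    dial the number the message supplied, always dial the out-of-band number
    for the institution the caller claims to be (or nothing, if you have none)."""
    trusted = directory.get(call.claimed_institution)
    try:
        recognized = (trusted is not None
                      and normalize_us_number(call.callback_number) == trusted)
    except ValueError:
        recognized = False
    # Even when the supplied number happens to match, dial the directory
    # entry, not the string from the message, so the outcome never depends
    # on anything the caller controlled.
    return Decision(disclose_on_this_call=False, dial=trusted,
                    callback_number_recognized=recognized)


def indistinguishable(a: InboundCall, b: InboundCall) -> bool:
    """True when nothing observable on the call separates the two callers."""
    return a == b


# Constructed messages: the legitimate call and the scam are field-for-field
# identical, which is the post's point.
SECRETS = ("full account number", "mother's maiden name", "billing zip code")
BANK_CALL = InboundCall("520-838-4877", "Example Card Services",
                        "520-838-4877", SECRETS)
SCAM_CALL = InboundCall("520-838-4877", "Example Card Services",
                        "520-838-4877", SECRETS)

if __name__ == "__main__":
    print("indistinguishable:", indistinguishable(BANK_CALL, SCAM_CALL))
    for name, call in (("bank", BANK_CALL), ("scam", SCAM_CALL)):
        print(name, decide(call))
```

The `callback_number_recognized` flag is deliberately not used by the decision: a number that happens to match the card is still dialed from the directory, and a number that does not match (the common case, as the search results show) changes nothing either. If the claimed institution is not in your directory at all, the procedure returns no number to dial, which is the correct answer for a caller you have no out-of-band way to reach.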

Sample message: is this legitimate? https://www.google.com/voice/fm/13391585335464009546/AHwOX_AZSPLaDLFLfu5k0MEmIllpEX7kx595xuNZx9HotwnKnKoWhc0uhSXwHj8SODYfyoWY7lTCZU7JM1_IQWkDKiU1NDxgc8RNUxzIn63MqUorkUeYBFL8USe-b5faNZqX9-mraNKxFoCNn6I_LYzMpIAFeasabQ