Beyond having hardware keys, this scenario is why I really try to drive home, in all of my security trainings, the idea that you should instantly short circuit any situation where you receive a phone call (or other message) and someone starts asking for information. It's always okay to say, "actually, let me get back to you in a minute" and hang up, calling back on a known phone number from the employee directory, or communicating on a different channel altogether.
Organizationally, everyone should be prepared for and encourage that kind of response as well, such that employees are never scared to say it because they're worried about a snarky/angry/aggressive response.
This also applies to non-work related calls: someone from your credit card company is calling and asking for something? Call back on the number on the back of your card.
I've had a wide range of responses from people calling me when I tell them I won't give personal details out based on a cold call.
A few understand immediately and are good about it. Most have absolutely no idea why I would even be bothered about an unexpected caller asking me for personal information. A few are practically hostile about it.
None, to date, have worked for a company that has a process established for safely establishing identity of the person they're calling. None. Lengthy on-hold queues, a different person with no context, or a process that can't be suspended and resumed so the person answering the phone has no idea why I got a call in the first place.
(Yet I'll frequently get email full of information that wouldn't be given out over the phone, unencrypted, unsigned, and without any verification that the person reading it is really me.)
The organisational change required here is with the callers rather than the callees, and since it's completely about protecting the consumer rather than the vendor, it's a change that's unlikely to happen without regulation.
> Tell them you need to verify them, and then ask how they propose you do that.
Last time I did that, the caller said "but you can just trust that I'm from <X>." So I replied that they, likewise, could just trust that I'm me, and you could practically hear the light bulb click on. They did their best to help from there but their inbound lines aren't staffed effectively so my patience ran out before I reached an operator.
I can't remember which company it was, but I got a call a few years ago about some issue with an account, and they wanted some information to "verify my identity"
I said wait a minute, you called me. Shouldn't I be verifying who you are?
The guy kind of laughed and said yeah, but this is the process I've been given to follow. I said I would call back on the public customer service number and he said that would be fine.
It turned out it was a legit call, but just weird that they would operate that way.
I wish I could remember who it was. A credit card, I think.
This happened to me with AT&T here in Mexico: I have an AT&T pre-paid SIM card that expires after a year. At the end of the year I got a call, supposedly from someone from AT&T, who told me about some special discount offer if I pre-paid for another year. The catch was that I needed to pay right there over the phone ... (give my card details).
I told her that I preferred to call the AT&T number and for her to tell me what options I should press to get to her. She couldn't give me an answer to that.
Anecdotally, I seem to have had the opposite experience. I've been doing this for at least 15 years, and never had a negative reaction. With bank, credit card, or finance-related companies, they seem to understand immediately. With other callers I've gotten awkward pauses, but ultimately they were politely accommodating or at least understanding that some issue would have to be processed through other channels or postponed.
However, I don't have strict requirements. When a simple callback to the support line on the card, bill, or invoice doesn't suffice--and more often than not it does, where any support agent can field the return call by pulling up the account notes--all I ask for at most is an extension or name that I can use when calling through a published number. I'll do all the leg work, and am actually a little more suspicious when given a specific number over the phone to then verify. Only in a few cases did I have to really dig deep into a website for a published number through which I could easily reach them. In most cases it suffices to call through a relatively well attested support number found in multiple pages or places[1].
I'm relatively confident that every American's Social Security number (not to mention DoB, home address, etc) exists in at least one black market database, so my only real practical concern is avoiding scammers who can't purchase the data at [black] market price, which means they're not very sophisticated. A callback to a published phone number for an otherwise trusted entity that I already do business with suffices, IMO. And if I'm not already doing business with them, or if they have no legitimate reason to know something, they're not getting anything, period.
[1] I may have even once used archive.org to verify I wasn't pulling the number off a recently hacked page, as it was particularly off the beaten path and a direct line to the department--two qualities that deserve heightened scrutiny by my estimation.
Someone needs to standardize a simple reverse-authentication system for this.
For example whenever a caller is requesting sensitive information, they give you a temporary extension directing to them or an equal, and ask you to call the organization's public number and enter that extension. Maybe just plug the number into their app if applicable to generate a direct call.
Like other comments have mentioned, the onus should be on them. Also, they would benefit from the resultant reduction in fraud. Maybe a case study on fraud reduction savings could help speed the adoption process without having to invoke the FCC.
In Sweden we have a special authentication system that is owned by the banks. It is called BankID and generally works well, but it has flaws, especially that you shouldn't use it if they call you and ask you to do it, since that is a security risk by itself.
It works if I call a bank or insurance company or something like that. A robot voice will ask me to authenticate, and when I have done so and am transferred to an operator they will see that I authenticated. So it works when I call them but not the other way around. We need a new system.
I've had my cable company call me directly about an account issue and told them I couldn't validate it was them, and the person got somewhat irate with my response, insisting there was no one I could call to verify them and that it had to be handled on that call. Turns out it was just a sales call (upselling a product) - which probably speaks to the level of talent they hire for that.
> this scenario is why I really try to drive home, in all of my security trainings, the idea that you should instantly short circuit any situation where you receive a phone call (or other message) and someone starts asking for information.
The trouble is, calling the number on the back of your card requires actually taking out your card, dialing it, wading through a million menus, and waiting who-knows-how-long for someone to pick up, and hoping you're not reaching a number that'll make you go through fifteen transfers to get to the right agent. People have stuff to do, they don't want to wait around with one hand occupied waiting for a phone call to get picked up for fifteen minutes. When the alternative is just telling your information on the phone... it's only natural that people do it.
Of course it's horrible for security, I'm not saying anyone should just give information on the phone. But the reality is that people will do it anyway, because the cost of the alternative isn't necessarily negligible.
I say "If this is a scam call please hang up now, otherwise give me an invoice or ticket number or name and department and I'll get back to you," and they usually do hang up. The case where you need to actually call your bank is really rare.
Note that it's very important not to let them give you an actual phone number to call on. This sounds obvious but I know someone who hung up but called back on a number given by the scammers, which was of course controlled by them and not the bank.
I'm going to add to this that "hang up" means physically do that. I've heard that many are tricked by the attacker playing a "dial tone" sound into the phone and thus keeping the line open and "answering" when you thought you called you bank.
You may be right that some people are tricked into thinking the call has been terminated by the caller, when in fact the caller is playing a dial tone over the line. It's worse than that though. In some telephone systems, the call is not ended when the callee hangs up.
I don't think most people who get scammed this way pause to say "oh, this might be someone stealing my credit card number", then disregard that thought because it's too much of a pain to call back on an official line. Instead I think they don't question the situation at all, or the scammer has enough information to sound sufficiently authoritative. Most non-technical people I've talked to about this are pretty scared of getting scammed, but tell me the thought never crossed their mind they could call back on a trusted number.
I like the "hang up, call back" approach because it takes individual judgment out of the equation: you're not trying to evaluate in real time whether the call is legit, or whether whatever you're being asked to share is actually sensitive. That's the vulnerable area in our brains that scammers exploit.
I'm sure a lot of people are like what you describe (this doesn't occur to them), but I think it does affect those who are a bit suspicious/on the fence, potentially like the person in the article. ("Throughout the conversation, the employee grew more and more suspicious, but unfortunately did provide [the MFA code].")
I think the parent poster is arguing that we should normalize this behavior not that there's no excuse for not calling the number back given the reality we have today.
You're saying it's natural for people not to want to call back and wade through a million menus, and I agree.
But the conclusion from this is that companies should change their processes so that calling back is easy, precisely because otherwise people won't do it.
And the more people that do it despite the costs, the more normalized it'll be, and the more companies will be incentivized to make it easier.
We certainly should normalize this, but my point was that it's going against the grain, so efforts like this may be in vain without a bigger lever to pull. e.g., I imagine you'd need to convince some sort of authority (CISA? FIPS? not sure who the right entity is) to point out the best practices here before organizations start paying attention.
Unfortunately there's a dark incentive. Providing support costs money, but an automated phone menu does not (or at least, it's negligible). So you want to chuck your customers into hold music hell and winnow out as many as you can. This also makes your staff scheduling easier.
If your customers are captive, this is all upside. And most customers will tolerate this. The ones that do churn somehow don't generate blame for the psychopaths who implement this hostile practice, those bastards cut support costs and get promoted out.
Great point. But it could be easily solved with something like: “Call the number on the back of your credit card. Push *5 and when prompted enter your credit card number and you will be immediately connected back to my line”
Or just connect you directly if you call back within a few minutes from the same number they called, no need to press anything. But I guess that's too advanced for 2023 technology
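The two callback designs floated above (a temporary extension the caller reads out, to be keyed in after dialling the public number, and the variant that routes a return call straight back if it arrives within a few minutes from the number that was dialled) can be sketched as a small ticket store. This is an added example, not code from any bank, telco or app mentioned in the thread; the published number, agent ids and customer numbers are constructed values.

```python
"""Callback-ticket routing: an added illustration of the "hang up, dial the
published number, enter the extension I gave you" idea. Example code, not any
vendor's system; all phone numbers and agent ids are constructed."""
import secrets
import time
from dataclasses import dataclass, field
from typing import Callable, Dict, Tuple

# Constructed: the number printed on the card or bill. The customer must dial
# THIS number themselves; a number read out by the caller is never trusted.
PUBLISHED_NUMBER = "+1-800-555-0100"


@dataclass
class Ticket:
    agent_id: str          # who placed the outbound call
    customer_number: str   # the number the agent dialled
    issued_at: float
    used: bool = False


@dataclass
class CallbackDesk:
    """Issues one-time callback extensions for outbound calls and verifies
    them when the customer rings the published number back."""
    ttl_seconds: float = 600.0
    clock: Callable[[], float] = time.time   # injectable for tests
    tickets: Dict[str, Ticket] = field(default_factory=dict)

    def start_outbound_call(self, agent_id: str, customer_number: str) -> str:
        """Agent dials out; returns the extension the agent reads to the
        customer. Six CSPRNG digits, unique among tickets still on file."""
        while True:
            ext = f"{secrets.randbelow(1_000_000):06d}"
            if ext not in self.tickets:
                break
        self.tickets[ext] = Ticket(agent_id, customer_number, self.clock())
        return ext

    def _live(self, t: Ticket) -> bool:
        return not t.used and self.clock() - t.issued_at <= self.ttl_seconds

    def verify_callback(self, dialled: str, ext: str, caller_number: str) -> Tuple[bool, str]:
        """Customer rang `dialled` from `caller_number` and keyed in `ext`.
        Returns (True, agent_id) or (False, reason)."""
        if dialled != PUBLISHED_NUMBER:
            return False, "not the published number"
        t = self.tickets.get(ext)
        if t is None:
            return False, "unknown extension"
        if t.used:
            return False, "extension already used"
        if self.clock() - t.issued_at > self.ttl_seconds:
            return False, "extension expired"
        if caller_number != t.customer_number:
            # Caller-ID match is a convenience check, not proof of identity:
            # the binding that matters is that the customer dialled the
            # published number and holds a fresh, unused extension.
            return False, "callback from a different number"
        t.used = True
        return True, t.agent_id

    def route_by_caller_number(self, dialled: str, caller_number: str) -> Tuple[bool, str]:
        """The 'no extension needed' variant: a live ticket whose customer
        number matches the returning caller routes straight back to the agent."""
        if dialled != PUBLISHED_NUMBER:
            return False, "not the published number"
        for t in self.tickets.values():
            if self._live(t) and t.customer_number == caller_number:
                t.used = True
                return True, t.agent_id
        return False, "no recent outbound call from this number"


if __name__ == "__main__":
    desk = CallbackDesk()
    ext = desk.start_outbound_call("agent-17", "+1-555-0123")
    print("agent reads out extension", ext)
    print(desk.verify_callback(PUBLISHED_NUMBER, ext, "+1-555-0123"))  # (True, 'agent-17')
    print(desk.verify_callback(PUBLISHED_NUMBER, ext, "+1-555-0123"))  # (False, 'extension already used')
```

The extension is single-use and short-lived, so a scammer who overhears it gains nothing after the customer has called back, and a customer who dials a number the caller supplied is refused outright because that number is not the published one. The caller-number match in the second variant is only a narrowing filter, since presented caller numbers are not reliable on their own; that is why it is combined with a short window and a ticket that an agent actually opened.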
If my bank cold calls me, I can say "I just need to verify the legitimacy of your call, so send me your direct number in the online bank app, and I'll call you". It works every time, but it also works because all the employees have a direct number.
Normally we just write messages back and forth in the banking app, and if we talk it's an online meeting with video. Only for large business do I go to the physical site.
> This also applies to non-work related calls: someone from your credit card company is calling and asking for something? Call back on the number on the back of your card.
There's a number of situations, not just credit card ones, where it's impossible or remarkably difficult to get back to the person that had the context of why they were calling.
Your advice holds, of course, because it's better to not be phished. But sometimes it means losing that conversation.
My mother recently started having to deal directly with utility bills and the like and this was some information we impressed very early on. You should never agree to billing or hand over CC/account information in a phone call you didn't initiate. She hasn't run into an issue yet - most utilities, online stores and other entities have call in numbers if you need to resolve a billing dispute. That random company you bought a plumbing valve from has an office somewhere with a secretary that gets a phone call maybe three times a month from customers looking to resolve issues - and Amazon has mostly centralized support for small sellers and has lines you can call to resolve any disputes you have which may forward you to the original sale party but often just resolve the issue directly.
Honestly, the worst experiences are usually with large companies that funnel all customers into massive phone centers - I've probably lost the better part of a week to Comcast over my lifetime.
Yeah, I'm talking about situations where it's a department that's not tied to the main call center. The credit card fraud people, for example[1]. Or, with Comcast, some guy saying your modem return was missing a piece, etc. Those are often hard to reach by calling the main number.
[1] For at least one place, the people that proactively identify things that could be fraud and call you...they aren't the same people you call to report fraud on your own. Why? No idea.
Definitely, sometimes they'll have a case number or agent id you can use to get back to them, but there are cases where you have to assume if it's important to them they'll continue to nag or reach out on another channel.
I have had at least one situation where I spent a while trying to get back to a quite convincing/legitimate sounding caller this way, where, as I escalated through support people it became increasingly clear that the initial call had been a high quality scam, and not in fact a real person from the bank.
I put in very limited effort in returning cold calls. The contact is being initiated by the other party, the interest in the exchange is theirs, and the onus on making it work is theirs.
Companies, including banks, don't call you to protect _your_ interests, they call you to protect themselves.
It's probably a good idea to program your bank's fraud number into your phone. The odds that someone hacks your bank's Contact Us page are small but not zero.
The bedrock of both PGP and .ssh/known_hosts could be restated as, "get information before anyone knows you need it".
Fraud departments contacting me about potentially fraudulent charges is always going to make me upset. Jury is still out on whether it will always trigger a rant, but the prognosis is not good.
At least once I have gotten a terribly phrased and link-strewn "Fraud Alert" from a bank, reported it to said bank's anti-phishing e-mail address, gotten a personalized mail that responded that it was in fact fraud and that they had policies against using third party subdomains like... And then found out the day later that yes, that was their real new anti-fraud tool and template.
There will need to be jail time for the idiots writing the government standards on these fraud departments before we get jail time for the idiots running these fraud departments before it gets better.
Last time I talked to someone about this they pointed out that fraud depts are often outsourced. Which is a lovely plan because now your customers hate you for something an entirely different company did to them. And also they are directing you away from the official website every single time you interact with them.
I'm not sure what grounds you issue arrest warrants on, but I appreciate the sentiment.
Ironically, fraud. They have done substantial financial and "real" harm by pretending to be competent at things that they are clearly not, and have been a combination of remiss in their duties and complicit in the crimes of fraudsters.
Sufficiently advanced incompetence is indistinguishable from malice, and should be prosecuted as such.
Years ago I bought a tv. Clear on the other side of town. When I got home I had a message from the fraud dept about charges. I called them up to explain I did in fact buy that tv.
They weren’t calling about the TV. They were calling about the car wash I stopped to get near my old neighborhood on the way home. For $8. Wat.
And for a while they would flag me every time I went on a road trip or travelled, because they pegged me as a non traveler. I travel, but quality over quantity. And you’re basically psychologically fencing me into a profile you’ve written about me that’s wrong by punishing me every time I step out of it? Fuck you.
> someone from your credit card company is calling and asking for something? Call back on the number on the back of your card.
This recently happened to me, and bizarrely they wouldn’t tell me what’s actually going on on my account because of not being able to verify me. (They were also immediately asking for personal information on the outbound call, which apparently really was from them.)
Financial companies, the government, ... I always try to bother to raise the issue afterwards, but (not that I think my comments alone would do anything) so far nothing changed that I've taken issue with, I don't think.
A big one I'm aware of many others complaining about in the industry is local governments in the UK soliciting elector details via 'householdresponse.com/<councilname>' in a completely indistinguishable from phishing sort of way.
(They send you a single letter directing you to that address with 'security code part 1' and '2' in the same letter, along with inherently your postcode which is the only other identifier requested. It's an awful combination of security theatre and miseducation that scammy phishing techniques look legit.)
Ha, this reminds me of driver licences in Australia. So at this point almost everyone's licence has been leaked multiple times (and just having the details used to be enough to open a bank account online, not sure if this is still the case).
I received an email from my state’s RTA, saying they were adding 2-factor authentication to licences. Great! I assumed this might be an oauth type scenario, or maybe even just email.
Nope. The “second” factor is a different number printed on the licence. Surely this communication had to go through multiple departments, get vetted for accuracy. Yet no one picked up that this isn’t multi factor authentication.
Its only purpose is to make it easier for them to issue a new licence _after_ you’ve been defrauded out of all your money, because most states refuse to issue people with new licence numbers. It does nothing more than fix an incompetence in their system/process. Yet it was marketed as some kind of security breakthrough, as if it would add protection to your licence.
That's the big problem, isn't it? People think it's okay to give out information on an incoming call because often it is really okay. If it were unreliable 99% of the time, phishers would not use this method as an attack vector.
> any situation where you receive a phone call (or other message) and someone starts asking for information.
I had AWS of all places do this to me a year or two ago. The rep needed me to confirm some piece of information in order to talk to me about an ongoing issue with the account. If I recall correctly, the rep wanted a nonce that had been emailed to me.
"I'm terribly sorry but I won't do that. You called me."
Ultimately turned out to be legit, but I admit I was floored.
This is where some kind of chaos monkey might be good. Imagine something that randomly slacks from one human account to another asking for passwords and then the receiver has to press a "suspect message" button as a form of ongoing awareness training.
As part of that a genuine ask for a password would get the same response, and perhaps the button sends a nice message like "Looks like you have asked for a password. We get it, sometimes you need to get the job done, but please try to avoid this as it can make us insecure. Please read our security policy document here."
> This also applies to non-work related calls: someone from your credit card company is calling and asking for something? Call back on the number on the back of your card.
This is a policy I've implemented as well, both for myself and loved ones: don't provide any information to unverified incoming calls. Zero.
Sometimes I'll get some kind of sales call, which I may even be interested in. I'll say, proceed with the pitch, to which they'll reply "first we need to confirm your identity". Then I refuse: you called me. Why do you need me to provide private information to confirm my identity?
I've stopped listening to people. I limit myself to talking at them. The upside is that I'm never fooled. The downside is that so far as I can tell half the world hates me and the other half think I'm a lunatic.
> the idea that you should instantly short circuit any situation where you receive a phone call (or other message) and someone starts asking for information
It really irritates me that some significant companies openly encourage customers to ignore this advice, teaching them bad practice. The most recent case I know of is PayPal calling me. It was actually them (new CC account, I thought I'd set up auto payment but it wasn't, so I was a couple of days late with the first payment), but it so easily could have not been. The person on the other end seemed rather taken aback that I wouldn't discuss my account or confirm any details on a call I'd not started, and all but insisted that I couldn't hang up and call back. In the end I just said I was hanging up and if I couldn't call back then that was a them problem, because at that point I had no way of telling if it was really the company or not. At that point she said she'd send a message that I could read via my account online, which did actually happen, so it wasn't a scammer. But to encourage customers to perform unsafe behaviour with personal and account details is highly irresponsible.
I can't understand how someone works at a tech company and is clueless to the point of sharing an auth code over the phone. My grandma, sure, but a Retool employee? C'mon, haven't we all read enough of these stories?
You could give them a false number and see what happens. That might trip up their script enough to reveal they aren't who they seem to be. Just play dumb -- "I can't understand why it's not working, that's the number on my phone...."