Saturday, May 23, 2015

Avoiding The Trap

In my last article, I told the story of how I (barely) avoided a credit card phishing exploit because I became suspicious while I cooperatively gave my card number to an anonymous voicemail system out to scam me. While I managed to avoid significant damage, this is neither the standard I aspire to nor one I recommend for you. This time, in the spirit of continuous improvement, let's consider how to do better by avoiding the trap.

What Happened?

The short version is that I received a text message appearing to be from my bank claiming that my card had been locked and telling me to call an 800 number. The full story is here:

Scammers depend on greed, fear, and psychology so we feel compelled to act quickly and stupidly. In my credit card example, I fell for the bait and started giving my information in moments, mostly out of fear. I needed to slow down a little and think. By answering a few key questions, I could have done that.

Key Questions

We tend to speed up, not slow down, when we feel threatened. If the threat is real, this is a survival skill. If not, it may be a trap. We control this by asking appropriate questions.

How urgent is this?

In my example, I got a Saturday evening text message that my credit card had been locked. Even if true, I wouldn't use the card for 14 hours at the earliest. If someone had tried to tamper with my account, the bank had parked it into a safe condition. There was nothing urgent in this. It just felt urgent.

Who Sent the Message?

On the surface this looked like a customer service notice from the bank. It could be, and actually was, from a scam artist. Since this wasn't urgent, I should have taken the time to be sure.

How Can I Be Sure?

There are two basic strategies available. First, check everything you can. Second, contact the bank directly, either through a prearranged number or their approved email address. Let's look at both.

In the previous article, I described oddities in the text of the message. There was no indication what account was involved. The language, though grammatically correct, was capitalized oddly.

This was a text message which revealed a real US phone number in my area code. While this is plausible, using Whitepages to do a reverse number lookup identified it as a mobile phone.

Finally, what about the number to call? It is possible to do a reverse lookup on an 800 number but even a legitimate number may say only that it is a U.S. phone. Even so, no harm in trying.

What Am I Being Asked to Do?

For the moment, let's ignore that you're being asked to call an unknown number, by a text message of unknown origin, and focus exclusively on the conversation that would follow.

In my case, an automated voice mail identified itself as the bank's activation service. Since the card was already active, this should have raised an alarm. It no doubt picked up what it could about me from caller ID and asked for my full card number, then the expiration date. When it asked for the PIN I (finally) got suspicious and stopped. This was too much information, not enough confirmation.

So, What Instead?

There are several ways to check with the bank safely. What I did was call the number the bank printed on the card. This led to a human customer service representative who asked for only the last four digits on the card and a prearranged question. Record that phone number so you have it if the card is lost or stolen. I asked them to replace the card.

By contrast, when the new card arrived I went through the real validation process. The system asked for the last four digits of the card and considered that enough since I had called from the phone number it had on file for me.

Other Options

Your second option is to email the abuse group at your bank. If you don't have the address you can search for it online. Include as much information as you can. You'll get an automated confirmation at once and a followup later. This is fine if things aren't really urgent.

If you have a smartphone, odds are they offer a custom app to connect you to your account. You can use this to check the status of your card. It may also offer a secure messaging service to safely inquire in more detail.

Finally, you can go to a bank website from a browser. Just use URLs the bank gave you in advance. Never follow a link from an email or text message.

How Is This Possible?

The message was convincing only because it used the name of my bank. The 800 number I called also identified itself using the name of my bank. Since it came as a text message, they apparently had my bank and my phone number.

Where would that information have been available? I can't be sure. Late in 2013, I made a credit card purchase at Target, which days later discovered and closed a data breach. I replaced the card after that, but not the bank.


My experience with this has led to one simple rule: if you get a message that suggests a problem may exist, find a way to check it out without using numbers or links the message provided. Beyond that, have multiple ways you can reach a bank quickly if an alarm is raised.


Sunday, May 17, 2015

You Can't Be Too Careful

Safely using credit cards is an ongoing battle with all sorts of thieves, hackers, and con artists. I think of myself as reasonably alert and knowledgeable about these things, but I was recently lured in by something I hadn’t seen. Here’s what happened, what I did wrong, and what I did right.

What Happened

Late Saturday night I received a text message:

BankName Mobile Banking Alerts: Your Card has been Locked. Please call 800.###.####.

The message identified itself as coming from a local (to me) phone number and the message had my bank name. I had been on the road and used the card in a couple of atypical locations, so this seemed plausible. I called the number on the message.

The automated voice mail identified my bank and said it was for activation. It asked me to enter my card number. Then it asked for the expiration date. Then it asked for my 4 digit ATM PIN. That's when my radar bleeped a warning. 

I don't use the card this way and don't know the PIN. Also, I couldn't imagine why the bank would ask for it. Several seconds later, it asked again, then again, until the call ended.

At this point, someone had my card number and the expiration date. With caller ID, they had my phone number and probably my name. They didn't get the PIN or the CVV code, so it wasn't a complete success from their perspective.

Then What?

My next step was to pull out the card and call the customer service number on it. The man I talked to took my name, identified me through preset questions, and asked why I had called. I told him the details, especially that the card number and PIN had been exposed. I gave him the text of the message, including the phone numbers. 

He verified my last few transactions as legitimate, closed the card number, and set up a replacement card with a new number. At his suggestion, I emailed the text message to the bank abuse email and quickly got the automated response.

Once I get the new card, I can review the card statement and move all the automated payments. This will be a bit of a hassle, but it is trivial compared to what could have happened.

The Tipoff

An 800 number isn’t trivial to set up and runs an expense for its owner. I wouldn’t expect it to be part of a scam, and still don’t. 

Because the text message claimed to come from my bank, I gave it more credibility than I should have. In hindsight, there were warning signs I missed. Look at the message again:

BankName Mobile Banking Alerts: Your Card has been Locked. Please call 800.###.####.

The message does not give even a partial credit card number. If it were real, I would expect to see the last four digits if only to identify the account in question. Also, why capitalize the words Card and Locked? 
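The warning signs above (a phone number supplied by the message itself, no last four digits to identify the account, urgency wording, and capitalized common words) can be turned into a simple triage check. The following is an added example, not code from the original post; the two sample alerts are constructed, the first mirroring the redacted message quoted above.

```python
import re

# Constructed sample alerts: the first mirrors the post's redacted message,
# the second is a made-up example of a more plausible bank notice.
SUSPICIOUS_ALERT = ("BankName Mobile Banking Alerts: Your Card has been Locked. "
                    "Please call 800.###.####.")
PLAUSIBLE_ALERT = ("BankName alert: a purchase on your card ending in 1234 was "
                   "declined. Call the number on the back of your card.")

# US-style 10-digit number; '#' is allowed so redacted samples still match.
PHONE_RE = re.compile(r"(?<![\d#])(?:1[-. ]?)?\(?[\d#]{3}\)?[-. ]?[\d#]{3}[-. ]?[\d#]{4}(?![\d#])")
URL_RE = re.compile(r"https?://\S+|\b\w+\.(?:com|net|org|io)/\S*", re.I)
# A real alert normally names the account, e.g. "card ending in 1234".
LAST4_RE = re.compile(r"\b(?:ending(?: in)?|last four|last 4|x{4}|\*{4})\s*\d{4}\b", re.I)
URGENT_RE = re.compile(r"\b(locked|suspended|immediately|urgent|within \d+ hours?)\b", re.I)


def find_oddly_capitalized(text):
    """Return mid-sentence words that are capitalized without grammatical reason."""
    odd = []
    for sentence in re.split(r"[.!?:]\s+", text):
        for w in sentence.split()[1:]:          # skip the sentence-initial word
            w = w.strip(",.;")
            if w[:1].isupper() and w[1:].islower():
                odd.append(w)
    return odd


def assess_alert(text):
    """Return a list of human-readable warning flags for an SMS alert."""
    # Many alerts have a "Sender: body" shape; only the body is analyzed so a
    # bank's own name in the header is not mistaken for odd capitalization.
    header, sep, body = text.partition(": ")
    if not sep:
        body = text
    flags = []
    if PHONE_RE.search(body):
        flags.append("asks you to call a number supplied by the message")
    if URL_RE.search(body):
        flags.append("contains a link")
    if not LAST4_RE.search(body):
        flags.append("does not identify the account (no last four digits)")
    if URGENT_RE.search(body):
        flags.append("uses urgency language")
    odd = find_oddly_capitalized(body)
    if odd:
        flags.append("odd capitalization: " + ", ".join(odd))
    return flags


if __name__ == "__main__":
    for msg in (SUSPICIOUS_ALERT, PLAUSIBLE_ALERT):
        print(msg, "->", assess_alert(msg) or ["no flags"])
```

Any flag at all is a reason to contact the bank through a channel you already have, not through the message; an empty list is not proof the message is genuine.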

Text messages are tricky because not much can be checked. For email, I set up an email account dedicated to the bank. If the message doesn't come to that email, it isn't real. This works for email, but I don't have an equivalent trap for text messages.

What Instead?

Credit cards typically put their customer service number right on the card. Put it somewhere safe in case the card gets lost. When using the Internet, type in a bank URL you know and log in directly. Don't call numbers sent via messages or follow links.

The basic principles are:

Contact the bank through established channels, not through links or phone numbers you are given.

Strictly limit the way the bank can reach you.