Sunday, May 17, 2015

You Can't Be Too Careful

Safely using credit cards is an ongoing battle with all sorts of thieves, hackers, and con artists. I think of myself as reasonably alert and knowledgeable about these things, but I was recently lured in by something I hadn’t seen. Here’s what happened, what I did wrong, and what I did right.

What Happened

Late Saturday night I received a text message:

BankName Mobile Banking Alerts: Your Card has been Locked. Please call 800.###.####.

The message identified itself as coming from a local (to me) phone number and the message had my bank name. I had been on the road and used the card in a couple of atypical locations, so this seemed plausible. I called the number on the message.

The automated voice mail identified my bank and said it was for activation. It asked me to enter my card number. Then it asked for the expiration date. Then it asked for my 4-digit ATM PIN. That's when my radar bleeped a warning.

I don't use the card this way and don't know the PIN. Also, I couldn't imagine why the bank would ask for it. Several seconds later, it asked again, then again, until the call ended.

At this point, someone had my card number and the expiration date. With caller ID, they had my phone number and probably my name. They didn't get the PIN or the CVV code, so it wasn't a complete success from their perspective.

Then What?

My next step was to pull out the card and call the customer service number on it. The man I talked to took my name, identified me through preset questions, and asked why I had called. I told him the details, especially that the card number and PIN had been exposed. I gave him the text of the message, including the phone numbers. 

He verified my last few transactions as legitimate, closed the card number, and set up a replacement card with a new number. At his suggestion, I emailed the text message to the bank abuse email and quickly got the automated response.

Once I get the new card, I can review the card statement and move all the automated payments. This will be a bit of a hassle, but it is trivial compared to what could have happened.

The Tipoff

An 800 number isn’t trivial to set up and runs an expense for its owner. I wouldn’t expect it to be part of a scam, and still don’t. 

Because the text message claimed to come from my bank, I gave it more credibility than I should have. In hindsight, there were warning signs I missed. Look at the message again:

BankName Mobile Banking Alerts: Your Card has been Locked. Please call 800.###.####.

The message does not give even a partial credit card number. If it were real, I would expect to see the last four digits if only to identify the account in question. Also, why capitalize the words Card and Locked? 

Text messages are tricky because not much can be checked. For email, I set up an email account dedicated to the bank. If the message doesn't come to that email, it isn't real. This works for email, but I don't have an equivalent trap for text messages.
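
The dedicated-address check described above, sketched as a mail filter. This is an added example, not code from the original post; the alias address, the keyword list and the sample messages are constructed assumptions.

```python
from email import message_from_string
from email.utils import getaddresses

# Assumed values for illustration; neither appears in the original post.
BANK_ALIAS = "bank-only@example.org"   # address given to the bank and no one else
BANK_KEYWORDS = ("bankname",)          # brand strings an impersonator would use

def recipients(msg):
    """Every address the message was addressed or delivered to, lowercased."""
    fields = []
    for header in ("Delivered-To", "X-Original-To", "To", "Cc"):
        fields.extend(msg.get_all(header, []))
    return {addr.lower() for _, addr in getaddresses(fields) if addr}

def claims_bank(msg):
    """True if the sender name, subject or plain-text body uses the bank's name."""
    parts = [msg.get("From", ""), msg.get("Subject", "")]
    for part in msg.walk():
        if part.get_content_type() == "text/plain":
            body = part.get_payload(decode=True) or b""
            parts.append(body.decode(part.get_content_charset() or "utf-8", "replace"))
    return any(k in " ".join(parts).lower() for k in BANK_KEYWORDS)

def classify(raw):
    msg = message_from_string(raw)
    if not claims_bank(msg):
        return "unrelated"
    # Arriving at the alias is necessary, not sufficient: the alias can leak.
    return "expected-channel" if BANK_ALIAS in recipients(msg) else "suspect"

# Constructed sample messages.
PHISH = ("From: BankName Alerts <alerts@alerts.example>\n"
         "To: me@example.org\n"
         "Subject: Your Card has been Locked\n\nPlease call 800.###.####.\n")
REAL = ("From: BankName <notices@bank.example>\n"
        "Delivered-To: bank-only@example.org\n"
        "To: bank-only@example.org\n"
        "Subject: Statement ready\n\nLog in to view your statement.\n")
OTHER = ("From: A Friend <friend@example.net>\n"
         "To: me@example.org\nSubject: Lunch?\n\nNoon on Friday?\n")

if __name__ == "__main__":
    for name, raw in (("PHISH", PHISH), ("REAL", REAL), ("OTHER", OTHER)):
        print(name, classify(raw))
```

A message that lands in "suspect" uses the bank's name but was sent to an address the bank was never given, which is the case the dedicated account is meant to expose.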

What Instead?

Credit cards typically put their customer service number right on the card. Put it somewhere safe in case the card gets lost. When using the Internet, type in a bank URL you know and log in directly. Don't call numbers sent via messages or follow links.

The basic principles are:

Contact the bank through established channels, not through links or phone numbers you are given.

Strictly limit the way the bank can reach you.
