Charlie's Diary

[ Site Index] [ Feedback ]

Mon, 06 Mar 2006 Gone Phishing Identity fraud is something of a current-day worry. We've probably all heard about it, or heard horror stories from someone who's been on the receiving end of it. But how do you tell when someone is trying to do it to you? The most important thing you can know, to make yourself safe, is this: before some thief can empty your bank account, they have to know how to impersonate you convincingly on paper or on the telephone. And because your bank call center doesn't know you from a dalek by voice, this means they need the password or private information the bank depends on to identify you. If you've been on the internet for any length of time, you probably get phishing emails — messages purporting to be from financial institutions to you, their customer, warning that your account is in jeopardy and that you need to click here to update your details or log in or something. The "click here" button invariably leads to a convincing fake copy of the bank's web site, and if you enter your details the scammers will be into your real online banking account faster than a greased Jack Russell terrier down a rabbit hole. I get about two or three of these a day for my bank account, ten to twenty a day for my ebay/Paypal accounts, and another twenty to fifty for banks I've never dealt with in my life. Needless to say, I'm blase and cynical about them. On the other hand, things are different for folks who aren't used to the internet — different enough that these thieves find it a lucrative line of work. A somewhat rarer fraud requires a bunch of people in an office, with a set of telephone lines. I got one of these today. The first sign was around 1pm, when the phone rang. I picked it up: silence on the line. I put it down in disgust, immediately — the silent line means some automatic polling software at the far end is dialing numbers but there were no call centre staff ready to launch into a sales script. And that, I thought, was that. Then the phone rang again at 4pm. I picked it up, hearing a silent line, which immediately raised my suspicions. But a moment later, someone came on the line. "Hello, I'm J from Barclays banking security. Can I speak to Mr Stross, please?" As it happens, I do bank with Barclays, and once in a while I get a phone call from their security people. But that silent couple of seconds at the beginning of the call had got me on edge. (Why would the bank's security department be using a polling dialer?) "Speaking," I said. "What is the purpose of this call?" "We've had a notification about some suspicious activity on your current account and we're phoning to check into it." So far, this was following the standard Barclays script. However, a second odd thing about the call caught my attention: my caller's accent. Barclays have not, as far as I know, outsourced their call centres from the UK, but his accent was definitely foreign. I'm bad at accents: I initially thought "Indian", but as he continued I shifted to "South African". Still, that's not damning. When I visited my bank branch this lunch-time, the cashier who dealt with me was Polish. But you can add up points here, and this was the second oddity about the call. Then: "can I just confirm your identity sir? If I can ask you for your date of birth and your mother's maiden name ..." That is what really started the alarm bells ringing. You see, Barclays use these bits of information to authenticate callers. You go through a switchboard system, punch in your account number, and then talk to a call centre cashier. Who uses these questions to confirm that you are who you say you are. But this guy was asking me to break the first rule of security, which is know who you're talking to. He had called me. How did I know he really was from Barclays' security department? All I had was his word for it. If he was a bad guy, then he knew my name and phone number. If he had access to my bank statement (with account number and sort code printed on it) then all he needed was my pass information and he could impersonate me. Tell the bank I've moved to his own address, request new debit cards, and bang — that's my account stolen. Hint: Your mother's maiden name is a matter of public record. Banks who use this as a customer password are just asking to be hit on by fraudsters. Me, I lie to the bank: the name they've got on file as my response to that question is not my mother's maiden name, so any identity thieves who go researching me are going to get it wrong. "Excuse me, but I don't know who you are," I said. "Give me you department's phone number and I'll call you back." A little confusion, then he rattled off a number (0800 389 1652) and I hung up on him. First stop: caller-ID. I dialed BT's last number service and got "the caller withheld their number". That's odd, but not utterly implausible for a real bank (they do silly stunts with offshore voice-over-IP to save money). Second stop: www.barclays.co.uk, to see if I could find that telephone number anywhere. Funnily enough, the number (0800 389 1652 — a commercial freephone number) wasn't listed in Barclays' page of contact numbers. Third stop: google. Nope, nobody seems to have a web page with that phone number on it listed. Fourth stop: after some mild irritation digging it out of the web, I called Barclays customer services, and got through to a helpful fellow. Because I initiated the call, I didn't mind giving him the password. "No, there's no outstanding notes on your account. Let me call that number you were given and see if it's one of ours ..." (It seems big banks haven't yet cottoned onto the idea of an in-house phone book with reverse lookup). "That's odd, it hung up after it rang three times. I'll try again." And no dice that time, either. "I'll make a note on your account." And now for the punch-line. Some bastard just tried to steal my bank account. I have no idea how they decided to target me, but from the sound on the line they're running a call centre, and from the accent, they may not be based in the UK at all. If I had taken it on trust that my caller was from my bank and answered their questions, I would be in a world of hurt right now. I'm pretty sure they don't have my bank details (I don't leave statements lying around) but there's one due real soon now that hasn't arrived yet ... and you can never be sure what's happened to the mail that you haven't received. Barclays aren't a major high street presence in Scotland (they've got three branches in the whole country) and my phone number has the Edinburgh dialing code, so to be targeted that way implies that they knew beforehand that I am a Barclays customer and were just looking to fill in the gaps they need. Which is worrying. It implies they know more about me than they'd get by just sticking a pin in the phone book. (I should add that I won't be a Barclays customer for much longer — I've been meaning to change banks for a while now, and this is just the final straw.) Anyway, in this particular case I didn't get phished — but it's bloody easy if you lose track of the essentials: never disclose secret information — like your banking details or passwords — through a communications channel which you did not initiate for yourself. Oh, and J, if you're out there and reading this, I'm looking for you. And when I find you, I'm going to do my best to put you in prison. Sleep tight. [Discuss spam] posted at: 17:27 | path: /spam | permanent link to this entry

specials: Is SF About to Go Blind? -- Popular Science article by Greg Mone Unwirer -- an experiment in weblog mediated collaborative fiction Inside the MIT Media Lab -- what it's like to spend a a day wandering around the Media Lab "Nothing like this will be built again" -- inside a nuclear reactor complex Quick links: RSS Feed (Moved!) Who am I? Contact me Buy my books: (FAQ) Missile Gap Via Subterranean Press (US HC -- due Jan, 2007) The Jennifer Morgue Via Golden Gryphon (US HC -- due Nov, 2006) Glasshouse Via Amazon.com (US HC -- due June 30, 2006) The Clan Corporate Via Amazon.com (US HC -- out now) Accelerando Via Amazon.com (US HC) Via Amazon.com (US PB -- due June 27, 2006) Via Amazon.co.uk (UK HC) Via Amazon.co.uk (UK PB) Free download The Hidden Family Via Amazon.com (US HC) Via Amazon.com (US PB) The Family Trade Via Amazon.com (US HC) Via Amazon.com (US PB) Iron Sunrise Via Amazon.com (US HC) Via Amazon.com (US PB) Via Amazon.co.uk (UK HC) Via Amazon.co.uk (UK PB) The Atrocity Archives Via Amazon.com (Trade PB) Via Amazon.co.uk (Trade PB) Via Golden Gryphon (HC) Via Amazon.com (HC) Via Amazon.co.uk (HC) Singularity Sky Via Amazon.com (US HC) Via Amazon.com (US PB) Via Amazon.com (US ebook) Via Amazon.co.uk (UK HC) Via Amazon.co.uk (UK PB) Toast Via Amazon.com Via Amazon.co.uk Some webby stuff I'm reading: [ Engadget ] [ Gizmodo ] [ The Memory Hole ] [ Boing!Boing! ] [ Futurismic ] [ Walter Jon Williams ] [ Making Light (TNH) ] [ Crooked Timber ] [ Junius (Chris Bertram) ] [ Baghdad Burning (Riverbend) ] [ Bruce Sterling ] [ Ian McDonald ] [ Amygdala (Gary Farber) ] [ Cyborg Democracy ] [ Body and Soul (Jeanne d'Arc)  ] [ Atrios ] [ The Sideshow (Avedon Carol) ] [ This Modern World (Tom Tomorrow) ] [ Jesus's General ] [ Mick Farren ] [ Early days of a Better Nation (Ken MacLeod) ] [ Respectful of Otters (Rivka) ] [ Tangent Online ] [ Grouse Today ] [ Hacktivismo ] [ Terra Nova ] [ Whatever (John Scalzi) ] [ GNXP ] [ Justine Larbalestier ] [ Yankee Fog ] [ The Law west of Ealing Broadway ] [ Cough the Lot ] [ The Yorkshire Ranter ] [ Newshog ] [ Kung Fu Monkey ] [ S1ngularity ] [ Pagan Prattle ] [ Gwyneth Jones ] [ Calpundit ] [ Lenin's Tomb ] [ Progressive Gold ] [ Kathryn Cramer ] [ Halfway down the Danube ] [ Fistful of Euros ] [ Orcinus ] [ Shrillblog ] [ Steve Gilliard ] [ Frankenstein Journal (Chris Lawson) ] [ The Panda's Thumb ] [ Martin Wisse ] [ Kuro5hin ] [ Advogato ] [ Talking Points Memo ] [ The Register ] [ Cryptome ] [ Juan Cole: Informed comment ] [ Global Guerillas (John Robb) ] [ Shadow of the Hegemon (Demosthenes) ] [ Simon Bisson's Journal ] [ Max Sawicky's weblog ] [ Guy Kewney's mobile campaign ] [ Hitherby Dragons ] [ Counterspin Central ] [ MetaFilter ] [ NTKnow ] [ Encyclopaedia Astronautica ] [ Fafblog ] [ BBC News (Scotland) ] [ Pravda ] [ Meerkat open wire service ] [ Warren Ellis ] [ Brad DeLong ] [ Hullabaloo (Digby) ] [ Jeff Vail ] [ The Whiskey Bar (Billmon) ] [ Groupthink Central (Yuval Rubinstein) ] [ Unmedia (Aziz Poonawalla) ] [ Rebecca's Pocket (Rebecca Blood) ] Older stuff: June 2006 May 2006 April 2006 March 2006 February 2006 January 2006 December 2005 November 2005 October 2005 September 2005 August 2005 July 2005 June 2005 May 2005 April 2005 March 2005 February 2005 January 2005 December 2004 November 2004 October 2004 September 2004 August 2004 July 2004 June 2004 May 2004 April 2004 March 2004 February 2004 January 2004 December 2003 November 2003 October 2003 September 2003 August 2003 July 2003 June 2003 May 2003 April 2003 March 2003 February 2003 January 2003 December 2002 November 2002 October 2002 September 2002 August 2002 July 2002 June 2002 May 2002 April 2002 March 2002 (I screwed the pooch in respect of the blosxom entry datestamps on March 28th, 2002, so everything before then shows up as being from the same time)

[ Site Index] [ Feedback ]

Powered by Blosxom!