Charlie's Diary


Mon, 06 Mar 2006

Gone Phishing

Identity fraud is something of a current-day worry. We've probably all heard about it, or heard horror stories from someone who's been on the receiving end of it. But how do you tell when someone is trying to do it to you?

The most important thing you can know, to make yourself safe, is this: before some thief can empty your bank account, they have to know how to impersonate you convincingly on paper or on the telephone. And because your bank call center doesn't know you from a dalek by voice, this means they need the password or private information the bank depends on to identify you.

If you've been on the internet for any length of time, you probably get phishing emails — messages purporting to be from financial institutions to you, their customer, warning that your account is in jeopardy and that you need to click here to update your details or log in or something. The "click here" button invariably leads to a convincing fake copy of the bank's web site, and if you enter your details the scammers will be into your real online banking account faster than a greased Jack Russell terrier down a rabbit hole. I get about two or three of these a day for my bank account, ten to twenty a day for my eBay/PayPal accounts, and another twenty to fifty for banks I've never dealt with in my life. Needless to say, I'm blasé and cynical about them. On the other hand, things are different for folks who aren't used to the internet — different enough that these thieves find it a lucrative line of work.

A somewhat rarer fraud requires a bunch of people in an office, with a set of telephone lines. I got one of these today. The first sign was around 1pm, when the phone rang. I picked it up: silence on the line. I put it down in disgust, immediately — the silent line means some automatic polling software at the far end is dialing numbers but there were no call centre staff ready to launch into a sales script. And that, I thought, was that.

Then the phone rang again at 4pm. I picked it up, hearing a silent line, which immediately raised my suspicions. But a moment later, someone came on the line. "Hello, I'm J from Barclays banking security. Can I speak to Mr Stross, please?"

As it happens, I do bank with Barclays, and once in a while I get a phone call from their security people. But that silent couple of seconds at the beginning of the call had got me on edge. (Why would the bank's security department be using a polling dialer?) "Speaking," I said. "What is the purpose of this call?"

"We've had a notification about some suspicious activity on your current account and we're phoning to check into it." So far, this was following the standard Barclays script. However, a second odd thing about the call caught my attention: my caller's accent. Barclays have not, as far as I know, outsourced their call centres from the UK, but his accent was definitely foreign. I'm bad at accents: I initially thought "Indian", but as he continued I shifted to "South African". Still, that's not damning. When I visited my bank branch this lunch-time, the cashier who dealt with me was Polish. But you can add up points here, and this was the second oddity about the call.

Then: "can I just confirm your identity sir? If I can ask you for your date of birth and your mother's maiden name ..."

That is what really started the alarm bells ringing.

You see, Barclays use these bits of information to authenticate callers. You go through a switchboard system, punch in your account number, and then talk to a call centre cashier. Who uses these questions to confirm that you are who you say you are. But this guy was asking me to break the first rule of security, which is know who you're talking to. He had called me. How did I know he really was from Barclays' security department? All I had was his word for it. If he was a bad guy, then he knew my name and phone number. If he had access to my bank statement (with account number and sort code printed on it) then all he needed was my pass information and he could impersonate me. Tell the bank I've moved to his own address, request new debit cards, and bang — that's my account stolen.

Hint: Your mother's maiden name is a matter of public record. Banks who use this as a customer password are just asking to be hit on by fraudsters. Me, I lie to the bank: the name they've got on file as my response to that question is not my mother's maiden name, so any identity thieves who go researching me are going to get it wrong.

"Excuse me, but I don't know who you are," I said. "Give me your department's phone number and I'll call you back."

A little confusion, then he rattled off a number (0800 389 1652) and I hung up on him.

First stop: caller-ID. I dialed BT's last number service and got "the caller withheld their number". That's odd, but not utterly implausible for a real bank (they do silly stunts with offshore voice-over-IP to save money). Second stop:, to see if I could find that telephone number anywhere. Funnily enough, the number (0800 389 1652 — a commercial freephone number) wasn't listed in Barclays' page of contact numbers. Third stop: google. Nope, nobody seems to have a web page with that phone number on it listed.

Fourth stop: after some mild irritation digging it out of the web, I called Barclays customer services, and got through to a helpful fellow. Because I initiated the call, I didn't mind giving him the password. "No, there's no outstanding notes on your account. Let me call that number you were given and see if it's one of ours ..." (It seems big banks haven't yet cottoned onto the idea of an in-house phone book with reverse lookup). "That's odd, it hung up after it rang three times. I'll try again." And no dice that time, either. "I'll make a note on your account."

And now for the punch-line. Some bastard just tried to steal my bank account. I have no idea how they decided to target me, but from the sound on the line they're running a call centre, and from the accent, they may not be based in the UK at all. If I had taken it on trust that my caller was from my bank and answered their questions, I would be in a world of hurt right now. I'm pretty sure they don't have my bank details (I don't leave statements lying around) but there's one due real soon now that hasn't arrived yet ... and you can never be sure what's happened to the mail that you haven't received. Barclays aren't a major high street presence in Scotland (they've got three branches in the whole country) and my phone number has the Edinburgh dialing code, so to be targeted that way implies that they knew beforehand that I am a Barclays customer and were just looking to fill in the gaps they need. Which is worrying. It implies they know more about me than they'd get by just sticking a pin in the phone book. (I should add that I won't be a Barclays customer for much longer — I've been meaning to change banks for a while now, and this is just the final straw.)

Anyway, in this particular case I didn't get phished — but it's bloody easy if you lose track of the essentials: never disclose secret information — like your banking details or passwords — through a communications channel which you did not initiate for yourself.

Oh, and J, if you're out there and reading this, I'm looking for you. And when I find you, I'm going to do my best to put you in prison. Sleep tight.


posted at: 17:27 | path: /spam | permanent link to this entry

