
I've run into the programmer vs normal person difference in thinking quite often with regard to customer support calls.

Occasionally I will be called by someone from some company or government department because they want to notify me of something. Let's say, for example, I forgot to pay my insurance bill.

At some point in the call they will ask me "I just need to verify your identity with some security questions." and ask me for something like my date of birth or my home address.

The only correct answer to this is "I can't give you that information. You called me. I have no idea who you are."

I'm always met with complete incredulity at this concept. About 50% of callers don't understand at all what I'm trying to get at. Most of the rest just don't have any idea how to continue.

What I tell them at this point is that the correct way to handle this is that they need to give me an extension number for them personally and I will find the external number of their company/dept myself on their website and then call them back.

Unfortunately a lot of these callers either can't (due to not having a personal extension number) or won't (it's off protocol I guess?).

The problem is, I feel like an asshole for taking a stand on things like this ("Why is this guy trying to make my job difficult"), but more people need to understand that it's all too easy to be socially engineered!



> At some point in the call they will ask me "I just need to verify your identity with some security questions." and ask me for something like my date of birth or my home address.

> The only correct answer to this is "I can't give you that information. You called me. I have no idea who you are."

This ties in with a scam in the UK that exploits a feature / bug of the POTS.

The scammer calls, and claims to be from your bank, and that you've been the victim of crime, and that they need to sort it out.

Some people express doubt about the validity of the caller.

The scammer says something like "Have a look on the Internet at your bank's phone number, and give them a call, and ask for Mr Jones in the Fraud Response Unit on extension 537. I'll hang up while you look. But it's really important that you do this quickly, to prevent more of your money being stolen".

The person being called hangs up the phone, but the scammer does not. Since the scammer initiated the phone call they're keeping that line open.

When the victim picks up their phone to make a call the scammer plays a fake dial tone while the victim "dials a number". An assistant of the scammer then pretends to be a bank phone answerer and connects the victim back to the scammer.

This little bit of social engineering appears to be very strong. There are stories of people who were initially suspicious, but who then lost all suspicion because of this trick, and who lost tens of thousands of pounds.

And since the victim handed out the money the banks tend to refuse to give the money back. The victims really lose real money. It's very sad.
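The mechanism in the comment above (the called party hangs up, the caller stays off-hook, and the exchange keeps the call up until a release timer expires) can be modelled with a small state machine. This is an added toy model, not code from the original post; the line names, the `release_timeout_s` values and the helper `simulate` are constructed for illustration, and real exchange behaviour varies by network, as the thread itself notes.

```python
from dataclasses import dataclass, field
from typing import Dict, Tuple


@dataclass
class Exchange:
    """Toy model of one analogue-exchange behaviour: when the called party goes
    on-hook while the caller stays off-hook, the call is parked rather than torn
    down, and is only released when the caller hangs up or a release timer expires.
    Constructed for illustration; the timer values used below are made up."""

    release_timeout_s: float
    # Active calls keyed by callee line -> caller line.
    active: Dict[str, str] = field(default_factory=dict)
    # Parked calls: callee line -> (caller line, time the callee went on-hook).
    held: Dict[str, Tuple[str, float]] = field(default_factory=dict)

    def place_call(self, caller: str, callee: str) -> None:
        self.active[callee] = caller

    def hang_up(self, line: str, now: float) -> None:
        # The caller hanging up releases the call at once, active or parked.
        for callee, caller in list(self.active.items()):
            if caller == line:
                del self.active[callee]
                return
        for callee, (caller, _) in list(self.held.items()):
            if caller == line:
                del self.held[callee]
                return
        # The callee hanging up while the caller stays off-hook parks the call.
        if line in self.active:
            self.held[line] = (self.active.pop(line), now)

    def pick_up(self, line: str, now: float) -> str:
        """What a line hears on going off-hook: genuine dial tone from the
        exchange, or the still-connected original caller."""
        if line in self.held:
            caller, onhook_at = self.held[line]
            if now - onhook_at < self.release_timeout_s:
                # Timer not expired: the line is rejoined to the parked call.
                self.active[line] = caller
                del self.held[line]
                return f"connected:{caller}"
            # Timer expired: the parked call was released in the meantime.
            del self.held[line]
        return "dial_tone"


def simulate(release_timeout_s: float, callback_delay_s: float, line: str = "victim") -> str:
    """Scripted scenario from the thread: a caller rings the victim's landline, the
    victim hangs up at t=0 while the caller stays off-hook, and the victim picks
    up `line` again after `callback_delay_s` seconds to "call the bank back".
    Returns what the victim hears on that line."""
    ex = Exchange(release_timeout_s)
    ex.place_call("scammer", "victim")
    ex.hang_up("victim", now=0.0)
    return ex.pick_up(line, now=callback_delay_s)
```

With a long release timer (constructed value 120 s), picking the same handset up 30 s later still returns `connected:scammer`, which is the window the scam relies on; with a 2 s timer the same call-back gets genuine dial tone unless the handset is lifted almost immediately, matching the 1-2 second observation reported further down the thread. Picking up a different line (`line="mobile"`) always gets dial tone, which is the defensive advice the thread converges on: use another phone, or wait long enough for the call to be released.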


>The person being called hangs up the phone, but the scammer does not. Since the scammer initiated the phone call they're keeping that line open.

Is that some UK-specific thing? Because in Moscow hanging up the phone breaks the connection from either side. Pretty sure that it has been this way since Soviet times.

Of course scammers can easily physically connect to your wire, so analogue connections are totally insecure for communicating with the bank anyway.


I've had this happen in the US, but only if the phone is picked up again within 1-2 seconds. Presumably there's a timeout somewhere (whether deliberately implemented or as a side effect of reactance on the network) that can be different in different systems.


I think it's UK specific. I've heard people in the US say it doesn't happen for them.


This has some nice elucidation of what is happening:

http://security.stackexchange.com/questions/100268/does-hang...

It's a tradition!


As an old person my memory is that this phenomenon used to be relatively commonplace in the US as well, and I remember people abusing it to make prank calls and the like. Not sure if I've thought about it since the 80's.


That's terrifying. How do you protect yourself from that? I'm not familiar enough with my bank's phone tree to distinguish the real one.


You use a mobile phone, another line, or walk to the bank. Other than that one must ask himself, what type of crime? Why does my bank's website show none of it? Is it related to any of my cards missing? Why is the bank contacting me and not the card issuer (VISA, etc)?

I must guess this kind of primitive social engineering can work in around 1 out of 100 cases and still be practical. As far as I've seen though, the real threat is phishing. Really easy to set up, and for most people it works.

Just the other day I was playing around on an unprotected server of a phisher that had just sent me an email, and there were plenty of people that had fallen for their trick. It could be seen in a text file where they were lousily saving all these details. Scary stuff.

Two factor authentication and even one-time cards (some banks issue this) can protect from this; but as always people that worry about security are already secure. It's the unaware that will fall for the trick.


One way, if you're suspicious, is to dial some # you know is NOT the bank, and see if they answer as the bank.

But in the heat of the moment we often forget these sorts of things; I got a scam voice mail allegedly from the US Internal Revenue Service (IRS) saying I owed money and was about to get sued.

I KNEW it wasn't legit; I KNEW it was a scam, but I still had that adrenaline surge and a desire to clear it the hell up, right now, using the method they wanted me to use. Which of course would have cost me a lot of money. My cooler head prevailed thankfully, but the fact my emotions rose so high, so quickly, scared me. Still does.


Here's a recording of someone falling victim to this crime: http://www.bbc.co.uk/news/business-34153962

The related audio and video on this link show the extent of, and distress caused by, this scam: http://www.bbc.co.uk/news/uk-34660329

18 pensioners, £600,000 (roughly $45,000 each): http://www.bbc.co.uk/news/uk-35064360


Well, if something similar happened, you could just call a different number from your bank and see if you still get connected. That would be a bad sign ;)


In my opinion, the best possible demonstration of this lack of security mindset is the time I was repeatedly contacted by some sort of bill-paying service explaining that my credit card details were out of date and the bill to "my" Montana-based electrical utility was overdue. It was clear that someone had accidentally signed up for this bill paying service and gave my email address by accident. After the third notice when they mentioned that my electricity was likely to be cut off, I decided I should call and let them know about the mistake so they could try other methods of contacting their customer. The customer service person said no problem, just give me the social security number associated with the account and she'd be able to assist me. I explained that it wasn't my account, and that was the problem. I didn't have the social security number. Faced with this obstacle, she thought for a moment and said, "ok, well to verify that, just give me your social security number and I'll check that it's not the number on the account." I tried to explain the flaw in her reasoning for a while and eventually just made up a social security number so I could fail her test.


Or they call and ask for someone but won't say a company or name, because DATA PROTECTION.

"Hello, is XXX there?" "Who is calling?" "I can't give out that information." "Mrs XXX here." "I am going to need you to verify your identity." "BUT YOU CALLED ME !@*!"

Companies need to actively distinguish their communications from SPAM, SLAM & phishing attempts.


> I've run into the programmer vs normal person difference in thinking quite often

As a programmer I can't understand how we are more secure by bunching people into large tight groups in security lines to protect people on the other side of security lines.

If terrorists want to kill the traveling public, one grenade and a few guns could take out dozens if not hundreds of people in a security line. And it requires no security to reach it. It really just seems a textbook case of security theater to me.


That's because there is no real threat and it's all theater. In a place where there are real threats, like in Israel, they have security layers with multiple checkpoints and they understand that a bunch of people in a group is a target.


I am from Brazil, and phone-based scams are VERY common... after my parents fell for two different ones, they started to always answer the question "Who is it?" when someone called with the reply: "Who do you want to reach?"

Some people DO get very pissed off, but it was never someone worth interacting with in the first place, so...


Just so we understand, your parents would answer the phone, say "hello", and the person who placed the call would then say "who is this?", really? That seems quite rude to me. We don't carry phones for the purpose of sudden challenges to our identity! I have gotten that sort of "who is this?" call before, but I just hung up.


I think he is saying that his parents are responding with "Who do you want to reach?" when prompted with "Who is this?". If you call a home phone and someone responds with "Hello" then it can be quite difficult to guess who you reached.

Also, it's probably more "Hi, this is Mr XXX, who am I talking to?".


The caller should be saying, "Hello, this is X, may I talk to Y?"


Could just be lost in translation. You'd never hear that in the US, but you might hear "Hi, this is James from Chase Bank, may I ask who I'm speaking with?" which is the same question asked politely.


For US residents, date of birth-name and home address-name pairings are not really sensitive information. There are multiple databases that can be used to access them (often along with SSNs).

Maybe they should be, but they clearly are not.


I had a text from my bank due to some fraudulent transaction. It asked me to reply if the transaction was legit so I called them up. They couldn't understand why I didn't want to start a conversation about my account with a number I didn't recognise.

They said "if the text says it's from us it definitely is". I was not overly impressed by this.


I would advise you to get a smarter bank. Imagine the kind of internal security that attitude gets them.


[deleted]


Heh. Here in Australia, not all of the salespeople are willing to breeze through required info, solely because some staff have been charged with fraud or held liable for fraud. I know of one person who had to pay back $500k worth of fraud from the dodgy cell-phone retail stores he ran. A crook through and through, and god am I glad he got busted.




