Extremely, we had a client list who were already customers and mail ins from adverts etc. so we knew that a mailshot would get us a good response, for some products it would be almost 100% but that was for mandatory upgrades. Once or twice we got more than 100%!
It would be nice to be supplied with a "tripwire" password for this purpose. i.e. if in doubt about a situation give them characters from a password that if used will flag up a dodgy transaction - but otherwise appear ok. That way a genuine caller would be able to spot the use of the tripwire and hence you would have verification that they were legit, a scammer would not be any the wiser until they tried using the code, which would trigger immediate investigation.
(would be particularly effective for those PIN verification devices that some online banks use new - it would stop them being useful to muggers etc for verifying pin number obtained under duress)
To get around this all the scammer would have to do is reject the initial password given and accept the second. If the user gave the correct password the first time then the scammer could simply say they typed the wrong one in the first time.
But the scammer has to ring a number of times to get two different letters or numbers each time. It would very quickly become obvious that something fishy was going on when, from the rest of the conversation, it is obvious that the scammer does not really have access to your account details.
It works fine when they call you. You give them *only* two letters/ numbers from much longer passwords and they then have access to your account details. Ask them a simple question about the account activity to verify they really do have access.
You still haven't come up with anything better as far as i can see.
Scammer asks for all (or part) of your password. You give them the wrong answer. They tell you it is wrong and ask for the password again. You give them the correct answer.
Scammer asks for all (or part) of your password. You give them the correct answer. They tell you it is wrong and ask for it again. You insist it is correct and give it to them again. They tell you they typed it in wrongly the first time.
You need to understand that genuine callers will *never* ask for all of the password. Only ever two characters which they are prompted for by their computer, e.g. "Can I have the 3rd and 8th characters from your password?" followed by "Can i have the 1st and 4rd digit of your passcode?".
If I deliberately give them the wrong answer, and they're able to tell me it's wrong then they must (a) know the password already, (b) be genuine, or (c) lucky. Even if it's (c), what happens next in you scenario?
of posting.
And? What does that prove or disprove? They still only have two characters from a much longer password. What use is that to the scammer?
If they call the next day for two more characters, and the next day, and... then I would get suspiciosu before they get anywhere near the whole password and number.
As I've said, but you don't seem to understand, once the system accepts you it's very easy to determine if they are genuine either by the nature of their questions orby asking your own questions.
Scammer asks for all or part of password you give them the tripwire response. They tell you it was wrong
Them telling you it wrong - means that you know they either keyed it wrongly, or they are scamming. A legit caller would have identified the password as the tripwire one.
so you respond that you gave them the right password, or end the call then.
By giving a scammer the tripwire there is the possibility they will try and reuse it. Directly calling attention to their activities. A legit caller would recognise it as distinct from just a "wrong" password and would handle the call differently.
Request the person calls them on their published numbers on a matter of security. Should the scammer do so, they would re-use the scammed tripwire, the real punter however could phone and use real credentials and would also be aware of the fact they had used the tripwire recently when contacted.
HomeOwnersHub website is not affiliated with any of the manufacturers or service providers discussed here.
All logos and trade names are the property of their respective owners.