OT: a new scam

I got scammed at the end of last week. All sorted and no harm done, but the scammer told me that the normal security checks such as mother's maiden name etc. were no longer being used, and everything was being done via the Pinsentry system. After resistance from me I eventually went along with it and gave him all he asked for! :-(

As I said, no harm done because I immediately contacted my bank who blocked everything, but be aware that the scammers are now trying to use the Pinsentry system to get account details etc from people who are unfamiliar with Pinsentry.

Different banks may have different names for the system. It's basically a card reader that can confirm a person's identity. It's a pity the banks don't have a similar system for confirming who they are, so that the private individual can check they're not talking to a scammer.

Reply to
Chris Hogg
How did they contact you?

When I refused to give details to someone who claimed to be from my bank, they said 'well call the number on your card'.

Reply to
The Natural Philosopher

That isn't good enough either if you do it on the same phone line.

A well-equipped bad actor can play dial tone to you and hold the line open and then pretend to answer as your bank after you have dialed the right number on your bank card. I think telcos have shortened the delay before the line drops to mitigate against this trick.

Reply to
Martin Brown

So you mean he tricked you into entering your card number and doing the ID me by PIN and passing him that information (possibly allowing access to your bank account). I suggest you contact R4 You & Yours they will love this as a story of the latest scam - I can see lots of people falling for it if the spiel on the other end of the line is done well.

My default position is always that all cold callers are presumed hostile until proved innocent. Usually they can't do that to my satisfaction.

My position with cold calls from people pretending to be my bank is

"*YOU* cold called me so until you prove who *YOU* are I'm not going to confirm or deny who *I* am. If it is so important then ring back when you have put someone on the line who can prove to me that you are my bank, otherwise put it in writing and send it to my home address."

We deadlock at this point. Most often it really is my bank trying to sell me something that makes their sales droid a handsome commission.

Only twice in several decades has it been a real fraud alert (and they do ring back PDQ) and then ask a very specific question like:

"Was this transaction on <date> for <amount> with <company> really made by you?"

Reply to
Martin Brown

Barclays does have just that system. You set up a word or phrase on your Barclays PinSentry app that only the genuine bank will know about.

Reply to
Andrew

Old hat. That was effectively closed ages ago and Digital Voice phones plugged into your router are immune to it.

Reply to
Andrew

Telephone.

Reply to
Chris Hogg

Don't know how to do that. I don't do on-line banking, internet banking, telephone banking or whatever, and I don't have the banking app. I regard all of them as just more to worry about and additional ways a scammer can get access to my account. Fat lot of good it did me! I get wiser and more paranoid every day. As I said, I managed to get everything blocked before any damage was done, and a new card is on its way.

Reply to
Chris Hogg

Yes, that.

No, I didn't give him my pin, at least not directly, unless he is able to deduce it from my pinsentry response. Could that happen, and if so, what's the point of pinsentry? Not a sentry at all.

Reply to
Chris Hogg

No, you don't.

A Barclays PIN sentry reads your card and requests your PIN, and then issues various authorisation codes dependent on the transaction.

PIN sentry is about the best online banking authorisation there is. Which for Barclays, takes some achievement.

I've never had any issues with it, apart from the battery needing replacing after 15 years.

Reply to
The Natural Philosopher

No, but he would have got a valid transaction ID and been able to at least view your account.

Reply to
The Natural Philosopher

By giving him the number that PIN sentry displays after you put your PIN into it the bank's computer will be under the impression that he is you!

I'm wondering how they got your account details to pull this trick.

PINsentry machines should have a label on: "*NEVER* disclose this number to anyone on the phone"; only enter it into a secure bank website.

Reply to
Martin Brown

Online banking from a well-secured PC is pretty reliable. I was an early adopter since Belgian banks had sophisticated encryption-based banking software and a digital currency Protons way back in the late 1990s.

So long as you run something like Trusteer Endpoint Protection (other brands are available) to prevent keyboard loggers and the like and have up to date AV software on your PC it is as secure as a bank machine.

All the banks' online offerings are slightly different. Some have a welcome page that you can customise to have a picture or phrase on so that you will recognise it as the real one and not a carbon copy.

Increasingly they require TFA which has me waving my phone in the air at the highest point of the garden trying to get the text before the website times out. It is often rather touch and go.

I won't touch phone banking apps though. Anything daft enough to have my PIN available in plaintext isn't going to have me as a user.

Reply to
Martin Brown

Yes you do, maybe you've become blasé to it? As you start the Barclays app, it says

"Hi $firstname $lastname please enter your 5 digit passcode $yourchosenphrase"

I've never known them use the chosen phrase outside of the phone app though.

Reply to
Andy Burns

But the best phone apps use touch ID or facial recognition on the phone, no PIN involved.

Reply to
Rod Speed

I don't really understand this. You should never tell anyone the 'magic number' the card reader gives you. The only thing you should ever do with it (as far as I am aware) is to enter it in the right field when logging in to your bank or when confirming payments and such.

Someone asking you what the number is screams 'scam' at me.

Reply to
Chris Green

The counter staff sometimes ask you to put your PIN into their PINsentry to verify your ID in branches.

Reply to
Andy Burns

When new security regulations for on-line shopping were published by the government about two years ago I got a pinsentry from my local Barclays branch, expecting to have to use it regularly when buying stuff on-line. But I've never had to use it and this was the first time anyone ever asked me to use it, so I wasn't exactly familiar with what was or wasn't the right thing to do.

Reply to
Chris Hogg

Yes, done that occasionally, which is partly why it seemed OK to do it over the phone. Perhaps the whole pinsentry thing was just a smoke-screen to make it look as though the scammer was genuine. Unless they could somehow unscramble the number it gave and make use of the pin. But TNP says no.

Reply to
Chris Hogg

No, they can't get your PIN from the code you gave them.

But they can use it for a one-time logon to your bank, if they know the details that e.g. appear on one of your cheques.

What was the purported reason for the cold call?

Reply to
Andy Burns
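
The point made in the replies above (the reader's code does not reveal the PIN, yet whoever submits it is accepted once), as an added example that is not part of the original thread. It is a simplified model built on HOTP (RFC 4226), not the real PINsentry algorithm; the `Card` and `Bank` classes, the key and the PINs are all constructed for illustration.

```python
import hmac, hashlib, struct

def hotp(key: bytes, counter: int, digits: int = 8) -> str:
    """RFC 4226 HOTP: truncated HMAC-SHA1 over an 8-byte counter."""
    mac = hmac.new(key, struct.pack(">Q", counter), hashlib.sha1).digest()
    off = mac[-1] & 0x0F
    val = struct.unpack(">I", mac[off:off + 4])[0] & 0x7FFFFFFF
    return str(val % 10 ** digits).zfill(digits)

class Card:
    """Assumed model of card + reader: the PIN is only checked locally."""
    def __init__(self, key: bytes, pin: str):
        self._key, self._pin, self.counter = key, pin, 0

    def respond(self, pin_entered: str):
        if not hmac.compare_digest(pin_entered, self._pin):
            return None                       # wrong PIN: no code displayed
        self.counter += 1
        return hotp(self._key, self.counter)  # the PIN is not an input here

class Bank:
    """Assumed model of the verifier: it sees the code, not who typed it."""
    def __init__(self, key: bytes):
        self._key, self.last_counter = key, 0

    def login(self, code: str, window: int = 3) -> bool:
        start = self.last_counter + 1
        for c in range(start, start + window):
            if hmac.compare_digest(code, hotp(self._key, c)):
                self.last_counter = c         # burn the counter: single use
                return True
        return False

def demo() -> dict:
    key = bytes(range(20))                    # constructed sample card key
    card, bank = Card(key, "4821"), Bank(key)
    code = card.respond("4821")               # what the customer reads out
    return {
        # Same key and counter with a different PIN gives the same code,
        # so the code carries no information about the PIN.
        "pin_independent": code == Card(key, "0000").respond("0000"),
        "wrong_pin_shows_no_code": Card(key, "4821").respond("1111") is None,
        # The bank cannot tell the customer from a caller relaying the code.
        "relayed_code_accepted": bank.login(code),
        "second_use_accepted": bank.login(code),
    }

if __name__ == "__main__":
    print(demo())
```
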
