OT: a new scam

He said it was because there was a debit transaction they thought was suspicious, and they had blocked it temporarily but needed my details to block it permanently.

Reply to
Chris Hogg

At least in the UK the banking phone app contains the bank card PIN and there has been a spate of recent thefts from gyms where the mobile phone and bank card(s) were stolen and account emptied before the individuals affected even knew they were missing. It hinged on the flash up display of a TFA OTP code sent to the real user's mobile phone which could be read momentarily by any Tom, Dick or Harry.

Bank then says "Your problem you must have disclosed your PIN". BBC discovered otherwise after a bit of experimentation. BBC R4 5/9/22

The scam is still in play right now.

Most UK banks have now adjusted their TFA txt preamble so that the OTP is no longer visible in the preview flash up msg on a locked phone.

Reply to
Martin Brown

Shouldn't you be suspicious of absolutely everyone who contacts you - I am, I never even own up to my name, until they have been able to confirm who they are. Genuine callers don't mind you being suspicious of them.

Reply to
Harry Bloomfield Esq

I view it the opposite way, it makes your own access much more rapid and secure, especially so the use of contactless and instant notifications of transactions via my phone

Reply to
Harry Bloomfield Esq

Well, yes, I was suspicious. But he was very persuasive, persistent and convincing (by using the pinsentry routine which I recognised from when I had visited my local branch in the past).

So how would you confirm who they are? Banks go to some length to confirm who you are, but confirming who they are doesn't seem to be part of their thinking. It would be quite simple for there to be a similar set of questions and answers that you could ask them and check the answers, without having to use any app.

Reply to
Chris Hogg

When I was called by a scammer on my landline, I rang my bank using my mobile phone.

Reply to
charles

I don't use a phone app.

I use a PIN sentry

It wants my membership number, my credit card number and a pin sentry generated code

Reply to
The Natural Philosopher

I really don't think so. It's a one time password.

Reply to
The Natural Philosopher

Pin sentry is only needed to log in to your bank online, it is optional between that and a pin code texted to your mobile for *some* transactions.

Reply to
The Natural Philosopher

One problem is actually getting to talk to anyone at the bank with an understandable accent in a short period of time, to confirm (or otherwise) what the scammer was trying to do. Obviously you can't do anything online in case there is a security issue.

Reply to
Jeff Layman

Martin Brown <'''newspam'''@nonad.co.uk> wrote

I don't believe that last bit. It certainly isn't in any of my banking apps. And to get into the banking app to see it even if the bank is actually stupid enough to show your pin in the banking app, you have to unlock the phone with touch ID or face ID and do that to get into the app too.

Clearly that won't work if the banking phone app requires the touch ID or face ID to match before you can do anything in the app.

That is comprehensively mangled and they say at the end that you shouldn't have your phone and cards in your bag. That means that someone who steals your phone with the banking app on it can't loot your account.

And the other obvious way to protect yourself is to only use apple pay to pay for anything and that also requires your touch ID or face ID to actually authorise the transaction. And you never need your PIN because apple pay doesn't even ask you for it for the higher value transactions, unlike when a card is used.

You never see anything on a locked iphone.

Reply to
Rod Speed

The phone app incorporates the functionality of a PINsentry, without having to carry around a bit of blue plastic.

Reply to
Andy Burns

But that stuff would soon be well known so the spammer would be able to produce it.

Makes more sense to tell the person they are calling an incident number and then the called person can call the number on the card or statements and supply the incident number to be connected to the caller again and be sure that it really is the bank which called them.

Reply to
farter
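
The callback scheme suggested above, seen from the bank's side, as an added example that is not part of the thread: the class, method and queue names, the 8-digit format and the 24-hour validity are assumptions. The incident number is only a routing reference, so it is checked after the customer has dialled the number printed on the card and passed the bank's usual authentication.

```python
import hashlib, hmac, secrets, time

class CallbackDesk:
    """Bank-side register of outbound calls a customer can verify by ringing back."""
    TTL = 24 * 3600  # assumed validity window in seconds

    def __init__(self, clock=time.time):
        self._key = secrets.token_bytes(32)   # keeps stored references opaque
        self._open = {}                       # digest -> (customer_id, queue, expires)
        self._clock = clock

    def _digest(self, incident):
        return hmac.new(self._key, incident.encode(), hashlib.sha256).hexdigest()

    def open_incident(self, customer_id, queue):
        """Create the number the agent reads out on the outbound call."""
        while True:
            incident = f"{secrets.randbelow(10**8):08d}"
            if self._digest(incident) not in self._open:
                break
        self._open[self._digest(incident)] = (customer_id, queue, self._clock() + self.TTL)
        return incident

    def route_inbound(self, authenticated_customer_id, incident):
        """Run after the customer dialled the published number and passed the
        bank's normal checks. Returns the queue to connect to, or None."""
        digest = self._digest(incident)
        record = self._open.get(digest)
        if record is None:
            return None                       # the bank never made that call
        customer_id, queue, expires = record
        if self._clock() > expires:
            del self._open[digest]
            return None
        if not hmac.compare_digest(customer_id.encode(), authenticated_customer_id.encode()):
            return None                       # reference belongs to another customer
        del self._open[digest]                # single use
        return queue

if __name__ == "__main__":
    desk = CallbackDesk()
    ref = desk.open_incident("cust-17", "fraud-team")   # constructed sample values
    print(desk.route_inbound("cust-17", ref))
    print(desk.route_inbound("cust-17", ref))
```

A `None` result is the useful signal for the customer: the bank has no record of the call, so the original caller was not the bank.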

Ah, that looks like a promising idea. Next time, I'll try that, and there is bound to be a next time!

Reply to
Chris Hogg

Social engineering attacks always are. The only defence is attack. Tell them to FOAD more or less politely - they have cold called you. You have no evidence that they are who they claim to be (end story).

I don't know why this isn't more widely publicised since it is absolutely *BOMB PROOF*. All cold callers are presumed hostile. (most are, or only doing it to get their sales bonus at my expense)

It does FUCK UP the SOP of most cold calling sales pitches though.

You tell them to either put it in writing or *PROVE* to you exactly *WHO* they are before going any further. Most times they CBA.

Reply to
Martin Brown

When my bank called me and wanted to ask me some security questions I pointed out that he had a good idea who I was, he'd phoned me, but I had no idea who he was.

There was a pause.

"You're right you know, but no-one else has ever said that!".

I took his name and department and called him back. Yes, it really was my bank. And it's depressing that my comment was either needed or new.

Andy

Reply to
Vir Campestris

I don't use a banking app, but if it has the function of a PINsentry wouldn't the OP have got caught in the same way?

Out of interest, what online banking can you do with a phone app that you can't do with a computer at home? More to the point, why would you need to do it then rather than wait until you got home?

Reply to
Jeff Layman

You can also adjust that preview.

Reply to
Bob Eager

Pay in a cheque.

Reply to
Bob Eager

It's actually the reverse, some of my FI require you to use online banking when doing some stuff.

Very handy to be able to move money about when out and about when say you manage to forget to move enough money into a debit card or find that the card you normally use can't be used for some reason and you need to move money into another card to use that one.

MUCH more secure and much more convenient to use Apple Pay instead of a contactless card and it never demands a PIN for transactions over a specified amount.

Very handy to be able to send money to someone immediately when out and about instead of having to get more cash from the ATM.

I only use cash now at garage sales and even tho I can pay anyone who has a mobile phone number or email address, it isn't a terrific idea to try to convince people that it's as good as cash and no risk for them when there is a queue of people waiting to pay for what they have bought.

Reply to
farter
