OT: a new scam

I said that to my bank years ago.

Reply to
SteveW

Barclays also use it in branch - say when making a cash withdrawal over the counter.

Indeed, but that is where the job of a good pretexter comes in: to concoct a story plausible enough to make it seem reasonable enough in this context.

Reply to
John Rumm

Indian?

Did they just want the ID code (i.e. that generated just from your pin and your card)?

With other details it might be enough to log in to your account - but would not be enough to make a payment to a new payee.

(However one way they try and get round that is to see if you have a payee already setup for a suitable intermediate business. They then pay a lump sum to that business from your account, and then ring that business and claim to be you, and explain that you just realised you made a mistake when making an online payment, and paid them by mistake. Could they refund it - to a different account)

Reply to
John Rumm

It is also used for setting up a new payee on your account. So if you want to make a BACS transfer to an account you have not already paid, they use the "respond" facility to cryptographically sign a part of the payment instruction.

So for a scammer to be able to make a payment they would need two pin sentry codes - one to login, and another to make a new payment.

However just the login would then give them access to your transaction history, and that could be used for a later scam attempt.

Reply to
John Rumm
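The two-code requirement described in this post comes from the "respond" mode binding the code to the payment details, whereas the login ("identify") code is bound to nothing but the card and PIN. The following toy model, written for this thread and not Barclays' own implementation (a real card runs EMV CAP inside the chip rather than the HMAC-over-counter scheme used here), shows why a code phished under a login pretext verifies for login only, and why a payment code for one payee and amount is useless for any other. The card identifiers, key and account numbers are constructed sample values.

```python
import hashlib
import hmac


def _eight_digits(mac: bytes) -> str:
    # Truncate a MAC to 8 decimal digits: short enough to read off a display and key in.
    return f"{int.from_bytes(mac[:4], 'big') % 10**8:08d}"


def payment_message(payee_account: str, amount_pence: int) -> bytes:
    """The bytes a 'respond' code is computed over: the new payee's account number
    and the amount, so the code is useless for any other payee or amount."""
    return b"RESPOND:" + payee_account.encode() + b":" + amount_pence.to_bytes(8, "big")


class Card:
    """Toy PINsentry-style card: a secret key, a PIN and a transaction counter.
    Constructed for illustration only; this is not the EMV CAP algorithm."""

    def __init__(self, card_id: str, key: bytes, pin: str) -> None:
        self.card_id = card_id
        self._key = key
        self._pin = pin
        self.counter = 0  # advances on every code issued, so no code can be replayed

    def _code(self, pin: str, message: bytes) -> str:
        if not hmac.compare_digest(pin, self._pin):
            raise PermissionError("wrong PIN: the card issues no code")
        self.counter += 1
        mac = hmac.new(self._key, self.counter.to_bytes(4, "big") + message,
                       hashlib.sha256).digest()
        return _eight_digits(mac)

    def identify(self, pin: str) -> str:
        """'Identify' mode: proves card + PIN only; the bank accepts it for login."""
        return self._code(pin, b"IDENTIFY")

    def respond(self, pin: str, payee_account: str, amount_pence: int) -> str:
        """'Respond' mode: signs the payee and amount the user keyed into the reader."""
        return self._code(pin, payment_message(payee_account, amount_pence))


class Bank:
    """Verifier side: knows each card's key and the last counter value it accepted."""

    WINDOW = 10  # how far past the last accepted counter the bank will search

    def __init__(self) -> None:
        self._cards: dict[str, tuple[bytes, int]] = {}

    def enrol(self, card_id: str, key: bytes) -> None:
        self._cards[card_id] = (key, 0)

    def _verify(self, card_id: str, message: bytes, code: str) -> bool:
        key, last = self._cards[card_id]
        for counter in range(last + 1, last + 1 + self.WINDOW):
            mac = hmac.new(key, counter.to_bytes(4, "big") + message, hashlib.sha256).digest()
            if hmac.compare_digest(_eight_digits(mac), code):
                self._cards[card_id] = (key, counter)  # consume it: no replay of this code
                return True
        return False  # wrong mode, wrong payee/amount, wrong card, or already used

    def verify_login(self, card_id: str, code: str) -> bool:
        return self._verify(card_id, b"IDENTIFY", code)

    def verify_new_payee(self, card_id: str, payee_account: str,
                         amount_pence: int, code: str) -> bool:
        return self._verify(card_id, payment_message(payee_account, amount_pence), code)


if __name__ == "__main__":
    key = bytes(range(16))  # constructed sample key shared by card and bank
    card, bank = Card("card-1", key, "1234"), Bank()
    bank.enrol("card-1", key)
    login_code = card.identify("1234")
    print("login code accepted for login:", bank.verify_login("card-1", login_code))
    print("another login code accepted as a new-payee code:",
          bank.verify_new_payee("card-1", "12345678", 50000, card.identify("1234")))
```

The verifier only ever recomputes the MAC over the details it is being asked to act on, so a harvested login code buys login (and, as the post notes, the transaction history) but not a new payee, and a payment code signed for one account fails against a different account, which is why the scammer needs a second code. The binding protects only what the user actually checks on the reader's display before entering the PIN; that is where the social-engineering risk discussed later in the thread remains.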

Pinsentry != Pinsentry app

(The Barclays app also contains a capability to behave as a pinsentry device)

Reply to
John Rumm

There are a number - off the top of my head:

Block a compromised card

Pay by bonk. (i.e. using the phone for a contactless payment device)

Verification of an online payment on another service - say you checkout in an online store using your cc, a proportion of the time it will want to verify it was you and so can offer to verify using the app. Not that different to requesting an OTP via SMS, but it can't be misdirected by someone cloning your SIM, or getting you to read the code to them. Also it skips the need for you to enter a code to complete the transaction - you just confirm it on the phone.

Reply to
John Rumm

You've convinced me! :-))))

Reply to
Jeff Layman

I don't think I have been to my personal banking bank for decades! :-)

The above wouldn't work for HSBC anyway as their equivalent of pinsentry is personalised and doesn't require your bank card.

Reply to
Chris Green

You mean your card in the reader and enter your PIN? I think I'd run a mile!

Reply to
Chris Green

No, English. Slight accent (i.e. not BBC English) but I couldn't tell you from where.

16 digit card number and the response from the pinsentry.

There are DDs to utilities etc, but I've never used BACS or similar.

Yesterday morning the scammer rang me again, claiming to be from Barclays security, as before, and asking me to have my card reader ready. Different accent. I hung up. Earlier that morning I'd had an email welcoming me to the Barclays app. Looked very convincing, with all the things I could do with the app. There was a phone number to ring if I wanted to cancel the app. It wasn't a standard Barclays number, which raised my suspicions. I didn't touch any of it and I've double-deleted it (i.e. it's no longer even in my 'deleted' folder).

I rang Barclays and they confirmed they had blocked my debit card on the Friday when I first contacted them, and that someone had tried to register the app, but they had also been blocked. I made sure that Barclays had also blocked any on-line banking and telephone banking - I don't use them, have never used them and don't need them - I manage perfectly well without them. Barclays also confirmed that no money had been taken from my account. I assume the second phone call from the scammer was another attempt to get some more details to open the app, having failed the first time.

I hope that's the end of it.

Reply to
Chris Hogg

More likely the first call did allow them to login, maybe harvest details of some recent transactions to convince you during the second call that they are genuine, and use the pinsentry again to add a new payee to make a transfer.

Indeed, lucky escape ...

Reply to
Andy Burns

For paying in batches of cheques I take them to the counter (the app only allows a small number per week and a low value per cheque); the auto cheque scanners in branch are comically inaccurate.

Paying-in slips no longer seem to exist (nor pens on dangly chains). After you explain why you refuse to use the cheque scanners, they harrumph and ask you for your debit card, hand it back within their pinsentry for you to enter your PIN, then swipe the cheques through the MICR slot on their keyboard.

Reply to
Andy Burns

dial up/down the payment limits on the card, and cash machine daily limit.

withdraw "emergency" cash from a machine without your debit card.

Since my Dad's death, I seem to have become the family money-lender, so making transfers in response to a phone call or text message is "necessary".

Reply to
Andy Burns

Well, the question is, who initiated the discussion. I would never give anyone the details if they started it, even if it was from an apparently genuine email. I have no idea about this system as my card has no PIN; it's a chip and signature card which the bank says is better for blind people as many point of sale PIN number pads are now touch screen and cannot be used without sight. However we now have the learning curve of teaching the retailers that these are legal cards, and they would not have the hassle of going back in time if they had purchased proper tactile point of sale PIN number entry pads. Words fail me really, not enough forethought given once again. I'm not going to get a chip and PIN card, and let some shop assistant key it in, now am I? Brian

Reply to
Brian Gaff

Makes more sense to use apple pay given you have an iphone already.

See above.

Reply to
Rod Speed

My eldest son is a student, living away and he runs two debit cards.

One account, for day to day use, only ever has a small sum of money in it and he transfers money over from his other account as needed. Compromising of that account would not matter.

The other account may at times have his student loan payment, our accommodation cost contribution and his pay from his part-time job in it. He does not use that account for day to day use or online purchases. He does carry the debit card, but it is disabled from any use. If he suddenly needed it due to any problem with his day to day account, he can re-enable it immediately using the phone app ... which also allows it to be re-enabled for a single use, re-enabled with a pre-set limit, to only be used with a PIN, to be enabled with a pre-set contactless limit or to be enabled for an online transaction. He can then disable it or any one usage type again, as soon as he doesn't need it.

Reply to
SteveW

With the card number, the response code would be enough to log in to online banking. However at that point they would have found out (if they did not already know) that you did not have it set up. It may have been enough to try to set it up, and possibly then enable the app.

The payment of a DD will be satisfied via a BACS payment usually - so although you may not have used one "manually", you will have done implicitly. So further payments to those utilities could be made without further checks.

Yup many of the "better" scams are multiple stage these days - the first to gain information that can be used later to better effect.

(much like these "you have postage to pay on a parcel" scams that take you to a lookalike courier or royal mail web site to make a small payment. It is a way of harvesting enough information from you to make a call a couple of weeks later from the "security" department of your bank far more convincing)

It is possible it may have been a genuine email, if the fraudster had managed to setup the app. (although if you have no online capability setup with the bank then it raises the question as to why it came to your real email address).

In cases like that I would be tempted to keep a copy of the email for evidential purposes, and also you could forward it to the Barclays phishing reporting address.


Possibly - although you are now dealing with a spear phisher rather than the more common or garden variety. They now have enough information to target you directly, and may try additional attacks using the phone or other channels.

You have probably neutralised most threats already, so just a case of staying vigilant.

Reply to
John Rumm

It is still vulnerable to a social engineering attack though - e.g. a security department on the phone from your bank getting you to divulge a code. All it does is change one of the factors in the MFA - the something you "have" becomes the security key rather than your debit card. The something you know (i.e. the pin for the device / card) remains broadly the same.

Reply to
John Rumm

No, they have their own card readers. They enter the transaction details into it and hand it to you to enter your PIN. When you do that it generates an OTP that the staff can use to finish the transaction.

So the bank staff don't learn your pin, and you are giving away no more information than would be required to get the money from a cash machine.

Reply to
John Rumm

Quite often the people caught are those for whom the pretext matches something they were expecting anyway.

The classic one is parcel delivery scams: people get parcels all the time nowadays, so a fake tracking website / excess postage or tax to pay / 'while you were out' message is plausible enough to hook somebody in.

Everyone laughs at Nigerian prince emails (which are a filter for only the exceptionally gullible), but somewhere somebody will be expecting an inheritance or sale of a property, and cast the net wide enough and you might hook them.

Once they have you hooked, then the pretexting starts.

So we shouldn't be complacent that we won't be taken in, because eventually we will. The thing to think about is what defences we might use to prevent the hook turning into actual damage.

Theo

Reply to
Theo
