OT: Cunning new scam.

So the DECT 'phone system itself, or any other system, has no way of distinguishing between a real dial-tone and a fake one, and will think, in the case of this Scam, that a dial-tone played by the scammers is actually a real dial-tone? Or should it detect that the usual signal, whatever it is that it looks for to detect an open ready-to-dial line, is not there, and still display 'In Use'? Forget the second handset, this just applies to the basestation and its handset. What I am trying to establish is, what does the 'phone display at the time that the called party thinks that the line is cleared and ready for the Credit Card company call to be dialled, but in fact the line is still connected? If a dial-tone sounds, but the display says 'In Use', then that would be a good indication that something was not right. Calling home from a mobile sounds like the best check.

No, it doesn't bother trying to listen for a dialtone, why should it, that's your job!

Fair enough.

But what about the other part of the question: "What I am trying to establish is, what does the 'phone display at the time that the called party thinks that the line is cleared and ready for the Credit Card company call to be dialled, but in fact the line is still connected? If a dial-tone sounds, but the display says 'In Use', then that would be a good indication that something was not right."

It could vary from phone to phone, or the phone could be fooled, if you want a reliable method to ensure the line is clear, use the recall method (or use a different line, a mobile, a voip system etc)

Talking of self inflicted, I've just finished watching a program form a few weeks ago about the work of the Fraud Squad.

There were interviews with "victims" who had lost their entire wealth that they'd invested in one single "fund" on the basis of a phone call from some scammer.

These were normal compos mentis people. I found it difficult to feel sorry for them.

tim

Yes I've had this happened sometimes we hardly ever use the card then we need to buy something rather expensive so that trips up the system.

I'll call them back as you suggested, and more often on another private line we have;)..

Phones in general make no attempt to detect a dial tone. They dial when you push the buttons regardless of what can be heard.

If one handset is "off hook", then the other handset will normally display "in use". There are some DECT base stations that can cope with two phone lines - and with these you can have both in use at the same time on different lines.

It depends on if the in use note is indicating that the exchange line is in use, or that the radio connection between base unit and hand set is in use.

I just did a quick experiment: leaving the handset on the basestation, I disconnected the line. After a few seconds, the display told me to check the connection, so it knew that there was a break. I then picked up the handset, and it did indeed dial. This is probably also necessary to connect with the other handset for use as an intercom.

Not only that, but these days one frequently needs to dial when there is no tone for accessing menus on robo calls.

Didn't work with my Co-Op bank credit card. Despite the fact I informed them I would not be using it abroad they failed to spot £1000s of fraudulant use all over the world. I no longer have this credit card BTW.

Quite.

Worse still the Co-Op bank has an automated system for this so you can't even explain to the staff why this is a bad idea. A robot calls you and a recorded message says "This is the co-op bank" and then "type in your DoB into the keyboard". I don't know what other "security" questions they would ask because I always hung up at that point.

I even raised a formal complaint to them about this but they tried to hide behind the Data Protection Act. They attempted to justify their system by saying that they need to be sure who is answering the call. However they completely failed to understand that I need to know who is calling first.

People here have neatly illustrated how these so-called 'security' questions are a bad idea. If the answers are memorable or true then they're easily guessed. If you make up answers then they're easily forgotten.

Even using a real name is not ideal because it is effectively a very weak password.

It's really about time organisations stopped using them.

As ever, XKCD has it bob-on.

The HSBC token is quite good. You need a four number pin to use it and it generates a six digit code used in the login along with your password.

If you want to do a new transaction it will also generate a transaction code to enable that transaction.

Santander will send a OTP to your mobile before they allow some transactions.

I've just got a HSBC keyfob thing press the button 6 digit number is produced no PIN required.

I detest the Barclays system that requires a card, the card pin, then entering the last 5 digits of the card number and the 6 (8?) digit number that the device produces into the site.

What if you don't have a mobile or simply don't have a signal where you are?

This is the best one I've seen. It also keeps costs down as your fob will need to be precoded with your account number, whereas the device I have is generic. It's very quick to use.

Does that mean that anyone stealing your keyfob can generate useable codes with it, without needing to know the PIN? If so, that is the worst possible system imaginable.

The Barclays one does not require that just to login (although you can do it that way). It does require it though for setting up a new payee.

If you are going to have two factor authentication, their implementation of it seems reasonable.

They would presumably still need a password - i.e. a second factor.