{"id":34897,"date":"2022-02-03T16:10:53","date_gmt":"2022-02-03T21:10:53","guid":{"rendered":"https:\/\/mjtsai.com\/blog\/?p=34897"},"modified":"2022-02-04T16:12:35","modified_gmt":"2022-02-04T21:12:35","slug":"hang-up-and-call-back","status":"publish","type":"post","link":"https:\/\/mjtsai.com\/blog\/2022\/02\/03\/hang-up-and-call-back\/","title":{"rendered":"Hang Up and Call Back"},"content":{"rendered":"<p><a href=\"https:\/\/krebsonsecurity.com\/2020\/04\/when-in-doubt-hang-up-look-up-call-back\/\">Brian Krebs<\/a>:<\/p>\n<blockquote cite=\"https:\/\/krebsonsecurity.com\/2020\/04\/when-in-doubt-hang-up-look-up-call-back\/\"><p>Many security-conscious people probably think they&rsquo;d never fall for a phone-based phishing scam. But if your response to such a scam involves anything other than hanging up and calling back the entity that claims to be calling, you may be in for a rude awakening. Here&rsquo;s how one security and tech-savvy reader got taken for more than $10,000 in an elaborate, weeks-long ruse.<\/p><\/blockquote>\n\n<p><a href=\"https:\/\/twitter.com\/andrewabernathy\/status\/1181711935202582528\">Andrew Abernathy<\/a>:<\/p>\n<blockquote cite=\"https:\/\/twitter.com\/andrewabernathy\/status\/1181711935202582528\">\n<p>A problem here in my experience is legit fraud departments leave callback numbers that don&rsquo;t match the phone number on the back of the credit card; if you call the number on the card they don&rsquo;t know what you&rsquo;re talking about. Fraud depts are training us to trust random ass calls.<\/p>\n<\/blockquote>\n\n<p><a href=\"https:\/\/twitter.com\/DigitalLawyer\/status\/1181348694991331328\">Pieter Gunst<\/a>:<\/p>\n<blockquote cite=\"https:\/\/twitter.com\/DigitalLawyer\/status\/1181348694991331328\">\n<p>Once I gave my member number, the attacker used the password reset flow to trigger a text message from the bank.<\/p>\n<p>They used this to gain access to the account.<\/p>\n<p>Then read some of my transactions to give the call more credibility<\/p>\n<\/blockquote>\n\n<p><a href=\"https:\/\/twitter.com\/patio11\/status\/1181693236898742272\">Patrick McKenzie<\/a>:<\/p>\n<blockquote cite=\"https:\/\/twitter.com\/patio11\/status\/1181693236898742272\">\n<p>Wish more banks would do what Stripe does here: &ldquo;Log into your account and use the &lsquo;auth a support rep&rsquo; feature. I will read you some digits, you verify they match, then read your digits to me.&rdquo;<\/p>\n<\/blockquote>\n\n<p><a href=\"https:\/\/twitter.com\/chrismessina\/status\/1183492104590221312\">Chris Messina<\/a>:<\/p>\n<blockquote cite=\"https:\/\/twitter.com\/chrismessina\/status\/1183492104590221312\">\n<p>Apple Support now sends push notifications to your devices to verify that it&rsquo;s you calling.<\/p>\n<\/blockquote>\n\n<p><a href=\"https:\/\/twitter.com\/choffstein\/status\/1183783568926900230\">Corey Hoffstein<\/a>:<\/p>\n<blockquote cite=\"https:\/\/twitter.com\/choffstein\/status\/1183783568926900230\">\n<p>My bank just called me about something, but couldn&rsquo;t tell me what it was about unless I answered my security questions.<\/p>\n<p>Sorry, I&rsquo;m going to assume it&rsquo;s fraud and hang up 100% of the time.<\/p>\n<p>I called the bank myself.  Turns out it was legit.<\/p>\n<p>What a stupid, broken security model.<\/p>\n<\/blockquote>\n\n<p><a href=\"https:\/\/twitter.com\/OluseyiSonaiya\/status\/1185337884330676224\">Oluseyi Sonaiya<\/a>:<\/p>\n<blockquote cite=\"https:\/\/twitter.com\/OluseyiSonaiya\/status\/1185337884330676224\">\n<p>I just received a <em>phone call<\/em> purporting to be Apple Inc., with a recorded voice telling me my &ldquo;iCloud account had been breached,&rdquo; not to perform any actions, and to press &ldquo;1&rdquo; to connect with &ldquo;Apple Support.&rdquo;<\/p>\n<p>If you receive this call, it&rsquo;s a scam.<\/p>\n<p>[&#8230;]<\/p>\n<p>There is some persistent vulnerability in US phone networks that is allowing spammers to spoof the phone numbers and caller ID information of known brands. It shows up as \"Apple Inc.\" on my phone, too.<\/p>\n<\/blockquote>\n\n<p><a href=\"https:\/\/krebsonsecurity.com\/2020\/04\/would-you-have-fallen-for-this-phone-scam\/\">Brian Krebs<\/a>:<\/p>\n<blockquote cite=\"https:\/\/krebsonsecurity.com\/2020\/04\/would-you-have-fallen-for-this-phone-scam\/\"><p>You may have heard that today&rsquo;s phone fraudsters like to use caller ID spoofing services to make their scam calls seem more believable. But you probably didn&rsquo;t know that these fraudsters also can use caller ID spoofing to trick your bank into giving up information about recent transactions on your account &mdash; data that can then be abused to make their phone scams more believable and expose you to additional forms of identity theft.<\/p><\/blockquote>\n\n<p id=\"hang-up-and-call-back-update-2022-02-04\">Update (2022-02-04): <a href=\"https:\/\/twitter.com\/johndotbowdre\/status\/1489606160076390402\">John Bowdre<\/a>:<\/p>\n<blockquote cite=\"https:\/\/twitter.com\/johndotbowdre\/status\/1489606160076390402\">\n<p>I&rsquo;ll also add: if you can&rsquo;t find a company&rsquo;s support phone number on their website, they don&rsquo;t want you to call. Use some other contact method. The number you found via search is probably a scam.<\/p>\n<\/blockquote>","protected":false},"excerpt":{"rendered":"<p>Brian Krebs: Many security-conscious people probably think they&rsquo;d never fall for a phone-based phishing scam. But if your response to such a scam involves anything other than hanging up and calling back the entity that claims to be calling, you may be in for a rude awakening. Here&rsquo;s how one security and tech-savvy reader got [&hellip;]<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"apple_news_api_created_at":"2022-02-03T21:10:58Z","apple_news_api_id":"41d3f9c5-292f-483b-8fb4-a50d82fb9eec","apple_news_api_modified_at":"2022-02-04T21:12:40Z","apple_news_api_revision":"AAAAAAAAAAAAAAAAAAAAAA==","apple_news_api_share_url":"https:\/\/apple.news\/AQdP5xSkvSDuPtKUNgvue7A","apple_news_coverimage":0,"apple_news_coverimage_caption":"","apple_news_is_hidden":false,"apple_news_is_paid":false,"apple_news_is_preview":false,"apple_news_is_sponsored":false,"apple_news_maturity_rating":"","apple_news_metadata":"\"\"","apple_news_pullquote":"","apple_news_pullquote_position":"","apple_news_slug":"","apple_news_sections":"\"\"","apple_news_suppress_video_url":false,"apple_news_use_image_component":false,"footnotes":""},"categories":[2],"tags":[1195,1200,1454,48,2090],"class_list":["post-34897","post","type-post","status-publish","format-standard","hentry","category-technology","tag-financial","tag-phishing","tag-phone-app","tag-security","tag-two-factor-authentication-2fa"],"apple_news_notices":[],"_links":{"self":[{"href":"https:\/\/mjtsai.com\/blog\/wp-json\/wp\/v2\/posts\/34897","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/mjtsai.com\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/mjtsai.com\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/mjtsai.com\/blog\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/mjtsai.com\/blog\/wp-json\/wp\/v2\/comments?post=34897"}],"version-history":[{"count":2,"href":"https:\/\/mjtsai.com\/blog\/wp-json\/wp\/v2\/posts\/34897\/revisions"}],"predecessor-version":[{"id":34918,"href":"https:\/\/mjtsai.com\/blog\/wp-json\/wp\/v2\/posts\/34897\/revisions\/34918"}],"wp:attachment":[{"href":"https:\/\/mjtsai.com\/blog\/wp-json\/wp\/v2\/media?parent=34897"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/mjtsai.com\/blog\/wp-json\/wp\/v2\/categories?post=34897"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/mjtsai.com\/blog\/wp-json\/wp\/v2\/tags?post=34897"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}