
My bank uses a fraud detection system that calls you if suspicious activity is detected on your account. It then asks you to call back a number to verify the account activity. Every time they call, they provide a different callback number. Searching for the callback number online yields only one result, which is the fraud detection system's web page telling you to NOT trust phone calls of any kind (their advice is solid, but it tells you to not respond to their own legitimate calls)!


The only time I ever triggered the fraud detection system on my card, I got a text message from the bank that said "Your card is blocked due to suspicious usage, please call 'number'". And the number was also some random unlisted one. The only reason I didn't just ignore the thing is that I had made a purchase on a new website half an hour before.

Called my local bank and they confirmed this was legit. I almost went off on a full rant about how bad their protocol is for this.


One of my former banks handled this pretty well. They called you and would say something like “there is an issue, but since you should never trust a direct phone call pretending to be your bank, please look up our number on our website and call us”.

It’s kinda nice because while doing this, they also educate their customers to never trust such a call and to rely on official information to contact them.


My credit union does the same but with "call the number on the back of your card". I suppose they have a lot of practice getting it right, given that their idea of a suspicious transaction is any transaction out of state.


PNC pulled that on me all the time. So I closed all my accounts and bank elsewhere. Gave fraud prevention as the sole reason for my exit on forms.


I ended up with a PNC account as a result of a series of bank acquisitions, and they're so badly run it's almost a dark comedy.

Branch staff are all perfectly lovely, but they're at the mercy of very funky systems above them.


Banks are filled with stupid levels of bureaucracy internally, but PNC takes that up to 10. Their IT employees seem like dried husks of something that once was human.


> any transaction out of state

I am assuming card-present transactions? Because I order things from all over, not just locally.

I do appreciate the fraud protection but authorizing my ATM card for non-US withdrawals is overly specific and extremely annoying and time-consuming. Plans change? Expect to spend 15-20 minutes on the phone to say “yes, I will be in Portugal for one extra day”.


My bank did the "out of state" suspicious thing for a while. It was particularly painful since I lived near a state border...


Mine did the opposite for a while. In the event of an issue, they'd call, tell you that they were putting you on hold for a teller, and the first thing the teller did was identify the bank and ask for personal information to verify the account.

I always made a point of telling them that they had called me, that I had no proof of who they were, and that I was going to call back from the published number.


That is a great demonstration of best practices. What bank was that?


It was probably the Dutch ING or ABN-AMRO, we went through too many banks and between two countries :D.

The Dutch ING now has a new thing where you can verify in the banking app if it's them calling you:

https://www.ing.nl/de-ing/veilig-bankieren/wat-kan-je-zelf-d...

(I guess in some sense it's a step back because the bank is calling you again, but it's nice that you can verify it live in the app.)


It's also a great filter for the scammers. The people who are non-gullible or medium-gullible will follow. The truly gullible will say "What is the web address?" To which they respond "citibank-support.blogspot.com"


I've had the version of that where I called my bank's listed number to confirm the incoming "call us on this number" voicemail was legit, and they said NO, the call is not a legit number of theirs, the account looks fine, I was right to check, and they agreed it seemed like a scam call.

A few days later I found out the call really was from the bank, and the bank had blocked my account, in a way that took a long time to unblock (don't get me started...). As ever, I found out the hard way, when I needed to use the account for something in real-time and it wasn't available.

But the call was from a different department than general customer support, the department's number wasn't known to customer service, and the account status change wasn't visible to customer service either.

So the bank's own customer service thought it was a scam call!


Name and shame whoever did that. The last time that a bank tried to pull such shit at me I wrote about it all over the Internet and to this day it comes up when you search for that bank (either my post or others complaining/warning others of the same problem).


Yeah, I think they don't have any people working on the full UX flow. My bank does similarly weird stuff.

The example that comes to mind is making transfers to my wife, where every time I do it, they ask me to confirm a bunch of questions to make sure it's not a scam/fraud, which fine, good idea. Once I confirm, they display another notice telling me they won't ask for a confirmation/2FA code because I make transfers to that account so frequently.

The only reason I can come up with for why it is like that is that there isn't a single person/group responsible for the full experience.


The idiots at my former credit union apparently subcontract out their credit cards to some east coast bank, whereas my bank and I live on the west coast.

I saw some bank from Florida, that I'd never heard of, calling me on my cell. I assumed it was some sort of scam and ignored it. They're too stupid to get a phone number which has caller ID set up to read the name of the credit union with whom I did business.

Just amazing.


Well, afaik caller id is actually unauthenticated and can be trivially impersonated.


You are missing the point. He (hopefully) won't trust the callerID to be the bank, but he will trust a "random" callerID to not be his bank/important.


> I think they don't have any people working on the full UX flow

Probably right, but this is the importance of dogfooding. I really think this stuff happens because everyone is in such a rush and doesn't take a few minutes to think things through, which requires thinking about everything as a whole.


Yeah, they don't follow their own rules. Once my bank called me for an insurance change I had requested a month or so earlier and asked me to verify myself via the security dongle. Like, and then they act surprised when people are scammed.


Heh. 20 years ago when I was buying my house, I was arranging the mortgage through HSBC bank. One day I got a random call, started by asking me to confirm my name and date of birth. I asked them who they were, and they refused to say anything before going through security. I told them I wasn't giving them any personal details without knowing who they were, and they hung up.

A week later, I phoned up the bank asking why everything was progressing so slowly and they said I'd failed the security check, so the process had been paused. I explained what had happened, and how it was ridiculous that they expected personal details without even saying they were from the bank, which they seemed to agree with, but said that was their procedure so it was my fault for not complying.


> that was their procedure so it was my fault for not complying

This is one of the most fascinating (infascinating? like, infamous/famous distinction? whatever) things about bureaucracies, to me: they sincerely expect everyone to follow their internal rules and procedures, even the people who are completely outside their jurisdiction by any stretch of imagination.

Like, "we require the application of your personal seal to the papers" — "Personal seal?.. we use signatures in this part of the world, you know" — "No, we don't accept signatures, it has to be a seal imprint" so then you just stamp some absolutely random rubber stamp and they accept it because even if they can't actually read Cyrillic, it's a stamp and that's all that matters.


Oh, don't get me started on rubber stamps.

I taught at a German university for a few years. And the way grades were handled was, you had to print a standardized piece of paper for every student with their name, date of examination, and grade, and drop them off at the secretary's office.

The secretary would stamp every such Schein with a rubber stamp. Then the students would pick up their Scheine at the secretary's office and bring them to the examination department themselves (!) to get the grade registered. Only at the very end of my time there, they changed the system and I could hand in the grades directly to the examination department.

At any rate, the system was so stupid. It was trivial for students to print a new Schein with a better grade and register that (there must have been a lot of fraud). But the counter argument was 'no, it's very safe because the students do not have a rubber stamp'. Of course, the rubber stamp was just the university logo with something like the faculty name next to it. Trivial to copy (or make a rubber stamp for more enterprising students).

Probably the procedure had been followed since 1573, well before home printers, scanners, phone cameras, or get-your-own-rubber-stamp-for-a-few-bucks internet shops.


> Probably the procedure had been followed since 1573, well before home printers, scanners, phone cameras, or get-your-own-rubber-stamp-for-a-few-bucks internet shops.

This is almost always how these seemingly silly bureaucracy hoops become established. They were created in a prior time where a third party obtaining "magic item Y" with which to authenticate was significantly difficult to near impossible. Then, over time, the world, and technology improve, to the point where anyone, willing to spend $9.99, can have an exact duplicate of "magic authentication item Y" manufactured via any one of 78 different makers. But the bureaucracy continues using the now outdated process because "this is the way it has always been done".

It is largely a real world example of "The Monkeys, Bananas and Ladder Experiment": https://psychologyfor.com/the-monkeys-bananas-and-ladder-exp...


The extension to that is making it illegal to own/buy/use 'magic item Y', on the basis it enables fraud.

When they could just cut out the middle man and just make fraud itself illegal and not require the magic item at all.


ARM had a huge headache when the CEO of their Chinese subsidiary stole the company seal and refused to give it back. That meant they effectively couldn't do business at all.


I recently joined a very old company, with many lifers, and I continuously run into this mentality. "I can't explain it now, but I'm sure there was a good reason for it, so we're gonna continue doing it this way."


The real issue is that most businesses just don't document anything to do with their processes. Chances are that there are a handful of things that there is a good reason for doing and they do need to be done that way. Except the people that identified that original problem and came up with the original solution have all left the company, so now there is nobody around that has put in the effort (or been given the time to investigate) to figure out why things are done the way they are. And the last time one of the things that had been done forever was suddenly stopped, it caused an untold amount of chaos, so now the directive is to just keep doing everything we've always done.


Of course it is typically wise to consider Chesterton's fence.


Per Chesterton's Fence, isn't this the right course of action for any individual who is unsure of why the practice was started?

https://www.lesswrong.com/w/chesterton-s-fence


I like that fence, but I consider the best course of action to be going and finding out why the thing is done the way it is, even if it necessitates careful investigation.


I always understood Chesterton's to be that you should leave the fence there while you are investigating why it's there and whether it's still needed. Not blind "don't do anything".


I'd wholeheartedly agree with your assessment of the best course of action. To the points raised in the conversation above: there is definitely too little understanding of the pattern and too much blind adherence to the pattern as a widespread institutional practice across many institutions.


Ah, offloading the physical movement of papers between the offices onto the general populace... why don't they just mail each other directly, isn't part of their job to communicate with other offices? Lolnope.

Sometimes it becomes truly ridiculous: I once had to apply for something, and was told I needed to grab and provide them some certificate from a different government service to prove that I'm actually eligible. Okay, I do that, and then they spend two weeks verifying the certificate by physically mailing and inquiring about me from that other service and waiting for them to respond (also by physical mail).


> Of course, the rubber stamp was just the university logo with something like the faculty name next to it. Trivial to copy (or make a rubber stamp for more enterprising students).

My entire career is predicated on the things I did with a stack of university letterhead 40 years ago.


Had something like this years ago when we were trying to get an EV code signing certificate from GoDaddy (for our Windows application).

They wanted a government issued identification document with both photograph of the individual as well as their physical address on it.

No such document exists for South Africans, I offered to get attestations from lawyers, police, but nothing was good enough.

Then I had to threaten charging back the credit card to get a refund (as opposed to credit) on the not-insubstantial fee for a service that their verification policies made impossible to be fulfilled by South African entities.

We succeeded with DigiCert. It was a bit involved, including getting sign-off by a certified security consultant that we had appropriate procedures in place to protect the private key, but eventually we got through the process.


I have had nothing but trouble with GoDaddy and their ridiculous identification routines. We've spent hours with (allegedly) real humans who will tell us "ok I've released the domain for transfer. It will be clear in about 30 minutes" (or whatever it is at the time) and it never is, and then we have to start the entire process over with a new rep. There are other reasons to hate them too, but I won't go on a rant :-D


My initial philosophy with GoDaddy was "as long as it works, it's good enough".

But generally happy to not be using them these days. I do our domain registrations through Namecheap and can't say I've ever had an issue with them, also had to interact with support on occasion and also no negative experiences there.


If something goes wrong and you followed the procedure, the chances you're getting fired are very low. If something goes wrong and it is discovered you didn't follow the procedure, the chances of you being assigned the blame and fired are very high. It doesn't matter how stupid the procedure is or what's at stake - 99.999% of people you'd be dealing with do not care if the bank as a whole loses business or money, but care very much whether or not they are getting in trouble. Following the procedure is the easiest way of CYA.


Had the same thing happen with a debt collector. They would identify themselves, but seeing as their name was meaningless to me as we had no prior relationship, and even if I knew what they were calling about I had no debt I was aware of...

They were a _little_ more cooperative about it though.

    "Hi this is <Person> from <ABC Inc.>. Can I start by confirming your name and date of birth?"
    "Who is this?"
    "<Person> from <ABC Inc.>. Can I start by confirming your name and date of birth?"
    "No, you may not. What's this regarding?"
    "I can't discuss that with you until you verify your identity."
    "Okay, well I have no idea who you are so I'm not about to do that."
    "Well, I can't tell you anything else until you confirm your identity for me."
    "Okay."
    "So can I get your name and date of birth please?"
    "No."
    "..."
    "..."
    "..."
    "..."
    "Can you tell me what _day_ in January of 1970 were you born?"
I'm sure it broke some rule somewhere, but once they gave me at least some verification that they already had some of the information they were asking for, I was willing to play along.

(Turns out the ISP did their usual ISP thing and failed to mark that I'd returned my modem when cancelling service a few months prior then told no one and sent it to collections. The debt collector was very adamant that I needed to set up a payment because this wasn't going away. I walked into one of the ISP's retail outlets, told them what happened, they sighed heavily because this comes up _constantly_ and called in to have it marked returned and I never heard from anyone ever again. The end.)


> Turns out the ISP did their usual ISP thing and failed to mark that I'd returned my modem when cancelling service a few months prior then told no one and sent it to collections.

Spectrum did this to me. They sent a single "hey, you owe us for this thing" email before sending it to collections.


I assume collections pays (pennies on the dollar, but still >0) for each case, so being more thorough in verification of this literally costs them (the ISP) money. And, also, people who are being pissed off aren't clients anymore anyway. So of course they'd not do it.


HSBC had famously terrible systems when I dealt with them for a mortgage years ago - they were so bad that the staff I spoke with pre-briefed me on the range of issues their website could suffer from.

The best was that certain sections were circular, so it would start to ask the same questions again but displaying answers prefilled in - yet it would arbitrarily forget particular (different) details on each loop, defaulting to values other than what you'd entered before, so there were only certain points you should exit the loop at, to be sure it would submit the right information!

On the plus side, despite their system woes, they had very competitive rates, so it was definitely financially worth spending another 20 minutes and accepting their idiocy!


This wasn't so much a competitive rate, but I literally couldn't have afforded to buy this house if they didn't offer a 105% mortgage - so no deposit and some extra money so I could buy some furniture. To be fair, I had some deposit so didn't really need all the extra 5%, but I wasn't anywhere close to the 10% deposit that was standard at the time.

Also, now I remember that I also had to jump through some deceptive hoops. The deal was technically only available on the graduate account, which my account had stopped being earlier in the year because it changed to a regular account after 10 years from opening. The bank manager said she'd bend the rules and let me have the deal as an exception, but then presented me with a load of life insurance policies to sign (which of course I didn't want or need) and it was strongly intimated that if I didn't sign them, she'd no longer bother bending the rules to get me the mortgage deal. So, I signed them, and as soon as I had the mortgage confirmation letter through the post I phoned up to cancel before the end of the 14 day cooling off period. I dread to think how much commission she'd have made from me if I didn't cancel.


I had something similar happen to me except it was for health insurance authorization, for a regular treatment. So, every two weeks they would call me and ask me for personal info, and refuse to explain who they were or why they called until I gave it to them. Every two weeks I would try to explain how dumb that was. No direct call back number, of course.


Just piggybacking on this, if your bank (or eBay or Amazon or whoever) ever calls you to inform you of a suspected hack on your account, and says they're sending you a 2 factor authentication code to confirm your identity, do NOT tell them the code. It sounds obvious when phrased like this, but if you're not familiar with the scam then yeah, it's a scam and they're trying to get your 2FA token in order to access your account.


That's when you pull out the 69420 code and if they ask your name, it's Ben Chode.


Haha yeah, or 'Deez'.


> do NOT tell them the code

When my father calls his bank, they actually verify him by sending a 2FA code to his email that he reads back.


At least he's doing so having called an already trusted number. But receiving a call from someone claiming to be your bank is a much more dangerous situation, despite it feeling similar to lay people. Banks should really train people to hang up and call their actual customer service.


A variation can be the scammer presents a fake number for you to call, via email, sms or worse through malicious ads that pop up when you google for the company phone number. Or, a phishing proxy like evilginx could overlay a “call [fake number] to unlock your account” as part of the login process.


The company we use for our yearly mandated training has a cybersecurity "class" which tells you not to click links in emails (which is good advice!).

Three guesses on how you log in to the service.


My bank tells me via email to not click on links in emails and to directly visit their homepage instead. That's fine, but that email itself contains a link to their fraud prevention page (to learn more) and another link to log into their online banking service.

Do as I say, not as I do.


> which tells you not to click links in emails (which is good advice!).

Hardly. The company shouldn't have XSRF-vulnerable software, if your browser is vulnerable you have bigger problems and what you actually shouldn't do is enter your credentials or download stuff after clicking on that link.

But of course there's an internal "phishing test" that penalizes you for clicking on links... links that have been obfuscated by some email-modifying link-tracking security software that makes it nearly impossible to figure out to which domain the link even goes.


> what you actually shouldn't do is enter your credentials or download stuff after clicking on that link.

Then why even click on it in the first place (and risk your email address getting flagged as active in some illicit database?)


Because the aforementioned built-in link obfuscation makes it hard to even tell if the link goes to one of our work domains. And pretty much all our stuff is behind SSO, so if something asks for creds that's an easier tell than hovering over the link and trying to figure out where it goes. And sometimes they introduce new tools on new domains that may be legit.

Generally clicking on the link is not what gets you compromised (except for some spearphishing involving zero-days...). It's actions following that which might. So they're barking up the wrong tree and penalize people for that. That's just chicanery.


Holy fuck this drives me insane. My company makes us do the idiotic trainings, which tell you all the "red flags" to look for.

Then the goddamn CEO sends out an empty email, with a .docx attachment, and the subject saying "urgent, open immediately". HR sends out suspicious looking shit all the time. Then you have Microsoft spamming you with fucking QR codes!!!

You know what needs to happen? Disable all hyperlinks in email. Make everybody copy and paste the goddamn thing. Then they have to look at the link and they have to manually paste it into the browser. Then there are no obfuscated links. Also disable HTML email, images, and most file attachments. Then there is no pixel tracking, no possibility for malicious images to be auto-loaded, and no excuse for clicking a bad link.


It makes more sense when you realize it's an ass-covering exercise. Legitimate transaction blocked: "It's the user's fault for not calling the number, see, we called them and told them to call this number." Phishing: "It's the user's fault for calling the number, see, it says on our website you should never call any number." No matter what, it's always the user's fault for disobeying advice. A lot of things in our world are like this.


The whole concept of "identity theft" is this. Consider this: some dude D comes to bank B and says "I'm actually John Smith, give me $TONS of money". The bank gives the money and D disappears. Now B comes to the actual John Smith and demands the money back. John is like "how is it my fricking fault that you gave your money to some random dude?!" And the bank pulls the "identity theft" card out - you see, your "identity" got stolen, so now it's your fault for not guarding your "identity" properly, not ours! So now you should spend your time and money to fix it and we will treat you for years as a suspicious character, borderline criminal, for it. A very neat system.


I had a paper check stolen in the early 1990s. A Walmart accepted the check without its even being signed. So I reported it.

I cannot write a check at Walmart today. Not that I would; it’s antiquated even by US standards to do so. It’s that they fucked up and blame me, 30+ years later.


It's fun when you phone the bank's regular number, waiting hours to get someone on the phone, and they say that number isn't legitimate when it actually is.

Even better when it's a bank you don't use and the number on their site goes to an automated system that won't let you access it without an account number, so you have to scrounge for alternative phone numbers to get to talk to someone.


last digit +/- [1-9] usually isn't a bad place to start for larger institutions


Not a bank, but Apple Mail inline displays PDFs. I've been getting these PayPal Bitcoin scam emails lately and checking from Apple Mail they look legitimate. Problem is, I don't have a PayPal account...

In Gmail or Thunderbird they don't just show the PDF and since they display the sender differently it makes it obviously a scam.

Sometimes it feels like companies are just helping scammers and I don't know why.


> Sometimes it feels like companies are just helping scammers and I don't know why.

There are a lot of similarities between scamming and marketing. In particular, they both have essentially the same desire for well-designed messages.


True, but I find that highly problematic.

It's not a good system if it's hard to differentiate. We should be encouraging making money by providing meaningful value to the people buying the product, to get those things aligned. I think we engineers can play a role too. While not having the ultimate decision, I think speaking up and just pushing here and there to prioritize product quality over profits goes a long way. In the long run, I think quality and profits are usually aligned, though I think rarely in the short term.


They could have published the procedures/numbers online. IME companies decided that publishing notices/articles on the web, setting up subdomains and modifying apps are expensive projects. That leaves only noreply@bank.com for communication.


It could also be misguided security guidelines – because of things like caller id spoofing where scammers would spoof one of their actual numbers to lull people into a false sense of security


This is especially annoying when I have their app installed, if the app popped up warning me of fraud, I would trust it far more than a random phone call.


More. I work with a bank that sends text messages asking if you issued a check for $x amount.

Problem is, one of the most common check frauds is check washing. The PTO line is changed to a fraudulent name, and the amount stays the same. So, yes, the amount matches a legitimate payment, but who was paid? Ha!


I briefly worked on a product related to this. It was a chatbot meant to replace the human phonecall in just this situation. The user would get a text from the bank with a link to the chatbot. They ended up not being able to sell; the common complaint from the banks was that they'd been training their users to never click links like that.


These are largely outsourced which is why they are so terribly integrated with your bank's main phone tree.

Mine actually tries to ask for PII and I tell them to kindly fuck right off and go to my bank website and ask them what the fraud number is.
