Called my local bank and they confirmed this was legit, I almost went off on a full rant about how bad their protocol is for this.
It’s kinda nice because while doing this, they also educate their customers to never trust such a call and to rely on official information to contact them.
A few days later I found out the call really was from the bank, and the bank had blocked my account, in a way that took a long time to unblock (don't get me started...). As ever, I found out the hard way, when I needed to use the account for something in real-time and it wasn't available.
But the call was from a different department than general customer support, the department's number wasn't known to customer service, and the account status change wasn't visible to customer service either.
So the bank's own customer service thought it was a scam call!
The example that comes into mind is making transfers to my wife, where every time I do it, they ask me to confirm a bunch of questions to make sure it's not a scam/fraud, which fine, good idea. Once I confirm, they display another notice telling me they won't ask for a confirmation/2FA code because I make transfers to that account so frequently.
The only reason I can come up with why it is like that, is because there isn't a single person/group responsible for the full experience.
I saw some bank from Florida, that I'd never heard of, calling me on my cell. I assumed it was some sort of scam and ignored it. They're too stupid to get a phone number which has caller id set up to read the name of credit union with whom I did business.
Just amazing.
> I think they don't have any people working on the full UX flow
A week later, I phoned up the bank asking why everything was progressing so slowly and they said I'd failed the security check, so the process had been paused. I explained what had happened, and how it was ridiculous that they expected personal details without even saying they were from the bank, which they seemed to agree with, but said that was their procedure so it was my fault for not complying.
When my father calls his bank, they actually verify him by sending a 2FA code to his email that he reads back.
Three guesses on how you log in to the service.
Do as I say, not as I do.
Hardly. The company shouldn't have XSRF-vulnerable software, if your browser is vulnerable you have bigger problems and what you actually shouldn't do is enter your credentials or download stuff after clicking on that link.
But of course there's an internal "phising test" that penalizes you for clicking on links... links that have been obfuscated by some email-modifying link-tracking security software that makes it nearly impossible to figure out to which domain the link even goes.
Then the goddamn CEO sends out an empty email, with a .docx attachment, and the subject saying "urgent, open immediately" The HR sends out suspicious looking shit all the time. The. You have Microsoft spamming you with fucking QR codes!!!
You know what needs to happen? Disable all hyperlinks in email. Make everybody copy and paste the goddamn thing. Then they have to look at the link and they have to manually paste it into the browser. Then there are no obfuscated links. Also disable HTML email, images, and most file attachments. Then there is no pixel tracking, no possibility for malicious images to be auto-loaded, and no excuse for clicking a bad link.
Even better when it's a bank you don't use and the number on their site goes to an automated system that won't let you access it without an account number, so you have to scrounge for alternative phone numbers to get to talk to someone.
In Gmail or Thunderbird they don't just show the PDF and since they display the sender differently it makes it obviously a scam.
Sometimes it feels like companies are just helping scammers and I don't know why.
There's a lot of similarities to scamming and marketing. In particular, they both have essentially the same desire for well-designed messages.
Problem is, one of the most common check frauds is check washing. The PTO line is changed to a fraudulent name, and the amount stays the same. So, yes, the amount matches a legitimate payment, but who was paid? Ha!
Mine actually tries to ask for PII and I tell them to kindly fuck right off and go to my bank website and ask them what the fraud number is.
They said that domain name was not theirs, and they only use usaa.com in their emails. They locked my account without telling me. I had to call them back to get them to unlock my account, and I think that person in their fraud department understood the issue and they said they created a ticket.
We shall see...
They had by far the most competent cybersecurity group I've witnessed. Things have changed in a decade maybe.
But, they still use proprietary TOTP from Symantec which is annoying.
- hostile to password managers.
- You cannot copy paste passwords.
- Client side password hashing
- Stupid requirements like the password cannot have more than 15 characters and even have a whitelist of character sets! (Looking at you HDFC)
- And of course, run of the mill spam
They are all stuck in the early 2000s.
That's something! My bank insists on exactly 6 numbers. Not characters, numbers.
They're also hostile to password managers and don't allow copy/paste. You have to click on the numbers with your mouse.
"My security" is very important to them, so they've moved 2nd factor from a physical fob, to an app tied to my phone, and now they've improved it further by switching to sms!
Now, this isn't some neighborhood mom 'n'pop bank, but the biggest or second-biggest bank in France.
When I see this kind of thing I suspect that it's a web app that's simply a proxy for some mainframe screens that were written in the 1990s (or earlier).
So 6 digits is low entropy, but it is compensated by a few layers of security. I don't know in practice how effective it is against passwords. I have seen it done in several banks, insurance companies, etc... including online banks. So I guess that it is not that bad. Most discourage SMS/email second factor in favor of their apps though. The physical fob is probably a hassle for them so they will try to push you to other solutions, usually an app.
Indian banks and many of the government websites are some of the most user-hostile things out there. Once upon a time, I used to think this was primarily to deter malicious actors from preying on tech-illiterate users, but given that the banks don't want to use all the tools/frameworks out there which help websites be both secure and user-friendly, I've changed my opinion.
I had to write 3 different "letters" (paper pen) to have a phone number typo (on their part) corrected.
I have not received any spam similar to the OP from my bank. But it seems (at least the popular belief) the lower level employees regularly leak your account details to scam callers.
Forgive my ignorance, but what's wrong with this one?
If you hash the password on the server instead, then if the password database is breached, then an attacker needs to actually reverse the hash[0] and find the original password in order to log in, because that's all that the server will accept.
[0] Note, this should be difficult[1] [1] In crypto, "difficult" should mean "impossible before the end of the universe"
I also had to deal with a medical device recall, which was terrible. I had to trust some skeezy domains.
This isn't hard to fix, all you need to do is list on your website your "partner domains."
My personal security protocol was to search a .gov website for contact info of financial institutions, go to the domain listed, look for a customer service number, and call that to find out what domains to trust. Customer service people thought I was weird.
At one point, a customer service person said, "you know it's legitimate because if you go to LinkedIn, you can see the person you're dealing with has <Bank Name> listed as their employer."
"Yeah? Give me two minutes, and mine will say the same. So, will you give me your personal info?"
Huh? I got my mortgage thru a mortgage broker and I only dealt with a single person.
Domain insanity aside, or course.
I have a strong anti-mortgage-broker bias. Mostly because of that one bad apple.
We used to have a lot of people like this running businesses in the US before roughly 2012, but white (and black) hat hacking began spreading quickly and made generally short work of the problem.
We employees of the acquired company discussed the emails in Slack: we were sure that these emails were legitimate, but acting on them would have broken our security policies, so we all decided to all report them as phishing attempts. We understood that we were engaging in malicious compliance, but our actions were also a best practice, so we couldn't technically be criticized for it.
After a while of this, execs at the parent company would send out sometimes exasperated-sounding emails ahead of time, alerting us to the email that we should expect to receive and how they wanted us to respond. Of course, that led to discussions of how we know that that pre-email emails were legitimate. After a while, we all lost interest in this malicious compliance and adopted the much laxer security culture of the acquiring company.
The absolute last thing anyone competent does is train employees to receive communications like that in email and follow them. If they'd asked for 3 minutes at an all hands to prep employees, or announced in slack, or something similar then ok. Or some out-of-band announcement that this was legit.
There's almost a catch-22: setting good, effective policies tends to involve a lot of telling people "no". And it's hideously difficult to do that without ruffling the feathers of people who control promotions.
It doesn't make any sense to me because it's expensive to make sure your company's services are secure, but it's also expensive to not be secure. Perhaps it's less expensive to not worry about it because the loss-of-customers impact on revenue are still under the cost of doing it right. If that's the case it's a sad state for all of us.
I don't know of anything that can convince a group of leaders making money and doing fine to change besides fear. Perhaps the US with its lawsuit-happy culture helped propel such changes more quickly than in Western Europe.
Unfortunately, the medical world is caught between a rock and a hard place in this case. Can't give any info to anybody but the patient--which means they can't identify themselves when they call as the practice name directly reveals their specialty, or the doctor (google will reveal their area of practice.) And the office that's doing this is an area where some patients would want it confidential.
I think maybe it could be resolved by having the medical world go to a correct horse battery staple model--on first contact you're given a set of random words that will be used as an identifier for future contacts. Each patient gets different words so all anyone else can infer is that it's a medical provider.
I much prefer the places that go with don't leave a message/leave a brief message/leave a detailed message. No need to add security to situations that don't need it.
I opted-out for all marketing purposes once they allowed to do so but yet, I was getting random calls from bank and 3rd parties. One day I called them because I had login issues on Windows Phone. I did mention to consultant that I was getting these calls and in return lady hit me with quite a revelation: they had a single opt-out that was only available if you called them.
I think the problem is, someone in the IT department understands the high risk associated with handing out subdomains, so they refuse to do it. So other parts of the company "work around" this by registering their own domain name.
I wonder how companies like Google handle this. A subdomain of google.com is probably the most valuable hack target in the world, but google does use subdomains occasionally (...or maybe more than occasionally! https://gist.github.com/abuvanth/b9fcbaf7c77c2954f96c6e55613...)
The issue is that marketing is organizationally separate from IT and doesn't want to interact with them. IT is probably behind a slow, outsourced ticket based process and will take weeks to do a simple thing. They may also have random opinions about stuff marketing doesn't want them to have opinions about. So building out promos like this is delegated to SaaS services or contractors who also have no relationship with corporate IT. Then nobody in marketing really knows or cares what a subdomain is, because everything they do is just searching Google or clicking links. They never look at the address bar because it's always full of meaningless junk so why would they or anyone else care what's in it?
Anti-phishing training doesn't make sense, when you look at how people really use the internet. Not many people look at the actual text of a URL. The best anti-phishing training is "go to google and type what you're looking for, only click links from there" and not "carefully examine the domain name to try and intuit if it's owned by the organization you think it is".
I don't know if he ever truly understood how he took out all company e-mail for nearly a week.
And trust links from Google? Keep up with the times! Sometimes the first hit is the scammers.
Terrible. The times were one could rely on them have long passed.
Some of them are larger and pretty well organised, but there are also a lot of small ones that just don't have the people and expertise for things like proper IT security practices. But customers trust them, because they position themselves as these local neighbourhood banks, even though most of them are pretty incompetent and will rip you off with high fees on accounts and shitty, underperforming investment products.
I got an email with a header that was obviously badly scanned from a paper document. It demanded that I provide proof of insurance or my car loan would be canceled. It had the name of the bank and my name and my email, but nothing else of import.
The only URL was to a domain unrelated to the bank.
I ignored the first couple, and finally looked into it the third time.
It was legit.
When I told them all the ways this looked like phishing, they couldn't understand my concerns.
I gave them the info they wanted in person at a local branch. I soon after paid off that loan and got away from them.
I didn't know about it before my grandmother handed me an article from the local newspaper and told me some of her friends were worried about it. We laughed and I took the newspaper clipping to work and posted it on the wall of failures. Everybody in IT could immediately tell that this was a pretty bad idea, but we weren't asked.
I'd link the article and provide more details, but I'd have to visit my local library, and maybe later.
However every time I use it, instead of answering through the secure channel, they try to call me on the phone.
Now they've put out security warnings about scammers impersonating bank staff making calls to customers.
Something they do when they initiate a call to me on the phone is they start by making sure they are talking to me (they don’t ask me to prove it) and making sure I have the app on the my phone or access to a web page.
Then they initiate a MFA check within the app. I have to get it and read back a number. Then they ask me for my phone PIN or password. Once that’s done, then we can start talking.
You should only reveal an MFA code to someone that you have called, knowing that it is the right person.
If you’re thinking that - for example - someone is attempting to log into my account online and simultaneously call me pretending to be the bank. They are presented with an MFA check and tell me they initiated it. I give it to them unwittingly, and note they are in.
My understanding is that isn’t possible here, because this “MFA check” is different than the login one. The login one is the “Google Authenticator, 6 numbers”. This is a different code entirely. Obviously I didn’t specify that in the original post. My bad.
If that wasn’t what you were thinking and you can think of how this fails, I need to know and learn more!
I don't really know why the situation is so terrible -- there are many good and competent security professionals working in corporates in Germany -- but perhaps as the post alludes to it is due to a lack of legal or regulatory pressure to date.
In an ideal world, all merchants would be using tokenization already – then the bank could offer you a UI where you can just kick out the merchants you don't want to have access to your payment credentials anymore before reordering a new card. (If tokens were mandatory, like they are e.g. in India, you wouldn't even need to reorder the card in the first place, but that'll probably never happen in the US – too many legacy systems.)
This is NOT a reason to distrust a website.
I personally would trust something signed by Lets Encrypt more readily than many other certificate providers. They appear to know what they are doing.
[0] https://www.troyhunt.com/extended-validation-certificates-ar...
In other words, if the bank is following best security practices, they're fine with Letsencrypt; if they don't, they might need somebody else.
> While everyone can register for free on Let’s Encrypt, only (or mostly) serious companies pay money to register on DigiCert, GoDaddy, and so on.
GoDaddy is not a serious anything. DigiCert perhaps, but GoDaddy has repeatedly shown themselves to be scummy and untrustworthy.
That said, I do see the value in having an entity like a bank pay for a stricter cert with identity validation versus leveraging Let's Encrypt's free infrastructure which only validates domain/site control.
Serious companies donate the money they saved by not buying snake oil to Let's Encrypt.
I just went to check the “official” domain and it looks like the domain is now owned by an ad network. Classic.
A news article link ( https://www.vrt.be/vrtnws/nl/2021/01/22/compensatieregeling-...) still ises that domain name in it’s article, but now redirects to a proper gov site: vlaanderen.be/veka
- HTML emails where links and remote images obfuscate the 'real' content of the email.
- URLs which are not clearly and easily human-readable.
- A workflow where my normal and expected daily behavior is to receive valid emails that I don't recognizes with URLs from vendors, and then I'm meant to click on those URLs, go to web pages, and enter my credentials.
The fact that _any_ normal products or business processes expect this means phishing will always eventually succeed. No, I don't have all the UIs and URLs for every vendor memorized. I'd have no way to know if they changed validly, and my job trains me on a daily basis to click on emails and enter my credentials. It's just that _every so often_ this same scenario is set up by a bad actor.
These calls come in on an unrecognised number, from staff who say "I don't know" when you ask them to prove they are from Octopus, and generate no call notes so you can't find out why they rang if you use the main customer service number.
To top it off they ask you to key in your card info on the phone after asking for your personal information.
I complained and they offered to fob me off with £30 credit instead of talking to their CISO, but they did at least say they can add phone passwords to individual accounts.
They use so many different domains. I'm not talking about redirects either. Like their landing page is at rbcroyalbank.com and then the login is at secure.royalbank.com. for ages rbc.com was another website for ages, but now also appears to be the Royal Bank (or is it?). I forget under which domain the dashboard is hosted.
Like, I get buying all the variations of your bank name, but please just redirect to one cannonical one! Marketing should also be for one domain. Way to easy to be scammed by royalbankofcanada. com or rbcbank.ca, because who the heck knows what their actual site is!
The other is that Germans seem very bad at this kind of stuff. Why the heck would the application for the German passport or Ausweis be published by some random GmbH and not Bundesregierung.gov?
At least for Switzerland the federal government puts its sites under the domain admin.ch . And the Cantons have their own domains, e.g. zh.ch for Zurich.
This way the government doesn't have to release information to the public (think FOIA) about it. Moving central part of government operation into a private GmbH wholly owned by the government has (sadly IMHO) become a somewhat common strategy for the government. Not just Governikus (the one with the passport) but also the Telematik (Health system) and probably some more.
And then now we've got OIDC.
In the government/banking/etc space - there is at least FIDO/WebAuthn/Passkeys which also resolves it. But it's a fair criticism.
Sneakers (1992)[0]
Mitchell and Webb has a good commedy skit on this subject: https://www.youtube.com/watch?v=CS9ptA3Ya9E
Don't they allow you to manually enter the bank routing number and account number, then verify it by depositing and withdrawing a few cents?
All the other times, they just ask for my verbal password to verify me.
I reported it and they said they created a ticket, but a month later when I called for a follow-up on the ticket, they said they had no idea what I was talking about :-/
(If anyone from Chase reads this, I have the recordings of those calls if you want them.)
If I use my Chase debit card more than fifty miles from my home, transactions are denied as potential fraud. Then again, if someone uses my card details at a gas station in Santo Domingo, DR, that's just fine, even though I'm using the card in my home town on the same day.
It's maddening.
A few years ago, I got a postcard that said "renew your alarm licence on-line" and the domain wasn't the .ca.gov domain the city uses, but something like "alarm-renewal-online.info"
I had to spend 30 minutes on the phone with my city to verify that this was a legitimate way to renew the alarm. They had contracted with an outside company to do the payment servicing. In the end, I just decided to mail them a check.
Wow, they never ever stop nickel-and-diming people, do they?
Is this some kind of meta-level play to sound less fake?
“Hello this is your bank can I please confirm your personal details?”
then of course i have to call them back, sit on hold (and maybe get the same call center agent!) to verify their identity and conduct whatever business they originally called about. thanks, your bad practice just cost me an afternoon to deal with the inefficiencies of a private industry i think shouldn't even exist.
I've mistakenly deleted from our mail quarantine multiple times as spam/phishing. Imho it's wilful négligence toynkeep such a system operating in 2025.
The system will surely rectify itself eventually when their spammy, manipulative, promotional banker campaigns do not produce results (is that a bad thing?) and they seek out firms that do produce results based on knowing what they are doing.
The author could even use it as an opportunity to promote his or someone else’s services and use this write-up as an artifact of evidence.
I don’t want to get too generalizing, but it is a perspective that does not surprise me coming from what seems to be a German, for better or worse. Complaints about not being in compliance with universal norms instead of taking advantage of a presented opportunity to break ranks for one’s their own individual advantage, strikes me as a very German perspective; like I said, for better or worse, without judgement, since both of these perspectives have their advantages and disadvantages.
(i had on issue with PNC in the US where they kept calling and asking for a 2FA code. Totally indistinguishable from phishing. Clearly they lack proper infosec, so I moved to Schwab and have not looked back.)
The links to that redirector service are http:
You don’t even need to phish them, AmEx does it for you. All you have to do is rewrite the redirect on the wire.
"We'd like to confirm this wire. We just need some details."
"Okay, I am me, that's true. But I should probably call Chase back for this right? This is textbook scam stuff. What do I tell them to get to you as fast as possible."
"All right, sir. That's fine. Let me just make a note on the account. You should be able to find the phone number on the website"
And then I usually just find my way. It's funny, but you kind of have to be disciplined.
The site also uses a Let's Encrypt certificate, which seems strange. This appears to be a massive, coordinated and not very well-executed effort to promote this Wero service. My guess is that the sites were all build by the same advertising agency.
They call, they say I can call back and wait in a queue, but that’s stupid.
Also crazy they don’t have a TOTP (e.g. Google Authenticator)based two-factor authentication. It’s just way more secure than email or phone number.
Training about this kind of thing is mandatory for bank employees in my country, as far as I know.
Like, companies are making it so easy for scammers to pretend to be them.
I mean this is just ... incredible. Are they living on the moon? Many real phishing messages are even more sophisticated than this.
Once I got a vaccination, and in order to do it I had to fill out a form where I chose the arm. The form said to circle either "right or left."
The word "right" was on the left and "left" was on the right.
I pointed this out to the nurse and she laughed, and then realized her error, because she made the form.
Or in other words, looking at me, my right arm is on your left.
[1] https://archive.org/details/33C3-Shut_Up_and_Take_My_Money
→ "Oh, ok"
→ "Before we get started, I need to verify your social security number/address/other personal information"
→ "Yeah, you called me and I have no way of knowing if you are who you say you are. I'm not going to give you that information. Can you give me your name, and I'll call the number on the website and ask for you?"
→ "Flabbergasted Well, our system doesn't work like that, so you'll have to submit another request"
→ Repeat ¯\_(ツ)_/¯
Oh as a bonus... Hey want to integrate with a third party website? Oh just enter this code that we are literally telling you not to give away to anyone else. Lol.