By PaulB
#1583712
There was a piece on the Jeremy Vine Radio 2 show (although hosted by BBC Media Editor, Amol Rajan) today on this subject.

It seems to be like Phishing only done via SMS text messages. It was largely about financial scams and a number of people called the show having fallen prey to various scams. It raised a few questions in my mind.....


In one case the victim (who was the show's producer and did end up getting her money back) received messages on her phone that looked like they were from her bank and were threaded with other bank messages. In retrospect she said the messages didn't look "quite right" but as they were in amongst all the other bank messages she called the number.....

In another case, someone received a phone call and the caller came up on their phone as the bank (the number was the same as on the back of the credit card). He fell for this scam and lost £8000 which his bank says is not recoverable.

So.... how is it possible for criminals to spoof SMS messages, and if it's so seemingly easy, why do banks use them?

Same question for phone numbers. Why is it apparently so easy to spoof CLI?

Also, how can the criminal fraternity seem to be able to set up money laundering accounts so easily when the rest of us have to provide identity and visit a branch etc.

Finally why do banks insist on using insecure means to contact people then blame the customer when it all goes wrong (and there's only ever one loser)?
By Flyingfemme
#1583717
I don't know the answers to the questions (but would like to) but I have been listed by a credit card as an "aggressive customer" and "unhelpful" because I would not do "security" when they called me. Still refuse to play with security theatre if anyone calls me. Makes life difficult but has kept me safe so far. We have had credit card frauds but all, so far, sorted in our favour.
By Rob L
#1583728
PaulB, what is CLI? And therefore what are you Fisching for? :twisted:

I like your posts, but please explain non-standard terms.

ATB (All The Best),
Rob L
By PaulB
#1583733
Rob L wrote: PaulB, what is CLI? And therefore what are you Fisching for? :twisted:


It was aimed at Paul S (and anyone else knowledgeable about the technicalities of telecoms). It stands for Call(ing) Line Identification and is the technology that allows you to see the number that is calling you.

Apparently it is relatively trivial for those with criminal intent to make your bank's number show on your phone when they call. Just wondering why this is seemingly so easy and why banks aren't wise to this.
By fcalio
#1583763
It's all to do with Voice over IP (or VoIP).

Most things are going via IP these days because the Internet is ubiquitous and cheap to connect to. At some point the IP network and the PSTN (or POTS, if you prefer) meet.

Now... in order to interconnect between VoIP and the regular telephone network somehow, the IP address or VoIP SIP "address" has to get translated to a normal number. This is done via a gateway - something that is connected to both networks, provided by the VoIP Service Provider.

For inbound calls, the VoIP Service Provider can allocate a regular telephone number. All calls to that number will get invisibly routed to the user's VoIP address.

For outbound calls, in many cases, the VoIP equipment enables the user to specify what number to present as the CLI. The user can enter any number they like. There is no authentication.

This is why it is trivially easy to spoof any number one desires.
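For the gateway-side check fcalio describes as absent, an added example (my own, not code from any poster or from a VoIP provider): a gateway that only forwards a presented CLI if it is one of the numbers allocated to that trunk account, and withholds the number otherwise. The account id, numbers and SIP INVITEs are constructed for the example.

```python
import re
from typing import Optional, Tuple

# Constructed data: numbers the provider allocated to one trunk account.
# Account id and numbers are assumptions for the example, not real ones.
ALLOCATED = {"acct-42": {"+442071234567", "+442071234568"}}

# From: header of a SIP INVITE, e.g.  From: "Shop" <sip:+442071234567@host>;tag=1
FROM_RE = re.compile(
    r'^From:\s*(?:"[^"]*"\s*)?<?sips?:\+?([0-9]{6,15})@', re.I | re.M)

def presented_cli(invite: str) -> Optional[str]:
    """Digits the caller asks to present as CLI, in +digits form, or None."""
    m = FROM_RE.search(invite)
    return "+" + m.group(1) if m else None

def screen_cli(invite: str, account: str) -> Tuple[str, Optional[str]]:
    """The gateway-side check the post describes as missing: forward the
    presented CLI only if it is one of the numbers allocated to this account.
    Returns (decision, cli) with decision in {'allow', 'anonymise', 'reject'}."""
    cli = presented_cli(invite)
    if cli is None:
        return ("reject", None)            # no usable From header
    if cli in ALLOCATED.get(account, set()):
        return ("allow", cli)
    # Claimed number is not the account's: present the call as withheld instead,
    # so a bank's number cannot be shown from an unrelated trunk.
    return ("anonymise", cli)

# Constructed INVITEs (abridged), as a gateway would receive them.
INVITE_OWN = (
    "INVITE sip:+441234567890@gw.example SIP/2.0\r\n"
    'From: "Shop" <sip:+442071234567@trunk.example>;tag=a1\r\n'
    "To: <sip:+441234567890@gw.example>\r\n\r\n")
INVITE_CLAIMS_BANK = (
    "INVITE sip:+441234567890@gw.example SIP/2.0\r\n"
    'From: "Your Bank" <sip:+448000000000@trunk.example>;tag=b2\r\n'
    "To: <sip:+441234567890@gw.example>\r\n\r\n")
INVITE_NO_FROM = "INVITE sip:+441234567890@gw.example SIP/2.0\r\n\r\n"

if __name__ == "__main__":
    for name, inv in [("own number", INVITE_OWN),
                      ("claims bank", INVITE_CLAIMS_BANK),
                      ("no From", INVITE_NO_FROM)]:
        print(name, "->", screen_cli(inv, "acct-42"))
```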
By PaulB
#1583768
fcalio wrote: It's all to do with Voice over IP (or VoIP). Most things are going via IP these days because the Internet is ubiquitous and cheap to connect to. At some point the IP network and the PSTN (or POTS, if you prefer) meet.


Thank you... I like what you did there (hyperlinking the abbreviations to keep Rob L happy! :-) )

If it is that easy (the spoofing, that is, not the linking), and the banks want to shut down branches do they need to put more effort in making it easy for the vulnerable (it's often the elderly who fall for these scams) to interact with the bank and be sure that it *is* the bank?
By Rob L
#1583777
PaulB wrote: ...to keep Rob L happy! :-) ...


Thanks :D Actually it's poorly-titled threads that make me really unhappy (as you know), but I'm taking therapy for that. So I need a new bug-bear to keep me wound up :wink:

Take care all.
By fcalio
#1583826
PaulB wrote: If it is that easy (the spoofing, that is, not the linking), and the banks want to shut down branches do they need to put more effort in making it easy for the vulnerable (it's often the elderly who fall for these scams) to interact with the bank and be sure that it *is* the bank?


It really is that easy. Some screen caps from my VoIP Service Provider's control panel:

[two screenshots of the control panel, not preserved]

The banks think security only works one way, hence they ring you up and say "I'm from The Bank, answer these security questions". This is idiotic and needs to stop. Equally, more people need to be aware that CLI is not entirely trustworthy.
By PaulB
#1583835
fcalio wrote: The banks think security only works one way, hence they ring you up and say "I'm from The Bank, answer these security questions". This is idiotic and needs to stop. Equally, more people need to be aware that CLI is not entirely trustworthy.


Absolutely.... this needs repeating, so I have!

At the other end of the scale the banks seem unable to stop criminals opening accounts at will and spiriting money away never to be seen again. They are however very good at making innocent customers' lives very difficult - it took months to stop HSBC[1] demanding ID documents from my 88 yr old mother that she didn't have and who had had an account with them for > 30 years and whose only income was state pension.

[1] They did eventually stop and apologise.
By Colonel Panic
#1583910
PaulB wrote: Finally why do banks insist on using insecure means to contact people...

What gives you the impression that they do***? :roll:



*** unless, of course, you class Royal Mail as insecure, which TBH it is!
By PaulB
#1583917
Someone suggested in the radio prog that if people have an app on their phone why does the bank need to use SMS.

It was also suggested that, as the Government was suggesting that messaging services like WhatsApp were full of criminals because the encryption couldn't be broken (yet), why do the banks not use that? That leaves open the question as to whether it's possible to make a WhatsApp message look like it's from someone else.
By Paul_Sengupta
#1584044
Not all erroneous communication is sent by hackers though.

http://www.bbc.co.uk/news/world-us-canada-42677604

Governor Ige said human error during one of the thrice-daily shift changes at the state's Emergency Management Agency (EMA) was to blame for the false alert.

"It was a procedure that occurs at the change of shift where they go through to make sure that the system, that it's working. And an employee pushed the wrong button," he explained.

"It was an inadvertent mistake," said EMA administrator Vern Miyagi. "The change of shift is about three people. That should have been caught... it should not have happened."
By GAFlyer4Fun
#1584095
So far I have resisted giving any bank my mobile number so if I get any call or SMS purporting to be from a bank I instantly know it is not the bank.

I know 2 factor authentication is increasingly popular but that was not enough to protect McAfee, who became the victim of a (Twitter account) hack and consequently disabled 2 factor authentication.
http://www.bbc.co.uk/news/technology-42502770


Some financial institutions allow the user to set up a random picture / phrase of their choosing that the financial institution includes in their electronic communication to give more confidence it is genuine. For that to work it assumes the financial institution computer system never gets hacked to reveal that information.
It also needs the customer to delete all old electronic communications that include the picture/phrase otherwise it will be revealed by someone hacking into the personal device email/messaging.

Generally good practice to delete all old messages that have a direct logged in link to any kind of account since those links can be used to change your account details.
By Colonel Panic
#1584097
People do seem to get very wound up by all of this. Maybe I am belittling the issue, but as I see it so long as you ring fence your accounts (different & complex passwords) & remain alert to being phished the chances of actually losing anything are remote in the extreme.