My bank keeps on undermining anti-phishing education
212 comments
·July 17, 2025TheFreim
diggan
Yeah, I think they don't have any people working on the full UX flow, my bank does similarly weird stuff.
The example that comes into mind is making transfers to my wife, where every time I do it, they ask me to confirm a bunch of questions to make sure it's not a scam/fraud, which fine, good idea. Once I confirm, they display another notice telling me they won't ask for a confirmation/2FA code because I make transfers to that account so frequently.
The only reason I can come up with why it is like that, is because there isn't a single person/group responsible for the full experience.
godelski
> I think they don't have any people working on the full UX flow
x0x0
The idiots at my former credit union apparently subcontract out their credit cards to some east coast bank, whereas my bank and I live on the west coast.
I saw some bank from Florida, that I'd never heard of, calling me on my cell. I assumed it was some sort of scam and ignored it. They're too stupid to get a phone number which has caller id set up to read the name of credit union with whom I did business.
Just amazing.
Gunax
Well, afaik caller id is actually unauthenticated and can be trivially impersonated.
Algent
The only time I ever triggered fraud detection system on my card I got a text message from bank that was "Your card is blocked due to suspicious usage, please call 'number'". And the number was also some random unlisted one. Only reason I didn't just ignore the thing is I did make a purchase on new website a half an hour before.
Called my local bank and they confirmed this was legit, I almost went off on a full rant about how bad their protocol is for this.
danieldk
One of my former banks handled this pretty well. They called you and would say something like “there is an issue, but since you should never trust a direct phone call pretending to be your bank, please look up our number on our website and call us”.
It’s kinda nice because while doing this, they also educate their customers to never trust such a call and to rely on official information to contact them.
OkayPhysicist
My credit union does the same but with "call the number on the back of your card". I suppose they have a lot of practice getting it right, given that their idea of a suspicious transaction is any transaction out of state.
JoshTriplett
That is a great demonstration of best practices. What bank was that?
jlokier
I've had the version of that where I called my bank's listed number to confirm the incoming "call us on this number" voicemail was legit, and they said NO, the call is not a legit number of theirs, the account looks fine, I was right to check, and they agreed it seemed like a scam call.
A few days later I found out the call really was from the bank, and the bank had blocked my account, in a way that took a long time to unblock (don't get me started...). As ever, I found out the hard way, when I needed to use the account for something in real-time and it wasn't available.
But the call was from a different department than general customer support, the department's number wasn't known to customer service, and the account status change wasn't visible to customer service either.
So the bank's own customer service thought it was a scam call!
rightbyte
Ye they don't follow their own rules. Once my bank called me for a insurance change I requested a month or so earlier and asked me to verify myself via the security dongle. Like, and then they act surprised when people are scammed.
ralferoo
Heh. 20 years ago when I was buying my house, I was arranging the mortgage through HSBC bank. One day I got a random call, started by asking me to confirm my name and date of birth. I asked them who they were, and they refused to say anything before going through security. I told them I wasn't giving them any personal details without knowing who they were, and they hung up.
A week later, I phoned up the bank asking why everything was progressing so slowly and they said I'd failed the security check, so the process had been paused. I explained what had happened, and how it was ridiculous that they expected personal details without even saying they were from the bank, which they seemed to agree with, but said that was their procedure so it was my fault for not complying.
Joker_vD
> that was their procedure so it was my fault for not complying
This is the most fascinating (infascinating? like, infamous/famous distinction? whatever) things about bureaucracies, to me: they sincerely expect everyone to follow their internal rules and procedures, even the people who are completely outside their jurisdiction by any stretch of imagination.
Like, "we require the application of your personal seal to the papers" — "Personal seal?.. we use signatures in this part of the world, you know" — "No, we don't accept signatures, it has to be a seal imprint" so then you just stamp some absolutely random rubber stamp and they accept it because even if they can't actually read Cyrillic, it's a stamp and that's all that matters.
nucleardog
Had the same thing happen with a debt collector. They would identify themselves, but seeing as their name was meaningless to me as we had no prior relationship, and even if I knew what they were calling about I had no debt I was aware of...
They were a _little_ more cooperative about it though.
"Hi this is <Person> from <ABC Inc.>. Can I start by confirming your name and date of birth?"
"Who is this?"
"<Person> from <ABC Inc.>. Can I start by confirming your name and date of birth?"
"No, you may not. What's this regarding?"
"I can't discuss that with you until you verify your identity."
"Okay, well I have no idea who you are so I'm not about to do that."
"Well, I can't tell you anything else until you confirm your identity for me."
"Okay."
"So can I get your name and date of birth please?"
"No."
"..."
"..."
"..."
"..."
"Can you tell me what _day_ in January of 1970 were you born?"
(Turns out the ISP did their usual ISP thing and failed to mark that I'd returned my modem when cancelling service a few months prior then told no one and sent it to collections. The debt collector was very adamant that I needed to set up a payment because this wasn't going away. I walked into one of the ISP's retail outlets, told them what happened, they sighed heavily because this comes up _constantly_ and called in to have it marked returned and I never heard from anyone ever again. The end.)
nmstoker
HSBC had famously terrible systems when I dealt with them for a mortgage years ago - they were so bad that the staff I spoke with pre-briefed me on the range of issues their website could suffer from.
The best was that certain sections were circular, so it would start to ask the same questions again but displaying answers prefilled in - yet it would arbitrarily forget particular (different) details on each loop, defaulting to values other than what you'd entered before, so there were only certain points you should exit the loop at, to be sure it would submit the right information!
On the plus side, despite their system woes, they had very competitive rates, so it was definitely financially worth spending another 20 minutes and accepting their idiocy!
ses1984
I had something similar happen to me except it was for health insurance authorization, for a regular treatment. So, every two weeks they would call me and ask me for personal info, and refuse to explain who they were or why they called until I gave it to them. Every two weeks I would try to explain how dumb that was. No direct call back number, of course.
hinkley
These are largely outsourced which is why they are so terribly integrated with your bank's main phone tree.
Mine actually tries to ask for PII and I tell them to kindly fuck right off and go to my bank website and ask them what the fraud number is.
SketchySeaBeast
It's fun when you phone the bank's regular number, waiting hours to get someone on the phone, and they say that number isn't legitimate when it actually is.
Even better when it's a bank you don't use and the number on their site goes to an automated system that won't let you access it without an account number, so you have to scrounge for alternative phone numbers to get to talk to someone.
anonym29
last digit +/- [1-9] usually isn't a bad place to start for larger institutions
aitchnyu
They could have published the procedures/numbers online. IME companies decided that publishing notices/articles on the web, setting up subdomains and modifying apps are expensive projects. That leaves only noreply@bank.com for communication.
vorador
It could also be misguided security guidelines – because of things like caller id spoofing where scammers would spoof one of their actual numbers to lull people into a false sense of security
godelski
Not a bank, but Apple Mail inline displays PDFs. I've been getting these PayPal Bitcoin scam emails lately and checking from Apple Mail they look legitimate. Problem is, I don't have a PayPal account...
In Gmail or Thunderbird they don't just show the PDF and since they display the sender differently it makes it obviously a scam.
Sometimes it feels like companies are just helping scammers and I don't know why.
lcnPylGDnU4H9OF
> Sometimes it feels like companies are just helping scammers and I don't know why.
There's a lot of similarities to scamming and marketing. In particular, they both have essentially the same desire for well-designed messages.
bearjaws
This is especially annoying when I have their app installed, if the app popped up warning me of fraud, I would trust it far more than a random phone call.
RandomBacon
My bank has implemented suggestions I've given them in the past (USAA), but recently they used a different domain for a legitimate-seeming email (the email was about something I just did, and it was to an address I only use with that bank), and I called them up and spoke with someone in their fraud department to ask about it. I told them either they were hacked, or they were training their customers to fall for phishing, and asked them to create a ticket.
They said that domain name was not theirs, and they only use usaa.com in their emails. They locked my account without telling me. I had to call them back to get them to unlock my account, and I think that person in their fraud department understood the issue and they said they created a ticket.
We shall see...
kakuri
I interviewed for a software engineering position at USAA. After seeing the incompetence of the interviewers none of the nonsense they do surprises me.
unethical_ban
I worked in IT ops there for a long time, and since then have seen the inner workings of companies in several different fields.
They had by far the most competent cybersecurity group I've witnessed. Things have changed in a decade maybe.
But, they still use proprietary TOTP from Symantec which is annoying.
RandomBacon
> But, they still use proprietary TOTP from Symantec which is annoying.
They at least used to, but I'm not sure they still do.
(And when they did, I was able to copy the key into a MFA app of my choice.)
But now as an end-user, it's all built in to their own banking app. I don't use the code from the app though, because I just use my personal 4 digit pin (after entering in my unique password from my password manager).
freedomben
Yeah I've never worked there, but been a customer since 2005. For many years there, USAA was really cutting edge of tech and highly competent. The system has slowly gotten a little less usable though, but at least it still works most of the time
pyuser583
When buying or selling a house, this can get really bad. You have all sorts of entities which extensions of other entities. The bank has a mortgage sector which uses a different domain.
I also had to deal with a medical device recall, which was terrible. I had to trust some skeezy domains.
This isn't hard to fix, all you need to do is list on your website your "partner domains."
My personal security protocol was to search a .gov website for contact info of financial institutions, go to the domain listed, look for a customer service number, and call that to find out what domains to trust. Customer service people thought I was weird.
At one point, a customer service person said, "you know it's legitimate because if you go to LinkedIn, you can see the person you're dealing with has <Bank Name> listed as their employer."
AnimalMuppet
> At one point, a customer service person said, "you know it's legitimate because if you go to LinkedIn, you can see the person you're dealing with has <Bank Name> listed as their employer."
"Yeah? Give me two minutes, and mine will say the same. So, will you give me your personal info?"
astura
>When buying or selling a house, this can get really bad. You have all sorts of entities which extensions of other entities. The bank has a mortgage sector which uses a different domain
Huh? I got my mortgage thru a mortgage broker and I only dealt with a single person.
pyuser583
I did the first time too, and he screwed us. We realized we could get a mortgage just fine without a broker.
Domain insanity aside, or course.
I have a strong anti-mortgage-broker bias. Mostly because of that one bad apple.
0x5FC3
User facing tech and marketing practices at banks are the worst. Every Indian bank login form I've ever had to use is
- hostile to password managers.
- You cannot copy paste passwords.
- Client side password hashing
- Stupid requirements like the password cannot have more than 15 characters and even have a whitelist of character sets! (Looking at you HDFC)
- And of course, run of the mill spam
They are all stuck in the early 2000s.
vladvasiliu
> cannot have more than 15 characters
That's something! My bank insists on exactly 6 numbers. Not characters, numbers.
They're also hostile to password managers and don't allow copy/paste. You have to click on the numbers with your mouse.
"My security" is very important to them, so they've moved 2nd factor from a physical fob, to an app tied to my phone, and now they've improved it further by switching to sms!
Now, this isn't some neighborhood mom 'n'pop bank, but the biggest or second-biggest bank in France.
SoftTalker
> My bank insists on exactly 6 numbers. Not characters, numbers.
When I see this kind of thing I suspect that it's a web app that's simply a proxy for some mainframe screens that were written in the 1990s (or earlier).
meindnoch
I bet it's actually a set of solenoid actuators physically typing into a 90s terminal.
tzs
I remember at least one major US bank saying that the reason they only allowed short passwords was indeed that it was the limit for login passwords on their mainframe.
I was sure this was complete bullshit because even if everything is handled on the mainframe a user using their online banking would not be logging on to the mainframe. The online banking password is a credential for the bank's application(s) that run on top of the mainframe's system software.
When a new customer signed up for an account the bank would not create a new mainframe user account for that user. A bank customer account would just exist in the bank's database and would be completely independent of actual mainframe user accounts. If the online banking password needed to be stored on the mainframe it would be in one of the bank's tables, not wherever that mainframe's system software stores password.
I mentioned this somewhere and someone who actually worked on bank systems commented that some banks actually really do have a mainframe user account per bank customer account.
I think that doesn't actually change my point that blaming a short online banking password limit on mainframe system software limitations is complete bullshit.
Users are not asked for their password when they use non-online banking, such as at ATMs or through a teller at the bank. This shows that the bank does have interfaces that allow performing all the normal functions a customer needs to do without the customer needing to supply a login password.
Online banking is going through a web server. They web application should be using those interfaces that don't require a customer mainframe login to work. The password the customer supplies to the web interface should be a credential for the web interface and be completely separate from any mainframe login password.
GuB-42
As I understand it, the thing with "click the number" codes is that it is a protection against keyloggers. The numbers are usually scrambled and when you click on it, you don't send the code but the position of the numbers you clicked. So for someone to get your code, you need both a screen capture and the position of mouse clicks.
So 6 digits is low entropy, but it is compensated by a few layers of security. I don't know in practice how effective it is against passwords. I have seen it done in several banks, insurance companies, etc... including online banks. So I guess that it is not that bad. Most discourage SMS/email second factor in favor of their apps though. The physical fob is probably a hassle for them so they will try to push you to other solutions, usually an app.
LorenPechtel
Yup, keylogger defense. I've seen a system with a full virtual keyboard to let you type anything without hitting a key--explicitly as a security measure. Fixed keyboard, though, I've never seen one with randomized targets. Capturing everything would be an awful lot of data for malware to export so I don't think screen capture is much of a risk.
jszymborski
Royal Bank of Canada (at least until recently, haven't been a customer for a while) just silently truncates your password. Discovered this when I thought I saw the number of masked characters go down, and then entered my password with one less character and logged in. (This was on mobile)
thmsths
I wonder if it's because they look at security more globally. Their actions probably keep lowering security for people who understand the risks and are willing to take the extra steps to protect themselves but on the other hand they probably drive up adoption of some extra security for most other folks. Or if you want to be less charitable: they were tired with dealing with support calls from a lot of tech illiterate people and decided to just sacrifice security.
vladvasiliu
I'm sensible to these considerations.
But I don't see how a JS applet where you need to click on a bunch of numbers in plain view of whoever is curious to look over your shoulder helps with this. People have to type in their customer number in a regular text field anyway, so why not use the same thing for the password?
dbetteridge
Worstpac?
ThePowerOfFuet
SG?
vladvasiliu
BNP. I used to have an account with Boursorama (which belongs to SG) and they also had the point-and-click number thing, but I think the code was a bit longer.
sometimes_all
There was some brouhaha a few weeks ago when someone posted a screenshot on reddit about an Indian public sector bank's app refusing to run because a user had installed Firefox, and according to that bank, was a "malicious app that could steal user data".
Indian banks and many of the government websites are some of the most user-hostile things out there. Once upon a time, I used to think this was primarily to deter malicious actors from preying on tech-illiterate users, but given that the banks don't want to use all the tools/frameworks out there which help websites be both secure and user-friendly, I've changed my opinion.
ryandrake
It's insane that any rando app on your device can have access to the list of other apps installed on your device.
never_inline
There's a certain Indian public sector banking app which won't run at all unless you give it camera, full filesystem and some other crucial permissions.
I have not received any spam similar to the OP from my bank. But it seems (at least the popular belief) the lower level employees regularly leak your account details to scam callers.
yonatan8070
Yeah my bank requires me to reset my password every 180 days, only accepts passwords from 6 to 11 characters, and has a whitelist of valid characters. All this leads to a situation where I want to sign in, I'm then prompted to reset my password, but the autogenerated passwords from Firefox don't actually work because they are too good, so I switch to a terminal to make up a custom password to their rediculus requirements.
ddejohn
> Client side password hashing
Forgive my ignorance, but what's wrong with this one?
mnw21cam
If the hashing is done on the client and then sent to the server, then the server is effectively just processing as a plaintext password. If an attacker gets hold of the server password database, then they can just connect to the server and pretend to be the client and hand it the hashed password that they read from the database breach.
If you hash the password on the server instead, then if the password database is breached, then an attacker needs to actually reverse the hash[0] and find the original password in order to log in, because that's all that the server will accept.
[0] Note, this should be difficult[1] [1] In crypto, "difficult" should mean "impossible before the end of the universe"
hahn-kev
No it's not. Did you ever think that you can hash something twice? Hash it once on the client, then hash and salt it server side, like normal. It means that the server never actually knows your password, but that's about all it gives you.
eldaisfish
Indian banks and their websites are likely among the worst in the world. The fact that many situations require printing forms, dealing with SMS-based 2FA, multiple passwords, sometimes with different requirements… I’m not surprised that many Indians still prefer the hassle of visiting a branch.
sometimes_all
The branches are worse. Staff rotates _constantly_. Most of the new ones don't know anything, including most straightforward things people go to branches for. Almost everyone from the tellers to the branch manager is mandated to upsell/cross-sell something or the other, and in the most non-transparent way possible (so that the right people get the commission). Need a bank locker? Jack up your savings account balance. Need a credit card? Get a unit-linked insurance plan, else don't waste our time. A couple of tellers will start calling random people to sell things (in direct violation of central bank rules).
0x5FC3
I assure you, dealing with the staff at the bank is different ball game altogether.
I had to write 3 different "letters" (paper pen) to have a phone number typo (on their part) corrected.
never_inline
Indian government's websites (eg: IRCTC train booking, exam registration portals) are worse IME.
TimTheTinker
The naive people in decision-making positions often don't realize the risks involved in their behavior until they or someone near to them gets hurt -- in this case scammed or sued.
We used to have a lot of people like this running businesses in the US before roughly 2012, but white (and black) hat hacking began spreading quickly and made generally short work of the problem.
stantaylor
I used to work for a financial services company that had a strong and well-managed security culture. The company got acquired, and afterwards, we kept getting emails from third parties for various things, all supposedly initiated by execs/groups at the parent company.
We employees of the acquired company discussed the emails in Slack: we were sure that these emails were legitimate, but acting on them would have broken our security policies, so we all decided to all report them as phishing attempts. We understood that we were engaging in malicious compliance, but our actions were also a best practice, so we couldn't technically be criticized for it.
After a while of this, execs at the parent company would send out sometimes exasperated-sounding emails ahead of time, alerting us to the email that we should expect to receive and how they wanted us to respond. Of course, that led to discussions of how we know that that pre-email emails were legitimate. After a while, we all lost interest in this malicious compliance and adopted the much laxer security culture of the acquiring company.
x0x0
I had to fire the MSP I hired because they needed to install some software on everyone's computer, so they sent a company-wide email, with no clearance from anyone, directing approximately 40 people to open terminal and paste in a string sent in that email. Along with instructions on how to open terminal.
The absolute last thing anyone competent does is train employees to receive communications like that in email and follow them. If they'd asked for 3 minutes at an all hands to prep employees, or announced in slack, or something similar then ok. Or some out-of-band announcement that this was legit.
bunderbunder
I also suspect that the social dynamics of these kinds of organizations make it difficult for the right people for making these kinds of decisions to rise to the right positions for making them.
There's almost a catch-22: setting good, effective policies tends to involve a lot of telling people "no". And it's hideously difficult to do that without ruffling the feathers of people who control promotions.
TimTheTinker
Yeah, fear of consequences (due to something bad happening) seems to be the only way to both motivate and justify adopting more secure practices and policies.
AnimalMuppet
"Let me explain why that would be a career-limiting mistake for you..."
Mtinie
Considering that on paper these businesses all have employees serving as CISO, EVP-, SVP-, and many, many Directors of Security, I find it highly unlikely that the accumulated experience of the people and their teams results in decisions like this. It's hard to distinguish incompetence from malice in many situations but calling them "naive" seems to be indirectly excusing customer-hostile behavior.
It doesn't make any sense to me because it's expensive to make sure your company's services are secure, but it's also expensive to not be secure. Perhaps it's less expensive to not worry about it because the loss-of-customers impact on revenue are still under the cost of doing it right. If that's the case it's a sad state for all of us.
TimTheTinker
The example given in TA seems to be a straightforward case of institutional naivety (banks doing stupid stuff that confuses customers and makes them prone to potential identical-appearing phishing attacks) -- for which the only solution is for decision makers to be convinced that something needs to change.
I don't know of anything that can convince a group of leaders making money and doing fine to change besides fear. Perhaps the US with its lawsuit-happy culture helped propel such changes more quickly than in Western Europe.
meindnoch
My bank used to call me with random marketing crap, and insisted on telling them my birthday and my mother's name before they can reveal their latest exclusive offer or some other crap. They were always dumbfounded when I retorted that it is them who need to prove that they're really calling from my bank first.
criddell
When a random call asks me to confirm some information, I always reply that I'm not going to share any personal information because I have no idea who they are. Half the time, they just hang up, the other half of the time they launch into the sales pitch.
s3p
I have this happen all the time in healthcare. I had someone from a specialist office call me and immediately ask me for my date of birth. Their surprise when I said no was incredible. But I agree with you, if THEY are the ones calling, they need to prove their identity.
LorenPechtel
I've got one that their phone robot says it's a message from my doctor's office, does not identify the office. Almost dismissed it as garbage, then realized it could be related to an upcoming appointment. And it's not even really right--unspecified doctor of mine would be my PCP, not the specialist.
Unfortunately, the medical world is caught between a rock and a hard place in this case. Can't give any info to anybody but the patient--which means they can't identify themselves when they call as the practice name directly reveals their specialty, or the doctor (google will reveal their area of practice.) And the office that's doing this is an area where some patients would want it confidential.
I think maybe it could be resolved by having the medical world go to a correct horse battery staple model--on first contact you're given a set of random words that will be used as an identifier for future contacts. Each patient gets different words so all anyone else can infer is that it's a medical provider.
I much prefer the places that go with don't leave a message/leave a brief message/leave a detailed message. No need to add security to situations that don't need it.
Tade0
My bank eventually understood this, which is why currently you can check in the app whether on their end they're seeing that you're talking with their sales rep and which one specifically.
fsflover
Forcing you to use the app isn't the best solution. I bet they only have apps for just two mobile OSes, don't they?
null
ccorcos
I’m always surprised that banks don’t have a better way of authenticating themselves to their customers (Chase and Vanguard, in particular).
They call, they say I can call back and wait in a queue, but that’s stupid.
Also crazy they don’t have a TOTP (e.g. Google Authenticator)based two-factor authentication. It’s just way more secure than email or phone number.
clarkdale
I see Conway's Law at work here. The marketing department must have its own IT department separate from the IT that maintains the core website and business functions. It's impossible for them to get on the same web domain (much less build something in the phone apps). Instead, they built their own disparate site and experience.
this_user
It gets worse. These German "Sparkassen" are small to at most medium sized credit unions. They are organised in a larger umbrella organisation that takes care of some of the services like IT, but the individual banks can pick and choose what and how much they want to handle themselves.
Some of them are larger and pretty well organised, but there are also a lot of small ones that just don't have the people and expertise for things like proper IT security practices. But customers trust them, because they position themselves as these local neighbourhood banks, even though most of them are pretty incompetent and will rip you off with high fees on accounts and shitty, underperforming investment products.
phendrenad2
> So the next idea is to register the domain as a subdomain
I think the problem is, someone in the IT department understands the high risk associated with handing out subdomains, so they refuse to do it. So other parts of the company "work around" this by registering their own domain name.
I wonder how companies like Google handle this. A subdomain of google.com is probably the most valuable hack target in the world, but google does use subdomains occasionally (...or maybe more than occasionally! https://gist.github.com/abuvanth/b9fcbaf7c77c2954f96c6e55613...)
mike_hearn
Nearly. It almost certainly never even touched IT.
The issue is that marketing is organizationally separate from IT and doesn't want to interact with them. IT is probably behind a slow, outsourced ticket based process and will take weeks to do a simple thing. They may also have random opinions about stuff marketing doesn't want them to have opinions about. So building out promos like this is delegated to SaaS services or contractors who also have no relationship with corporate IT. Then nobody in marketing really knows or cares what a subdomain is, because everything they do is just searching Google or clicking links. They never look at the address bar because it's always full of meaningless junk so why would they or anyone else care what's in it?
Anti-phishing training doesn't make sense, when you look at how people really use the internet. Not many people look at the actual text of a URL. The best anti-phishing training is "go to google and type what you're looking for, only click links from there" and not "carefully examine the domain name to try and intuit if it's owned by the organization you think it is".
cyberbanjo
Have you tried what you're recommending without an ad block extension recently?
mike_hearn
I never use adblockers, so yes.
LorenPechtel
Doesn't need to be IT being slow. I've seen it happen--we warned the guy to talk to us before putting up the new website. Admittedly, I was on the other side of the world and only reachable by e-mail, but the other guy was there in his office.
I don't know if he ever truly understood how he took out all company e-mail for nearly a week.
And trust links from Google? Keep up with the times! Sometimes the first hit is the scammers.
Rygian
For me, the money shot is Chapter 4: the bank needs to be held legally accountable of gross negligence for sending phishing-resembling emails to customers.
nmstoker
A friend told me about a company where the CISO instigated security newsletters aimed at staff to build up their experience on such topics, yet the newsletters were emailed from an external email and contained links to a hosting site that wasn't related to any of the employers regular website domains and like this case would often come across as a phishing attempt, especially when they ran competitions (apparently they appeared too good to be true, as friend's employer was famously tight!)
mnw21cam
Every weekly newsletter I get at work is sent from an external spam-sender, containing links to an external hosting site that have a unique ID for tracking clicks. Those links are then munged by Outlook which makes them hard to identify. I searched on the company web site for any confirmation that the external sender or external hosting site were legitimately being used by the company and found none, so I refuse to click on those links. I should also report them as phishing scams really.
massung
I use USAA for banking.
Something they do when they initiate a call to me on the phone is they start by making sure they are talking to me (they don’t ask me to prove it) and making sure I have the app on the my phone or access to a web page.
Then they initiate a MFA check within the app. I have to get it and read back a number. Then they ask me for my phone PIN or password. Once that’s done, then we can start talking.
mnw21cam
That is a really bad idea. That's letting anyone who phones you prove to the bank that they are you.
You should only reveal an MFA code to someone that you have called, knowing that it is the right person.
massung
Walk me through the chain you’re thinking of. I want to understand it better.
If you’re thinking that - for example - someone is attempting to log into my account online and simultaneously call me pretending to be the bank. They are presented with an MFA check and tell me they initiated it. I give it to them unwittingly, and note they are in.
My understanding is that isn’t possible here, because this “MFA check” is different than the login one. The login one is the “Google Authenticator, 6 numbers”. This is a different code entirely. Obviously I didn’t specify that in the original post. My bad.
If that wasn’t what you were thinking and you can think of how this fails, I need to know and learn more!
tempnew
The scammer calls the bank rather than trying to login. When calling, they will be asked to verify with info and the code which they will get from you. Think mitm but telephone based. The verification info (maybe just a zip code or last 4 of ssn or something publicly available) can be acquired beforehand so they only need the code to be relayed. Obviously they have to get the timing right, so you might be on the phone for a few minutes before they find a reason to ask for the code.
renewiltord
Well, if I wanted to get into your account, apparently I just call the bank and then call you. Any time they ask me something I ask you the same thing and pass it along to them, and you'll faithfully tell me. They trigger the codegen and ask me to read it back and I ask you and you happily tell me. Then I "confirm your account is safe" to you, and continue my call with the bank except now I've authenticated as you.
BobAliceInATree
You're giving a MFA number to someone that called you?!
GolDDranks
The bank I used to use had a per-verification request code that the app showed. If the party dealing with you knew the code, you could be sure they were the party who initiated the verification request.
LorenPechtel
But you said you read back the code. It should be the other way around--*you* compare the code they give you with the code the app gives you. Give zero information until identity is confirmed.
ainiriand
That's really not safe...
My bank uses a fraud detection system that calls you if suspicious activity is detected on your account. It then asks you to call back a number to verify the account activity. Every time they call, they provide a different callback number. Searching for the callback number online yields only one result, which is the fraud detection systems web page telling you to NOT trust phone calls of any kind (their advice is solid, but it tells you to not respond to their own legitimate calls)!