
Arrgh! Con artistry hits work

There is an old-school type of fraud, conducted by phone, that's the old-world equivalent of the "phishing" emails you get all the time. You know the ones I mean--the emails that say "There has been a problem with your online banking/your online PayPal account/your eBay account/whatever, please click here to confirm your identity." And then you click there, and you're taken to a Web site that looks like your bank site, or PayPal, or eBay, and you type in your bank account number or your username and your password, and Wham! You've just given your information to Russian organized crime!

The old-school variant is the same thing but on a more personal, more individual level, from con artists who believe in age-old, hand-crafted fraud, not this soulless, mass-produced fraud we see so much of today.

In the old-school, hand-crafted variant, the con man calls you up on the phone and says "Hi there! I'm John from Bank of America. Bad news! We think someone just tried to use your bank account fraudulently! Did you just order $2,000 worth of rare wine to be shipped to an address in Hong Kong?"

And you freak out and your heart starts pounding and you say "No! No, I didn't! Oh no! What do I do?"

And he says "Relax, don't worry, we thought it was fraudulent, we've put a freeze on your bank account." And then you're all like "Phew! That was close!" while visions of bounced checks and ruined credit dance in your head. And then he says "OK, we'll reverse the charge and unfreeze your account. For security, we need you to confirm that you're the real bank account owner. What's your social security number? What's your bank account number? What's your debit card number? What's your PIN?"

And he's hoping you're so freaked out that you'll just gullibly tell him.

This kind of fraud fell out of favor a while ago when folks invented caller ID, because (a) the con man doesn't want to give out his caller ID number and (b) people get suspicious when they get calls that are supposedly from the bank but it says "caller ID blocked."

They're making a comeback, though, now that faking a caller ID number is cheap and easy. The number you see on your display is supplied by whoever originates the call, and the phone network passes it along without checking it against anything. So the con man loads a fake number into a gadget or computer program that sets it for him. Usually it's a random 1-800 number that is not really the bank's: an 800 number because people think "oh, if it's coming from an 800 number it must really be my bank!", and not the bank's real number because the con artist doesn't want folks calling the bank to confirm the story.

So today, apparently there's a con artist who's rapid-fire calling dozens of potential dupes...

...and is forging our phone number on his caller ID spoofer.

So folks are calling us (a LOT of folks are calling us) and screaming at us--"How dare you try to get my bank account number, you motherless sons of flea-infested goat herders!"

They are savvy enough to realize that the call is a dupe, but gullible enough to believe that the number they see on the caller ID is actually the number that the con artist is calling from.

*headdesk* *headdesk* *headdesk* *headdesk* *headdesk* *headdesk*


( 9 comments — Leave a comment )
May. 6th, 2009 09:52 pm (UTC)
Oh, lord. I got one of those a few weeks ago, telling me that my debit card had been blocked for online purchases and asking me to call "The Security Department" about it.

Fortunately, I bethought myself and called my credit card issuer instead, to politely inquire if this were indeed the case. I got as far as "blocked" and she chimed in with "...for online purchases. You didn't give them any information, did you?"

I hadn't, and I had a new phone number for her to add to the security investigation, so we were both happy with the conversation.
May. 6th, 2009 10:19 pm (UTC)
Time to set your voicemail with a message that they need to call their personal bank's fraud department...and have your real callers (the ones looking for YOU) send a text message so you can call them back instead.

Then call the phone company...

Though you have probably thought of all of this on your own already.
May. 6th, 2009 10:21 pm (UTC)
It's actually pretty easy to fake caller ID. VOIP phones are expected to be honest and declare their caller ID, and the network doesn't verify.

You can also exploit this to listen to and change someone else's cell phone voicemail.
May. 6th, 2009 10:22 pm (UTC)
Or they're just too angry at the moment to be thinking clearly. No less frustrating to you, though.
May. 6th, 2009 10:31 pm (UTC)
They are savvy enough to realize that the call is a dupe, but gullible enough to believe that the number they see on the caller ID is actually the number that the con artist is calling from.

No. Not _gullible_, but lacking in knowledge. By pure coincidence my girlfriend asked me this weekend about how trustworthy caller ID was. She's well above average tech-savvy wise, but had no idea that caller ID could so easily be spoofed.

Ignorance != Gullible.
May. 6th, 2009 11:49 pm (UTC)
That's true. Mea culpa.

The gullibility, if there is any, is in the automatic assumption that the information we get by way of the various gadgets and programs we use is infallible. We do tend to make that assumption--if our email program tells us that this email is from Mom, then it is from Mom; that if our caller ID gizmo says the call is from thus-and-such a number, then it is; and so on.

I think it'd probably be helpful if, at a very early age, we trained people to be skeptical of *any* information given to us by *any* gizmo, gadget, or computer program. We learn early on (or most of us do) not to reflexively believe information given to us by strangers, but we don't seem to generalize that skepticism to devices and computer programs as well.
May. 7th, 2009 12:09 am (UTC)
I've noticed this before; data provided by the computer is sacrosanct and not questioned... even if the answer is bogglingly wrong.

Although, thinking about it, this isn't just in the computer realm. I disagree with your "don't believe strangers" statement. Urban legends are a variation on this theme. People tend to believe, as long as the source _seems_ plausible. How many people don't believe in the moon landing? How many people believed Obama was a muslim intent on destroying the American way of life?

Maybe this comes back to earlier discussions we had on story telling. People believe stories that fit into their world view and make them appear correct/good/justified in that view. Hmm... need to think on that.

Computers and gizmos are the ultimate in authoritative statements; you never see a caller ID unit saying "I think the call is from blah". It says "call from blah". That printout you just collected after the computer chewed on your problem for 30 minutes... it's an absolute statement.

In mathematics (I used to do that, many years ago) we were taught to sanity check our results; mistakes are easy to make. It takes _training_ to be sceptical. I agree with you that people need to learn similar skills for their everyday life; not just from gizmos but from _any_ source (computer, gizmo, TV program, newspaper, co-worker...).

Hang on... isn't that called "thinking for yourself"? Nah, that'll never catch on.

So, maybe, what this means is that user interfaces need to take into account people's inclination to believe stuff; rather than being "this is the answer!" a range of answers are given. Absolute statements are given caveats; "received information says call is from blah". I'm not going down the mega-legal-disclaimer path; I'm talking about understanding human limitations and working around them.

Hmmm... sounds like a PhD project for someone :-)
May. 7th, 2009 12:35 am (UTC)
Perhaps it would be as simple as making caller ID boxes say "This call is from thus-and-such (unverified)" or making Web browsers say "You are at Google.com (unverified)" unless the browser sees an SSL certificate and requested the page via DNSSEC?

In fact, that might be a good solution to the problem. If there is any way at all for any gadget's output to be manipulated, attach "(unverified)" to its output, whatever the gadget or the output might be. "This email is from your mother (unverified)". "It is 97 degrees outside (unverified)".
May. 7th, 2009 12:41 am (UTC)
Dunno if that would be a _solution_ to the problem, but it'd be a good initial step. Essentially that'd be exposing the "trust level" of the data to the user. It still allows potential trust attacks (yeah, I saw what you did with DNSSEC to support SSL :-)) but should, at least, get people thinking about the problem.

Until they get so used to seeing "(unverified)" on everything that they ignore it :-(
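As an added example (not part of the original post or any of the comments), the Python below shows at the protocol level what the post and the comment thread describe: on a VoIP call the caller ID is just a header the originating endpoint fills in itself, a receiving device that displays it is trusting whatever the originator typed, and the only way to show it as anything better than "(unverified)" is for a peer network you actually trust to vouch for it. It also implements the "(unverified)" labelling proposed in the comments above. The SIP messages, addresses, numbers and the trusted-peer table are all constructed for the example; the check assumes a gateway that knows which trunk (here: which source address) a message arrived on.

```python
import re
from typing import Dict, List, Optional, Tuple

# Constructed sample messages (every address and number here is made up).
# 1. What a spoofer's VoIP box sends: the From header says whatever it likes.
SPOOFED_INVITE = (
    "INVITE sip:+15555550100@gw.example.invalid SIP/2.0\r\n"
    "Via: SIP/2.0/UDP 203.0.113.7:5060;branch=z9hG4bK776asdhds\r\n"
    'From: "Bank of America" <sip:+18005550199@203.0.113.7>;tag=1928301774\r\n'
    "To: <sip:+15555550100@gw.example.invalid>\r\n"
    "Call-ID: a84b4c76e66710@203.0.113.7\r\n"
    "CSeq: 314159 INVITE\r\n"
    "Content-Length: 0\r\n"
    "\r\n"
)

# 2. The same number arriving over a trunk from a peer carrier that has a
#    trust relationship with us and vouches for the identity with
#    P-Asserted-Identity (RFC 3325), which only means something between
#    networks that trust each other.
TRUSTED_INVITE = (
    "INVITE sip:+15555550100@gw.example.invalid SIP/2.0\r\n"
    "Via: SIP/2.0/UDP 198.51.100.10:5060;branch=z9hG4bK8f3a2\r\n"
    'From: "Bank of America" <sip:+18005550199@carrier.example.invalid>;tag=77a1\r\n'
    "To: <sip:+15555550100@gw.example.invalid>\r\n"
    'P-Asserted-Identity: "Bank of America" <sip:+18005550199@carrier.example.invalid>\r\n'
    "Call-ID: 51b2c9e0@198.51.100.10\r\n"
    "CSeq: 1 INVITE\r\n"
    "Content-Length: 0\r\n"
    "\r\n"
)

# Hypothetical trust table for our gateway: peers whose assertions we accept.
TRUSTED_PEERS = {"198.51.100.10"}

# display-name (optional, quoted) followed by a sip:/sips: URI; we only need
# the user part, which for phone calls is the number being presented.
_NAME_ADDR = re.compile(r'^\s*(?:"(?P<name>[^"]*)"\s*)?<?sips?:(?P<user>[^@;>]+)@')


def parse_sip_headers(raw: str) -> Tuple[str, Dict[str, List[str]]]:
    """Split a SIP message into its request line and a header map.

    Header names are case-insensitive, so keys are lower-cased; a header may
    repeat, so each value is kept in a list. The body after the blank line is
    ignored here.
    """
    head, _, _body = raw.partition("\r\n\r\n")
    lines = head.split("\r\n")
    request_line, headers = lines[0], {}
    for line in lines[1:]:
        name, sep, value = line.partition(":")
        if not sep:
            raise ValueError(f"malformed header line: {line!r}")
        headers.setdefault(name.strip().lower(), []).append(value.strip())
    return request_line, headers


def _name_and_number(value: str) -> Optional[Tuple[str, str]]:
    m = _NAME_ADDR.match(value)
    return (m.group("name") or "", m.group("user")) if m else None


def claimed_caller(headers: Dict[str, List[str]]) -> Tuple[str, str]:
    """The identity the originator *claims*: the From header, attacker-controlled."""
    parsed = _name_and_number(headers.get("from", [""])[0])
    if parsed is None:
        raise ValueError("INVITE without a parseable From header")
    return parsed


def asserted_caller(headers: Dict[str, List[str]]) -> Optional[Tuple[str, str]]:
    """Identity a peer network vouches for, if any (P-Asserted-Identity)."""
    values = headers.get("p-asserted-identity")
    return _name_and_number(values[0]) if values else None


def naive_display(raw: str) -> str:
    """What a caller ID box effectively does: present the From header as fact."""
    _, headers = parse_sip_headers(raw)
    name, number = claimed_caller(headers)
    return f"Call from {name} {number}" if name else f"Call from {number}"


def labelled_display(raw: str, source_ip: str) -> str:
    """The commenters' suggestion: expose the trust level instead of asserting.

    The number is shown as asserted only when a peer we trust (by source
    address, standing in for an authenticated trunk) vouched for it AND it
    matches what the From header claims. A P-Asserted-Identity header from
    anyone else is just more attacker-controlled text and is ignored.
    """
    _, headers = parse_sip_headers(raw)
    _name, claimed = claimed_caller(headers)
    asserted = asserted_caller(headers)
    if source_ip in TRUSTED_PEERS and asserted and asserted[1] == claimed:
        return f"Call from {claimed} (asserted by trusted carrier)"
    return f"Call from {claimed} (unverified)"


if __name__ == "__main__":
    print(naive_display(SPOOFED_INVITE))
    print(labelled_display(SPOOFED_INVITE, "203.0.113.7"))
    print(labelled_display(TRUSTED_INVITE, "198.51.100.10"))
```

The check keys on where the INVITE came from rather than on what it says, because the spoofer can add a P-Asserted-Identity header just as easily as a From header; without a trust relationship with the originating network there is nothing on the wire that can be verified, which is exactly why the display defaults to "(unverified)".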