this post was submitted on 15 Mar 2024
209 points (97.3% liked)

Technology

59534 readers
3195 users here now

This is a most excellent place for technology news and articles.


Our Rules


  1. Follow the lemmy.world rules.
  2. Only tech related content.
  3. Be excellent to each another!
  4. Mod approved content bots can post up to 10 articles per day.
  5. Threads asking for personal tech support may be deleted.
  6. Politics threads may be removed.
  7. No memes allowed as posts, OK to post as comments.
  8. Only approved bots from the list below, to ask if your bot can be added please contact us.
  9. Check for duplicates before posting, duplicates may be removed

Approved Bots


founded 1 year ago
MODERATORS
 

I was tricked by a phone-phisher pretending to be from my bank, and he convinced me to hand over my credit-card number, then did $8,000+ worth of fraud with it before I figured out what happened.

you are viewing a single comment's thread
view the rest of the comments
[–] nivenkos@lemmy.world 26 points 8 months ago (4 children)

The real answer here is to have decent digital ID as 2-factor authentication.

This scam would be practically impossible in Sweden with BankID for example.

[–] kernelle@0d.gs 28 points 8 months ago (2 children)

Adding multiple factors to authentication just adds another step to the scam, it doesn't make it impossible by any means.

[–] nivenkos@lemmy.world 20 points 8 months ago (2 children)

For BankID it somewhat does, because only registered services can make the request - so they'd need to register a scam service and then use that. Which also makes it an easier job for anti-fraud police.

So it'd be a lot more complicated.

Like obviously at a certain point if someone is willing to do everything they can - then they will be scammed, see this for example: https://www.bbc.com/news/uk-england-leeds-67208755

But the more steps there are, the higher the chance the person realises it is a scam.

[–] prole@sh.itjust.works 8 points 8 months ago* (last edited 8 months ago) (1 children)

For BankID it somewhat does, because only registered services can make the request

I'm not an expert on digital banking, but this sounds like a no-brainer... Aside from marginally increasing compliance costs, why would this not just be the norm everywhere?

I mean... It was rhetorical. I know why.

[–] nivenkos@lemmy.world 7 points 8 months ago

It kind of is the norm.

Just a few countries like the US are really backward in terms of accessible banking - mainly due to having no federal ID, residence registration, etc. too on top of outdated bureaucracy.

[–] kernelle@0d.gs 4 points 8 months ago

"A chain is only as strong as its weakest link" - We are the weakest link in any security chain, and always will be. Social engineering is one hell of a drug.

[–] TORFdot0@lemmy.world 11 points 8 months ago

It doesn’t matter how many locks you have if you give the scammers the keys. And so many people give up the keys

[–] logicbomb@lemmy.world 25 points 8 months ago (2 children)

Another thing is that I feel like the era of the private phone number has passed. I see the use case for phone numbers for businesses, but people just don't use them very much anymore otherwise.

Like, we don't memorize them. We don't dial them. They're just entries in our contacts.

At this point, we could create an alternative way of contacting private phones. Something based on whitelisting instead of blacklisting. Something that can be easily shared but not easily guessed. Something that would be easy to trace who called you.

All of these phone scams rely on the idea that a stranger can just up and contact you without any effort. It's ridiculous. If we got rid of that, we'd save people from untold billions of dollars of scams almost instantly.

[–] nivenkos@lemmy.world 8 points 8 months ago

Yeah, my ex was scammed this way too - exactly like Cory describes, they happened to ring right as she was going through the whole visa and tax process and pretend to be regarding the IRS, etc. and since she was dealing with a lot of similar calls it was an easy mistake to make.

More services available online and e-mail communication makes this a bit better.

[–] rottingleaf@lemmy.zip 3 points 8 months ago

PSTN is easy for surveillance to be just replaced with a modern system.

It is also relied on by business models of many things, like WhatsApp and Telegram and what not.

The something you are talking about seems suspiciously similar to the Internet with cryptographic IDs.

[–] 0x0@programming.dev 2 points 8 months ago (1 children)

He gave them his CC number over the phone. How would Sweden's BankID protect against that?

[–] nivenkos@lemmy.world 4 points 8 months ago

More that you'd never need to provide it, but many transactions will also require 2FA, even by the credit card.

[–] gian@lemmy.grys.it 1 points 8 months ago (1 children)

I think this is true in most of the EU banks.

[–] nivenkos@lemmy.world 1 points 8 months ago (1 children)

Spain and the UK have no real digital ID (Spain has some horrible Java certificate based system, but you can't use it for much). I think Germany's digital ID is in a similar position too although it's been many years since I lived there now.

The UK is in the same position as the US with no national ID or residence registration at all.

Only the Netherlands, Finland and Scandinavia really have it sorted out for banking and government services.

[–] gian@lemmy.grys.it 1 points 8 months ago

Wait, I was talking about the fact that most EU bank (if not all) need to have a two factor authentication system in place, which limit a lot what a scammer can do.
In this case I think that a scam like this would not be possible or at least it would be stopped in the moment the bank app would ask to confirm what I am supposedly doing.

A national digital ID system is nice (in Italy we have the SPID), but it does not limit anything if you really can do everything with just the credid card number.