Really Clever Bank Card Fraud - Schneier on Security

Eric Riley • July 30, 2013 7:55 AM

When I get something (by email) asking me to check into an online account, I never follow the link, but instead open a new window and look for the corresponding message via their website (or check whatever account item needs to be checked).

I have never been called by my credit union, nor any bank for any reason – I like to think I would be too suspicious, but I probably wouldn’t have been. Now, however, I’ll do effectively the same as I would online; hang up and call the institution back and ask about it. (In the unlikely event that anyone tries this particular scam on me…)

I wonder also – since we don’t (and haven’t for years) have a landline, how would this work with cell phones?

David • July 30, 2013 7:56 AM

Need to be on a really old POTS switch.

David • July 30, 2013 7:58 AM

I have been called but only to verify one or two transactions, full stop. As in, “Sir, did you charge $X and ThisPlace yesterday and $Y and SomeWebSite this morning?”

No information asked of me other than “Yes” or “No.”

Tom Stone • July 30, 2013 8:05 AM

It does not need to be a POTS switch. It is required behaviour for all land lines in the US. The timer is usually set for 15-20 seconds. Some switches have it set for as long as 30 seconds. Even the new equipment operating on optical networks using SIP or H.248 protocols are required to support this for land lines.

Richard • July 30, 2013 8:06 AM

Never ever give out your ATM/credit card PIN number over the phone. Or over E-mail, or on a website. That PIN number is only for authorizing your card at a Point Of Sale or ATM terminal. Banks over here make that very clear to their customers. So clear, that I doubt anyone would fall for this scam.

Someone pointed out to me that Citibank in the USA asks for ATM card PINs over the phone. I hope they are mistaken and there is a different PIN for phone banking.

Peter • July 30, 2013 8:16 AM

@Eric Riley, you don’t even have to read the full article because it’s in the extract Bruce posted: the victim here did hang up and call the institution back. That’s one of the really clever bits of the scam.

@Richard, the fact that they called him in the morning when he was still hungover probably helped to lower his defences against typing in his PIN.

Species5618 • July 30, 2013 8:40 AM

Caller still controls PSTN/POTS calls in the UK, unless the line config is specifically changed, (lifts phones and free taxi phones in shops for example)

The phone part of this (with innocent courier middle) has been used recently in Gloucestershire UK, with older people,

My father has an interesting defence against such matters,
ALWAYS calls me after any call he does not understand !

Jonathan • July 30, 2013 8:44 AM

FYI: When I clicked through to the article, there was an NSFW advertisement on the page. I don’t know if it shows up for everyone, but it could potentially cause problems if your work monitors Internet usage.

bob • July 30, 2013 8:54 AM

@ Jonathan “NSFW advertisement”? On the Guardian site? Where do you work? In the UAE?

NBJar • July 30, 2013 9:21 AM

@Jonathan If your work monitors Internet usage, then that already is a problem.

ramriot • July 30, 2013 9:32 AM

I have heard of the issue of a landline recipient being unable to end a call by hanging up. This I believe is mainly because of the need for backward compatibility with a few remaining antique systems.

Though since the perpetrators know where this guy lives, would it not be more likely that they just tapped into his line with an engineers test unit at the street connection?

Also still wondering about the mothers Maiden-name issue. Did they really have this info or did they just ask him to say it and they confirmed. If the former, and since this is the UK we are talking about then with thanks to crowd-sourcing many birth rolls have been digitized, see: http://www2.freebmd.org.uk/ I just checked and with only my first and last name, the county and the decade I was born in I got ONE result.

I am now off to get all my banks to drop mothers maiden-name from their security question list for my accounts.

Michael T. Babcock • July 30, 2013 10:10 AM

Even for those who are wise enough not to give out their PIN, the fake bank could easily request you to reset your PIN, at which point the user types in a new PIN twice and the thieves now have it.

PS phone lines are easily tapped in many places, even without this trick. Following someone home and vampire tapping their line for the call to the real bank would work too if they did a reset over the phone.

Frank2039 • July 30, 2013 10:11 AM

Meh, too many moving parts for a working system. Has some clever elements to it, but for a high risk operation, I would toss it. Also requires close personal contact with targets which increases risk.

Nick P • July 30, 2013 10:51 AM

That is pretty clever.

Richard • July 30, 2013 10:51 AM

@Michael T. Babcock: ATM card PIN resets over a phone line? Really? Do these banks really want to be defrauded, or what? PIN resets here can be done in person at your local bank branch or via snail mail (to be picked up at the post office with photo ID). Teaching customers to type in an ATM card PIN over a phone line is a real security fail by the banks.

niranjan • July 30, 2013 11:19 AM

Clever indeed. It still works in India for POTS lines from the govt owned telcos. These firms started very early and unfortunately have much wider subscriber base than private firms.

We usually face another problem with this thing. When the calling person doesn’t hang up, the line gets busy & couldn’t make or receive calls. I recently had to call up on mobile and ask them to disconnect completely.

jb • July 30, 2013 12:06 PM

A courier coming by to physically look at the card? Seriously?

I have lost/had compromised various cards, and each time the bank killed the card and mailed me a new one instantly. Any effort to do anything else would ring all the fraud-alarm bells with me.

Jeff • July 30, 2013 12:44 PM

FYI, the reason for the delayed disconnect is so that the person answering the call can hang up and move to another extension, or hang up and shout to somebody else in the household to pickup. It’s useful when there’s no “Hold” button, as is the case with older phones.

X • July 30, 2013 1:25 PM

Indefinite delayed disconnect: I want that for telemarketers!

Tim! • July 30, 2013 1:35 PM

RE: NSFW

It’s not really an advertisement, it’s a link to featured content. In the right sidebar, it links to a review of the film Nymphomaniac. Side boob with nipple.

Clive Robinson • July 30, 2013 1:45 PM

@ Jeff,

The historic reason you have given is not the reason it originaly worked the way it did. It actually goes back to “operator boards” back in the 1800’s before Strowger gear started to replace them.

But this attack method is far from new…

In the early days of telephones being used for auctions one to rig an auction was to dial in with the microphone muted the auction house agent would pick up on the ring and then not hearing anything would put it down. Provided the person who rang in kept the line open a telephone bidder could not dial in. Such dirty tricks were well known just after WWII due to rare book auction rigging which a UK MP Jerremy Foot had an enquirey involvment with.

The actuall trick used here of fake dial/ring tone was used to hack the simplistic “modem dial back” security precaution.

There is also similar tricks done by survalence and ileagle phone equipment called “pole jobs” that I’ve mentioned on this site befor.

Tanuki • July 30, 2013 2:16 PM

This is not “really clever” – it’s “Gullible Guardian-reading journo believing ethnic-minority-people-from-supposed-call-centres who call you out of the blue”

My late aunt got suckered this way back around 2002. She was, admittedly, 94 years old at the time and had a worrying trust in supposed authority-figures.

Dirk Praet • July 30, 2013 6:37 PM

I packaged the card up as requested and waited for the courier to arrive …

That’s were a red alert has to go off and you call:

Card Stop Services. It’s one of these indispensable numbers that should be stored in your phone/address book always.
The police, hoping they get on site fast enough to arrest the courier. Optionally, you call in your nextdoor MMA fighter neighbour to help restrain the guy if the cops are taking their time. In the US, calling in an act of domestic terrorism in progress may speed up the process.

Godel • July 30, 2013 7:45 PM

In the REALLY old exchanges, the calling party could hold up the called party’s line forever, or until manually released by staff.

In more modern exchanges this behavior was deliberate, to allow the called party some limited time to unplug their phone and relocate to a different phone point in another part of the house.

Figureitout • July 30, 2013 11:45 PM

How did they have my mother’s maiden name?
Christ, why is this still a question?! Create your own then a unique answer or simply brick it; simple F*cking solution!

I’ve had to lose some people following me before, or make many turns to find out they were and if they kept coming I would’ve had a “word”.

Re: NSFW meta-stories
–Why was there a story about someone sticking their penis in a toaster? Seriously, OW! People in the UK call Americans stupid…I feel like I’m being trolled….

This is just like academic cheaters, they must get some sort of extreme pleasure by not only breaking the law but initiating the attack. I can reason w/ someone seeking fair revenge b/c one must fight initial attacks/bullying. But the effort spent here is not only a waste but will lead to security measures that will make future life a living hell!

Figureitout • July 30, 2013 11:49 PM

Oh yeah, my ATM PIN was setup over the phone. Does not make me feel comfortable whatsoever as I don’t control the network. If I actually had more than $100 I would care a little more about the security but I would laugh at someone wasting even an hour and serious risk to get less than $100.

One of the nice things about being broke is you can laugh at someone trying to rob you and if they do you might as well try to kill them and make it really worth their while.

Figureitout • July 31, 2013 12:55 AM

So the “penis in toaster” story literally just disappeared from the “recommended” stories side section. Rise and shine time in the UK. Here for the Internet Archive and for those in the future; and in case anyone thought I was lying.

The future of the internet: Content on Links constantly changing and being altered w/ script kiddy language (!) and can thus not really be trusted. Can we just get the story Bruce is linking to instead of all this crap and twitter/facebook buttons shit I’m so sick of it.

Erica • July 31, 2013 3:42 AM

Caller has control is still standard in the UK.

Even when it is a mobile phone calling a landline.

Several times I’ve had my landlined effectively subjected to a denial-of-service attack by a bum-dialed mobile.

Not true for mobile-to-mobile calls.

And, of course, the original attackers from the article have to get lucky with the right dial tone — or an unobservant mark.

Anonymous spaniard • July 31, 2013 6:57 AM

About landline hangup, here in Spain there is a long delay of about 10 minutes between the line becomes completely silent until the call is ultimately dropped, although this only works when both ends are landlines. I find it quite annoying when spam calls do not properly hang up and they kidnap my landline for some time.

Many years ago it was the caller the only one who could end a call. I remember going to a neighbour’s home to call my mother’s neighbour to tell her that she left her phone unhanged.

Clive Robinson • July 31, 2013 9:01 AM

@ Figureitout,

With regards the inappropriate use of the toaster (I can think of quite a few jokes to make about it 🙂 it is not just an American prediliction to put the “meat&two veg” in weird and dangerous places.

You only have to look at “product safety” documentation to see this. One such is from a well known manufacturer of chain saws which advises against applying the chain saw against the genitals…

Such documentation has been a source of “idle thoughts” in those dark hours when insomnia strikes, after all the implication of such warnings is “somebody has already done this”, you have to wonder why…

There are also those other product documents where “marketing speak” has got the better of “common sense”. One such was the claim on a rectal thermometer that an employee of the manufacture had “personaly tested it for your commfort and satisfaction”, which gives rise to the thought about “working at the bottom end of the production line” having a whole new meaning.

Figureitout • July 31, 2013 1:49 PM

which advises against applying the chain saw against the genitals…
Clive Robinson
–Bloody hell! derrrka derrrrr

SchneieronSecurityFan • July 31, 2013 2:15 PM

@ Tom Stone, Correct. While at work, I just called one of our business lines using my cell phone. I hung up the business line. After 15 seconds, I pressed the button for the outside line that I had just called and I was still on “the line” with my cell phone.

To disconnect the land line, hook-flash the land line 3 times. The dial tone then sounds. (I hook-flashed the business land line phone once or twice & put my receiver back on the cradle. I could hear the dial tone sounding momentarily before the receiver went on-hook. I lifted my receiver pressed the outside line button and was “reconnected” to my cell phone.)

If I called the landline and ended the call with my cell phone, the cell phone goes to stand by after two seconds and the landline goes dead about a second after that.

AT&T cell phone, Verizon land line

Observation: Automated calls have dialed our business phones. Sometimes, after I hang up, the same line will start ringing. I answer and it’s the same automated solicitor.

SchneieronSecurityFan • July 31, 2013 11:12 PM

@ Clive Robinson, “The actuall trick used here of fake dial/ring tone was used to hack the simplistic “modem dial back” security precaution.”

In writing my earlier post, I recall working for a company that used that technology in 1997. The custom software that was supplied to a “client’s” computer sent data about that client when the client logged in. The company’s “server” modem would only telephone client modems that were on its list. I don’t think any Caller ID was used.

From my earlier post, a “server” modem could disconnect a line by programming hook flashes – off-hook, then on-hook, for three times with a pause, “,”, before dialing the client’s call back number.

Clive Robinson • August 1, 2013 4:11 AM

@ SchneieronSecurityFan,

The problem goes back to my knowledge to atleast 1977 and back then modems were at best nightmares of hand tuned filters giving at best 300baud, and in the UK it was not then possible to “flash the line” due to the way the Post Office local loop circuits worked (you had to pay extra for PABX services to get the extra features included in “hunt groups”).

However even when/where it was possible to “flash the line” most people implementing “callback modes” did not do it.

There were various reasons, one was just reusing somebody elses shellscript, another because for some reason ITSec bods did not even know that dial in line hold was a security issue and also because in many cases the modem did not have the capability to “flash the line”.

As with all asymetric knowledge those who knew either kept it to themselves for their own advantage or exploited it for their own advantage.

One such was the UK security services, if you can find a copy of Peter Wright’s “Spy Catcher” you will read about the “flooding” system where they used a MF RF carrier to “jump the on hook switch gap”. Prior to this they had to use other techniques which many assumed incorrectly were US style “Harmonica bugs” (invented by the Mafia).

Most of the security vulnarabilities in phone systems are actually down to representatives of the UK Security Services manipulating the standards bodies, this is especialy true of SS7 and GSM.

Having seen it going on in person I’ve been aware that the bigest security threats are “standards” because every implementation irrespective of underlying technology has to be standards compliant to connect to all public and usually all private networks.

Alex • August 1, 2013 9:35 AM

Just tested this in the UK, with 3UK’s UMTS and Virgin Media’s cable network (actually VMED’s voice service is provided using parallel copper and SS7 switching, rather than over the co-ax itself), a mobile, and an old ex-BT cordless device.

Called landline from mobile; picked up; call set up normally. Hung up landline. Could still hear something (acoustic echo cancellation’s synthetic line noise – I could make noises at the landline but not hear them on the mobile) on mobile. Picked up landline. No sound. Pressed cordless landline’s send key. Line open.

I could dial numbers on the landline, hear the tones on the mobile, and press send without any apparent effect. Pressing SEND and then immediately END, however, hung up the call (perhaps the equivalent to a “hookflash”).

aus • August 2, 2013 12:54 AM

My roomate used to phone Australia all the time 2yrs ago to talk to her family. It was a rural area and the phone was just one line, anybody in the neighborhood could pick it up and start talking too and often they did.

SchneieronSecurityFan • August 2, 2013 4:27 PM

@Alex, The “hookflash” equivalent on the cordless phone should be “Recall” or “R” – in the U.K. Hookflashing the cordless phone will leave you with a dial tone. Never heard of the SEND-END sequence. A cellular equivalent of a hookflash allows a cell phone to switch between calls if the cell phone has call waiting.

@aus, What was called a “party line” in the U.S.A., as in your roommate’s neighborhood, adds another dimension to this security problem.

Schneier on Security

Comments

Leave a comment Cancel reply