
How Good Information Goes Bad


The Internet is fast becoming a sort of gossip chamber where the real merges with the fantasy, leaving ordinary people overwhelmed. I’m not sure it’s a good thing.

Take an email my wife forwarded me this morning. It’s from a newsgroup comprising Indonesian expat mothers in Singapore (talk about niches!). The sender had forwarded an email they received from someone who claimed to have had the scam they describe befall them in Singapore.

The scam itself is ingenious: someone phones a resident, saying they’ve got a package to deliver and confirming someone will be home. The package is a beautiful basket of flowers and wine. No card (the delivery guy says it’s coming later). Recipient happy, but told they will have to pay $3.50 as proof the delivery guy left the alcohol-containing package with an adult. Fair enough.

The recipient goes to get cash. No, says the guy, it has to be by EFTPOS—a bank card—because he’s not allowed to handle cash. Fair enough.

He swipes the card on his machine, recipient enters PIN, and off delivery guy goes.

Within a few days, several thousand dollars disappears from the recipient’s account, via a duplicated card and the stolen PIN.

Now this is a good, classy and brazen scam. And it’s true. It did happen—in Sydney, Australia, in October (and possibly November) 2008. The guy involved was arrested on November 21.

But it didn’t, as far as we know, happen in Singapore. Or anywhere else.

But that hasn’t stopped the email from spreading virally. In Malaysia, Canada, and elsewhere.

Myth-busting sites like Snopes and Hoax Slayer have done a good job of trying to separate fact from fiction. The problem is that as these legitimate stories spread, they serve to confuse and alarm rather than educate the public. As Hoax Slayer puts it:

While they may be perfectly valid when first launched, a problem with such warning emails is that they may continue to circulate for years and eventually become outdated and redundant. And, as noted, false or misleading information may be added to the messages as they circulate and such additions can significantly erode their use as warnings. Before forwarding such warning messages, it is always wise to check that the information they contain is accurate and up-to-date.

I quite agree. It’s good that people are wary, but not based on stories that are no longer true.

Checklist to avoid such scams:

  • Ask to see credentials of any delivery guy, whether or not he’s giving you free stuff.
  • If you’re wary, don’t accept the delivery. Even if it’s free stuff.
  • You should not be asked to pay money by someone appearing at your door unless you’re expecting the package. Sadly this is not properly adhered to, even by supposedly reputable couriers. In Indonesia I would find the couriers demanding duty payments that were not sufficiently documented.
  • Don’t let anyone swipe your bank card unless you’ve established who they are.
  • If in doubt, demand a name card and take a photo of the person with your cellphone. Then close the door.

Photo credit: North Shore Times.

Hi, I’m Sheila from Phishers ‘R’ Us

It amuses me that banks talk about security but rarely apply it in a consistent enough way to save people like you and me from getting scammed. Take what just happened to me this morning:

My bank rings me up. (The number is a private number, so it doesn’t show up on my screen, but that doesn’t seem to be unusual anymore; nearly half of the people who call me seem to withhold their number these days. In any case, it’s not hard to fake a caller ID.)

The woman on the phone tells me there’s been a problem with my last phonebanking transaction. Before she can tell me more, she says, I need to key in my six-digit phonebanking ID. I’m just about to do so, eager to sort out the problem, when I realize that I’ve not confirmed that she is who she says she is. So I ask her:

“Sorry, but I need to confirm who you are first.”

“Yes, I am Sheila and I work for the phonebanking division.”

“Yes, but how do I know you’re Sheila from the phonebanking division, and not Sheila from Phishers ‘R’ Us?”

Clearly Sheila hasn’t faced this kind of situation before.

“Er, well, if you key in your phonebanking ID, I can tell you details about your account, and that will confirm it.”

“Well, it may do, or else it would tell me you’d already succeeded in hacking into my account and were now just toying with me.”

A pause.

“Yes, but the PIN number goes straight into the computer,” says Sheila, a bit nonplussed now.

I try to explain that a) I’m not personally accusing her of being a scammer, only that I have no way of confirming whether she is a bank employee or a clever social engineering fraudster, because she called me first, and b) that technology makes it eminently possible for someone to capture my six-digit PIN if I key it into my phone. (A simple decoder attached to the phone will grab the DTMF signals, the beeps when you press a key, and figure out what digits they represent. I didn’t tell this to Sheila because she was already beginning to sense I was a ‘difficult customer.’)

In the end I tell Sheila I’m going to call her back, to which she politely agrees. When I later explain to her that the bank should think about plugging the hole in their security fence, she listens politely, thanks me for my feedback, and says:

“One last thing, Mr. Wagstaff. I don’t know if you’ve been told but we’re running a promotion at the moment that for every customer you’re able to bring in you get a $200 gift voucher for redemption at Takashimaya Department Store.”

A bank with its priorities right, it seems.

What amazes me about this is that banks don’t seem to have learned from past mistakes. A few months back I wrote about a scam in Hong Kong which uses exactly this tactic. Fraudsters stole wallets and handbags at a sporting event, removing only the ATM and business cards. The victims then got phone calls the next day from people pretending to be from the bank, informing them they’d lost their card and asking them to approve cancellation of the card by keying in their PIN. Voila. If Sheila were Sheila the Scammer, someone would be at least halfway into my account by now.

I wish banks would be smarter about this. I wish in particular the banks I use would be smarter about this. Scammers are clever, particularly about social engineering, the art of lulling people into a false sense of security. We ordinary people want to please, and we want to help solve a problem, especially if it’s connected to us, so we’re easy prey for someone at the end of the phone offering both.

The lesson is the same as the one I’m always trying to pass on: Don’t give anything to anyone just because they ask you to. Find out first whether they are who they say they are. A realtor asking for a deposit? Show me the documents that prove you are authorized by the landlord. Here to check the meter? Where’s your badge? Valet? How do I know you’re not just a guy in a red jacket and jaunty hat about to steal my car?

Authenticate, authenticate, authenticate. And if it’s someone like a banker, a real estate agent or an official, be hard on them if they seem impatient with your efforts. It’s your money, not theirs.