This just landed in my inbox: more proof, if it were needed, that banks are dumber than a sack of nails when it comes to security. Or they just don’t care:
The email comes ostensibly from HSBC’s Singapore office. But it’s actually mailed by 8rewardsroad.com, a Singapore-based marketing company with a somewhat dodgy website. (As in the pages don’t seem to load without Flash and some pretty awful stuff.) They list HSBC and OCBC, another Singapore bank, among their clients. In other words, there is no easy way to tell whether the email is really from the bank or not.
The email itself offers up to S$400 per customer, though reading the fine print, you (and the person you’re referring) have got to jump through a lot of hoops first.
But that’s not the beef. The beef is that this could so easily be a phishing scam. And even though it’s not, the fact that a bank is sending these emails out contradicts its claims that it won’t communicate by email with customers except to send them notifications of e-statements and other obvious forms of communication. Getting emails like this just lowers customers’ guard. And the tempting element, with the red Refer now button prominently displayed twice on the email, doesn’t help matters.
Worse, if you click on that link you go to a website, www.apps.asiapacific.hsbc.com, which to the uninitiated could be any website, and is definitely not the hsbc.com.sg that the bank’s Singapore customers usually go to. There, referring customers are asked to give a lot of detail about themselves and the person they’re referring, including what kind of bank account they have, their passport/ID number, their banking relationship manager, and so on. Enough for a social engineer to get somewhere with.
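The useful check on a link like that is not the hostname as a whole but its registrable domain: the public suffix plus the one label in front of it. The following is an added example, not code from the post or from the bank; it uses a constructed, abbreviated suffix list in place of the real Public Suffix List, and treats only hsbc.com.sg (the domain the post says Singapore customers know) as trusted, so the post’s link resolves to the registrable domain hsbc.com and is reported as unknown, which is exactly the point: the customer would have to verify that domain out of band.

```python
from urllib.parse import urlsplit

# Constructed, abbreviated stand-in for the Public Suffix List (https://publicsuffix.org/).
# A production check must load the full list; note that "com.sg" is itself a public suffix,
# so the label in front of it is what identifies the owner.
PUBLIC_SUFFIXES = {"com", "net", "org", "sg", "com.sg"}

# The only bank domain the post says Singapore customers know. Anything else, including
# hsbc.com, has to be verified out of band before a customer should trust a link to it.
KNOWN_BANK_DOMAINS = {"hsbc.com.sg"}


def registrable_domain(hostname):
    """Return the registrable domain (public suffix plus the label before it), or None."""
    labels = hostname.lower().rstrip(".").split(".")
    # The longest candidate suffix is tried first, so "a.b.com.sg" matches "com.sg" before "sg".
    for i in range(1, len(labels)):
        suffix = ".".join(labels[i:])
        if suffix in PUBLIC_SUFFIXES:
            candidate = ".".join(labels[i - 1:])
            # A bare public suffix such as "com.sg" is not a registrable domain.
            return None if candidate in PUBLIC_SUFFIXES else candidate
    return None


def classify_link(url, known=KNOWN_BANK_DOMAINS):
    """Return (registrable_domain, is_known) for the host a link actually points at."""
    parts = urlsplit(url if "://" in url else "http://" + url)
    host = parts.hostname  # drops scheme, userinfo ("user@"), port and path
    if not host:
        return (None, False)
    reg = registrable_domain(host)
    return (reg, reg in known)


if __name__ == "__main__":
    # The link from the post, plus constructed lookalikes for comparison.
    for link in [
        "http://www.apps.asiapacific.hsbc.com",
        "https://www.hsbc.com.sg/",
        "https://hsbc.com.sg.promo-example.com/refer",
        "https://hsbc.com.sg@promo-example.com/refer",
    ]:
        print(link, "->", classify_link(link))
```

Everything to the left of the registrable domain is free for the domain owner to invent, and everything before an `@` is ignored by the browser, so `urlsplit(...).hostname` is used rather than any eyeballing of the string.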
I despair that banks will get the security thing. I really don’t think they care. They certainly don’t seem to care enough to stop their marketing department putting out toxic trash like this.
The South China Morning Post reports (I’ve got the hard copy here; everything there is behind a subscription wall, so no full link I’m afraid) of a clever scam where the bad guys steal just enough stuff — cards + identity — from a victim to be able to social engineer their way into trust, but not enough for the mark to realise there’s anything missing before the sting. This takes some doing.
This is how it works: the fraudsters swipe a wallet or handbag from under chairs and tables at a weekend sporting event in Hong Kong. They remove the owner’s bank ATM card and a business card and put everything else back. They then research the individual (presumably online, though they may, I guess, have access to other information from associates on the inside at a bank?).
They then wait a day and call up the mark, identifying themselves as being from the victim’s bank, asking for some personal details and then asking whether they’ve lost their ATM card. This may be the first time the mark realises the card is lost. Along with a professional and comforting tone, and any personal details the fraudster has been able to unearth online, this lures the victim further into a false sense of security.
It’s then that the fraudster says he will cancel the cards and provide a temporary password once the account holder has typed their PIN into the phone. I like this bit; it would be easier and tempting, as in other scams (like this one in the UK), to try to persuade the victim to just give out their PIN verbally. But asking them to enter it into the keypad of their phone adds to the ‘illusion of formal procedure’ that social engineering relies on so heavily. The fraudster, of course, can easily attach a device to their phone to capture the tones of the PIN and decode it. They could even just record the tones and compare them against a reference set of tones. (Each digit has a different combination of tones, according to a signalling scheme called dual-tone multi-frequency, or DTMF. The tones can be decoded using the Goertzel algorithm, via software like this.)
Once the PIN is handed over, the account is emptied. In the case cited in the SCMP, some HK$47,000 was removed within 82 minutes of the fraudster obtaining the PIN.
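To show why keypad entry is no safer than reading the PIN out, here is an added example, not code from the post or from the software it links to: it synthesises standard DTMF tones for a constructed PIN and recovers the digits with the Goertzel algorithm the post names. The sample rate, tone length and the PIN itself are assumptions; the DTMF frequency grid is the standard one.

```python
import math

# Standard DTMF grid (Hz): each key is one low (row) tone plus one high (column) tone.
LOW_FREQS = [697, 770, 852, 941]
HIGH_FREQS = [1209, 1336, 1477, 1633]
KEYPAD = ["123A", "456B", "789C", "*0#D"]

SAMPLE_RATE = 8000  # assumed telephone-quality audio, Hz
TONE_SECONDS = 0.1  # assumed key-press length


def synth_tone(symbol, seconds=TONE_SECONDS, rate=SAMPLE_RATE):
    """Generate float PCM samples for one keypad symbol (sum of its two sine waves)."""
    for r, row in enumerate(KEYPAD):
        c = row.find(symbol)
        if c >= 0:
            f_low, f_high = LOW_FREQS[r], HIGH_FREQS[c]
            break
    else:
        raise ValueError(f"not a DTMF symbol: {symbol!r}")
    n = int(seconds * rate)
    return [
        0.5 * math.sin(2 * math.pi * f_low * i / rate)
        + 0.5 * math.sin(2 * math.pi * f_high * i / rate)
        for i in range(n)
    ]


def goertzel_power(samples, freq, rate=SAMPLE_RATE):
    """Goertzel algorithm: power at a single frequency bin of a block, without a full FFT."""
    n = len(samples)
    k = round(n * freq / rate)  # nearest DFT bin to the target frequency
    coeff = 2 * math.cos(2 * math.pi * k / n)
    s_prev = s_prev2 = 0.0
    for x in samples:
        s = x + coeff * s_prev - s_prev2
        s_prev2, s_prev = s_prev, s
    # |X(k)|^2 expressed in terms of the last two filter states
    return s_prev ** 2 + s_prev2 ** 2 - coeff * s_prev * s_prev2


def decode_tone(samples, rate=SAMPLE_RATE, min_ratio=8.0):
    """Return the keypad symbol present in a block, or None if no clear row/column pair."""
    low_p = [goertzel_power(samples, f, rate) for f in LOW_FREQS]
    high_p = [goertzel_power(samples, f, rate) for f in HIGH_FREQS]
    r = max(range(4), key=lambda i: low_p[i])
    c = max(range(4), key=lambda i: high_p[i])

    def dominant(powers, idx):
        # The winning bin must clearly beat the other three in its group (rejects silence/noise).
        others = [p for i, p in enumerate(powers) if i != idx]
        return powers[idx] > min_ratio * max(max(others), 1e-12)

    if dominant(low_p, r) and dominant(high_p, c):
        return KEYPAD[r][c]
    return None


def decode_sequence(blocks, rate=SAMPLE_RATE):
    """Decode a list of sample blocks, dropping blocks that carry no tone."""
    return "".join(s for s in (decode_tone(b, rate) for b in blocks) if s)


def demo():
    """Constructed PIN typed on a keypad with silent gaps between presses, then decoded."""
    pin = "4729"  # assumed, for illustration only
    silence = [0.0] * int(TONE_SECONDS * SAMPLE_RATE)
    blocks = []
    for digit in pin:
        blocks.append(synth_tone(digit))
        blocks.append(silence)
    return decode_sequence(blocks)


if __name__ == "__main__":
    print(demo())
```

A 0.1 s block at 8 kHz gives 10 Hz bins, which is fine resolution for the DTMF grid, and the dominance ratio is what makes silence come back as `None` instead of a random key; a real recording would add a window and a per-block energy threshold, but the point stands that the digits travel in the clear.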
So, the obvious and the slightly less obvious, which should go without saying:
- Never give your PIN to anyone, even a smooth-talking fella calling himself “Peter from HSBC.”
- Regularly check your purse to see whether all your cards are there. If not, cancel them immediately.
- Don’t put your name cards, or other revealing personal details, in the same place as your credit cards.
- Don’t ever accept a call from your bank without taking down the person’s name and number and a telephone number you can verify independently (on statements or online). Then call the bank back. Banks don’t like to do this, because it might mean you call them up when they don’t want to, but tough.
- Give your bank hell every time they call you up and start asking you questions like “you have a credit card with us, is that right, sir? Would you like to up the limit on that card?” This is just asking for trouble, since calls like that are one small step away from a social engineering attack: “Please just give me the card details and some personal information and we’ll increase that limit right away, sir”. If not that, it at least sows the idea in the customer’s mind that their bank phones them, and that somehow that’s OK.
- Be aware that Google et al can, when combined, paint a pretty clear picture of who you are, even if you’re not a blogger or other form of online exhibitionist. So don’t be lulled by someone calling who seems to know enough about you to be able to pretend to be someone official.
Anyone at the Rugby Sevens this weekend, take note.