Just got a scary call from a very convincing scammer :/
1. Hi, it's your bank. We just blocked fraudulent activity associated with your debit card starting with 1234.
2. We also blocked your internet banking. Verify that if you want. (yes, it was blocked.)
3. To recover your debit card, please come to the closest branch
4. We now just need you to authorize a change in your password because of law 12343456 of the consumer protection what not ...
5. Please open your banking app, do not log in (because there I would have noticed that nothing was broken and that no cellphones were bought with my card).
6. Click the "BE Pass" below to authorize this complicated protocol we are following here.
Turns out, they knew my name, national ID, maybe not the debit card number as these all start the same with the same bank, my phone number and my email address that I exclusively use with that bank. They made 3 failed attempts to get into my online banking so it got blocked, went to the "recover my login using the banking app" page, called me with a well trained scammer and when they thought I was ready to click "ok" within 3 minutes - the time you have for these BE-Pass authorizations - they hit ok on that "change my password" page.
I hate that I believed it was my bank for so long, despite noticing some red flags early on during the call.
So you still have fiat in the bank? 🏦 Nice take away! Hehe
Yeah, I'm 1 week of groceries short Bitcoin. ;)
Food better than ₿itcoin so you are actually Long ₿itcoin cus you have to eat to hodl it 😂
But you caught it just in time for step 6??
Yes. They never went for the middle ground of asking me to provide any personal data but went straight from knowing stuff and showing competence to asking to hand over the keys and that's where I pulled the plug. In hindsight I wonder what they could have achieved that would not have been appropriate other than me providing them with a free sample of my voice.
I hate banks making very complicated login procedures with proprietary 2FA that can be bypassed somehow if you use their banking app on your registered phone and fingerprint login. The more complex and confusing it is, the more people choose bad passwords and try to avoid entering anything at all if they have the option to do so.
They could use standard WebAuthn and passkeys, which are way easier to use and probably safer, which people could use with many accounts and get used to long term, so they would not try to shortcut it or get tricked into unlocking their account for a scammer because they have no clue what's going on.
BE-Pass is their 2FA application. It's not bad, as it shows you some details, but in the case of the password it does not show you the new password, so if you get two requests in the BE-Pass app, they look equal and you don't know which new password you are confirming - the attacker's or yours.
Google Authenticator would require me to enter the code into the website where I requested the password update, while the hacker would need me to give him the code. I think it's more transparent that giving that code over the phone is a blind signature than when they trick me into clicking a mere button in the 2FA app.
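The "two requests look equal" problem above is a binding problem: the approval prompt carries nothing that ties it to the request the user actually made. Added illustration (not the bank's or BE-Pass's code; the server key, field names and sample requests are constructed): the same password-change request rendered as an unbound push prompt, and as a prompt carrying a short code derived from the pending request, which the user can compare with the code shown on the page they are using.

```python
import base64
import hashlib
import hmac
import secrets
from dataclasses import dataclass

# Per-deployment secret so codes cannot be predicted from public fields (constructed).
SERVER_KEY = secrets.token_bytes(32)


@dataclass(frozen=True)
class PendingChange:
    """A password-change request waiting for out-of-band approval (hypothetical model)."""
    request_id: str        # random, per request
    username: str
    new_password_hash: str  # commitment to the new password; the password itself is never shown
    origin_ip: str         # where the request came from; part of what the user should see


def password_commitment(new_password: str) -> str:
    # Stand-in for a real password hash; only its role as a commitment matters here.
    return hashlib.sha256(new_password.encode()).hexdigest()


def approval_code(change: PendingChange) -> str:
    """8-character code bound to every field of the request.

    Shown both on the web page that created the request and in the approval prompt,
    so a request the user did not make produces a code they cannot find on their own screen."""
    msg = "|".join([change.request_id, change.username,
                    change.new_password_hash, change.origin_ip]).encode()
    digest = hmac.new(SERVER_KEY, msg, hashlib.sha256).digest()
    return base64.b32encode(digest[:5]).decode()  # 40 bits -> 8 base32 characters


def unbound_prompt(change: PendingChange) -> str:
    """What a push-only 2FA prompt shows: identical for any request against the same account."""
    return f"Confirm password change for {change.username}?"


def bound_prompt(change: PendingChange) -> str:
    """Prompt that shows origin and the binding code; two different requests render differently."""
    return (f"Confirm password change for {change.username} requested from {change.origin_ip}? "
            f"Code: {approval_code(change)}")


def user_should_approve(prompt: str, code_on_own_screen: str) -> bool:
    """The user approves only if the code in the prompt is the one on the page they are using."""
    return prompt.endswith(f"Code: {code_on_own_screen}")
```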
The same story with some minor modifications happened to my father a few months ago in Iran.
How many scammers could survive if bank accounts had 24-word passphrases? And cold storage accounts... and automated deposits of living expenses for a week.
I've seen people enter seed phrases online way too often to give me hope that bitcoin will fix scammers.
FYI, it's a common trick that scammers use: they give you the *first* four numbers instead of the last four.
The first 4 numbers just identify the bank that issued the card.
If someone tries this on you, hang up immediately, block & report the number, and notify your bank that someone is trying to scam you using this method and what else they used to try to persuade you.
#selfdefense #selfhelp
first numbers: Yeah, as I said in OP, I am aware of this and will not fall for it again.
Hang up immediately: Why not have some fun and waste the scammer's time?
Block and report: Probably pointless as these scammers are likely to spoof their number anyway. Case in point, a relative got a scam call from his bank yesterday and the number was indeed registered as belonging to the bank.
Tell the bank: Yeah, maybe. Next time I see them.
The report function at least reports back to Google (if you have an Android phone) that this call/VoIP connection is bad somehow.