Help: Fallen for a scam email!

shortcrust

I bet it's not a scam. If it is, they're aiming rather low.

Would I post those details on here? No but that's more to do with privacy than security. Would I worry if a site was hacked and I knew those details had been stolen? No not really. There's not much anyone could do with them, and you could probably find them anyway with a bit of googling.

jonesMUFCforever

Yes the BA one is a scam have had dozens of them over the last couple of weeks.
(Of course it is not really from BA)

shortcrust

jonesMUFCforever wrote: »

Yes the BA one is a scam have had dozens of them over the last couple of weeks.
(Of course it is not really from BA)

Is it really? I'd have thought they'd have gone for a bit more info than that.

baza52

jonesMUFCforever wrote: »

Yes the BA one is a scam have had dozens of them over the last couple of weeks.
(Of course it is not really from BA)

are these scams?

http://highlife.ba.com/competitions-and-offers/

Arleen

baza52 wrote: »

its not clear if the BA thing is a scam or not.
If I gave you my name and address and mobile number do you honestly think you could get more info from my mobile provider about me?
How would you answer the security questions?

Are you saying I could open a BT phone book and look at any page to get someone's name, address and phone number and BT would give me their bank details etc if I rang them lol

And the date of birth and email. This is how confidence tricksters work, as you then "have forgotten password" but can, for example, give out other details about your account. And all of the companies fall for it, almost always, because they are to be consumer friendly, and in the end, all they will give out is more information. And how can some information be hurtful, as even if this is a ploy, they already have as many details, right? Not to mention that just the fact that I will call them as your phone number and know the date of birth name and address is usually more than enough (and spoofing mobile number is super easy if you know how to host your own VOIP) to even satisfy company procedure in case of forgotten password.

You don't have to take my word for it, even though I work in infosec, just look how it works in practice: https://www.youtube.com/watch?v=lc7scxvKQOo and no, it's not arranged or fake but what happens every single day.

baza52

voip is voice over internet protocol, nothing to do with spoofing a mobile number.

You read far too much and believe too much of what you read.

How has VOIP got anything to do with knowing someone's mobile number?

noh

baza52 wrote: »

voip is voice over internet protocol, nothing to do with spoofing a mobile number.

You read far too much and believe too much of what you read.

How has VOIP got anything to do with knowing someone's mobile number?

If you host your own VOIP you have control of the caller ID presented to the recipient of the call.

baza52

noh wrote: »

If you host your own VOIP you have control of the caller ID presented to the recipient of the call.

so do you think the likes of 3, T mobile, etc cannot recognise a call from within their own network?

You will still need to pass any security questions they ask to verify you are the account holder.
For all they know you could have found or stolen the phone your calling on.

Arleen

baza52 wrote: »

so do you think the likes of 3, T mobile, etc cannot recognise a call from within their own network?

You will still need to pass any security questions they ask to verify you are the account holder.
For all they know you could have found or stolen the phone your calling on.

They could if they are hosting it via private number, routed only inside of they network and not callable from outside. In any other scenario, they cannot verify the authenticity of calling number (without sending some text for example and asking the caller to read it).

As for passwords and all that, every service has procedures to recover your password, as people forget them. And then instead they will ask you for some details, most common are, including with financial institutions: the first line of the address, postcode, date of birth, occasionally (if they have it and have better security) time you moved to current address. Everything but the date is available in the few details you say not to panic about.

And with details on a couple of your credit accounts, what is stopping me from signing up with say Experian and obtaining an online copy of your credit file? All you need is a bit more data, primarily what current credit accounts you have, or had in the past. And those can be obtained over the phone, given sufficient amount of time, will and starting information.

So I recommend to educate yourself on the subject of social hacking rather than telling someone, who does infosec for a living, that he reads far too much and wrongly believes in it. Instead, I suggest to pick up a book on the subject and learn how, and why, you should defend against it. "Social Engineering" by Christopher Hadnagy is a good entry-level position.

Or if you still think that I am talking nonsense, please post those details about yourself right here, and let us know in a week or two how it went for you.

baza52

front line support staff rarely can see a customers password, they have no need to and its asking for problems.
(yes I have managed call centres and nobody can see a customers password in plain text)
New passwords are usually sent to the email address held on file so unless you can compromise the password for the email account your not getting anywhere.
Its possible a password can be sent to a mobile phone number, will a spoofed VOIP account receive this?