A Solution To Banking Scams?

jbrassy

I have a great idea that I'm not going to tell you unless you give me loads of money. 

That argument never fails 😂

RG2015

Have you shared your idea with anyone; for example friends or family?

Do they agree that your idea is a game changer?

RG2015

I have often thought that having a password or security answer that a bank had to give you would be a great security feature.

Zanderman

RG2015 said:

I have often thought that having a password or security answer that a bank had to give you would be a great security feature.

It would, but I'd wager there would still be loads of people that would get scammed! 

A lot of the scams these days seem to rely on the scammers persuading the punter that they can ignore the existing warnings and systems - even though those warnings and systems say, categorically, things like 'never give this code to anyone not even to your bank' and yet when a scammer rings up the punter is persuaded, amazingly, to give the code to them, because, er, they think that they're the bank!  That's the bank that said don't tell us the code, ever.

So if there was a secret answer the bank had to tell you I'd bet a similar proportion of people would still believe the scammer when they say that, in this case, the secret answer is not needed, for some made up reason, perhaps that it's been compromised by hacker or something.

You can never protect everyone, there will always be suckers and we might all be one one day.

To the OP of this thread, I'm not sure why you're asking here if you've already had no joy with the banks.  I really doubt anyone anywhere will take you seriously without details, so if you won't give details you're on a loser. 

And, sorry, I really doubt you've thought of a scheme that banks and security experts haven't already thought of. There's a whole industry of security experts out there in the financial and online world.  To be amazingly better than them would be, er. amazing.  If you're 'not anything to do with banks or finance etc' and are 'a normal bloke doing a normal job' then you'll presumably have no knowledge at all of what systems the banks have considered.

Sensory

RG2015 said:

I have often thought that having a password or security answer that a bank had to give you would be a great security feature.

I know Skipton show you a user-chosen image and a custom phrase that you set as part of the login process.

Sensory

Zanderman said:

RG2015 said:

I have often thought that having a password or security answer that a bank had to give you would be a great security feature.

A lot of the scams these days seem to rely on the scammers persuading the punter that they can ignore the existing warnings and systems - even though those warnings and systems say, categorically, things like 'never give this code to anyone not even to your bank' and yet when a scammer rings up the punter is persuaded, amazingly, to give the code to them, because, er, they think that they're the bank!  That's the bank that said don't tell us the code, ever.

It doesn't help that some banks (and other services like BT Business) use OTP as a method of user verification where the phone agent does request the code, which is the worst practice as it confuses the overall issue. Barclays was a recent one, where their app specifically warns not to share PINsentry codes, passcodes and passwords, but 'passcodes' refers to your static 5-digit account passcode and not OTPs. Marcus was worse though, as the code they ask for has zero difference to one used for password resets.

masonic

Sensory said:

RG2015 said:

I have often thought that having a password or security answer that a bank had to give you would be a great security feature.

I know Skipton show you a user-chosen image and a custom phrase that you set as part of the login process.

Which is a great example of an idea which seems good, until you realise that a fraudster can simply scrape these from the genuine site after submitting the username and feed them up on a phishing site almost in real time. Some of the other banks that were doing this stopped, because it just gives people a false sense of security.

What RG2015 might be referring to is a telephone password that the bank must give you if they call you. One bank is now sending push notifications in their app which enable both parties to verify they are talking to the right person, rather like authorising a debit card transaction. No system is perfect though, as people can always be persuaded to do the wrong thing.

Sensory

masonic said:

Sensory said:

RG2015 said:

I have often thought that having a password or security answer that a bank had to give you would be a great security feature.

I know Skipton show you a user-chosen image and a custom phrase that you set as part of the login process.

Which is a great example of an idea which seems good, until you realise that a fraudster can simply scrape these from the genuine site after submitting the username and feed them up on a phishing site almost in real time. Some of the other banks that were doing this stopped, because it just gives people a false sense of security.

In theory, this flaw extends to requesting OTP codes too, with the phishing site waiting to capture input to near-instantaneously relay to the genuine site. Even steps that involve requesting randomly selected data could be fed back to the phishing site for data capture, ala man-in-the-middle attack. At least with websites, it's easy to check the top-level domain before logging in (not that many login pages warn users to actually check the address bar before inputting details though).

masonic said:

What RG2015 might be referring to is a telephone password that the bank must give you if they call you. One bank is now sending push notifications in their app which enable both parties to verify they are talking to the right person, rather like authorising a debit card transaction. No system is perfect though, as people can always be persuaded to do the wrong thing.

Yes, just like convincing a victim to reveal an OTP, verifying via push notification is just another vector for fraudsters to bypass via social engineering. There are quite a few services that verify via push notification too (as an alternative in addition to OTP). As long as a system allows users to trigger a request for an OTP/push notification, there's always a possibility that a fraudster could do it too.

AskAsk

"I am not anything to do with banks or finance etc, I am a normal bloke doing a normal job."

and here lies the problem.  fraudsters and thieves are way ahead of the banking security and can exploit weaknesses in security measures and people.  if you are not in the industry yourself you will not know about the data laws, tech stuff that goes on in order to come up with a preventative measure.

it's like me saying i have come up with a way to stop buildings collapsing without understanding how a building is built in the first place and how it is held up.

grumiofoundation

masonic said:

UKMAN1969 said:

masonic said:

Do you provide them with as much detail about your idea as you have done here?

Obviously I am not going to post the whole idea here, that would be silly

They are ignoring you for a reason. If I put myself in a bank executive's shoes and I received your original post as an email, then I would definitely not take it seriously. Presumably if you are unwilling to share here, then you have been unwilling to share elsewhere, because as you say you think your idea is worth a lot of money, but it would be easy for anyone to copy and you don't have any IP protection. In that situation your only option would be to get it to the point where you can obtain a patent, then disclose it to the banks who can evaluate it and see if they agree with you about its value. That is assuming you haven't misunderstood the practicalities of your idea or missed any fatal flaws.

I suppose the first step on this process would be to engage with a patent attorney to establish that your idea is indeed patentable and doesn't infringe on the intellectual property of others.

I agree, somewhat ironically I would think i was being scammed....