
A Solution To Banking Scams?


Comments

  • Sensory
    Sensory Posts: 497 Forumite
    Part of the Furniture 100 Posts Name Dropper
    edited 28 October 2021 at 5:30PM
    masonic said:
    Sensory said:
    masonic said:
    What RG2015 might be referring to is a telephone password that the bank must give you if they call you. One bank is now sending push notifications in their app which enable both parties to verify they are talking to the right person, rather like authorising a debit card transaction. No system is perfect though, as people can always be persuaded to do the wrong thing.
    Yes, just like convincing a victim to reveal an OTP, verifying via push notification is just another vector for fraudsters to bypass via social engineering. There are quite a few services that verify via push notification too (as an alternative in addition to OTP). As long as a system allows users to trigger a request for an OTP/push notification, there's always a possibility that a fraudster could do it too.
    I think you misunderstand. The push notification is sent by customer services at the bank to notify the customer they are on the phone to a genuine bank employee. It is sent while the bank is on the phone with the customer. The customer must authenticate within the app and confirm the notification. The customer can decline the notification if they are not currently on the phone to their bank. This gives pretty good protection because the fraudster has no way of sending the push notification (without compromising the bank's IT system) and a man in the middle would be very tricky to execute while the fraudster is on the phone with the genuine bank customer services in order to get CS to push out the notification at the right time. As such it prevents the need for customers to disclose "memorable information" to an unauthenticated caller.
    I do agree that it is easily bypassed if the customer does not know to require it whenever someone claiming to be from the bank calls.
    It’s not about specifics to an individual process. The sending of a push notification for the customer to verify is essentially no different to sending an OTP to the customer’s device so they can verify. At the moment, it may be effective barring sophisticated MitM attacks (although simultaneous mirror calls have been successfully conducted in the past), but it’s only effective if sending push notifications is ONLY ever performed when a bank cold calls a customer and becomes widespread routine practice. There are services that already verify users through push notification (e.g. when a user logs in), and if banks ever follow suit by using push notifications over or in addition to OTP (for logging in and authorising transactions), it becomes a lot easier for fraudsters to abuse.

    Still, the best practice would be for banks, if cold calling, to always advise their customer to dial them back on an official number, with the bank hanging up themselves. This stops MitM mirror calling.
  • masonic
    masonic Posts: 27,169 Forumite
    Part of the Furniture 10,000 Posts Photogenic Name Dropper
    edited 28 October 2021 at 6:19PM
    Sensory said:
    masonic said:
    Sensory said:
    masonic said:
    What RG2015 might be referring to is a telephone password that the bank must give you if they call you. One bank is now sending push notifications in their app which enable both parties to verify they are talking to the right person, rather like authorising a debit card transaction. No system is perfect though, as people can always be persuaded to do the wrong thing.
    Yes, just like convincing a victim to reveal an OTP, verifying via push notification is just another vector for fraudsters to bypass via social engineering. There are quite a few services that verify via push notification too (as an alternative in addition to OTP). As long as a system allows users to trigger a request for an OTP/push notification, there's always a possibility that a fraudster could do it too.
    I think you misunderstand. The push notification is sent by customer services at the bank to notify the customer they are on the phone to a genuine bank employee. It is sent while the bank is on the phone with the customer. The customer must authenticate within the app and confirm the notification. The customer can decline the notification if they are not currently on the phone to their bank. This gives pretty good protection because the fraudster has no way of sending the push notification (without compromising the bank's IT system) and a man in the middle would be very tricky to execute while the fraudster is on the phone with the genuine bank customer services in order to get CS to push out the notification at the right time. As such it prevents the need for customers to disclose "memorable information" to an unauthenticated caller.
    I do agree that it is easily bypassed if the customer does not know to require it whenever someone claiming to be from the bank calls.
    It’s not about specifics to an individual process. The sending of a push notification for the customer to verify is essentially no different to sending an OTP to the customer’s device so they can verify. At the moment, it may be effective barring sophisticated MitM attacks (although simultaneous mirror calls have been successfully conducted in the past), but it’s only effective if sending push notifications is ONLY ever performed when a bank cold calls a customer and becomes widespread routine practice. There are services that already verify users through push notification (e.g. when a user logs in), and if banks ever follow suit by using push notifications over or in addition to OTP (for logging in and authorising transactions), it becomes a lot easier for fraudsters to abuse.
    I disagree that push notifications are essentially the same as OTP. OTP can be disclosed to a fraudster, while push notifications communicate a signal directly between customer and the bank. A big weakness of OTP is it is often unclear what it will be used for. I also disagree that push notifications are only effective if they are only performed in the scenario mentioned. It doesn't weaken the effectiveness for a bank to also use a push notification to send the customer details of a debit card transaction that is being made for them to confirm, for example. It is simply a means of asking a question of the customer in a more secure fashion.
    It does rely on the customer to read the contents of the message and respond appropriately, but if someone calls the customer and says that they are from the bank and will just send a push notification to prove it, then the customer receives a notification stating "You are about to spend £500 at STEAMGAMES.COM LUXEMBOURG Approve/Cancel" and approves it rather than the expected notification "XXX from customer services has called your registered phone number, please confirm you are currently speaking with them Approve/Cancel", there really is no helping them.
    In any case, I think we can probably agree the above is an improvement on being cold called and having to tell the caller your first line of address, postcode, date of birth, mother's maiden name and the name of your first pet before you have any idea they are who they say they are.
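The push-based call check masonic describes, as an added example that is not from this thread or any bank's system: a toy back end (all names assumed) where every challenge carries its purpose, is single-use and time-limited, and a call counts as verified only when the verify_call challenge itself is approved, so approving an unrelated payment prompt never "proves" a caller.

```python
"""Toy model of the in-app call-verification push discussed in this thread.

Added example, not any bank's code. It assumes a hypothetical back end that
issues purpose-tagged, single-use, time-limited challenges to the customer's
app and treats a call as verified only when the call-verification challenge
itself is approved, never on the strength of some other approval.
"""
from dataclasses import dataclass, field
import secrets
import time


@dataclass
class Challenge:
    challenge_id: str
    purpose: str          # "verify_call" or "approve_payment"
    detail: str           # text the app shows, e.g. who is calling
    issued_at: float
    resolved: str = ""    # "", "approved" or "declined"


@dataclass
class BankBackend:
    """Hypothetical bank side: issues challenges and checks the outcome."""
    ttl_seconds: float = 120.0
    challenges: dict = field(default_factory=dict)

    def issue(self, purpose: str, detail: str) -> Challenge:
        c = Challenge(secrets.token_hex(8), purpose, detail, time.time())
        self.challenges[c.challenge_id] = c
        return c

    def resolve(self, challenge_id: str, decision: str) -> bool:
        """Record the customer's answer; each challenge is single-use and expires."""
        c = self.challenges.get(challenge_id)
        if c is None or c.resolved or time.time() - c.issued_at > self.ttl_seconds:
            return False
        c.resolved = decision
        return True

    def call_is_verified(self, challenge_id: str) -> bool:
        """Bind the outcome to the purpose: a payment approval never verifies a call."""
        c = self.challenges.get(challenge_id)
        return c is not None and c.purpose == "verify_call" and c.resolved == "approved"


def customer_decision(c: Challenge, on_phone_with_bank: bool) -> str:
    """The rule the thread recommends: read the message, approve a call check
    only while actually speaking to the bank, and decline anything unexpected."""
    if c.purpose == "verify_call" and on_phone_with_bank:
        return "approved"
    return "declined"


def genuine_call() -> bool:
    """Agent is on the line, pushes a call check, customer approves: verified."""
    bank = BankBackend()
    c = bank.issue("verify_call", "Customer services has called your registered number")
    bank.resolve(c.challenge_id, customer_decision(c, on_phone_with_bank=True))
    return bank.call_is_verified(c.challenge_id)


def wrong_challenge_approved() -> tuple:
    """The failure mode masonic describes: a payment challenge (constructed here)
    arrives while an unknown caller presents it as 'proof'. Even a hasty Approve
    must not verify the call; the careful rule declines it. Returns (verified, declined)."""
    bank = BankBackend()
    c = bank.issue("approve_payment", "You are about to spend £500 at EXAMPLE MERCHANT")
    bank.resolve(c.challenge_id, "approved")   # customer taps Approve without reading
    verified = bank.call_is_verified(c.challenge_id)
    return verified, customer_decision(c, on_phone_with_bank=False) == "declined"
```

The same purpose binding is what makes a contextless OTP weaker: a six-digit code carries no statement of what it authorises, whereas the challenge here cannot be repurposed by whoever relays it.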
  • RG2015 said:
    Have you shared your idea with anyone; for example friends or family?

    Do they agree that your idea is a game changer?

    Hi, yes, I have shared it with family and a few trusted friends; they agree it's a game changer.
  • Sensory
    Sensory Posts: 497 Forumite
    Part of the Furniture 100 Posts Name Dropper
    masonic said:
    Sensory said:
    masonic said:
    Sensory said:
    masonic said:
    What RG2015 might be referring to is a telephone password that the bank must give you if they call you. One bank is now sending push notifications in their app which enable both parties to verify they are talking to the right person, rather like authorising a debit card transaction. No system is perfect though, as people can always be persuaded to do the wrong thing.
    Yes, just like convincing a victim to reveal an OTP, verifying via push notification is just another vector for fraudsters to bypass via social engineering. There are quite a few services that verify via push notification too (as an alternative in addition to OTP). As long as a system allows users to trigger a request for an OTP/push notification, there's always a possibility that a fraudster could do it too.
    I think you misunderstand. The push notification is sent by customer services at the bank to notify the customer they are on the phone to a genuine bank employee. It is sent while the bank is on the phone with the customer. The customer must authenticate within the app and confirm the notification. The customer can decline the notification if they are not currently on the phone to their bank. This gives pretty good protection because the fraudster has no way of sending the push notification (without compromising the bank's IT system) and a man in the middle would be very tricky to execute while the fraudster is on the phone with the genuine bank customer services in order to get CS to push out the notification at the right time. As such it prevents the need for customers to disclose "memorable information" to an unauthenticated caller.
    I do agree that it is easily bypassed if the customer does not know to require it whenever someone claiming to be from the bank calls.
    It’s not about specifics to an individual process. The sending of a push notification for the customer to verify is essentially no different to sending an OTP to the customer’s device so they can verify. At the moment, it may be effective barring sophisticated MitM attacks (although simultaneous mirror calls have been successfully conducted in the past), but it’s only effective if sending push notifications is ONLY ever performed when a bank cold calls a customer and becomes widespread routine practice. There are services that already verify users through push notification (e.g. when a user logs in), and if banks ever follow suit by using push notifications over or in addition to OTP (for logging in and authorising transactions), it becomes a lot easier for fraudsters to abuse.
    I disagree that push notifications are essentially the same as OTP. OTP can be disclosed to a fraudster, while push notifications communicate a signal directly between customer and the bank. A big weakness of OTP is it is often unclear what it will be used for. I also disagree that push notifications are only effective if they are only performed in the scenario mentioned. It doesn't weaken the effectiveness for a bank to also use a push notification to send the customer details of a debit card transaction that is being made for them to confirm, for example. It is simply a means of asking a question of the customer in a more secure fashion.

    It does rely on the customer to read the contents of the message and respond appropriately, but if someone calls the customer and says that they are from the bank and will just send a push notification to prove it, then the customer receives a notification stating "You are about to spend £500 at STEAMGAMES.COM LUXEMBOURG Approve/Cancel" and approves it rather than the expected notification "XXX from customer services has called your registered phone number, please confirm you are currently speaking with them Approve/Cancel", there really is no helping them.
    OTP notifications vary in their level of detail; some services are more informative with context and others are not.

    Just because OTPs can be communicated to fraudsters does not mean they are less secure within the context of impersonation during cold calls. (On a technical level SMS is more vulnerable to interception, although WhatsApp is being utilised by some services to communicate OTPs.) During cold call impersonations, the fraudster simply needs to convince the user to take action. With OTPs, the OTP needs to be communicated to the fraudster, and the fraudster then verifies with the bank; with push notifications, the verification is direct by the user; either way, the end result is the same and it’s just a matter of convincing the user to do it.
  • masonic
    masonic Posts: 27,169 Forumite
    Part of the Furniture 10,000 Posts Photogenic Name Dropper
    edited 28 October 2021 at 6:54PM
    Sensory said:
    masonic said:
    Sensory said:
    masonic said:
    Sensory said:
    masonic said:
    What RG2015 might be referring to is a telephone password that the bank must give you if they call you. One bank is now sending push notifications in their app which enable both parties to verify they are talking to the right person, rather like authorising a debit card transaction. No system is perfect though, as people can always be persuaded to do the wrong thing.
    Yes, just like convincing a victim to reveal an OTP, verifying via push notification is just another vector for fraudsters to bypass via social engineering. There are quite a few services that verify via push notification too (as an alternative in addition to OTP). As long as a system allows users to trigger a request for an OTP/push notification, there's always a possibility that a fraudster could do it too.
    I think you misunderstand. The push notification is sent by customer services at the bank to notify the customer they are on the phone to a genuine bank employee. It is sent while the bank is on the phone with the customer. The customer must authenticate within the app and confirm the notification. The customer can decline the notification if they are not currently on the phone to their bank. This gives pretty good protection because the fraudster has no way of sending the push notification (without compromising the bank's IT system) and a man in the middle would be very tricky to execute while the fraudster is on the phone with the genuine bank customer services in order to get CS to push out the notification at the right time. As such it prevents the need for customers to disclose "memorable information" to an unauthenticated caller.
    I do agree that it is easily bypassed if the customer does not know to require it whenever someone claiming to be from the bank calls.
    It’s not about specifics to an individual process. The sending of a push notification for the customer to verify is essentially no different to sending an OTP to the customer’s device so they can verify. At the moment, it may be effective barring sophisticated MitM attacks (although simultaneous mirror calls have been successfully conducted in the past), but it’s only effective if sending push notifications is ONLY ever performed when a bank cold calls a customer and becomes widespread routine practice. There are services that already verify users through push notification (e.g. when a user logs in), and if banks ever follow suit by using push notifications over or in addition to OTP (for logging in and authorising transactions), it becomes a lot easier for fraudsters to abuse.
    I disagree that push notifications are essentially the same as OTP. OTP can be disclosed to a fraudster, while push notifications communicate a signal directly between customer and the bank. A big weakness of OTP is it is often unclear what it will be used for. I also disagree that push notifications are only effective if they are only performed in the scenario mentioned. It doesn't weaken the effectiveness for a bank to also use a push notification to send the customer details of a debit card transaction that is being made for them to confirm, for example. It is simply a means of asking a question of the customer in a more secure fashion.

    It does rely on the customer to read the contents of the message and respond appropriately, but if someone calls the customer and says that they are from the bank and will just send a push notification to prove it, then the customer receives a notification stating "You are about to spend £500 at STEAMGAMES.COM LUXEMBOURG Approve/Cancel" and approves it rather than the expected notification "XXX from customer services has called your registered phone number, please confirm you are currently speaking with them Approve/Cancel", there really is no helping them.
    OTP notifications vary in their level of detail; some services are more informative with context and others are not.

    Just because OTPs can be communicated to fraudsters does not mean they are less secure within the context of impersonation during cold calls. (On a technical level SMS is more vulnerable to interception, although WhatsApp is being utilised by some services to communicate OTPs.) During cold call impersonations, the fraudster simply needs to convince the user to take action. With OTPs, the OTP needs to be communicated to the fraudster, and the fraudster then verifies with the bank; with push notifications, the verification is direct by the user; either way, the end result is the same and it’s just a matter of convincing the user to do it.
    Yes, I've been disappointed with the content of OTP notifications, but that is more of an implementation issue. Such a shame the OP's game changing alternative looks unlikely to be realised. We had the potential to consign all of these flawed methods to the dustbin.
  • AskAsk
    AskAsk Posts: 3,048 Forumite
    1,000 Posts Fourth Anniversary Name Dropper Photogenic
    cx6 said:
    45 mins? You lucky lucky person.....

    I had to go down to the branch with my passport.

    The transfer, by the way, was to an account in my own name, albeit at a different bank.
    This wasn't Santander, was it? I opened a new savings account with them many years ago, put in about £21k in total, and when I tried to withdraw £4,000 it blocked my account and I had to go into the branch with ID.

    I was told that this was too large an amount and so my account had been frozen! In the meantime they conveniently continued to accept money into the account but wouldn't let me withdraw anything until I presented ID at the branch.

    That was the first time I ever had this problem with a savings account, so I have avoided Santander since that time.
  • RG2015
    RG2015 Posts: 6,045 Forumite
    Ninth Anniversary 1,000 Posts Name Dropper Photogenic
    UKMAN1969 said:
    RG2015 said:
    Have you shared your idea with anyone; for example friends or family?

    Do they agree that your idea is a game changer?

    Hi, yes, I have shared it with family and a few trusted friends; they agree it's a game changer.
    Good luck.

    Remember that many of the great ideas in history were invariably laughed at. You need to have the courage of your convictions.

    You may get some inspiration from the internet but this site is unlikely to help you in any way.

    I like to believe that I know banking quite well, but I cannot imagine anything that would live up to your claims.
  • born_again
    born_again Posts: 20,320 Forumite
    10,000 Posts Fifth Anniversary Name Dropper
    UKMAN1969 said:

    Hi Everyone,

    I am new here and I have come here after exhausting other avenues.

    2 years ago I came up with a simple solution to end bank fraud/scams, meaning the end of scam phone calls, emails, texts and websites.

    The banks lose hundreds of millions of pounds every year due to this type of fraud/scam. I have sent many emails to the bank bosses but never even had a reply.

    I know my idea could be worth a lot of money, not only to me but also to all banks; it also has many other applications.

    Currently this idea only exists in my head, but I have looked at it from every angle and have put solutions in place to make it 100% un-hackable & un-scamable. This system could be active very quickly as I don't think what I am suggesting would be hard to implement; as a customer it would take you less than 10 seconds to verify you weren't being scammed.

    I really don't understand why no one has come up with this idea before, unless the banks don't want to solve the problems.

    I am not anything to do with banks or finance etc. I am a normal bloke doing a normal job.

    So where do I go with this? Who can I contact who will listen to me and take notice? It is impossible for me, a normal bloke, to get the email address for the people within the banks who would listen to me & understand.

    Thanks Everyone

    Set up a company & then tout the system round the banks till you find one that will give it a try. But, & this is a massive one, banks' systems are not the same, and integrating anything like your idea is fraught with problems that will most likely take years to iron out.

    Less than 10 seconds for a customer to verify? It often takes longer than that to send any contact out... Then the customer has to read & respond...

    Believe me, banks employ staff that look at creating systems to do just this.

    So one good scam is intercepted emails with the scammers' bank account details rather than those of the person expecting payment...
    Just how would your half-term project system stop that?

    Life in the slow lane
  • born_again
    born_again Posts: 20,320 Forumite
    10,000 Posts Fifth Anniversary Name Dropper
    Interesting to see comments on people's actions.
    As someone who makes outbound calls, it never ceases to amaze me the number of people who will just answer your questions to go through security. Even more so when, having just gone through security, they say "How do I know you are from the bank?"


    Life in the slow lane
  • masonic
    masonic Posts: 27,169 Forumite
    Part of the Furniture 10,000 Posts Photogenic Name Dropper
    Interesting to see comments on people's actions.
    As someone who makes outbound calls, it never ceases to amaze me the number of people who will just answer your questions to go through security. Even more so when, having just gone through security, they say "How do I know you are from the bank?"
    I can understand people not wishing to phone back and risk having to wait an eternity in a queue when there is someone right there ready to help them. If one could say that no reputable bank would cold call and take you through security there and then, it would help.
    Last time I was cold called by a bank I failed my security questions (completely forgot what they were), but they overlooked that and discussed my account with me anyway, just telling me I might need to answer them correctly if I was called again in the future.