- A jetlagged Troy Hunt accidentally clicked a link and logged into an account only to realise he had been phished.
- Despite reacting quickly, attackers were able to export a mailing list for Hunt’s personal blog.
- Hunt has detailed the attack and warned his subscribers in a timely fashion.
No, absolutely not standard. This is where red flags should go up. If your bank texts you a code when you log in, then that’s what the scammers are doing (trying to log in as you, triggering the website to send you the code to confirm that it’s you logging in (except it’s not you, it’s them), and then getting you to tell them the code so they can finish logging into your account.
There are two types of texts:
The first is needed for user-initiated actions, the second is only used to ensure the person you’re talking to has access to the device on file.
When I called the actual bank, they did the second one to reset my account credentials, and again when I set up the MFA app after the trip. It’s absolutely a thing. When I call for help navigating the website, the person on the phone walks me through the SMS verification process, but explicitly tells me to not tell them that first type of code.
Scammers do the first and cannot do the second, which is why they have the warning text on the first and not the second (though there is different warning, which makes it clear they’re different). My fail was skimming the text for the number and ignoring the warning about not giving it to anyone.
I personally know of two different banks who send a notification to your phone app to verify that it’s you they are speaking with on the phone, and they will do this even when it’s them that called you and not the other way around.
It’s security theater as it doesn’t prove anything to either party (as it’s trivial for scammers to have a man-in-the-middle) but they still do it.
Then you tell them you will call them back, hang up, call the bank yourself and do it that way. If they are legit, they can tell you their name and extension and you can verify that is even real when you personally call the bank.
I did this once, it was legitimate but he refused to tell me even what department he called from. I said i wasn’t going to give personal into to an incoming call and i wasn’t calling back unless i knew why. He ended up mailing me a letter instead.
I almost got scammed a few years ago by being called about fraudulent activity the day after i reported fraudulent activities, in hindsight I think they just got lucky with timing, but I take no chances now.
Ever noticed how decades ago if someone defeated a bank’s security we called it bank robbery, but now it’s called identity theft and we get blamed for it.
USAA does this when someone calls in, but I think that last part is the real difference here