- Todd's Blog has 680 entries (4 private) and has been viewed 2,784,488 times.
- Lottery Post members have made 2789 comments in Todd's Blog.
- Todd is a Platinum member
April 23, 2020, 8:52 pmWhen in Doubt: Hang Up, Look Up, & Call Back
This is a fantastic article that describes how complex scams can work. It is based on an actual scam that fooled even a security-conscious person.
When in Doubt: Hang Up, Look Up, & Call Back
Many security-conscious people probably think they'd never fall for a phone-based phishing scam. But if your response to such a scam involves anything other than hanging up and calling back the entity that claims to be calling, you may be in for a rude awakening. Here's how one security and tech-savvy reader got taken for more than $10,000 in an elaborate, weeks-long ruse.
Today's lesson in how not to get scammed comes from "Mitch," the pseudonym I picked for a reader in California who shared his harrowing tale on condition of anonymity. Mitch is a veteran of the tech industry — having worked in security for several years at a fairly major cloud-based service — so he's understandably embarrassed that he got taken in by this confidence scheme.
On Friday, April 17, Mitch received a call from what he thought was his financial institution, warning him that fraud had been detected on his account. Mitch said the caller ID for that incoming call displayed the same phone number that was printed on the back of his debit card.
But Mitch knew enough of scams to understand that fraudsters can and often do spoof phone numbers. So while still on the phone with the caller, he quickly logged into his account and saw that there were indeed multiple unauthorized transactions going back several weeks. Most were relatively small charges — under $100 apiece — but there were also two very recent $800 ATM withdrawals from cash machines in Florida.
If the caller had been a fraudster, he reasoned at the time, they would have asked for personal information. But the nice lady on the phone didn't ask Mitch for any personal details. Instead, she calmly assured him the bank would reverse the fraudulent charges and said they'd be sending him a new debit card via express mail. After making sure the representative knew which transactions were not his, Mitch thanked the woman for notifying him, and hung up.
The following day, Mitch received another call about suspected fraud on his bank account. Something about that conversation didn't seem right, and so Mitch decided to use another phone to place a call to his bank's customer service department — while keeping the first caller on hold.
"When the representative finally answered my call, I asked them to confirm that I was on the phone with them on the other line in the call they initiated toward me, and so the rep somehow checked and saw that there was another active call with Mitch," he said. "But as it turned out, that other call was the attackers also talking to my bank pretending to be me."
Mitch said his financial institution has in the past verified his identity over the phone by sending him a one-time code to the cell phone number on file for his account, and then asking him to read back that code. After he hung up with the customer service rep he'd phoned, the person on the original call said the bank would be sending him a one-time code to validate his identity.
Now confident he was speaking with a representative from his bank and not some fraudster, Mitch read back the code that appeared via text message shortly thereafter. After more assurances that any additional phony charges would be credited to his account and that he'd be receiving a new card soon, Mitch was annoyed but otherwise satisfied. He said he checked his account online several times over the weekend, but saw no further signs of unauthorized activity.
That is, until the following Monday, when Mitch once again logged in and saw that a $9,800 outgoing wire transfer had been posted to his account. At that point, it dawned on Mitch that both the Friday and Saturday calls he received had likely been from scammers — not from his bank.
Another call to his financial institution and some escalation to its fraud department confirmed that suspicion: The investigator said another man had called in on Saturday posing as Mitch, had provided a one-time code the bank texted to the phone number on file for Mitch's account — the same code the real Mitch had been tricked into giving up — and then initiated an outgoing wire transfer.
It appears the initial call on Friday was to make him think his bank was aware of and responding to active fraud against his account, when in actuality the bank was not at that time. Also, the Friday call helped to set up the bigger heist the following day.
Mitch said he and his bank now believe that at some point his debit card and PIN were stolen, most likely by a skimming device planted at a compromised point-of-sale terminal, gas pump or ATM he'd used in the past few weeks. Armed with a counterfeit copy of his debit card and PIN, the fraudsters could pull money out of his account at ATMs and go shopping in big box stores for various items. But to move lots of money out of his account all at once, they needed Mitch's help.
To make matters worse, the fraud investigator said the $9,800 wire transfer had been sent to an account at an online-only bank that also was in Mitch's name. Mitch said he didn't open that account, but that this may have helped the fraudsters sidestep any fraud flags for the unauthorized wire transfer, since from the bank's perspective Mitch was merely wiring money to another one of his accounts. Now, he's facing the arduous task of getting identity theft (new account fraud) cleaned up at the online-only bank.
Mitch said that in retrospect, there were several oddities that should have been additional red flags. For one thing, on his outbound call to the bank on Saturday while he had the fraudsters on hold, the customer service rep asked if he was visiting family in Florida.
Mitch replied that no, he didn't have any family members living there. But when he spoke with the bank's fraud department the following Monday, the investigator said the fraudsters posing as Mitch had succeeded in adding a phony "travel notice" to his account — essentially notifying the bank that he was traveling to Florida and that it should disregard any geographic-based fraud alerts created by card-present transactions in that region. That would explain why his bank didn't see anything strange about their California customer suddenly using his card in Florida.
Also, when the fake customer support rep called him, she stumbled a bit when Mitch turned the tables on her. As part of her phony customer verification script, she asked Mitch to state his physical address.
"I told her, 'You tell me,' and she read me the address of the house I grew up in," Mitch recalled. "So she was going through some public records she'd found, apparently, because they knew my previous employers and addresses. And she said, 'Sir, I'm in a call center and there's cameras over my head. I'm just doing my job.' I just figured she was just new or shitty at her job, but who knows maybe she was telling the truth. Anyway, the whole time my girlfriend is sitting next to me listening to this conversation and she's like, 'This sounds like bullshit.'"
Mitch's bank managed to reverse the unauthorized wire transfer before it could complete, and they've since put all the stolen funds back into his account and issued a new card. But he said he still feels like a chump for not observing the golden rule: If someone calls saying they're from your bank, just hang up and call them back — ideally using a phone number that came from the bank's Web site or from the back of your payment card. As it happened, Mitch only followed half of that advice.
What else could have made it more difficult for fraudsters to get one over on Mitch? He could have enabled mobile alerts to receive text messages anytime a new transaction posts to his account. Barring that, he could have kept a closer eye on his bank account balance.
If Mitch had previously placed a security freeze on his credit file with the three major consumer credit bureaus, the fraudsters likely would not have been able to open a new online checking account in his name with which to receive the $9,800 wire transfer (although they might have still been able to wire the money to another account they controlled).
As Mitch's experience shows, many security-conscious people tend to focus on protecting their online selves, while perhaps discounting the threat from less technically sophisticated phone-based scams. In this case, Mitch and his bank determined that his assailants never once tried to log in to his account online.
"What's interesting here is the entirety of the fraud was completed over the phone, and at no time did the scammers compromise my account online," Mitch said. "I absolutely should have hung up and initiated the call myself. And as a security professional, that's part of the shame that I will bear for a long time."
January 28, 2018, 8:45 amInteresting look at how good Google Maps have become
February 5, 2017, 11:05 pmBest SB ever
I'd say that ranked as the best Super Bowl game ever. Amazing! Congrats to the Patriots, especially Tom Brady. I think he settled who is the best QB of all time.
January 29, 2017, 11:12 amBrowser makers say decry the use of antivirus -- except Microsoft Defender
Anyone who has visited my blog in the past probably knows that I have been advocating for years that Windows users should completely remove all anti-virus software — except for Microsoft's built-in Defender software (which used to be called Microsoft Security Essentials).
Now it seems that major technology companies — the companies that build the web browser that you are using right now to look at this post — are saying the same thing. Using McAfee, Semantec, Kasperski, etc., actually erodes the security of your web browser, rather than making it more secure. The article I have linked below describes why this is. Basically it boils down to the fact that the browser makers build in all kinds of advanced threat prevention and then when you install anti-virus software it basically disables all that built-in security and replaces it with their own rather insecure and outdated program code.
If you're using Windows 8, 8.1, or 10, all the protection you need is built into the operating system, and installing additional security software is not only pointless, but makes your computer less secure, in the opinion of the biggest technology companies. Windows 7 and Windows Vista did not come with the software built-in, but it can be installed for free. Whether it is built-in or installed by you, any additional anti-virus software can be safely uninstalled using the Programs and Features applet in the Windows Control Panel.
Here's a link to the article in question:
Last Edited: January 29, 2017, 11:13 am
June 14, 2016, 8:25 pm"Second Cousins," "Once Removed", and More Explained in Chart Form
Really interesting article clearly defines these confusing terms in chart form.
May 6, 2016, 9:57 amSubscribing to Apple Music will delete your files
It looks like this rarely-reported fact is finally getting some mainstream attention. Check out the article (link below) by a composer who writes that when he subscribed to Apple Music, the service systematically deleted the 122GB of music on his computer — including music he composed himself and rare recordings of various songs.
Apple seems to get a pass on these things in the media, which for some reason is infatuated with the company. Any other company would be excoriated for doing stuff like this.
I never have, and never will, subscribe to Apple services for reasons like this. I do not even enable iCloud, other than for backing up my phone.
Microsoft's OneDrive music service and Groove music pass are much better, IMHO. If you have your own music library, you just copy the music into your OneDrive Music folder (which retains the original files on your PC) and then the service lets you stream that music on any device, including iPhone and Android phones. That's a free feature of OneDrive + the Groove app, which is pretty incredible. If you optionally purchase the Groove music pass service you can also stream any music (not just music you own) to any device.
Last Edited: May 6, 2016, 9:57 am
March 20, 2016, 5:33 pmWhirlpool is the last American appliance manufacturer
If Donald Trump is not elected, I wonder how long it will be before Whirlpool moves to China or Mexico.
January 8, 2016, 11:45 amStill running Windows 8? Time to upgrade, or else
I see from the Lottery Post web stats that many people are still running Windows 8 on their computers. If you're one of these people, you really need to do the free upgrade to Windows 10.
Here is the link to an article that came out today describing WHY it is so important to upgrade: http://www.zdnet.com/article/still-running-windows-8-time-to-upgrade-or-else/
You should leave yourself about an hour to do the free upgrade. When you're ready, go to the following link and get started: https://www.microsoft.com/en-us/software-download/windows10
Last Edited: January 8, 2016, 11:46 am
April 6, 2015, 7:16 pmNew Microsoft Surface 3
I've been a huge fan of Microsoft's Surface Pro 3 ever since it came out last August. I purchased one of the Intel i7 models, and it was able to successfully replace my laptop, just as Microsoft claimed it could.
It's an incredible computer/tablet.
Now Microsoft has come out with the Surface 3 (note the word "Pro" missing), which is available for pre-order, and ships in early May.
I was at a Microsoft store in the mall today, and Microsoft has a bunch of the new Surface 3's that you can play with in the store.
All I can say is wow, they have done it again. The thing is a perfect replacement for an iPad, as the size is very similar, and it's extremely light-weight -- and silent, due to the fact that it is fanless. And it starts at $499!
While the Surface Pro 3 does offer the ability to be just a tablet when you remove the keyboard, the new Surface 3 is that tablet you can just chuck in a bag to read a book someplace, and easily lounge around on the couch and surf the Internet on. The fact that it is so light and portable makes it even more amazing that the thing is a full Windows computer also, able to run anything that a desktop PC can run. And the screen is spectacular -- great colors and better than HD (1080P) resolution.
Now, I love Apple hardware, particularly the iPad and iPhone. But the thing I hate about Apple products is the operating system. I really dislike how Apple forces you to use everything within their "walled-off" ecosystem, and if Apple doesn't specifically allow something on their devices, you're out of luck.
You have some music on your computer that you want to put on your iPhone or iPad? You practically need to be a rocket scientist to get it into iTunes and then synchronized onto your device. It's great for Apple, because it "forces" people to buy their music through Apple's store, but not so great for users who want to be able to use what they already have.
So the fact that Microsoft is starting to make really terrific products that can match (and exceed) what Apple has out there is great news for me -- one step closer to living Apple-free!
Last Edited: April 6, 2015, 7:17 pm
August 27, 2014, 10:45 am64-bit version of Google Chrome finally available
Google has finally released a 64-bit version of its Chrome web browser. Also included in the latest release is improved font rendering, meaning that text appears much crisper, especially on high resolution displays.
They do make it a little tricky to upgrade to the 64-bit version though. It doesn't automatically upgrade from 32-bit to 64-bit.
To do it, you need to re-install the browser, which is not as bad as it sounds. Here are the steps:
- Go to the Google Chrome download page for 64-bit Windows
- Download and do the install (pretty simple)
- Restart the browser after the install is complete
- After restarting, to verify that you are running the 64-bit version, click "About Google Chrome" in the main menu, and you should see the version number as "Version 37.0.2062.94 unknown-m (64-bit)"
April 5, 2014, 8:50 amHow wolves changed an entire ecosystem
This video, less than 5 minutes long, is pretty incredible.
March 3, 2014, 9:56 pmSwitching back to Internet Explorer
After using Google Chrome as my daily Web browser for the last few years, I'm now switching back to Internet Explorer, at least for a while.
Chrome is a fantastic Web browser, but as of the past few versions, something is wrong.
I always keep many tabs open, because during the day I constantly need to switch to various Web pages. It's part of my work stream.
The problem is that Chrome seems to have developed some memory problems -- or something like that. I have gotten to the point where I need to restart the browser at least once a day, just to "clear out the gunk". I restart the browser and all of those dozen tabs or so are running snappily again. And then they start slowing down until I need to restart again.
So it's back to IE. I'm now using IE 11 running on Windows 8.1.
IE11 has most of the features that I love about Google Chrome. Mainly the ability to automatically syncronize bookmarks, settings, and tabs between computers. Plus at this point it's just as fast as Chrome, and it supports most of the same modern Web standards -- so you won't have to be left in the stone ages anymore.
And now that I mention syncing bookmarks and such, I should mention that's one great feature about Windows 8.1: complete intergration of SkyDrive (which has recently been renamed to OneDrive). What a great service.
Everything is setup to be able to automatically save to the "cloud", which is like an extra hard drive attached to your computer, except it's stored on the Internet. So you never need to worry about losing your documents in SkyDrive, because Microsoft automatically backs everything up. And because it's stored in the "cloud" you can access all of your files on any computer instantly. The IE11 Web browser uses SkyDrive (OneDrive) behind the scenes to automatically syncronize all your bookmarks, settings, tabs, etc.
So I guess we'll see how this works out. Who knows, maybe I'll be back on IE for a few years.
August 22, 2013, 10:25 amYour perilous future on Windows XP
If you are still using Widnows XP on your computer, you need to read this article. Especially if you are under the impression that you don't need to upgrade because "you don't need new features", or because "it works fine right now as it is", or any other reason.
July 11, 2013, 9:05 amBest product demonstration of 2013
How many times can you say "WOW"?
The best part? You can buy it now right here!
Last Edited: July 11, 2013, 9:08 am
May 6, 2013, 11:37 amVideo: How the new Corvette interior was designed
This is a really interesting presentation that shows how the new C7 Corvette interior was designed, starting early on with sketches, and proceeding to clay and real material mockups. There is a great amount of detail in the second half in the Q&A part. It sounds like the audience is made up of dealers who want to know the details.