This is very scary for the average person. I've taken to simply not answering any questions (not even to confirm my name) if someone calls me. If my bank calls me then I call them back on a number that's on their web site.
I'm always amazed at how stupid the security situation is in these cases. Banks, telecoms services, etc. do actually call up and try to 'take me through security', and when I say "tell me something you know about me first so I know you're who you say you are", the best they can usually manage is "well, uh, you bank with [Bank]". It just perfectly trains us to fall for scams.
I’ve tried getting them to give me a checksum to verify validity. For example, tell me the sum of the last four digits of my card number. They always refuse, so I always hang up and call back. Too bad they don’t understand that giving out a checksum is not insecure.
Well, yeah, if it's not standard operating procedure I'd hope they'd refuse.
Now, it should be supported, but I don't want the folks on the front lines guessing (or figuring out on their own) what sorts of mathematical games are safe. Erring on the side of caution is the right approach for CSRs.
I've read many articles about people who were scammed, and the bank refuses to give them any money back, on the grounds it was the fault of the customer to get scammed.
So given banks have nothing to lose by scams, I suppose that explains why they just don't care about the fact they're training users to ignore them. The bank just does whatever's easiest for it, which in this case is just to call the customer.
I've even had a bank rep get angry at me for refusing to answer their questions on the cold call. I presume it wasn't phishing because when I called back on the legit number they did want to talk to me. It was a long time ago so I forget, but I think they were trying to upsell me, so maybe that's why he got angry, i.e. no commission for him.
Being on HN I don't think I'm the average person, but I wouldn't rule out falling for this at some point in the future as well. But doubly so for my non-technical parent or partner, I guess.