She got scammed, almost

Reading Time: 8 minutes

Above: Photo by HighwayStarz/Depositphotos

The bad guy always makes the threat in an action movie: “Don’t mess with my money.”

Most of us can relate and a surefire way to make someone feel sick to their stomach is to mess with or just attempt to mess with the money in their bank account.

That’s what happened to a Facebook user, Jordan Benston who posted about her experience of talking to the person who more than likely hacked her account. Her post has been shared more than 3,745 times, has more than 216,000 views and is a testimony to the advice, “Hang up and call them back”

Her frightening experience began when her phone rang and she picked it up to see that the call was coming from the same number that she had saved for her bank, Bank of America (she’s American). Don’t relax though, because versions of this can still happen in Trinidad and Tobago.
The “customer service representative” on the line said she was calling about Jordan’s account number and told her that there had been some fraudulent activity observed on the account and asked whether she was traveling.

Benston was not and said so and was then  asked to read out a verification code that the bank was going to send her to verify her identity. The text message came, she read out the code over the phone but then had second thoughts, hung up and called the bank back.

At this point she was informed that no one from the bank had called her. At the same time in the 3 minutes it had taken for everything to happen she started receiving text messages saying that her account ID had been looked up and her on-line password had been changed.

She was now locked out of her account. She was shocked at how quickly it had happened and the fact that the call and each of the text messages had come from the number she had saved for Bank of America on her phone.

The problem is that as life become more complex and technical there can be gaps in our understanding that give people opportunities to manipulate others.

What happened was simple. When you forget your user id or password for many on-line accounts including some banks, and you click on the “Forgot my password” link, somewhere along the line you can often choose to have a verification text message code sent to the phone number listed on your account.

This code can then be entered on-line to verify that you are indeed the account owner and not a random hacker trying to break into the account and you are then led to a screen where you can change your password.

If someone is trying to hack your account and they can get you to tell them the verification code that was sent to your phone, after they themselves requested the code, then they can change your password and lock you out of your account. That’s apparently what happened to Benston.

The second part of the hack is calling the intended victim from Bank of America’s number or any bank’s number for that matter, even a Trinidad and Tobago bank.

Unfortunately, due to strides in technology, that magic trick is not too hard for your sophisticated scammer. For one thing it’s easy to rent a virtual phone number on-line. If you do a search for it quite a few companies should come up.

Another unfortunate fact is that you can use that number, usually a US number, to pretend to be virtually any other number even the phone number of the victim that you are calling. That means someone can also pretend to be calling from Trinidad and Tobago, and from any number that you can think of, your bank, your mother, your sibling, the police, anyone.

I went to Bank of America’s website to see what one might have to do in order to have a verification code sent to one’s phone when one wants to reset one’s password and unfortunately the situation was worse than I thought for Benston.

In order to request a password reset, someone had to know the person’s card or account number plus their Social Security number, which is like our ID card number but much more important. Failing that one would have to know the account number, the card number and  pin number. This means that someone had a lot of information about Jordan.

Luckily for Benston she was able to have the bank lock down her account and said she was in the process of getting new account numbers but in the meantime her life was completely disrupted. All of her pending transactions were canceled and she couldn’t even get money from her own account beyond the cash she had in hand.

So can this happen to you in Trinidad and Tobago with your bank account? In a very broad sense yes it’s possible. Would the steps be exactly the same? Probably not, but the closer they are to what happened to Jordan Benston the more concerned I would be because as we saw, the only thing the hackers needed from her was the confirmation code, which means information like her Social Security number or her bankcard pin number were already in someone’s hands.

So can this happen to you in Trinidad and Tobago with your bank account? In a very broad sense yes it's possible. Would the steps be exactly the same? Probably not.

The more information someone has about you the easier you are to exploit. And worse, if people have your date of birth, ID card number, driver’s license number, your vulnerabilities multiply. Those numbers aren’t changing, they can always try again.

A major problem at the heart of this story is the threat of social engineering and a lack understanding on the part of Benston and the rest of us. Social Engineering is a decades old term that I believe started with hacking .

It’s a clever way of manipulating people into giving you information they shouldn’t, which is what happened with Benston. The problem is that as life become more complex and technical there can be gaps in our understanding that give people opportunities to manipulate others.

The specific technical issue that this story deals with and that Benston didn’t appreciate is called two-factor authentication. The password we’ve been using for ages and a one time code that we can retrieve by trusted text, email, phone call and perhaps phone app is one example.

The code, this second factor is usually meant to protect us by making a hacker or scammer have something extra to do rather than just stealing our password. And in the case of Benston, it could be said that the system kind of worked but because Jordan didn’t immediately fully appreciate how two factor authentication is meant to work it almost didn’t.

Of course the alerts about her account ID and password change mean that the situation luckily was not as dire as it seemed, since she would have gotten these in any event.

Two factor authentication is being used by banks in Trinidad. For older accounts at the banks that I’m familiar with, they still allow many actions to be performed without two factor authentication. So in the case of those older accounts a hacker wouldn’t necessarily have to call the account owner given enough information, such as the name of the person’s first pet :-)

For new accounts, at least one bank requires that clients use an app to generate a one time code that needs to be entered along with one’s user ID and password.

This is more secure and adds another layer of protection but for more mature clients and even some younger ones it adds complexity to on-line banking and sometimes that same complexity can be exploited.

It also necessitates the use of a smart-phone, which might not be something that some more mature clients take to readily.

For Benston, the two factor authentication system worked because it forced the hacker to call her in order to try to get the verification code. The system failed because – and I’m drawing from my personal experience here – humans don’t usually use verification codes with each other even if it’s a bank CSR.

We ask for driver’s license numbers and ID card numbers and Social Social Security numbers, dates of birth and other common identifiers. They are numbers but they aren’t “codes”.

Verification codes are used in the way a password is and it should be drummed into many of our heads by now, “the bank will never ask for your password.” Further, a bank, in the person of a human will never ask you for your verification code. Certainly not after the initial setup of your account at any rate.

I’ve never heard of someone asking for a verification code, and that might have been what triggered Benston to hangup and call the bank, the very oddness of the request.

I also can’t imagine how the hacker thought they would be able to get past the notifications that would be sent to Benston about her password change at least. Against certain people this attack might have worked flawlessly.

If Benston hadn’t called the bank immediately or didn’t have her account arranged to send notifications that she would immediately see, things might have been different. Most bank transactions are traceable if not reversible especially on the scale of hours and even a day or two.

Some critical points to consider.

  • Always try to call the company/bank/person back before you give out any information whatsoever. While there is technology to intercept calls to reroute them “Mission Impossible” style, unless you’re a “bigfish” you are simply not worth the effort that this would take at this time. This is along the lines of how the US allegedly bugged Germany’s leader’s cell phone.

  • If you happen to be a “bigfish” you can try using a landline since this could potentially increase the effort it would take to reroute your call. Sooner or later if it hasn’t happened already, these fake calls will come to Trinidad and Tobago. They are very easy to accomplish and given other techniques such as those used by a company know as Lyrebird, EVEN if you recognise the voice of the person that called you, you should probably call them back if you have the slightest doubt.

  • When it comes to the technology that you use, online banking, emailing, even auto mechanics, try harder to at least understand the basics of the how and the why. Ask your questions until the point where when you say “So what you’re saying is blah blah blah” you get a “Yes correct!”. Then corroborate with someone else so that you’re sure the person you asked wasn’t just trying to get rid of you. If you feel that you’re asking the wrong person, ask someone else. Take your time, but get the answers that will keep you and your money safe. You can Google it, but some people like talking to other people.

I remember I did this in a course during the last class before an exam. I kept asking the professor questions about things that weren’t too clear to me. Everyone else in the class was upset, they just wanted to leave class early and my questions were apparently keeping the class from ending.

As it turned out I got the highest grade in the class by a wide margin. Apparently they don’t give any points for leaving class early and there are no “do overs” in life when it comes to being scammed.

Fitzgerald Trevis Scott is lead programmer and Managing director of Scott and Associates, IT Services. He has over 15 years of experience managing teams, networking administration, end-user support, setting up servers, database development and many other IT support areas.

He can be reached via at by email, 868-295-5788 or on his website at fitzgeraldscott.com