Wednesday, September 7, 2011

Ingenious fraud

I just got an SMS from 503-929-3160 with the text:
WELLS FARGO ALERT: Your ATM CARD has been DEACTIVATED. Please contact us at: 650-550-9255.

There were two tip-offs that this was a fraud: first, the stereotypical use of unnecessary capitalization and, second, the fact that I don't have an account with Wells Fargo.

Out of curiosity, I called the number and was greeted by an automated voice claiming to be the Wells Fargo card activation line and asking me to enter my 16-digit card number. I entered a bogus card number (sixteen ones) and was promptly cut off. Rumor has it that if you enter something with a valid check digit, the automated service will then prompt for your PIN and then proceed to drain your account.
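The "valid check digit" that the scam's voice menu apparently screens for is the Luhn check digit that real card numbers carry, and it explains why sixteen ones get an immediate hang-up: they fail the check. The following is an added example, not code from the original post, that implements the Luhn check and shows the bogus entry failing while 4111111111111111 (a widely published test number, used here as constructed input) passes. The function names are my own.

```python
def luhn_checksum(digits: str) -> int:
    """Luhn sum mod 10 of a digit string.

    The rightmost digit is treated as the check digit and is not doubled;
    every second digit moving left from it is doubled, and products above 9
    have 9 subtracted (equivalent to summing the product's two digits).
    """
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10


def normalize(number: str) -> str:
    """Strip spaces and dashes so '4111 1111 1111 1111' is accepted."""
    return "".join(ch for ch in number if ch.isdigit())


def is_luhn_valid(number: str) -> bool:
    """True if the digit string passes the Luhn check (empty input fails)."""
    digits = normalize(number)
    return bool(digits) and luhn_checksum(digits) == 0


def luhn_check_digit(payload: str) -> str:
    """Check digit that makes payload + digit pass the Luhn check.

    Appending a placeholder 0 puts the payload digits in the same
    doubled/undoubled positions they will occupy once the real check
    digit is appended, so the needed digit is whatever closes the sum
    to a multiple of 10.
    """
    digits = normalize(payload)
    return str((10 - luhn_checksum(digits + "0")) % 10)


if __name__ == "__main__":
    # Constructed inputs: the bogus entry from the post and a public test number.
    for entry in ("1" * 16, "4111111111111111", "4111 1111 1111 1111"):
        verdict = "accepted" if is_luhn_valid(entry) else "rejected"
        print(f"{entry!r}: {verdict}")
    print("check digit for 411111111111111:", luhn_check_digit("411111111111111"))
```

Note that the Luhn check only detects typos; it carries no secret, so passing it proves nothing about a caller, and a phishing IVR can use it just as easily as a bank's to weed out deliberately bogus entries.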

The ingenious part of this scam is that it relies on the fact that there is no way to authenticate who sent an SMS: the originating number is just a field in the message, and nothing in what arrives on your handset proves that the number shown actually sent it. With online phishing attacks you can look at the URL to confirm that you are dealing with the entity you expect. In addition, banks and other high-profile web sites get Extended Validation certificates for their websites to make it clearer when you are interacting with the real thing. But there is no such thing for text messages: you just see a phone number. How many people know the phone number of their bank and/or have entered it into their phone's address book? The only number worth trusting is the one printed on the back of the card, and that, not the one in the message, is the number to call if an alert like this arrives.

With services like Twilio making it trivial for ne'er-do-wells to extend their phishing attacks out of cyberspace into telephony, I suspect we'll be seeing more of these types of fraud attempts in the future. Of course, savvy people will never trust random text messages, but that still leaves a huge potential target for increasingly sophisticated fraud. God knows I hope my mother doesn't get one of these texts.