I got scammed at the end of last week. All sorted and no harm done,
but the scammer told me that the normal security checks such as
mother's maiden name etc was no longer being used, and everything was
being done via the Pinsentry system. After resistance from me I
eventually went along with it and gave him all he asked for! :-(

As I said, no harm done because I immediately contacted my bank who
blocked everything, but be aware that the scammers are now trying to
use the Pinsentry system to get account details etc from people who
are unfamiliar with Pinsentry.

Different banks may have different names for the system. It's
basically a card reader that can confirm a person's identity. It's a
pity the banks don't have a similar system for confirming who they
are, so that the private individual can check they're not talking to a
scammer.

--
Chris

On 23/10/2022 13:49, Chris Hogg wrote:
> I got scammed at the end of last week. All sorted and no harm done,
> but the scammer told me that the normal security checks such as
> mother's maiden name etc was no longer being used, and everything was
> being done via the Pinsentry system. After resistance from me I
> eventually went along with it and gave him all he asked for! :-(
>
> As I said, no harm done because I immediately contacted my bank who
> blocked everything, but be aware that the scammers are now trying to
> use the Pinsentry system to get account details etc from people who
> are unfamiliar with Pinsentry.
>
> Different banks may have different names for the system. It's
> basically a card reader that can confirm a person's identity. It's a
> pity the banks don't have a similar system for confirming who they
> are, so that the private individual can check they're not talking to a
> scammer.
>
How did they contact you?

When I refused to give details to someone who claimed to be from my
bank, they said 'well call the number on your card'

--
You can get much farther with a kind word and a gun than you can with a
kind word alone.

Al Capone

On 23/10/2022 14:23, The Natural Philosopher wrote:
> On 23/10/2022 13:49, Chris Hogg wrote:
>> I got scammed at the end of last week. All sorted and no harm done,
>> but the scammer told me that the normal security checks such as
>> mother's maiden name etc was no longer being used, and everything was
>> being done via the Pinsentry system. After resistance from me I
>> eventually went along with it and gave him all he asked for! :-(
>>
>> As I said, no harm done because I immediately contacted my bank who
>> blocked everything, but be aware that the scammers are now trying to
>> use the Pinsentry system to get account details etc from people who
>> are unfamiliar with Pinsentry.
>>
>> Different banks may have different names for the system. It's
>> basically a card reader that can confirm a person's identity. It's a
>> pity the banks don't have a similar system for confirming who they
>> are, so that the private individual can check they're not talking to a
>> scammer.
>>
> How did they contact you?
>
> When I refused to give details to someone who claimed to be from my
> bank, they said 'well call the number on your card'

That isn't good enough either if you do it on the same phone line.

A well equipped bad actor can play dial tone to you and hold the line
open and them pretend to answer as your bank after you have dialed the
right number on your bank card. I think telco's have shortened the delay
before the line drops to mitigate against this trick.

--
Regards,
Martin Brown

On 23/10/2022 13:49, Chris Hogg wrote:
> I got scammed at the end of last week. All sorted and no harm done,
> but the scammer told me that the normal security checks such as
> mother's maiden name etc was no longer being used, and everything was
> being done via the Pinsentry system. After resistance from me I
> eventually went along with it and gave him all he asked for! :-(

So you mean he tricked you into entering your card number and doing the
ID me by PIN and passing him that information (possibly allowing access
to your bank account). I suggest you contact R4 You & Yours they will
love this as a story of the latest scam - I can see lots of people
falling for it if the spiel on the other end of the line is done well.

My default position is always that all cold callers are presumed hostile
until proved innocent. Usually they can't do that to my satisfaction.

> As I said, no harm done because I immediately contacted my bank who
> blocked everything, but be aware that the scammers are now trying to
> use the Pinsentry system to get account details etc from people who
> are unfamiliar with Pinsentry.
>
> Different banks may have different names for the system. It's
> basically a card reader that can confirm a person's identity. It's a
> pity the banks don't have a similar system for confirming who they
> are, so that the private individual can check they're not talking to a
> scammer.

My position with cold calls from people pretending to be my bank is

"*YOU* cold called me so until you prove who *YOU* are I'm not going to
confirm or deny who *I* am. If it so important then ring back when you
have put someone on the line who can prove to me that you are my bank
otherwise put it in writing and send it to my home address."

We deadlock at this point. Most often it really is my bank trying to
sell me something that makes their sales droid a handsome commission.

Only twice in several decades has it been a real fraud alert (and they
do ring back PDQ) and then ask a very specific question like:

"Was this transaction on <date> for <amount> with <company> really made
by you?"

--
Regards,
Martin Brown

On 23/10/2022 13:49, Chris Hogg wrote:
> I got scammed at the end of last week. All sorted and no harm done,
> but the scammer told me that the normal security checks such as
> mother's maiden name etc was no longer being used, and everything was
> being done via the Pinsentry system. After resistance from me I
> eventually went along with it and gave him all he asked for! :-(
>
> As I said, no harm done because I immediately contacted my bank who
> blocked everything, but be aware that the scammers are now trying to
> use the Pinsentry system to get account details etc from people who
> are unfamiliar with Pinsentry.
>
> Different banks may have different names for the system. It's
> basically a card reader that can confirm a person's identity. It's a
> pity the banks don't have a similar system for confirming who they
> are, so that the private individual can check they're not talking to a
> scammer.
>

Barclays does have just that system. You set up a word or phrase
on your Barclays PinSentry app that only the genuine bank will
know about.

On 23/10/2022 14:31, Martin Brown wrote:
> On 23/10/2022 14:23, The Natural Philosopher wrote:
>> On 23/10/2022 13:49, Chris Hogg wrote:
>>> I got scammed at the end of last week. All sorted and no harm done,
>>> but the scammer told me that the normal security checks such as
>>> mother's maiden name etc was no longer being used, and everything was
>>> being done via the Pinsentry system. After resistance from me I
>>> eventually went along with it and gave him all he asked for! :-(
>>>
>>> As I said, no harm done because I immediately contacted my bank who
>>> blocked everything, but be aware that the scammers are now trying to
>>> use the Pinsentry system to get account details etc from people who
>>> are unfamiliar with Pinsentry.
>>>
>>> Different banks may have different names for the system. It's
>>> basically a card reader that can confirm a person's identity. It's a
>>> pity the banks don't have a similar system for confirming who they
>>> are, so that the private individual can check they're not talking to a
>>> scammer.
>>>
>> How did they contact you?
>>
>> When I refused to give details to someone who claimed to be from my
>> bank, they said 'well call the number on your card'
>
>
> That isn't good enough either if you do it on the same phone line.
>
> A well equipped bad actor can play dial tone to you and hold the line
> open and them pretend to answer as your bank after you have dialed the
> right number on your bank card. I think telco's have shortened the delay
> before the line drops to mitigate against this trick.
>

Old hat. That was effectively closed ages ago and Digital Voice phones
plugged into your router are immune to it.

On Sun, 23 Oct 2022 14:23:10 +0100, The Natural Philosopher
<tnp@invalid.invalid> wrote:

>>
>How did they contact you?

Telephone.

--
Chris

On Sun, 23 Oct 2022 14:32:49 +0100, Andrew
<Andrew97d-junk@mybtinternet.com> wrote:

>>
>> Different banks may have different names for the system. It's
>> basically a card reader that can confirm a person's identity. It's a
>> pity the banks don't have a similar system for confirming who they
>> are, so that the private individual can check they're not talking to a
>> scammer.
>>
>
>Barclays does have just that system. You set up a word or phrase
>on your Barclays PinSentry app that only the genuine bank will
>know about.

Don't know how to do that. I don't do on-line banking, internet
banking, telephone banking or whatever, and I don't have the banking
app. I regard all of them as just more to worry about and additional
ways a scammer can get access to my account. Fat lot of good it did
me! I get wiser and more paranoid every day. As I said, I managed to
get everything blocked before any damage was done, and a new card is
on its way.

--
Chris

On Sun, 23 Oct 2022 14:32:38 +0100, Martin Brown
<'''newspam'''@nonad.co.uk> wrote:

>On 23/10/2022 13:49, Chris Hogg wrote:
>> I got scammed at the end of last week. All sorted and no harm done,
>> but the scammer told me that the normal security checks such as
>> mother's maiden name etc was no longer being used, and everything was
>> being done via the Pinsentry system. After resistance from me I
>> eventually went along with it and gave him all he asked for! :-(
>
>So you mean he tricked you into entering your card number

Yes, that.

>and doing the
>ID me by PIN and passing him that information

No, I didn't give him my pin, at least not directly, unless he is able
to deduce it from my pinsentry response. Could that happen, and if so,
what's the point of pinsentry? Not a sentry at all.

--
Chris

On 23/10/2022 15:20, Chris Hogg wrote:
> On Sun, 23 Oct 2022 14:32:49 +0100, Andrew
> <Andrew97d-junk@mybtinternet.com> wrote:
>
>>>
>>> Different banks may have different names for the system. It's
>>> basically a card reader that can confirm a person's identity. It's a
>>> pity the banks don't have a similar system for confirming who they
>>> are, so that the private individual can check they're not talking to a
>>> scammer.
>>>
>>
>> Barclays does have just that system. You set up a word or phrase
>> on your Barclays PinSentry app that only the genuine bank will
>> know about.
>
No, you dont.

A Barclays PIN sentry reads your card and requests your PIN, and then
issues various authorisation codes dependent on the transaction.

> Don't know how to do that. I don't do on-line banking, internet
> banking, telephone banking or whatever, and I don't have the banking
> app. I regard all of them as just more to worry about and additional
> ways a scammer can get access to my account. Fat lot of good it did
> me! I get wiser and more paranoid every day. As I said, I managed to
> get everything blocked before any damage was done, and a new card is
> on its way.
>
PIN sentry is about the best online banking authorisation there is.
Which for Barclays, takes some achievement.

Ive never had any issues with it,m apart from the battery needing
replacing after 15 years

--
"When one man dies it's a tragedy. When thousands die it's statistics."

Josef Stalin

On 23/10/2022 15:22, Chris Hogg wrote:
> On Sun, 23 Oct 2022 14:32:38 +0100, Martin Brown
> <'''newspam'''@nonad.co.uk> wrote:
>
>> On 23/10/2022 13:49, Chris Hogg wrote:
>>> I got scammed at the end of last week. All sorted and no harm done,
>>> but the scammer told me that the normal security checks such as
>>> mother's maiden name etc was no longer being used, and everything was
>>> being done via the Pinsentry system. After resistance from me I
>>> eventually went along with it and gave him all he asked for! :-(
>>
>> So you mean he tricked you into entering your card number
>
> Yes, that.
>
>> and doing the
>> ID me by PIN and passing him that information
>
> No, I didn't give him my pin, at least not directly, unless he is able
> to deduce it from my pinsentry response. Could that happen, and if so,
> what's the point of pinsentry? Not a sentry at all.
>
No, but he would have got a valid transaction ID and been able to at
least view your account.

--
It is the folly of too many to mistake the echo of a London coffee-house
for the voice of the kingdom.

Jonathan Swift

On 23/10/2022 15:22, Chris Hogg wrote:
> On Sun, 23 Oct 2022 14:32:38 +0100, Martin Brown
> <'''newspam'''@nonad.co.uk> wrote:
>
>> On 23/10/2022 13:49, Chris Hogg wrote:
>>> I got scammed at the end of last week. All sorted and no harm done,
>>> but the scammer told me that the normal security checks such as
>>> mother's maiden name etc was no longer being used, and everything was
>>> being done via the Pinsentry system. After resistance from me I
>>> eventually went along with it and gave him all he asked for! :-(
>>
>> So you mean he tricked you into entering your card number
>
> Yes, that.
>
>> and doing the
>> ID me by PIN and passing him that information
>
> No, I didn't give him my pin, at least not directly, unless he is able
> to deduce it from my pinsentry response. Could that happen, and if so,
> what's the point of pinsentry? Not a sentry at all.

By giving him the number that PIN sentry displays after you put your PIN
into it the bank's computer will be under the impression that he is you!

I'm wondering how they got your account details to pull this trick.

PINsnetry machines should have a label on "*NEVER* disclose this number
to anyone on the phone" only enter it into a secure bank website.

--
Regards,
Martin Brown

On 23/10/2022 15:20, Chris Hogg wrote:
> On Sun, 23 Oct 2022 14:32:49 +0100, Andrew
> <Andrew97d-junk@mybtinternet.com> wrote:
>
>>>
>>> Different banks may have different names for the system. It's
>>> basically a card reader that can confirm a person's identity. It's a
>>> pity the banks don't have a similar system for confirming who they
>>> are, so that the private individual can check they're not talking to a
>>> scammer.
>>>
>>
>> Barclays does have just that system. You set up a word or phrase
>> on your Barclays PinSentry app that only the genuine bank will
>> know about.
>
> Don't know how to do that. I don't do on-line banking, internet
> banking, telephone banking or whatever, and I don't have the banking
> app. I regard all of them as just more to worry about and additional
> ways a scammer can get access to my account. Fat lot of good it did
> me! I get wiser and more paranoid every day. As I said, I managed to
> get everything blocked before any damage was done, and a new card is
> on its way.

Online banking from a well secured PC is pretty reliable. I was an early
adopter since Belgian banks had sophisticated encryption based banking
software and a digital currency Protons way back in the late 1990's.

So long as you run something like Trusteer Endpoint Protection (other
brands are available) to prevent keyboard loggers and the like and have
up to date AV software on your PC it is as secure as a bank machine.

All the banks online offerings are slightly different. Some have a
welcome page that you can customise to have a picture or phrase on so
that you will recognise it as the real one and not a carbon copy.

Increasingly they require TFA which has me waving my phone in the air at
the highest point of the garden trying to get the text before the
website times out. It is often rather touch and go.

I won't touch phone banking apps though. Anything daft enough to have my
PIN available in plaintext isn't going to have me as a user.

--
Regards,
Martin Brown

The Natural Philosopher wrote:

> Chris Hogg wrote:
>
>> Andrew wrote:
>>
>>>> It's a pity the banks don't have a similar system for confirming who
>>>> they are, so that the private individual can check they're not talking
>>>> to a scammer.
>>>
>>> Barclays does have just that system. You set up a word or phrase
>>> on your Barclays PinSentry app that only the genuine bank will
>>> know about.
>>
> No, you dont.

Yes you do, you maybe you've become blasé to it? As you start the barclays app,
it says

"Hi $firstname $lastname
please enter your 5 digit passcode
$yourchosenphrase"

I've never known them use the chosen phrase outside of the phone app though.

On Mon, 24 Oct 2022 01:49:13 +1100, Martin Brown
<'''newspam'''@nonad.co.uk> wrote:

> On 23/10/2022 15:20, Chris Hogg wrote:
>> On Sun, 23 Oct 2022 14:32:49 +0100, Andrew
>> <Andrew97d-junk@mybtinternet.com> wrote:
>>
>>>>
>>>> Different banks may have different names for the system. It's
>>>> basically a card reader that can confirm a person's identity. It's a
>>>> pity the banks don't have a similar system for confirming who they
>>>> are, so that the private individual can check they're not talking to a
>>>> scammer.
>>>>
>>>
>>> Barclays does have just that system. You set up a word or phrase
>>> on your Barclays PinSentry app that only the genuine bank will
>>> know about.
>> Don't know how to do that. I don't do on-line banking, internet
>> banking, telephone banking or whatever, and I don't have the banking
>> app. I regard all of them as just more to worry about and additional
>> ways a scammer can get access to my account. Fat lot of good it did
>> me! I get wiser and more paranoid every day. As I said, I managed to
>> get everything blocked before any damage was done, and a new card is
>> on its way.
>
> Online banking from a well secured PC is pretty reliable. I was an early
> adopter since Belgian banks had sophisticated encryption based banking
> software and a digital currency Protons way back in the late 1990's.
>
> So long as you run something like Trusteer Endpoint Protection (other
> brands are available) to prevent keyboard loggers and the like and have
> up to date AV software on your PC it is as secure as a bank machine.
>
> All the banks online offerings are slightly different. Some have a
> welcome page that you can customise to have a picture or phrase on so
> that you will recognise it as the real one and not a carbon copy.
>
> Increasingly they require TFA which has me waving my phone in the air at
> the highest point of the garden trying to get the text before the
> website times out. It is often rather touch and go.
>
> I won't touch phone banking apps though. Anything daft enough to have my
> PIN available in plaintext isn't going to have me as a user.

But the best phone apps use touch ID or facial recognition on the phone,
no PIN involved.

Chris Hogg <me@privacy.net> wrote:
> On Sun, 23 Oct 2022 14:32:38 +0100, Martin Brown
> <'''newspam'''@nonad.co.uk> wrote:
>
> >and doing the
> >ID me by PIN and passing him that information
>
> No, I didn't give him my pin, at least not directly, unless he is able
> to deduce it from my pinsentry response. Could that happen, and if so,
> what's the point of pinsentry? Not a sentry at all.
>
I don't really understand this. You should never tell anyone the
'magic number' the card reader gives you. The only thing you should
ever do with it (as far as I am aware) is to enter it in the right
field when logging in to your bank or when confirming payments and
such.

Someone asking you what the number is screams 'scam' at me.

--
Chris Green
·

Chris Green wrote:

> You should never tell anyone the 'magic number' the card reader gives you.
> The only thing you should ever do with it (as far as I am aware) is to enter
> it in the right field when logging in to your bank or when confirming
> payments and such.

The counter staff sometimes ask you to put your PIN into their PINsentry to
verify your ID in branches

On Sun, 23 Oct 2022 16:39:51 +0100, Chris Green <cl@isbd.net> wrote:

>Chris Hogg <me@privacy.net> wrote:
>> On Sun, 23 Oct 2022 14:32:38 +0100, Martin Brown
>> <'''newspam'''@nonad.co.uk> wrote:
>>
>> >and doing the
>> >ID me by PIN and passing him that information
>>
>> No, I didn't give him my pin, at least not directly, unless he is able
>> to deduce it from my pinsentry response. Could that happen, and if so,
>> what's the point of pinsentry? Not a sentry at all.
>>
>I don't really understand this. You should never tell anyone the
>'magic number' the card reader gives you. The only thing you should
>ever do with it (as far as I am aware) is to enter it in the right
>field when logging in to your bank or when confirming payments and
>such.
>
>Someone asking you what the number is screams 'scam' at me.

When new security regulations for on-line shopping were published by
the government about two years ago I got a pinsentry from my local
Barclays branch, expecting to have to use it regularly when buying
stuff on-line. But I've never had to use it and this was the first
time anyone ever asked me to use it, so I wasn't exactly familiar with
what was or wasn't the right thing to do.

--
Chris

On Sun, 23 Oct 2022 16:57:10 +0100, Andy Burns <usenet@andyburns.uk>
wrote:

>
>Chris Green wrote:
>
>> You should never tell anyone the 'magic number' the card reader gives you.
>> The only thing you should ever do with it (as far as I am aware) is to enter
>> it in the right field when logging in to your bank or when confirming
>> payments and such.
>
>The counter staff sometimes ask you to put your PIN into their PINsentry to
>verify your ID in branches

Yes, done that occasionally, which is partly why it seemed OK to do it
over the phone. Perhaps the whole pinsentry thing was just a
smoke-screen to make it look as though the scammer was genuine. Unless
they could somehow unscramble the number it gave and make use of the
pin. But TNP says no.

--
Chris

Chris Hogg wrote:

> Perhaps the whole pinsentry thing was just a
> smoke-screen to make it look as though the scammer was genuine. Unless
> they could somehow unscramble the number it gave and make use of the
> pin.

No, they can't get your PIN from the code you gave them.

But they can use it for a one-time logon to your bank, if they know the details
that e.g. appear on one of your cheques.

What was the purported reason for the cold call?

On Sun, 23 Oct 2022 17:35:40 +0100, Andy Burns <usenet@andyburns.uk>
wrote:

>Chris Hogg wrote:
>
>> Perhaps the whole pinsentry thing was just a
>> smoke-screen to make it look as though the scammer was genuine. Unless
>> they could somehow unscramble the number it gave and make use of the
>> pin.
>
>No, they can't get your PIN from the code you gave them.
>
>But they can use it for a one-time logon to your bank, if they know the details
>that e.g. appear on one of your cheques.
>
>What was the purported reason for the cold call?

He said it was because there was a debit transaction they thought was
suspicious, and they had blocked it temporarily but needed my details
to block it permanently.

--
Chris

On 23/10/2022 16:13, Rod Speed wrote:
> On Mon, 24 Oct 2022 01:49:13 +1100, Martin Brown
> <'''newspam'''@nonad.co.uk> wrote:
>
>> I won't touch phone banking apps though. Anything daft enough to have
>> my PIN available in plaintext isn't going to have me as a user.
>
> But the best phone apps use touch ID or facial recognition on the phone,
> no PIN involved.

AT least in the UK the banking phone app contains the bank card PIN and
there has been a spate of recent thefts from gyms where the mobile phone
and bank card(s) were stolen and account emptied before the individuals
affected even knew they were missing. It hinged on the flash up display
of a TFA OTP code sent to the real users mobile phone which could be
read momentarily by any Tom, Dick or Harry.

Bank then says "Your problem you must have disclosed your PIN".
BBC discovered otherwise after a bit of experimentation. BBC R4 5/9/22

https://www.bbc.co.uk/programmes/m001brf0

The scam is still in play right now.

Most UK banks have now adjusted their TFA txt preamble so that the OTP
is no longer visible in the preview flash up msg on a locked phone.

--
Regards,
Martin Brown

On 23/10/2022 13:49, Chris Hogg wrote:
> Different banks may have different names for the system. It's
> basically a card reader that can confirm a person's identity. It's a
> pity the banks don't have a similar system for confirming who they
> are, so that the private individual can check they're not talking to a
> scammer.

Shouldn't you be suspicious of absolutely everyone who contacts you - I
am, I never even own up to my name, until they have been able to confirm
who they are. Genuine callers don't mind you being suspicious of them.

On 23/10/2022 15:20, Chris Hogg wrote:
> Don't know how to do that. I don't do on-line banking, internet
> banking, telephone banking or whatever, and I don't have the banking
> app. I regard all of them as just more to worry about and additional
> ways a scammer can get access to my account.

I view it the opposite way, it makes your own access much more rapid and
secure, especially so the use of contactless and instant notifications
of transactions via my phone

On Sun, 23 Oct 2022 18:18:33 +0100, Harry Bloomfield Esq
<a@harrym1byt.plus.com> wrote:

>On 23/10/2022 13:49, Chris Hogg wrote:
>> Different banks may have different names for the system. It's
>> basically a card reader that can confirm a person's identity. It's a
>> pity the banks don't have a similar system for confirming who they
>> are, so that the private individual can check they're not talking to a
>> scammer.
>
>Shouldn't you be suspicious of absolutely everyone who contacts you - I
>am, I never even own up to my name, until they have been able to confirm
>who they are. Genuine callers don't mind you being suspicious of them.

Well, yes, I was suspicious. But he was very persuasive, persistent
and convincing (by using the pinsentry routine which I recognised from
when I had visited my local branch in the past).

So how would you confirm who they are? Banks go to some length to
confirm who you are, but confirming who they are doesn't seem to be
part of their thinking. It would be quite simple for there to be
similar set of questions and answers that you could ask them and check
the answers, without having to use any app.

--
Chris