In article <tj3fo6$1bla$2@gioia.aioe.org>,
Martin Brown <'''newspam'''@nonad.co.uk> wrote:
> On 23/10/2022 14:23, The Natural Philosopher wrote:
> > On 23/10/2022 13:49, Chris Hogg wrote:
> >> I got scammed at the end of last week. All sorted and no harm done,
> >> but the scammer told me that the normal security checks such as
> >> mother's maiden name etc was no longer being used, and everything was
> >> being done via the Pinsentry system. After resistance from me I
> >> eventually went along with it and gave him all he asked for! :-(
> >>
> >> As I said, no harm done because I immediately contacted my bank who
> >> blocked everything, but be aware that the scammers are now trying to
> >> use the Pinsentry system to get account details etc from people who
> >> are unfamiliar with Pinsentry.
> >>
> >> Different banks may have different names for the system. It's
> >> basically a card reader that can confirm a person's identity. It's a
> >> pity the banks don't have a similar system for confirming who they
> >> are, so that the private individual can check they're not talking to a
> >> scammer.
> >>
> > How did they contact you?
> >
> > When I refused to give details to someone who claimed to be from my
> > bank, they said 'well call the number on your card'

> That isn't good enough either if you do it on the same phone line.

> A well equipped bad actor can play dial tone to you and hold the line
> open and them pretend to answer as your bank after you have dialed the
> right number on your bank card. I think telco's have shortened the delay
> before the line drops to mitigate against this trick.

when I was called by a scammer on my landline, I rang my bank using my
mobile phone.

--
from KT24 in Surrey, England - sent from my RISC OS 4té
"I'd rather die of exhaustion than die of boredom" Thomas Carlyle

On 23/10/2022 16:08, Andy Burns wrote:
> The Natural Philosopher wrote:
>
>> Chris Hogg wrote:
>>
>>> Andrew wrote:
>>>
>>>>> It's a pity the banks don't have a similar system for confirming who
>>>>> they are, so that the private individual can check they're not talking
>>>>> to a scammer.
>>>>
>>>> Barclays does have just that system. You set up a word or phrase
>>>> on your Barclays PinSentry app that only the genuine bank will
>>>> know about.
>>>
>> No, you dont.
>
> Yes you do, you maybe you've become blasé to it? As you start the
> barclays app, it says
>
> "Hi $firstname $lastname
> please enter your 5 digit passcode
> $yourchosenphrase"
>
> I've never known them use the chosen phrase outside of the phone app
> though.
>
I dont use a phone app.

I use a PIN sentry

It wants my membership number, my credit card number and a pin sentry
generated code

--
You can get much farther with a kind word and a gun than you can with a
kind word alone.

Al Capone

On 23/10/2022 17:04, Chris Hogg wrote:
> On Sun, 23 Oct 2022 16:57:10 +0100, Andy Burns <usenet@andyburns.uk>
> wrote:
>
>>
>> Chris Green wrote:
>>
>>> You should never tell anyone the 'magic number' the card reader gives you.
>>> The only thing you should ever do with it (as far as I am aware) is to enter
>>> it in the right field when logging in to your bank or when confirming
>>> payments and such.
>>
>> The counter staff sometimes ask you to put your PIN into their PINsentry to
>> verify your ID in branches
>
> Yes, done that occasionally, which is partly why it seemed OK to do it
> over the phone. Perhaps the whole pinsentry thing was just a
> smoke-screen to make it look as though the scammer was genuine. Unless
> they could somehow unscramble the number it gave and make use of the
> pin. But TNP says no.
>
I really dont think so. Its a one time password.
--
You can get much farther with a kind word and a gun than you can with a
kind word alone.

Al Capone

Martin Brown <'''newspam'''@nonad.co.uk> wrote
> Rod Speed wrote
>> Martin Brown <'''newspam'''@nonad.co.uk> wrote

>>> I won't touch phone banking apps though. Anything daft enough to have
>>> my PIN available in plaintext isn't going to have me as a user.

>> But the best phone apps use touch ID or facial recognition on the
>> phone, no PIN involved.

> AT least in the UK the banking phone app contains the bank card PIN

I don't believe that last bit. It certainly isnt in any of my banking apps.
And to get into the banking app to see it even if the bank is actually
stupid enough to show your pin in the banking app, you have to
unlock the phone with touch ID or face ID and do that to get into
the app too.

> and there has been a spate of recent thefts from gyms where the mobile
> phone and bank card(s) were stolen and account emptied before the
> individuals affected even knew they were missing. It hinged on the flash
> up display of a TFA OTP code sent to the real users mobile phone which
> could be read momentarily by any Tom, Dick or Harry.

Clearly that won't work if the banking phone app requires the touch
ID or face ID to match before you can do anything in the app.

> Bank then says "Your problem you must have disclosed your PIN".
> BBC discovered otherwise after a bit of experimentation. BBC R4 5/9/22

> https://www.bbc.co.uk/programmes/m001brf0

That is comprehensively mangled and they say at the end that
you shouldn't have your phone and cards in your bag. That
means that someone who steals your phone with the banking
app on it can't loot your account.

And the other obvious way to protect yourself is to only use
apple pay to pay for anything and that also requires your touch
ID or face ID to actually authorise the transaction. And you
never need you PIN because apple pay doesn't even ask you
for it for the higher value transactions, unlike when a card is used.

> The scam is still in play right now.

> Most UK banks have now adjusted their TFA txt preamble so that the OTP
> is no longer visible in the preview flash up msg on a locked phone.

You never see anything on a locked iphone.

On 23/10/2022 18:41, Chris Hogg wrote:
> On Sun, 23 Oct 2022 18:18:33 +0100, Harry Bloomfield Esq
> <a@harrym1byt.plus.com> wrote:
>
>> On 23/10/2022 13:49, Chris Hogg wrote:
>>> Different banks may have different names for the system. It's
>>> basically a card reader that can confirm a person's identity. It's a
>>> pity the banks don't have a similar system for confirming who they
>>> are, so that the private individual can check they're not talking to a
>>> scammer.
>>
>> Shouldn't you be suspicious of absolutely everyone who contacts you - I
>> am, I never even own up to my name, until they have been able to confirm
>> who they are. Genuine callers don't mind you being suspicious of them.
>
> Well, yes, I was suspicious. But he was very persuasive, persistent
> and convincing (by using the pinsentry routine which I recognised from
> when I had visited my local branch in the past).
>
> So how would you confirm who they are? Banks go to some length to
> confirm who you are, but confirming who they are doesn't seem to be
> part of their thinking. It would be quite simple for there to be
> similar set of questions and answers that you could ask them and check
> the answers, without having to use any app.
One problem is actually getting to talk to anyone at the bank with an
understandable accent in a short period of time, to confirm (or
otherwise) what the scammer was trying to do. Obviously you can't do
anything online in case there is a security issue.

--

Jeff

On 23/10/2022 16:59, Chris Hogg wrote:
> On Sun, 23 Oct 2022 16:39:51 +0100, Chris Green <cl@isbd.net> wrote:
>
>> Chris Hogg <me@privacy.net> wrote:
>>> On Sun, 23 Oct 2022 14:32:38 +0100, Martin Brown
>>> <'''newspam'''@nonad.co.uk> wrote:
>>>
>>>> and doing the
>>>> ID me by PIN and passing him that information
>>>
>>> No, I didn't give him my pin, at least not directly, unless he is able
>>> to deduce it from my pinsentry response. Could that happen, and if so,
>>> what's the point of pinsentry? Not a sentry at all.
>>>
>> I don't really understand this. You should never tell anyone the
>> 'magic number' the card reader gives you. The only thing you should
>> ever do with it (as far as I am aware) is to enter it in the right
>> field when logging in to your bank or when confirming payments and
>> such.
>>
>> Someone asking you what the number is screams 'scam' at me.
>
> When new security regulations for on-line shopping were published by
> the government about two years ago I got a pinsentry from my local
> Barclays branch, expecting to have to use it regularly when buying
> stuff on-line. But I've never had to use it and this was the first
> time anyone ever asked me to use it, so I wasn't exactly familiar with
> what was or wasn't the right thing to do.
>
Pin sentry only needed to login to your bank online, it is optional
between that and a pin code texted to your mobile for *some* transactions
--
You can get much farther with a kind word and a gun than you can with a
kind word alone.

Al Capone

The Natural Philosopher wrote:

> I dont use a phone app.
> I use a PIN sentry
> It wants my membership number, my credit card number and a pin sentry generated
> code

the phone app incorporates the functionality of a PINsentry, without having to
carry around a bit of blue plastic.

On Mon, 24 Oct 2022 04:41:58 +1100, Chris Hogg <me@privacy.net> wrote:

> On Sun, 23 Oct 2022 18:18:33 +0100, Harry Bloomfield Esq
> <a@harrym1byt.plus.com> wrote:
>
>> On 23/10/2022 13:49, Chris Hogg wrote:
>>> Different banks may have different names for the system. It's
>>> basically a card reader that can confirm a person's identity. It's a
>>> pity the banks don't have a similar system for confirming who they
>>> are, so that the private individual can check they're not talking to a
>>> scammer.
>>
>> Shouldn't you be suspicious of absolutely everyone who contacts you - I
>> am, I never even own up to my name, until they have been able to confirm
>> who they are. Genuine callers don't mind you being suspicious of them.
>
> Well, yes, I was suspicious. But he was very persuasive, persistent
> and convincing (by using the pinsentry routine which I recognised from
> when I had visited my local branch in the past).
>
> So how would you confirm who they are? Banks go to some length to
> confirm who you are, but confirming who they are doesn't seem to be
> part of their thinking. It would be quite simple for there to be
> similar set of questions and answers that you could ask them and check
> the answers, without having to use any app.

But that stuff would soon be well known so the spammer would be able to
produce it.

Makes more3 sene to tell the person they are calling an incident number
and then the called person can call the number on the card or statements
and supply the incident number to be connected to the caller again and
be sure that it really is the bank which called them.

On Sun, 23 Oct 2022 18:46:37 +0100, charles <charles@candehope.me.uk>
wrote:

>
>when I was called by a scammer on my landline, I rang my bank using my
>mobile phone.

Ah, that looks like a promising idea. Next time, I'll try that, and
there is bound to be a next time!

--
Chris

On 23/10/2022 18:41, Chris Hogg wrote:
> On Sun, 23 Oct 2022 18:18:33 +0100, Harry Bloomfield Esq
> <a@harrym1byt.plus.com> wrote:
>
>> On 23/10/2022 13:49, Chris Hogg wrote:
>>> Different banks may have different names for the system. It's
>>> basically a card reader that can confirm a person's identity. It's a
>>> pity the banks don't have a similar system for confirming who they
>>> are, so that the private individual can check they're not talking to a
>>> scammer.
>>
>> Shouldn't you be suspicious of absolutely everyone who contacts you - I
>> am, I never even own up to my name, until they have been able to confirm
>> who they are. Genuine callers don't mind you being suspicious of them.
>
> Well, yes, I was suspicious. But he was very persuasive, persistent
> and convincing (by using the pinsentry routine which I recognised from
> when I had visited my local branch in the past).

Social engineering attacks always are. The only defence is attack.
Tell them to FOAD more or less politely - they have cold called you.
You have no evidence that they are who they claim to be (end story).

I don't know why this isn't more widely publicised since it is
absolutely *BOMB PROOF*. All cold callers are presumed hostile.
(most are, or only doing it to get their sales bonus at my expense)

It does FUCK UP the SOP of most cold calling sales pitches though.

> So how would you confirm who they are? Banks go to some length to
> confirm who you are, but confirming who they are doesn't seem to be
> part of their thinking. It would be quite simple for there to be
> similar set of questions and answers that you could ask them and check
> the answers, without having to use any app.

You tell them to either put it in writing or *PROVE* to you exactly
*WHO* they are before going any further. Most times they CBA.

--
Regards,
Martin Brown

On 23/10/2022 18:46, charles wrote:
> when I was called by a scammer on my landline, I rang my bank using my
> mobile phone.

When my bank called me and wanted to ask me some security questions I
pointed out that he had a good idea who I was, he'd phoned me, but I had
no idea who he was.

There was a pause.

"You're right you know, but no-one else has ever said that!".

I took his name and department and called him back. Yes, it really was
my bank. And it's depressing that my comment was either needed or new.

Andy

On 23/10/2022 19:20, Andy Burns wrote:
> The Natural Philosopher wrote:
>
>> I dont use a phone app.
>> I use a PIN sentry
>> It wants my membership number, my credit card number and a pin sentry generated
>> code
>
> the phone app incorporates the functionality of a PINsentry, without having to
> carry around a bit of blue plastic.

I don't use a banking app, but if it has the function of a PINsentry
wouldn't the OP have got caught in the same way?

Out of interest, what online banking can you do with a phone app that
you can't do with a computer at home? More to the point, why would you
need to do it then rather than wait until you got home?

--

Jeff

On Sun, 23 Oct 2022 17:59:53 +0100, Martin Brown wrote:

> On 23/10/2022 16:13, Rod Speed wrote:
>> On Mon, 24 Oct 2022 01:49:13 +1100, Martin Brown
>> <'''newspam'''@nonad.co.uk> wrote:
>>
>>> I won't touch phone banking apps though. Anything daft enough to have
>>> my PIN available in plaintext isn't going to have me as a user.
>>
>> But the best phone apps use touch ID or facial recognition on the
>> phone,
>> no PIN involved.
>
> AT least in the UK the banking phone app contains the bank card PIN and
> there has been a spate of recent thefts from gyms where the mobile phone
> and bank card(s) were stolen and account emptied before the individuals
> affected even knew they were missing. It hinged on the flash up display
> of a TFA OTP code sent to the real users mobile phone which could be
> read momentarily by any Tom, Dick or Harry.
>
> Bank then says "Your problem you must have disclosed your PIN".
> BBC discovered otherwise after a bit of experimentation. BBC R4 5/9/22
>
> https://www.bbc.co.uk/programmes/m001brf0
>
> The scam is still in play right now.
>
> Most UK banks have now adjusted their TFA txt preamble so that the OTP
> is no longer visible in the preview flash up msg on a locked phone.

You can also adjust that preview.

--
My posts are my copyright and if @diy_forums or Home Owners' Hub
wish to copy them they can pay me £1 a message.
Use the BIG mirror service in the UK: http://www.mirrorservice.org
*lightning surge protection* - a w_tom conductor

On Sun, 23 Oct 2022 22:16:52 +0100, Jeff Layman wrote:

> Out of interest, what online banking can you do with a phone app that
> you can't do with a computer at home? More to the point, why would you
> need to do it then rather than wait until you got home?

Pay in a cheque.

--
My posts are my copyright and if @diy_forums or Home Owners' Hub
wish to copy them they can pay me £1 a message.
Use the BIG mirror service in the UK: http://www.mirrorservice.org
*lightning surge protection* - a w_tom conductor

On Mon, 24 Oct 2022 08:16:52 +1100, Jeff Layman <Jeff@invalid.invalid>
wrote:

> On 23/10/2022 19:20, Andy Burns wrote:
>> The Natural Philosopher wrote:
>>
>>> I dont use a phone app.
>>> I use a PIN sentry
>>> It wants my membership number, my credit card number and a pin sentry
>>> generated
>>> code
>> the phone app incorporates the functionality of a PINsentry, without
>> having to
>> carry around a bit of blue plastic.
>
> I don't use a banking app, but if it has the function of a PINsentry
> wouldn't the OP have got caught in the same way?
>
> Out of interest, what online banking can you do with a phone app that
> you can't do with a computer at home?

Its actually the reverse, some of my FI require you to use online
banking when doing some stuff.

> More to the point, why would you need to do it then rather than wait
> until you got home?

Very handy to be able to move money about when out
and about when say you manage to forget to move
enough money into a debit card or find that the card
you normally use can't be used for some reason and
you need to move money into another card to use that one.

MUCH more secure and much more convenient to use
Apple Pay instead of a contactless card and it never
demands a PIN for transactions over a specified amount.

Very handy to be able to send money to someone immediately when
out an about instead of having to get more cash from the ATM.

I only use cash now at garage sales and even tho I can pay
anyone who has a mobile phone number or email address,
it isnt a terrific idea to try to convince people that its as good
as cash and no risk for them when there is a queue of people
waiting to pay for what they have bought.

On 23/10/2022 21:59, Vir Campestris wrote:
> On 23/10/2022 18:46, charles wrote:
>> when I was called by a scammer on my landline, I rang my bank using my
>> mobile phone.
>
> When my bank called me and wanted to ask me some security questions I
> pointed out that he had a good idea who I was, he'd phoned me, but I had
> no idea who he was.
>
> There was a pause.
>
> "You're right you know, but no-one else has ever said that!".
>
> I took his name and department and called him back. Yes, it really was
> my bank. And it's depressing that my comment was either needed or new.

I said that to my bank years ago.

On 23/10/2022 16:39, Chris Green wrote:
> Chris Hogg <me@privacy.net> wrote:
>> On Sun, 23 Oct 2022 14:32:38 +0100, Martin Brown
>> <'''newspam'''@nonad.co.uk> wrote:
>>
>>> and doing the
>>> ID me by PIN and passing him that information
>>
>> No, I didn't give him my pin, at least not directly, unless he is able
>> to deduce it from my pinsentry response. Could that happen, and if so,
>> what's the point of pinsentry? Not a sentry at all.
>>
> I don't really understand this. You should never tell anyone the
> 'magic number' the card reader gives you. The only thing you should
> ever do with it (as far as I am aware) is to enter it in the right
> field when logging in to your bank or when confirming payments and
> such.

Barclays also use it in branch - say when making a cash withdrawal
over the counter.

> Someone asking you what the number is screams 'scam' at me.

Indeed, but that is where the job of a good pretexter comes in. To
concoct a storey plausible enough to make it seem reasonable enough in
the this context.

--
Cheers,

John.

/=================================================================\
| Internode Ltd - http://www.internode.co.uk |
|-----------------------------------------------------------------|
| John Rumm - john(at)internode(dot)co(dot)uk |
\=================================================================/

On 23/10/2022 17:54, Chris Hogg wrote:
> On Sun, 23 Oct 2022 17:35:40 +0100, Andy Burns <usenet@andyburns.uk>
> wrote:
>
>> Chris Hogg wrote:
>>
>>> Perhaps the whole pinsentry thing was just a
>>> smoke-screen to make it look as though the scammer was genuine. Unless
>>> they could somehow unscramble the number it gave and make use of the
>>> pin.
>>
>> No, they can't get your PIN from the code you gave them.
>>
>> But they can use it for a one-time logon to your bank, if they know the details
>> that e.g. appear on one of your cheques.
>>
>> What was the purported reason for the cold call?
>
> He said it was because there was a debit transaction they thought was
> suspicious, and they had blocked it temporarily but needed my details
> to block it permanently.

Indian?

Did they just want the ID code (i.e. that generated just from your pin
and your card)?

With other details it might be enough to login to your account - but
would not be enough to make a payment to a new payee.

(However one way they try and get round that is to see if you have a
payee already setup for a suitable intermediate business. They then pay
a lump sum to that business from your account, and then ring that
business and claim to be you, and explain that you just realised you
made a mistake when making an online payment, and paid them by mistake.
Could they refund it - to a different account)

--
Cheers,

John.

/=================================================================\
| Internode Ltd - http://www.internode.co.uk |
|-----------------------------------------------------------------|
| John Rumm - john(at)internode(dot)co(dot)uk |
\=================================================================/

On 23/10/2022 19:03, The Natural Philosopher wrote:
> On 23/10/2022 16:59, Chris Hogg wrote:
>> On Sun, 23 Oct 2022 16:39:51 +0100, Chris Green <cl@isbd.net> wrote:
>>
>>> Chris Hogg <me@privacy.net> wrote:
>>>> On Sun, 23 Oct 2022 14:32:38 +0100, Martin Brown
>>>> <'''newspam'''@nonad.co.uk> wrote:
>>>>
>>>>> and doing the
>>>>> ID me by PIN and passing him that information
>>>>
>>>> No, I didn't give him my pin, at least not directly, unless he is able
>>>> to deduce it from my pinsentry response. Could that happen, and if so,
>>>> what's the point of pinsentry? Not a sentry at all.
>>>>
>>> I don't really understand this. You should never tell anyone the
>>> 'magic number' the card reader gives you.  The only thing you should
>>> ever do with it (as far as I am aware) is to enter it in the right
>>> field when logging in to your bank or when confirming payments and
>>> such.
>>>
>>> Someone asking you what the number is screams 'scam' at me.
>>
>> When new security regulations for on-line shopping were published by
>> the government about two years ago I got a pinsentry from my local
>> Barclays branch, expecting to have to use it regularly when buying
>> stuff on-line. But I've never had to use it and this was the first
>> time anyone ever asked me to use it, so I wasn't exactly familiar with
>> what was or wasn't the right thing to do.
>>
> Pin sentry only needed to login to your bank online, it is optional
> between that and a pin code texted to your mobile for *some* transactions

It is also used for setting up a new payee on your account. So if you
want to make a BACS transfer to an account you have not already paid,
they use the "respond" facility to cryptographically sign a part of the
payment instruction.

So for a scammer to be able to make a payment they would need two pin
sentry codes - one to login, and another to make a new payment.

However just the login would then give them access to your transaction
history, and that could be used for a latter scam attempt.

--
Cheers,

John.

/=================================================================\
| Internode Ltd - http://www.internode.co.uk |
|-----------------------------------------------------------------|
| John Rumm - john(at)internode(dot)co(dot)uk |
\=================================================================/

On 23/10/2022 15:35, The Natural Philosopher wrote:
> On 23/10/2022 15:20, Chris Hogg wrote:
>> On Sun, 23 Oct 2022 14:32:49 +0100, Andrew
>> <Andrew97d-junk@mybtinternet.com> wrote:
>>
>>>>
>>>> Different banks may have different names for the system. It's
>>>> basically a card reader that can confirm a person's identity. It's a
>>>> pity the banks don't have a similar system for confirming who they
>>>> are, so that the private individual can check they're not talking to a
>>>> scammer.
>>>>
>>>
>>> Barclays does have just that system. You set up a word or phrase
>>> on your Barclays PinSentry app that only the genuine bank will
>>> know about.
>>
> No, you dont.
>
> A Barclays PIN sentry reads your card and requests your PIN, and then
> issues various authorisation codes dependent on the transaction.

Pinsentry != Pinsentry app

(The barclays app also contains a capability to behave as a pinsentry
device)

--
Cheers,

John.

/=================================================================\
| Internode Ltd - http://www.internode.co.uk |
|-----------------------------------------------------------------|
| John Rumm - john(at)internode(dot)co(dot)uk |
\=================================================================/

On 23/10/2022 22:16, Jeff Layman wrote:
> On 23/10/2022 19:20, Andy Burns wrote:
>> The Natural Philosopher wrote:
>>
>>> I dont use a phone app.
>>> I use a PIN sentry
>>> It wants my membership number, my credit card number and a pin sentry
>>> generated
>>> code
>>
>> the phone app incorporates the functionality of a PINsentry, without
>> having to
>> carry around a bit of blue plastic.
>
> I don't use a banking app, but if it has the function of a PINsentry
> wouldn't the OP have got caught in the same way?
>
> Out of interest, what online banking can you do with a phone app that
> you can't do with a computer at home?

There are a number - off the top of my head:

Block a compromised card

Pay by bonk. (i.e. using the phone for a contactless payment device)

Verification of an online payment on another service - say you checkout
in an online store using your cc, a proportion of the time it will want
to verify it was you and so can offer to verify using the app. Not that
different to requesting a OTP via SMS, but it can't be misdirected by
someone cloning your SIM, or getting you to read the code to them. Also
it skips the need for you to enter a code to complete the transaction -
you just confirm it on the phone.

> More to the point, why would you
> need to do it then rather than wait until you got home?

--
Cheers,

John.

/=================================================================\
| Internode Ltd - http://www.internode.co.uk |
|-----------------------------------------------------------------|
| John Rumm - john(at)internode(dot)co(dot)uk |
\=================================================================/

On 24/10/2022 02:02, John Rumm wrote:
> On 23/10/2022 22:16, Jeff Layman wrote:

>> Out of interest, what online banking can you do with a phone app that
>> you can't do with a computer at home?
>
> Pay by bonk. (i.e. using the phone for a contactless payment device)

You've convinced me! :-))))

--

Jeff

Andy Burns <usenet@andyburns.uk> wrote:
>
> Chris Green wrote:
>
> > You should never tell anyone the 'magic number' the card reader gives you.
> > The only thing you should ever do with it (as far as I am aware) is to enter
> > it in the right field when logging in to your bank or when confirming
> > payments and such.
>
> The counter staff sometimes ask you to put your PIN into their PINsentry to
> verify your ID in branches

I don't think I have been to my personal banking bank for decades! :-)

The above wouldn't work for HSBC anyway as their equivalent of
pinsentry is personalised and doesn't require your bank card.

--
Chris Green
·

John Rumm <see.my.signature@nowhere.null> wrote:
> On 23/10/2022 16:39, Chris Green wrote:
> > Chris Hogg <me@privacy.net> wrote:
> >> On Sun, 23 Oct 2022 14:32:38 +0100, Martin Brown
> >> <'''newspam'''@nonad.co.uk> wrote:
> >>
> >>> and doing the
> >>> ID me by PIN and passing him that information
> >>
> >> No, I didn't give him my pin, at least not directly, unless he is able
> >> to deduce it from my pinsentry response. Could that happen, and if so,
> >> what's the point of pinsentry? Not a sentry at all.
> >>
> > I don't really understand this. You should never tell anyone the
> > 'magic number' the card reader gives you. The only thing you should
> > ever do with it (as far as I am aware) is to enter it in the right
> > field when logging in to your bank or when confirming payments and
> > such.
>
> Barclays also use it in branch - say when making a cash withdrawal
> over the counter.
>
You mean your card in the reader and enter your PIN? I think I'd
run a mile!

> > Someone asking you what the number is screams 'scam' at me.
>
> Indeed, but that is where the job of a good pretexter comes in. To
> concoct a storey plausible enough to make it seem reasonable enough in
> the this context.
>
--
Chris Green
·

On Mon, 24 Oct 2022 01:43:58 +0100, John Rumm
<see.my.signature@nowhere.null> wrote:

>On 23/10/2022 17:54, Chris Hogg wrote:
>> On Sun, 23 Oct 2022 17:35:40 +0100, Andy Burns <usenet@andyburns.uk>
>> wrote:
>>
>>> Chris Hogg wrote:
>>>
>>>> Perhaps the whole pinsentry thing was just a
>>>> smoke-screen to make it look as though the scammer was genuine. Unless
>>>> they could somehow unscramble the number it gave and make use of the
>>>> pin.
>>>
>>> No, they can't get your PIN from the code you gave them.
>>>
>>> But they can use it for a one-time logon to your bank, if they know the details
>>> that e.g. appear on one of your cheques.
>>>
>>> What was the purported reason for the cold call?
>>
>> He said it was because there was a debit transaction they thought was
>> suspicious, and they had blocked it temporarily but needed my details
>> to block it permanently.
>
>Indian?

No, English. Slight accent (i.e. not BBC English) but I couldn't tell
you from where.
>
>Did they just want the ID code (i.e. that generated just from your pin
>and your card)?
>
16 digit card number and the response from the pinsentry.

>With other details it might be enough to login to your account - but
>would not be enough to make a payment to a new payee.
>
>(However one way they try and get round that is to see if you have a
>payee already setup for a suitable intermediate business. They then pay
>a lump sum to that business from your account, and then ring that
>business and claim to be you, and explain that you just realised you
>made a mistake when making an online payment, and paid them by mistake.
>Could they refund it - to a different account)

There are DD's to utilities etc, but I've never used BACS or similar.

Yesterday morning the scammer rang me again, claiming to be from
Barclays security, as before, and asking me to have my card reader
ready. Different accent. I hung up. Earlier that morning I'd had an
email welcoming me to the Barclays app. Looked very convincing, with
all the things I could do with the app. There was a phone number to
ring if I wanted to cancel the app. It wasn't a standard Barclays
number, which raised my suspicions. I didn't touch any of it and I've
double-deleted it (i.e. it's no longer even in my 'deleted' folder).

I rang Barclays and they confirmed they had blocked my debit card on
the Friday when I first contacted them, and that someone had tried to
register the app, but they had also been blocked. I made sure that
Barclays had also blocked any on-line banking and telephone banking -
I don't use them, have never used them and don't need them - I manage
perfectly well without them. Barclays also confirmed that no money had
been taken from my account. I assume the second phone call from the
scammer was another attempt to get some more details to open the app,
having failed the first time.

I hope that's the end of it.

--
Chris