When booking travel for our second trip to Europe this year, the badly tuned Falcon Fraud Manager triggered for both of our payment cards again. It blocked Isabelle’s card and sent out an alert for mine. This in itself is bad enough, but the way both banks then verify the transaction seems like a recipe for setting their customers up to be phished over the phone.
About 12 hours or so after booking travel I received a voice mail saying they had detected a potentially fraudulent transaction on my credit card, and it asked me to call back the number 1-888-918-7313.
I did, and a friendly call center employee asked me to provide him with the following information to proceed:
- Home phone
- Full Name
- Full date of birth
- Last 4 digits of my social security number
Thinking about it now, this seems like a really bad idea. I have no idea who I am talking to on the phone. For all I know, this could be a phishing operation abroad. You can get a toll-free 1-800 number instantly and forward it to a Skype-In number, which you can then forward anywhere. This is not even a new trick; it has been done since at least 2006.
In this case, it was legitimate. I was talking to Anthony, who works for PSCU Financial Services, which runs the Falcon system for cards issued by my bank, the Stanford Federal Credit Union. And to Anthony’s credit, when I started asking questions he immediately suggested that I should call my bank to verify the phone number. I asked him whether PSCU recommends giving out the above information to someone who calls you and claims to be working for your bank. He said they are neutral, but this is their standard practice.
The real risk here is that the SFCU is training its customers to give out personal information to anyone who calls them and claims to be their bank. Experience has shown that consumers are not good at judging what personal information is sensitive and what is not. Assume a consumer receives 3 legitimate calls over a year, and then a phishing call asking for a complete SSN. My guess is that anywhere from 10% to 50% of consumers would provide that information.
I asked Anthony of PSCU for his opinion on whether this is an issue. He did agree that this practice makes it more likely that consumers give out information when called. I also talked to Nadene at SFCU member services, and she agreed that this would increase the risk of consumers giving out sensitive information. She also said all of the above is essentially “public record”, which I would argue is incorrect at least for the full date of birth and home phone (most states require these to be blacked out in public documents).
In the end, what the banks are trying to do here is lower the cost of fraud verification. If I call through my bank’s call center, that adds somewhere around $10-$30 in call center cost. The downside, however, is that the banks are essentially training their users to become easy targets for phone phishing attacks.
I always ignore those calls and call the number on my credit card myself. Generally, though, you’ll know that your card was declined, so the only person with the information needed to phish you is probably the merchant on the other end of the denied transaction, and the merchant is already mostly a trusted entity in the credit card trust model.
In this case, the transaction was approved and triggered the alert after the fact. I have had this happen a lot, for some very innocent transactions. My favorite is from buying a plate of pasta airside (i.e. behind security) at the Denver Airport. I get fraud alerts quite frequently (about once every 1-2 months), and it is mostly after a successful transaction.