Friday, October 07, 2016

security #fail

warning: long post ahead. summary at the end.

recently, I received a call from HDFC bank, from someone who claimed to be my "personal banker". I was wondering why, because I used to have a personal banker long ago, but he suddenly disappeared off the scene, and I honestly didn't miss him one bit, because there's nothing I need a personal banker for.

in fact, that guy prompted me to once tweet that "a personal banker is a salesman you're forced (or was it obliged? I don't remember) to be nice to 😁"

so this well spoken lady claiming to be my personal banker introduced herself and asked me to save her number and whatnot. and then she said that she could see I was eligible for a credit limit enhancement on my credit card. I have no idea why anyone would offer me that, as I don't even use that card. but apparently your credit limit contributes to your credit score, and it's always good to have a good credit score. or maybe I was simply in a good mood and wasn't too occupied with work that day. either way, I agreed. she said that I would receive an OTP on my mobile, which I would have to key into the IVR. sounded legit.

the IVR switched on, it asked me to enter my card number. when done, it asked me to enter my OTP. since the OTP was on my phone, and I was on the call, it took a few seconds to switch apps and read the number, memorize it, switch back and dial it. and HDFC somehow expected me to be super quick, so the IVR exited before I could dial it in. the lady was back on the line. she said I took too long, so I would have to try again. she launched the IVR again. I entered my card number. it then asked me to enter my OTP. and then I heard my "personal banker"'s voice, asking me to hurry.

WHAT?!!

I was too shocked to respond.

she was on the line with the IVR, had already heard my card number, and was about to hear my OTP!

I was literally shell shocked. I thought I was this close to being scammed. if she hadn't spoken, I'd have been a goner (metaphorically speaking).

the IVR exited, I regained my composure, and asked her why she was on the line. I told her that I was extremely uncomfortable with this and did not want to go ahead with it. she was polite, but it was clear that she didn't understand my concern. I tried explaining as well, but she was like "I can only hear beeps, not the actual number".

she obviously didn't know how tone dialing (or indeed, IVR systems) works.

I gave up and made an excuse and hung up.

I didn't really need the limit upgrade, but she had set my mind working. is there any way to verify that this is or is not some sort of scam? I thought hard, and the only thing I could come up with was the HDFC official call center. so I dialed in, and of course I had to enter my authentication details on the IVR, something I have done scores of times before, but which got me thinking this time. anyway, I guess the number listed on my card and the website had to be trusted, I hoped.

I finally got someone on the line. I asked her if I was eligible for a credit limit upgrade. she affirmed. I asked her to confirm my current and new limit. it matched what I was told earlier. she told me I would be sent an OTP and would then be put on the IVR. so far, the story matched. I had just one last point to confirm. I asked her if she would be on the line while I entered my details.

she said she would.

this time, I didn't bother arguing. I had called HDFC on their listed number, so unless an extremely well engineered scam was in place, I should be safe.

the transaction went through, and I got a message from HDFC confirming that my request was accepted, etc.

I called my "personal banker" to let her know that I had done the upgrade by calling phone banking, as I was not comfortable entering my OTP on an inbound call. she still didn't understand, but I didn't care.

I haven't heard from her ever since. but I did get a call the other day from a guy who also claimed to be my personal banker. I told him I already have one, and he insisted that he was my real personal banker from the head office, while the other person must have called from some branch.

I'm pretty sure he's not from the head office, because he wants to meet me in person now. I'm just bracing myself for more insecure bullshit and another attempt to sell me something I don't need.

anyway, TL;DR:

do not enter personal details on IVR. especially on an inbound call. if it's an inbound call, selling you something you want, find a way to get to the same offer from an outbound call to a verified number. do all due diligence to verify the outbound number. and never accept an outbound number that's given to you by the caller. they are bound to make excuses to avoid this, but be firm.

do not assume any IVR is secure. those "beeps" are the keys of your keypad being transmitted across. anyone listening will know what you have entered. so be wary.
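to make concrete why "I can only hear beeps" is no reassurance, here is an added example (my illustration, not code from the original post or from any bank's systems): it synthesizes the DTMF tone pair a keypad sends for each key and then recovers the keys from the audio alone with a single-frequency DFT, which is exactly what the IVR at the other end does. the 8 kHz sample rate, the 100 ms tone duration and the noise-rejection thresholds are assumptions; the tone frequencies and keypad layout are the standard DTMF ones.

```python
import cmath
import math

FS = 8000  # Hz; assumed sample rate, the usual rate for telephone audio

# DTMF keypad: each key is one tone from the low group plus one from the high group.
LOW_FREQS = (697, 770, 852, 941)
HIGH_FREQS = (1209, 1336, 1477, 1633)
KEYPAD = (("1", "2", "3", "A"),
          ("4", "5", "6", "B"),
          ("7", "8", "9", "C"),
          ("*", "0", "#", "D"))

def synth_digit(key, duration=0.1, amplitude=0.5):
    """Constructed input: the tone pair a keypad sends for `key` (duration assumed)."""
    for r, row in enumerate(KEYPAD):
        if key in row:
            low, high = LOW_FREQS[r], HIGH_FREQS[row.index(key)]
            break
    else:
        raise ValueError(f"not a DTMF key: {key!r}")
    n = int(FS * duration)
    return [amplitude * (math.sin(2 * math.pi * low * i / FS)
                         + math.sin(2 * math.pi * high * i / FS)) for i in range(n)]

def tone_power(samples, freq):
    """Normalised single-frequency DFT magnitude: how much of `freq` the audio holds."""
    acc = sum(x * cmath.exp(-2j * math.pi * freq * i / FS) for i, x in enumerate(samples))
    return abs(acc) / len(samples)

def decode_digit(samples, min_power=0.01, min_ratio=4.0):
    """Return the key whose tone pair dominates, or None if there is no clear pair."""
    low_p = [tone_power(samples, f) for f in LOW_FREQS]
    high_p = [tone_power(samples, f) for f in HIGH_FREQS]
    r = max(range(4), key=low_p.__getitem__)
    c = max(range(4), key=high_p.__getitem__)
    # Reject silence/noise: each group's winner must be loud and clearly beat the rest.
    for powers, idx in ((low_p, r), (high_p, c)):
        runner_up = max(p for i, p in enumerate(powers) if i != idx)
        if powers[idx] < min_power or powers[idx] < min_ratio * runner_up:
            return None
    return KEYPAD[r][c]

def decode_sequence(keys):
    """Round trip: key presses -> audio -> keys, recovered from the audio alone."""
    return "".join(decode_digit(synth_digit(k)) or "?" for k in keys)

if __name__ == "__main__":
    print(decode_sequence("4519#*0"))  # prints 4519#*0
```

anyone who can hear the call (or record it) can run this on the audio; the only protection is not keying sensitive digits while a third party is on the line.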

and whenever you come across a bank legitimately forcing or inducing you to do these things, give them feedback that this is not acceptable.

(ps: have you come across any other such suspicious things? let me know in the comments, I'll be happy to vet and write up about them!)

3 postscripts:

Pallav said...

My bank people keep mailing me to tell me to NEVER give my OTP or any bank details to anyone calling claiming to be from the bank. They make it a point that they will never call asking for such details. The only time I remember getting a call from someone from my bank was to deliver my card to my address.

It's a vishing scam or something that you just narrowly escaped from.

A lot of such call centers are there to scam people. They're doing so nationally as well as internationally. You should report the number you got the call from to your bank, at least.

milinddesai said...

A friend was duped like that. He was told it was for redemption of points and it was from ICICI card. I only wonder how they got the OTP and password just on the basis of beeps.

S iyer said...

I'd once called up StandardChartered Bank to resolve a grievance. They asked 20 questions, presumably to ascertain that the person calling is me. Yah, I was calling from my registered phone which was duly validated by IVR before I was put through to an executive. So, a few of those answers, I guess, were not satisfactorily answered. Suddenly the executive is like, "Have you validated your IPIN?" "Can I request you to validate you one more time plz?" I said "suit yourself" and I am redirected to an IVR, where I can clearly hear the executive punching her keyboard.

Just saying, it's commonplace for the CCE to listen in on IVR. I was not particularly bothered back then because I'd dialed a published number. The bank guys have you by your predominant anatomical instrument anyways, if you know what I mean.