“[REDACTED] Bank has noticed your [REDACTED] debit card ending [nnnn] was used on 11-06-2020 19:45:37, at [REDACTED] for £99.99. This payment was declined. If this was you please reply YES, otherwise please reply NO. There is no need to call us. Responding to this text is the quickest way to update your account.”
The alert appeared to be about one of my cards.
It was a newish one. Issued to replace its expired predecessor, the week before the lockdown began.
I had opened the envelope. Scrawled on the signature strip. Tested that the card worked at the automatic teller machine around the corner. Then stashed it in my “go bag”, where it remains today. I checked!
Both the accompanying letter and expired card had been ritually sacrificed to my crosscut shredder.
Neither the card nor the debit card number had ever been used in a store or to make purchases online. Its details had not been registered as a payment method for the likes of Amazon, ApplePay, or Paypal.
But here is the thing: it wasn’t me attempting to make the purchase!
I briefly wondered whether the text was a phishing scam?
What better way to dupe a punter into sharing their personal details and memorable information than to initiate a fake fraud alert and investigation?
I had received similarly worded text messages from the bank a couple of times in years past. They had originated from the same number. Previously, it had been me making a purchase. In each instance, the transaction had been inexplicably declined by the card payment processor, resulting in one of those awkward “computer says no” moments at the checkout.
Text message swiftly arriving to defuse the tension between shop assistant and hopeful customer.
A quick “YES” in response, and the transaction had successfully gone through on the second attempt.
Of course, that didn’t mean it that it wasn’t a scam this time.
A fraudster could have spoofed the originating phone number that the bank used for such messages. It isn’t hard to do. Was I being paranoid after my recent identity theft experience? Possibly.
Curious, I texted back “NO”.
Immediately I received another text message from the number.
“Thanks for confirming that it wasn’t you making the payment. We will call you as soon as we can between 08:00-21:00. Out of these hours please call us on [REDACTED]”
Then my phone began to ring.
Upon answering, I was warmly greeted by a friendly lady with a Scottish accent who claimed to be from the bank’s fraud detection department.
She asked a couple of questions in an attempt to verify my identity.
I responded by asking how I could verify hers?
I had received a cold call from a stranger.
Who was calling from an unfamiliar number.
They sought to confirm my address and memorable information.
To my simple mind, this was exactly the sort of thing a bank fraud prevention officer should be discouraging!
The lady conceded that I had a point. She provided me with a reference number, then told me to look up the contact number for the bank’s fraud line on its website. Then she hung up.
Which left me wondering how hard would it be for a bad actor to modify static content on a bank website? How long would it be before anyone noticed? How many customers would be suckered?
Five minutes later I had called the bank’s fraud number. Had my identity verified. Twice. Supplied the reference number. Now I was once more speaking to the friendly Scottish lady.
She asked whether I had made the purchase that had been declined?
I had not.
She asked whether I knew of anyone else who may have been making a purchase using my account? For example, children making in-game purchases on a computer game, or a spouse sharing an online shopping account with pre-populated payment details.
I did not.
I was pretty sure my kids had not figured out how to turn the Amazon man into Santa Claus. Yet.
Nor had they learned to avoid culinary “Dad-sasters” by ordering home delivery pizza on my account.
The fraud prevention officer checked the account transaction history, and conceded it probably wasn’t me making the purchase attempt.
The only transaction on file that had involved the debit card in question had been the ATM withdrawal, three months earlier.
She apologised for the inconvenience caused, but said the card appeared to have been compromised. It would need to be cancelled, and a replacement issued.
5 days business days without a debit card didn’t bother me overly.
The fact that the card had somehow been compromised troubled me greatly.
Had a burglar broken into my house undetected during lockdown? While we were all home. Found the card. Taken down the details. Attempted a purchase. But not stolen anything. Implausible.
Was the “burglar” one of my kids? My lady wife? The troublesome cat? Possible, but unlikely.
Perhaps the bank had a data leak, or their systems were compromised. It couldn’t be ruled out.
Could one of the staff at the local supermarket where the cashpoint was located have obtained my card details from their CCTV camera footage? Image resolution has come a long way in recent years. Who am I kidding?
Maybe an enterprising thief fitted a card skimmer to the ATM? Harvesting my details as I inserted the new card. It is not unheard of.
Once again the uncomfortable truth was I would likely never learn the answer.
For many years, my father recorded all his usernames and passwords in a little black diary that he carried everywhere he went in his shirt pocket. The key to his banking, brokerage, and tax kingdoms.
This approach had evolved after his house was burgled. Twice.
The first time thieves stole my father’s coin collection. My mother’s engagement and eternity rings. And all their electrical equipment, including computers.
The second time occurred roughly three months later. Shortly after the insurance company had delivered “new for old replacements” for the majority of the items taken in the original break-in. The police said this was a common pattern.
His children tried to persuade him to move to a more secure solution. Arguments ranged from single point of failure to the major inconvenience caused should his diary ever be lost. Stolen. Or wet.
Each Christmas one of us would give him a replacement diary for the next calendar year. He would spend Boxing Day laboriously copying out all the details into the new edition. Our actions enabled his bad habits, but at least he had the old diary as a backup. “Just in case”.
All that changed years later, when we had the misguided idea to hold a surprise party for my father. Seeking to celebrate a milestone birthday or a major life achievement, surrounded by his friends and former colleagues. This was back in those innocent days when doing such things was considered nice, thoughtful even.
Today it would be an egregious and unforgivable violation of personal privacy!
One of us liberated the pocket diary while he was taking a nap, to look up the phone numbers of his best friends, so that we could enlist them as co-conspirators in organising the party. The diary was safely returned before he woke up.
The party was a success. My father had a great time, even tearing up a little while giving a nice speech thanking everyone for helping him celebrate whatever the occasion had been.
Upon learning that his security system had been breached, my father took immediate action. He enlisted the help of one of his friends to set up a password manager on his by then ancient laptop.
All those usernames and passwords were diligently keyed into the software vault, secured by a master password. One password to rule them all.
From that point onwards, password manager browser add-ons allowed anybody with access to my father’s computer to log into any of his online accounts at the click of a button.
He continued to maintain the pocket diary as an offline backup, now including the password to his password manager.
We only discovered after his death that my father had used the same password for his computer and password manager that he had been recycling for years on just about every online account he had ever opened! Choosing convenience over data protection until the very end.
My recent spate of identity theft issues suggests my approach has also been found wanting.
Had I become complacent or lazy?
Chosen convenience over data protection once too often?
Failed to keep abreast of the ever-changing best practices and cybersecurity threat landscape?
The truth is probably a mix of all three.
Purchasing items online follows a fairly standard series of steps, involving both “something you have” and “something you know”.
- Register for an account, typically with your email address.
- Create a password. The “something you know” part.
- Demonstrate you control the email address via responding to a confirmation link. The “something you have” part.
- Supplying a payment method and billing address details.
- The next time you visit, click the “forgot password” link because a material number of repeat customers won’t remember their password. A password reset link will be emailed out, providing an automated means of accessing the account without knowing the password.
The email account is key here. Serving as usernames for most accounts, and also the workflow for resetting a password. Controlling the email account grants control of many of the other accounts. A skeleton key to life.
Therefore it would make sense to reduce the risk of a bad actor gaining control of the email account.
A strong password, unique to the email account, is a practical first step.
Except a strong password is very difficult to remember. So you write it down somewhere.
You decide an electronic “somewhere” is preferable.
However, that “somewhere” then provides an additional vulnerability vector.
So you hide it behind another password. Perhaps inside an Excel file. Or within a password manager.
Being suspicious by nature, you don’t trust these password stores to remain secure from a determined attack . You choose to store only part each password within them. Creating another layer of “something you know” protection by requiring the addition of couple of characters that aren’t written down, before anyone could successfully make use of the content of the password register.
Then you remember that hard drives fail.
Thumb drives containing backups are small and easily lost.
Planned obsolescence means electronic goods like phones and computers get periodically replaced.
You decide to make an offsite backup of your password backup.
The realisation dawns that now not only is your local copy a risk, but so too is your cloud provider.
Your individual account, secured by yet another password, could be compromised in isolation.
Or the cloud provider themselves could be breached en masse. Vulnerable from within to underpaid technical support staff and opportunistic hackers from without.
When does the cycle of risk and mitigation end?
Adopting Two Factor Authentication (2FA) is a pragmatic way of reducing the risk of account capture. This provides a secondary “something you have” challenge.
Some people use their mobile phone number as a 2FA method. A time-limited one-time passcode or link is dispatched whenever somebody attempts to log into your account. Control the phone number, control the access.
This turns your phone handset into a single point of failure, especially if you have your smartphone logged into your email account. Many of us do these days.
Software 2FA token generators remove that SIM porting risk.
Tokens are generated on your device, never transmitted over a network.
Software tokens on phones fail to address the single point of failure risk.
It can also make future handset upgrades a traumatic ordeal. Trying to de-register the 2FA from the old device and re-register it on the new one is a non-trivial undertaking.
Hardware token generators provide another form of resilience. Once again, there is no network transmission of the tokens. This time the device is physically separate from your phone or computer.
Back in the olden days, SecurID tokens were widely used. Until their token generating algorithm on was leaked.
Today the modern-day equivalent of those old fashioned hardware 2FA tokens is a Yubikey.
The strength of a physical 2FA token pattern is you need to be able to physically touch it to use it.
The weakness of the physical 2FA token pattern is you need to be able to physically touch it to use it.
Forget or lose the token, and you are locked out of your account. By design.
Unless you printed out a copy of the backup codes. Which allow you to gain access, via a back door, in the unfortunate event that you lose your physical 2FA key.
It occurs to you that your house is vulnerable to fire or natural disaster, endangering your offline paper-based copy of those backup codes. Or, if you hadn’t bothered with all that password manager and 2FA shenanigans, the piece of paper you wrote down your original strong password upon so that you wouldn’t forget it!
Perhaps a safe deposit box is the answer? Assuming you can still find a provider who is willing to run the risk of having their vault full of illicit items. Trading convenience for physical security.
But what if you need access to the paper-based backup during a bank holiday weekend or while holidaying overseas?
Instead, you fold up that print out. File it away somewhere that feels safe, but remains close by. In your “go-bag” perhaps?
Then you realise that you have reinvented your father’s little black book security setup!
Which would fail the moment the moment the real threats start. A bad actor requesting access by breaking your fingers, or threatening your kids.
- BBC (2020), ‘Dropbox hack ‘affected 68 million users‘
- Cimpanu, C. (2019), ‘Chinese hacker group caught bypassing 2FA’, ZDNet
- Cimpanu, C. (2020), ‘Android malware can steal Google Authenticator 2FA codes’, ZDNet
- Finkle, J., Shalal-Esa, A. (2011), ‘Exclusive: Hackers breached U.S. defense contractors’, Reuters
- Krebs, B. (2020), ‘All About Skimmers’, Krebs on Security
- Kumar, M. (2019), ‘iCloud Possibly Suffered A Privacy Breach Last Year That Apple Kept a Secret’, The Hacker News
- Ponemon Institute (2019), ‘The 2019 State of Password and Authentication Security Behaviors Report‘
- Unger, J. (2017), ‘Thousands of deposit box valuables ‘cannot be traced to owners’, BBC News
- XKCD, ‘Security‘