TSB banking alert

  • #21179
    Bob Williams
    Participant
      @bullstuff2
      Forumite Points: 0

      Applies to TSB customers, who really do not need this krap at this moment in time:

      From Lincolnshire police:

      TSB Port Out Alert

      There has been an increase in reports made in May by TSB customers relating to “port-out” fraud. Fraudsters are number porting a victim’s telephone number to a SIM card under their control and then using the number to access the victim’s bank accounts.

      The increase in the number of reports corresponds with the timing of TSB’s computer system update, which resulted in 1.9 million users being locked out of their accounts. Opportunistic fraudsters are using TSB’s system issue to target individuals, which follows the increase in phishing and smishing communications also targeting TSB customers this month. Victims’ bank account and personal details including their phone number are collected by the fraudster, providing them with the information to execute the fraud.

      Number porting is a genuine service provided by telecommunication companies. It allows customers to keep their existing phone number and transfer it to a new SIM card. The existing network provider sends the customer a Port Authorisation Code (PAC), that when presented to the new provider allows the number to be transferred across. This service can, however, be abused by fraudsters.

      To gain control of the victim’s phone number, fraudsters convince the victim’s mobile phone network provider to swap their number on to a SIM card in the fraudster’s control. Once the fraudster has control of the number they are able to intercept the victims’ text messages, allowing them to use services linked to the victim’s phone number. This can include requesting an online banking password reset or access to any two factor authentication services.

      Victims have reported large losses as a result of this fraud. One victim initially dismissed text messages received from their network provider containing a PAC number. Two days later £6,000 was removed from the victim’s TSB current account. The victim subsequently contacted their phone provider and was informed that someone contacted the provider purporting to be the victim and had cancelled their contract and transferred their number to a new SIM. This action allowed the banking fraud to take place.

      Protect Yourself:

      PAC Code notifications

      If you receive an unsolicited notification about a PAC Code request, contact your network provider immediately to terminate the request. Also notify your bank about your phone number being compromised.

      Clicking on links/files:

      Don’t be tricked into giving a fraudster access to your personal or financial details. Never automatically click on a link in an unexpected email or text. Remember, criminals can spoof the phone numbers and email addresses of companies you know and trust, such as your bank.

      Requests to move money:

      A genuine bank or organisation will never contact you out of the blue to ask for your PIN, full password or to move money to another account.

      Port-out Fraud versus SIM Swapping

      Port-out fraud is often incorrectly referred to as SIM swap fraud. SIM swap fraud works in a similar fashion, however, instead of porting the victim’s number to a new network provider, the fraudster impersonates the victim and requests a new SIM card for their account. Once they have access to the new sim, they have access to the number.

      Message Sent By
      Action Fraud (Action Fraud, Administrator, National)

      When the Thought Police arrive at your door, think -
      I'm out.

      #21213
      The Duke
      Participant
        @sgb101
        Forumite Points: 5

        This is interesting, and a good(ish) way to circumvent 2 factor authentication, given its basic fallback feature is an SMS.

        To combat this and make your 2 factor as strong as it can be, use a proper authenticator app. There are a few good ones; Authy is one and Google’s own authenticator is good. You can use both to run all (most) 2 factors through.

        Though most normal peeps wouldn’t have a clue it existed, never mind how to set it up.

        HSBC does a sort of good login process for non tech people, a dongle that produces a unique sign in code every time. It’s identical to Google’s and the rest’s authenticator, only HSBC’s is a physical device and not phone/pc based.

        #21238
        Bob Williams
        Participant
          @bullstuff2
          Forumite Points: 0

          I don’t bank using the mobile or any other device than this desktop, or my missus’ laptop. I just don’t trust it and have no valid reason why. If we can’t bank online with the desktop or laptop, the very good branch is just a couple of miles away.

          When the Thought Police arrive at your door, think -
          I'm out.

          #21253
          Bob Williams
          Participant
            @bullstuff2
            Forumite Points: 0

            Reviving this Thread because I found this:

            http://tinyurl.com/yc9zwmjj

            – which explains Sim Swap. If you know how it works, you know where it lurks…

            I just made that up.

            When the Thought Police arrive at your door, think -
            I'm out.

            #21254
            Richard
            Participant
              @sawboman
              Forumite Points: 16

              Authentication that uses the mobile network as one of its props is useless for many. Mobile reception is just too hit or miss. Most of the time there is no usable or reliable reception so all transactions would be prone to fail. Add in the risk of SIM card changing by crooks and the whole shebang starts to fall apart. I guess if you had an otherwise unknown mobile used only for finance; something could be worked out. However it is unlikely that I would seek to deal with my finances in a location chosen only because it had mobile access; bus shelters anyone?

              Having said that I do start to worry about the capabilities of TSB to ever get its mess sorted out, or should I say its misguided Spanish parent to realise what a major screw up they have wrought. While it is not for me to suggest that they are amateurs, they are not. They have done this sort of thing before, but with smaller banks in different fields.

              All in all the effect will be to polarise people into those who will continue as they were with internet banking via and those who feel that the risks, complexities and threats are too much for them to handle. We now have stark evidence of those risks being publicised every day by TSB’s victim customers.

              Personally this is a shame, I had wondered about transferring from the branch of NitWit bank that I have used since the 1960s to TSB and the idea was front of mind only a few days before Sabadell started their train wreck. I had a previous relationship with the Lloyd’s now TSB in the village/town* and had found it convenient. The staff were friendly and helpful.

              *It is really only a village but has a town charter.

              #21256
              The Duke
              Participant
                @sgb101
                Forumite Points: 5

                Authenticator apps don’t use the Internet/mobile signal to work. Your app and the online codes are time synced at time of set up, and run forever.

                Though if you had no signal, you wouldn’t be online anyway. So it wouldn’t be an issue.

                Back to the op, it’s not just banks that this is an issue with. Actually, it’s the eBay and Amazons of the world where the op’s trick would work best.

                Bob, unless you know your wifi is fully secured, it’s actually safer to use the bank’s app over the cellular signal. Never do anything remotely related to cash on a random wifi link. If you go out the house, you should have a proxy auto turn on (via GPS or when the phone can’t see your home/work wifi). That way if you do ever accidentally join a public wifi, like maccies or costas, you’ll still be safe.

                Proxy proxy proxy.

                #21257
                  Bob Williams
                Participant
                  @bullstuff2
                  Forumite Points: 0

                  It’s all fully secured Steve and I don’t bank using a mobile, don’t have to. Missus uses her laptop to bank and I use this desktop, we can reach the branch easily. IT specialist & network engineer gson has made sure everything is fully secured, although I have just changed my passwords and other details, I do it at irregular intervals. The annoying thing about TSB (and other sites) is that they don’t accept any other characters but lower and upper case letters and numbers in passwords. I like sprinkling a few odd symbols about.

                  Yesterday morning I had someone “shoulder surfing” at an ATM. Before even inputting my card, I gave him my best snarl and an invitation to ‘go away’ which he did, accompanied by stares from two more people waiting. Complete stranger to them both, they said. That’s his pitch ruined, bet he finds another.

                  When the Thought Police arrive at your door, think -
                  I'm out.

                  #21258
                    Richard
                  Participant
                    @sawboman
                    Forumite Points: 16

                    Steve, I said it’s a polarising issue. I see the passkey generator is of value, all other things being equal, as I used a stand-alone one twenty years ago to access a corporate network. I do my financial work at home where the records live and so do I for most of the time.

                    If the number generators work, why are authorisation codes sent out via insecure SMS links? The point is that TSB’s performance decreases, not increases, confidence in the banking.

                    I hold multiple cards and bank accounts in case one goes AWOL why change? Also all banks need to update their systems so I look forward to more problems.

                    Bob, in a case like your shoulder surfer I wish I had the nerve to photograph them at their work.


                    #21262
                      The Duke
                    Participant
                      @sgb101
                      Forumite Points: 5

                      That’s the weak link Richard. But that is the fallback option of dual factor. If you use a proper authenticator (app based or physical) the numbers are generated client-side, so no need for the SMS. Both SMS and email are only meant as the fallback option.

                      #21269
                        Richard
                      Participant
                        @sawboman
                        Forumite Points: 16

                        That’s the weak link Richard. But that is the fallback option of dual factor. If you use a proper authenticator (app based or physical) the numbers are generated client-side, so no need for the SMS. Both SMS and email are only meant as the fallback option.

                        OK, that makes more sense.

                        #21271
                          The Duke
                        Participant
                          @sgb101
                          Forumite Points: 5

                          The issue is Richard, most, no all, normal folk, will just use the fallback option. Authenticator apps are simple enough to set up but more effort than any normal folk will be bothered doing. So they will just opt for sms or email both better than nothing, but not the best.

                          #21272
                            Richard
                          Participant
                            @sawboman
                            Forumite Points: 16

                            Yes Steve, ease of use is always the killer application and to hell with the consequences. I always used the accounts department staff for testing, they knew nothing, understood less and would always find the issues no one else would ever find. The result back then was a better product, I guess the same applies to security, if it is too hard to use, you need to find out why and how to stop the abusers, gracefully.

                            #21300
                              The Duke
                            Participant
                              @sgb101
                              Forumite Points: 5

                              Yes, simplicity always eventually trumps security. People are naturally lazy.

                              Though now 10 plus years into LastPass usage, I don’t know how I’d cope without it. Well I do, I’d have probably 3 passwords I’d use everywhere!

                              I say to the in-laws, just write all your pw down in your diary, far safer to have unique passwords, albeit written down, than one or two you use everywhere.

                              I have pages of people’s, friends’ and families’, passwords, bank accounts, all kinds, all stored in my LastPass vault. As I learned long ago, normal people just don’t remember or record security stuff.

                              Then when it breaks, it will be given to me to fix, with zero usernames or pws. So for years, I’d record all user and pw, and make a clone (Clonezilla) before I’d give them the pc back.

                              Since 7, I’ve dropped the cloning approach. 1. I don’t do pc family support no more, and 2. I’ve not seen a real use for CZ, it’s simple enough to blow it away and start again. If the owner hasn’t backed up, that’s their issue. If I’ve fixed something of yours before, I will have informed them of backing up. So if they ever come back, it’s on them if their data is gone once the pc/phone is fixed.

                              #21318
                                Bob Williams
                              Participant
                                @bullstuff2
                                Forumite Points: 0

                                I have an A5 book that I made myself from a cheap plastic A5 ring binder and Landscape A4 pages, which I cut centrally, to make 2 Alphabetised A5 pages. I used Open Office to design the pages, type out all my passwords, reference details and short “Help” files into text boxes which expand with more typing. I used 3 layers of sellotape along punch holes to stop the pages tearing. As I produce new/changed passwords, I cross out the old, write out the new and later print 1 new page. The small A5 book is easy to hide from prying eyes. I have the page templates in a folder on my desktop.

                                Firefox saves passwords if you ask it, so I occasionally trawl through Saved Passwords in FF and delete the old stuff.

                                When memory starts to fail later in our lives, we need all the help we can get!

                                When the Thought Police arrive at your door, think -
                                I'm out.

                                #21325
                                  Richard
                                Participant
                                  @sawboman
                                  Forumite Points: 16

                                  I made a list a while back and must reprint it again to show the changes. Wife’s daughter’s and my passwords all get recorded. They should go in the safe, but times are a bit hectic at the moment.

                                  #21331
                                    Ed P
                                  Participant
                                    @edps
                                    Forumite Points: 39

                                    I keep all my passwords in KeePass II, and the master password for that is Dymo-taped onto my monitor surround. I’m too aware that I’m rapidly approaching the male UK mean life expectancy so it would be stupid to try and conceal anything my wife and family may need without warning.

                                    I also take Bob’s comment of failing memory on board as well. I have recently witnessed a neighbour go from bright as a button to raving psychopath within a space of just six months. (I’d guess a tumour or the like may have been involved).

                                    #21348
                                      The Duke
                                    Participant
                                      @sgb101
                                      Forumite Points: 5

                                      I have opted into Google’s dead man policy. If I don’t login to my Gmail for a given time (set mine to 3 months), they will email your chosen recipient (wife for me), and give them access to all your Google stuff.

                                      Within the email is my LastPass password, and instructions for “what needs doing” given I’m probably dead. Basically it’s a bit of financial stuff, and access to all the family photos.

                                      Each year Google emails me to check I still want to be in the system; also it acts as a good reminder to update any info within.

                                      It’s defo worth setting up. Official name is Inactive Account Manager.

                                      https://myaccount.google.com/u/0/inactive

                                      #21356
                                        Richard
                                      Participant
                                        @sawboman
                                        Forumite Points: 16

                                        Steve, interesting since a GP tablets review visit went in a direction I was not expecting. It is probably nothing but one never really knows the shape of tomorrow.

                                        #21357
                                          JayCeeDee
                                        Participant
                                          @jayceedee
                                          Forumite Points: 230

                                          I have opted into Google’s dead man policy. If I don’t login to my Gmail for a given time (set mine to 3 months), they will email your chosen recipient (wife for me), and give them access to all your Google stuff. Within the email is my LastPass password, and instructions for “what needs doing” given I’m probably dead. Basically it’s a bit of financial stuff, and access to all the family photos. Each year Google emails me to check I still want to be in the system; also it acts as a good reminder to update any info within. It’s defo worth setting up. Official name is Inactive Account Manager. https://myaccount.google.com/u/0/inactive

                                          Steve – thanks for that reminder. You had mentioned it before and I had meant to set it up, but it had been forgotten among all the other day to day carp!! It’s a very useful way to get info across to our son in the event……………..?

                                          #21360
                                            Bob Williams
                                          Participant
                                            @bullstuff2
                                            Forumite Points: 0

                                            Thanks Steve, I will set that up myself when I return from chemo later today. What a useful tip, in view of how my life has gone lately.

                                            Cheers mate!

                                            When the Thought Police arrive at your door, think -
                                            I'm out.
