So a very interesting thing happened today. I was a ‘potential’ telephone scam victim. I was sitting in my research lab working on my project and suddenly my I get a call on my phone with the caller ID being displayed as “UNKNOWN”. Being a cyber security researcher I really get excited when I get such calls and I make sure not to miss such calls. 🙂
I picked up the call and a computerized female voice tells me very politely that my debit card has been blocked and if I wanted to reactivate it I need to ‘Press 1’. So the things to note here are that the call is from an unknown number and the AI did not say the name of the bank; clear signs of a phone scam to obtain my information.
So I went along with the scam just to see how is it designed and what flaws does it have if any. I pressed ‘1’ and the AI asked me to enter my 16 digit debit card number followed by the pound (#) sign. At first I entered random 16 digits just to see how the AI responds. As I had expected, the response was that the card number entered is invalid. Every card number has the first six-digits as Issuer Identification Number (IIN), which identifies the financial institution.
So in the next attempt, I used the first six digits of my Bank of America debit card followed by ten random digits. Yes, it expected the numbers this time and asked me for my card expiration month and year. I entered random 4 digits again and at this point it did not check the validity of the input and accepted my response as is. Then the AI asked me for my 4-digit debit card personal identification number (PIN) as the final verification step to reactivate my account. I again responded with four random numbers (1234).
Voila!!! My card was reactivated and no further action was required from my end.
People please beware of such scams and make sure you do not disclose any information to such scammers. After the Equifax breach, it is good to stay more alert as information obtained using such scams can be combined with your social security numbers and other details to conduct more fraudulent activities and social engineering attacks.