"Yeah, right!" You think. Obvious scam, isn't it? You tell the caller to do unmentionable things to a goat. They sigh.

"I can assure you I'm calling from Chase bank. I understand you're sceptical. I'll send a push notification through the app so you can see this is a genuine call."

Your phone buzzes. You tap the notification and this pops up on screen:

This is obviously a genuine caller! This is a genuine pop-up, from the genuine app, which is protected by your genuine fingerprint. You tap the "Yes" button.

Why wouldn't you? The caller knows your name and bank and they have sent you an in-app notification. Surely that can only be done by the bank. Right?

Right!

This is a genuine notification. It was sent by the bank.

You proceed to do as the fraud department asks. You give them more details. You move your money into a safe account. You're told you'll hear from them in the morning.

Congratulations. You just got played. Scammers have stolen your life savings.

How the scam works

This is reasonably sophisticated, and it is easy to see why people fall for it.

1. The scammer calls you up. They keep you on the phone while...
2. The scammer's accomplice calls your bank. They pretend to be you. So...
3. The bank sends you an in-app alert.
4. You confirm the alert.
5. The scammer on the phone to your bank now has control of your account.

Look closer at what that pop is actually asking you to confirm.

We need to check it is you on the phone to us.

It isn't saying "This is us calling you - it is quite the opposite!

This pop-up is a security disaster. It should say something like:

Did you call us?

If someone has called you claiming to be from us hang up now

Yes, I am calling Chase - No, someone called me

I dare say most people would fall for this. Oh, not you! You're far too clever and sceptical. You'd hang up and call the number on your card. You'd spend a terrifying 30 minute wait on hold to the fraud department, while hoping fraudsters haven't already drained your account.

But even if you were constantly packet sniffing the Internet connection on your phone, you'd see that this was a genuine pop-up from your genuine app. Would that bypass your defences? I reckon so.

Criminals are getting increasingly good at this. Banks are letting down customers by having vaguely worded security pop-up which they know their customers don't read properly.

And, yes, customers can sometimes be a little gullible. But it is hard to be constantly on the defensive.

Further reading

You can read the original story from the victim on Reddit. See more comments on Mastodon.

A piggy bank is close to perfect security. If you are seven and your adversary is a younger sibling.

Storing your own money is a mug's game. Having a fiver on you for emergencies might be sensible - but stuffing cash under your mattress is not advisable. Loss, theft, and fire are all real concerns.

The world is moving away from cash. Just before the pandemic, I went a year without using cash. Since then, I haven't withdrawn any notes.

Holding on to cash is like running your own bank. You have to check that the money you're given isn't counterfeit, store it safely, insure against loss, protect against theft, project future needs, etc. It is a massive faff.

So people use banks. In the UK, they're mostly free. I give an institution my money and, due to a combination of their size, insurance, and regulators, I'm confident that my money will still be there tomorrow. They are unlikely to give me fake notes, and they can refund me if I've been defrauded. I trust them.

Enter the crypto-dudes with their plaintive cry "But I shouldn't have to trust anyone!"

Sure. I fully support your right to get paid in cash and to store all of it in a lockable box guarded by your dog.

But don't come running to me when the dog eats all over your notes and shits them out in the middle of nowhere.

As Moxie wrote a few weeks ago that most people don't want to run their own servers. I'm a massive nerd and run a few servers. And it is a pain in the arse! This website runs on someone else's cloud infrastructure so it doesn't break too often. I don't have the time, energy, or skill to securely run important servers all by my self.

Do people want to manage their own cryptographic keys? I doubt it. It's complicated and fragile.

The complexity can be magically managed away with better technology and usability. Up to a point. You no longer need a degree in electronics to tune in to a radio station. But look at the number of people who don't know how to re-tune their car radio's presets.

So people will gather around big institutions. Those which have the funds, insurance, and regulatory oversight to provide a reasonable degree of trust.

Sure, some people will hold on to their own cryptokeys - just like some people only want to be paid in cash. But, just as now, they'll be the minority.

There's an inherent fragility built into cryptocurrencies. If your physical bank notes are damaged, the bank will replace them. If you are defrauded, the bank will reimburse you. If your loved one dies, and you inherit their assets, the bank is legally obliged to give you access.

Cryptocurrency has none of that.

• If your hardware wallet or keys are destroyed, you've lost everything.
• If you are defrauded, you've lost everything.
• If your loved one dies and didn't give you access, you've lost everything.

Would you carry around your life savings in your wallet? Would you store everything of value in your home in a safe? Would you want to run your own banking infrastructure?

I doubt it.

The "not-your-keys-not-your-crypto" folk want us to return to an almost prehistoric means of storing and transporting money. Thankfully, most people realise how backwards that is.

Barclays bank knows that customers are worried about this. So they've produced a handy website where you can see if a telephone number belongs to Barclays.

Because no one knows how to build a sensible web service any more, the page loads a 1.3MB JSON file containing every number that Barclays has.

barclays.co.uk/content/dam/json-files/TelephoneNumberChecker_26_03_2021.json

Over 74,000 numbers...

To be fair, Barclays does use a large number of prefixes for its phone numbers. But surely this could be handled in a more sensible way, like a regex?

Mind you, the service doesn't even work if you use the +44 prefix

Nor if you accidentally include some trailing punctuation Nor if you format it with dashes

So a regex might be a bit beyond them.

Now, in fairness, the site does say that just because a number appears to come from them - doesn't mean it is them.

And, looking at the file name of the JSON file, it appears to be recently updated. Which is good, I guess. Although I still think it is weird to give fraudsters a list of every single number in your range.

But, seriously, why not POST the number to a service which can be updated? Wouldn't that make more sense than slowly downloading the nine billion names of god seventy-four thousand numbers of Barclays?

Thanks to The AntiSocialEngineer and Robert Schifreen for pointing this out.

The most top-notch ones let me log on to their website, fill in a form, and all the address changes are made.

A few required me to ring up and speak to a human being, which was a little annoying, but not the end of the world.

Only one company insisted that I write them a letter. Co-Op Business Banking. Despite having a moderately competent website, they couldn't process a change of address online. Their phone staff were equally insistent that I buy a stamp, find a post box, and make one of their minimum-wage staff copy-type my details in manually.

Forget that noise. This is what I sent them.

Oh, and I copy-and-pasted a scan of my signature. Because that proves it's me. Right?

They didn't write back, but they did change my address. Which was nice.

Oh...

On the back page of the 25 February 2011 edition of the City AM newspaper, is this lovely specimen. Thankfully, City AM have placed their paper under CC BY NC.

Let's take a zoom in on the code and the instructions that accompany it.

You Know What's Coming Next, Don't You?

I knew, before I even scanned in this code what the result would be. I bet you do too.

Just... why bother? How much of our money did this atrocity cost? A full-fat web page that's expensive to download, slow to render, complicated to navigate, and generally useless.

RBS - rather than paying millions in fines for your rotten practices and investing in the highly polluting Tar Sands project - why not spend a few quid on a decent mobile website?