On Saturday evening 31 Jan 2015, I was the target of a vishing attack. Some smart set of people tried to steal my credit card details. The following things saved me from the fraudsters
- Knowing some basics of credit card (card#, dates, CVV, 3D secure PIN etc.,)
- Knowing the basics of telephone SMS
- All those articles regarding fraud in arstechnica.com
- Social engineering training from siemens
Here is how the whole thing went through. I am going to list the phone conversation here between myself and the fraudster. I have reduced the transcript here for the sake of brevity. The call went close to 20 mins. All of them were very polite and had nice fluency over English. The accent was north Indian.
(lady 1) Fraud: Hello. Am I speaking to Ferose Khan saab. (in hindi)
Me: Yes
(lady 1) Fraud: We are calling from icici bank credit card section. It seems one of your credit card’s 8000 reward points are expiring.
(This is a coincidence that made me trust her. I have 2 ICICI cards and one expired recently. May be that card’s points are expiring with it. Also I had close to 8000 points.)
Me: Yes. I have an icici platinum credit card. is it related to that card?
(lady 1) Fraud: Yes. We will redeem the points for you and send the coupons to your address and credit 5000 reward points since you are our platinum customer.
Me: Okay. But I have changed my address recently. So I am not sure whether that request went through?
(lady 1) Fraud: I will have to transfer you to another agent who deals with address change also.
Me: Okay.
(lady 2) Fraud: Hello sir. It seems you have requested an address change.
Me: Yes.
(lady 2) Fraud: To check that I need to verify your credentials. Can you tell your card number.
Me: 1234 5678 1234 5678
(lady 2) Fraud: Can you tell me the date of expiry?
Me: 11/11
(lady 2) Fraud: To verify your phone number I am going to send an OTP to your mobile and email. Tell me the OTP.
Me: I get an SMS from VM-ICICB “One time password (OTP) for IVR transaction for your card ending with xxxx xxxx xxxx 1234 is 123456.”
(lady 2) Fraud: Can you tell me the OTP.
Me: Yes its 123456. I am a bit confused. Why are you redeeming the points for me. I will be back tomorrow. I can do this on my own.
(lady 2) Fraud: No sir this has to be done now.
Me: Okay. What are the coupons that you are going to send me?
(lady 2) Fraud: Some travel coupons, gift coupons, a free wrist watch, Belt and a branded shoes.
Me: Don’t send those travel coupons. I am not interested in them. There will be a coupon from shopper stop. Can you look it up. That’s what I order normally.
(lady 2) Fraud: (she fumbles a bit and could not answer). Sir actually I am from the verification department. The other department will handle the gift details.
Me: Okay
(lady 2) Fraud: At the back of your card there will be a 7 digit number starting with 1234. Can you tell that number?
Me: But that is my cvv number. Why do you need that?
(lady 2) Fraud: I need that for verification.
Me: No I am not going to give that over phone.
(lady 2) Fraud: So I will transfer the call to my superior.
Me: Okay
(guy 1) Fraud: Hello sir.
Me: I am really irritated now. If my points are expiring why didn’t you call me last month?
(guy 1) Fraud: I am sorry for the inconvenience caused. we tried calling but couldn’t reach you sir.
Me: Okay
(guy 1) Fraud: Are you interested in this automatic redemption service.
Me: yes. do it.
(guy 1) Fraud: Can you verify the card valid from date
Me: 01/01
(guy 1) Fraud: Can you turn your card back and tell me the 7 digit number.
Me: Yes. There is a 7 digit number. But that is the cvv number. I am not going to give that.
(guy 1) Fraud: Sir I am not asking any confidential details here. As per icici your date of birth, mothers maiden name and 3D secure pin are the confidential details. kindly tell me that number
Me: If I give that number then you can go and make a purchase. Its as good as giving my card to you.
(guy 1) Fraud: But that will require your 3D secure pin sir.
Me: But if the store is from out of india for eg amazon.com. You can make a purchase without that PIN.
(guy 1) Fraud: Sir you received an OTP from VM-ICICB just now right. Are you doubting us?
Me: Anyone can send such a message with “from number” being VM-ICICB
(guy 1) Fraud: No sir its not possible.
Me: It is possible. give me a number I can send a similar message.
(guy 1) Fraud: Sir are you interested in this service from us?
Me: Yes I am interested.
(guy 1) Fraud: Then kindly provide that number. Without that I cannot update the system. I will increase your credit limit to X mount sir.
Me: But my credit limit is already more than X.
(guy 1) Fraud: In that case its okay. To send the free gift kindly tell me the number sir.
Me: No I am not going to give that number to you.
(guy 1) Fraud: Sir you are not listening to me sir. That number is cvv “customer verification value”. It is used to verify the customer. Also when you give the card at any merchant location it is visible to all. You need not worry.
Me: No it is a secure information. In my card I have even scrapped that number. I am not going to give that number over phone. If my points will be lost because of that, then let the reward points go to bin. I will cancel the card this monday.
(guy 1) Fraud: Sir. No sir. please don’t do like this. you are an esteemed customer based on your transaction. Kindly allow us to provide this service. Are you interested in this service?
Me: yes
(guy 1) Fraud: Then let me know the cvv number.
Me: No.
(guy 1) Fraud: Thank you sir. Nice talking to you.
(call disconnected.)
There are couple of things that triggered my doubts.
- When I was telling the card number. Typically icici would have this so they don’t repeat them. But in this case she was repeating the number orally. And I felt something wrong.
- Sending an sms from VM-ICICIB can be done very easily with the internet based sms clients. I have done it myself. It doesn’t prove that they are from icici.
- Typically if I don’t provide an information. Icici customer care will cut the call. But here the guys were persistent.
- When I asked for the shopper stop coupon. she fumbled. This too made me think about the genuineness of the call.
- That cvv is not a confidential information.
- They transfer the call suddenly without any need.
- The credit limit stated was less than my current limit.
Mistakes that I did
- I gave the card number to one agent. (they used last four numbers in formatting an OTP)
- To different agents I gave different information. (credit card #, From, To)
- I should have told them to send an email and cut the call.
- I took the call at a wrong time (when we are packing our stuff to return and there are lot of guests returning back). So I was not prepared for it.
- Whenever I ask them some tough question they transfer the call and start over altogether.This irritated me and also made me loose focus.
Some basics
- The information that is printed at the back of the card is secure. Once you get the card memorize the cvv and scrap it.
- In case if someone demands a crucial information over phone. Ask them to send a mail.
- Ask them some questions like your name, address etc and verify them.
- Don’t be in answering mode. This is not a quiz rapid fire round. And if someone calls you you need not validate your identity. It is them who has to validate their identity.
- You won’t know when you will get such a call. Be prepared for it.
- A bank will never take responsibility for such mistakes from your side.
- 3D secure PIN is only for india. So any foreign currency purchase can be done without that.
- cvv is card verification value. This is used to make “card not present” transactions. In places where you cannot enter PIN number this number will be asked for. And the merchant is not suppose to store the cvv number as a part of transaction. That way the card will not be compromised if this data is stolen.
- Some purchases don’t show up in the statement immediately. Also be cautious and check the alert sms sent by banks.
Wish you all safe banking.
–Ferose
Ferose Blog 