
TOT: HSBC scam letter


Bill Wright

Sep 11, 2012, 8:20:50 PM
The bloke who collects scrap metal round here was telling me he'd had a
letter purporting to be from HSBC bank plc. It said that someone had
attempted to access his account on the phone, but failed to 'complete
our security procedures'. So would he fill in the form giving his name,
address, passwords, etc. The whole package was apparently very
convincing, including a handsome HSBC brochure detailing the firm's
services.

There is, however, one big give-away. He doesn't bank with HSBC.

About a week later my aunt rang. "I've had a letter from the bank..."
She'd taken the letter into town and shown it to HSBC where she banks.

The clerk had looked at it, then consulted her computer, then said,
"Yes, someone attempted to access your account at 5.21am on the 6th, but
they failed to give the password."

My aunt has never used telephone banking; in fact she didn't know there
was such a thing. However the clerk said that she was all set up for it.
Aunty came away confused. I've suggested that she goes back to the
branch and asks for the password details, to see if that reveals anything.

Bill

harry

Sep 12, 2012, 2:40:52 AM
So presumably there was a return address (to send in the completed
form)?
Sounds a bit anecdotal.
Did he go to the police with it?

Lobster

Sep 12, 2012, 2:53:27 AM
On 12/09/2012 07:40, harry wrote:
> On Sep 12, 1:20 am, Bill Wright <b...@invalid.com> wrote:
>> The bloke who collects scrap metal round here was telling me he'd had a
>> letter purporting to be from HSBC bank plc. It said that someone had
>> attempted to access his account on the phone, but failed to 'complete
>> our security procedures'. So would he fill in the form giving his name,
>> address, passwords, etc. The whole package was apparently very
>> convincing, including a handsome HSBC brochure detailing the firm's
>> services.
>>
>> There is, however, one big give-away. He doesn't bank with HSBC.
>>
>> About a week later my aunt rung. "I've had a letter from the bank..."
>> She'd taken the letter into town and shown it to HSBC where she banks.
>>
>> The clerk had looked at it, then consulted her computer, then said,
>> "Yes, someone attempted to access your account at 5.21am on the 6th, but
>> they failed to give the password."
>>
>> My aunt has never used telephone banking; in fact she didn't know there
>> was such a thing. However the clerk said that she was all set up for it.
>> Aunty came away confused. I've suggested that she goes back to the
>> branch and asks for the password details, to see if that reveals anything.

> So presumably there was a return address (to send in the completed
> form)?
> Sounds a bit anecdotal.
> Did he go to the police with it?

In both cases it sounds to me like the letters would have been genuine,
ie a response by the bank to an attempt to hack in to the account; and
that the scrappie's recollection that the form asked for his actual
password was wrong (I'm not with HSBC myself, but I suspect more likely,
he was asked for a new password so they could reset it?)

Certainly, compared with e-mail spamming (which costs a tiny fraction of
a penny per contact to send, and only needs a minuscule 'hit' rate to
succeed), it seems highly cost-ineffective.

David




Nightjar

Sep 12, 2012, 2:51:54 AM
Local radio was warning people about bogus attempts to get password
details from HSBC customers a couple of weeks ago and there are similar
warnings on their internet banking web sites. The usual rules apply -
they will never ask for your password or log on details.

Colin Bignell

Martin Brown

Sep 12, 2012, 3:11:39 AM
On 12/09/2012 01:20, Bill Wright wrote:
> The bloke who collects scrap metal round here was telling me he'd had a
> letter purporting to be from HSBC bank plc. It said that someone had
> attempted to access his account on the phone, but failed to 'complete
> our security procedures'. So would he fill in the form giving his name,
> address, passwords, etc. The whole package was apparently very
> convincing, including a handsome HSBC brochure detailing the firm's
> services.
>
> There is, however, one big give-away. He doesn't bank with HSBC.

Was it addressed to him though? HSBC seem to be a bit prone to having
customers that forget to move their credit cards when they move home or
more accurately a system that holds two contact addresses - which can
lead to an old one being used for emergency contact notification!!!

I had one addressed to a Mr G Brown at my address having lived here for
most of fifteen years. I got notified of a dodgy transaction on an HSBC
credit card I knew nothing about. Suspecting stolen identity I took it
to the bank only to discover that a previous resident had been a Mr G
Brown (no relation) and that his HSBC credit card had very recently been
compromised. They acted to alter his credit card contact address - there
must be two since I never saw any of his credit card statements.

Another interesting gotcha with the "Barclaycard (In)Secure" card
protection service when you move house is that you have to notify the
(hidden) provider of your change of address or you will be charged in
perpetuity for a service that sends a complete list of all your old
credit cards to your former address and charges you for this so called
"service". When challenged they cite the data protection act.

> About a week later my aunt rung. "I've had a letter from the bank..."
> She'd taken the letter into town and shown it to HSBC where she banks.
>
> The clerk had looked at it, then consulted her computer, then said,
> "Yes, someone attempted to access your account at 5.21am on the 6th, but
> they failed to give the password."
>
> My aunt has never used telephone banking; in fact she didn't know there
> was such a thing. However the clerk said that she was all set up for it.
> Aunty came away confused. I've suggested that she goes back to the
> branch and asks for the password details, to see if that reveals anything.

They can't give her the password only force a reset and send her a new
initiation code. HSBC online banking requires a magic widget and as such
is relatively secure unless the token is physically stolen. They also
recommend you use Rapport anti-key logging software (but I have a
suspicion that it destabilises IE9 even more than it is already).

--
Regards,
Martin Brown

Martin Brown

Sep 12, 2012, 3:21:32 AM
Or so they say. They should never do it especially for PIN & password.
When you ring them some do ask for a pair of letters from it.

But it doesn't stop them from cold calling and demanding me to prove my
identity to them (I refuse and we get a nice off script bind). I always
assume that anyone ringing me about banking is a hostile player. IF they
will tell me what it is about I will ring them back on a published
number and if they won't I instruct them to put it in writing and
remember that all calls are recorded for "Training Purposes".

And they will never send you links to their site in an email either -
don't make me laugh, they do it all the time. They will do anything to
generate more income from their suckers^d^d^d^d^d^ customers.

Interest rates are a whopping 0.01% on some accounts now.

--
Regards,
Martin Brown

Paul D Smith

Sep 12, 2012, 3:33:32 AM
...snip...

Not sure about this HSBC one but there were some "rather good" scam letters
circulating where I live recently claiming to be in relation to wills for
relatives in Asia. One was sent to my elderly neighbour who had indeed
served in Asia during WW2 and the letter named a relative correctly,
although the name was a common one so it could have been a guess.

It had all the smell of a scam though, as it proved to be when a work
colleague received an identical letter (different recipient and relative's
names) a few days later.

So if you're "in the know" not too hard to spot, but given it was a well
typed, grammatically correct letter with enough detail to seem plausible, it
did get my neighbour thinking. Fortunately he asked me first but I'll bet
some in his position wouldn't have.

Paul DS.

WCZ

Sep 12, 2012, 4:00:59 AM
>They can't give her the password only force a reset and send her a new
>initiation code. HSBC online banking requires a magic widget and as such is
>relatively secure unless the token is physically stolen. They also
>recommend you use Rapport anti-key logging software (but I have a suspicion
>that it destabilises IE9 even more than it is already).

I've had that Rapport thing installed for quite some time on the VM I only
use for internet banking. Doesn't appear to have caused any issues with
IE9.

--

WCZ

Dave Liquorice

Sep 12, 2012, 4:03:47 AM
On Wed, 12 Sep 2012 01:20:50 +0100, Bill Wright wrote:

> The bloke who collects scrap metal round here was telling me he'd had a
> letter purporting to be from HSBC bank plc. It said that someone had
> attempted to access his account on the phone, but failed to 'complete
> our security procedures'. So would he fill in the form giving his name,
> address, passwords, etc. The whole package was apparently very
> convincing, including a handsome HSBC brochure detailing the firm's
> services.

If there is one thing a bank will never ask for in a scam e- or
snail-mail it's a password. Though having said that Coventry Building
Society do something odd but their login system is so complicated I've
forgotten all the bits required to do it.

> The clerk had looked at it, then consulted her computer, then said,
> "Yes, someone attempted to access your account at 5.21am on the 6th,
> but they failed to give the password."
>
> My aunt has never used telephone banking; in fact she didn't know there
> was such a thing. However the clerk said that she was all set up for
> it. Aunty came away confused. I've suggested that she goes back to the
> branch and asks for the password details, to see if that reveals
> anything.

They won't (or shouldn't!) give them to her. I suggest she goes to the
bank and gets them to disable telephone and online banking as she doesn't
use them and they are now an obvious security risk. Also take a letter
(and keep a copy) stating that and give it to them as well as talking to
them to get the access disabled. The letter is so that if her account
does get hacked, she can point at the letter and say "How? Give me all my
money back."

--
Cheers
Dave.



Nightjar

Sep 12, 2012, 4:19:44 AM
On 12/09/2012 08:21, Martin Brown wrote:
> On 12/09/2012 07:51, Nightjar wrote:
...
>> Local radio was warning people about bogus attempts to get password
>> details from HSBC customers a couple of weeks ago and there are similar
>> warnings on their internet banking web sites. The usual rules apply -
>> they will never ask for your password or log on details.
>
> Or so they say. They should never do it especially for PIN & password.
> When you ring them some do ask for a pair of letters from it.

I have an entirely separate security password for use when speaking to
them on the telephone.

> But it doesn't stop them from cold calling and demanding me to prove my
> identity to them (I refuse and we get a nice off script bind).

Technically, it isn't a cold call, as you deal with them. However, my
account is annotated that I don't want sales calls and I don't get any.

> And they will never send you links to their site in an email either -
> don't make me laugh, they do it all the time.

Again, at my request, they don't send me emails either.

Colin Bignell



Alan Braggins

Sep 12, 2012, 4:33:39 AM
In article <RgW3s.13157$CU7...@fx02.am4>, Lobster wrote:
>> On Sep 12, 1:20 am, Bill Wright <b...@invalid.com> wrote:
>>> The bloke who collects scrap metal round here was telling me he'd had a
>>> letter purporting to be from HSBC bank plc.
[...]
>>> There is, however, one big give-away. He doesn't bank with HSBC.
[...]
>In both cases it sounds to me like the letters would have been genuine

Genuine letter from a bank he doesn't have an account with?

Possible if someone stole his identity to set up the account, I suppose,
in which case he really needs to talk to the bank....

Man at B&Q

Sep 12, 2012, 5:34:11 AM
According to IT staff at work Rapport is a pain in the a**e.

MBQ

Man at B&Q

Sep 12, 2012, 5:36:07 AM
On Sep 12, 9:13 am, "Dave Liquorice" <allsortsnotthis...@howhill.com>
wrote:
> On Wed, 12 Sep 2012 01:20:50 +0100, Bill Wright wrote:
> > The bloke who collects scrap metal round here was telling me he'd had a
> > letter purporting to be from HSBC bank plc. It said that someone had
> > attempted to access his account on the phone, but failed to 'complete
> > our security procedures'. So would he fill in the form giving his name,
> > address, passwords, etc. The whole package was apparently very
> > convincing, including a handsome HSBC brochure detailing the firm's
> > services.
>
> If there is one thing a bank will never ask for in a scam e- or
> snail-mail it's a password. Though having said that Coventry Building
> Society do something odd but their login system is so complicated I've
> forgotten all the bits required to do it.

I think that's the one with the grid of letters and numbers that you
have to quote from.

MBQ

Davey

Sep 12, 2012, 5:36:27 AM
I agree, that sounds like the best advice of all. If she doesn't need it
or want it, have it permanently disabled, and the creator of the
access will be denied any use of it. The bank should also try to catch
him when he does try, at least by noting where he 'phones from.
I recently had a new Debit card issued to me from HSBC, they wouldn't
tell me why, just gave the impression that a bunch of account details
had been compromised. I didn't notice that news on the TV News.
--
Davey.

Man at B&Q

Sep 12, 2012, 5:37:36 AM
On Sep 12, 8:21 am, Martin Brown <|||newspam...@nezumi.demon.co.uk>
wrote:
So change to a bank that has a clue, and don't leave money lying
around in a non-interest paying current account. A lot of people are
their own worst enemies when it comes to money management.

MBQ


David Taylor

Sep 12, 2012, 5:48:02 AM
On 2012-09-12, Davey <da...@example.invalid> wrote:
>
> I recently had a new Debit card issued to me from HSBC, they wouldn't
> tell me why, just gave the impression that a bunch of account details
> had been compromised. I didn't notice that news on the TV News.

It happens frequently, and is often reported somewhere, if not on the
mainstream TV news channels.

Usually it is because the bank has learned (possibly through patterns
of fraud) that a particular merchant has been compromised, and they
re-issue cards to any customers who have transacted with them during
the relevant period.

--
David Taylor

Roderick Stewart

Sep 12, 2012, 5:51:55 AM
In article <1KW3s.2741$is1....@newsfe23.iad>, Martin Brown wrote:
> > Local radio was warning people about bogus attempts to get password
> > details from HSBC customers a couple of weeks ago and there are similar
> > warnings on their internet banking web sites. The usual rules apply -
> > they will never ask for your password or log on details.
>
> Or so they say. They should never do it especially for PIN & password.
> When you ring them some do ask for a pair of letters from it.

If *you* call *them* the situation is entirely different, because you will
have used a bona fide phone number so you know who you are talking to. The
golden rule is never to forget who initiated the call. If *they* called
*you*, no matter how pleasant they sound or whatever they're offering, you
must assume you don't know who they are (unless you recognise the
individual from a previous call of course).

One of the ploys of some cold-callers is to keep you talking (extolling the
merits of whatever they're trying to flog) for a so long that by the time
they ask for your details they hope you'll have forgotten that you don't
know them from Adam.

Rod.
--

Brian Gaff

Sep 12, 2012, 5:57:43 AM
Maybe its an inside job.

Brian

--
Brian Gaff....Note, this account does not accept Bcc: email.
graphics are great, but the blind can't hear them
Email: bri...@blueyonder.co.uk
______________________________________________________________________________________________________________


"harry" <harol...@aol.com> wrote in message
news:3993a2df-ef96-41bf...@y12g2000yqg.googlegroups.com...

Davey

Sep 12, 2012, 6:01:04 AM
It happened to my Citibank card in the US at least three times, but
each time, it was part of a big news item, I was one of thousands, if
not more, each time. This was the first time it has happened to me in
two years in the UK, so I was expecting similar news coverage. I asked
for more details, but they referred me to the HSBC Fraud Squad, and I
haven't got round to contacting them yet. I am expecting it to be
linked to some particular merchant, but since they haven't told me
such, hopefully the issue is sorted now. I can't steer clear of the
merchant if I don't know who it is.
I also read that the HSBC account card can be de-coded/by-passed, by
somebody serious enough. I personally preferred the older system
whereby you had a long series of digits, and you needed to enter
three specific digits when requested; with this card thingy, I can't get
access if I don't have it with me. Pros and cons, as always.
--
Davey.

Bill Wright

Sep 12, 2012, 12:29:58 PM
harry wrote:

> So presumably there was a return address (to send in the completed
> form)?
> Sounds a bit anecdotal.
> Did he go to the police with it?
I've now seen the paperwork. The return envelope is addressed to a
Coventry box number. The only mistake in the whole thing is that 'Box'
is given as 'Pox'.

Bill

Phil Cook

Sep 12, 2012, 1:58:02 PM
Hmm, speaking as a postie, I wonder if the IB would be interested. The
IB is the Post Office Investigation Branch. Normally they will claim to
be "transparent" meaning you can do what you like with a P.O. box number
but if this is a fraud they may want to know. Of course it could be a
private box number at one of those shops with boxes.

Either way the best thing to do with it is to let the bank know what is
going on and they can take it from there.
--
Phil Cook

Dave Liquorice

Sep 12, 2012, 2:12:07 PM
On Wed, 12 Sep 2012 02:36:07 -0700 (PDT), Man at B&Q wrote:

>> Though having said that Coventry Building Society do something odd but
>> their login system is so complicated I've forgotten all the bits
>> required to do it.
>
> I think that's the one with the grid of letters and numbers that you
> have to quote from.

Yes, there is a bit of cardboard involved. If you forget your username
and password I think you are stuffed as you need the other to get a
reminder of one. The reminder or reset comes via snail mail.

--
Cheers
Dave.



Bob Eager

Sep 12, 2012, 4:19:41 PM
I don't object to that.

What I do object to (and my Visa supplier has done it twice this year) is
having the card blocked without anyone telling me it has been done. On
one of the occasions, I tried to use the card three days later (I wasn't
spending much!) and found it was blocked. Phoned them and they said "Oh
yes, we did that on Wednesday. You'll get a new card in a few days".



--
Use the BIG mirror service in the UK:
http://www.mirrorservice.org

*lightning protection* - a w_tom conductor

R. Mark Clayton

Sep 12, 2012, 5:06:13 PM

"Bill Wright" <bi...@invalid.com> wrote in message
news:k2okh7$4vq$2...@speranza.aioe.org...
I get these by email all the time, but by mail is much rarer. There was
some sort of scam from Spain, where they even sent you an SAE - I think he
may just have got a bit confused.


Davey

Sep 12, 2012, 8:14:53 PM
On 12 Sep 2012 20:19:41 GMT
I haven't had that, but I was using my credit card in Mexico for
several weeks, paying the hotel bill with it, and the occasional
restaurant bill, with no problem. But the second time I went to use it
at Office Max, they had to call the mother ship to make sure it was me.
Which it was. Weird. What about all the several hundred dollar hotel
charges that had gone by beforehand?
--
Davey.

charles

Sep 13, 2012, 3:24:21 AM
In article <k2r8ht$ffo$2...@n102.xanadu-bbs.net>,
Davey <da...@example.invalid> wrote:


> I haven't had that, but I was using my credit card in Mexico for
> several weeks, paying the hotel bill with it, and the occasional
> restaurant bill, with no problem. But the second time I went to use it
> at Office Max, they had to call the mother ship to make sure it was me.
> Which it was. Weird. What about all the several hundred dollar hotel
> charges that had gone by beforehand?

different vendors have different "floor limits".

--
From KT24

Using a RISC OS computer running v5.18

Dave Liquorice

Sep 13, 2012, 3:18:11 AM
On 12 Sep 2012 20:19:41 GMT, Bob Eager wrote:

> What I do object to (and my Visa supplier has done it twice this year)
> is having the card blocked without anyone telling me it has been done.
> On one of the occasions, I tried to use the card three days later (I
> wasn't spending much!) and found it was blocked. Phoned them and they
> said "Oh yes, we did that on Wednesday. You'll get a new card in a few
> days".

Yes I've had that from Visa a couple of times. Once triggered by an
online purchase from a store for the first time. The store's £1 "probe"
transaction came from the US somewhere, then they tried to put through
the main transaction from the UK a minute later, which Visa rejected and
blocked the card. I had to use a different card to make the purchase.
First I knew about the block was a few days later in the Co-op...

The system has since improved and they have a phone system that calls you
and gives a list of transactions only one of which is valid, you have to
pick the valid one. There might also be a list of valid transactions and
you have to pick the bogus one. The fictitious ones (not the one that has
triggered the fraud system) are not stupidly so, they will be from places
you do use the card at. Might take about 10mins to go through but the
card is automagically unblocked provided you get the answers right.

--
Cheers
Dave.



Davey

Sep 13, 2012, 6:00:57 AM
But it was the credit card company that issued the 'call home'
instruction to the vendor, not the vendor itself.
--
Davey.

Martin Brown

Sep 13, 2012, 6:02:07 AM
On 13/09/2012 08:18, Dave Liquorice wrote:
> On 12 Sep 2012 20:19:41 GMT, Bob Eager wrote:
>
>> What I do object to (and my Visa supplier has done it twice this year)
>> is having the card blocked without anyone telling me it has been done.
>> On one of the occasions, I tried to use the card three days later (I
>> wasn't spending much!) and found it was blocked. Phoned them and they
>> said "Oh yes, we did that on Wednesday. You'll get a new card in a few
>> days".
>
> Yes I've had that from Visa a couple of times. Once triggered by an
> online purchase froma store for the first time. The stores £1 "probe"
> transaction came from the US somewhere, then they tried to put through
> the main transaction from the UK a minute later, which Visa rejected and
> blocked the card. I had to use a different card to make the purchase.

A probe transaction or a tiny donation to charity followed almost
immediately by a larger one will ring fraud alarm bells very loudly.

> First I knew about the block was a few days later in the Co-op...
>
> The system has since improved and they have a phone system that calls you
> and gives a list of transactions only one of which is valid, you have to
> pick the valid one. There might also be a list of valid transactions and
> you have to picke the bogus one. The fictious ones (not the one that has
> triggered the fraud system) are not stupidly so, they will be from places
> you do use the card at. Might take about 10mins to go through but the
> card is automagically unblocked provided you get the answers right.

The worst one is that Barclaycard frequently ask impossible questions
even for the rightful owner of the card to answer correctly. The worst
ever was for the final installment on a fitted kitchen for delivery to
the cardholder address where as proof of ID I was asked in order:

Q: What hotel did you stay at in Chester last November?
A: None
Q: Name a street that connects to your road? (no street names)
A: A19
Q: ... about a dozen more taking best part of an hour.
Lucky it was quiet and the merchant patient.

Examining Barclaycard statements later revealed that the mysterious stay
at a "Hotel in Chester" which we failed to answer correctly was in fact
the works Medieval Banquet at Lumley Castle in County *DURHAM*.
(Their address in "Chester le Street" truncated I presume)

To add insult to injury after all the trouble validating this admittedly
large transaction three years later owing to a "computer error" the
vendor re-ran the transaction again and took a four figure sum off my
Barclaycard. It was unwound pretty quickly but very annoying.

It seems that once a transaction is approved it can be rerun any number
of times up to six years later even if the original card has expired!
(oh and it shows the original transaction date on the statement)

--
Regards,
Martin Brown

Mark

Sep 13, 2012, 7:32:21 AM
On Wed, 12 Sep 2012 08:21:32 +0100, Martin Brown
<|||newspam|||@nezumi.demon.co.uk> wrote:

--snip--

>But it doesn't stop them from cold calling and demanding me to prove my
>identity to them (I refuse and we get a nice off script bind). I always
>assume that anyone ringing me about banking is a hostile player.

Agreed. My last bank had an automated system that calls the customer
and asks you to type in personal information into the handset to prove
who you are! I pointed out the flaw in this system to them several
times but they are completely unable to understand.

Not surprisingly I have closed my account with them.
--
(\__/) M.
(='.'=) If a man stands in a forest and no woman is around
(")_(") is he still wrong?

Mark

Sep 13, 2012, 7:37:13 AM
My debit card was recently blocked. Eventually I found out that, if
you sign for a purchase instead of using C&P, then your card is
automatically blocked for further C&P transactions (but not for cash
withdrawals)! It was possible to unblock the card but I had to make a
special trip to the bank to do it.

Bob Eager

Sep 13, 2012, 7:47:42 AM
That must be very new. The latest two blocks were only 3 and 5 months ago.

charles

Sep 13, 2012, 8:28:02 AM
In article <m7h358hp4t4hull7e...@4ax.com>, Mark
I'd have a problem with that - my nearest branch is well over 300 miles
away.

Allan

Sep 13, 2012, 9:34:31 AM

"Roderick Stewart" <rj...@escapetime.removethisbit.myzen.co.uk> wrote in
message news:VA.00000d9...@escapetime.removethisbit.myzen.co.uk...
Not necessarily true. There was a scam around earlier this year, where
*they* called you and asked you to call them back on the published number;
then they pretended to hang up but actually they just played you a recording
of dial tone. After you had dialled *they* pretended to answer the call and
asked for all your details.

Allan

Allan

Sep 13, 2012, 9:38:43 AM

"WCZ" <w...@nospam.com> wrote in message
news:k2pffq$o4k$1...@speranza.aioe.org...
> >They can't give her the password only force a reset and send her a new
> >initiation code. HSBC online banking requires a magic widget and as such
> >is relatively secure unless the token is physically stolen. They also
> >recommend you use Rapport anti-key logging software (but I have a
> >suspicion that it destabilises IE9 even more than it is already).
>
> I've had that Rapport thing installed for quite sometime on the VM I only
> use for internet banking. Doesn't appear to have caused any issues with
> IE9.
>
> --
>
> WCZ

It seems to work OK with IE (8 and 9) for me, but I normally use Chrome. If
Chrome updates itself then it usually freezes until after I've updated
Rapport - and if the Rapport people haven't yet written their "fix" for the
update I have to wait and use IE until they have.

Allan

Martin Brown

Sep 13, 2012, 9:42:49 AM
That is actually very clever social engineering by the scammers and will
probably catch out all but the most wary.

--
Regards,
Martin Brown

Frank Erskine

Sep 13, 2012, 10:50:36 AM
On Thu, 13 Sep 2012 14:38:43 +0100, "Allan" <sot17...@yahoo.co.uk>
wrote:

>
>"WCZ" <w...@nospam.com> wrote in message
>news:k2pffq$o4k$1...@speranza.aioe.org...
>> >They can't give her the password only force a reset and send her a new
>> >initiation code. HSBC online banking requires a magic widget and as such
>> >is relatively secure unless the token is physically stolen. They also
>> >recommend you use Rapport anti-key logging software (but I have a
>> >suspicion that it destabilises IE9 even more than it is already).
>>
>> I've had that Rapport thing installed for quite sometime on the VM I only
>> use for internet banking. Doesn't appear to have caused any issues with
>> IE9.
>>
>> --
>
Nick Clegg walked into a branch of HSBC to cash a cheque. As he
approached the cashier he said "Good morning , could you please cash
this cheque for me"?

Cashier: "It would be my pleasure Sir. Could you please show me your
ID?"

Clegg: "Well I didn't bring my ID with me as I didn't think there was
any need to. I am Nick Clegg, the Deputy Prime Minister!!!"

Cashier: "I'm sorry, but with all the regulations, monitoring, of the
banks because of impostors and forgers, etc. I must insist on proof of
identity."

Clegg: "Just ask anyone here at the bank who I am and they will tell
you. Everybody knows who I am."

Cashier: "I am sorry Deputy Prime Minister but these are the bank
rules and I must follow them."

Clegg: "I need this cheque cashed."

Cashier: "Perhaps there's another way: One day Colin Montgomery came
into the bank without ID. To prove he was Colin Montgomery he pulled
out his putting iron and made a beautiful shot across the bank into a
cup. With that shot we knew him to be Colin Montgomery and cashed his
cheque.
Another time, Andy Murray came in without ID. He pulled out his tennis
racquet and made a fabulous shot where the tennis ball landed in my
cup. With that spectacular shot we cashed his cheque..So sir, what can
you do to prove that it is you, and only you, as the Deputy Prime
Minister?"

Clegg stood there thinking and finally says: "Honestly, I can't think
of a single thing I'm good at."

Cashier: "Will that be large or small notes, deputy Prime Minister?"

--
Frank Erskine

fred

Sep 13, 2012, 11:04:46 AM
In article <tpl4s.385$Qy1...@newsfe18.iad>, Martin Brown
<|||newspam|||@nezumi.demon.co.uk> writes
I think I'm safe, there's no way the scammers could possibly duplicate
the incredibly annoying machine driven interface that my bank employs,
if I got to speak to someone within 5mins I'd definitely smell a rat!
--
fred
it's a ba-na-na . . . .

The Natural Philosopher

Sep 13, 2012, 11:37:22 AM
Indeed. If you get through in under 20 minutes it's not a real bank, it's
scammers.

Mind you, is there a difference, anymore?


--
Ineptocracy

(in-ep-toc’-ra-cy) – a system of government where the least capable to
lead are elected by the least capable of producing, and where the
members of society least likely to sustain themselves or succeed, are
rewarded with goods and services paid for by the confiscated wealth of a
diminishing number of producers.

Dave Liquorice

Sep 13, 2012, 12:35:28 PM
On Thu, 13 Sep 2012 14:42:49 +0100, Martin Brown wrote:

>> Not necessarily true. there was a scam around earlier this year, where
>> *they* called you and asked you to call them back on the published
>> number; then they pretended to hang up but actually they just played
>> you a recording of dial tone. After you had dialled *they* pretended
>> to answer the call and asked for all your details.
>
> That is actually very clever social engineering by the scammers and
> will probably catch out all but the most wary.

Do you know your CC Co's number off the top of your head? I don't, I'd
have to go and find it. In the mean time I'd have hung up the phone...

Of course many people would not know the number either but ask the
scammer what it is, write it down, get "dial tone" and dial it... In fact
I wouldn't be surprised if the scammers give a "direct access" number
saying that it will avoid the queues on the main public number.

--
Cheers
Dave.



Andy Champ

Sep 13, 2012, 3:18:28 PM
On 13/09/2012 17:11, Tim Streater wrote:
> You could always dial someone you know locally, see who answers.

Occurs to me to dial my own mobile...

Andy

Mike Barnes

Sep 13, 2012, 3:14:11 PM
Tim Streater <timst...@greenbee.net>:
>In article <tpl4s.385$Qy1...@newsfe18.iad>,
>Do they check what digits get entered while they are holding the line
>open? You could always dial someone you know locally, see who answers.

Ring your own number. You should get the engaged tone and it will cost
you nothing.

--
Mike Barnes

Allan

Sep 13, 2012, 6:21:34 PM

"Dave Liquorice" <allsortsn...@howhill.com> wrote in message
news:nyyfbegfubjuvyypb...@srv1.howhill.co.uk...
It used to be that on a landline phone the call remained connected even when
you hung up, if the other person initiated the call. It used to remain
connected forever (the so-called CSH condition, standing for "called
subscriber hung") unless either the caller hung up or someone at the
exchange forced the call to be cleared (but that was a long time ago when I
worked in a Strowger exchange). I don't know if that is still true or not.
So you could "hang up" and go to look for the number, and then pick up the
phone later and hear their fake "dial tone". I doubt that they had number
recognition, but I presume they had a tone recognition system that simply
removed the dial tone and connected back to a human when it heard any key
tone. If they didn't have a human available at the time, and had to put you
on hold, that would just make it more believable.

Allan

Davey

Sep 13, 2012, 6:32:19 PM
This was recently discussed at length, probably in the uk.telecom group.
--
Davey.

Dave Liquorice

Sep 13, 2012, 7:14:40 PM
On Thu, 13 Sep 2012 23:21:34 +0100, Allan wrote:

> It used to be that on a landline phone the call remained connected even
> when you hung up, if the other person initiated the call.

Still does I think but some exchanges will send ringing to the called sub
if the caller is still there for a time (FSVO "a time") when the called
sub hangs up.

--
Cheers
Dave.



alan

Sep 13, 2012, 11:36:53 PM
On 12/09/2012 10:34, Man at B&Q wrote:

>
> According to IT staff at work Rapport is a pain in the a**e.
>


The problem with this type of software commonly used on "customers"
computers is that it will become a target itself for viruses/trojans
etc. You are possibly more secure by not using it.

--
mailto:news{at}admac(dot}myzen{dot}co{dot}uk

alan

Sep 13, 2012, 11:58:02 PM
On 13/09/2012 12:32, Mark wrote:

> I pointed out the flaw in this system to them several
> times but they are completely unable to understand.
>
> Not surprisingly I have closed my account with them.
>

Goldfish CC (when they were still around) sent me all my credit card
details - name, address, cc number, internet user name, password and pin
number. The information was split between 3 separate snail mails BUT
they all arrived in the same post in distinct Goldfish branded envelopes.

When I wrote to them suggesting that there was something wrong with the
system I got the "standard" reply that it was secure!

alan

Sep 14, 2012, 12:02:54 AM
On 13/09/2012 08:18, Dave Liquorice wrote:

>
> Yes I've had that from Visa a couple of times. Once triggered by an
> online purchase from a store for the first time. The store's £1 "probe"
> transaction came from the US somewhere, then they tried to put through
> the main transaction from the UK a minute later,

I had my card blocked when I purchased something on Ebay and ticked the
box to pay an extra £1 to a designated charity. The payments from my
card went to two different recipients with the same time stamp which
triggered the automatic blocking.

alan

Sep 14, 2012, 12:12:17 AM
On 13/09/2012 11:02, Martin Brown wrote:

> The worst one is that Barclaycard frequently ask impossible questions
> even for the rightful owner of the card to answer correctly.

Have you made a purchase for £6.21 in Luxembourg? You have to realise
this is where Paypal is located for billing purposes.
Or you have to know that the little shop where you used card is part of
a chain and all the card transactions are attributed to a location 300
miles away from where you used your card.

Steve Thackery

Sep 14, 2012, 4:23:52 AM
Dave Liquorice wrote:

> On Thu, 13 Sep 2012 23:21:34 +0100, Allan wrote:
>
>> It used to be that on a landline phone the call remained connected even
>> when you hung up, if the other person initiated the call.

Still is that way for landlines, but not mobiles. Mobile networks
support backward-clearing, so the call is terminated if either party
clears down.

> Still does I think but some exchanges will send ringing to the called
> sub if the caller is still there for a time (FSVO "a time") when
> the called sub hangs up.

I thought that feature was only found on PABXs? Maybe I'm wrong, but I
don't think BT would let one type of exchange differ from another type
when we're talking about such a fundamental feature.

The only user-noticeable difference I'm aware of is the message-waiting
interrupted dial tone, which differs between System X and System Y
exchanges.

However, I've been out of BT for some time, now, so my knowledge could
be out of date.

--
SteveT


Dave Plowman (News)

Sep 14, 2012, 6:40:08 AM
In article <Fb-dnbyQIYgJZM3N...@bt.com>,
R. Mark Clayton <nospam...@btinternet.com> wrote:
> I get these by email all the time, but by mail is much rarer.

Well yes, email is effectively free, whereas even bulk mail costs.
Although Virgin don't seem to have found this out yet. ;-)

--
*Starfishes have no brains *

Dave Plowman da...@davenoise.co.uk London SW
To e-mail, change noise into sound.

Zimmy

Sep 14, 2012, 7:34:46 AM
On 12/09/2012 07:53, Lobster wrote:
> On 12/09/2012 07:40, harry wrote:
>> On Sep 12, 1:20 am, Bill Wright <b...@invalid.com> wrote:
>>> The bloke who collects scrap metal round here was telling me he'd had a
>>> letter purporting to be from HSBC bank plc. It said that someone had
>>> attempted to access his account on the phone, but failed to 'complete
>>> our security procedures'. So would he fill in the form giving his name,
>>> address, passwords, etc. The whole package was apparently very
>>> convincing, including a handsome HSBC brochure detailing the firm's
>>> services.
>>>
>>> There is, however, one big give-away. He doesn't bank with HSBC.
>>>
>>> About a week later my aunt rung. "I've had a letter from the bank..."
>>> She'd taken the letter into town and shown it to HSBC where she banks.
>>>
>>> The clerk had looked at it, then consulted her computer, then said,
>>> "Yes, someone attempted to access your account at 5.21am on the 6th, but
>>> they failed to give the password."
>>>
>>> My aunt has never used telephone banking; in fact she didn't know there
>>> was such a thing. However the clerk said that she was all set up for it.
>>> Aunty came away confused. I've suggested that she goes back to the
>>> branch and asks for the password details, to see if that reveals
>>> anything.
>
>> So presumably there was a return address (to send in the completed
>> form)?
>> Sounds a bit anecdotal.
>> Did he go to the police with it?
>
> In both cases it sounds to me like the letters would have been genuine,
> ie a response by the bank to an attempt to hack in to the account; and
> that the scrappie's recollection that the form asked for his actual
> password was wrong (I'm not with HSBC myself, but I suspect more likely,
> he was asked for a new password so they could reset it?)
>
> Certainly, compared with e-mail spamming (which costs a tiny fraction of
> a penny per contact to send, and only needs a miniscule 'hit' rate to
> succeed), it seems highly cost-ineffective.
>
> David

The bank would never ask for any online password by post, they would
simply reset it so you were prompted for a new one online. Only the most
ill-informed would ever give out such information by phone or post as
there will never be any need to, (unless it's a dedicated telephone
password).

Z

Zimmy

Sep 14, 2012, 7:48:59 AM
It would have to be a pretty clever fake system that removed the dial
tone as soon as you pressed a key then waited the exact right amount of
time while you dialled the number before playing the ringing tone and
then pretending to answer... I dare say it could be done with a modem
and some specially written software, but surely easier just to target
the most gullible.

It wouldn't work on my phone at least as you can always hear my
autodialer routing it through 18185.

Z


Andy Burns

Sep 14, 2012, 8:01:14 AM
Zimmy wrote:

>>>>> there was a scam around earlier this year, where
>>>>> *they* called you and asked you to call them back on the published
>>>>> number; then they pretended to hang up but actually they just played
>>>>> you a recording of dial tone. After you had dialled *they* pretended
>>>>> to answer the call and asked for all your details.
>
> It would have to be a pretty clever fake system that removed the dial
> tone as soon as you pressed a key then waited the exact right amount of
> time while you dialled the number before playing the ringing tone and
> then pretending to answer...

No, just a few minutes work writing a script for Asterisk ...

Steve Thackery

Sep 14, 2012, 8:30:43 AM
Andy Burns wrote:

> No, just a few minutes work writing a script for Asterisk ...

I, also, think it could be done quite easily.

Surely it's time for BT to implement backward clearing. No doubt it
will break a few systems here or there, but they'd soon get updated.
It can't be common for a system to *rely* on no-backward-clearing in
order to work.

I don't want someone to be able to tie up my line, even for a few
minutes.

--
SteveT


Man at B&Q

Sep 17, 2012, 5:40:43 AM
Some do, for the initial password when setting up the account.

MBQ

Martin Brown

Sep 17, 2012, 6:13:59 AM
Are you sure about that? If so you should send evidence to the ICO (fat
lot of good it will do though they are a spineless toothless watchdog).

Oh and name and shame the relevant banks so we can avoid them. If they
make this sort of basic security error who knows what else is wrong.

The bank should send you a new password by secure anti-tamper custom
letter whenever you need one with specific instructions how to open it
and read the content and to notify them immediately if it has been
opened or tampered with before you get it. You can change it when you
first go online.

Sending any banking password in the clear either electronically or by
post is complete madness. The most that they can reasonably ask for is
two or three letters from your magic phrase or password (and then only
give it if you have originated the phone call to a known bank number).

--
Regards,
Martin Brown

Man at B&Q

Sep 17, 2012, 11:10:32 AM
On Sep 17, 11:14 am, Martin Brown <|||newspam...@nezumi.demon.co.uk>
wrote:
<sigh> I did say it was for the password when setting up the account.
Just giving them two or three letters would not help very much would
it?

For the password to be activated, it has to reach the bank. I doubt a
scammer is going to open the post read the password (no other
identifiable account details) and then send it on its way. They can't
do anything useful with it. They can't change any of the account
details with it. They can't login with it.

As part of a process, it is secure.

MBQ

Man at B&Q

Sep 17, 2012, 11:11:30 AM
On Sep 17, 1:04 pm, Martin <m...@address.invalid> wrote:
> On Mon, 17 Sep 2012 11:13:59 +0100, Martin Brown
> HSBC isn't one of them.
>
>
>
> >Are you sure about that? If so you should send evidence to the ICO (fat
> >lot of good it will do though they are a spineless toothless watchdog).
>
> >Oh and name and shame the relevant banks so we can avoid them. If they
> >make this sort of basic security error who knows what else is wrong.
>
> >The bank should send you a new password by secure anti-tamper custom
> >letter whenever you need one with specific instructions how to open it
> >and read the content and to notify them immediately if it has been
> >opened or tampered with before you get it. You can change it when you
> >first go online.
>
> They shouldn't be using passwords.

Why not? What do you suggest they use that isn't some form of
"password".

> >Sending any banking password in the clear either electronically or by
> >post is complete madness. The most that they can reasonably ask for is
> >two or three letters from your magic phrase or password (and then only
> >give it if you have originated the phone call to a known bank number).
>
> Using passwords is stupid.

So are some usenet posters.

MBQ


Man at B&Q

Sep 17, 2012, 11:39:53 AM
On Sep 17, 4:35 pm, Martin <m...@address.invalid> wrote:
> On Mon, 17 Sep 2012 08:11:30 -0700 (PDT), "Man at B&Q"
> passwords sent out on bits of paper are not quite the same as  a
> pincode and an associated card issued by and in a bank.

What is PIN if not a password?

My PINs have always (bar one) been sent out on paper of one sort or
another. The only time I had to go to bank was years ago when I was a
student and lived in a slightly pikey area.

MBQ


John Williamson

Sep 17, 2012, 12:28:55 PM
Martin wrote:
> Real security conscious banks do not send pin codes out on bits of
> paper nor are they transmitted by phone.
>
So, in your opinion, how should real banks communicate the PIN to the
client? Bearing in mind that not all people needing a PIN can receive
electronic communications. As the PIN and the relevant card are never
posted from the same source or at the same time, it seems, according to
the evidence, to be sufficiently secure for most users. They also
recommend that the PIN they send be used only to change to another one.

>> My PINs have always (bar one) been sent out on paper of one sort or
>> another. The only time I had to go to bank was years ago when I was a
>> student and lived in a slightly pikey area.
>
> Then change your bank now.

Can you suggest one? All the UK banks I know of send the PIN out printed
on a piece of paper, or printed on a piece of plastic inserted in one.


--
Tciao for Now!

John.

Martin Brown

Sep 17, 2012, 1:56:34 PM
On 17/09/2012 16:35, Martin wrote:
> On Mon, 17 Sep 2012 08:11:30 -0700 (PDT), "Man at B&Q"
> passwords sent out on bits of paper are not quite the same as a
> pincode and an associated card issued by and in a bank.

You *HAVE* to be joking! A PIN has just four numeric digits and puts up
about as much resistance to a savvy attacker as a chocolate fireguard.

Modern thermal IR cameras can actually read the keypad sequence back,
but even a brute force attack will succeed 0.3% of the time by sheer
luck. And they will do slightly better in practice since the system will
not permit certain very dumb choices like 0000, 1111, 0123 etc.

A four digit PIN is entirely useless to protect an internet banking
account. It is barely adequate for chip & PIN - and there are already
technical attacks against that system which work.

The most secure banking applications I have come across are BBL in
Belgium where you are physically given an envelope with a cryptographic
key that you install on your PC together with a decent password pair one
for access and one for transactions. The encryption is formidable and
the bank card itself can hold e-cash called protons.

Several banks and corporate firewalls provide users with a token that
has a 6 digit security code which varies every minute or so. This
coupled with a password provides reasonable security.

Others use a challenge and response with preshared information where you
only provide a part of the information that you hold for each
transaction. One way to spot dodgy Barclaycard secure sites is that they
will attempt to ask you for the entire secure code.


--
Regards,
Martin Brown
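As an added illustration of the "6 digit code that varies every minute or so, coupled with a password" token described above (example code written for this page, not code from the thread or from any bank), here is the standard HMAC-based one-time-code scheme (RFC 4226 HOTP with the RFC 6238 time counter) using a 60-second period, plus a hashed password so that both factors must pass. The shared secret is the RFC 4226 reference test key and the salt is constructed; that any particular bank's token uses exactly this algorithm is an assumption.

```python
import hashlib
import hmac
import struct

# Demo secret: the RFC 4226 reference test key (a published test value,
# not a real credential). The salt below is likewise constructed.
DEMO_SECRET = b"12345678901234567890"
PERIOD_SECONDS = 60   # the post describes a code that changes about every minute


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the big-endian 64-bit counter, then
    dynamic truncation to a zero-padded decimal code of `digits` digits."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    binary = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(binary % (10 ** digits)).zfill(digits)


def totp(secret: bytes, unix_time: int, period: int = PERIOD_SECONDS,
         digits: int = 6) -> str:
    """RFC 6238 TOTP: the HOTP counter is the number of whole periods
    elapsed since the Unix epoch, so the code rolls over every `period`."""
    return hotp(secret, unix_time // period, digits)


def verify_totp(secret: bytes, candidate: str, unix_time: int,
                period: int = PERIOD_SECONDS, digits: int = 6,
                window: int = 1) -> bool:
    """Accept the code for the current period or `window` periods either
    side, to tolerate clock drift between token and server. The comparison
    is constant-time; note that a wider window also widens the guessing
    surface, so keep it small."""
    counter = unix_time // period
    for drift in range(-window, window + 1):
        if counter + drift < 0:          # no periods before the epoch
            continue
        if hmac.compare_digest(hotp(secret, counter + drift, digits), candidate):
            return True
    return False


def make_password_record(password: str, salt: bytes) -> bytes:
    """Store a salted PBKDF2 hash rather than the password itself."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


def check_login(record: bytes, salt: bytes, password: str,
                secret: bytes, code: str, unix_time: int) -> bool:
    """Two-factor check: the password hash AND a valid token code must both
    match. Both factors are evaluated before the decision so a failure does
    not reveal which factor was wrong."""
    password_ok = hmac.compare_digest(make_password_record(password, salt), record)
    code_ok = verify_totp(secret, code, unix_time)
    return password_ok and code_ok


if __name__ == "__main__":
    # Show the code rolling over at the 60-second boundary.
    for t in (0, 59, 60, 119, 120):
        print(f"t={t:>3}s  code={totp(DEMO_SECRET, t)}")
```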

Paul Ratcliffe

Sep 17, 2012, 4:23:01 PM
On Mon, 17 Sep 2012 18:56:34 +0100, Martin Brown
<|||newspam|||@nezumi.demon.co.uk> wrote:

> Several banks and corporate firewalls provide users with a token that
> has a 6 digit security code which varies every minute or so. This
> coupled with a password provides reasonable security.

All of ours were changed last year. Nobody wanted to say why.

Mark

Sep 18, 2012, 4:03:03 AM
On Mon, 17 Sep 2012 17:28:55 +0100, John Williamson
<johnwil...@btinternet.com> wrote:

>Martin wrote:

-- snip--

>So, in your opinion, how should real banks communicate the PIN to the
>client? Bearing in mind that not all people needing a PIN can receive
>electronic communications. As the PIN and the relevant card are never
>posted from the same source or at the same time, it seems, according to
>the evidence, to be sufficiently secure for most users. They also
>recommend that the PIN they send be used only to change to another one.

It's probably reasonably secure as long as you trust everyone you live
with and your postman. Some banks ask you to confirm receipt before
they activate the card.

However a friend of mine had credit cards stolen and used because his
mail was intercepted by lodgers. This happened to him twice too!
--
(\__/) M.
(='.'=) If a man stands in a forest and no woman is around
(")_(") is he still wrong?


Mark

Sep 18, 2012, 4:54:54 AM
On Tue, 18 Sep 2012 09:27:18 +0100, Martin <m...@address.invalid> wrote:

--snip--

>ABN AMRO provides a card reader into which you insert your card. The
>card reader connects to your PC and uses software provided by the bank
>to read and transmit the information when you do internet banking.
>The pin code is only entered into the card reader. According to a
>Dutch university the software provided is vulnerable to attack, but no
>real cases have been provided so far.

With the Nationwide I used to have a card reader but it didn't connect
to the PC. You would insert your card and type in the PIN and a
couple of other pieces of information. It would display a number
which you would type into the web page. If implemented properly this
would be far more secure than a password since the code is never the
same twice. However this was not used for logging in but for setting
up new payments.

Man at B&Q

Sep 18, 2012, 5:26:17 AM
On Sep 18, 9:15 am, Mark <i...@dontgetlotsofspamanymore.invalid>
wrote:
> On Mon, 17 Sep 2012 17:28:55 +0100, John Williamson
>
> <johnwilliam...@btinternet.com> wrote:
> >Martin wrote:
>
> -- snip--
>
> >So, in your opinion, how should real banks communicate the PIN to the
> >client? Bearing in mind that not all people needing a PIN can receive
> >electronic communications. As the PIN and the relevant card are never
> >posted from the same source or at the same time, it seems, according to
> >the evidence, to be sufficiently secure for most users. They also
> >recommend that the PIN they send be used only to change to another one.
>
> It's probably reasonably secure as long as you trust everyone you live
> with and your postman.  Some banks ask you to confirm receipt before
> they activate the card.

That was purely a marketing ploy for at least some institutions. Once
they had you on the phone they would give you the hard sell on "card
protection" insurance before activating the card.

MBQ

Man at B&Q

Sep 18, 2012, 5:27:46 AM
On Sep 18, 9:15 am, Mark <i...@dontgetlotsofspamanymore.invalid>
wrote:
> On Mon, 17 Sep 2012 17:28:55 +0100, John Williamson
>
> <johnwilliam...@btinternet.com> wrote:
> >Martin wrote:
>
> -- snip--
>
> >So, in your opinion, how should real banks communicate the PIN to the
> >client? Bearing in mind that not all people needing a PIN can receive
> >electronic communications. As the PIN and the relevant card are never
> >posted from the same source or at the same time, it seems, according to
> >the evidence, to be sufficiently secure for most users. They also
> >recommend that the PIN they send be used only to change to another one.
>
> It's probably reasonably secure as long as you trust everyone you live
> with and your postman.  Some banks ask you to confirm receipt before
> they activate the card.
>
> However a friend of mine had credit cards stolen and used because his
> mail was intercepted by lodgers.

Should have been more careful in choosing who he let stay in his
home.

>  This happened to him twice too!

You mean he didn't learn?

Friends like that and you lecture *us* on security. It's laughable.

MBQ



Martin Brown

Sep 18, 2012, 6:30:40 AM
On 18/09/2012 10:26, Man at B&Q wrote:
> On Sep 18, 9:15 am, Mark <i...@dontgetlotsofspamanymore.invalid>
> wrote:
>> On Mon, 17 Sep 2012 17:28:55 +0100, John Williamson
>>
>> <johnwilliam...@btinternet.com> wrote:
>>> Martin wrote:
>>
>> -- snip--
>>
>>> So, in your opinion, how should real banks communicate the PIN to the
>>> client? Bearing in mind that not all people needing a PIN can receive
>>> electronic communications. As the PIN and the relevant card are never
>>> posted from the same source or at the same time, it seems, according to
>>> the evidence, to be sufficiently secure for most users. They also
>>> recommend that the PIN they send be used only to change to another one.
>>
>> It's probably reasonably secure as long as you trust everyone you live
>> with and your postman. Some banks ask you to confirm receipt before
>> they activate the card.

Hard line version is you collect the PIN from the bank in person with
proof of ID. That is how it is done in Belgium for instance.

> That was purely a marketing ploy for at least some institutions. Once
> they had you on the phone they would give you the hard sell on "card
> protection" insurance before activating the card.

Indeed and you have to be *VERY* careful with that too or else you will
find they are charging you a premium to send a list of all your old
credit cards to some previous address on renewal. They outsource the
card protection insurance to a third party but typically do not pass on
change of address notifications to them citing Data Protection Act!!!

CAVEAT EMPTOR!

--
Regards,
Martin Brown

Chris K

Sep 18, 2012, 7:17:45 AM
On 18/09/2012 09:54, Mark wrote:
> On Tue, 18 Sep 2012 09:27:18 +0100, Martin <m...@address.invalid> wrote:
>
> --snip--
>
>> ABN AMRO provides a card reader into which you insert your card. The
>> card reader connects to your PC and uses software provided by the bank
>> to read and transmit the information when you do internet banking.
>> The pin code is only entered into the card reader. According to a
>> Dutch university the software provided is vulnerable to attack, but no
>> real cases have been provided so far.
>
> With the Nationwide I used to have a card reader but it didn't connect
> to the PC. You would insert your card and type in the PIN and a
> couple of other pieces of information. It would display a number
> which you would type into the web page. If implemented properly this
> would be far more secure than a password since the code is never the
> same twice. However this was not used for logging in but for setting
> up new payments.
>

In principle that is good but it does open up the classic "rubber hose
cryptography" attack. If you are apprehended in a dark alley and
invited to hand over your cards and PIN, the thugs can test the answer
you give immediately and soften you up a bit more until the truth emerges...

Chris K

Mark

Sep 18, 2012, 8:26:14 AM
On Tue, 18 Sep 2012 02:27:46 -0700 (PDT), "Man at B&Q"
<manat...@hotmail.com> wrote:

>On Sep 18, 9:15 am, Mark <i...@dontgetlotsofspamanymore.invalid>
>wrote:
>> On Mon, 17 Sep 2012 17:28:55 +0100, John Williamson
>>
>> <johnwilliam...@btinternet.com> wrote:
>> >Martin wrote:
>>
>> -- snip--
>>
>> >So, in your opinion, how should real banks communicate the PIN to the
>> >client? Bearing in mind that not all people needing a PIN can receive
>> >electronic communications. As the PIN and the relevant card are never
>> >posted from the same source or at the same time, it seems, according to
>> >the evidence, to be sufficiently secure for most users. They also
>> >recommend that the PIN they send be used only to change to another one.
>>
>> It's probably reasonably secure as long as you trust everyone you live
>> with and your postman. Some banks ask you to confirm receipt before
>> they activate the card.
>>
>> However a friend of mine had credit cards stolen and used because his
>> mail was intercepted by lodgers.
>
>Should have been more careful in choosing who he let stay in his
>home.

Agreed.

>> This happened to him twice too!
>
>You mean he didn't learn?

Apparently.

>Friends like that and you lecture *us* on security. Its laughable.

Huh? It's strange you seem to judge people's knowledge based on what
their friends know.

Chris K

Sep 18, 2012, 9:54:20 AM
On 18/09/2012 14:01, Martin wrote:
> Even when three failed attempts lead to your card being blocked?
>

That's part of the implied threat. After the first one has demonstrably
failed, it rather depends on whether you are prepared to offer a second
PIN value to the mugger that also fails....

One way round this that has been suggested is to issue a distress PIN
that presents plausible account info at the ATM without much cash on
offer. That may secure the release of the cardholder without further
injury.

http://xkcd.com/538/

Chris K

Bob Eager

Sep 18, 2012, 9:59:41 AM
On Tue, 18 Sep 2012 14:01:09 +0100, Martin wrote:

> On Tue, 18 Sep 2012 12:17:45 +0100, Chris K <neb...@nowhere.com>
> wrote:
>
> Even when three failed attempts lead to your card being blocked?

No, that's the beauty of using the card reader. It is a standalone unit
but knows how to validate the PIN.



--
Use the BIG mirror service in the UK:
http://www.mirrorservice.org

*lightning protection* - a w_tom conductor

Bob Eager

Sep 18, 2012, 6:20:35 PM
On Tue, 18 Sep 2012 15:35:11 +0100, Martin wrote:
> Validating the PIN is hardly rocket science for the implementer. The PIN
> is stored in the card.
>
> There's a web site containing a Cambridge PhD thesis that explains in
> detail how to make a device to plug into an ATM that avoids the need to
> know the PIN number on the card. There is probably a factory churning
> them out in an East European country. The device relies on the poor
> design of the card. The ATM sends the entered PIN to the card, the card
> compares the entered PIN to the PIN on the card and sends a signal to
> the ATM if the PINs match. The device just generates the signal.

Which is a lot more work than just getting hold of a free card reader
from the bank. An exhaustive approach doesn't take long with only four
digits.

Johny B Good

Sep 26, 2012, 11:18:18 AM
On Thu, 13 Sep 2012 23:21:34 +0100, "Allan" <sot17...@yahoo.co.uk>
wrote:

>
>"Dave Liquorice" <allsortsn...@howhill.com> wrote in message
>news:nyyfbegfubjuvyypb...@srv1.howhill.co.uk...
>> On Thu, 13 Sep 2012 14:42:49 +0100, Martin Brown wrote:
>>
>>>> Not necessarily true. there was a scam around earlier this year, where
>>>> *they* called you and asked you to call them back on the published
>>>> number; then they pretended to hang up but actually they just played
>>>> you a recording of dial tone. After you had dialled *they* pretended
>>>> to answer the call and asked for all your details.
>>>
>>> That is actually very clever social engineering by the scammers and
>>> will probably catch out all but the most wary.
>>
>> Do you know your CC Co's number of the top of your head? I don't, I'd
>> have to go and find it. In the mean time I'd have hung up the phone...
>>
>> Of course many people would not know the number either but ask the
>> scammer what it is, write it down, get "dial tone" and dial it... In fact
>> I wouldn't be surprised if the scammers give a "direct access" number
>> saying that it will avoid the queues on the main public number.
>>
>> --
>> Cheers
>> Dave.
>>
>>
>It used to be that on a landline phone the call remained connected even when
>you hung up, if the other person initiated the call. It used to remain
>connected forever (the so-called CSH condition, standing for "called
>subscriber hung") unless either the caller hung up or someone at the
>exchange forced the call to be cleared - but that was a long time ago when I
>worked in a Strowger exchange). I don't know if that is still true or not.
>So you could "hang up" and go to look for the number, and then pick up the
>phone later and hear their fake "dial tone". I doubt that hey had number
>recognition, but I presume they had a tone recognition system that simply
>removed the dial tone and connected back to a human when it heard any key
>tone. If they didn't have a human available at the time, and had to put you
>on hold, that would just make it more believable.

When I was working in Strowger exchanges, some 30 years ago, they had
S&Z pulse equipment to force release such held calls. The pulse
interval was based on the local rate metering, afaicr, but regardless,
such a call would typically be force released after a 6 to 12 minute
period.

Trunk calls (national out of area) had their own force release
mechanism with much shorter timeouts (30 to 90 seconds, iirc).

Occasionally, the local call force release would fail due to various
problems affecting the working of the S&Z pulses on the Final Selector
rack involved or anywhere in between. This usually came to light when
the called subscriber reported a dead line (from another phone line of
course!).

If I remember correctly, there were monitoring points within the
exchange that could generate failure alarms for a whole range of
conditions, including the S&Z pulses, so such individual failures were
pretty rare events.

At the end of the day, it is the caller who controls the connection
(limited by timeout mechanisms to guard against 'accidental' failure
of the caller to hang up at the end of the call or against line or
equipment faults that could mimic this effect). It is useful for the
called subscriber to know that he can hang up on the caller for at
least 20 seconds before the call gets dropped in order to pick up the
call on another handset without having to run back and forth as he
would need to do if he had been the one who had initiated the call.

Apropos of which, if you forget that it was your missus who _made_ the
call when she hands the phone to you so you can have "A quick word
with your father" and you tell him to hang on whilst you pick him up
on another phone, you will be presented with dial tone rather than the
dulcet droning of your aged parent.

Calling back is usually going to result in busy tone for the time it
takes for your elderly father to finally give up hanging onto the
phone call whereupon the most likely outcome will be a return call from
said aged (but now irate) parent. IOW, be certain that the other party
was the caller before hanging up on one _then_ picking up on another
phone.

Of course, almost every household these days has a DECT base station
plugged into the phone line with two or more handsets which generally
eliminates the need to juggle calls between plugged in extension
phones. Also, getting back on topic, the intercom facility can prove
very useful for aligning aerials or dish antennas when you can press
gang a friend or family member into reporting the signal strength
readout from the telly. ;-)

Regarding the issue of testing for fake dialtone, dialling your own
number beforehand to test for engaged tone is a reasonably effective
test if you don't have a mobile phone handy to make a test call to.
The call to your own mobile being the most definitive test since you
can verify the caller without the expense of answering the test call.

However, if the scammer is using a dedicated hardware setup to
identify the tones, calling your own number could still result in
'engaged tone'. You might want to "Ring a Friend" if you don't have a
mobile phone to hand.
--
Regards, J B Good

Johny B Good

unread,
Sep 26, 2012, 11:39:20 AM9/26/12
to
On Fri, 14 Sep 2012 11:40:08 +0100, "Dave Plowman (News)"
<da...@davenoise.co.uk> wrote:

>In article <Fb-dnbyQIYgJZM3N...@bt.com>,
> R. Mark Clayton <nospam...@btinternet.com> wrote:
>> I get these by email all the time, but by mail is much rarer.
>
>Well yes, email is effectively free, whereas even bulk mail costs.
>Although Virgin don't seem to have found this out yet. ;-)

Yes, I know _exactly_ what you mean (although it does let you know
just how much they abuse customer loyalty).

I don't decry their inducements to new prospective customers, just
the fact that the newly recruited customers pay a little less for 50%
more than their existing customers do once the special introductory 6
month rate has expired.

BTW, *Starfishes have no brains* isn't strictly true. More accurate
to say they don't have a "Central Nervous System".