— no support group from a big company is going to call you. Ever.
— never give out codes sent to you via SMS or push notifications to someone requesting them via phone or email. Never. The messages often even say that!
— Don’t put all your private info behind one password, so don’t use Google Authenticator backed by your Google Account as your password manager. Always use a third party like 1Password or similar.
— Don’t have the same email you use for banking and investments be the email that the world knows. Create a new email for that. If you use Chrome, even use a separate profile with that email, and only have your password manager as an extension. No others.
- claiming to be the online banking support of my bank
- asking me to read them a code sent to me via SMS
and when I refused to do that, they blocked my login credentials for online banking and sent me a sternly worded (paper) letter that my account could not be upgraded automatically for their software system migration because I had refused to engage with their support agent.
I then had to create a new login in their app, call the phone number on their letter and read that guy the SMS code and, to my surprise, that was the only !!! authentication needed to activate the new login credentials that I had just created.
(BTW, this was one of the top 100 largest banks worldwide)
It's almost like some companies are training you to fall for scams.
EDIT: This specific instance was Deutsche, but Chase has the exact same horrible habit of calling and then asking for an OTP code.
I've gotten calls from my bank before, where they tried to get me to authenticate after I answered the phone. I said "look, you called me, I'd be crazy to just answer the phone and give out personal info." They refused to provide any info that I could have used to validate that they were legit (like telling me something about my account number, when my account was created, etc.). They said I had to authenticate with them before they would tell me anything.
Sometimes the rep is understanding, and acknowledges that he would have the same reaction, but other times it's like they don't realize they're asking their customers to do something Very Stupid™.
Over a decade ago, I worked in a bank call centre, first as one of the people who would occasionally make those outbound calls and have those crazy conversations, and then later in their customer experience team. It was well known that those outbound calls to customers were a mess, but it was thought of as tricky to fix. The dilemma was that the risk department felt they needed to identify people, but not only were those people often hesitant to provide any info, we wanted them to be - for everyone else who called them, but not for us.
It was also difficult that when people asked whether they could call back, we encouraged them to, but couldn't guarantee they'd then speak to the same person. They'd need to just talk to whoever they got. That was usually enough to put the person off and they would just take the risk (unfortunately).
Edit: Just wanted to add that I personally didn't want the people to make an exception to their unknown caller scepticism. Perhaps this bugged me more than others, but I would strongly encourage them to call back, and then do my best to get the call-back transferred to me. For that and many other reasons which I like to think of as preferring quality over quantity, my stats were as bad as you'd imagine!
When that bank did really try to tackle this issue, they quickly realised that there was more than one level of risk, and for the vast majority of the calls, we could get by with very little of that customer verification process - basically just that we had called them on a number they had provided, and they stated their name (which I think was more as a recorded verification that they were at least stating they were the correct person). For the much smaller number of outbound calls with more risk, we could then ask the person to call back. Once the risk peeps were on board, it was vastly improved fairly easily.
I'm not in that space at all now, but it seems far easier than it was back then. A few banks I'm a customer of send notifications right into the online banking app, which the customer approves, confirming that they at least have access to that. I don't know what they do if you don't have the app installed. I do find it a little sad that it is yet another thing pushing you to need a smartphone (and to install yet another app). On the other hand, I think all of those banks require me to have the app to use as an authentication token to do any kind of online banking even on a desktop browser, so if you're going to do that, may as well take advantage of it everywhere.
It happened with Schwab. I've enabled option trading in one of my accounts and got a call from Schwab, asking to authenticate me. I told them I couldn't trust it's a legit call; give me a number and case number and I'd call back.
> … I had to authenticate with them before they would tell me anything.
Sensible. But this whole “we called you now prove to us who you are” mess is stupid.
“Hey, this is Carol from Le Bank. Please just give us a call back at our main number found in the app or on our website. Then you can reach me directly at extension 123.”
"From 25 August 2025, you will benefit from the upgrade for online banking and Deutsche Bank app.
[..]
From 25 August, you will be able to simply reset your PIN yourself.
[..]
after logging in, you can also see accounts for which you are an authorised signatory."
But out of fairness, let me just mention that Chase behaves the same way. I think all of them just don't really care about small- and medium-sized businesses.
I've had this same issue with BECU (Boeing Employees' Federal Credit Union). They're a really good financial institution, but like many, they suffer from nearsightedness. They know that they're "the good guys", so they feel that it's unnecessary for them to properly authenticate themselves to you. So it's asymmetrical security and asymmetrical trust.
The worst part of this (for BECU) is that they've been warning their customers about phishing attacks from entities claiming to be BECU.
My old insurance company (Cigna) used to call me and demand information to verify it was me. I eventually figured out it was a thing to try to convince me into getting cheaper cancer treatment so they could save money.
Ye. I called my bank to unblock my Mastercard after they blocked it due to Blizzard charging 10 USD or something for StarCraft. I just told them my name and they unblocked it.
On another occasion the bank called me regarding my house insurance and asked me to identify myself with their dongle.
Like, it is a wonder I have any money at all in my account. But then again, giving away plastic cards with a magic number on them that you gave to strangers for them to withdraw an amount of their choosing from your account was the norm for decades ...
Maybe the wisdom is "Security through no security"?
I had to call Chase about an issue with my credit card. I called them and knew I was talking to a legit agent. At least as sure as one can ever be. Still, at one point she asked me to read back the code she texted me. I started to do so then stopped. I explained that the text she sent me specifically states "We will never ask you for this number (over the phone)". I refused to read it back since it violated their own stated policy.
She had to do some additional work to resolve my issue but it did get fixed.
My local medical clinic sent me an SMS with a link, asking me to change my medical info. I called them to point out how they were training their patients to fall for SMS scams.
At my (very large) bank, they have asked me to read them a code from text that literally said "Do not share this code with anyone over the phone" in the text message next to the code. I'm 100% sure it was my bank asking for the code. I called them from a number I found on their site over HTTPS and verified from another source, they knew my account information. I gave it to them while telling them they need to fix this. This was a few years ago. Nothing bad ever happened. Just bad security practices.
I called them about my Fitbit warranty and the rep needed to verify my account and wanted me to give him the code from SMS that explicitly said in the SMS not to give it to anyone!
No my account did not get hacked afterwards. Yes it was a legit service rep because afterwards he was able to pull up info on my previous warranty claim.
I know Wells Fargo gets a bad rap (and rightly so) for some of their behavior, but IME they've always had their stuff together with online access and banking.
Did the OTP message they sent you state that this code was specifically to authenticate on the phone?
If it did and even included details like the person's name, that would make me feel safe. If it's a generic OTP that could be used to log into my account or reset its password, though…
Yes, I've also had Wells Fargo require me to read codes that were emailed back to them, and while this was mitigated by me calling them, it sketched me out every time I had to do it.
They treat you as you deserved to be treated: As a serf. You let them stomp all over you and still come crawling back to plead with them to let you bank with them. Even though there's hundreds of banks you can switch to.
If anything even remotely similar happened to me, I'll instantly close all accounts and move my business to another bank.
The bank's policies and those like it are the root cause of these scams. There are countless things like this where real "legit" behavior is completely indistinguishable or sometimes even worse than scams.
There will always be people that are "wallet inspector" stupid that you can't really shield from scams. But common sense practices and consistent messaging would solve a lot of the problem. There needs to be better accountability for companies that have these insecure practices. The same way they'd be held accountable for a data breach. Oh, wait...
Google support actually did ask me for that code when I had them disable energy savings on my nest thermostat. (it's insane that this had to be done through support, it's the setting where the power company can essentially control your thermostat in exchange for savings)
To their credit/discredit, when I said "no, I'm not giving that out, it says not to", they just moved on. Not sure why they even asked then.
Yes, it is so easy to enable this setting, they even keep sending us notifications to enable it. But once enabled, it is impossible to disable it.
It is a setting that lets your power company change your temperature settings when the grid is under load. We wouldn’t mind it, but they turned our heat way down during one freezing night while we were sleeping. Everyone woke up cold the next day.
The asymmetry in activating/deactivating may be because power companies discount rates (don't know if it is automatic or you have to contact the provider) for people with that setting active, and removing it disqualifies you from the discount, so there is at least potentially an asymmetrical financial impact of toggling it one way vs the other.
> — no support group from a big company is going to call you. Ever
> - never give out codes sent to you via SMS or push notifications to someone requesting them via phone or email. Never. The messages often even say that.
Chase bank still, as of last week, asks for these codes over inbound calls. Drives me mad. They do so when calling me about fraud alerts, not the other way around.
NEVER answer - like NEVER :) absolutely NEVER answer... calls or text... it is really simple. I also have Chase and I have blocked just about every single number they called me from (probably like 12 over the last decade)
My phone is set to Do Not Disturb by default. Only 5 numbers can reach me direct to ring and that is immediate family only. I never answer calls from unsaved numbers. If they really need to reach me they can leave a voicemail.
When you answer a call your brain kinda loses its ability to step back and think. Almost like the same trick that those people who ask for directions and steal your watch do.
Security is not the main reason I do this but it has been nice knowing I can't be reached directly by scammers and hackers.
I stopped answering unknown numbers because everything that's important comes via email anyway. But a friend of mine has a job that requires them to answer calls from weird numbers, so it's tough.
> never give out codes sent to you via SMS or push notifications to someone requesting them via phone
Unfortunately, some call centers DO use that for verification in some cases (i.e. you call them, and they send you a code to your email/phone that you read back).
> I’ve personally never had that happen. It should go on a name and shame list
The key situation for giving out an SMS code that the gp is pointing out is the customer initiates the call to the support center.
For example, suppose somebody wants to add a credit-card to their smartphone digital wallet. They have to call the bank issuing their credit-card to do that. Once the customer support person answers the call, a common security verification (e.g. Chase Bank does this) is for them to send you a 6 digit code to your phone. You then repeat this code back to the support person on the call. They want proof of your identity and also proof that you physically have the smartphone with you. Repeating the SMS code to the customer support person is safe because the customer called the official 1-800 number on the back of their card.
That's a totally different sequence of steps from receiving a random call from somebody claiming they are from Chase Bank. Yes, in those cases, you never give out SMS codes to that untrusted person on the phone.
Note, however, that those are two "totally different sequences of steps" to you and I, and "completely analogous / equivalent sequences of steps" to my father in law :-/
They should have users receive the code and then submit said code into the application for verification, with clear instructions that this code is produced as a result of a support call, and to confirm you are on an existing call when submitting the code.
Doing so would not force users to divulge codes over the phone, and enable support staff to verify identity all without training users that reading codes over the phone is acceptable.
Still not foolproof. Attacker can MITM the connection by initiating their own call to the real support line and relaying instructions between the user and support.
How else are you supposed to do identity verification over the phone?
I think if the war against phishing online has taught us anything, it's that humans can't be trusted to not reveal secrets to scammers. Only machine-to-machine public key authentication (like TLS or WebAuthn or U2F) is truly phish-proof.
The signin 2SV SMS verbiage used by Chase is: "Chase: DON'T share. Use code 12345678 to confirm you're signing in. We'll NEVER call to ask for this code. Call us if you didn't request it."
I assume in the case where the customer initiates the call and support is verifying their identity via SMS, they use different text (i.e. not "to confirm you're signing in"). Otherwise, that'd be pretty ridiculous.
My reply involved the effort of sending a test message from my Chase account, to capture the exact text used. If you want people to engage with you in good faith, you should put similar effort into your replies, rather than just use Reddit-speak for "I think you're wrong."
Chase did this to me. A million alarm bells but even after hanging up and restarting the conversation from a phone number publicly listed on their website as a support contact they still did it. Wild.
Stripe Support does it for certain specific cases (email & phone). However, whenever they do it, it's a bilateral code generation: the support agent also gets a code they have to read out to the end user, which is featured prominently to them, saying the agent will have to read it out to get authenticated.
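An added example, not code from any commenter nor from Chase's or Stripe's real systems, of how an issuer can keep the customer-initiated support flow described above separate from sign-in codes: every code is bound to a purpose and a session, so a code is only accepted in the flow it was issued for, the message wording tells the truth for that purpose, and a support session also carries an agent-side code in the bilateral style of the Stripe comment. The purposes, templates, session ids and the `CodeIssuer` API are assumptions made for this illustration.

```python
import hashlib
import hmac
import secrets
import time
from dataclasses import dataclass

# A login code is only ever typed into the sign-in page; a support code is
# only valid inside a customer-initiated support session and is entered in
# the app rather than read aloud. Codes never cross purposes.
LOGIN = "login"
SUPPORT = "support"
MAX_ATTEMPTS = 5

# Message text differs per purpose so it never lies to the customer. The login
# wording mirrors the Chase SMS quoted in the thread; the support wording is
# constructed for this example.
TEMPLATES = {
    LOGIN: ("DON'T share. Use code {code} to confirm you're signing in. "
            "We'll NEVER call to ask for this code."),
    SUPPORT: ("Support session {session}: the agent must first read you "
              "code {agent_code}. Then enter {code} in the app, never "
              "over the phone."),
}


@dataclass
class IssuedCode:
    digest: bytes      # HMAC over purpose|session|code, not the code itself
    expires_at: float
    attempts: int = 0
    used: bool = False


class CodeIssuer:
    """Issues and verifies single-use codes bound to a purpose and session."""

    def __init__(self, ttl_seconds=300, clock=time.time):
        self.key = secrets.token_bytes(32)  # per-deployment HMAC secret
        self.ttl = ttl_seconds
        self.clock = clock                  # injectable for testing expiry
        self.codes = {}                     # (purpose, session) -> IssuedCode
        self.agent_codes = {}               # session -> code the agent reads

    def _digest(self, purpose, session, code):
        msg = f"{purpose}|{session}|{code}".encode()
        return hmac.new(self.key, msg, hashlib.sha256).digest()

    def issue(self, purpose, session):
        """Create a code for (purpose, session); return (code, message)."""
        if purpose not in TEMPLATES:
            raise ValueError(f"unknown purpose {purpose!r}")
        code = f"{secrets.randbelow(10**8):08d}"
        self.codes[(purpose, session)] = IssuedCode(
            self._digest(purpose, session, code), self.clock() + self.ttl)
        agent_code = ""
        if purpose == SUPPORT:
            # Bilateral check: the agent proves they are the bank by reading
            # this code first. The agent never learns the customer's code.
            agent_code = f"{secrets.randbelow(10**6):06d}"
            self.agent_codes[session] = agent_code
        text = TEMPLATES[purpose].format(code=code, session=session,
                                         agent_code=agent_code)
        return code, text

    def verify(self, purpose, session, code):
        """Return 'ok' or the reason for rejection. A code is single-use."""
        issued = self.codes.get((purpose, session))
        if issued is None:
            return "no-code-for-this-purpose"   # wrong purpose or session
        if self.clock() > issued.expires_at:
            return "expired"
        if issued.used:
            return "replayed"
        if issued.attempts >= MAX_ATTEMPTS:
            return "too-many-attempts"
        issued.attempts += 1
        if not hmac.compare_digest(
                issued.digest, self._digest(purpose, session, code)):
            return "wrong-code"
        issued.used = True
        return "ok"


if __name__ == "__main__":
    issuer = CodeIssuer()
    login_code, login_text = issuer.issue(LOGIN, "login-42")
    print(login_text)
    # An agent tool only verifies SUPPORT codes, so a login code is useless to it.
    print(issuer.verify(SUPPORT, "login-42", login_code))  # rejected
    print(issuer.verify(LOGIN, "login-42", login_code))    # ok
```

Because the agent tooling can only ever verify support-purpose codes, the bank's own processes never have a reason to ask a customer for a sign-in code, which is what lets the login message say "we'll never call to ask for this code" and mean it.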
Also me. Every 10 years my domains expire, and I can just pay a few hundred bucks again and forget about it, or I can do a bunch of work to move them somewhere and adjust A records and fuck around with stuff I don't remember and potentially have downtime.
IAM permissions are almost always a pain to get right but they can be so useful when you can create an API key with permissions to do only exactly what it needs to do.
Google business support called me to close the loop on an issue I had with a business listing. It was from a very busy and loud call center, and was made by someone with a heavy accent.
But over here our bank has also been sending out leaflets on how to avoid scams, and the top two are "if you need to call, call the number written on the back of the card" and "if you're not sure, come to the bank in person".
Same thing I taught my parents, and my mom actually got a call about some "personal info they needed to verify", said she'd come to a bank in person, they said "ok", she went in person, and they actually needed to verify some data (some EU regulation, she hadn't visited a bank in years).
I'm in the midst of a transfer of enterprise account ownership with Apple, and I can assure you, the only way to complete it is to wait for a phone call from Apple Support from 1-512-884-5022. You can call this number back and verify it is indeed Apple Support and get notified it does not accept inbound calls, only outbound.
During a Tracfone support call I made recently, they sent a 2FA text to me. I said to the rep, "The text says 'Don't share this code with anyone.' Can I share it with you?" They laughed and said yes. It was completely legit as I had called Tracfone for some service changes.
So some of these systems are very poorly designed.
> Always use a third party like 1Password or similar.
Or even better, don't rely on a third-party hosted service.
I've been a Codebook[1] user since the old-days when they used to call it Strip.
They are old-school, local-system storage. With sync/backup done how you like it (all three encrypted before it leaves your computer):
- Dropbox
- Google Drive
- Local folder (which you can then sync with using your own mechanism)
- Recently (only this year) they introduced a totally optional hosted subscription cloud-sync option for those who want it
Honestly if someone from Google Support calls me, my immediate response would be: "Google... Support? Now there's two words I've never heard in the same sentence before."
AMEX fraud support group called me. A real live agent.
Capital One texts codes during live calls and requests the customer read the code to them.
A health care provider sends emails with links to a 3rd party domain to provide encrypted email, because a) regular email supposedly isn’t HIPAA compliant and b) apparently the health care provider’s web and app infrastructure which provides secure messaging is not secure enough for certain messages. It’s indistinguishable from a phishing attack.
Hospital direct invoicing by email, also includes 3rd party links, which takes the user to a site asking for personal information including SSN. It’s certainly phishing. Right? Nope, it’s legit, and no option to get a mailed bill once volunteering an email address.
I think half of mobile device users don’t know or can’t handle a best practices workflow.
The reality is the tech industry sucks, it’s bad at its job, gives shitty advice to everyone then goes and violates all of it, leading to loss of trust.
> regular email supposedly isn’t HIPAA compliant
It isn't.
I work in healthcare, and if anyone in the company sends an email with PHI or PII in it, we're supposed to alert the Security department, or lose our jobs.
The danger with stating this in terms of absolutes like:
> no support group from a big company is going to call you. Ever.
Is, eventually, you probably will get a call from a support group at a big company, as many have noted in response, and then all of the other absolutes in the list also become "well, people say never, but I think this is one of those exceptions" instead of "it's never worth taking the risk of assuming it's the company who really called you".
A company, even big one people joke about having a complete lack of actual human support agents, may really call you one day. The other 364 days of the year it's probably a scam. The safe bet is to take the issue they called about and contact the official support channel yourself (being careful to get a real one and not an ad/fake site if you need to Google it). It may not always seem the most convenient, but it only takes one mistake to end up in a much more inconvenient place one day.
Include SPAM call blocker in that list! Notably, both iOS and Android have that feature. Never pick the first call from an unknown number! If it's urgent and they are genuine, they'd leave either a voicemail or a text.
Has anyone invented something like the TLS three-way handshake, or a U2F challenge, that can use spoken words as a transport layer? People could then be "safely" tricked into reading back "correct-horse-battery-staple" or whatever, because they actually wouldn't have the ability to generate a usable sequence unless the attacker first provided something that only the real site owner could provide.
I'm imagining something with the non-phishability of U2F but the usability of an SMS 6-digit code. Maybe that's U2F.
I am a big fan of KeePass, which I sync with Dropbox; good apps exist for iPhone/Android/Mac/Windows/Linux. But I don't know if that's more secure than a password provider like 1Password. At least not fitting into the typical profile, and being able to control the data, open source code, and offline access feels like the optimal way for me.
> never give out codes sent to you via SMS or push notifications to someone requesting them via phone or email. Never. The messages often even say that!
Some services even say that when they are indeed codes you are _supposed_ to read back to them. Which clearly helps further train people to ignore that language.
> — never give out codes sent to you via SMS or push notifications to someone requesting them via phone or email. Never. The messages often even say that!
I tried making this point downthread but it bears repeating higher up. Per OP, this was an account with Authenticator enabled. If you have a working authenticator setup, they aren't going to "ask for a code", since by definition you're already authenticated. And while I'm no expert, I really don't think there is such a thing. Recovery for a lost account never goes back to device-in-hand once you have enabled full 2FA.
Something is being skipped in the description of the phish here. I don't think OP is being completely honest.
The code I read to them was a Google account recovery code. That’s how they accessed my Google account. I, mistakenly, believed they needed to confirm I was still alive and the rightful owner of the account.
Then the attacker used Google SSO to perform the initial log in to my coinbase account. Then they opened Google Authenticator, signed in as me, to get the coinbase auth code so they could complete coinbase’s 2fac.
But... that's an email that would be sent to a non-gmail address, the one on file that you originally registered your account with. And while I don't have copies of the transactions in front of me, these things are not unclear as to their purpose or intent. They tell you straight up that they're resetting the authentication for the account and to be sure you are doing it intentionally. They're also accompanied by warnings that would be simultaneously sent to your active gmail address and to the Authenticator app.
I really think you're reaching here trying to ascribe blame. You... just got phished.
> They should stop doing that then and use standards like everyone else.
Many of those standards are objectively poor. I don’t want to live in the world where what we are allowed to use is defined by the lowest common denominator of mediocre engineers.
Mediocrity über alles is what you are tacitly advocating for. I’ve been part of many standards processes where the majority democratic outcome was low-quality low-effort standards that were extraordinarily wasteful and inefficient because the people making the standards didn’t care, it was all about what was expedient for them. This is the default state of humanity. No one should be forced to comply with that garbage by regulatory fiat if they don’t want to.
The standards are really bad and it’s not just about protocols but hardware. Should they give away every hardware design needed too?
Lightning was an incredible boon in an era of micro USB, people just seem to forget how shit everyone else was. Now we have USB-C where companies are required to supply the port but don’t have to follow any actual specification, yay for standards.
> The standards are really bad and it’s not just about protocols but hardware.
Okay, if their hardware is esoteric, open the protocols for interacting with hardware.
> Should they give away every hardware design needed too?
Yeah probably. It would be a lot better, more like x86. We would actually get repairable phones instead of landfill fodder. But that's a different issue.
> Lightning was an incredible boon in an era of micro USB, people just seem to forget how shit everyone else was. Now we have USB-C where companies are required to supply the port but don’t have to follow any actual specification, yay for standards.
And then it became a cheap scam, whereby Apple made a few dollars off of every single lightning cable produced by anyone on Earth due to licensing.
Also, as for USB-C - doesn't matter, still better. My chargers work across multiple devices. Yes, there's some standards noncompliance, this is still a huge improvement over ZERO cross compatibility.
It's comparatively much more open, with interface and protocols specified and open source firmware implementations widely used in the wild. I'm also including BIOS/UEFI in this.
ARM and phone manufacturing is a hot mess in comparison. We're still trying to reverse engineer M series MacBooks and iPhones are off limits. Android is also not open source, no AOSP does not count.
There would be a lot more competition in the space if the hardware had proper specs, like x86 does.
What competition has x86 seen? I’m old enough to remember when there was more than Intel and AMD. When did they last license x86 to a competitor, 30+ years ago?
It’s great that documentation exists, but it doesn’t make for competition. ARM is at least licensing out to more than two manufacturers.
The DMA does not define such details, it is much more simple and agnostic. It identifies if a company creates a market within its own ecosystem, invites others to participate but doesn't offer a fair competitive field.
--> If iOS introduces non-standard changes to Bluetooth and Wi-Fi to compete against Android, this does not concern the DMA.
--> If iOS introduces non-standard changes to Bluetooth and Wi-Fi to create a product of ANOTHER market-segment (Headphones, Watches, Routers,...) they are required to provide interoperability for other brands than Apple as well.
The reason is simple: iOS has such a critical size that it is anti-competitive behavior for Apple to modify iOS in order to beat the competition on e.g. headphones.
With Bluetooth they do use non-standard changes, heavily influenced the development of LE Audio, and there is no statement about when, if ever, they will support LE Audio, possibly never. Apple simply doesn't care.
This does nothing for the case of receiving a fake coinbase sms with a fake contact phone number.
I have had people attempt fraud in my work with live calls as follow up to emails and texts. I only caught it because it didn't pass the smell test so I did quite a bit of research. Somebody else got caught in the exact same scam and I had to extricate them from it. They didn't believe me at first and I had to hit them over the head a bit with the truth before it sank in.
Multi patterning to get effective smaller wavelengths has been around a while. It’s cheaper to reuse machines you already own, but slows down production.
OpenAI does more than LLMs, they have bio ML research etc. and Google has AlphaFold. It would not surprise me if Mistral had an ML team on physics related to work that ASML could use.
I suppose, but I don't feel like that makes Mistral special enough to excuse this amount of funding. They would need clever researchers with resources to do research. The kind of AI we're talking about would likely not benefit from data-center scale training either. So why the 1.7B euro? That amount of money could fund multiple small dedicated research labs for exactly the domain ASML is interested in.
I don't think it adds up if this is truly for multi-patterning or pattern exposure correction technology.
As others mention it could be for entering and grabbing some value from down-stream technologies (actual investment expecting return of some sort) but it's odd how they skip over like 200 steps between their industry and the industry they invest in. It's like an iron ore mine investing in precision screws. It's down the value added chain but such a massive leap that it makes me scratch my head.