(no title)

A bank called me to ask me security questions. I said that I would call back using the number on the bank's website. They said (and the bank confirmed when I did call the number) that there is no way to be transferred to the security question people when I call the bank - the only way is for them to call me. I explained that that was poor security practice. They said that I should just look at the caller ID to see that it was the bank calling. It was useless trying to tell them about caller ID spoofing.

PSA: If you are of a certain age, the last four digits might be roughly all of the useful entropy in your SSN. Be careful with them. Before 2011, the first three digits indicated the office that issued the number and the middle two (the "group number") were used in a publicly-known sequence. The Social Security Administration helpfully published periodic lists of the highest group number reached by each office. This makes it extremely easy to predict the first five numbers for people who were registered at birth, which became quite common in 1986 when tax laws changed to require children's SSNs to claim the associated tax credit.

This is just an extremely incompetent and rude loan officer. Generally the loan officers are motivated to close the deal and write you a check because they get commission from that. They are nice to their customers because pissing off customers won't get them that sweet commission. The loan officer I last talked to managed to close more than $1B of mortgages in a year and he's the nicest guy on the phone. In your case, they could for example let you email them using their official bank email address, or use the bank's own web app or messaging system.

Similar story, I transferred a decent amount of money from one bank account to another (different bank). I thought nothing of it, but I got a call randomly from what appeared to be the receiving bank's 'fraud' phone number (based on Google). I picked up, and the person on the end had an extremely thick accent similar to scam callers. He started asking me if I had made a transaction recently (I said yes), then asked me to confirm this transaction if I would provide additional information about myself, including home address and social... I refused, and was told if I didn't my bank account would get locked!

Sure enough... I had to go down to the local branch to get my account unlocked, as well as prove the amount of money I was transferring was... available in the other account? Absolutely ridiculous. I don't even know what sort of fraud they were trying to prevent, as this wasn't a new bank account and I'd made transfers between them before.

Terms of service from my bank say you're not allowed to give your PIN or secrets like one-time passwords (called "TAN" here) to third parties, not even the bank employees themselves.

But when I contacted them about a phishing practice, it was A-OK because it was a "legitimate" website that phished your credentials to view the last 180 days of transaction histories, compute a credit score, and then withdraw the money. They would "look into the situation and see if a better solution could be found" with this german company...

I don't understand how anyone is okay with this but klara or klarna or something is a pretty popular payment provider in germany as far as I know, but so my experience is now that banks like to change their security-relevant terms one-sided. But it's your fault if you give out secrets to the wrong person of course, not like the bank was going to care if your social security number had gone to a scammer for example

Any bank where this is the standard operating procedure for interacting with loan applications is not a bank that I'd want to do business with. Perhaps this was just one loan officer's way of doing things, and not the way of the business, but that's just not okay to me.

Any time anyone asks me for any part of my social over the phone, I ask for some other method of verification. Most folks have other ways of doing stuff. It's ridiculous that what should purely be an ID number is so powerful, but I can't change that fact, just how I interact with folks with regards to it.

This method of data exfiltration is in Kevin Mitnick's book! He needed a daily pin that banks used to validate intra-bank communications. He called a bank, said that he needed to fax over loan forms from another branch for signing later that day (or something like that). He then asked the bank that he called for the daily PIN. They refused because he called them. He pointed out that he was sending sensitive data to them so they needed to provide the pin... and they did.

One of my startup jobs paid us through ADP. While our ADP account was being set up, my boss told us to be on the lookout for an email from them. So one day, I'm in the middle of programming something, and I check my email. Lo and behold, there is an email from ADP... or is it? It is about fifty words long and contains five grammatical errors. It's asking me to fill out the attached PDF and email it back. The PDF is asking for my full name, address, phone number, SSN, and so on. I figure this may be some kind of phishing attempt, so I ignore it and get back to my work. If it's real, I'll hear about it again, right? Well, two weeks later, my boss tells me amazedly, "Hey, Bill from ADP is still waiting for your information! Why didn't you reply to him?!?!" I laughed and told him why.

As a bonus, when I was finally put into the system, they managed to get my zip code, phone number, and SSN wrong. At ADP, quality is job zero.

> He asked for my name, which I gave him, and then the last four digits of my social security number, which I also gave him. He then proceeded to ask for my full social security number, at which point alarms started going off in my head and I started sweating about even giving the last four digits to a stranger who had called me out of the blue.

I'm super paranoid about even the last four. The first five digits of an SSN were algorithmic for most of US history, and still mostly are but a tiny bit more random entropy, and can be narrowed down with mostly only the city in which you were born and what year. You can often use basic k-means clustering to find it even without that information. More often than not entire families share the first five (or close to it) and you only need to phish one family member to k-means cluster the five digits for the rest.

The last four are more often than not the most significant digits in terms of identification and entropy. Masking the rest is almost silly for most Americans. Our masking schemes have actually made phishing easier because people feel safer sharing just the last four, when for most those are the only four that matter.

SSN was never intended to be a secret so its design is horrifyingly bad for something that has come to be a huge secret in banking and healthcare and so many other industries. Recent SSN changes have made it a little better for anyone born after roughly 2010, increasing somewhat the entropy in the first five, but the rest of us have problems that we can't solve easily and banks should be ashamed they helped lead us to these problems.

I'd have read him the riot act on the phone. My bank has big warning banners on virtually every page of the site warning me to be careful of scammers. Someone calling me on the phone and asking for my TIN? Yeah, I don't think so.

Had a very similar experience with a bank few years ago. I filed an official complaint because it was not possible to verify the caller was authentic.

Can you guess what happened next? Yep... The complaints team cold called me and requested PII to confirm they were talking to the right person. I refused and the call ended.

Later got a letter saying it wasn't possible to followup on my issue and they didn't see any issues with what I had raised. I tried... :/

Reminds me of the repeated calls my parents received to refinance their mortgage under some government program. It took them months to realize it was legit.

Shout out to my car insurance, Amica. They called me because they needed some account information updated/clarified. Before we started doing anything I told them "Hey, not to be rude but could I call you with the number on your website? I'm paranoid about scamming and that's safer" They said "Absolutely, that actually makes a lot of sense". So, I called back and we got everything done.

The issue, I think, is the larger the company is the more incentivized it is to hide away access to it's internal employees. If you can call a department directly you can start phishing between multiple employees pretty quickly. Locking that down and putting a horrible automated system in place makes that harder to do.

I swear, it's like banks are trying to train people into being scammed.

> Turns out he actually was from the bank and he did cancel the loan application.

Plot twist! Didn't see that coming.

Seems bizarre to me that this would happen, but reading sibling comments just keeps having me shake my head in dismay.