A story about a security engineer at a large company who was nearly scammed

Robert Heaton, a security engineer at Stripe, a major payment service, talks about how much he learned from being fooled by credit card fraud despite his extensive knowledge of fraud.

I'm a security engineer and I still almost got scammed | Robert Heaton


Mr. Heaton came to the verge of being victimized by fraud after his mobile phone received two missed calls from unknown phone numbers. When he searched for the phone number, he found that it was the number of the bank where he had his account, so he thought, 'I'm sure my credit card was used for fraud,' and considered checking with his credit card company.

Ten minutes later, another anonymous call came to Mr. Heaton's cell phone, and he picked it up thinking, 'It's probably the bank calling, so let's get this matter settled here.' 'This was a mistake. I should have ignored it,' said Mr. Heaton.

'I'm Barry in the bank's fraud department. I called because there was suspicious activity in your account,' the caller said to Mr. Heaton when he picked up the phone. Ordinarily, Mr. Heaton would have hung up and called the credit card company back, but he gave in to the temptation to get the troublesome matter over with and continued talking.

After that, he talked for more than 15 minutes, answering Barry's various questions. While checking the verification code that Barry sent and the text and email meant to prove his identity, Mr. Heaton felt that 'something here doesn't sit right,' but he was not convinced that it was a scam.

It was when he was asked for an Apple Pay code that he was able to spot the scam. Mr. Heaton, who had never used Apple Pay in the first place, was about to read out the confirmation code after being told that it would disconnect his credit card from Apple Pay, but the code was not 'a code to remove the credit card from Apple Pay'; it was 'a code to add a credit card.' From this, he realized that the other party was trying to register Mr. Heaton's credit card in his own Apple Pay account, and Mr. Heaton promptly avoided becoming a victim of the fraud.

Regarding the trick used by the scammer who claimed to be Barry, Mr. Heaton said, 'Barry bought my name, address, phone number, and card number from a hacker, but my card is set up to require an authorization code every time I shop, so Barry would have called me. He put me through a lengthy fake question-and-answer session to lower my guard and make me think, "I want to get this trouble over with sooner," and I got used to reading verification codes aloud.'

On top of that, he commented on the lessons he learned from his experience of being fooled by fraud: 'I had a chance to notice it along the way, but I made mistakes because of pressure and negligence. Designing a system that is resistant to mistakes is a security engineer's job, but it's still important to take some rudimentary measures as a first line of defense: hang up on suspicious calls claiming to be from banks or credit card companies, and call back using the correct contact information, such as the number written on the back of your credit card.'

in Security, Posted by log1l_ks