BOFH: Password HELL. For you, mate, not for me "Okay, I'll just need your username and password to verify this," the customer rep tells me. "You know my username." I respond "I just told you." "Yes, but we need to verify that you have access to your account." "I told you the answer to my secret phrase question." "The secret phrase is only used to verify your identity, …
I do have to admit when it comes to stuff like this, I just have to be myself for a minute and I usually get hung up on. Not rude or anything, I just start asking questions (like how did you get this number? Can you prove you're not in violation of the data protection act etc etc) and provide accurate if awkwardly phrased answers and pretty soon I am talking to myself again.
I rarely get cold calls, but when I do by heck I put them through the mill!
And I always ask questions back when it is a legitimate call, it's always nice asking them where, when and value of my last transaction, or when my account was opened.
Co-Op bank and Amex always seem to enjoy playing along, the others not so much (especially EE)
"Hello sir, we have been passed your details because one of your family has been in an accident recently" or whatever.
Whenever I get one of those calls I always start the conversation off with "What's my name?"
and they always have a go at guessing it!
Oh nothing so sensible as Mr Brown or Mr Smith, which has a statistical chance, but the most random list of internationally known celebrities...Mr Blair, Mr Trump, etc, gets thrown at me, in that one in a beeelion chance they might win gold.
A bunch of chancers by any definition.
Last one of those I had was at work and when asked by the lovely chap from the Indian Subcontinent if I had been injured in the accident that wasn't my fault, I said:
Me: "Yes it was awful I've never been in a fatal accident before at least not one where I died"
Sounding very interested: "So you were injured in the accident?"
Me: "Yes mortally wounded as it turned out, the funeral was lovely though"
Sounding very interested: "Can you describe your injuries?"
Me: "Yup Death by Decapitation and not the good kind, not going to walk away from that"
Sounding extremely interested: "Have you spoken to a lawyer yet?"
Me: "No very few people talk to you when you're dead, I'm grateful for your call."
Sounding disinterested: "Are you saying you didn't survive the accident?"
At this point there is the sound of someone else joining the call.
Me: "Yes, and I wouldn't recommend cremation if I were you!"
Line goes dead
My general response to people wanting to talk to me about the accident i was in is,
'Christ, I've been in an accident? Really? Am I OK? Do my family know? It must have been serious as I don't remember it'
Generally don't get much further than that before they hang up, although you do get the odd one who doesn't understand and you have to spell it out for them.
My wife plays helpless, and "oh dear my husband is not home at the moment & he deals with $attempted_scam, his name is Rufus Firefly* and you can reach him on ..., and uses the number for one of the telemarketers that comes through on an unblocked number
*safe in knowledge few have watched Duck Soup , I am considering getting her to change the name she uses to Lancelot Link
In America we tend to get cold calls by robot. Since they'll persist in spite of anything you do, all you can do is hang up and see if you can block the number in future (at least I haven't yet been cold called from a hidden number, probably because those that do tend to end up being police traced).
Ah yes. I once received an "emergency call." The caller asserted that my Bank of America account had a problem. He had a dense, south Asian accent. Then he asked me to give him my bank account number! Hmmm.
"But, you are calling me. Why would you need my account number?"
The assertion is, "we need to verify your account."
"Verify what?"
"Your account!"
"But you should already have the number."
"Yes, we do. But, we need to verify it."
"What did you say your name was?" He really hadn't. There was a pause, "Jim Smith."
"Where are you calling from?"
"Kansas City."
"Interesting, Jim. You know, from your accent, I would have thought you weren't west of Peshawar."
<Click>
I had a brilliant outcome to a scam call a couple of weeks ago...
Scammer: (heavy Indian accent) Ma'am this is David and I'm calling from BT, how are you today?
Me: (Deciding on the bright and breezy appoach) Awake!
Scammer: Ma'am, the reason I am calling is that we are worried about your internet, for the past few nights it has been sending us error messages which indicate to us it is being used illegally at night, do you understand?
Me: (thoughtfully) Riiight...
Scammer: Ma'am, we're talking about your router, OK? It's been hacked, OK?
Me: (energetically) Oh, right! Hang on, I work in IT, let me check the logs!
Scammer: You're an IT professional?
Me: Yes!
Scammer: (sounding wary) Right. I am talking to Mrs <surname>, yes?
Me: Nope! (Not married, and not going to correct them!)
Scammer: (confused, talking loudly to self) Then who the hell are *YOU*?!?
Me: (trying not to laugh) Well, that's not very polite for this time in a morning!
Scammer: (realises he said the last sentence out loud, not in his head!) >click<
Kept me laughing for days, that did! :D
"Hello sir, we have been passed your details because one of your family has been in an accident recently" or whatever.
I think in the future it's going to be my wife who was injured. She's being treated in the Institute for Clinical Orthopaedics, ICO for short, in Wilmslow. Phone number 01625 545 745...
And good luck to the ambulance chaser who tries following that one up.
I get the "Windows Support" ones rather often, I usually hang up, but sometimes they tick me off so I mess with them. Sometimes my only computer is an Apple. Sometimes its various Linux distros, a few times I simply invent an OS name and claim I wrote my own. Having claimed to be "Windows Support", they have then undercut themselves. One of these days, I'll spin up a Windows VM and let them play a while, then power it off in mid-stream and claim they broke my computer.
I might also, at some point, interrupt them right off and say something "Oh, thank goodness you called! My computer thingie won't get on the Interweb thing, you can help me fix it!" And since their only skill will be connecting remotely to a working machine and loading it with crapware, yet they claim to be "support"...I predict awkward pauses.
This post has been deleted by its author
There's a guy that has been posting YT vids where he torments the scammers. Nothing unusual about that; there are plenty of these knocking about but this one has been giving users a few pointers with regard to the kind of epithets guaranteed to wind them up from weaker taunts like "chutiya" to more hard core terms like "teri makichoot"... I'll say no more than that!
And I always ask questions back when it is a legitimate call, it's always nice asking them where, when and value of my last transaction, or when my account was opened.
I do the same. Surprising how many of these organisations expect me to give out some serious ID info (name, address, last address, DOB, security questions etc etc etc) but have a hard time when I ask them some things that would verify that they have access to my account.
Some of them get real pissed off when I tell them to go away and hang up on them. Even though I do politely say "I'm afraid I can't confirm you are from my bank, so I am now ending this call". Some do provide me with a way I can get back to them when I call their number (must be through the organisation's published (in phone book no less) number, not a number the caller tries to give me!)
Some get real shirty when you don't play the game by their rules....
Had the 'bank' call me once and I said I'd rather call them but the girl was insistent that I couldn't do that as she wasn't calling from the regular number. Already alarm bells are ringing in my mind but she very patiently explained that we wouldn't be talking about my accounts or any personal info. She then said to verify she was legitimate that I had been in a particular branch last Thursday, which I had and then gave me the time I'd visited which was again accurate and that I'd spoken to the manager. She said she didn't have access to any personal details but they wanted to check that the level of service I had received was adequate for my needs etc. She was charming and never once went near anything that I would have flagged as a scammer question. I did check with the bank and they do indeed do checks like this on their staff.
Flipside to that coin, stayed at a hotel (part of a large chain) in the Middle East over Christmas and when they asked for an email address gave them a unique one @mydomainname.com. I checked the box to say I didn't want my details passed on or sold or contacting in any way. Yesterday I received an email from some business in the same country to that address and I was unimpressed. Called the hotel and spoke to the switchboard and had a nice girl there explain that whilst I might think that I'd received it because it was from the same country it probably wasn't anything to do with the hotel.
Her: "Loads of people have your email address right?"
Me: "No only you have that particular address"
Her: "We wouldn't pass on your details if you told us not to. Are you sure?"
Me: "Yes because the email address is yourhotelchain@mydomainname.com, it is unique to you and I haven't given it to anyone else because I've never stayed at your chain before!" (and won't again after this).
Her: "Oh, I'm not sure who to transfer your call to."
Me: "Well as I made sure I told you I don't want any contact from you and I've been sent something maybe your head of (IT) data security?"
Her: "I'm not sure I know who that is, why them?"
Me: "Because if you really haven't sold/passed on my details then I would suspect you've got a problem somewhere with your computers/data."
Her: "I think all the IT people have gone home can you call back tomorrow?"
"when they asked for an email address gave them a unique one @mydomainname.com"
I do the same thing. Company.auxinfo@mydomain.com
Set up my server so the catch-all address forwards to a unique address for my inbox.
When I start getting spam from someone I :bounce: their address and have a script that fires off an email to abuse@company.com complaining about it for every spam I get.
I have started doing something just as amusing .. I start talking to them and then stop mid-sentence, I apologise and ask them to wait a moment, then put my side on mute and see how long they last for before hanging up. Longest so far was a very persistent 15 minutes and 47 seconds. Either that or he fell asleep for a bit in between...
Similar to what I do. At the start of the call I say, "Oh, you need to talk to Fred. He'll be very interested. Hold on, I'll go get him." Then I set the phone down. There is usually sime background noise (the TV), so the caller knows I have not hung up. An hour later I check to make sure the call has ended. I figure they cannot be scamming others if they are sitting on hold, and they have no one to curse when they realize 'Fred' is never coming.
I used to get cold calls quite often ... first I tried the "I heard this call is recorded, I do not wish to be recorded, for privacy reasons. That worked well, but some tried to insist .... so I switched to this tactic:
When I get cold a call, I only speak German ... needless to say, this has been registered in their systems and they now no longer call me. Have not had a cold call in months or years ? ... at one point it was several calls weekly!!!!
I found out that a French web merchant, cdiscount, was selling my mobile number, I specified it in my details because it is useful when the delivery man tries to locate my home ... I do not shop there anymore.
Tut mir wirklich Leid aber ich verstehe Sie nicht, Ja.
My usual response to cold callers goes as follows:-
Caller: "Scam scam scammity scam?"
Me (Best 1930's BBC accent): "I'm terribly sorry old chap, but I'm afraid I don't speak a word of English. Good day to you!" *hang up*
If they call back, I say (crossly) "I said GOOD DAY SIR!" *hang up*
I do reserve Black Speech(tm) for more suitable occasions, like yelling at Russians at a hotel buffet.
Telemarkters get a very thick accent in Low German (low like High/Lowlands). Most of the non-native German callers do think it is a variant of unparsable English (For Germans it is like Scots to English). And you can use it to politely insult people. We do have several upper court decisions, that insults in Low German are always with a condescending irony and therefore not punishable. Even when used against the police.
Sometimes it pays to be a minority.
Not true , I get EE calling me up, offering to help me move a better tariff with them. They know i'm already with them , but the salesdroids dont seem to know how much I'm currently paying , or have any schemes that wont involve me paying more money.
/but YOU called US/
/easier ways to get your name removed from a mailing list,/
Recently spent some time getting things on and off my books. One of these was a 'collections' issue on my credit history for $1.49
Yup. One dollar and 49 cents. <original item balance was well over $5K, and I still have the 'all paid, glad to do business with you, please come again' printed invoice>
The company involved tried to turn that $1.49 into $52 in when we we're figuring out how to get the flag off the books (it had 3 more years to go). All sorted now. But they've been calling my cell daily. With WunderFul Offers and Cheep Credit. I'm collecting the automated messages in recordings. I'll figure out what to do with the audio stream later. Might have to borrow a Stephen Harper Tactical Calling Tool. I'm just wondering if I can get the accounting department head's home phone number. Sadly what was once a decent furniture shop is now owned by a bunch of tools as far as I can tell.
Have a wee dram Simon, good to see you back. (It is friday after all and, Oh, Look. The three systems where they won't let me set up my ssh keys need password changes)
we have people using their surname with an incrementing two digit number – kept on a bit of paper under their keyboards in case they forget their name."
Yes, I've dealt with managers like that.
Some places actually make employees use Strong! passwords.
You can tell by the yellow sticky notes on the corner of the monitors...
And you might be able to get their login from their name tag.
I think I've mentioned this before, but I'll run it again as it's relevant.
Some years ago I was in a meeting on the new corp password policy (minimum 8, at least one capital and number). I opined that as our users were a lazy bunch and thus likely to want one password and many of our legacy systems maxed out at 8 chars for a password, I could deduce the following: A 7 letter dictionary word, first letter capitalised and a number on the end, probably zero or one. I also suggested that with that sort of hint, any competent cracking tool shouldn't need to break step on the way in.
Looking at the expressions that produced on the faces around the meeting room table, I think I hit the jackpot.
correct horse battery staple is nice, but I prefer the Bruce Schneier password: uTVM,TPw55:utvm,tpwstillsecure.
Doing contract support at $Large Financial Organisation I temporarily needed a better login than the one I had to do something dangerous and irreversible without leaving (my) fingerprints in the logs if shit went wrong, so I asked my manager for his login and password which he gave me quite happily... The password ended in 22. Knowing the AD enforced password changes for security purposes every two weeks I speculated he had been there for about 10 months or so.
"How did you guess?"
The proper thing to do is not to increment, but simply to add a character to the end. Which single, random character you added is pretty easy to remember, and you've been practicing the rest of the password for 90 days so you won't have forgotten it, and eventually you have a 60 character monstrosity of random characters and everyone wonders how you ever remember such a thing.
A favorite of mine, is to gasp/yell out "Can't talk, on fire!"
Hmm.. Nastier side of me awakening...
"Oh, sorry I don't know much about that. I'll grab my son. Jim, someone on the phone about the computer. Jim? [sound like a father knocking on a bedroom door] Oh NO! Jim! NO! [into phone] He's hung himself. Quick, call the ambulance" follow by lots of sounds of screams etc.
Or add in a few other endings.. Been shot/stabbed.. Looking at furry porn... Caught in the act with his mother...
Sadly I don't get cold calls so can't have any fun :(
My wife had a nice one.
She makes a young girl voice and yells:
- "Mommy, there's this idiot babbling on the phone, do I hang up on him or let him talking his lungs out?"
She then replies with adult voice:
- "Watch your language young missy! [Slap noise]
- Ow mommy it hurts! [slap]
- Mommy stop! [slap slap slap] [crying] I won't do it again mommy! [hang up]
Good times. Now we don't do that anymore, because people might actually report us.
However,
'"Here? No, we implemented it and a bunch of other security measures but then we got told to turn them all off because it's hard for people to remember their password when it changes every six months. So there's no complexity and a two-year lifetime. The only time one of the execs on the top floor changes their password outside of this process is when they start up extramarital relationship in the building and don't want their PA to find out."'
I thought BOFH was supposed to be satire, not real life?
I find having a Google Voice number very useful. When I have to give a phone number to some odious person or organization, such as when car shopping for example, it's fun to see who decides to spam me on the number, then contact the only person or company I've given that number to and listen to them swear they don't share it with anyone. Then simply change to another number with a few clicks.
Mine are all from India and contain truly horrible mispronounced names, mostly because I gave a "survey which will never pass on your details" a name of someone who has been dead for 45 years.
So far my very dead ancestor has been involved in all sorts of adventures and ordered all sorts of stuff. The most fun is explaining to superstitious scammers that they were talking to the house poltergeist, which normally causes death by fear (pinched that plot from various Ring movies). Always get a kick from asking them (very seriously) how tortured the ghost sounded.
Got a bunch of phone calls from a scammer offering me a wonderful all expenses paid trip to their new 5 star hotel in Mexico.
I let him ramble on for a few minutes and then when he asked for my credit card number to reserve my trip, I said:
"Wait, did you say Mexico? I was asked never to return to Mexico. There was some trouble with the cartels and some explosions..."
The phone call ended rather abruptly after that.
Mine was wonderful. A friend of mine died a couple of years ago, and I took over his cell phone number because we had some contacts in common (I used Magic Jack). He had LOTS of debt (including to me), and I wanted to be in the loop. A couple of weeks ago, I got a call from a debt collector (surprise!) and I played along, he asked me what I was going to do about the debt of some minor amount (in relation to mine which was a few orders of magnitude larger). I told the guy I wasn't going to do anything. He then started out with all sorts of legal jumble and giving me a bad time. I really didn't care, he was much farther back in the (debt) line than I was. He ended up quite flustered, and it felt good for me. It was truly a BOFH phone call.
Another time a collection agency tried to collect on an older debt (over 5 years old) and when I asked for the date of the debt, he said the older date, and I replied "Good luck with that!". He hung up pretty quickly.
Every BOFH in training should take it upon themselves to waste AS MUCH TIME as possible for the guy on the other end. This makes their "profit" per man hour go down, and thwarts their business model.
Satire? I don't think so!
Last year I hit a roe deer which bashed in the front of the car requiring new bodywork, raditor, A/C unit etc. Shortly afterwards I started getting phone calls from 01618544845, 01609608992 - (amongst others) trying to tell me I could make a claim against the third party. They didn't seem to know the third party was an ungulate, so could play up with 'will it be deer?" - though only when in the mood to do so. Fortunately the phone allows me to put a block on the phone number (and a growing list of them) so the problem went away.
I ask to put them on hold, make them wait for 15-20 seconds come on the line and treat them like a phone sex line, when they interrupt, I quickly apologize, err wrong line and back to hold mode, for a longer wait. Wash Rinse Repeat till they hang up. Works every time.
I think I am now off the cold-call list for a funeral-insurance slinger. My preferred method of burial is to be left on the side of the road in a burlap sack and the council can dispose of the body at their expense or let everyone put up with the smell and associated public health risks. (#deathhacks)
Got the Microsoft scam call about 2 minutes after activating a new smartphone on a new line of service for one of our employees. I was still going through the phone setup when it rang.
As soon as I realized what it was, I tried telling the drone on the line that I my computer was running Linux, then verbally berating him, calling him an idiot, etc. as he doggedly pursued his script, apparently not listening to a word I was saying, as my coworkers began laughing while my volume level increased.
Finally (nearly shouting) I got him to hang up when I explained that he was calling not only a brand new number but a corporate IT department.
On another forum, someone posted about receiving these calls. One of the other members operated a VOIP network server... he set the autodial to the scammers number & set it to call & play screaming monkeys at them. Over & over again, until that number was cancelled.
Over time more people added the numbers they were receiving calls from & he treated them to the same, then when he had multiple numbers, got creative & started calling 2 & connecting them to each other.
1: "IRS, can I help you?"
2: "No, I am from the IRS!"
1: "Stop using that fake Indian accent!"
2: "I'm not faking and accent!"
Fun when you have the tech available! :-D
I Changed my name about 10 years ago give or take, and i still get calls for my old name.
this being a good initial sign this is a spam call. 'hi is this Mr xxx' ........ um (ok so i know this is a sales call from a VERY ols list, how much spare time do i have? do i fancy playing Y/N).
but this has been great as if they say : 'we see you were involved in an accident within 2 years' well you can really push on that, i got them to admit once they have old lists they buy to make up call numbers.
or sometimes, 'oh im sorry, i died about 10 years ago now.' followed by im sorry to hear that, and they continue...
ive tried all the fun ones, 'sex change, call me mary' to im a mormon, and dont have electricity or a phone (great for survery calls) make up REALLY outlandish stuff. ive been 90, with a teenage bride, (or multiple).. its a challenge to make up the most outragious stuff you can and keep them going.
My misses made an indian cry once because she kept asking if he was happy with his sexuality... lol (almosty felt bad for him)
when there is time, and you int he mood it can be light releif.
My daughter's technique is to scream "No he's dead!". I think I need to train her to go quiet, the sob a bit then whisper the same.
I had a call from someone claiming to be from BT saying there was a problem with my line and they needed to fix it. I explained I wasn't with BT and left it at that.
Couple of days later, call from same voice saying there was a problem with my Virgin line and if I didn't help him my BT - sorry Virgin line would be cut off. I just said that no it would and rang off.
"A good thing too, because I have three passwords I use for everything – Low, Medium and High Security."
I'm glad I'm not the only one who uses this system. I also have ultra-low, which is my work password... which just has in incrementing number on the end whenever they ask me to choose a new one.
My original password, assigned for my school email (and soon everything else) was only 7 characters long.
Suddenly all websites decided they need a password with 8 characters. So I added a word to the end, pushing it up 12 chars.
Now websites started telling me my password still wasn't strong enough for some reason (even though it was a jumble of letters and one word) so I had to add even more to the end.
Suddenly, all websites NOW want symbols in the password, so I make up a new one with symbols in it, which follows the "It's a word in l33t speak" form.
NOW I'm finding some websites which are saying this isn't strong enough (probably because they can tell it's just l33t speak), so I'm forced to make another password, which at this point I honestly can't remember to the point I've had to write it down, on a post-it note, next to my monitor.
The issue I have is not with paswords, per se, but the sites that feel it's necessary to have passwords. Does this site really need to have one? Are any of you in fear of someone posting using your user id? And if they did, and we didn't have passwords, a simple, "I didn't post that," should be sufficient proof of non-authorship.
If some bloke is so hungry that he steals my loyalty points online from a sandwich shop to get a free sandwich, then bless them, and let them go in peace. And I don't really care if someone steals my grocery store couponless coupons. I don't know why they would - they are free to everyone.
My solution is by far the worse of what I have seen here. When I bookmark a site, I rename it 'site userid password'. Nothing to look up. When I click on the site I see the userid and password I have assigned. The only exception I make is for my seven-figure investment account, but my primary security on that account is not the very convoluted password I have for it. It's that no one knows it exists.
"And if they did, and we didn't have passwords, a simple, "I didn't post that," should be sufficient proof of non-authorship."
Except the impostor would just counter, "I didn't post the 'I didn't post that.' Someone's just impersonating me." Now you're into a "I said, you said" problem. Plus there's potential for identity theft, and they need not know your particulars if they can just track your message patterns and mannerisms, which can be as unique as fingerprints given enough data.
"It's that no one knows it exists."
Except that someone else MUST know: someone in the firm that manages your account. Without security safeguards, someone in the bank (not necessarily in charge of your accounts) could glean enough information to start tapping into it.
I created an @hotmail account eons ago.
Within 10 minutes I had 15 spam messages, back in the day, when Microsoft "will never tell your e-mail" blablabla... They didn't get much smarter ever since. Good spam filter testing, though.
Another good trick for p2p networks is to spew searches with 32 random characters. Those that show a valid file name with those EXACT 32 characters ending in .mp3, .mpg or whatever, you can cross off the list of valid servers. It's like asking your monkey to search for Shakespeare on google, and finding it!
I love it when the bank contacts me and then asks me to confirm my details.
"and how do I know you aren't a scammer trying to get my details, you called me, you know who I am!"
Then they ask you to call them back but won't tell you why!!!
"if this is about my credit card being overdrawn by $5, I'll fix it when I care, I'm not going to bother calling back."
Because I'm always going to contact my bank for the reason "I don't know".
Tossers.
I just say "I don't give out any information to unsolicited callers". Mostly they say "Oh, goodbye". Sometimes they say "But I only wanted..." and I just repeat "I don't give out any information to unsolicited callers".
After a few rounds of this I say "Sorry, but I've got a queue of people with me and it doesn't look at if we can do business. I'm going to have to go".
The Register 
Biting the hand that feeds IT
Copyright. All rights reserved © 1998–2024
