Hacker Newsnew | past | comments | ask | show | jobs | submitlogin

>I’ve personally never had that happen. It should go on a name and shame list

The key situation for giving out an SMS code that the gp is pointing out is the customer initiates the call to the support center.

For example, suppose somebody wants to add a credit-card to their smartphone digital wallet. They have to call the bank issuing their credit-card to do that. Once the customer support person answers the call, a common security verification (e.g. Chase Bank does this) is for them to send you a 6 digit code to your phone. You then repeat this code back to the support person on the call. They want proof of your identity and also proof that you physically have the smartphone with you. Repeating the SMS code to the customer support person is safe because the customer called the official 1-800 number on the back of their card.

That's a totally different sequence of steps from receiving a random call from somebody claiming they are from Chase Bank. Yes, in those cases, you never give out SMS codes to that untrusted person on the phone.



I agree with everything you said.

Note, however, that those are two "totally different sequences of steps" to you and I, and "completely analogous / equivalent sequences of steps" to my father in law :-/


Justifiable in a vacuum, but the end result is grandma knows "sometimes it's OK to give the code to the person on the phone"


They should have users receive the code and then submit said code into the application for verification, with clear instructions that this code is produced as a result of a support call, and to confirm you are on an existing call when submitting the code.

Doing so would not force users to divulge codes over the phone, and enable support staff to verify identity all without training users that reading codes over the phone is acceptable.

Thoughts on that?


Still not foolproof. Attacker can MITM the connection by initiating their own call to the real support line and relaying instructions between the user and support.


How else are you supposed to do identify verification over the phone?

I think if the war against phishing online has taught us anything, it's that humans can't be trusted to not reveal secrets to scammers. Only machine-to-machine public key authentication (like TLS or WebAuthn or U2F) is truly phish-proof.


The signin 2SV SMS verbiage used by Chase is: "Chase: DON'T share. Use code 12345678 to confirm you're signing in. We'll NEVER call to ask for this code. Call us if you didn't request it."

I assume in the case where the customer initiates the call and support is verifying their identity via SMS, they use different text (i.e. not "to confirm you're signing in"). Otherwise, that'd be pretty ridiculous.


found today’s optimist, congrats you win one warm fuzzy feeling.

the verbiage is the same.


I think I at one point ran into this with Chase and the verbiage was not the same. Are you speaking from experience?


I am; I seem to recall it was Chase (and I do have a Chase account) but it could have been another bank or financial institution.


"Extraordinary claims require extraordinary evidence."

My reply involved the effort of sending a test message from my Chase account, to capture the exact text used. If you want people to engage with you in good faith, you should put similar effort into your replies, rather than just use Reddit-speak for "I think you're wrong."




Consider applying for YC's Winter 2026 batch! Applications are open till Nov 10

Guidelines | FAQ | Lists | API | Security | Legal | Apply to YC | Contact

Search: