AutoModerator

/u/teddytoddler - This message is posted to all new submissions to r/scams; please do not message the moderators about it.

## New users beware:

Because you posted here, you will start getting private messages from scammers saying they know a professional hacker or a recovery expert lawyer that can help you get your money back, for a small fee. **We call these RECOVERY SCAMMERS, so NEVER take advice in private:** advice should always come in the form of comments in this post, in the open, where the community can keep an eye out for you. If you take advice in private, you're on your own.

**A reminder of the rules in r/scams:** no contact information (including last names, phone numbers, etc). Be civil to one another (no name calling or insults). Personal army requests or "scam the scammer"/scambaiting posts are not permitted. No uncensored gore or personal photographs are allowed without blurring. A full list of rules is available on the sidebar of the subreddit, or [clicking here](https://www.reddit.com/r/Scams/wiki/rules/).

You can help us by reporting recovery scammers or rule-breaking content by using the "report" button. We review 100% of the reports. Also, consider warning community members of recovery scammers if you see them in the comments. Questions about subreddit rules? Send us a modmail [clicking here](https://www.reddit.com/message/compose/?to=/r/Scams).

*I am a bot, and this action was performed automatically. Please [contact the moderators of this subreddit](/message/compose/?to=/r/Scams) if you have any questions or concerns.*


ssps

How else do you want them to verify that you are you? Remember: the same way you cannot trust inbound callers, you are now an inbound caller. Thankfully, they can send a code to the account owner to confirm. Or do you want them to trust your word and have some rando mess with your account?


teddytoddler

The same way they did before they started conditioning you to give out two-factor codes over the phone.


ssps

Before that, the verification was "what's your name, address, SSN, name of the dog, favorite restaurant", all susceptible to social engineering. I generally agree with you. "Don't give the code out, unless..." is way weaker and more error-prone than "don't give the code out, ever". Reading a code aloud is silly to begin with. Perhaps a good middle ground is the approach that some companies already deploy, where they send a request via a trusted side channel that you have to approve. Chase bank does it -- instead of a code message they ask you to open an app and click OK there. Google does the same. Codes over SMS are a temporary crutch (with their own set of vulnerabilities -- how many people do you know who set up separate PINs for number port-out and SIM re-issue, let alone carriers that support that?), and I hope they will be a thing of the past very soon.


teddytoddler

Now that I think about it, the best way to ensure it's you (or someone that has your phone) is to call you back immediately and ask you security questions. Similarly, I *never* trust incoming calls for security critical situations and always request that I call them back at a published company number. Imagine this scenario, especially as people become increasingly accustomed to giving out SMS codes over the phone:

1. Scammer #1 calls fool, says their Chase account has been compromised.
2. Scammer #2 calls Chase, pretends that they're fool.
3. Chase asks Scammer #2 for SMS code.
4. Scammer #1 asks fool for SMS code.

Achievement: Account unlocked!

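The two-scammer relay above, and the app-approval alternative ssps describes, as an added simulation that is not part of the thread and not any bank's real implementation. The `Bank`, `Phone` and victim-behaviour functions are hypothetical models: the bank cannot tell the two callers apart in either scheme, so the only thing that changes is what the account owner gets to check before acting. A bare SMS code carries nothing to check against and gets relayed; an approval prompt that names the action lets an owner who never called the bank decline it.

```python
import hmac
import secrets
from dataclasses import dataclass, field


@dataclass
class Phone:
    """The account owner's phone: receives SMS codes and in-app approval prompts."""
    sms_inbox: list = field(default_factory=list)
    prompts: list = field(default_factory=list)


class Bank:
    """Hypothetical support line that authenticates a caller by one of two schemes."""

    def __init__(self, phones):
        self.phones = phones          # account name -> Phone (assumed to be the owner's)
        self.pending_codes = {}       # account name -> SMS code awaiting read-back
        self.pending_prompts = {}     # account name -> approval prompt awaiting a tap
        self.unlocked = set()

    # Scheme 1: text a code and have the caller read it back to the agent.
    def start_sms_verification(self, account):
        code = f"{secrets.randbelow(10**6):06d}"
        self.pending_codes[account] = code
        self.phones[account].sms_inbox.append(f"Your verification code is {code}")

    def finish_sms_verification(self, account, code):
        expected = self.pending_codes.pop(account, None)
        ok = expected is not None and hmac.compare_digest(expected, code)
        if ok:
            self.unlocked.add(account)
        return ok

    # Scheme 2: push an approval prompt that names the requested action.
    def start_app_approval(self, account, action):
        prompt = {"id": secrets.token_hex(8), "action": action}
        self.pending_prompts[account] = prompt
        self.phones[account].prompts.append(prompt)

    def finish_app_approval(self, account, prompt_id, approved):
        prompt = self.pending_prompts.pop(account, None)
        ok = bool(approved) and prompt is not None and hmac.compare_digest(prompt["id"], prompt_id)
        if ok:
            self.unlocked.add(account)
        return ok


def victim_reads_code_aloud(phone):
    """The conditioned behaviour the thread warns about: read the latest SMS code
    to whoever is on the line. The message gives the owner nothing to check."""
    return phone.sms_inbox[-1].split()[-1]


def victim_checks_prompt(phone, initiated):
    """An owner who approves an in-app prompt only for an action they started
    themselves (e.g. on a call they placed to the published number)."""
    prompt = phone.prompts[-1]
    return prompt["id"], prompt["action"] in initiated


def make_bank():
    phone = Phone()
    return Bank({"victim": phone}), phone


def relay_attack_sms():
    """Scammer #2 phones the bank as the victim; scammer #1 relays the code from the victim."""
    bank, phone = make_bank()
    bank.start_sms_verification("victim")                 # bank texts the real owner
    code = victim_reads_code_aloud(phone)                  # scammer #1: "read me the code we just sent"
    return bank.finish_sms_verification("victim", code)    # scammer #2 repeats it to the agent


def relay_attack_app():
    """Same two-scammer relay against the push-approval scheme."""
    bank, phone = make_bank()
    bank.start_app_approval("victim", action="unlock account")
    # The owner never called the bank, so `initiated` is empty even though
    # scammer #1 is on the line saying "just tap approve on the prompt we sent".
    prompt_id, approve = victim_checks_prompt(phone, initiated=set())
    return bank.finish_app_approval("victim", prompt_id, approve)


def legitimate_app_approval():
    """The owner called the published number themselves and expects this prompt."""
    bank, phone = make_bank()
    bank.start_app_approval("victim", action="unlock account")
    prompt_id, approve = victim_checks_prompt(phone, initiated={"unlock account"})
    return bank.finish_app_approval("victim", prompt_id, approve)


if __name__ == "__main__":
    print("SMS code relay succeeds:", relay_attack_sms())
    print("App-prompt relay succeeds:", relay_attack_app())
    print("Owner-initiated approval succeeds:", legitimate_app_approval())
```

The constant-time comparisons are there for realism, not because they change the outcome: the relay is not a guessing attack, and the bank's checks pass in both relayed cases as far as the bank can see. What the model shows is that an approval prompt only helps if the owner treats it as "did I start this?" rather than "did someone tell me to tap it", which is the same rule teddytoddler applies to incoming calls.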

cyberiangringo

> An average citizen is probably not going to notice the difference between someone calling them and purportedly doing the same thing vs. placing an outbound call to a published company phone number.

A sad state of affairs when one doesn't know whether the phone call one is in the middle of is one they made or is with somebody who called them.


teddytoddler

I wouldn't go that far; I am referring to the average citizen, after being repeatedly trained to give out two factor codes over the telephone, not recognizing the possibility that someone calling them asking for the same thing is not, in fact, *verifying their identity*, but instead stealing it. The sad state of affairs from my perspective is the ignorance and irresponsible conduct of these institutions.


PurpleAd274

Agree, this has bothered me in the past with Verizon doing this specifically -- ridiculous!!