63

As the title says, I was asked for my online banking password while in the process of getting in touch with a real person. This is something I'd never do, and knowing that the call was being recorded (for further improvement of the bot I was talking to) makes it even worse.

For sure, after that, I hung up and I'm pretty sure it is a violation of privacy as you are asked for private details and also it is not encrypted whatsoever.

  • Has anyone been asked for this before?
  • Is this a normal practice?
  • After saying my ID number, the bot referred to me as "Mr. my_last_name", so I guess it is a legit phone number, but could they have been hacked and the support number hijacked?
  • Should I take any actions?
sysfiend
  • Did you initiate the call or did they? Is the phone number legit? Typically you have different credentials for online and phone banking, so this does definitely seem like a phishing attempt. – Tom K. Aug 09 '17 at 09:33
  • I made the call to a phone number listed on their website. – sysfiend Aug 09 '17 at 10:25
  • Did you check if you called the right number and if it was the correct website? I'm not aware if this happens with support numbers, but phishers are known to use URLs that contain spelling mistakes to grab login credentials. If it's their (the bank's) legit phone number, this just seems like (very) bad policy on the side of the bank and not like a phishing attempt. A phone number can be compromised and used by an attacker, but this is not something for your everyday script kiddie. – Tom K. Aug 09 '17 at 10:29
  • @Tom yes, I checked everything and it was fine. The phone number was a legit one and so was the site I was visiting. I'd say it's a horrible policy. – sysfiend Aug 09 '17 at 13:05
  • This is normal. Many banks do this. When you call their support line, they need to authenticate you somehow. Asking for your creds is one way. Whether it's a good way is another question entirely, but it's certainly a popular way. – Xander Aug 09 '17 at 13:46
  • I wouldn't say that this is a popular way. As I mentioned earlier, **IF** you are asked for credentials over the phone, it should only be for specific phone banking-related credentials. I have never experienced anything like this and I've been doing online banking for 15 years with several banks. Maybe this differs from country to country, but it would be news to me. – Tom K. Aug 09 '17 at 13:50
  • I can use banking over the phone. To authenticate myself, I have a phone banking password - different from the online password - which I need to tell them. Any chance that's what happened? – Christian Aug 09 '17 at 13:51
  • @tom whilst some banks do indeed have separate phone banking authentication mechanisms, I don't see any particular reason (from a security standpoint) for that separation. Generally in my experience phone banking creds are constrained by the input mechanism, which tends to make them somewhat weaker than web app. banking ones, but that's not an absolute requirement. – Rory McCune Aug 09 '17 at 14:03
  • @RoryMcCune: My personal theory was that for online banking you typically need a 2nd factor (e.g. a token sent to your phone), which would be pretty impractical while doing banking over the phone itself, while phone banking only needs one (your login credentials). That's why - in my experience - password policies for phone banking are much stricter than for online banking. But this is pure speculation on my side. – Tom K. Aug 09 '17 at 14:10
  • Did it simply ask for your ID or also for your password? The former is relatively harmless, the latter is terrible policy. – Mast Aug 10 '17 at 06:02
  • "After saying my ID number, the bot referred to me as 'Mr. my_last_name'" Am I the only one already seeing a problem here? I mean that means I could get knowledge of account owners just by putting in random account numbers. I think there is quite a lot wrong with that company's policies. – Zaibis Aug 10 '17 at 07:21
  • Did you perhaps get a call from your bank just before you made your phone call? There is a known "line open" scam where someone pretending to be your bank calls on your landline, and encourages you to call back via the official phone number from the bank website. They don't hang up their end of the call, keeping the line open - so when you "call your bank" they continue the pretence, because in fact you never left their call. See [this blog](https://www.herts.police.uk/advice/crime_prevention/protect_your_money/scams_targeting_older_people/scam_police_and_bank_callers.aspx) – RichVel Aug 11 '17 at 06:20
  • In all the banks I ever used, such a password is always *different* from any online banking password (even technically, phone passwords are obviously limited to digits only). So yes, this setup is very common but has nothing to do with your online credentials. – Gábor Aug 11 '17 at 10:51
  • Just say a random word to fail the bot and get put through to a person who will authenticate you in the more familiar manner. – MattP Aug 12 '17 at 19:59

8 Answers

61

Assuming that you called them on a published number, I'd say that this sounds like it was an Interactive Voice Response (IVR) system, which is pretty common in the banking world.

The concept is that the system takes your authentication information before passing you on to a contact centre agent. The benefit of this from a security perspective is that then the agent in the call centre doesn't have to ask you to authenticate yourself, before discussing your account.

If correctly implemented this should be no more insecure than typing your password into a website. There is an automated system processing the voice data and it should store/log this appropriately.

Of course as you point out there is the risk of phone tapping, but then if you assume that your phone line is tapped, any form of phone banking is insecure as they've got to authenticate you somehow to be able to discuss your account with you.

EDIT: To add some more details, rather than leave them scattered around comments that could get cleared.

Basically banks have to authenticate you somehow, no matter which channel (e.g. web, phone, branch) you use to contact them, and there are trade-offs to be considered.

On the one hand, having dedicated credentials per channel is useful in that it reduces the risk of compromise and avoids muddying the message of "don't tell people your web password", but it leaves users with more credentials to manage and, in all likelihood, a lot of password resets if users only use a specific channel rarely (with all the vulnerabilities that frequent resets attract).

So the option that, from the information provided, appears to be used here is to combine the credentials for the web and phone channels, and to use an automated IVR system on the phone channel to avoid credentials being given to contact centre agents. The upside here is a single set of creds, so users won't forget them, and the downside is the scenario we see, where bank messaging of "don't give people your password" leads to problems in using this system.

In terms of the IVR system security, this is essentially like any other system that processes data. It needs to be secured appropriately so that user credentials are not exposed, no different than the web channel.

Obviously a system like hardware (not SMS) 2FA could work well in this scenario, as numeric codes are easily passed to IVR systems, but that has its own tradeoffs in terms of cost and user experience.

Rory McCune
  • Comments are not for extended discussion; this conversation has been [moved to chat](http://chat.stackexchange.com/rooms/63620/discussion-on-answer-by-rry-mccune-my-bank-support-just-asked-me-for-my-online). – Jeff Ferland Aug 10 '17 at 16:55
  • How do you pronounce your password to the automated system? Those things can't even understand words to begin with, and now passwords? LOL. – developerwjk Aug 10 '17 at 22:17
  • This doesn't address the fact that the call was being recorded. – Brian McCutchon Aug 11 '17 at 02:34
  • You imply that the phone and web channels are fundamentally the same, but it's still very important to stress that with a standard voice call there isn't really an accessible method to secure it end to end. On the web we have SSL that can establish end-to-end encryption automatically, where the user sees icons and can view the certificate details. With phone banking, just about everything is out in the open, and could be intercepted by someone in the middle. – Peter Aug 11 '17 at 04:02
  • @BrianMcCutchon typically banks don't record the IVR portion of calls, for exactly the reason of avoiding logging credentials inappropriately. – Rory McCune Aug 11 '17 at 07:36
  • @Peter and on traditional landlines we don't have malware, missing patches and a variety of other risks. I didn't really say they were the same, but that they were similar in respect of the fact that they are both channels which require authentication. In the case of a general banking customer (not using a smartphone) I'd actually suggest that the risks of phone banking credentials being intercepted are lower than the risks of web channel creds being intercepted, due to the prevalence of malware targeting the PCs accessing online banking sites. – Rory McCune Aug 11 '17 at 07:38
  • "Dear Mr. *Mouse*, please input the code that we have just sent via SMS to your registered cell phone number to speak with a representative". Easy and secure. A lot of banks implement stronger 2FA where a weaker factor is used to inquire, the stronger to order transactions. – usr-local-ΕΨΗΕΛΩΝ Aug 11 '17 at 15:11
  • @usr-local-ΕΨΗΕΛΩΝ SMS authentication isn't really secure since GSM is vulnerable to impersonation attacks. – StockB Aug 11 '17 at 15:20
  • @StockB I forgot "pretty" before secure. My mistake. Impersonation is not an issue in our enabling scenario. Eavesdropping is. But you must control both the GSM net and the bank's public call center. Still "pretty?" Note I never meant "strongly" secure. – usr-local-ΕΨΗΕΛΩΝ Aug 11 '17 at 16:15
  • @StockB replace SMS by "the code in your Authy app". Then again, impersonation is not a problem in this use case, because if you receive a spoofed SMS, the worst case is that you say the code in that spoofed message out loud. The real issue is if someone is able to intercept the SMS and use this one-time token before you do, which depending on the time required to set up this call ranges from not likely to pretty much impossible. In any case, it is likely 100 times safer than having someone say their password out loud, where people could possibly overhear it. – Sumurai8 Aug 11 '17 at 17:37
  • Good points. SMS may be more secure than the status quo, but if implementing a new, modern two-factor authentication system, I would aim for a more secure implementation, e.g. RSA or Authy. – StockB Aug 11 '17 at 17:51
  • @BrianMcCutchon, what does "recorded" mean, though? Does it necessarily mean that the call is stored for a length of time? Because some would argue that any kind of mic capture is recording, which could include bots. Not to mention that it's unclear if the bot portions would have been recorded (incidentally, it makes you wonder if "this call is being recorded" gets recorded). – Kat Aug 22 '17 at 22:25
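Rory's answer and the comments under it keep coming back to the same design: let an automated system take a numeric one-time code, so a contact centre agent never hears a credential and an overheard code is useless a minute later. The following is an added example, not code from the answer or from any bank's IVR; it implements the standard HOTP/TOTP construction (RFC 4226 / RFC 6238, HMAC-SHA1, six digits) and a verifier shaped the way an IVR would need it: it strips the pauses and dashes a caller introduces when reading digits, tolerates one 30-second step of clock drift, and refuses to accept the same code twice. `DEMO_SECRET` is the RFC test key, `used_counters` and the function names are my own.

```python
import hashlib
import hmac
import struct
import time
from typing import Optional, Set

# Constructed demo seed: the RFC 4226 / RFC 6238 test vector key, NOT a real token seed.
DEMO_SECRET = b"12345678901234567890"
STEP_SECONDS = 30
DIGITS = 6


def hotp(secret: bytes, counter: int, digits: int = DIGITS) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the big-endian 8-byte counter, dynamically truncated."""
    msg = struct.pack(">Q", counter)
    mac = hmac.new(secret, msg, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(secret: bytes, at_time: float, step: int = STEP_SECONDS, digits: int = DIGITS) -> str:
    """RFC 6238 TOTP: HOTP with the counter taken from Unix time divided by the step."""
    return hotp(secret, int(at_time // step), digits)


def normalise_spoken_code(spoken: str, digits: int = DIGITS) -> Optional[str]:
    """Accept '28 70 82' or '287-082' as read out to the IVR; reject anything non-numeric."""
    noise = [ch for ch in spoken if not (ch.isdigit() or ch in " -")]
    cleaned = "".join(ch for ch in spoken if ch.isdigit())
    if noise or len(cleaned) != digits:
        return None
    return cleaned


def verify_ivr_code(secret: bytes, spoken: str, at_time: float,
                    used_counters: Set[int], window: int = 1,
                    step: int = STEP_SECONDS) -> bool:
    """Verify a code a caller keyed or spoke into the IVR.

    window=1 accepts the previous and next 30-second step as clock drift.
    used_counters holds counters already accepted for this user, so a code
    captured off the line cannot be replayed inside the drift window.
    """
    candidate = normalise_spoken_code(spoken)
    if candidate is None:
        return False
    current = int(at_time // step)
    for counter in range(current - window, current + window + 1):
        if counter in used_counters:
            continue
        # Constant-time comparison; do not leak which digit mismatched.
        if hmac.compare_digest(hotp(secret, counter), candidate):
            used_counters.add(counter)
            return True
    return False


if __name__ == "__main__":
    now = time.time()
    code = totp(DEMO_SECRET, now)
    accepted: Set[int] = set()
    print("current code:", code)
    print("first use accepted:", verify_ivr_code(DEMO_SECRET, code, now, accepted))
    print("replay accepted:", verify_ivr_code(DEMO_SECRET, code, now, accepted))
```

The IVR only ever needs the digit string, which is why a hardware or app-based token fits this channel better than a spoken password: the secret never leaves the token, and what does travel over the line expires.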
9

Obligatory warning message:

Don't ever give your password to anyone, and don't let this answer influence this kind of behaviour in any way.

Because one can't possibly know all the circumstances in this particular case, a bit of speculation is necessary when giving an answer to this question.

If I understood everything correctly, the case is as follows:

The OP visited the bank's website, looked up the support number and then he/she initiated a call. After giving only his/her banking ID(?) the bot at the end of the line greeted the OP with his/her last name and then asked for the online banking password.

Yes, this could have been a phishing attempt by an attacker. The site you visited could've been altered and another support number could've been set up. After doing all this, the attacker then had to wait until the OP visited the site voluntarily (1) and then called the number. The attacker would've also had to set up a telephone bot which is also able to connect the banking ID to the last name of the OP (2).

This - to me at least - looks like a really big effort just to get the password to an online banking account, which isn't even that valuable when using a typical online banking system. You typically need a second factor to do any kind of transaction of money. It's still a compromise of the bank account, but nothing that can't be fixed.

I highly doubt that this is a phishing attempt. It just doesn't seem like a good policy to me, especially if it's not clear to users that their online password is also used for authentication over the phone.

(1) In theory an attacker could fake some kind of emergency which would then lead a user to call the support number.

(2) Unless the OP made a mistake and mentioned his/her last name earlier during the call.

Tom K.
  • Care to explain the downvote? – Tom K. Aug 09 '17 at 13:46
  • Un-downvoted, because on re-reading, I generally agree with your conclusion. The advice to "never share your password" is almost always true, but isn't 100%, and given the details of the situation laid out by the OP, the phishing scenario is a non-starter. – Xander Aug 09 '17 at 14:08
  • So your advice is basically to never use anything that requires a password, including the bank's web site? – 9ilsdx 9rvj 0lo Aug 09 '17 at 14:29
  • I don't know where you read that. – Tom K. Aug 09 '17 at 14:34
  • @Tom So how *do* you perform phone banking if you don't give them your password? – Martin Bonner supports Monica Aug 10 '17 at 12:59
  • I really don't understand why I have to clarify this, but because it came up a second time now, I will. I guess you are referring to either of two statements in my answer: 1.) "Don't give your password to **anyone**..." Please note that this is referring to a **person** and not to an automated system. In general I do agree with Rory's statement: "If correctly implemented this should be no more insecure than typing your password into a website." But for me this statement is only true if it is disclosed to users that their password for online banking is used for phone banking as well. – Tom K. Aug 10 '17 at 13:12
  • So if you are referring to this statement: 2.) "It just doesn't seem like a good policy to me..". I do believe that for separate systems you should have either different passwords or - if this isn't possible for whatever reason - it should at least be obvious to users that they are using the same password for two different services. I could go into more detail regarding my mindset concerning this particular issue, but I feel this is way beyond the scope of this question. – Tom K. Aug 10 '17 at 13:12
8

Yes, you should take action and report it to your bank; in all likelihood this was a phishing attempt.

This shouldn’t happen and isn’t normal practice.

Your bank will never ask you for your pin number or password.

EDIT: After reading your comments and the clarification (posted after my answer) that the contact was entirely initiated by you, it is possible/probable that this isn't a phishing attempt and is either a very bad policy (as voice ID/biometrics should not require a secret password to work) or a request for information supplied to prove identity in this kind of scenario.

Either way I would contact your bank (via some method other than this phone number) and explain your concerns and get clarification from them that this request was legitimate.

TheJulyPlot
  • Phishing is usually initiated by the perpetrator, not when you call the site's customer service. – Barmar Aug 09 '17 at 13:25
  • This is not phishing, and it is a normal practice to authenticate a caller. – Xander Aug 09 '17 at 13:42
  • OP called the bank on their published contact number, what makes you think that was phishing? – Rory McCune Aug 09 '17 at 13:59
  • As the OP called the bank on their published contact number, it seems very unlikely to be phishing (unless of course we assume that his PC has been infected with malware, but that's a bit of a roundabout way to phish someone...) – Rory McCune Aug 09 '17 at 14:01
  • This wasn't entirely clear (at least I missed it) before being clarified in the comments, after I answered. Upon further review it is possible that this isn't a phishing attempt and it is either a very bad policy or a request for information supplied to prove identity in this kind of scenario. – TheJulyPlot Aug 09 '17 at 14:06
  • @TheJulyPlot out of curiosity how would you recommend a bank to authenticate a customer who calls their call centre? – Rory McCune Aug 09 '17 at 14:16
  • Would you report it to the bank if their web site required a password for authentication? It's basically the same. – 9ilsdx 9rvj 0lo Aug 09 '17 at 14:27
  • @Rory McCune I've never really had to think about or analyse it to any great extent, but I suppose off the top of my head I would say via some information provided for this scenario. A type and set of shared secrets. I'm not 100% on the solution to be honest, but I would still not say via the passing of a legitimate secret that only the user should know, even if this is to a bot. (Voice ID systems do not require this to function either, to my knowledge.) This feels like bad practice and also trains users to accept that they may need to give up their passwords legitimately. What would you recommend? – TheJulyPlot Aug 09 '17 at 14:30
  • @TheJulyPlot Well I used to work in banking as an IT security analyst, so this is one I've faced, although this was back in the day before voice biometrics and 2FA were easy options. You have a choice: either use the same creds. as for the web channel (which is the situation here), or use a separate set of creds (e.g. a specific "phone" banking password). Using two sets of creds is not ideal as users will likely forget the set they use less often. Ideally I'd recommend that both channels use hardware 2FA so that you enter a one-time numeric token in addition to a password. – Rory McCune Aug 09 '17 at 14:38
  • @9ilsdx 9rvj 0lo I wouldn't say it is the same. Even if implemented correctly it has more complexity, and therefore has more risk than simply providing your password. – TheJulyPlot Aug 09 '17 at 14:41
  • @Rory McCune Yes I was about to say a second factor along with some other information. This feels less risky, but as I say I've never had to look at it in any depth. – TheJulyPlot Aug 09 '17 at 14:44
7

I would not trust this bank. Even if this phone call was totally legit to their systems, it just proves that they don't understand the security implications in at least two ways:

  1. If your web password is simple enough to be pronounceable to a bot that it could understand it well enough to validate that it is indeed your password, it is not a secure enough password for something as sensitive as bank information. By forcing users to pronounce (or somehow enter it through the keypad, which honestly sounds like absolute hell) their password they are encouraging insecure passwords.

  2. From Rory's answer:

     > If correctly implemented this should be no more insecure than typing your password into a website.

     and

     > In terms of the IVR system security, this is essentially like any other system that processes data. It needs to be secured appropriately so that user credentials are not exposed, no different than the web channel.

Talking on a phone is VERY different from communicating on a web channel. Unless you are using an encrypted phone line from you to the bank, anything transmitted over the line can be eavesdropped. Whereas a properly implemented web login cannot be eavesdropped as it uses end-to-end encryption. In fact in the best implementations, your password is never transmitted in a recoverable form, so even if the bank's web server had been infected, it would not be able to discover your password (it could only verify that you are in possession of the correct password). Here is a discussion on why this hashing technique (in addition to the already encrypted communication channel) would or would not be used: Why is client-side hashing of a password so uncommon?

> [T]hey've got to authenticate you somehow to be able to discuss your account with you.

This is true, but using web credentials is not the way to do it. And for the reasons I mentioned above, phone communication has inherent insecurities and I do not do sensitive business over the phone if I can help it.

As with anything, take my advice with a grain of salt. The likelihood of your phone line being tapped by a person or organization who would be interested in using your online password against you is very slim. I leave it to the reader to weigh this risk against the risks of the bank improperly securing other communication channels and to choose what level of risk they are willing to take.

You will never be 100% secure. You can only mitigate risks to an acceptable level.

Kallmanation
  • *"In fact in the best implementations, your password is never transmitted in a recoverable form, so even if the bank's web server had been infected, it would not be able to discover your password (it could only verify that you are in possession of the correct password)."* This doesn't sound right. Citation/explanation needed. (I'm not a crypto expert, so it's *possible* you're right, but from the crypto I *have* studied I don't see how you can be.) – Wildcard Aug 09 '17 at 20:45
  • Original source: I have personally written several web apps that use this technique. But I will search for an external reference to cite for that section. Thanks for the feedback! – Kallmanation Aug 09 '17 at 20:48
  • That sounds fundamentally impossible. And it sounds like you're rolling your own crypto. Look forward to your citations. – Wildcard Aug 09 '17 at 20:50
  • Definitely not impossible. Just a _very_ clever use of simple mathematics. And as in the question I referenced, we can disagree about its necessity and its cost/benefit tradeoff. – Kallmanation Aug 09 '17 at 20:55
  • "Put another way, while it does provide some minor protections, from the point of view of the server, the client side hash should be treated as if it was the user's direct password. It provides no more or no less security *on the server* than if the user had directly given their password and should be protected as such." Yes, we can disagree also about just how clever it is. :) – Wildcard Aug 09 '17 at 22:11
  • I don't think I'd agree that for ordinary users the risk of communication over a standard phone line presents a significantly higher risk than using a web channel. In fact, given the large number of risks specific to the web channel (e.g. PC malware, exploits against Internet-accessible web servers), I'd suggest that the risks *for a standard banking customer* are likely to be lower in using a correctly set up phone channel than in using the web channel. – Rory McCune Aug 10 '17 at 07:59
  • Rory, the practical side of my brain would have to agree with you. Hence the last two sentences in my second to last paragraph. I just felt it was important to mention the differences in risk between a phone line and an internet communication. – Kallmanation Aug 10 '17 at 12:05
  • @Wildcard See [challenge-response authentication techniques](https://en.wikipedia.org/wiki/Challenge–response_authentication#Cryptographic_techniques). Basically, the server stores only your password hash, but rather than directly asking you to send over a hash of your attempted password for authentication, it uses a "challenge and response" method where the password hash is used as an encryption key for some sort of nonce. – Blackhawk Aug 10 '17 at 15:39
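The exchange between Kallmanation, Wildcard and Blackhawk is about a concrete protocol, so here it is in runnable form. This is an added example, not Kallmanation's code and not from the Wikipedia article: the server stores a PBKDF2-SHA256 verifier derived from the password, sends a fresh nonce, and the client answers with HMAC-SHA256(verifier, nonce), so the password itself never crosses the wire and a captured response is useless against the next challenge. The test at the end also demonstrates Wildcard's objection: whoever steals the stored verifier can answer any challenge, so on the server the verifier must be protected exactly like a password. The class and function names, the iteration count and the 16-byte salt/nonce sizes are my choices.

```python
import hashlib
import hmac
import os
from typing import Dict, Tuple

ITERATIONS = 100_000  # PBKDF2 work factor; raise it in production


def derive_verifier(password: str, salt: bytes) -> bytes:
    """Password-derived key. The server stores this and never sees the password."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS, dklen=32)


def response_for(verifier: bytes, nonce: bytes) -> bytes:
    """Client side of the exchange: prove knowledge of the verifier without sending it."""
    return hmac.new(verifier, nonce, hashlib.sha256).digest()


class ChallengeResponseServer:
    """Minimal server: enrol, issue single-use challenges, verify responses."""

    def __init__(self) -> None:
        self._users: Dict[str, Tuple[bytes, bytes]] = {}  # username -> (salt, verifier)
        self._pending: Dict[str, bytes] = {}               # username -> outstanding nonce

    def enroll(self, username: str, password: str) -> None:
        salt = os.urandom(16)
        self._users[username] = (salt, derive_verifier(password, salt))

    def challenge(self, username: str) -> Tuple[bytes, bytes]:
        """Hand the client its salt (so it can re-derive the verifier) and a fresh nonce."""
        salt, _ = self._users[username]
        nonce = os.urandom(16)
        self._pending[username] = nonce  # overwrites any unanswered challenge
        return salt, nonce

    def verify(self, username: str, response: bytes) -> bool:
        nonce = self._pending.pop(username, None)  # single use: consumed even on failure
        if nonce is None:
            return False
        _, verifier = self._users[username]
        return hmac.compare_digest(response_for(verifier, nonce), response)

    def stolen_verifier(self, username: str) -> bytes:
        """Simulates a database breach: what an attacker would obtain from the server."""
        return self._users[username][1]


def client_login(server: ChallengeResponseServer, username: str, password: str) -> bool:
    """Full round trip as the client sees it."""
    salt, nonce = server.challenge(username)
    return server.verify(username, response_for(derive_verifier(password, salt), nonce))


if __name__ == "__main__":
    srv = ChallengeResponseServer()
    srv.enroll("alice", "correct horse battery staple")  # constructed demo credential
    print("right password:", client_login(srv, "alice", "correct horse battery staple"))
    print("wrong password:", client_login(srv, "alice", "Tr0ub4dor&3"))
```

What the exchange buys is protection of the password in transit and against a server that merely logs traffic; it does nothing for a server whose credential store is read, which is the point both commenters end up agreeing on.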
2

There are usually different credentials for phone banking and online banking. This avoids most temptations and conflicts of interest since telephone banking can only be initiated through a logged phone operator, and at least my bank quite clearly points out that its online credentials will never get asked or accepted via phone, exactly because of phishing.

If it were completely trivial to distinguish phishing from bona fide stupidity, phishing would be less of a thing. Either way, trusting the other side with your online credentials seems like a bad idea.

1

Disclaimer: never share your login credentials, passwords or PIN numbers in person, over the phone or online. Only use bank passwords on the verified website of the bank, checking your browser's security information (next to the https).

I wouldn't call it a "violation of privacy" since theoretically your password (or its hash) is information already shared between you and the bank. Since you were the one calling customer service, it seems you have unearthed either a bug or a security leak in their system.

  • I have been asked for parts of my PUK or factory ID from the piece of plastic my SIM card was removed from by a human customer service employee when calling about my mobile phone account. And for a few digits from my account number by a bank employee, when calling the bank, never my password.
  • No this is not normal practice, most banks warn you to never even write down your password, not to tell it to anyone and only use it from your computer when logging into the internet banking service over HTTPS.
  • It is possible they have been hacked (namely the bot software used at their service center) or alternatively it could be an unplanned security risk/bug in their software. Either way, saying your password over the phone is a security risk in itself, as it is possible you could be overheard, the phone call is being redirected (for instance if your phone was hacked) or someone could be intercepting and listening in on the conversation.
  • Contact your bank through another avenue and report the security risk. You can either try to report the bug through the contact/error reporting form on their website or go to your local branch office in person. Another thing to do would be to check the bank website for help pages associated with their phone service. These will usually describe the process required to use their customer service line; if this step (telling the bot your password) is not included, someone has most likely compromised their bot software or it is a phishing attack by someone at their service center, and if this step is included it is most likely an overlooked security risk. Either way you should report this; most financial services will take such a complaint very seriously.
  • Depending on the result of this complaint you may have to also contact your phone company, because this could be the result of malicious software or a security risk with your provider. To provisionally rule this out, try contacting the banking service with another phone on a different network.
8DX
0

They weren't asking for your online banking password, but your password/passphrase for their phone system. A bank (let alone any company/system) using the same credentials for your online banking and phone banking just does not exist.

Typical "secure" web password: `+o_TH3-m*0N2017!`, which is then stored in the DB as a hash (e.g. `8dd6ae487b790146f6570cb5b01f7f70224f6706`). To authenticate that you entered the right password, the system rehashes your input and if it's a match you're authenticated.

For phone systems, passphrases would be stored as plain text, or the automated system would require you to use only numbers/letters and state them letter by letter.

Unless you want to fill us in on the bank you're using, you might get more clarity by calling your bank back and asking to speak to a representative?

Finally -- since you called them, a phishing attempt isn't likely.

skrewler
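Kallmanation's first point (a password that can be keyed or spoken into a bot is a weak password) and skrewler's remark that phone systems restrict passphrases to digits or letters read out one by one describe the same loss, and it can be measured. The following is an added example, not from either answer: it maps a password onto the digits a caller would key in on a standard phone keypad and compares the entropy of the original character set with what survives the mapping. The fallback of putting punctuation on key 1 is an assumed convention for the demo, not any bank's; the function names are mine.

```python
import math

# Standard letter layout on a phone keypad (ITU E.161).
KEYPAD = {"2": "abc", "3": "def", "4": "ghi", "5": "jkl",
          "6": "mno", "7": "pqrs", "8": "tuv", "9": "wxyz"}
LETTER_TO_DIGIT = {ch: digit for digit, letters in KEYPAD.items() for ch in letters}

# Assumed convention for this demo: punctuation has no key, so fold it onto 1.
# Case is lost entirely, since a keypad has no shift.
FALLBACK_DIGIT = "1"


def to_keypad(password: str) -> str:
    """The digit string a caller would actually key in for this password."""
    digits = []
    for ch in password:
        low = ch.lower()
        if low.isdigit():
            digits.append(low)
        else:
            digits.append(LETTER_TO_DIGIT.get(low, FALLBACK_DIGIT))
    return "".join(digits)


def charset_size(password: str) -> int:
    """Size of the printable-ASCII alphabet the password draws from."""
    size = 0
    if any(c.islower() for c in password):
        size += 26
    if any(c.isupper() for c in password):
        size += 26
    if any(c.isdigit() for c in password):
        size += 10
    if any(not c.isalnum() for c in password):
        size += 33  # printable ASCII punctuation
    return size


def entropy_bits(password: str) -> float:
    """Upper bound: every character chosen uniformly from its alphabet."""
    if not password:
        return 0.0
    return len(password) * math.log2(charset_size(password))


def keypad_entropy_bits(password: str) -> float:
    """What is left once keyed in: at most log2(10) bits per key press."""
    return len(to_keypad(password)) * math.log2(10)


def weakening_report(password: str) -> dict:
    """Side-by-side view of a password before and after it goes through the keypad."""
    return {
        "keyed_as": to_keypad(password),
        "web_bits": round(entropy_bits(password), 1),
        "keypad_bits": round(keypad_entropy_bits(password), 1),
    }


if __name__ == "__main__":
    for pw in ("secret", "rebrev", "+o_TH3-m*0N2017!"):
        print(pw, weakening_report(pw))
```

Two different words such as "secret" and "rebrev" key in as the same digit string, and skrewler's 16-character web password drops from roughly 105 bits to 53 the moment it has to fit on a keypad; a spoken password is no better, since the bot can only distinguish the characters it can reliably hear.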
-1

At first sight it looks like a scam, but you have things to do now:

  1. When people receive calls like this, it is usually recommended to call the bank's central inquiry phone number and ask for a real person to receive confirmation of whether the case is real.

    Since it is very probably a phishing trick, you should report it to them. It helps them to block or find the criminals.

    • You need to provide information about the phone number or e-mail, where it was coming from
    • Provide information about the time of the call and any other suspicious activities with dates.
    • Provide information about the information they asked for, and whether you provided anything to them.
  2. Change any data possible, best by calling the central inquiry line, where you give them a FRESH new email and phone number where you can communicate securely. Best not to read SMS from unknown numbers.

    • Change the user name, password, pin. Limit the amount of credit withdrawable. But honestly, if you were giving them an ID, I would just simply ask for a new account based on security reasons. It depends on your bank, how flexible they are.
    • After your new email is registered, you need to change the password and security questions in your account too. If the account seems to be secure, you can transfer that money to another one, or best to personally get it paid in cash to you in the bank or transferred to the new account by them. Tell them that you were giving out information.
    • Do not trust any sites popping up in your (compromised) email/account. Even SSL (secure site) can be fake.
  3. Optionally you can contact the police, but it is a waste of time without any specific information.

Some of these might seem overkill and improbable, but I have seen many clever, tricky criminals. They come from Russia or India on a daily basis, where law enforcement will not care about your EU/US authorities.

edit @ questioner comment

You did not seem to specify how it happened. I do not know if it was edited, but as I understood it, it seemed like they contacted you. If you called the number from the official site (no clicking on email links), then you did what I said. But:

  1. NONE of the companies I have known so far (banks or IT) ask for passwords on the phone. As you said, it's recorded, unencrypted, and usable without the agreement of the owner. They do not even ask for full ID numbers!
  2. On the contrary, I know companies who have to inform you that the call is recorded, and the employee is FORBIDDEN to ask for any password, and they forbid the owner to tell any of those. Not even automated systems ask for entering full passwords by buttons or saying them into the phone. If this was a real company, I would leave this bank immediately.
  3. This exactly looks like a scam. A "real person" is a key point in social engineering. The scammer gains trust by being authentic. These kinds of tricks are pulled off on a daily basis. What I described is an official routine of professional companies. I agree, it is a horrible policy if this was a real bank.
TriloByte
  • none of this should be needed as I made the phone call to a number they provide their customers. – sysfiend Aug 09 '17 at 13:06
  • @sysfiend There are a number of ways a number on their site could not have been legitimate. Anyone with either access to your PC or your network could redirect the domain to a fake site and edit it to whatever. There could have even been a hack anywhere between you and your ISP somewhere and someone redirected you to a fake website. Unless web SSL certificates were legitimate and so on, that could've been a fake website. Either way your bank should not ask you for any passwords since they ultimately don't need them to do anything. Same goes for any online support whatsoever. – SEJBR Aug 09 '17 at 13:19
  • If they derived OP's last name from just his/her ID this seems like an awful lot of work to just get an online banking password. – Tom K. Aug 09 '17 at 13:26