New Credit Card Scam (fwd)

Jason Holt jason at lunkwill.org
Mon Jul 11 17:37:36 EDT 2005


I remember the first time a site asked for the number on the back of my credit 
card.  It was a Walmart or Amazon purchase, and with no warning they 
redirected me to some site with a questionable domain. I thought for sure my 
session was being hijacked, and my bank had given me no idea what the number 
was for or whether it was something I was supposed to give out.

To me, this is closely related to the discussions we have here about web 
browser security semantics.  With a very good understanding of the underlying 
PKI, we can usually sort out "secure" from "suspicious" site behaviors with 
some discussion, but how is the average user (or even the average engineer) 
supposed to cope?  Is there a standard or even just a document somewhere that 
defines best practices for both server and user behavior with respect to SSL 
web sites and credit card transactions?  Or are we leaving them to forward 
emails to each other warning them not to give out their 3-digit codes over the 
phone, and that they had better make sure their Dell doesn't have a DHS 
keylogger installed...

 							-J

---------- Forwarded message ----------
Date: Mon, 11 Jul 2005 11:28:50 -0700 
To: undisclosed-recipients:  ;
Subject: New Credit Card Scam

I got this from a co-worker today:
  Apparently, they don't ask for your number, just the 3 digit code on the
back. They'll tell you they're calling from your Visa or Mastercard company
and that they're trying to verify whether or not you've made a $497.99
purchase from a company in Arizona or something. They'll tell you to call
your credit card company if you have any questions, etc, and they never ask
for your card number, so it sounds pretty legit, but it's not. If it does
happen to you, within a few minutes of the phone call you'll have a charge
for $497.99 on your card. You can always call the credit card company
yourself and make sure they're the ones wanting to check about fraudulent
charges, so if you get a call that sounds fishy, just tell them you'll call
them back at the number on your card.

---------------------------------------------------------------------
The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to majordomo at metzdowd.com


